/*
 * Copyright (C) 2023 The Android Open Source Project
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

// Shell code that sets the current SELinux context to a given string.
//
// The desired SELinux context is appended to the payload as a null-terminated
// string.
//
// After the SELinux context has been updated the current process will raise
// SIGSTOP.

#include "./shell-code/constants.S"
#include "./shell-code/constants-arm.S"

// Assemble as Thumb. Every address used below is formed with a PC-relative
// `adr`, so no absolute address is baked into the payload.
.thumb

// Start and end markers of the payload.
// NOTE(review): presumably the loader copies [start, end) and places the
// context string at the end marker -- confirm against the caller.
.globl __setcon_shell_code_start
.globl __setcon_shell_code_end

// Register use in this part of the file:
//   r7      syscall number for each `swi 0`
//   r0-r2   syscall arguments; r0 also receives the syscall result
//   r10     file descriptor returned by open()
// No syscall result is tested before the next step runs.
__setcon_shell_code_start:
    // Ensure that the context and SELinux /proc file are readable. This assumes
    // that the max length of these two strings is shorter than 0x1000.
    //
    // mprotect(context & ~0xFFF, 0x2000, PROT_READ | PROT_EXEC)
    //
    // The range starts at the 0x1000-aligned address at or below `context`
    // and is 0x2000 bytes long.
    // NOTE(review): selinux_proc_file is placed before `context`, so it lies
    // inside this range only when both share the same 0x1000-aligned page --
    // confirm that the loader's placement guarantees this.
    mov     r7, SYS_MPROTECT
    adr     r0, context
    movw    r2, 0xF000                  // r2 = 0xFFFFF000, built from two
    movt    r2, 0xFFFF                  //   16-bit halves
    and     r0, r0, r2                  // round `context` down to 0x1000
    mov     r1, 0x2000
    mov     r2, (PROT_READ | PROT_EXEC)
    swi     0

    // r10 = open("/proc/thread-self/attr/current", O_WRONLY, O_WRONLY)
    //
    // The path is the selinux_proc_file string defined near the end of this
    // file. The third argument (mode) is only consulted by open() when a file
    // is created; the flags passed here are O_WRONLY alone.
    // NOTE(review): if open() fails, r10 holds a negative error value and the
    // later write()/close() are still issued with it.
    mov     r7, SYS_OPEN
    adr     r0, selinux_proc_file
    mov     r1, O_WRONLY
    mov     r2, O_WRONLY
    swi     0
    mov     r10, r0                     // keep the fd across later syscalls

    // r11 = strlen(context)
    //
    // Byte-wise scan from `context` until a zero byte is read; r11 counts the
    // bytes before it.
    // NOTE(review): the scan has no upper bound. It relies on the string at
    // `context` being NUL-terminated, as the header comment of this file
    // states.
    mov     r11, 0
    adr     r0, context
strlen_start:
    ldrb    r1, [r0, r11]               // r1 = context[r11]
    cmp     r1, 0
    beq     strlen_done
    add     r11, r11, 1
    b       strlen_start
strlen_done:

    // write(r10, context, r11)
    //
    // Writes the context string without its terminating NUL to the fd opened
    // on /proc/thread-self/attr/current.
    // NOTE(review): the kernel is expected to check SELinux policy (process
    // setcurrent / dyntransition) before accepting this write, so the write
    // can be refused. The result is not tested here; whoever runs this code
    // has to verify the resulting context itself.
    mov     r7, SYS_WRITE
    mov     r0, r10
    adr     r1, context
    mov     r2, r11
    swi     0

    // close(r10)
    mov     r7, SYS_CLOSE
    mov     r0, r10
    swi     0

    // r0 = getpid()
    mov     r7, SYS_GETPID
    swi     0

    // kill(r0, SIGSTOP)
    //
    // r0 still holds the pid returned by getpid() above, so the process
    // signals itself.
    mov     r7, SYS_KILL
    mov     r1, SIGSTOP
    swi     0

    // NOTE(review): no instruction follows the kill() syscall. If execution
    // continues past it, the CPU runs into the string bytes below.
    // Presumably the controlling process takes over once the stop is
    // reported -- confirm against the caller.

selinux_proc_file:
    .asciz "/proc/thread-self/attr/current"

// Start of the SELinux context string. Both labels mark the same address, so
// the assembled payload contains no context bytes of its own; the header
// comment of this file says the context is appended to the payload as a
// null-terminated string.
context:
__setcon_shell_code_end: