Memory Laundering: Is Cleaner Better?

Merry HaXmas! The holidays are yeeting toward us, the decade is drawing to a close, and there are few days left to finish your 2010s haxlist. Last year, I wrote about a few nifty ways to stealthily stage and execute payloads on Linux. One downside was that the coolest, stealthiest method, which maps and runs a process much like the execve syscall but in userspace, was easily mitigated by SELinux's commonly-applied execmem permission. Since then, I've had an inkling of a way to bypass this, and all I wanted for HaXmas this year was to get it out of my system.
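As an added example (my code, not from the original post), the following C program probes whether the calling process's domain is allowed the anonymous executable mappings that execmem gates, so you can confirm that a confined domain really denies them. It assumes the kernel reports an SELinux policy denial as EACCES, which is what the AVC returns for mmap and mprotect.

```c
// Added example (not from the post): probe whether the current domain may
// create anonymous executable memory, the mappings SELinux's execmem gates.
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <sys/mman.h>
#include <unistd.h>

enum execmem_state { EXECMEM_ALLOWED = 0, EXECMEM_DENIED = 1, EXECMEM_ERROR = 2 };

/* Errno of a failed PROT_EXEC mapping -> verdict. SELinux reports a policy
   denial as EACCES; EPERM is treated alike for MAC frameworks that use it. */
enum execmem_state classify_errno(int err)
{
    if (err == 0)
        return EXECMEM_ALLOWED;
    if (err == EACCES || err == EPERM)
        return EXECMEM_DENIED;
    return EXECMEM_ERROR;              /* ENOMEM etc.: not a policy answer */
}

/* Both routes to executable anonymous memory are gated by execmem: mapping a
   page RWX outright and flipping an RW page to RX. Nothing is executed. */
enum execmem_state probe_execmem(void)
{
    long page = sysconf(_SC_PAGESIZE);
    void *p = mmap(NULL, page, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return classify_errno(errno);
    munmap(p, page);

    p = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED)
        return EXECMEM_ERROR;
    enum execmem_state s = EXECMEM_ALLOWED;
    if (mprotect(p, page, PROT_READ | PROT_EXEC) != 0)
        s = classify_errno(errno);     /* RW->RX flip denied by policy? */
    munmap(p, page);
    return s;
}

int main(void)
{
    static const char *names[] = { "allowed", "denied", "error" };
    enum execmem_state s = probe_execmem();
    printf("anonymous executable memory: %s\n", names[s]);
    return s == EXECMEM_DENIED ? 0 : 1; /* exit 0 when the policy blocks it */
}
```

Run it under the domain you are auditing (for example via runcon) and pair the result with the corresponding AVC denial in the audit log; a non-zero exit on a host that is supposed to enforce deny_execmem means the policy is not doing what you think.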


The SE is for Super-Esoteric


Distros and phone manufacturers have been using SELinux to foil hackers and rooters for a while now, but providing a performant, fine-grained permission framework for system resources is a tricky task and the policy language can be a bit opaque with all the rules and macros that tend to end up in the final product. Below is an overview of some important concepts needed to understand how and where memory laundering can be applied. For a more in-depth guide, check out the wiki or your favorite distro's documentation.


Growing out of the NSA's work to add Mandatory Access Control to Linux, SELinux provides ways to specify sets of restrictions, or "policies", that only the policy administrator (not necessarily any root session) can change. These restrictions are scoped across different groups of files and processes (termed "domains"), types of resources (called "object types"), "users", and "roles".


For example, a web server will be unable to serve files belonging to a domain that an enforced ..