[N950] Infodump Thread
Can we use this as an information dump thread for Harmattan/MeeGo 1.2/N950 junk?
Simple things like allow screen wakeup with volume keys when disabling double-tap-to-unlock due to thigh sensitivity.
Code:
/etc/mce/mce.ini => TriggerUnlockScreenWithVolumeKeys=1
Code:
/usr/share/themes/base/meegotouch/devicelockd/style/devicelockd.css
Re: [N950] Infodump Thread
Change terminal toolbar;
/usr/share/meego-terminal/meego-terminal-toolbar.xml
Syntax is fairly simple to follow. Example of adding a forward slash...
Code:
<button name="Slash" group="Slash" showon="always" text="/" toggle="false" pressed="false">
Code:
<item name="Slash" />
Re: [N950] Infodump Thread
Also, the obvious removal of the snd_camera_shutter.wav file from inside /usr/share/sounds/ui-tones will stop the shutter sound from going off.
Re: [N950] Infodump Thread
From experience - some scripts in /usr/bin are sensitive to changes and if you save them before you intended with invalid code your N950 will reboot after several secs and show a nice "Device Malfunction" screen on boot that will force you to reflash.
Verified on /usr/bin/update-hwkb-config
Re: [N950] Infodump Thread
Harmattan platform security is a real thorn in my side. This blog post seems to have some ideas for giving powers to various packages and objects using /var/lib/aegis/restok/restok.conf
This fmc thread has some good tips for getting into the most "free" mode possible.
Re: [N950] Infodump Thread
qole;
Here's what I've done so far and what I suspect might bring it a bit closer. Keep in mind, this is pure speculation as I have absolutely ZERO knowledge with Aegis, or any TCP. We'll need to modify `/var/lib/aegis/restok/restok.conf` and insert a capability request for a single binary that will execute and drop into the chroot environment.
Code:
Package: qole
Once /opt/qole-chroot-exec is run, it will eventually request capabilities from aegis and assumingly, if running in "relaxed mode", it will authorize the above capabilities under suidroot (uid 0) for the unsigned binary -- allowing for a rudimentary root change. Whether or not after that, you can exec binaries, is a piss in the wind. I don't know the flow of the TC implementation, so again this is just how I imagine it might work. It's all negated if injecting into com.nokia.* requires signatures. See https://meego.gitorious.org/meego-pl.../credp/credp.c for what looks like how restok is handled when setting policy credentials and a bit more of what happens.
Re: [N950] Infodump Thread
I tried changing the object to /opt/qchroot, the script that does the chroot. It still fails. I tried adding an object which pointed to the chroot's /bin/sh file, but still it fails. :( I think I need an open kernel.
Re: [N950] Infodump Thread
Can shell scripts be priv-escalated through aegis? I'd try it with a binary, done purely in C or shell code.
Re: [N950] Infodump Thread
The fact that Qole was able to modify the file at all made me realize the file is not protected or hashed. Something that is so ridiculous I did not even previously consider. Congratulations Hawaii, you found the first Aegis "hole" (note: it's so large I believe it may be intentional -- you probably can only modify the file in developer mode).
Therefore, Aegis is now partially defeated -- I am now running the stock kernel in non-enforcing mode. That is, to my knowledge, the nearest thing to open mode that exists: I can run arbitrary binaries as root, I can load new kernel modules, and I can even reenable Aegis if I wanted to.
Re: [N950] Infodump Thread
So javispedro, can you explain how to get into this "non-enforcing mode"? Because I'm still stuck in the same place.