maemo.org - Talk (https://talk.maemo.org/index.php)
-   MeeGo / Harmattan (https://talk.maemo.org/forumdisplay.php?f=45)
-   -   [Announce] aegisctl - control Aegis settings from the comfort of your own terminal (https://talk.maemo.org/showthread.php?t=82991)

itsnotabigtruck 2012-03-12 18:43

[Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
aegisctl
control Aegis settings from the comfort of your own terminal

aegisctl makes it easy to take control and modify the Aegis enforcement bits on your incepted N9. This has many practical uses:

  • aegisctl -s: allows running any program from opensh, allows running a chroot environment as root
  • aegisctl -k: allows loading any kernel module without updating the whitelist
  • aegisctl --really @es: enter permissive mode (WARNING: Only if you know what you're doing)
  • aegisctl -r: temporarily disable "relaxed mode" (developer mode)
  • aegisctl +esdrtxk,-az: reset to (developer mode) defaults

aegisctl is built around an adaptation of javispedro's work on the unseal.ko kernel module.

Run aegisctl -? for usage instructions.

WARNING: This program is compatible only with PR1.2 and PR1.3 firmware (including beta versions). aegisctl has only been tested with the "stock" Nokia kernels, and might not work properly on customized third-party kernels.

NOTE: This must be installed using the incept utility provided with INCEPTION. Additionally, you must have opensh or a similar utility installed so that you can run aegisctl with the permissions required to change Aegis settings.

Install package: aegisctl_1.3_armel.deb
Source package: aegisctl_1.3.dsc aegisctl_1.3.tar.gz
License: Contains GPL2, WTFPL, and BSD code
  More info in the copyright file

coderus 2012-03-12 19:05

Re: [Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
Please explain, what is the profit here? More real samples, please.

Arie 2012-03-12 19:08

Re: [Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
Installed, working well.

itsnotabigtruck 2012-03-12 19:25

Re: [Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
Quote:

Originally Posted by coderus (Post 1178533)
Please explain, what is the profit here? More real samples, please.

The main benefit is that it solves the problem of the "source identifier check": the check that prevents you from running just any executable with any privilege. Normally, you can't just run anything from opensh - only programs provided by Nokia or installed through incept are allowed. The same problem applies with vanilla/stock open mode - it's not only an INCEPTION problem.

With aegisctl, this behavior can be controlled at the flick of a switch. :)

Also, I added a few more usage examples to the OP.

vzp916 2012-03-12 19:35

Re: [Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
Can I get Debian finally, and run OpenOffice?

If yes...how?

Thanks

coderus 2012-03-12 19:38

Re: [Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
Okay, I see, it will be useful for launching binaries.
Can I use it without inception but in an openmode kernel with patched aegis and a wiped /etc/aegisfs.d folder?
Or will it be useless? Or maybe there is some test to be sure?

jalyst 2012-03-12 19:38

Re: [Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
Quote:

Originally Posted by itsnotabigtruck (Post 1178543)
The same problem applies with vanilla/stock open mode - it's not only an INCEPTION problem.

My mem must be failing me but I thought stuff like source identifier check was basically a non-issue in vanilla/stock open-mode?
Man, I really need to find some time to go back and re-read everything, so much happening in the last few months.

itsnotabigtruck 2012-03-12 19:53

Re: [Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
Quote:

Originally Posted by coderus (Post 1178558)
Okay, I see, it will be useful for launching binaries.
Can I use it without inception but in an openmode kernel with patched aegis and a wiped /etc/aegisfs.d folder?
Or will it be useless? Or maybe there is some test to be sure?

Don't use this with a patched kernel - it has a hardcoded offset based on the stock PR1.2 kernel and changing the kernel could cause aegisctl to crash your system.

Quote:

Originally Posted by jalyst (Post 1178559)
My mem must be failing me but I thought stuff like source identifier check was basically a non-issue in vanilla/stock open-mode?
Man, I really need to find some time to go back and re-read everything, so much happening in the last few months.

"Vanilla" open mode basically gives you the same type of access as INCEPTION - you just don't need incept to install privileged packages. However, like with INCEPTION, there aren't any changes in Aegis enforcement unless you make those changes yourself. While I stated in the OP that INCEPTION is required for this, it also works if you use open mode and the stock kernel.

rainisto 2012-03-12 19:57

Re: [Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
Quote:

Originally Posted by coderus (Post 1178558)
Okay, I see, it will be useful for launching binaries.
Can I use it without inception but in an openmode kernel with patched aegis and a wiped /etc/aegisfs.d folder?
Or will it be useless? Or maybe there is some test to be sure?


With a patched openmode kernel you can freely write to /sys/kernel/security/validator/enabled, so you really don't need this, as you can edit the modes without it.

coderus 2012-03-12 20:11

Re: [Announce] aegisctl - control Aegis settings from the comfort of your own terminal
 
Okay, thanks for explaining.
Code:

/sys/kernel/security/validator # ls
cache    devorig  enabled  enforce  flush    hashlist  modlist
/sys/kernel/security/validator # cat enforce
0x7
/sys/kernel/security/validator # cat enabled
0x1e7

What should I change?

And I have another request.
Can you enable AEGIS_FIXED_ORIGIN with inception? It says ".. allowed only in open mode.."
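
A read-only way to notice when the validator masks discussed above have changed, as an added example that is not part of the thread or of aegisctl. The function names are hypothetical, the baseline values are whatever you recorded on your own device, and since the thread does not say what each bit means the script only reports bit positions.

```shell
#!/bin/sh
# Added example: read-only drift check for the Aegis validator bitmasks.
# The directory and the file names `enabled` and `enforce` come from the
# thread; the meaning of individual bits is not stated there, so changed
# bits are reported by position only.

# changed_bits OLD NEW -> space-separated positions of the bits that differ
changed_bits() {
    diff=$(( $1 ^ $2 ))
    bit=0
    out=""
    while [ "$diff" -ne 0 ]; do
        if [ $(( diff & 1 )) -eq 1 ]; then
            out="${out:+$out }$bit"
        fi
        diff=$(( diff >> 1 ))
        bit=$(( bit + 1 ))
    done
    printf '%s\n' "$out"
}

# validator_drift DIR BASE_ENABLED BASE_ENFORCE
# Prints one line per mask that differs from its recorded baseline.
# Returns 0 = no drift, 1 = drift, 2 = a mask was unreadable or malformed.
validator_drift() {
    dir=$1
    rc=0
    for pair in "enabled:$2" "enforce:$3"; do
        name=${pair%%:*}
        base=${pair#*:}
        cur=$(cat "$dir/$name" 2>/dev/null) || return 2
        # Accept only values of the form 0x<hex digits>, as the files print them.
        case $cur in 0x*) ;; *) return 2 ;; esac
        case ${cur#0x} in ''|*[!0-9a-fA-F]*) return 2 ;; esac
        if [ $(( $cur )) -ne $(( $base )) ]; then
            echo "$name: baseline $base, now $cur, changed bits: $(changed_bits "$base" "$cur")"
            rc=1
        fi
    done
    return $rc
}

# Typical call on the device, with baselines you recorded earlier:
#   validator_drift /sys/kernel/security/validator 0x1e7 0x7
```
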

