hawaii
Posts: 1,030 | Thanked: 792 times | Joined on Jun 2009
#1
Can we use this as an information dump thread for Harmattan/MeeGo 1.2/N950 junk?

Simple things like allow screen wakeup with volume keys when disabling double-tap-to-unlock due to thigh sensitivity.
Code:
/etc/mce/mce.ini => TriggerUnlockScreenWithVolumeKeys=1
or showing the full indicator bar on the lock screen.
Code:
/usr/share/themes/base/meegotouch/devicelockd/style/devicelockd.css

MStatusBarStyle#LockedWindowNoStatusBar {
    enable-status-indicator-menu: true;
    offset: 0 -100%;
}
Feel free to drop in anything useful you've found that hasn't been shared before.
 

The Following 12 Users Say Thank You to hawaii For This Useful Post:
hawaii
Posts: 1,030 | Thanked: 792 times | Joined on Jun 2009
#2
Change terminal toolbar;

/usr/share/meego-terminal/meego-terminal-toolbar.xml

Syntax is fairly simple to follow. Example of adding a forward slash...

Code:
<button name="Slash" group="Slash" showon="always" text="/" toggle="false" pressed="false">
    <actions>
        <sendstring string="/"> </sendstring>
    </actions>
</button>
and add a new item for the layout
Code:
<item name="Slash" />
 

The Following 7 Users Say Thank You to hawaii For This Useful Post:
hawaii
Posts: 1,030 | Thanked: 792 times | Joined on Jun 2009
#3
Also, the obvious removal of the snd_camera_shutter.wav file from inside /usr/share/sounds/ui-tones will stop the shutter sound from going off.
 

The Following 9 Users Say Thank You to hawaii For This Useful Post:
Posts: 329 | Thanked: 505 times | Joined on Jul 2008 @ Israel
#4
From experience - some scripts in /usr/bin are sensitive to changes and if you save them before you intended with invalid code your N950 will reboot after several secs and show a nice "Device Malfunction" screen on boot that will force you to reflash.

Verified on /usr/bin/update-hwkb-config
 

The Following 2 Users Say Thank You to damagedspline For This Useful Post:
qole
Moderator | Posts: 7,109 | Thanked: 8,820 times | Joined on Oct 2007 @ Vancouver, BC, Canada
#5
Harmattan platform security is a real thorn in my side. This blog post seems to have some ideas for giving powers to various packages and objects using /var/lib/aegis/restok/restok.conf

This fmc thread has some good tips for getting into the most "free" mode possible.
__________________
qole.org --- twitter --- Easy Debian wiki page
Please don't send me a private message, post to the appropriate thread.
Thank you all for your donations!
 

The Following 5 Users Say Thank You to qole For This Useful Post:
hawaii
Posts: 1,030 | Thanked: 792 times | Joined on Jun 2009
#6
qole;

Here's what I've done so far and what I suspect might bring it a bit closer.

Keep in mind, this is pure speculation as I have absolutely ZERO knowledge with Aegis, or any TCP.

We'll need to modify `/var/lib/aegis/restok/restok.conf` and insert a capability request for a single binary that will execute and drop into the chroot environment.

Code:
Package: qole
Source: com.nokia.maemo
Object: /opt/qole-chroot-exec
Request:
        UID::root
        GID::disk
        CAP::sys_chroot
        CAP::fowner
        CAP::fsetid
        CAP::chown
        CAP::sys_admin
        CAP::dac_override
Policy: add
and then run `aegis-loader` to reload the configuration file. More capabilities might be needed, such as sys_mknod, sys_resource or rawio and you may have to register through dbus in order for it to all work?

Once /opt/qole-chroot-exec is run, it will eventually request capabilities from aegis and assumingly, if running in "relaxed mode", it will authorize the above capabilities under suidroot (uid 0) for the unsigned binary -- allowing for a rudimentary root change. Whether or not after that, you can exec binaries, is a piss in the wind.

I don't know the flow of the TC implementation, so again this is just how I imagine it might work. It's all negated if injecting into com.nokia.* requires signatures.

See https://meego.gitorious.org/meego-pl.../credp/credp.c for what looks like how restok is handled when setting policy credentials and a bit more of what happens.

Last edited by hawaii; 2011-08-09 at 17:29.
 

The Following 6 Users Say Thank You to hawaii For This Useful Post:
qole
Moderator | Posts: 7,109 | Thanked: 8,820 times | Joined on Oct 2007 @ Vancouver, BC, Canada
#7
I tried changing the object to /opt/qchroot, the script that does the chroot. It still fails. I tried adding an object which pointed to the chroot's /bin/sh file, but still it fails. I think I need an open kernel.
 

The Following 2 Users Say Thank You to qole For This Useful Post:
hawaii
Posts: 1,030 | Thanked: 792 times | Joined on Jun 2009
#8
Can shell scripts be priv-escalated through aegis? I'd try it with a binary, done purely in C or shell code.
 

The Following User Says Thank You to hawaii For This Useful Post:
javispedro
Posts: 2,355 | Thanked: 5,249 times | Joined on Jan 2009 @ Barcelona
#9
The fact that Qole was able to modify the file at all made me realize the file is not protected or hashed. Something that is so ridiculous I did not even previously consider. Congratulations Hawaii, you found the first Aegis "hole" (note: it's so large I believe it may be intentional -- you probably can only modify the file in developer mode).

Therefore, Aegis is now partially defeated -- I am now running the stock kernel in non-enforcing mode. That is, to my knowledge, the nearest thing to open mode that exists: I can run arbitrary binaries as root, I can load new kernel modules, and I can even reenable Aegis if I wanted to.

Last edited by javispedro; 2011-08-09 at 19:55.
 

The Following 6 Users Say Thank You to javispedro For This Useful Post:
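
Added example, not part of any post in this thread and not code from the Aegis project: since posts #6 and #9 establish that restok.conf can be edited by hand and is not hashed, a reviewer can at least audit which objects it grants root or broad capabilities to. The parser assumes the stanza layout shown in post #6; the high-risk set, the `reviewed_objects` parameter and the second stanza in the sample are assumptions made for illustration.

```python
import re

FIELD = re.compile(r"^(Package|Source|Object|Request|Policy):\s*(.*)$")
TOKEN = re.compile(r"^(UID|GID|CAP)::\S+$")
# Grants this audit treats as high-risk (this example's choice, taken from the
# tokens in the post; not a list defined by Aegis).
HIGH_RISK = {"UID::root", "CAP::sys_admin", "CAP::dac_override", "CAP::sys_chroot"}

def parse_stanzas(text):
    """Split restok.conf-style text into one dict per 'Package:' stanza."""
    stanzas, cur, in_request = [], None, False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()              # the post mixes tabs and spaces
        if not line:
            continue
        field = FIELD.match(line)
        if field:
            key, value = field.groups()
            if key == "Package" or cur is None:
                cur = {"line": lineno, "Request": [], "unparsed": []}
                stanzas.append(cur)
            in_request = key == "Request"
            if not in_request:
                cur[key] = value
        elif in_request and TOKEN.match(line):
            cur["Request"].append(line)
        elif cur is not None:
            cur["unparsed"].append((lineno, line))  # keep odd lines for review
    return stanzas

def audit(text, reviewed_objects=frozenset()):
    """Return (package, object, risky grants) for every unreviewed stanza."""
    findings = []
    for s in parse_stanzas(text):
        risky = sorted(t for t in s["Request"] if t in HIGH_RISK)
        obj = s.get("Object", "<none>")
        if risky and obj not in reviewed_objects:
            findings.append((s.get("Package", "<none>"), obj, risky))
    return findings

# Constructed sample: the stanza from post #6, then a made-up low-privilege one.
SAMPLE = (
    "Package: qole\nSource: com.nokia.maemo\nObject: /opt/qole-chroot-exec\n"
    "Request:\n\tUID::root\n        GID::disk\n\tCAP::sys_chroot\n"
    "        CAP::fowner\n        CAP::fsetid\n        CAP::chown\n"
    "        CAP::sys_admin\n        CAP::dac_override\nPolicy: add\n\n"
    "Package: example-viewer\nSource: example.invalid\n"
    "Object: /opt/example-viewer/bin/viewer\nRequest:\n\tGID::users\nPolicy: add\n"
)

if __name__ == "__main__":
    for package, obj, risky in audit(SAMPLE):
        print(f"{package} {obj}: {', '.join(risky)}")
```

Lines that match neither a field nor a token are kept in each stanza's `unparsed` list rather than dropped, so a hand-edited file with unexpected content still surfaces for review.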
qole
Moderator | Posts: 7,109 | Thanked: 8,820 times | Joined on Oct 2007 @ Vancouver, BC, Canada
#10
So javispedro, can you explain how to get into this "non-enforcing mode"? Because I'm still stuck in the same place.
 