Notices


Reply
Thread Tools
Posts: 245 | Thanked: 908 times | Joined on Feb 2012
#1
aegisctl
control Aegis settings from the comfort of your own terminal

aegisctl makes it easy to take control and modify the Aegis enforcement bits on your incepted N9. This has many practical uses:

  • aegisctl -s: allows running any program from opensh, allows running a chroot environment as root
  • aegisctl -k: allows loading any kernel module without updating the whitelist
  • aegisctl --really @es: enter permissive mode (WARNING: Only if you know what you're doing)
  • aegisctl -r: temporarily disable "relaxed mode" (developer mode)
  • aegisctl +esdrtxk,-az: reset to (developer mode) defaults

aegisctl is built around an adaptation of javispedro's work on the unseal.ko kernel module.

Run aegisctl -? for usage instructions.

WARNING: This program is compatible only with PR1.2 and PR1.3 firmware (including beta versions). aegisctl has only been tested with the "stock" Nokia kernels, and might not work properly on customized third-party kernels.

NOTE: This must be installed using the incept utility provided with INCEPTION. Additionally, you must have opensh or a similar utility installed so that you can run aegisctl with the permissions required to change Aegis settings.

Install package: aegisctl_1.3_armel.deb
Source package: aegisctl_1.3.dsc aegisctl_1.3.tar.gz
License: Contains GPL2, WTFPL, and BSD code
  More info in the copyright file

Last edited by itsnotabigtruck; 2012-07-03 at 16:12.
 

The Following 39 Users Say Thank You to itsnotabigtruck For This Useful Post:
coderus's Avatar
Posts: 6,064 | Thanked: 11,225 times | Joined on Nov 2011 @ Open Mobile Platform, Innopolis, Russia
#2
please explain, what is profit here? more real samples, please.
 

The Following User Says Thank You to coderus For This Useful Post:
Posts: 1,539 | Thanked: 1,604 times | Joined on Oct 2011 @ With my N9
#3
Installed working well.
__________________
Arie|www.everythingn9.com|Nokia N9 64GB x2|Nokia N950

@everythingn9

Temporary Inception Fix


Times Banned from TMO: 4
 
Posts: 245 | Thanked: 908 times | Joined on Feb 2012
#4
Originally Posted by coderus View Post
please explain, what is profit here? more real samples, please.
The main benefit is that it solves the problem of the "source identifier check": the check that prevents you from running just any executable with any privilege. Normally, you can't just run anything from opensh - only programs provided by Nokia or installed through incept are allowed. The same problem applies with vanilla/stock open mode - it's not only an INCEPTION problem.

With aegisctl, this behavior can be controlled at the flick of a switch.

Also, I added a few more usage examples to the OP.
 
Posts: 92 | Thanked: 16 times | Joined on Jun 2011 @ Sacramento, CA USA
#5
Can I get debian finaly, and run OpenOffice?

If yes...how?

Thanks
 
coderus's Avatar
Posts: 6,064 | Thanked: 11,225 times | Joined on Nov 2011 @ Open Mobile Platform, Innopolis, Russia
#6
okay, i see, will be useful for launching binaries.
can i use it without inception but in openmode kernel with patched aegis and wiped /etc/aegisfs.d folder?
or it will be useless? or maybe some test to be sure?
 

The Following User Says Thank You to coderus For This Useful Post:
Moderator | Posts: 5,319 | Thanked: 4,455 times | Joined on Oct 2009
#7
Originally Posted by itsnotabigtruck View Post
The same problem applies with vanilla/stock open mode - it's not only an INCEPTION problem.
My mem must be failing me but I thought stuff like source identifier check was basically a non-issue in vanilla/stock open-mode?
Man I really need to find some time to go back a re-read everything, so much happening in the last few months.
 
Posts: 245 | Thanked: 908 times | Joined on Feb 2012
#8
Originally Posted by coderus View Post
okay, i see, will be useful for launching binaries.
can i use it without inception but in openmode kernel with patched aegis and wiped /etc/aegisfs.d folder?
or it will be useless? or maybe some test to be sure?
Don't use this with a patched kernel - it has a hardcoded offset based on the stock PR1.2 kernel and changing the kernel could cause aegisctl to crash your system.

Originally Posted by jalyst View Post
My mem must be failing me but I thought stuff like source identifier check was basically a non-issue in vanilla/stock open-mode?
Man I really need to find some time to go back a re-read everything, so much happening in the last few months.
"Vanilla" open mode basically gives you the same type of access as INCEPTION - you just don't need incept to install privileged packages. However, like with INCEPTION, there aren't any changes in Aegis enforcement unless you make those changes yourself. While I stated in the OP that INCEPTION is required for this, it also works if you use open mode and the stock kernel.

Last edited by itsnotabigtruck; 2012-03-12 at 21:06.
 
Posts: 1,067 | Thanked: 2,377 times | Joined on Jan 2012 @ Finland
#9
Originally Posted by coderus View Post
okay, i see, will be useful for launching binaries.
can i use it without inception but in openmode kernel with patched aegis and wiped /etc/aegisfs.d folder?
or it will be useless? or maybe some test to be sure?

with patched openmode kernel you can freely write to /sys/kernel/security/validator/enabled, so you really don't need this as you can edit the modes without it.
 

The Following User Says Thank You to rainisto For This Useful Post:
coderus's Avatar
Posts: 6,064 | Thanked: 11,225 times | Joined on Nov 2011 @ Open Mobile Platform, Innopolis, Russia
#10
okay, thanks for explain.
Code:
/sys/kernel/security/validator # ls
cache     devorig   enabled   enforce   flush     hashlist  modlist
/sys/kernel/security/validator # cat enforce
0x7
/sys/kernel/security/validator # cat enabled
0x1e7
what should i change?

and, i have another request.
can you enable AEGIS_FIXED_ORIGIN with inception? it says ".. allowed only in open mode.."

Last edited by coderus; 2012-03-12 at 20:50.
 
Reply

Tags
aegisctl, enforce, harmattan, inception, permissive

Thread Tools

 
Forum Jump


All times are GMT. The time now is 10:17.