0x36 / Pixel_GPU_Exploit

Android 14 kernel exploit for Pixel7/8 Pro

Grant full capabilities to root shell. #5

Open m4b4 opened 4 months ago

m4b4 commented 4 months ago

On my Pixel 7 it seems overwriting only uid, gid, .. in the task structure is not sufficient to grant full root access (see here). For instance, after getting the root shell I wasn't able to cd into /data/local/tmp anymore:

panther:/ # whoami
root
panther:/data/local/tmp # ls
ls: .: Permission denied
1|panther:/data/local/tmp # getenforce
Permissive

This PR contains the following changes:

I don't have a chance to test this on a Pro model, but on the Pixel 7 it seems to fix the issue for me:

panther:/data/local/tmp # whoami
root
panther:/data/local/tmp # cd /data/local/tmp
panther:/data/local/tmp # ls
another_boot.img  boot.img  boot_231105_003_p7.img  exp2  exp_new  exp_new2  exploit  exploit2  kernel  kernel_pixel8  magiskboot  mali_kbase.ko  mali_pixel.ko  smaps.txt
panther:/data/local/tmp #
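
The symptom in the description above (whoami prints root, yet ls fails with Permission denied while SELinux is permissive) is what a task with uid 0 and an empty effective capability set looks like, because the kernel's file permission bypass is tied to CAP_DAC_OVERRIDE and CAP_DAC_READ_SEARCH rather than to the uid itself. The following check is an added example, not part of this PR or of the repository: it parses text in /proc/<pid>/status format and flags that state. The struct, function names and both sample inputs are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Capability bit numbers from <linux/capability.h>. */
#define CAP_DAC_OVERRIDE    1
#define CAP_DAC_READ_SEARCH 2

struct cred_view { unsigned euid; unsigned long long eff; }; /* effective uid, CapEff mask */

/* Constructed samples in /proc/<pid>/status format, not captured from a device. */
static const char SAMPLE_UID_ONLY[] =
    "Name:\tsh\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";
static const char SAMPLE_FULL_CAPS[] =
    "Name:\tsh\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\n"
    "CapPrm:\t000001ffffffffff\nCapEff:\t000001ffffffffff\n";

/* Find key at the start of a line; return a pointer just past it, or NULL. */
static const char *field(const char *text, const char *key) {
    size_t n = strlen(key);
    for (const char *p = text; p && *p; ) {
        if (strncmp(p, key, n) == 0) return p + n;
        p = strchr(p, '\n');          /* skip to the next line */
        if (p) p++;
    }
    return NULL;
}

/* Parse the effective uid and CapEff; 0 on success, -1 if a field is missing. */
int parse_status(const char *text, struct cred_view *out) {
    const char *u = field(text, "Uid:"), *c = field(text, "CapEff:");
    unsigned ruid;                    /* first Uid field is the real uid */
    if (!u || !c || sscanf(u, "%u %u", &ruid, &out->euid) != 2) return -1;
    out->eff = strtoull(c, NULL, 16); /* strtoull skips the leading tab */
    return 0;
}

/* 1 if euid is 0 but neither DAC-bypass capability is effective. */
int root_without_dac(const struct cred_view *v) {
    unsigned long long dac = (1ULL << CAP_DAC_OVERRIDE) | (1ULL << CAP_DAC_READ_SEARCH);
    return v->euid == 0 && (v->eff & dac) == 0;
}

int main(void) {
    struct cred_view v;
    if (parse_status(SAMPLE_UID_ONLY, &v) == 0) printf("uid only:  %d\n", root_without_dac(&v));
    if (parse_status(SAMPLE_FULL_CAPS, &v) == 0) printf("full caps: %d\n", root_without_dac(&v));
    return 0;
}
```

The same parser works on the real contents of /proc/<pid>/status; a uid 0 process whose CapEff is all zeros is unusual on a stock system and is worth a closer look during triage.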

atimofeev86 commented 2 months ago

What is my issue? [image]