Disable SELinux on some Qualcomm devices via cmdline injection
The fastboot protocol is implemented by Qualcomm's ABL, which is open source.
The fastboot protocol includes a command, "fastboot oem set-gpu-preemption value".
The value should only be 0 or 1.
But in fact we can send an arbitrary string.
The value is appended to the kernel cmdline as " msm_kgsl.preempt_enable=value".
So this results in a cmdline injection: anything after a space in the value becomes a separate kernel parameter.
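The root cause is that the value is copied into the cmdline without validation. Below is an added example of the kind of check that closes this hole (it is not the real ABL code and the function names are assumptions): only the literal strings "0" or "1" are accepted before anything is appended to the cmdline.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical validator (not the real ABL code): accept only the literal
 * strings "0" or "1". Any other byte, including the space that would start
 * a new cmdline token, is rejected. Returns true when the value is valid. */
static bool validate_gpu_preemption_arg(const char *value)
{
    if (value == NULL)
        return false;
    /* Exactly one character, and that character is '0' or '1'. */
    if (strlen(value) != 1)
        return false;
    return value[0] == '0' || value[0] == '1';
}

/* Build the cmdline fragment only from validated input. Returns the number
 * of bytes written, or -1 when the value is rejected or does not fit. */
static int build_gpu_preemption_arg(const char *value, char *out, size_t out_len)
{
    if (!validate_gpu_preemption_arg(value))
        return -1;
    int n = snprintf(out, out_len, " msm_kgsl.preempt_enable=%s", value);
    if (n < 0 || (size_t)n >= out_len)
        return -1;
    return n;
}

int main(void)
{
    /* Constructed sample inputs: two valid, the rest must be rejected.
     * The fourth one mirrors the injection described above. */
    const char *samples[] = { "1", "0", "2", "1 androidboot.selinux=permissive", "" };
    char buf[64];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int n = build_gpu_preemption_arg(samples[i], buf, sizeof buf);
        if (n < 0)
            printf("rejected: \"%s\"\n", samples[i]);
        else
            printf("accepted: \"%s\"\n", buf);
    }
    return 0;
}
```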
But we ran into difficulties when using this injection to get temp root,
for example with initrd=address,length or root=/dev/xxxx,
because we do not know the address of the downloaded buffer.
Anyone who has a better idea is welcome to open a pull request.
Still, through the cmdline injection we can set any property of the form ro.boot.xxx.
We can use androidboot.selinux=permissive to switch SELinux to permissive temporarily.
But this only works on some devices, because other devices force SELinux into enforcing mode.
We can also disable KASLR with "nokaslr".
With some temp root exploit and permissive SELinux, we can gain temp root. But the best method would be through the exploit itself, and I have no better ideas.
This PoC may not work on your device.
And it is patched, as you can see.
I will not be responsible for any corruption.