In testing on CyanogenMod 12, I saw consistent SEGV_ACCERR with the "shell code" entrypoint as the fault address, and -1 value in r0. I believe this means the mprotect() call to make the stack executable failed. If I turn off SELinux enforcement (setenforce 0), it appears to get further (I believe it was an ARM/Thumb hook mismatch that crashed it later.) I don't know a lot about it, but there appears to be an SELinux feature execstack that prevents the stack from being made executable.
I don't know if this is a CM-specific SELinux policy, or how widely it will be implemented in other Android 5.0 builds, but it would make sense if this is in AOSP.
There's another Android injector here, which appears to function without mprotect() (you have to adjust inject.c for your needs.) I haven't tested it on Android 5 yet, though.
I know solving this is not trivial, so I'm not requesting it, just noting the issue.
If it's a policy related issue, you should be able to see something in logcat *:V and possibly also in the AVC log, if implemented. You might then be able to inject the required policy items using Chainfire's supolicy binary, part of SuperSU. Everything in 5.0 will use SELinux (aka SEAndroid) by default.
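Added example, not code from this issue, from the injector under discussion, or from the other injector mentioned above: a small C probe showing the two things a practitioner would want to verify before debugging further. First, the return value of the mprotect() call that makes the stack page RWX is checked instead of jumping to the stub regardless; an SELinux execstack denial comes back as EACCES, and jumping anyway is what produces a SEGV_ACCERR at the stub's own address. Second, as an alternative that never changes the stack's protection, the stub is placed in an anonymous RWX mapping; this is my assumption of one way to avoid mprotect(), and it is governed by the separate SELinux execmem permission, which an app domain may also lack. The stub bytes (return 42) are constructed for x86-64 and AArch64 only; on a desktop build host both paths normally succeed, on a device with the denial in place the first reports the errno and the second reports -EACCES.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Make the page(s) holding [addr, addr+len) RWX, as an injector does for a
 * stack-resident stub. Returns 0 on success, else the errno from mprotect().
 * Under SELinux an execstack denial surfaces here as EACCES; an injector that
 * ignores this and jumps to the stub gets SEGV_ACCERR at the stub address. */
int make_executable(void *addr, size_t len)
{
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t start = (uintptr_t)addr & ~((uintptr_t)page - 1);
    uintptr_t end = ((uintptr_t)addr + len + (uintptr_t)page - 1) & ~((uintptr_t)page - 1);
    if (mprotect((void *)start, (size_t)(end - start),
                 PROT_READ | PROT_WRITE | PROT_EXEC) != 0)
        return errno;
    return 0;
}

/* Probe using a buffer on this thread's stack, the placement the report
 * describes. Returns 0 if the stack page could be made executable. */
int probe_stack_exec(void)
{
    volatile unsigned char stub[64];           /* constructed stand-in for shellcode */
    memset((void *)stub, 0, sizeof stub);
    return make_executable((void *)stub, sizeof stub);
}

/* Assumed alternative: never touch the stack, run the stub from an anonymous
 * RWX mapping instead (SELinux "execmem" rather than "execstack").
 * Returns the stub's return value (42), -1 on an unsupported architecture,
 * or -errno if the mapping could not be created. */
int run_stub_from_anon_rwx(void)
{
#if defined(__x86_64__)
    /* mov eax, 42 ; ret */
    static const unsigned char stub[] = { 0xb8, 0x2a, 0x00, 0x00, 0x00, 0xc3 };
#elif defined(__aarch64__)
    /* mov w0, #42 ; ret */
    static const unsigned char stub[] = { 0x40, 0x05, 0x80, 0x52, 0xc0, 0x03, 0x5f, 0xd6 };
#else
    static const unsigned char stub[] = { 0 };
    return -1;                                 /* no constructed stub for this architecture */
#endif
    long page = sysconf(_SC_PAGESIZE);
    void *mem = mmap(NULL, (size_t)page, PROT_READ | PROT_WRITE | PROT_EXEC,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED)
        return -errno;
    memcpy(mem, stub, sizeof stub);
    /* Required on AArch64: instruction cache is not coherent with the data writes. */
    __builtin___clear_cache((char *)mem, (char *)mem + sizeof stub);
    int (*fn)(void) = (int (*)(void))mem;
    int r = fn();
    munmap(mem, (size_t)page);
    return r;
}

int main(void)
{
    int r = probe_stack_exec();
    if (r == 0)
        printf("stack page RWX: ok\n");
    else
        printf("stack page RWX: mprotect failed, errno=%d (%s)\n", r, strerror(r));

    int s = run_stub_from_anon_rwx();
    if (s == 42)
        printf("anon RWX mapping: stub ran, returned %d\n", s);
    else if (s == -1)
        printf("anon RWX mapping: no stub for this architecture\n");
    else
        printf("anon RWX mapping: mmap failed, errno=%d (%s)\n", -s, strerror(-s));
    return 0;
}
```

On the device, build with the NDK and run it inside the target process's SELinux domain (for example via the injector itself, or from a shell with the same context) rather than from an unconfined root shell, since the denial is per-domain; any EACCES here should correspond to an avc: denied line for execstack or execmem in logcat.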