Has anyone tested this on newer kernels?
I tried to use this module for a simple "hello world" hijacking of the fadvise() system call. It seems to work fine on kernel 2.6.32 (Ubuntu), but when I try it on kernel 3.8.0 (Xubuntu) it doesn't work: I always get the same arguments (in the fadvise() case this means the same file descriptor, the same offset, etc.). This suggests accessing the wrong place in memory, or bad registers. I don't know exactly.
Has anyone tried this? Besides altering security.c, I had to make some changes to get the code to compile on the 3.8.0 kernel, the same changes suggested in the previous issue opened here, after which the code compiled just fine.
Anyway, I'm attaching my security.c code just to demonstrate what I'm trying to do:
// the actual hijacking of system calls, and inserting code
#include "module.h"
#include <linux/blkdev.h>

struct kernsym sym_sys_fadvise64_64;

// sys_fadvise64_64
// the prototype must match the kernel's sys_fadvise64_64 exactly:
// asmlinkage long, with 64-bit loff_t offset and len
asmlinkage long tpe_sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice) {
	// saved original fadvise, filled in by symbol_hijack()
	long (*run)(int fd, loff_t offset, loff_t len, int advice) = sym_sys_fadvise64_64.run;

	// loff_t is 64-bit, so it needs %lld rather than %d
	printk(PKPRE "*** hijacked fadvise. fd=%d offset=%lld len=%lld advice=%d\n",
	       fd, (long long)offset, (long long)len, advice); // ALWAYS THE SAME IN 3.8.0!!!

	return run(fd, offset, len, advice);
}

void printfail(const char *name) {
	printk(PKPRE "warning: unable to implement protections for %s\n", name);
}

struct symhook {
	char *name;
	struct kernsym *sym;
	unsigned long *func;
};

// find symbols in /proc/kallsyms
struct symhook security2hook[] = {
	{"sys_fadvise64_64", &sym_sys_fadvise64_64, (unsigned long *)tpe_sys_fadvise64_64},
};

// hijack the needed functions. whenever possible, hijack just the LSM function
void hijack_syscalls(void) {
	int ret, i;

	for (i = 0; i < ARRAY_SIZE(security2hook); i++) {
		ret = symbol_hijack(security2hook[i].sym, security2hook[i].name, security2hook[i].func);

		// only report success when symbol_hijack() did not fail
		if (IN_ERR(ret))
			printfail(security2hook[i].name);
		else
			printk(PKPRE "%s hijacked successfully!\n", security2hook[i].name);
	}
}

void undo_hijack_syscalls(void) {
	int i;

	for (i = 0; i < ARRAY_SIZE(security2hook); i++)
		symbol_restore(security2hook[i].sym);
}
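As an added example (not tpe-lkm code and not from the issue author), here is a user-space C model of the symbol_hijack()/symbol_restore() pattern that the posted security.c relies on. The kernsym layout, symbol_hijack(), symbol_restore(), the symtab[] lookup table and model_sys_fadvise64_64() are assumptions standing in for the kernel-side originals, and dispatch goes through the table instead of patching code. It shows the ordering the pattern depends on (save the original before redirecting, call through the saved pointer, restore on unload), a hook whose prototype is taken from the same typedef as the target so its argument widths and return type cannot drift from the syscall's, and a round-trip check that the hook really observes the caller's arguments and passes the return value through.

```c
/* Added example, not tpe-lkm code: a user-space model of the
 * symbol_hijack()/symbol_restore() pattern from the posted security.c.
 * kernsym, symbol_hijack(), symbol_restore(), symtab[] and
 * model_sys_fadvise64_64() are assumptions; dispatch goes through symtab[]. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* One typedef shared by target and hook, so the hook's argument widths and
 * return type cannot drift from the syscall's (long, 64-bit loff_t). */
typedef long (*fadvise_fn)(int fd, long long offset, long long len, int advice);

struct kernsym { const char *name; void *run; int hijacked; };

/* Stand-in for sys_fadvise64_64; encodes fd and advice in the return value. */
static long model_sys_fadvise64_64(int fd, long long offset, long long len, int advice)
{
	return (offset < 0 || len < 0) ? -EINVAL : fd * 10 + advice;
}

/* Constructed stand-in for a kallsyms lookup: name -> current entry point. */
static struct { const char *name; void *addr; } symtab[] = {
	{ "sys_fadvise64_64", (void *)model_sys_fadvise64_64 },
};
static void **symtab_slot(const char *name)
{
	size_t i;
	for (i = 0; i < sizeof symtab / sizeof symtab[0]; i++)
		if (strcmp(symtab[i].name, name) == 0)
			return &symtab[i].addr;
	return NULL;
}

/* Save the original before redirecting. A second hijack of the same symbol
 * is refused: it would save the hook as "original" and recurse forever. */
static int symbol_hijack(struct kernsym *sym, const char *name, void *func)
{
	void **slot = symtab_slot(name);
	if (!slot || !*slot)
		return -ENOENT;
	if (sym->hijacked)
		return -EBUSY;
	sym->name = name;
	sym->run = *slot;
	sym->hijacked = 1;
	*slot = func;
	return 0;
}

static void symbol_restore(struct kernsym *sym)
{
	void **slot = sym->hijacked ? symtab_slot(sym->name) : NULL;
	if (slot)
		*slot = sym->run;
	sym->hijacked = 0;
}

static struct { int fd; long long offset, len; int advice, calls; } seen; /* last hook call */
static struct kernsym sym_sys_fadvise64_64;
/* The hook: record the arguments, then call through the saved original. */
static long tpe_sys_fadvise64_64(int fd, long long offset, long long len, int advice)
{
	fadvise_fn run = (fadvise_fn)sym_sys_fadvise64_64.run;
	seen.fd = fd; seen.offset = offset; seen.len = len; seen.advice = advice;
	seen.calls++;
	return run(fd, offset, len, advice);
}

/* Caller's view: dispatch by name, like the syscall entry path would. */
static long call_fadvise(int fd, long long offset, long long len, int advice)
{
	return ((fadvise_fn)*symtab_slot("sys_fadvise64_64"))(fd, offset, len, advice);
}
/* Round trip: 0 on success, otherwise the number of the step that failed. */
static int demo(void)
{
	struct kernsym *s = &sym_sys_fadvise64_64;
	void *hook = (void *)tpe_sys_fadvise64_64;
	if (symbol_hijack(s, "sys_fadvise64_64", hook) != 0)
		return 1;
	if (symbol_hijack(s, "sys_fadvise64_64", hook) != -EBUSY)
		return 2;                     /* double hijack must be refused */
	if (call_fadvise(3, 1LL << 40, 4096, 2) != 32)
		return 3;                     /* return value not passed through */
	if (seen.calls != 1 || seen.fd != 3 || seen.offset != (1LL << 40) ||
	    seen.len != 4096 || seen.advice != 2)
		return 4;                     /* hook saw wrong arguments */
	symbol_restore(s);
	if (call_fadvise(4, 0, 0, 0) != 40 || seen.calls != 1)
		return 5;                     /* restore failed: hook still runs */
	return 0;
}

int main(void)
{
	int rc = demo();
	printf("hook round trip %s (step %d)\n", rc ? "failed" : "ok", rc);
	return rc;
}
```

Build it with any C compiler; it exits non-zero at the first failing step. Against the real module the equivalent check is one known call, for example posix_fadvise() on a file you opened yourself, compared against the fd, offset and len the hook logs.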