cormander / tpe-lkm

Trusted Path Execution (TPE) Linux Kernel Module

testing on newer kernels? #6

Closed aviadzuc closed 10 years ago

aviadzuc commented 11 years ago

Has anyone tested this on newer kernels? I tried to use this module for a simple "hello world" hijacking of the fadvise() system call. It seems to work fine on kernel 2.6.32 (Ubuntu), but when I try it on kernel 3.8.0 (xubuntu) it doesn't work - I always get the same arguments (in the fadvise() case this means the same file descriptor, same offset, etc.). This suggests accessing the wrong place in memory, or bad registers. I don't know exactly. Has anyone tried this? Besides altering security.c, I had to make some changes to make the code compile on the 3.8.0 kernel, the same changes suggested in the previous issue opened here, after which the code compiled just fine.

Anyway, I'm attaching my security.c code just to demonstrate what I'm trying to do.

// the actual hijacking of system calls, and inserting code
#include "module.h"
#include <linux/blkdev.h>

struct kernsym sym_sys_fadvise64_64;

// sys_fadvise64_64
int tpe_sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice){
    // save old fadvise
    int (*run)(int fd, loff_t offset, loff_t len, int advice) = sym_sys_fadvise64_64.run;

    // loff_t is 64-bit, so it must be printed with %lld, not %d
    printk(PKPRE "*** hijacked fadvise. fd=%d offset=%lld len=%lld advice=%d\n",
           fd, (long long)offset, (long long)len, advice); // ALWAYS THE SAME IN 3.8.0!!!
    return run(fd, offset, len, advice);
}

void printfail(const char *name) {
    printk(PKPRE "warning: unable to implement protections for %s\n", name);
}

struct symhook {
    char *name;
    struct kernsym *sym;
    unsigned long *func;
};

// find symbols in /proc/kallsyms
struct symhook security2hook[] = {
    {"sys_fadvise64_64", &sym_sys_fadvise64_64, (unsigned long *)tpe_sys_fadvise64_64},
};

// hijack the needed functions. whenever possible, hijack just the LSM function

void hijack_syscalls(void) {

    int ret, i;

    for (i = 0; i < ARRAY_SIZE(security2hook); i++) {
        ret = symbol_hijack(security2hook[i].sym, security2hook[i].name, security2hook[i].func);

        // only report success when the hijack did not fail
        if (IN_ERR(ret))
            printfail(security2hook[i].name);
        else
            printk(PKPRE "%s hijacked successfully!\n", security2hook[i].name);
    }

}

void undo_hijack_syscalls(void) {
    int i;

    for (i = 0; i < ARRAY_SIZE(security2hook); i++)
        symbol_restore(security2hook[i].sym);
}
cormander commented 10 years ago

Working on this now, will have a new build cut soon. Look in the coming weeks for a new release.