uboot and kernel entry point, load address for booting kernel from FIT image
Hi list,

uboot requires that the kernel entry point and load address be specified in the FIT spec. I thought this info should be somewhere in System.map. Can you help me find the entry point in System.map, or perhaps in the vmlinux file?

ThanX

___
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
Why do some user space programs write to writable pages of other processes?
I am in the process of developing a patch to restrict a process's ability to write to another process's read-only pages. I have sent this patch to the kernel-hardening list and am waiting for comments (this is my first patch to the kernel):
https://www.openwall.com/lists/kernel-hardening/2019/08/24/1

Meanwhile I started to explore the idea of restricting a process from writes to write-enabled pages of another process's VMA. To my surprise (I am not that experienced) many processes (systemd-journal, Xorg, dbus-server, konsole) were caught by the highlighted if below, but the system continues to WORK NORMALLY! Can somebody comment, please?

Here is the code snippet of function arch_vma_access_permitted():

    static inline bool arch_vma_access_permitted(struct vm_area_struct *vma,
                                                 bool write, bool execute,
                                                 bool foreign)
    {
            /* Forbid write to PROT_READ pages of foreign process */
            if (write && foreign && (!(vma->vm_flags & VM_WRITE)))
                    return false;

            /* Forbid write to write-enabled pages of foreign process */
            if (current->mm && current->mm != vma->vm_mm) {
                    if (current->in_execve)
                            return true;
                    pr_err("FOREIGN WRITE? current->mm != vma->vm_mm pid %d\n",
                           current->pid);
                    return false;
            }
            /* The archived message ends here; the function's tail is
             * completed below as in the unmodified kernel version, which
             * permits every other access. */
            return true;
    }
Solved: Help: get_user_pages_remote - succeeds on QEMU, Oops on Android 9 board
The problem was how I converted the received page address to a kernel address. I need to do it with kmap(). Now all works again.

16.04.2019, 17:17, "Lev Olshvang":
> Hello all,
>
> I need to remap 1 page from user space to kernel and I use get_user_pages_remote for this purpose:
>
>     ret = get_user_pages_remote(tsk, tsk->mm, offset, 1, 0, &page, NULL);
>
> Kernel is 4.9.88.
>
> I compiled the module for an Arm Vertex board and ran it under QEMU with no problem. But on Android 9 with this exact kernel I got an Oops:
>
>     Unable to handle kernel paging request at virtual address fe002000
>     pgd = d8c14000
>     [fe002000] *pgd=
>     Internal error: Oops: 5 [#1] PREEMPT SMP ARM
>
> I checked config files and did not find any difference (almost, except balloon) in memory related configs.
>
> Does anybody have a clue what the problem is here?
>
> Regards,
> Lev
Help: get_user_pages_remote - succeeds on QEMU, Oops on Android 9 board
Hello all,

I need to remap 1 page from user space to kernel and I use get_user_pages_remote for this purpose:

    ret = get_user_pages_remote(tsk, tsk->mm, offset, 1, 0, &page, NULL);

Kernel is 4.9.88.

I compiled the module for an Arm Vertex board and ran it under QEMU with no problem. But on Android 9 with this exact kernel I got an Oops:

    Unable to handle kernel paging request at virtual address fe002000
    pgd = d8c14000
    [fe002000] *pgd=
    Internal error: Oops: 5 [#1] PREEMPT SMP ARM

I checked config files and did not find any difference (almost, except balloon) in memory related configs.

Does anybody have a clue what the problem is here?

Regards,
Lev
Re: What will happen if 2 processes map same physical page
Hello Okash,

Actually there were 3 questions. The third question is: Is there any way to tell the kernel that the PTE of the same physical page should be equal in all processes? For example, a shared lib mapped from different processes to the same physical page must have the same PTE, isn't it? And the presence of the SELinux feature SELINUX_CHECKREQPROT_VALUE indicates to me that the kernel somehow knows the correct page protections (although I do not see in the code how it is done).

But the question might be rephrased: IMHO the kernel should mandate the same PTE flags no matter how many virtual mappings were made to the same physical page. What do you think?

21.03.2019, 13:45, "Okash Khawaja":
> On Thu, 21 Mar 2019 12:56:17 +0300
> Lev Olshvang wrote:
>
>> Hi Vaaldis,
>>
>> Thanks for answer,
>> I am still wondering whether the kernel will allow a write to a read-only
>> page of a shared library while it is mapped to several processes?
>> The kernel knows that the page's reference count is >1; will it allow
>> mmap/mprotect to change page protection? Or will it allow a direct
>> write by physical address? I suppose that the CPU should raise a page fault
>> when a write is made to a read-only page.
>>
>> What is the sequence: the CPU raises a page fault before the write to the page or
>> after the data is written? Will the CPU wait until the kernel considers what
>> to do, whether to agree and change the PTE "writable" bit to 1? Or
>> may the kernel disagree and raise SEGFAULT?
>
> Note that each process has its own PTE. So PTE in one process may say
> the page is writable and PTE in another process may say it's read-only.
>
>> I checked in the handle_mm_fault() calls for
>> arch_vma_access_permitted() which just returns true on most
>> architectures, which is very strange and contradicts my prediction of
>> SEGFAULT. arch_vma_access_permitted() returns true when it sees that
>> access is made from a foreign process?
>> https://elixir.bootlin.com/linux/latest/ident/arch_vma_access_permitted
>>
>> I am totally confused.
>>
>> What do you think?
>>
>> Regards,
>> Lev
>
> It looks like there are two separate questions in the email.
>
> 1) Will kernel allow the same physical page to be mapped as read-only
> in one process and as read-write in another process?
>
> 2) How page fault is generated?
>
> Answer for first is yes. Same physical page can be mapped with
> different permissions in two different processes. It means read-only
> process will ultimately (hopefully very soon) notice changes made by
> read-write process.
>
> Answer for second question is a bit complicated. However there is a
> trick to it. Once we know that, rest will become clear automatically.
> The trick (at least for x86 systems) is that permissions are maintained
> at two different levels:
>
> - VMA level
> - PTE level (or PUD level for larger page size but that is not relevant
> here)
>
> When a page in memory is accessed, permission on corresponding VMA is
> checked first. If the access is allowed by VMA then PTE permissions are
> checked. Otherwise segfault is generated. If permissions at PTE level
> don't match the access type then a page fault is generated. That's when
> page fault handler kicks in and tries to resolve the problem by faulting
> the page into RAM, copying the page in RAM (for copy-on-write) etc.
>
>> 20.03.2019, 20:08, "Valdis Klētnieks":
>> > On Wed, 20 Mar 2019 16:42:39 +0300, Lev Olshvang said:
>> >> The question is: is it possible in Linux/MMU/TLB that 2 processes
>> >> map to the same physical address?
>> >
>> > Totally possible. That's how mmap shared memory works, and why
>> > shared libraries are possible.
>> >
>> >> Will CPU or TLB discover that second process tries to reach
>> >> occupied physical page?
>> >
>> > Well, the hardware won't discover it as a "second" process, it only
>> > knows it's processing *this* memory access.
>> >
>> >> What if first process set page permission to read and second
>> >> wants to write to this page?
>> >
>> > Perfectly OK - the two processes have separate page table mappings,
>> > with separate permission bits. So (for example) physical page
>> > 0x17F000 is mapped to virtual address 0x2034D000 with read-only
>> > permission in process 1's page tables, and to virtual address
>> > 0x98FF3000 with read-write permission in process 2's page tables.
>> > No problem.
>> >
>> > (And before you ask, yes it's possible for process 2 to running on
>> > one core doin
Re: What will happen if 2 processes map same physical page
Hi Vaaldis,

Thanks for answer,
I am still wondering whether the kernel will allow a write to a read-only page of a shared library while it is mapped to several processes? The kernel knows that the page's reference count is >1; will it allow mmap/mprotect to change page protection? Or will it allow a direct write by physical address? I suppose that the CPU should raise a page fault when a write is made to a read-only page.

What is the sequence: the CPU raises a page fault before the write to the page or after the data is written? Will the CPU wait until the kernel considers what to do, whether to agree and change the PTE "writable" bit to 1? Or may the kernel disagree and raise SEGFAULT?

I checked in the handle_mm_fault() calls for arch_vma_access_permitted() which just returns true on most architectures, which is very strange and contradicts my prediction of SEGFAULT. arch_vma_access_permitted() returns true when it sees that access is made from a foreign process?
https://elixir.bootlin.com/linux/latest/ident/arch_vma_access_permitted

I am totally confused.

What do you think?

Regards,
Lev

20.03.2019, 20:08, "Valdis Klētnieks":
> On Wed, 20 Mar 2019 16:42:39 +0300, Lev Olshvang said:
>> The question is: is it possible in Linux/MMU/TLB that 2 processes map to
>> the same physical address?
>
> Totally possible. That's how mmap shared memory works, and why shared
> libraries are possible.
>
>> Will CPU or TLB discover that second process tries to reach occupied
>> physical page?
>
> Well, the hardware won't discover it as a "second" process, it only knows it's
> processing *this* memory access.
>
>> What if first process set page permission to read and second wants to write
>> to this page?
>
> Perfectly OK - the two processes have separate page table mappings, with
> separate permission bits. So (for example) physical page 0x17F000 is mapped to
> virtual address 0x2034D000 with read-only permission in process 1's page
> tables, and to virtual address 0x98FF3000 with read-write permission in process 2's
> page tables. No problem.
>
> (And before you ask, yes it's possible for process 2 to be running on one core
> doing a write to the page at the exact same time that process 1 is doing a
> read on another core. Depending on the hardware cache design, this may or may not
> get process 1 updated data. This is why locking and memory barriers are
> important. See Documentation/memory-barriers.txt for more details)
>
> "And then there's the Alpha" - a processor design that got much of its speed
> by being weird about this stuff. :)
>
>> Perhaps during context switch all page access permissions of first process
>> is flushed out from MMU?
>
> Actually, the kernel just points the MMU at a new set of page table entries
> and lets the TLB reload as needed. In particular, on most architectures, the kernel
> tries really hard to ensure that all processes share at least part of their page table
> mappings so the kernel is always mapped at the same place, meaning that there's a better
> chance that on a syscall, the TLB already has hot entries for large parts of the
> kernel so no TLB reloads are needed.
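Valdis's point above (one physical page, two mappings, two independent sets of permission bits) can be checked directly from user space. The C program below is an added example, not code from the thread. It stands in for the two processes with two VMAs in one process, since each mapping gets its own PTEs either way; it backs both with a temporary file created by mkstemp (an assumption: /tmp must be writable), writes through the read-write view, reads the bytes back through the read-only view, and then shows that a store through the read-only view is refused by the MMU and arrives as SIGSEGV, which is what the kernel's fault handler raises once the VMA and PTE permission checks it describes fail. The function and variable names are the example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

static sigjmp_buf fault_env;
static volatile sig_atomic_t fault_seen;

/* SIGSEGV handler: record the fault and unwind out of the faulting store. */
static void on_segv(int sig)
{
    (void)sig;
    fault_seen = 1;
    siglongjmp(fault_env, 1);
}

/* Attempts a one-byte store through `view`. Returns 1 if the store was
   refused with SIGSEGV (the PTEs of that mapping carry no write permission),
   0 if the store went through. */
static int store_through_mapping_faults(volatile char *view)
{
    struct sigaction sa, old;
    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_segv;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old);

    fault_seen = 0;
    if (sigsetjmp(fault_env, 1) == 0)
        view[0] = 'X';              /* faults when the mapping is read-only */

    sigaction(SIGSEGV, &old, NULL);
    return fault_seen;
}

/* Maps one page of a temporary file twice: a read-write view and a
   read-only view of the same physical page. Returns 0 when the data written
   through the RW view is visible through the RO view, the RO view rejects
   stores and the RW view accepts them; a nonzero bitmask otherwise. */
int dual_mapping_demo(void)
{
    long page = sysconf(_SC_PAGESIZE);
    char path[] = "/tmp/dualmapXXXXXX";   /* assumption: /tmp is writable */
    int fd = mkstemp(path);
    if (fd < 0)
        return 1;
    unlink(path);                          /* the inode lives on via fd only */
    if (ftruncate(fd, page) != 0)
        return 2;

    char *rw = mmap(NULL, page, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    char *ro = mmap(NULL, page, PROT_READ, MAP_SHARED, fd, 0);
    if (rw == MAP_FAILED || ro == MAP_FAILED)
        return 4;

    int rc = 0;
    strcpy(rw, "written via RW view");
    /* Same physical page, so the RO view sees the bytes at once. */
    if (strcmp(ro, "written via RW view") != 0)
        rc |= 8;
    /* Same physical page, but this VMA's PTEs lack the write bit. */
    if (!store_through_mapping_faults(ro))
        rc |= 16;
    /* The RW view keeps its own PTEs with the write bit set. */
    if (store_through_mapping_faults(rw))
        rc |= 32;

    munmap(rw, page);
    munmap(ro, page);
    close(fd);
    return rc;
}
```

The two mmap() calls answer the original question in miniature: the kernel tracks permissions per mapping (VMA flags and the PTEs installed for it), not per physical page, so a page-level reference count greater than one does not stop one view from being writable while another is read-only.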
What will happen if 2 processes map same physical page
Hi all,

The question is: is it possible in Linux/MMU/TLB that 2 processes map to the same physical address? Will the CPU or TLB discover that the second process tries to reach an occupied physical page? What if the first process sets page permission to read and the second wants to write to this page? Perhaps during context switch all page access permissions of the first process are flushed out from the MMU?

I confess I do not know what exactly happens in the TLB and between Linux's and the hardware's view of pages. I am particularly interested in ARMv7; perhaps its architecture has some solutions to these questions.

Regards,
Lev
Re: Finding all modules which consume kernel lib?
There is also the modules.dep file which depmod builds. You can just grep it to find which modules depend on it.

10:29 AM, March 9, 2019, Greg KH:
> On Sat, Mar 09, 2019 at 12:07:00AM -0800, Andy Nicholas wrote:
>> Hello,
>>
>> Is there a website or service or tool or package or script or something which allows me to determine which pieces of the compiled kernel (especially modules) contained the source-code changes I might make to any given directory? Like a kernel-code dependency graph website?
>>
>> For instance, assume I made a change to code in net/wireless/. How do I figure out which pieces of the kernel or modules get linked against the library built from this directory? I could attempt to trace the kernel's build output line-by-line and then grep through the output looking for which other code is linking against cfg80211. That is way too tedious. In this case I would like to know which kernel modules I would need to, potentially, re-test because I apply a patch to this directory without examining the build logs.
>
> Just look at the build logs, it will show you exactly what gets rebuilt when you touch a single file (or multiple files.) That's the simplest way to do what you want here.
>
> good luck!
>
> greg k-h

--
Sent from Yandex.Mail for mobile
Re: writes to /dev/kmsg
Can you please elaborate, what are you trying to synchronize? I suppose messages from your driver are uniquely identified?

19.02.2019, 19:42, "Constantine Shulyupin":
> I write to /dev/kmsg when it is needed to synchronize UM and driver's logs.
>
> On Tue, Feb 19, 2019 at 3:34 PM Lev Olshvang <levon...@yandex.com> wrote:
>> Kernel documentation describes the interface
>> https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg
>>
>> I wonder what kind of applications use it? Why does somebody need to use kmsg instead of syslog? Can anybody give an example of such an application?
>>
>> Regards,
>> Lev
>>
>> ___
>> Linux-il mailing list
>> linux...@cs.huji.ac.il
>> http://mailman.cs.huji.ac.il/mailman/listinfo/linux-il
>
> --
> Constantine Shulyupin
> http://www.MakeLinux.co.il/
> Embedded Linux Systems
> Tel Aviv
writes to /dev/kmsg
Kernel documentation describes the interface
https://www.kernel.org/doc/Documentation/ABI/testing/dev-kmsg

I wonder what kind of applications use it? Why does somebody need to use kmsg instead of syslog? Can anybody give an example of such an application?

Regards,
Lev
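To make the /dev/kmsg interface from the linked ABI document concrete, here is an added C example (not code from the thread). It does the two things an application uses the device for: it writes a user-space marker into the kernel log with a `<level>` prefix, which is what lets a daemon's events land in dmesg in sequence with its driver's printk output (the use Constantine describes in the reply), and it parses the record format that reading /dev/kmsg returns, `priority,sequence,timestamp,flags;message`, where continuation lines starting with a space carry KEY=VALUE pairs. The sample records are constructed for the example and the function names are its own. Writing needs permission on /dev/kmsg, so kmsg_write reports failure instead of assuming root.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

struct kmsg_record {
    int level;                 /* low 3 bits of the priority field */
    int facility;              /* remaining bits of the priority field */
    unsigned long long seq;    /* 64-bit sequence number */
    unsigned long long usec;   /* monotonic timestamp in microseconds */
    char flags[8];             /* '-' or a continuation flag such as 'c' */
    char message[256];         /* text after ';' (\x escapes left as-is) */
};

/* Constructed sample of what read(2) on /dev/kmsg returns: one record per
   read, continuation lines (leading space) carry KEY=VALUE pairs. The third
   record, priority 14, is what a user-space "<6>..." write looks like:
   facility 1 (user), level 6. */
static const char SAMPLE_KMSG[] =
    "6,339,5140900,-;NET: Registered protocol family 10\n"
    " SUBSYSTEM=acpi\n"
    " DEVICE=+acpi:PNP0A03:00\n"
    "14,340,5141000,-;mydaemon: handshake started\n"
    "4,341,5141500,c;mydrv: rx fifo overrun\n";

/* Parses the record header that starts at `line` into *rec. Returns 0 on
   success, -1 if the line is not a record header (e.g. a continuation). */
int parse_kmsg_record(const char *line, struct kmsg_record *rec)
{
    const char *end = line + strcspn(line, "\n");
    const char *semi = memchr(line, ';', (size_t)(end - line));
    unsigned prio;
    if (!semi || line[0] == ' ')
        return -1;
    if (sscanf(line, "%u,%llu,%llu,%7[^;]", &prio, &rec->seq, &rec->usec,
               rec->flags) != 4)
        return -1;
    rec->level = (int)(prio & 7);
    rec->facility = (int)(prio >> 3);
    size_t n = (size_t)(end - (semi + 1));
    if (n >= sizeof rec->message)
        n = sizeof rec->message - 1;
    memcpy(rec->message, semi + 1, n);
    rec->message[n] = '\0';
    return 0;
}

/* Parses a buffer of newline-separated records, skipping continuation
   lines. Returns the number of records stored in out[] (at most max_out). */
int parse_kmsg_buffer(const char *text, struct kmsg_record *out, int max_out)
{
    int n = 0;
    const char *line = text;
    while (*line && n < max_out) {
        if (parse_kmsg_record(line, &out[n]) == 0)
            n++;
        const char *nl = strchr(line, '\n');
        if (!nl)
            break;
        line = nl + 1;
    }
    return n;
}

/* Emits `msg` into the kernel log at syslog level `level` (0-7). Each
   write(2) becomes exactly one record, so the marker interleaves with
   printk output in sequence order. Returns 0 on success, -1 if the message
   is too long or /dev/kmsg cannot be opened for writing (usually a
   permission problem). */
int kmsg_write(int level, const char *msg)
{
    char buf[1024];
    int n = snprintf(buf, sizeof buf, "<%d>%s\n", level & 7, msg);
    if (n < 0 || (size_t)n >= sizeof buf)
        return -1;
    int fd = open("/dev/kmsg", O_WRONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    ssize_t w = write(fd, buf, (size_t)n);
    close(fd);
    return w == n ? 0 : -1;
}
```

Reading the device for real works the same way as parsing SAMPLE_KMSG: open /dev/kmsg read-only, read into a buffer of at least a few KiB (each read returns one whole record, continuation lines included), and hand the buffer to parse_kmsg_buffer; the sequence numbers are what let you order a driver's messages against the daemon's own markers.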
SELinux, LSM and ima_policy rules
Hello everybody.

I learned recently that the IMA kernel security subsystem can be integrated with LSMs, such as SELinux, Smack, ...
https://sourceforge.net/p/linux-ima/wiki/Home/
https://www.kernel.org/doc/Documentation/ABI/testing/ima_policy

It has been present in the kernel since v3.8, but Google does not know much about the usability. Does anybody have any experience or references which I can read to learn restrictions, performance impact or just use cases?

ThanX!
Lev.
Security - What can be done in kernel to disable forever executable memory modification
Hi All,

The fact that the text segment could be modified is bad news from the security standpoint. For example, in order to set a breakpoint GDB should map a text segment with the MAP_PRIVATE flag, which allows the kernel to ignore the dirty bit that the MMU sets on this page. Somewhere in the middle of this mapping, perhaps in mprotect, permission bits of the page's PTE entry are modified as well from their original RO+X to RWX. I am not sure whether it is actually happening; perhaps instead new pages are allocated, sort of COW (copy on write).

And here I am getting to the point: Is there any way to disable the change of permission bits of the PTE? Is it possible in the hardware (ARM) or should the kernel be patched?

Regards to All,
Happy new year.
Lev.
Re: How to signal kernel that shared library is not in use by any process anymore?
Hi Lior,

Thanks for your time and code example. Shachar Shemesh explained to me a couple of simple things I had forgotten. You can find his replies in this thread, but the bottom line: I do not need to signal the kernel. The kernel memory manager will discover that pages are not active (each page has an active bit) so it will use them whenever a get free page request is received.

And the second option is to look up the mapped memory for this lib in /proc/pid/maps and issue a munmap() call. Simple and easy.

Thanks for giving it a thought.
Lev

08.01.2019, 05:52, "Lior Okman":
> On Fri, Dec 21, 2018 at 4:21 PM Lev Olshvang <levon...@yandex.com> wrote:
>> Hi All,
>>
>> I have an executable (C++) which is the exclusive user of some shared library that it uses only during the initialization phase.
>> I would like to free memory used by this shared library, because I am running on an embedded system.
>> How can I achieve this?
>> I know that dlopen() will load the shared library, and hope that a following dlclose() will free this lib's memory.
>
> According to the dlclose (2) man page:
>
> "The function dlclose() decrements the reference count on the dynamically loaded shared object referred to by handle. If the reference count drops to zero, then the object is unloaded. All shared objects that were automatically loaded when dlopen() was invoked on the object referred to by handle are recursively closed in the same manner.
>
> A successful return from dlclose() does not guarantee that the symbols associated with handle are removed from the caller's address space. In addition to references resulting from explicit dlopen() calls, a shared object may have been implicitly loaded (and reference counted) because of dependencies in other shared objects. Only when all references have been released can the shared object be removed from the address space."
>
>> 1. Still I do not know what method should be used to make the dynamic linker look again into the executable and resolve symbols of the newly appeared symbols?
>
> If you are using the dlopen/dlclose functions, you are responsible for symbol resolution for symbols provided by your shared object. After you get a handle from dlopen(), you need to call dlsym() in order to get a pointer to your symbol. You can then call that symbol when you need it.
>
>> 2. And how to tell the dynamic linker ld-linux.so to postpone the symbol resolution until dlopen() will load the library?
>
> When you use dlopen() your compilation shouldn't need to resolve any symbols from your dlopen()-ed libraries.
>
>> 3. Whether to compile and link the executable with this library or leave unresolved symbols?
>
> You shouldn't have any unresolved symbols, nor should you link to your library during compilation.
>
> I guess the best thing is to show an example:
>
> Given the following library source (printint.c):
>
>     #include <stdio.h>
>
>     void printint(int num)
>     {
>         printf("Called with num=%d \n", num);
>     }
>
> Create a shared object from it using
>
>     gcc -shared -fPIC -o libprintint.so printint.c
>
> Now consider the following test program (main.c) which uses printint with dlopen (removed most of the error handling for clarity here):
>
>     #include <dlfcn.h>
>
>     typedef void printint(int num);
>
>     int main(int argc, char *argv[])
>     {
>         void *handle = NULL;
>         handle = dlopen("./libprintint.so", RTLD_LAZY);
>         if (handle == NULL) {
>             // use dlerror to find out what went wrong
>             return -1;
>         }
>         printint *sym = NULL;
>         sym = (printint *)dlsym(handle, "printint");
>         if (sym == NULL) {
>             // use dlerror to find out what went wrong
>             return -1;
>         }
>         sym(argc);
>         dlclose(handle);
>         return 0;
>     }
>
> You compile this program like this:
>
>     gcc main.c -ldl -o a.out
>
> You can verify that the program doesn't dynamically link to libprintint.so by running "ldd ./a.out". When you run it with libprintint.so in the same directory it will load the shared library and call the correct function.
>
>> Waiting for your advises,
>> Lev.
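Lev's second option, locating the library in /proc/pid/maps, needs a parser for that file's line format (`start-end perms offset dev inode [path]`). The C below is an added example, not code from the thread: it collects every mapping whose backing path ends with a given library name, sums the address space those mappings cover, and can run the same scan over the live /proc/self/maps of the calling process. The sample lines are constructed for the example and the function names are its own. Greg's and Lior's answers above still hold: dlclose() is the supported way to drop a dlopen()ed library, and munmap()ing ranges behind the dynamic linker's back leaves its own link records pointing at memory that is gone, so the scan is most useful for confirming what dlclose() actually released (the library's lines disappear from the file) rather than as a substitute for it.

```c
#include <stdio.h>
#include <string.h>

struct map_range {
    unsigned long long start, end;  /* [start, end) virtual address range */
    char perms[5];                  /* e.g. "r-xp" */
};

/* Constructed sample in /proc/<pid>/maps format: a main binary, a library
   with four segments, an anonymous mapping and the stack. */
static const char SAMPLE_MAPS[] =
    "55d4c3e00000-55d4c3e01000 r--p 00000000 fd:01 262401 /home/lev/app\n"
    "55d4c3e01000-55d4c3e02000 r-xp 00001000 fd:01 262401 /home/lev/app\n"
    "7f3a1c000000-7f3a1c001000 r--p 00000000 fd:01 393301 /usr/lib/libprintint.so\n"
    "7f3a1c001000-7f3a1c002000 r-xp 00001000 fd:01 393301 /usr/lib/libprintint.so\n"
    "7f3a1c002000-7f3a1c003000 r--p 00002000 fd:01 393301 /usr/lib/libprintint.so\n"
    "7f3a1c003000-7f3a1c004000 rw-p 00002000 fd:01 393301 /usr/lib/libprintint.so\n"
    "7f3a1c004000-7f3a1c006000 rw-p 00000000 00:00 0\n"
    "7ffd5e7c0000-7ffd5e7e1000 rw-p 00000000 00:00 0 [stack]\n";

/* Scans maps-format text and stores every range whose backing path ends
   with `libname`. Returns the number of ranges stored (at most max_out). */
int find_library_ranges(const char *maps_text, const char *libname,
                        struct map_range *out, int max_out)
{
    int n = 0;
    size_t ll = strlen(libname);
    const char *line = maps_text;
    while (*line && n < max_out) {
        size_t len = strcspn(line, "\n");
        char buf[512];
        if (len >= sizeof buf)
            len = sizeof buf - 1;
        memcpy(buf, line, len);
        buf[len] = '\0';

        unsigned long long start, end;
        char perms[5] = "", path[256] = "";
        /* fields: start-end perms offset dev inode [path]; the path is
           optional, so anonymous mappings yield 3 conversions and no path */
        if (sscanf(buf, "%llx-%llx %4s %*s %*s %*s %255s",
                   &start, &end, perms, path) >= 3) {
            size_t pl = strlen(path);
            if (ll > 0 && pl >= ll && strcmp(path + pl - ll, libname) == 0) {
                out[n].start = start;
                out[n].end = end;
                memcpy(out[n].perms, perms, sizeof out[n].perms);
                n++;
            }
        }
        line += len;
        if (*line == '\n')
            line++;
    }
    return n;
}

/* Total bytes of address space the library occupies in `maps_text`. */
unsigned long long library_mapped_bytes(const char *maps_text, const char *libname)
{
    struct map_range r[64];
    int n = find_library_ranges(maps_text, libname, r, 64);
    unsigned long long total = 0;
    for (int i = 0; i < n; i++)
        total += r[i].end - r[i].start;
    return total;
}

/* Same scan over the live /proc/self/maps of the calling process.
   Returns -1 if the file cannot be read. */
int live_library_ranges(const char *libname, struct map_range *out, int max_out)
{
    static char text[1 << 16];
    FILE *f = fopen("/proc/self/maps", "r");
    if (!f)
        return -1;
    size_t got = fread(text, 1, sizeof text - 1, f);
    fclose(f);
    text[got] = '\0';
    return find_library_ranges(text, libname, out, max_out);
}
```

A typical check is to call live_library_ranges("libprintint.so", ...) before and after dlclose(): a count of 0 afterwards confirms the loader unmapped it, while a count that stays at 4 means something else still holds a reference, exactly the case the dlclose man page quoted above warns about.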
mount /proc at boot as read-only
Hello all,

I am trying to harden the embedded system. Is it possible and safe to mount the /proc file system in read-only mode, and how to do this?

I have an embedded system with systemd where /proc is mounted rw. I suspect that systemd mounts it when it begins to bootstrap user space. On my currently idle and small embedded board and on QEMU I was able to remount /proc read-only. But when I changed fstab to mount it read-only it is still mounted rw,relatime after reboot.

So who mounts it first? Is it hardcoded in systemd when it starts as the process with PID 1, or in the kernel?

Regards,
Lev
How to forbid user space and kernel executable pages from becoming writable?
I am researching this issue and I am confused with the findings.

Some articles, e.g. https://shanetully.com/2013/12/writing-a-self-mutating-x86_64-c-program/ state that mprotect() can change the protection of an executable section. As I understand, the pte entry has page protection bits set to RO, so mprotect should change the pte which is loaded to the MMU/TLB. Why can the kernel not refuse to perform this mprotect() call? Why do we not have kernel config options to forbid user-space mutable code as a security feature?

From the other side, when the run-time linker or elf_loader loads the executable it uses MAP_DENYWRITE which protects the executable file from being overwritten. But writing to executable text will make the page dirty and require the write-back which is disabled by MAP_DENYWRITE. (Or it might be disabled for other processes except current, I am not sure?)

To add to the confusion, the following quote from the LWN article https://lwn.net/Articles/422487/ about CONFIG_DEBUG_SET_MODULE_RONX: "Marking the kernel module pages as RO and/or NX is important not only because it is consistent with how the rest of the kernel pages are handled"

Digging deeper I see that ARM since kernel version 4.11 has CONFIG_STRICT_KERNEL_RWX, and as I understand it is enforced in hardware. But I am not sure that some variant of pte_clear(), pte_mkexec() can not disable it.

So let me cut to the final question: Suppose I want to cut off dynamic code instrumentation, like ftrace and friends. Is it achievable, at least on the ARM architecture, to enforce RO+X in hardware or kernel?

Thanks to all folks for reading till this point.

Regards
Lev
Re: How to signal kernel that shared library is not in use by any process anymore?
Hello Greg,

Thanks for your reply. It helps me to better express my question.

From the application I can access /proc/self/maps and see which memory is mapped for my library that I do not intend to use after the application passes the init phase. I would like to unmap this memory region, but since I do not have a file descriptor for this I can not do this. Only the kernel can unmap this memory for me; I am willing to pass the library name or address to a system call, but IMHO such a system call does not exist.

Should I rely on the memory manager, which will reuse these pages because they will never be page faulted back? I am afraid that since this is a C++ lib, some pages are modified and will not be considered clean?

Thanks again for your precious time. Perhaps somebody from the list can respond too.

Thank you all
Lev

21.12.2018, 18:31, "Greg KH":
> On Fri, Dec 21, 2018 at 05:20:36PM +0300, Lev Olshvang wrote:
>> Hi All,
>>
>> I have an executable (C++) which is the exclusive user of the some shared
>> library that it uses only during the initialization phase.
>>
>> I would like to free memory used by this shared library, because I am
>> running on embedded system.
>>
>> How can I achieve this?
>>
>> I know that dlopen() will load shared library, and hope that following
>> dlclose() will free this lib memory.
>
> That right there is how you "achieve" this, call dlclose() and all will
> be fine. If your system needs the memory that was being used, it will
> reclaim it from the memory that was previously being used by the library
> at this point in time.
>
> Nothing else needs to be done.
>
> Have you tested this and found it not to work properly?
>
>> 1. Still I do not know what method should be used to make dynamic linker
>> look again into executable and resolve symbols of the newly appeared symbols
>> ?
>
> What "newly appeared symbols"?
>
> If you need to load the library again, call dlopen().
>
>> 2. And how to tell the dynamic linker ld-linux.so to postpone the symbol
>> resolution until dlopen() will load the library?
>
> It will not happen until you tell it to, right?
>
>> 3. Whether to compile and link executable with this library or leave
>> unresolved symbols?
>
> It sounds like you don't really know what type of problem you are trying
> to solve here.
>
> Back up, what is the real issue you are having with the kernel at this
> point in time?
>
> thanks,
>
> greg k-h
Re: In a process context kernel_read returns -EINTR, how to proceed?
I use the security_mmap_file hook.

21.12.2018, 19:15, "valdis.kletni...@vt.edu":
> On Fri, 21 Dec 2018 16:51:29 +0300, Lev Olshvang said:
>
>> I need to read file inside LSM hook and I can not do it in user space
>
> Why? And which LSM hook are you trying to do this?
How to signal kernel that shared library is not in use by any process anymore?
Hi All,

I have an executable (C++) which is the exclusive user of some shared library that it uses only during the initialization phase.

I would like to free memory used by this shared library, because I am running on an embedded system.

How can I achieve this?

I know that dlopen() will load the shared library, and hope that a following dlclose() will free this lib's memory.

1. Still I do not know what method should be used to make the dynamic linker look again into the executable and resolve symbols of the newly appeared symbols?

2. And how to tell the dynamic linker ld-linux.so to postpone the symbol resolution until dlopen() will load the library?

3. Whether to compile and link the executable with this library or leave unresolved symbols?

Waiting for your advice,
Lev.
Re: In a process context kernel_read returns -EINTR, how to proceed?
Hi Valdis,

I need to read a file inside an LSM hook and I can not do it in user space.

I forgot to mention that the same error occurred both in 4.4 and 4.13 kernels.

What alternative can you recommend to read a file in the kernel and avoid -EINTR? Is vfs_read() different from kernel_read()?

ThanX
Lev

20.12.2018, 23:09, "valdis.kletni...@vt.edu":
> On Thu, 20 Dec 2018 13:33:09 +0300, Lev Olshvang said:
>> I use kernel_read to read file in chunks of 4K size in a process context
>> On several files, like libc, libm, I got -EINTR error.
>
> What are you trying to accomplish? This is not a recommended way to do things.
>
>> I do not understand who may interrupt such a small read, I suppose these
>> libraries are already mapped in other processes so no real I/O should be
>> done.
>
> That should be a hint
In a process context kernel_read returns -EINTR, how to proceed?
Hi All,

I use kernel_read to read a file in chunks of 4K size in a process context. On several files, like libc, libm, I got a -EINTR error. Then I repeated the attempt a limited number of times, but still on every read attempt I got -EINTR.

I do not understand who may interrupt such a small read; I suppose these libraries are already mapped in other processes so no real I/O should be done.

In user space it is recommended to repeat the syscall; what is the proper course of action in the kernel? As I stated, this code is not in a kernel thread or atomic context, it is in a process context, so I tried yield() before the next attempt, but to no success.

Waiting for your advice.

Thx,
Lev
Re: Why do existing filesystem encryption tools not limit run-time file access while user/session might be used?
Hi Valdis,

I am afraid I did not clearly explain myself. I want run-time protection of one special user from any other users of the same board (embedded device). This user will import a key from the HSM to a keyring, and the LSM will provide only him access to the HSM. Actually I am not sure whether an LSM is a proper mechanism to do it; I will be glad if you can enlighten me. But I continue to my point.

This specific user A starts a service daemon and receives a key from the HSM which he puts as the session key into the keyring and uses it to decrypt files. When superpowered user B does su to become user A he will discover himself in a different session which does not have user A's key. So the trick with B> sudo A -c /bin/bash cat secretfile will not work.

I think many developers like me already thought of this method; I wonder why eCryptfs does not provide such a solution? Perhaps I have a fundamental issue about exclusive HSM access, whether it is possible?

ThanX for your time. Please continue to share your thoughts with me.
Lev,

07.12.2018, 23:59, "valdis.kletni...@vt.edu":
> On Fri, 07 Dec 2018 23:13:45 +0300, Lev Olshvang said:
>
>> Existing file encryption tools, like dm-crypt, fscrypt and eCryptfs provide only
>> encryption of files only until file system is mounted. (data at rest)
>> The moment it became mounted, every user of computer can try to access the data.
>
> There's this thing called "threat model" - what are you trying to protect, and
> who are you protecting from.
>
> Most filesystem encryption is designed to defend against a stolen device such
> as a laptop, so that the thief cannot read the data.
>
>> I do not understand why linux kernel key belonging to only one user can not be
>> used at every read/write to decrypt data only for him?
>> Evidently I do not understand the reason why mount of user home directory during
>> login (Ubuntu's eCryptfs) do not use user's session kernel key to allow only holder
>> of this key to encrypt/decrypt files?
>
> Note - a *session* kernel key doesn't work, because those change session to
> session, and thus there's no guarantee that they'll function as a key to
> decrypt files that last across multiple sessions. For a thought experiment,
> figure out how to have 2 sessions with different keys to both be able to
> decrypt the same file. A lot harder than it looks. So you end up using a
> reasonably permanent key for the files.
>
> Now you're talking a different threat model - two users who distrust each other
> on the same powered-on system. However, this proposed crypto behavior doesn't
> provide any *actual* additional security over and above the already existing
> permission bits and ACLs.
>
> Consider two users A and B, and a file /home/a/secretfile that's owned by A and
> mode 600. B is an attacker, who can't read secretfile because of the
> permissions.
>
> Now let's say that B gets root. Now they can bypass the permissions and read
> secretfile. However, adding a permanent kernel key and crypto doesn't add
> security, because unless you have a whole mess of other things in place (for
> instance SELinux) preventing root from doing so, B-as-root can just 'sudo A
> /bin/bash' and get access.
>
> So the short answer of why we don't do it - because you have to do a lot of
> *other* hardening to make it impossible to bypass it, and that adds to the
> total cost (in sysadmin time and other factors). So unless you have some
> *really* valuable data to protect it's not worth the effort.
>
> And usually, it's a heck of a lot cheaper to just buy a whole second server so
> A and B are on different hardware which neutralizes things like Spectre attacks
> as well
Why do existing filesystem encryption tools not limit run-time file access, when the user/session could be used?
Hi All, Existing file encryption tools, like dm-crypt, fscrypt and eCryptfs, provide encryption of files only until the file system is mounted (data at rest). The moment it becomes mounted, every user of the computer can try to access the data. I do not understand why a Linux kernel key belonging to only one user cannot be used at every read/write to decrypt data only for him? Evidently I do not understand the reason why the mount of the user home directory during login (Ubuntu's eCryptfs) does not use the user's session kernel key to allow only the holder of this key to encrypt/decrypt files? Thx, Lev
When does the kernel delete an unused kernel module from RAM?
Hi list, I have seen many times that the kernel keeps a kernel module with a reference count of 0 in a running system until an explicit rmmod command is entered. Is there any way to require that an unused module be removed from the kernel by the kernel itself? I mean, might there exist some sysctl parameter or configuration option or OOM policy to configure such behavior? Please advise. Lev.
How does CONFIG_DEFAULT_SECURITY affect the precedence of decisions between LSM and Linux DAC?
One of the choices of security options proposes to select the default security, CONFIG_DEFAULT_SECURITY. The user can select traditional Unix DAC or one of the LSMs. Suppose CONFIG_DEFAULT_SECURITY_DAC=y is selected. I wonder how it affects LSM policy decisions?

Let's take file permissions, file fs/namei.c, kernel 4.8: __inode_permission ---> do_inode_permission --> generic_permission:

    /*
     * Do the basic permission checks.
     */
    ret = acl_permission_check(inode, mask);
    if (capable_wrt_inode_uidgid(inode, CAP_DAC_READ_SEARCH))
        return 0;
    ...
    retval = do_inode_permission(inode, mask);
    if (retval)
        return retval;
    ...
    retval = devcgroup_inode_permission(inode, mask);
    if (retval)
        return retval;
    return security_inode_permission(inode, mask);

From reading the code we see that first the file ACL is consulted, then Unix UID/GID, then capabilities and finally security_inode_permission, i.e. the LSM. So the questioned config option seems obsolete? Is the LSM always consulted last? Am I right? Perhaps I miss another code path?
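As an added illustration (not code from the thread and not kernel code), the following user-space C model reproduces the ordering the post traces through fs/namei.c: owner/group/other bits and the CAP_DAC_OVERRIDE / CAP_DAC_READ_SEARCH overrides are evaluated first, and only then an ordered list of LSM hooks, each of which can refuse but never grant. The struct and function names mirror the kernel's but are deliberately small re-implementations, and the deny_write_gid1000 policy is an assumed example rule. Running it shows that with no LSM hooks registered (the CONFIG_DEFAULT_SECURITY_DAC case, where no major LSM is enabled by default) the DAC verdict is final, and that a hook cannot override a DAC refusal because the LSM is only reached after DAC has passed.

```c
/* User-space model of the DAC-then-LSM ordering in inode_permission().
 * Added illustration code: names mirror the kernel's, logic is a small
 * re-implementation, not a copy of fs/namei.c. */
#include <stdio.h>
#include <errno.h>
#include <stdbool.h>

#define MAY_EXEC  0x01
#define MAY_WRITE 0x02
#define MAY_READ  0x04

/* The two capability bits generic_permission() consults. */
#define CAP_DAC_OVERRIDE    (1u << 0)
#define CAP_DAC_READ_SEARCH (1u << 1)

struct inode { unsigned mode; unsigned uid, gid; bool is_dir; };
struct cred  { unsigned uid, gid; unsigned caps; };

/* DAC: rwx bits for owner/group/other, then the capability overrides. */
static int dac_permission(const struct cred *c, const struct inode *i, int mask)
{
    unsigned mode = i->mode;
    if (c->uid == i->uid)      mode >>= 6;
    else if (c->gid == i->gid) mode >>= 3;
    if ((mask & ~(mode & 7)) == 0)
        return 0;
    /* CAP_DAC_OVERRIDE: everything except exec of a file with no x bit at all. */
    if ((c->caps & CAP_DAC_OVERRIDE) &&
        (!(mask & MAY_EXEC) || i->is_dir || (i->mode & 0111)))
        return 0;
    /* CAP_DAC_READ_SEARCH: read any file, read/search any directory. */
    if ((c->caps & CAP_DAC_READ_SEARCH) &&
        !(mask & MAY_WRITE) && (i->is_dir || !(mask & MAY_EXEC)))
        return 0;
    return -EACCES;
}

/* Stacked LSM hooks: the first one that refuses ends the check. */
typedef int (*lsm_hook_t)(const struct cred *, const struct inode *, int mask);

static int inode_permission(const struct cred *c, const struct inode *i, int mask,
                            lsm_hook_t *hooks, int nhooks)
{
    int ret = dac_permission(c, i, mask);
    if (ret)
        return ret;          /* the LSM never sees an access DAC already refused */
    for (int k = 0; k < nhooks; k++) {
        ret = hooks[k](c, i, mask);
        if (ret)
            return ret;      /* an LSM can only subtract permissions */
    }
    return 0;
}

/* Assumed example policy: no writes to files group-owned by gid 1000. */
static int deny_write_gid1000(const struct cred *c, const struct inode *i, int mask)
{
    (void)c;
    return ((mask & MAY_WRITE) && i->gid == 1000) ? -EACCES : 0;
}

/* A hook that "grants" everything changes nothing: DAC ran first. */
static int allow_all(const struct cred *c, const struct inode *i, int mask)
{
    (void)c; (void)i; (void)mask;
    return 0;
}

/* Decision for a fixed file (root-owned, group 1000, mode 0640). */
int check(bool with_lsm, unsigned uid, unsigned caps, int mask)
{
    struct inode file = { .mode = 0640, .uid = 0, .gid = 1000, .is_dir = false };
    struct cred  c    = { .uid = uid, .gid = 1000, .caps = caps };
    lsm_hook_t hooks[] = { allow_all, deny_write_gid1000 };
    return inode_permission(&c, &file, mask, hooks, with_lsm ? 2 : 0);
}

int main(void)
{
    printf("DAC only,  uid 1000 write:            %d\n", check(false, 1000, 0, MAY_WRITE));
    printf("DAC only,  root write:                %d\n", check(false, 0, 0, MAY_WRITE));
    printf("DAC+LSM,   root write:                %d\n", check(true, 0, 0, MAY_WRITE));
    printf("DAC+LSM,   uid 1000 read:             %d\n", check(true, 1000, 0, MAY_READ));
    printf("DAC+LSM,   uid 1000 + DAC_OVERRIDE write: %d\n",
           check(true, 1000, CAP_DAC_OVERRIDE, MAY_WRITE));
    return 0;
}
```

The last case is the one worth remembering: CAP_DAC_OVERRIDE satisfies DAC, but the LSM hook still refuses, because capabilities are part of the DAC stage and an LSM decision is taken afterwards.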
Re: Backporting stacked security patch
Hi Greg, Thanks for the reply. While the diff between the two kernels is indeed tremendous, the commits which were done in the security subsystem do not look too big. There are 7 commits, and 2 of them are about comments and one about a file deletion. I see that in 4.1 Smack was changed (a couple of commits), about 12 commits in SELinux and Smack were changed in 4.0, and in 3.19 only IMA was changed. So the job is to apply a very limited number of commits, and the commits of 4.1 or 4.0 are not important for me because I am interested only in AppArmor stacking. Perhaps I am overlooking some basic issue? As I stated, I have no option to come to the customer and ask to upgrade his kernel, but I will try to draw his attention to the cessation of security updates you mentioned. Best Regards, Lev

30.10.2018, 17:32, "Greg KH":
> On Tue, Oct 30, 2018 at 02:43:12PM +0300, Lev Olshvang wrote:
>> Hi All,
>>
>> A week ago I asked the list about the kernel 4.2 stacked security patch
>> location, but
>> Greg strongly advised me against it, without going into details.
>> I highly appreciate Greg's advice, and I know he is a very busy person.
>> Unfortunately I do not have a choice to upgrade the kernel, and I am asking
>> again:
>> - what are the major challenges of such a backport?
>> Has kernel security changed so much between 3.18 and 4.2?
>
> $ git log --no-merges v3.18..v4.2 | grep "^commit " | wc -l
> 48573
>
> That's over 48 thousand changes between those kernels. That's a
> non-trivial thing to review and backport only parts of it.
>
> And if you were to backport only parts of it, then you would be dealing
> with a kernel that only you can support, not the company/vendor that is
> forcing you to stick with 3.18. Why not ask them to do this work for
> you as they are the ones you are paying for this type of work already?
>
> Also, why 3.18? That's a very old and obsolete kernel already, never
> use that for any new type of device, you are guaranteed to have problems
> with it as I'll probably stop doing security updates for it any week
> now...
>
> good luck!
>
> greg k-h
Backporting stacked security patch
Hi All, A week ago I asked the list about the kernel 4.2 stacked security patch location, but Greg strongly advised me against it, without going into details. I highly appreciate Greg's advice, and I know he is a very busy person. Unfortunately I do not have a choice to upgrade the kernel, and I am asking again: - what are the major challenges of such a backport? Has kernel security changed so much between 3.18 and 4.2? The link is https://kernelnewbies.org/Linux_4.2#Stacking_of_security_modules Regards, Lev
stap shows kfree() is called 5 times more than kmalloc(), how can this be?
Hello all, I am debugging a kernel module and use SystemTap to monitor requested and freed memory. I see that the SystemTap statistics show that kfree() is called 5 times more often than kmalloc(). It happens not only with my module, it happens with the VirtualBox vboxsf driver as well. See the hit counts below:

    kmalloc hits: 21561
    kfree hits: 102175
    - probe hit report:
    kernel.function("__kmalloc@mm/slub.c:3706"), (./kmalloc_argus.stp:10:1), hits: 21561, cycles: 21228min/52226avg/334688max, from: kernel.function("__kmalloc@mm/slub.c:3706") from: kernel.function("__kmalloc"), index: 0
    kernel.function("__kmalloc@mm/slub.c:3706").return, (./kmalloc_argus.stp:25:1), hits: 21561, cycles: 18843min/51228avg/406816max, from: kernel.function("__kmalloc@mm/slub.c:3706").return from: kernel.function("__kmalloc").return, index: 1
    kernel.function("kfree@mm/slub.c:3843"), (./kmalloc_argus.stp:38:1), hits: 102175, cycles: 400min/1557avg/499754max, from: kernel.function("kfree@mm/slub.c:3843") from: kernel.function("kfree"), index: 2

Please comment. Lev
How to make Linux stop all processes/activities except the one I am benchmarking?
Hello all list readers, newbies and experts! I would like to measure CPU consumption and disk read latency for a single application. I know I can use CPU affinity to bind the application to a CPU, but I am not sure whether it is exclusive with respect to other processes. Of course the simplest way which comes to my mind is to send SIGPAUSE to all processes except mine. But I think that many system processes including systemd will just ignore it, and so new processes might be forked while kill works. The more fancy way might be to use the freezer cgroup, but I am just speculating because I know the concept only. And the question of measuring IO: since the application reads a file in a filesystem, there might be other users of the filesystem (let's disregard kernel fs code, since I believe it is very efficient and works with small objects like dentries (which are in RAM) and inodes). But other applications might read/write to this file system unless I have a means to pause them. Please advise. Regards, Lev
How to assess how much stack space a kernel function may use?
Hello all, I am writing a kernel module function that calls a VFS function, so I am not aware how deep the kernel stack can grow due to my calls. I need to take 512 bytes for some processing, and I know the kernel stack is 4K only. My function is also part of a calling chain, so I do not know how much stack is used before my function is called. What data can I get from the kernel during compilation and at run time about stack utilization to help me in the estimation? Lev
Re: How to unwind stack to seek for specific caller?
03.08.2018, 15:42, "valdis.kletni...@vt.edu":
> On Fri, 03 Aug 2018 15:14:45 +0300, Lev Olshvang said:
>
>> But I need to find out whether my function y() was called from linux kernel
>> function x().
>
> What problem are you trying to solve? If it's your function, don't you already
> *know* which functions call it?
>
> And if being called from code A requires different behavior than if it was
> called from B, the *right* answer is to create a flag and pass it. That
> requires less code, is simpler than trying to unwind the stack, and makes it
> easier if 6 months from now you add a call from routine C.
>
> For an example, see the memory-allocation flags GFP_ATOMIC and similar - if
> you're adding another call site that needs it, you just add GFP_ATOMIC to the
> flags.
>
> And I'm willing to bet that most of those GFP_ flags were *all* originally "we
> have to do something special if we try to do memory allocation from That One
> Problem Spot. :)

Hi Valdis, Thanks for the reply. Now I see I missed explaining that my function x() in my module might be called from kernel functions foo() or bar() which I do not own (function my_x() is sort of a callback). Since I can not change the foo() or bar() code and add flags, I need to inspect the stack. I am confused to see in the kernel code that there are objects new to me, of type kernel dumper, which need to be registered in order to get dump_stack() output. So I appeal to the list's wisdom to seek advice. Thanks All. Lev
How to unwind stack to seek for specific caller?
Hello all, I know that I can print the stack of a function using dump_stack(). But I need to find out whether my function y() was called from Linux kernel function x(). I see that the kmsg_dump_get_buffer() function can get kernel messages, but it is not clear to me whether I should use it before calling dump_stack or whether I need to do additional setup before calling these 2 functions? Regards, Lev
mmap patch works in Virtualbox, not in QEMU
Hi, I have a strange problem testing my patch. I work in VirtualBox on Windows running Ubuntu 16.10. I downloaded Buildroot and built a QEMU x86_64 environment with kernel 4.9. I applied my patch to mmap (added MAP_DENYWRITE for shared libraries) before building the kernel. Then I ran qemu with the patched kernel image, but there was no effect of MAP_DENYWRITE. So I decided to check VirtualBox Ubuntu. I applied the same patch and built a new Ubuntu kernel. Then I rebooted the VirtualBox machine and selected the new kernel; the kernel worked as expected, rejecting attempts to change a shared library while in use. Please advise. Lev.
Dangling/orphaned shared library as MAP_DENYWRITE result (BUG?)
Hello list, I applied the MAP_DENYWRITE flag to shared objects (kernel 4.8). I compiled a test shared library and a small executable which uses it. Then the executable which uses it works as expected, and any attempt to change the shared library is rejected with an ETXTBSY error. But when the executable terminated, the library is still busy. I thought that the kernel would clean the inode counters if nobody else references it (and this is my case - I am the only user of this lib). Is this behaviour a BUG? I mean the reference count is zero, but the kernel did not zero i_writecount? I suppose that the memory is unmapped, but how can I confirm it? (I do not have a pid for pmap.) Regards, Lev
Re: Why is replacing a running executable file forbidden, but overwriting a memory-mapped shared object allowed?
10.11.2017, 22:06, "valdis.kletni...@vt.edu" <valdis.kletni...@vt.edu>:
> On Fri, 10 Nov 2017 21:04:22 +0300, Lev Olshvang said:
>
>> I am going to patch inode reference count of mapped shared libs
>
> Congrats. You just corrupted your file system.
>
> Hint 1: What happens if you decrement the count by one unnecessarily,
> and later on, probably during system shutdown, the reference count drops
> to zero instead of one?
>
> Hint 2: What happens if you incremented the count, and at system shutdown,
> there's still a reference left when the kernel tries to unmount and sync the
> filesystem?

Hi Valdis, Now you make things clearer to me and I start to see the problem. The difference between an executable and a file is that an executable may crash, while a shared lib can not. Still it is unknown to me what happens with opened files and mmaped files when a crash occurs. I used to think that the kernel decreases reference counts and closes files whether the application exits normally or crashes.

Now I add some facts about executables from kernel code:

    fs/binfmt_misc.c: deny_write_access(interp_file);
    fs/exec.c: err = deny_write_access(file);
    fs/exec.c: ret = deny_write_access(file);

And I found the following explanation in an old kernel list archive: https://lists.gt.net/linux/kernel/222875

> The reason the kernel refuses to honour it, is that MAP_DENYWRITE is an
> excellent DoS-vehicle - you just mmap("/etc/passwd") with MAP_DENYWRITE,
> and even root cannot write to it.. Very nasty.

And I am still confused because shared libraries are mapped with the PROT_EXEC flag, and so they differ from a regular file like /etc/passwd and generally have -r-x file system permissions. Regards, Lev
Re: Why is replacing a running executable file forbidden, but overwriting a memory-mapped shared object allowed?
10.11.2017, 19:24, "valdis.kletni...@vt.edu" <valdis.kletni...@vt.edu>:
> On Fri, 10 Nov 2017 16:30:17 +0300, Lev Olshvang said:
>
>> But the attempt to replace shared object library succeeded, and I do not
>> understand the logic of this decision
>
> You might want to do an lsof after such an upgrade, and ponder what
> *really* happened.
>
> Hint 1: How do you do this in a way that doesn't break currently running
> binaries?
>
> Hint 2: Do you see the string '(deleted)' in the lsof output? What does it
> mean?
>
>> I want to patch my kernel to forbid shared objects live replacement. ( as I
>> said I worry about security issue)
>
> Attackers doing that is the least of your problems. If your system is
> correctly set up, if an attacker manages to get to a point where this attack
> is feasible, you're *already* in deep trouble even before they do a live
> replacement.
>
> For bonus points - you're probably worrying about the wrong security issue,
> because you're probably only thinking about the *obvious* problem. The trouble
> is that even if you forbid live replacement of a .so, that's *not* the only
> attack surface.
>
> Phrack ran an interesting article many years ago on how to inject a module
> into a Linux kernel *even if the kernel was built with CONFIG_MODULE=n*.
>
> http://phrack.org/issues/58/7.html#article
>
> (The important part isn't the exact mechanism - that SucKIT code from 16
> years ago probably won't work on a 4.14 kernel. But it illustrates the
> out-of-box thinking the attacker can use - and that you'll have to defend
> against.
>
> How did Emacs in times gone by do an 'unexec()' to write out an executable
> image of itself, as the state was after startup?
>
> What can you over-write by setting /proc/sys/kernel/core_pattern, forking,
> and then forcing a coredump in the child process?
>
> Can you combine the techniques to splat a .so that's currently in use?

Hi Valdis, Thank you for the prompt response. I am afraid you did not quite understand my question. I am going to patch the inode reference count of mapped shared libs to disable overwrite, because I do not see any other solution given the requirements I got: prevent overwrite by simple tools like dd. I agree with you that this is not enough to protect the system, but this is just one line of defense. I understand that it is hard not to crash a running executable by changing a lib under the hood, but hackers can repeatedly crash programs until the desired result is achieved. I am not a seasoned kernel developer; there are a lot of things I do not know about the kernel. I would like to consult with the list whether incrementing the inode nlink_count of shared libraries in the same way as is done for executables will break things in the kernel.
Why is replacing a running executable file forbidden, but overwriting a memory-mapped shared object allowed?
Hi list, The reason for my question is mainly the security context. Here is the story. If you ever tried to replace an executable file with a new image, the message "executable is busy" appeared and the operation failed. But the attempt to replace a shared object library succeeded, and I do not understand the logic of this decision. Besides being a security hole, I do not see any legitimate use except for live patching of shared objects. I do not know whether a production or mission-critical system may take the risk of live patching, but a development system would do a library update by stopping the dependent application first. I saw in the kernel archives that some years ago the decision was made to withdraw the restriction on shared object live replacement, and I would like to know what the reasons were, because I want to patch my kernel to forbid shared object live replacement (as I said, I worry about the security issue). Regards, Lev
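To make the behaviour discussed in this thread observable, here is an added C demonstration for Linux (not code from the thread). It copies /bin/sleep to a temporary file, executes the copy, and shows that opening that file for writing fails with ETXTBSY because execve() took deny_write_access() on it. It then mmap()s a temporary file PROT_READ|PROT_EXEC, the way ld.so maps a shared library, and shows that the same open succeeds because nothing took deny_write_access() on a plain mapping. Finally it replaces the mapped file the way package managers do (unlink, then a new inode under the same name) and reads the mapping afterwards, which still returns the old bytes: that old inode is what lsof lists as "(deleted)". The use of /tmp and of /bin/sleep or /usr/bin/sleep are assumptions about the machine it runs on.

```c
/* Added demonstration, not thread code: ETXTBSY on a running executable
 * versus a writable, merely mmap()ed PROT_EXEC file, and why rename-style
 * replacement leaves the old mapping intact. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

static int last_old_mapping_intact;   /* set by mapped_file_write_errno() */

/* Create /tmp/denywrite-XXXXXX (assumed writable) and return its fd. */
static int make_tmp(char *path, size_t len)
{
    snprintf(path, len, "/tmp/denywrite-XXXXXX");
    return mkstemp(path);
}

/* Copy src into the open temp file; returns 0 on success. */
static int copy_file(const char *src, int out)
{
    int in = open(src, O_RDONLY);
    if (in < 0) return -1;
    char buf[65536]; ssize_t n;
    while ((n = read(in, buf, sizeof buf)) > 0)
        if (write(out, buf, n) != n) { close(in); return -1; }
    close(in);
    return n < 0 ? -1 : 0;
}

/* errno from open(O_WRONLY), or 0 if the open succeeded. */
static int open_write_errno(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    close(fd);
    return 0;
}

/* Execute a private copy of sleep(1), then try to open it for writing. */
int running_exe_write_errno(void)
{
    char path[64];
    const char *sleep_bin = access("/bin/sleep", X_OK) == 0 ? "/bin/sleep" : "/usr/bin/sleep";
    int fd = make_tmp(path, sizeof path);
    if (fd < 0 || copy_file(sleep_bin, fd) < 0 || fchmod(fd, 0755) < 0) return -1;
    close(fd);

    int sync[2];                       /* CLOEXEC pipe: write end vanishes on exec */
    if (pipe2(sync, O_CLOEXEC) < 0) return -1;
    pid_t pid = fork();
    if (pid == 0) {
        execl(path, "sleep", "30", (char *)NULL);
        _exit(127);
    }
    close(sync[1]);
    char c;
    while (read(sync[0], &c, 1) > 0)   /* EOF once execve() has replaced the child */
        ;
    close(sync[0]);

    int err = open_write_errno(path);  /* deny_write_access() is in force: ETXTBSY */
    kill(pid, SIGKILL);
    waitpid(pid, NULL, 0);
    unlink(path);
    return err;
}

/* mmap a file PROT_EXEC (as ld.so does for a .so) and try to open it for writing. */
int mapped_file_write_errno(void)
{
    char path[64], page[4096];
    int fd = make_tmp(path, sizeof path);
    if (fd < 0) return -1;
    memset(page, 'A', sizeof page);
    if (write(fd, page, sizeof page) != (ssize_t)sizeof page) return -1;
    char *m = mmap(NULL, sizeof page, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    close(fd);
    if (m == MAP_FAILED) return -1;

    int err = open_write_errno(path);  /* nobody denied write access: succeeds (0) */

    /* Package-manager style replacement: a new inode under the old name. */
    unlink(path);
    int nfd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    memset(page, 'B', sizeof page);
    if (nfd < 0 || write(nfd, page, sizeof page) != (ssize_t)sizeof page) return -1;
    close(nfd);
    last_old_mapping_intact = (m[0] == 'A');   /* the mapping still sees the old inode */

    munmap(m, sizeof page);
    unlink(path);
    return err;
}

int old_mapping_intact(void) { return last_old_mapping_intact; }

int main(void)
{
    printf("running executable: open(O_WRONLY) errno %d (ETXTBSY is %d)\n",
           running_exe_write_errno(), ETXTBSY);
    printf("mmap'ed PROT_EXEC file: errno %d, old mapping intact after replace: %d\n",
           mapped_file_write_errno(), old_mapping_intact());
    return 0;
}
```

Note what the second half implies for the "overwrite with dd" worry: dd truncating the file in place is what changes the bytes a running process sees, whereas unlink-and-recreate never touches the pages the old mapping refers to.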
How do inodes of /proc and /sys keep the same number on a given system?
Hello all, I observe that between reboots the inode numbers of files in the /proc and /sys filesystems stay the same. I need to know whether I can rely on this in my program, and under what conditions this assumption becomes incorrect? Would the inode number be the same on another system flashed from the same image? I mean, when I create 10 embedded devices, will the /proc inode numbers of the same files be the same on all devices? Best regards, Lev
Why is the inode reference count i_count = 1 for all executables and libraries?
Hello dear list members! I have a hook in the Linux security ops on bprm_check_security() and I print the i_count of the inode inside my hook. I started several instances of the cat utility, but the i_count stays equal to 1, while the write count decreases into negative numbers.

    printk("INODES: %s, %p, %ld, ", filename, dentry->d_inode, dentry->d_inode->i_ino);
    printk("%d, %d, %d\n", atomic_read(&dentry->d_inode->i_count),
           atomic_read(&dentry->d_inode->i_dio_count),
           atomic_read(&dentry->d_inode->i_writecount));

The inode number printed by this code snippet correctly points to my /bin/cat utility (verified with the stat command). So I am very puzzled; I see that the code of fs/namei.c increments and decrements i_count. Is there any reason that the i_count of executables and shared objects is not reference counted? Is there another method by which I can distinguish between a first-time execution and a repeated one? Thank you. Lev.
How to make per process firewall ?
Hi all, I would like to constrain a process (by name) or a group of processes to a specific network interface and to a specific port. Please advise if there is some cgroups controller or netfilter module for this? ThanX, Lev
monitor of SEGFAULT processes
Thank you Greg and others for advising on my first question. I am writing a monitor subsystem, and here is the question: Is it possible from a kernel module or from user space to monitor which processes were terminated abnormally? I understand that trap gates are initialized to handle it, fill trap_info, then sig_info and send a signal to the faulting process. Is it correct to place a hook in this chain? Probably in signal.c: next_signal()? If so, what is the proper method, e.g. jprobe? ThanX
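As an added example (not from the thread), this C program shows the user-space side of the question: a supervisor that only needs to know how its own children died needs no kernel hook at all, because the wait status returned by waitpid() already encodes whether the child exited, was killed by a signal, which signal it was, and whether a core dump was written. The set of signals treated as a "crash" below is an assumption (the synchronous fault signals plus SIGABRT and SIGTRAP); the three child bodies are constructed test cases.

```c
/* Added example, not thread code: classify child terminations from the
 * waitpid() status without any kernel-side hook. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { EXITED, CRASHED, KILLED, UNKNOWN };

struct report {
    enum outcome what;
    int code_or_signal;   /* exit code for EXITED, signal number otherwise */
    int core_dumped;
};

/* Signals a supervisor would normally treat as a crash (assumed set). */
static int is_crash_signal(int sig)
{
    return sig == SIGSEGV || sig == SIGBUS || sig == SIGILL ||
           sig == SIGFPE  || sig == SIGABRT || sig == SIGTRAP;
}

/* Decode a raw wait status into a report. */
struct report classify(int status)
{
    struct report r = { UNKNOWN, 0, 0 };
    if (WIFEXITED(status)) {
        r.what = EXITED;
        r.code_or_signal = WEXITSTATUS(status);
    } else if (WIFSIGNALED(status)) {
        int sig = WTERMSIG(status);
        r.code_or_signal = sig;
        r.core_dumped = WCOREDUMP(status) ? 1 : 0;   /* depends on RLIMIT_CORE */
        r.what = is_crash_signal(sig) ? CRASHED : KILLED;
    }
    return r;
}

/* Run fn in a forked child, reap it and report how it terminated. */
struct report run_child(void (*fn)(void))
{
    pid_t pid = fork();
    if (pid == 0) { fn(); _exit(0); }
    int status = 0;
    waitpid(pid, &status, 0);
    return classify(status);
}

/* Constructed test children. */
static void child_ok(void)     { _exit(3); }
static void child_segv(void)   { volatile int *p = NULL; *p = 1; }  /* real page fault */
static void child_killed(void) { kill(getpid(), SIGKILL); pause(); }

int main(void)
{
    const char *names[] = { "exited", "crashed", "killed", "unknown" };
    struct report r[3] = { run_child(child_ok), run_child(child_segv), run_child(child_killed) };
    for (int i = 0; i < 3; i++)
        printf("%-7s code/signal=%d core=%d\n", names[r[i].what], r[i].code_or_signal, r[i].core_dumped);
    return 0;
}
```

For processes that are not children of the monitor, the same status arrives through different channels (the parent's wait status, or the kernel's exit notification), but the decoding of the value is identical.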
Re: How to get the filename of the execve() system call from a kernel module which installs a hook into the syscall table to intercept the original syscall, in kernels before 4.2 and after 4.2? X86_64
Hi Greg, Thank you for the prompt reply. My intention is to build some heuristics for intrusion detection on embedded systems based on the sequence of syscalls. I am collecting syscall events and sending them with netlink to my monitor. Since the platform may use SELinux or another LSM, I thought the syscall hook is the only point I can use to catch syscalls. Is it the wrong direction? I was googling and reading kernel git logs trying to find out why execve, clone and fork use assembly glue code instead of calling sys_execve like other syscalls. Can you give me some pointer where to look? Regards, Lev.

07.03.2017, 22:23, "Greg KH" <g...@kroah.com>:
> On Mon, Mar 06, 2017 at 10:18:26AM +0300, Lev Olshvang wrote:
>> Hello all, In kernels 3.X up to 4.2 the execve() system call for the x86_64 architecture was made through some magic (I can't say I understand it) assembly stub in arch/x86/kernel/entry_64.S, so up to kernel 4.2 it was possible to patch this assembly to install the hook, e.g. see http://stackoverflow.com/questions/8372912/hooking-sys-execve-on-linux-3-x/9672512#9672512
>> But this hook still can't access the filename argument in a proper way, although I tried to do it in the same way as fs/exec.c does: using the kernel's getname() function (which I needed to find through kallsyms_lookup_name()).
>> In kernels 4.2 and up, arch/x86/kernel/entry_64.S is gone, and I still don't have a clue what to do to get the filename as a char string.
>
> Why do you want to hook a syscall? that's a very complex, and broken,
> and ill-advised thing to do. Please don't do that.
>
> What problem are you trying to solve here that led you to think that
> putting a syscall hook in is a good solution?
>
> thanks,
>
> greg k-h
How to get the filename of the execve() system call from a kernel module which installs a hook into the syscall table to intercept the original syscall, in kernels before 4.2 and after 4.2? X86_64
Hello all, In kernels 3.X up to 4.2 the execve() system call for the x86_64 architecture was made through some magic (I can't say I understand it) assembly stub in arch/x86/kernel/entry_64.S, so up to kernel 4.2 it was possible to patch this assembly to install the hook, e.g. see http://stackoverflow.com/questions/8372912/hooking-sys-execve-on-linux-3-x/9672512#9672512 But this hook still can't access the filename argument in a proper way, although I tried to do it in the same way as fs/exec.c does: using the kernel's getname() function (which I needed to find through kallsyms_lookup_name()). In kernels 4.2 and up, arch/x86/kernel/entry_64.S is gone, and I still don't have a clue what to do to get the filename as a char string. Please advise. Lev.