不同系统调用中行为不均

时间:2018-09-30 18:00:11

标签: c linux linux-kernel hook kernel-module

我正在一个项目中挂接到系统调用。当用户尝试打开文件时,如果当前任务(“黑名单”的pid或tgid)有可能将文件泄漏出主机,我希望sys_open阻止该操作。

无论如何,该挂钩本身在 sys_read sys_write 上都可以正常工作(我在虚假函数中有一些 printk 作为指标)。

但是,当我尝试挂接sys_open函数时,什么都没有打印出来-意味着覆盖未成功。 我在覆盖前后打印了sys调用的地址,所以这可能不是问题。

我对挂钩不同功能时导致不均匀行为的原因感到困惑。

很高兴在这里提供一些输入。 谢谢!

dmesg输出示例:

钩子写入时-

  

...

     

[2989.500485]是我写的...

     

[2989.500585]在我的文章中...

当钩子打开时,注意到打印了,但是这里有些“调试”输出-

  

[890.709696]找到地址00000000103d42f6

     

[890.709697]之前的地址-0000000006d29c3a

     

[890.709698]-00000000a5117c6a之后的地址

     

[948.533339]再见!!

使用lubuntu vm(内核v 4.15.0.20)。

这是源代码:

#include <linux/init.h>             // Macros used to mark up functions e.g., __init __exit
#include <linux/module.h>           
#include <linux/kernel.h>           
#include <linux/slab.h>
#include <linux/types.h>
#include <linux/syscalls.h>
#include <linux/sched.h>
#include <asm/uaccess.h>
#include <asm/unistd.h>
#include <asm/page.h>
#include <linux/kallsyms.h>
#include <linux/semaphore.h>
#include <asm/cacheflush.h>
#include <linux/set_memory.h>
#include <linux/cred.h>
#include <linux/user.h>


MODULE_LICENSE("GPL");                                     
MODULE_AUTHOR("ABC"); 
MODULE_VERSION("0.1");



asmlinkage long (*original_call)( char __user *filename, int flags, umode_t mode);    // for read or  write:  (unsigned int fd, char __user *buf, size_t count);
asmlinkage long my_sys_READ(unsigned int fd, char __user *buf, size_t count);
asmlinkage long my_sys_WRITE(unsigned int fd, char __user *buf, size_t count);
asmlinkage long my_sys_OPEN( char __user *filename, int flags, umode_t mode);

unsigned long* find_sys_call_table(void);
void set_page_rw( unsigned long addr);
void set_page_ro( unsigned long addr);
const struct cred *_cred = NULL ; 
struct user_struct *user =NULL ;
unsigned long* sys_call_table = NULL;


void set_page_rw(unsigned long addr)
{

    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    if (pte->pte &~ _PAGE_RW) pte->pte |= _PAGE_RW;
}

void set_page_ro( unsigned long addr)
{

    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    pte->pte = pte->pte &~_PAGE_RW;
}

/*
asmlinkage long my_sys_READ(unsigned int fd, char __user *buf, size_t count)
{
    //_cred = current_cred();
    user =  get_current_user();
    if( (int)(*user).uid.val == uid )
    {
        printk(KERN_ALERT"in my read ... hacked !");    
        return original_call(fd,  buf, count);
    }
    printk(KERN_ALERT"in my read ... hacked !");
    return original_call(fd,  buf, count);
}


asmlinkage long my_sys_WRITE(unsigned int fd, char __user *buf, size_t count)
{
    //_cred = current_cred();
    user =  get_current_user();
    if( (int)(*user).uid.val == uid )
    {
        printk(KERN_ALERT"in my write ... hacked !");   
        return original_call(fd,  buf, count);
    }
    printk(KERN_ALERT"in my write ... hacked !");
    return original_call(fd,  buf, count);
}
*/

asmlinkage long my_sys_OPEN( char __user *filename, int flags, umode_t mode)
{

    printk(KERN_ALERT"in my open ... hacked !");
    return original_call(filename, flags, mode);

}

unsigned long* find_sys_call_table(void)  
{
    return   (unsigned long *)kallsyms_lookup_name("sys_call_table");

}


int init_module()
{

    printk(KERN_ALERT "I'm dangerous. I hope you did a ");
    printk(KERN_ALERT "sync before you insmod'ed me.\n");

    sys_call_table = find_sys_call_table();
    printk(KERN_INFO"address found %p \n",sys_call_table);
    original_call = (void *)sys_call_table[__NR_open];
    set_page_rw((unsigned long)sys_call_table);

    printk(KERN_INFO"  Address before -  %p", (void *)sys_call_table[__NR_open]);
    sys_call_table[__NR_open] = (unsigned long)my_sys_OPEN;
    printk(KERN_INFO"  Address after -  %p", (void *)sys_call_table[__NR_open]);
    return 0;
}
/*
* Cleanup − unregister the appropriate file from /proc
*/
void cleanup_module()
{
    /*
    * Return the system call back to normal

    */

    if (sys_call_table[__NR_open] != (unsigned long)my_sys_OPEN) {
        printk(KERN_ALERT "Somebody else also played with the ");
        printk(KERN_ALERT "open system call\n");

    }
    printk(KERN_ALERT "BYE !!!\n");

    sys_call_table[__NR_open] = (unsigned long)original_call;
}

1 个答案:

答案 0 :(得分:2)

您的Ubuntu版本基于glibc 2.27。

glibc版本2.26 switched to implementing open with openat

commit b41152d716ee9c5ba34495a54e64ea2b732139b5
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Fri Nov 11 15:00:03 2016 -0200

    Consolidate Linux open implementation

    This patch consolidates the open Linux syscall implementation on
    sysdeps/unix/sysv/linux/open{64}.c.  The changes are:

      1. Remove open{64} from auto-generation syscalls.list.
      2. Add a new open{64}.c implementation.  For architectures that
         define __OFF_T_MATCHES_OFF64_T the default open64 will create
         alias to required open symbols.
      3. Use __NR_openat as default syscall for open{64}.

因此,除了openat之外,您还必须钩住open

请注意,Linux内核为此fanotify interface的形式提供了适当的接口。如果使用它,则不必担心此类细节。

相关问题
最新问题