cormander / tpe-lkm
Trusted Path Execution (TPE) Linux Kernel Module
License: Other
===============================================================================
Trusted Path Execution (TPE) Linux Kernel Module, Version 2
===============================================================================

About this module

Trusted Path Execution is a security feature that prevents users from executing programs that are not owned by root, or that are writable. This closes the door on a whole category of exploits where a malicious user tries to execute his or her own code to attack the system.

Since this module doesn't use any kind of ACLs, it works out of the box with no configuration. It isn't complicated to test or deploy to current production systems. Just install it and you're done!

===============================================================================
Supported Kernels

Version 2 has been tested on the following systems (x86_64 only):

- RHEL/CentOS 7 (linux-3.10.0)
- Ubuntu 16.04 LTS (linux-4.8.0-39-generic)

Version 1 works on older kernels, as far back as RHEL/CentOS 5 (linux-2.6.18).

This module *should* work on most Linux kernels version 3.10 and above, but has only been verified on the above systems. If you get a compile error or a kernel oops, please contact this module's author.

===============================================================================
Features

* Trusted Path Execution; deny execution of non-root owned or writable binaries

  $ gcc -o exploit exploit.c
  $ chmod 755 exploit
  $ ./exploit
  -bash: ./exploit: Permission denied
  $ dmesg | tail -n1
  tpe: Denied untrusted exec of /home/corey/exploit (uid:500) by /bin/bash (uid:500), parents: /usr/sbin/sshd (uid:500), /usr/sbin/sshd (uid:0), /sbin/init (uid:0). Deny reason: directory uid not trusted

See the "Configuration" section below for how to tweak configuration.
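On the defender side, the denial lines above are the signal worth collecting. The following parser is an added example written for this page (not code from the tpe-lkm project); it turns ring-buffer lines into structured events. The first sample line is the README's own, the log_verbose hint is the one the module prints, and the third, journal-prefixed mmap line is constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the README's denial line, its log_verbose companion,
# and a journal-prefixed mmap denial made up for this example.
SAMPLE_LOG = """\
tpe: Denied untrusted exec of /home/corey/exploit (uid:500) by /bin/bash (uid:500), parents: /usr/sbin/sshd (uid:500), /usr/sbin/sshd (uid:0), /sbin/init (uid:0). Deny reason: directory uid not trusted
tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /home/corey/exploit. To silence this message, run; sysctl tpe.log_verbose = 0
Mar 10 14:48:11 host kernel: tpe: Denied untrusted mmap of /home/corey/plugin.so (uid:500) by /usr/bin/python (uid:500), parents: /bin/bash (uid:500), /sbin/init (uid:0). Deny reason: directory uid not trusted
"""

# Paths are matched as non-whitespace runs, which is how the module prints them;
# a path containing spaces would need a smarter split.
DENIAL = re.compile(
    r"tpe: Denied untrusted (?P<op>\w+) of (?P<path>\S+) \(uid:(?P<uid>\d+)\)"
    r" by (?P<by>\S+) \(uid:(?P<by_uid>\d+)\)"
    r"(?:, parents: (?P<parents>.*?))?\. Deny reason: (?P<reason>.+?)\s*$")
PROC = re.compile(r"(\S+) \(uid:(\d+)\)")


def parse_denial(line):
    """Return a dict for one TPE denial line, or None for anything else
    (the log_verbose hint lines, unrelated kernel messages)."""
    m = DENIAL.search(line)
    if not m:
        return None
    parents = [(p, int(u)) for p, u in PROC.findall(m.group("parents") or "")]
    return {
        "op": m.group("op"),
        "path": m.group("path"),
        "uid": int(m.group("uid")),
        "by": (m.group("by"), int(m.group("by_uid"))),
        "parents": parents,          # nearest ancestor first, as the module logs them
        "reason": m.group("reason"),
    }


def parse_log(text):
    return [e for e in (parse_denial(line) for line in text.splitlines()) if e]


def entry_point(event):
    """Nearest root-owned ancestor in the chain: the daemon that handed the
    session to the user (sshd for an SSH login), which tells you where the
    denied user came in."""
    for proc in [event["by"]] + event["parents"]:
        if proc[1] == 0:
            return proc
    return None


def summarize(events):
    """Count denials per (uid, path) so repeated attempts stand out."""
    counts = defaultdict(int)
    for e in events:
        counts[(e["uid"], e["path"])] += 1
    return dict(counts)


if __name__ == "__main__":
    for ev in parse_log(SAMPLE_LOG):
        print(ev["uid"], ev["op"], ev["path"], "via", entry_point(ev), "-", ev["reason"])
```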
Extra features, also ported from grsecurity (but not TPE related):

* Restrict non-root users from viewing loaded kernel modules

  $ cat /proc/modules
  cat: /proc/modules: Operation not permitted

* Restrict non-root users from viewing the kernel symbol table

  $ cat /proc/kallsyms
  cat: /proc/kallsyms: Operation not permitted

* Restrict non-root users from viewing processes they don't own

  $ ps auxf
  USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
  corey    22450  0.0  0.7  97780  1804 ?        S    14:12   0:00 sshd: corey@pts/1
  corey    22451  0.0  0.7 108288  1884 pts/1    Ss   14:12   0:00  \_ -bash
  corey    22474  0.0  0.4 110184  1044 pts/1    R+   14:12   0:00      \_ ps auxf

* Restrict users from getting the kernel version

  $ uname -a
  GNU/Linux

* Restrict users from running ptrace operations against their own processes

  $ strace -p $$
  strace: attach: ptrace(PTRACE_ATTACH, ...): Permission denied

Most of these are just kernel protections, and the user may be able to get the info via other means if you don't take additional precautions. See the "Configuration" section below for how to enable these extras.

===============================================================================
How it works

This module makes use of the kernel ftrace framework. In a nutshell, ftrace is in charge of the first few bytes of most kernel symbols, and can redirect them to other addresses. TPE instructs ftrace to redirect certain security handlers to TPE code, which then decides whether it's appropriate to continue or not.

===============================================================================
Installation

See the INSTALL file for installation instructions.

===============================================================================
FAQ

See the FAQ file for frequently asked questions.
===============================================================================
Configuration

Although most people will find they don't need to change the default values, you have the option to configure various things in this module at runtime using the sysctl interface to tighten or relax the TPE restrictions. You can see the values in this proc directory:

/proc/sys/tpe/

softmode       - log what would be denied but don't actually deny. default off
strict         - enforce some TPE features even on trusted users. default on
check_file     - check file owner/mode in addition to directory. default on
group_writable - check if the file/directory is group writable. default on
kill           - kill the offending process and its parent when it gets denied execution from TPE, unless it's root. default off
log            - whether to log denied execs to the ring buffer. default on
log_verbose    - log what can be done to allow what was denied. default on
log_max        - maximum parent processes in a single log entry. default 50
log_floodburst - number of log entries before logging is disabled. default 5
log_floodtime  - seconds until re-enabling logging after floodburst. default 5
xattr_soften   - check extended attributes for a soften flag. default on
paranoid       - enforce the trusted path restrictions on root too. default off
trusted_apps   - a list of files, separated by commas, that would otherwise have been denied an exec/mmap/mprotect but are instead allowed to proceed. default empty (off)
hardcoded_path - use with caution! a list of directories, separated by colons, that the trusted path will be restricted to; nothing outside this path may be executed/mmapped. default empty (off)
trusted_gid    - gid of trusted users on whom TPE is not enforced (see strict). default 0 (off)
trusted_invert - changes what "trusted_gid" means; if set, users in the gid will be the only ones on whom TPE is enforced. default 0 (off)
admin_gid      - files belonging to this group are treated as if they're owned by root; TPE is not enforced on them. default 0 (off)
dmz_gid        - users in this gid can't exec anything at all. default 0 (off)

extras/        - directory for additional protections that aren't TPE related.

  ignore_softmode - enable extra features even if softmode is on. default off
  log             - whether to log when extra features are denied. default on
  lsmod           - denies non-root users from viewing loaded kernel modules
  proc_kallsyms   - denies non-root users from viewing /proc/kallsyms
  harden_ptrace   - denies non-root users from running ptrace operations
  hide_uname      - denies non-root users from asking the kernel its version
  ps              - denies non-root users from viewing processes they don't own
  ps_gid          - gid of users who aren't restricted by ps. default 0 (off)
  restrict_setuid - users not in the trusted_gid are denied calls to setuid()

Edit the /etc/sysctl.d/tpe.conf file to change the defaults of these various features.

===============================================================================
Compatibility Issues

Test this module before deploying to a critical system, especially if you're not using a kernel in the above "Supported Kernels" list.

Trusted Path Execution will cause some programs to stop functioning correctly. If it doesn't result in a kernel BUG or other stack trace showing up in dmesg, it's the program that needs fixing, not this module. There are several ways to work around this problem:

1) Set a file attribute on the offending binary to soften the checks, or
2) Tune the module config with the "sysctl" command (see the admin_gid, trusted_gid, and trusted_apps options)

For example:

  $ sudo setfattr -n security.tpe -v "soften_mmap" /usr/bin/gnome-session

or

  $ sudo sysctl tpe.trusted_apps="/usr/bin/gnome-session"

The file attributes "soften_<check>" (where <check> is one of the checks, e.g. mmap, exec, etc.) are the preferred solution, as they only disable that specific check and nothing else.
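To make the interplay of these knobs concrete, here is an added user-space model of the trusted-path decision as the README describes it (example code written for this page, not the module's own logic). The order in which the checks are applied, every deny-reason string other than "directory uid not trusted", and the omission of the strict knob are assumptions of this model.

```python
import stat
from dataclasses import dataclass

ROOT_UID = 0


@dataclass
class Inode:
    """Constructed stand-in for the owner/mode data TPE reads from an inode."""
    path: str
    uid: int
    gid: int
    mode: int              # permission bits, e.g. 0o755
    tpe_xattr: str = ""    # the security.tpe xattr value, e.g. "soften_exec:soften_mmap"


@dataclass
class Config:
    """The sysctl knobs listed above, with the README's defaults ('strict' is not modelled)."""
    softmode: bool = False
    check_file: bool = True
    group_writable: bool = True
    xattr_soften: bool = True
    paranoid: bool = False
    trusted_apps: tuple = ()      # the comma-separated sysctl list, already split
    hardcoded_path: tuple = ()    # the colon-separated sysctl list, already split
    trusted_gid: int = 0
    trusted_invert: bool = False
    admin_gid: int = 0
    dmz_gid: int = 0


@dataclass
class Decision:
    allowed: bool
    reason: str = ""            # the "Deny reason" text; empty when nothing was wrong
    softmode_hit: bool = False  # softmode turned a denial into a log-only event


def _writable(node, cfg):
    # world-writable always counts; group-writable only when the knob is on
    return bool(node.mode & stat.S_IWOTH or (cfg.group_writable and node.mode & stat.S_IWGRP))


def _owner_trusted(node, cfg):
    # root-owned is trusted; admin_gid files are treated as if they were root-owned
    return node.uid == ROOT_UID or (cfg.admin_gid != 0 and node.gid == cfg.admin_gid)


def _user_exempt(gids, cfg):
    # trusted_gid exempts its members; trusted_invert flips that, so only members are enforced against
    if cfg.trusted_gid == 0:
        return False
    member = cfg.trusted_gid in gids
    return (not member) if cfg.trusted_invert else member


def _under_hardcoded_path(path, cfg):
    if not cfg.hardcoded_path:     # an empty list means the restriction is off
        return True
    return any(path.startswith(d.rstrip("/") + "/") for d in cfg.hardcoded_path)


def deny_reason(node, parent, uid, gids, cfg, op="exec"):
    """Deny reason for an exec/mmap/mprotect of `node` (living in directory `parent`)
    by user `uid` with groups `gids`, or "" when it may proceed. The ordering and every
    reason string except "directory uid not trusted" are assumptions made for this example."""
    if cfg.dmz_gid != 0 and cfg.dmz_gid in gids:
        return "user is in dmz gid"
    if uid == ROOT_UID and not cfg.paranoid:
        return ""
    if _user_exempt(gids, cfg):
        return ""
    if not _under_hardcoded_path(node.path, cfg):
        return "file is outside hardcoded path"
    if cfg.xattr_soften and f"soften_{op}" in node.tpe_xattr.split(":"):
        return ""                  # the per-check soften flag wins
    if node.path in cfg.trusted_apps:
        return ""
    if not _owner_trusted(parent, cfg):
        return "directory uid not trusted"
    if _writable(parent, cfg):
        return "directory is writable"
    if cfg.check_file:
        if not _owner_trusted(node, cfg):
            return "file uid not trusted"
        if _writable(node, cfg):
            return "file is writable"
    return ""


def tpe_allow(node, parent, uid, gids, cfg=None, op="exec"):
    # softmode: record what would have been denied, but let it through
    cfg = cfg or Config()
    reason = deny_reason(node, parent, uid, gids, cfg, op)
    if reason and cfg.softmode:
        return Decision(True, reason, softmode_hit=True)
    return Decision(not reason, reason)


# constructed sample inodes, mirroring the README's denial example
HOME_COREY = Inode("/home/corey", uid=500, gid=500, mode=0o755)
EXPLOIT = Inode("/home/corey/exploit", uid=500, gid=500, mode=0o755)
USR_BIN = Inode("/usr/bin", uid=0, gid=0, mode=0o755)
LS = Inode("/usr/bin/ls", uid=0, gid=0, mode=0o755)

if __name__ == "__main__":
    print("defaults:    ", tpe_allow(EXPLOIT, HOME_COREY, 500, {500}))
    print("trusted_apps:", tpe_allow(EXPLOIT, HOME_COREY, 500, {500},
                                     Config(trusted_apps=("/home/corey/exploit",))))
```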
Programs that have been reported to need such measures are:

* wine
* Dropbox
* Gnome Desktop

You can persist these changes by editing the /etc/sysctl.conf file, or adding a conf file of your own in /etc/sysctl.d/

A few notes:

Kernel modules that make use of kernel tracing (ftrace, kprobes, etc) may conflict with this module if they touch the same kernel symbols. The only one I know of is "kpatch".

This module will not work on systems where loadable kernel module support is disabled at compile time (CONFIG_MODULES not being set).

This module requires many LSM hooks in order to work, and will error out when security is disabled at compile time (CONFIG_SECURITY not being set).

If you custom compile your own kernel and want TPE, consider using grsecurity instead of this module.

===============================================================================
BUGS

There are currently no known bugs. If you discover one, please report it to the author.

===============================================================================
Acknowledgements

- kpatch - https://github.com/dynup/kpatch
  Looking at the kpatch implementation, I was able to simplify this module.

- Brad Spengler - http://grsecurity.net/
  Trusted Path Execution is a feature of grsecurity, and I originally pulled code from that project to make this module.

===============================================================================
About the Author

website: http://cormander.com/
github: https://github.com/cormander/
email: corman /AT/ cormander /DOT/ com

===============================================================================
Hey,
First I want to thank you for your work. I was using grsecurity TPE when it was free. Today I found your project and it looks great, but I still have a problem: how do I define a trusted group for users who will be able to run some app or script? How can I set that group?
Thanks !
Hello,
I'm testing this magnificent module; it has some issues with hosting servers, but it's good overall.
Now I'm trying to test harden_symlink, but it's not available in the package via http://elrepo.org/. Should I build it from source to use symlink protection? Any other idea or method?
If I add tpe.extras.harden_symlink it does not work: it is an unknown key.
My package: kmod-tpe-1.0.3-4.el5.elrepo.x86_64, CentOS 5 64-bit.
Any suggestions?
Thanks,
There is an attempt to get TPE into mainline (http://openwall.com/lists/kernel-hardening/2017/06/03/11), partially based on your work. It would be nice if you could add your feedback/review (I'm not the submitter).
Sorry for disturbing you again, but I can't load the tpe module:
sudo modprobe tpe
modprobe: ERROR: could not insert 'tpe': Function not implemented
sudo dmesg |grep tpe
tpe: Unable to insert module, ftrace is not enabled
zcat /proc/config.gz | grep TRACER
# CONFIG_ATH5K_TRACER is not set
CONFIG_NOP_TRACER=y
CONFIG_HAVE_FUNCTION_TRACER=y
CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
CONFIG_TRACER_MAX_TRACE=y
CONFIG_CONTEXT_SWITCH_TRACER=y
CONFIG_GENERIC_TRACER=y
CONFIG_FUNCTION_TRACER=y
CONFIG_FUNCTION_GRAPH_TRACER=y
# CONFIG_IRQSOFF_TRACER is not set
# CONFIG_PREEMPT_TRACER is not set
CONFIG_SCHED_TRACER=y
CONFIG_HWLAT_TRACER=y
CONFIG_TRACER_SNAPSHOT=y
# CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
CONFIG_STACK_TRACER=y
zcat /proc/config.gz | grep FTRACE
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
CONFIG_STM_SOURCE_FTRACE=m
# CONFIG_PSTORE_FTRACE is not set
CONFIG_HAVE_DYNAMIC_FTRACE=y
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
CONFIG_FTRACE=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_DYNAMIC_FTRACE=y
CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_FTRACE_MCOUNT_RECORD=y
# CONFIG_FTRACE_STARTUP_TEST is not set
sudo sysctl -a |grep ftrace
kernel.ftrace_dump_on_oops = 0
kernel.ftrace_enabled = 1
findmnt |grep debugfs
│ ├─/sys/kernel/debug debugfs debugfs rw,relatime
Has anyone tested this on newer kernels?
I tried to use this module for a simple "hello world" hijacking of the fadvise() system call. It seems to work fine on kernel 2.6.32 (Ubuntu), but when I try it on kernel 3.8.0 (Xubuntu) it doesn't work: I always get the same arguments (in the fadvise() case this means the same file descriptor, same offset, etc.). This suggests accessing the wrong place in memory, or bad registers. I don't know exactly.
Has anyone tried this? Besides altering security.c, I had to make some changes to make the code compile on the 3.8.0 kernel, the same changes suggested in the previous issue opened here, after which the code compiled just fine.
Anyway, I'm attaching my security.c code just to demonstrate what I'm trying to do:
// the actual hijacking of system calls, and inserting code
#include "module.h"
#include <linux/blkdev.h>

struct kernsym sym_sys_fadvise64_64;

// sys_fadvise64_64
int tpe_sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice) {
	// save old fadvise
	int (*run)(int fd, loff_t offset, loff_t len, int advice) = sym_sys_fadvise64_64.run;

	// loff_t is 64-bit, so it has to be printed with %lld rather than %d
	printk(PKPRE "*** hijacked fadvise. fd=%d offset=%lld len=%lld advice=%d\n",
	       fd, (long long)offset, (long long)len, advice); // ALWAYS THE SAME IN 3.8.0!!!

	return run(fd, offset, len, advice);
}

void printfail(const char *name) {
	printk(PKPRE "warning: unable to implement protections for %s\n", name);
}

struct symhook {
	char *name;
	struct kernsym *sym;
	unsigned long *func;
};

// find symbols in /proc/kallsyms
struct symhook security2hook[] = {
	{"sys_fadvise64_64", &sym_sys_fadvise64_64, (unsigned long *)tpe_sys_fadvise64_64},
};

// hijack the needed functions. whenever possible, hijack just the LSM function
void hijack_syscalls(void) {
	int ret, i;

	for (i = 0; i < ARRAY_SIZE(security2hook); i++) {
		ret = symbol_hijack(security2hook[i].sym, security2hook[i].name, security2hook[i].func);

		// only report success when the hijack actually went through
		if (IN_ERR(ret))
			printfail(security2hook[i].name);
		else
			printk("%s hijacked successfully!\n", security2hook[i].name);
	}
}

void undo_hijack_syscalls(void) {
	int i;

	for (i = 0; i < ARRAY_SIZE(security2hook); i++)
		symbol_restore(security2hook[i].sym);
}
Hi! First of all, thank you for maintaining this.
I tried to build it on Arch Linux with kernel 4.11 but it failed. Here is the log output:
./scripts/find_kernel_src.sh: line 8: arch: command not found
make -C /lib/modules/4.11.0-1/build M=/tmp/build/tpe-lkm/src/tpe-lkm modules
make[1]: Entering directory '/usr/lib/modules/4.11.0-1/build'
CC [M] /tmp/build/tpe-lkm/src/tpe-lkm/fopskit.o
CC [M] /tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.o
CC [M] /tmp/build/tpe-lkm/src/tpe-lkm/tpe_module.o
CC [M] /tmp/build/tpe-lkm/src/tpe-lkm/tpe_config.o
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c: In function ‘tpe_file_getfattr’:
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:18:18: error: ‘const struct inode_operations’ has no member named ‘getxattr’; did you mean ‘getattr’?
if (!inode->i_op->getxattr) return 0;
^~
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:20:19: error: ‘const struct inode_operations’ has no member named ‘getxattr’; did you mean ‘getattr’?
ret = inode->i_op->getxattr(get_dentry(file),
^~
In file included from /tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:2:0:
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c: In function ‘tpe_log_denied_action’:
/tmp/build/tpe-lkm/src/tpe-lkm/tpe.h:22:49: error: dereferencing pointer to incomplete type ‘const struct cred’
#define get_task_uid(task) __kuid_val(task->cred->uid)
^
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:83:3: note: in expansion of macro ‘get_task_uid’
get_task_uid(current),
^~~~~~~~~~~~
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c: In function ‘tpe_allow_file’:
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:148:21: error: implicit declaration of function ‘in_group_p’ [-Werror=implicit-function-declaration]
if (tpe_dmz_gid && in_group_p(KGIDT_INIT(tpe_dmz_gid)))
^~~~~~~~~~
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:295: /tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:1492: _module_/tmp/build/tpe-lkm/src/tpe-lkm] Error 2
make[1]: Leaving directory '/usr/lib/modules/4.11.0-1/build'
make: *** [Makefile:24: tpe.ko] Error 2
==> ERROR: A failure occurred in build().
    Aborting...
I don't know if this is something specific or a general error. I would be grateful if you could look at this.
Is this project still active? There seem to be multiple unaddressed outstanding issues, no release for a year, and the current source doesn't even build on EL5 kernels.
Hi,
I'm trying to compile on a 3.16.0-4-amd64 kernel, on a host with Devuan 8 (same kernel and issue on Debian 8).
# make
make -C /usr/src/linux-headers-3.16.0-4-amd64 M=/root/tpe-lkm modules
make[1]: Entering directory '/usr/src/linux-headers-3.16.0-4-amd64'
make[1]: Entering directory '/usr/src/linux-headers-3.16.0-4-amd64'
CC [M] /root/tpe-lkm/fopskit.o
In file included from /root/tpe-lkm/fopskit.c:2:0:
/root/tpe-lkm/fopskit.h:48:38: error: ‘FTRACE_OPS_FL_IPMODIFY’ undeclared here (not in a function)
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
^
/root/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/linux-headers-3.16.0-4-common/scripts/Makefile.build:262: recipe for target '/root/tpe-lkm/fopskit.o' failed
make[4]: *** [/root/tpe-lkm/fopskit.o] Error 1
/usr/src/linux-headers-3.16.0-4-common/Makefile:1355: recipe for target '_module_/root/tpe-lkm' failed
make[3]: *** [_module_/root/tpe-lkm] Error 2
Makefile:181: recipe for target 'sub-make' failed
make[2]: *** [sub-make] Error 2
Makefile:8: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-3.16.0-4-amd64'
Makefile:24: recipe for target 'tpe.ko' failed
make: *** [tpe.ko] Error 2
CONFIG_FUNCTION_TRACER is enabled:
# cat .config |grep CONFIG_FUNCTION_TRACER
CONFIG_FUNCTION_TRACER=y
Any hint?
Gianluca
I'm just testing some of the module features and it looks like tpe.trusted_apps doesn't work on the 4.20.16-amd64 kernel.
# sysctl -a | grep trust
tpe.trusted_apps = "/home/morfik/gems/bin/jekyll"
tpe.trusted_gid = 0
tpe.trusted_invert = 0
kernel: tpe: Denied untrusted exec of /home/morfik/gems/bin/jekyll (uid:1000) by /bin/zsh (uid:1000), parents: /bin/zsh (uid:1000), /usr/bin/tmux (uid:1000), /lib/systemd/systemd (uid:0). Deny reason: directory uid not trusted
kernel: tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /home/morfik/gems/bin/jekyll. To silence this message, run; sysctl tpe.log_verbose = 0
kernel: tpe: Denied untrusted exec of /home/morfik/gems/bin/jekyll (uid:1000) by /bin/zsh (uid:1000), parents: /bin/zsh (uid:1000), /usr/bin/tmux (uid:1000), /lib/systemd/systemd (uid:0). Deny reason: directory uid not trusted
kernel: tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /home/morfik/gems/bin/jekyll. To silence this message, run; sysctl tpe.log_verbose = 0
But using setfattr -n security.tpe -v "soften_exec:soften_mmap" works well, so only tpe.trusted_apps doesn't work.
Any plans to support Arch?
Is this something serious?
kernel: tpe: loading out-of-tree module taints kernel.
kernel: fopskit: fopskit_find_sym_addr() failed with return code -14 for fops_hook { name => selinux_enabled, addr => 0, found => 0, hooked => 0 } at fopskit_find_sym_addr() line 223
kernel: fopskit: fopskit_find_sym_addr() failed with return code -14 for fops_hook { name => selinux_disabled, addr => 0, found => 0, hooked => 0 } at fopskit_find_sym_addr() line 223
kernel: tpe: warning: cred->security was not remapped; the soften_mmap flag won't persist to child processes.
kernel: fopskit: fopskit_find_sym_addr() failed with return code -14 for fops_hook { name => sys_newuname, addr => 0, found => 0, hooked => 0 } at fopskit_find_sym_addr() line 223
kernel: tpe: added to kernel
Kernel:
$ uname -a
Linux morfikownia 4.20.16-amd64-morficzny+ #1 SMP PREEMPT Sun Mar 10 14:48:11 CET 2019 x86_64 GNU/Linux
$ lsb_release -rd
Description: Ubuntu 12.10
Release: 12.10
/usr/src/tpe-lkm# make
make -C /usr/src/linux-headers-3.5.0-17-generic M=/usr/src/tpe-lkm modules
make[1]: Entering directory '/usr/src/linux-headers-3.5.0-17-generic'
CC [M] /usr/src/tpe-lkm/core.o
/usr/src/tpe-lkm/core.c: In function ‘tpe_allow_file’:
/usr/src/tpe-lkm/core.c:208:1: warning: the frame size of 1328 bytes is larger than 1024 bytes [-Wframe-larger-than=]
CC [M] /usr/src/tpe-lkm/module.o
CC [M] /usr/src/tpe-lkm/security.o
CC [M] /usr/src/tpe-lkm/symbols.o
CC [M] /usr/src/tpe-lkm/malloc.o
CC [M] /usr/src/tpe-lkm/sysctl.o
CC [M] /usr/src/tpe-lkm/hijacks.o
CC [M] /usr/src/tpe-lkm/arch/x86/lib/inat.o
/usr/src/tpe-lkm/arch/x86/lib/inat.c:32:13: error: conflicting types for ‘inat_get_escape_attribute’
In file included from /usr/src/linux-headers-3.5.0-17-generic/arch/x86/include/asm/insn.h:24:0,
                 from /usr/src/tpe-lkm/arch/x86/lib/inat.c:21:
/usr/src/linux-headers-3.5.0-17-generic/arch/x86/include/asm/inat.h:101:20: note: previous declaration of ‘inat_get_escape_attribute’ was here
/usr/src/tpe-lkm/arch/x86/lib/inat.c:55:13: error: conflicting types for ‘inat_get_group_attribute’
In file included from /usr/src/linux-headers-3.5.0-17-generic/arch/x86/include/asm/insn.h:24:0,
                 from /usr/src/tpe-lkm/arch/x86/lib/inat.c:21:
/usr/src/linux-headers-3.5.0-17-generic/arch/x86/include/asm/inat.h:104:20: note: previous declaration of ‘inat_get_group_attribute’ was here
make[2]: *** [/usr/src/tpe-lkm/arch/x86/lib/inat.o] Error 1
make[1]: *** [_module_/usr/src/tpe-lkm] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-3.5.0-17-generic'
make: *** [tpe.ko] Error 2
There is a nice explanation of what most of the TPE parameters do in the README file, but I haven't noticed there a parameter called tpe.lock. What does it do?
Also, what does tpe.xattr_soften do? The README file says: "check extended attributes for a soften flag". What is this "soften flag"? I couldn't find any info about it.
The next thing is ignore_softmode, which "enables extra features even if softmode is on". What extra features? Does this mean all the tpe.extras.* options?
And the last one is extras/ -- I don't have this parameter in sysctl. Should I have it?
Hello,
I tried to compile the tpe module with kernel v. 4.9.16 and got an error:
$ make
make -C /usr/src/linux-4.9.16-gentoo M=/usr/src/tpe-lkm modules
make[1]: Entering directory '/usr/src/linux-4.9.16-gentoo'
CC [M] /usr/src/tpe-lkm/fopskit.o
In file included from /usr/src/tpe-lkm/fopskit.c:2:0:
/usr/src/tpe-lkm/fopskit.h:42:16: error: variable ‘fops_security_prepare_creds’ has initializer but incomplete type
static struct ftrace_ops fops_##val __read_mostly = { \
^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘func’ specified in initializer
static struct ftrace_ops fops_##val __read_mostly = { \
^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/tpe-lkm/fopskit.h:43:11: warning: excess elements in struct initializer
.func = fopskit_##val, \
^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/tpe-lkm/fopskit.h:43:11: note: (near initialization for ‘fops_security_prepare_creds’)
.func = fopskit_##val, \
^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘flags’ specified in initializer
static struct ftrace_ops fops_##val __read_mostly = { \
^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/tpe-lkm/fopskit.h:44:12: error: ‘FTRACE_OPS_FL_SAVE_REGS’ undeclared here (not in a function)
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/tpe-lkm/fopskit.h:44:38: error: ‘FTRACE_OPS_FL_IPMODIFY’ undeclared here (not in a function)
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/tpe-lkm/fopskit.h:44:12: warning: excess elements in struct initializer
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/tpe-lkm/fopskit.h:44:12: note: (near initialization for ‘fops_security_prepare_creds’)
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_prepare_creds) {
^
/usr/src/tpe-lkm/fopskit.h:42:16: error: variable ‘fops_security_cred_alloc_blank’ has initializer but incomplete type
static struct ftrace_ops fops_##val __read_mostly = { \
^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_cred_alloc_blank) {
^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘func’ specified in initializer
static struct ftrace_ops fops_##val __read_mostly = { \
^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_cred_alloc_blank) {
^
/usr/src/tpe-lkm/fopskit.h:43:11: warning: excess elements in struct initializer
.func = fopskit_##val, \
^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_cred_alloc_blank) {
^
/usr/src/tpe-lkm/fopskit.h:43:11: note: (near initialization for ‘fops_security_cred_alloc_blank’)
.func = fopskit_##val, \
^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_cred_alloc_blank) {
^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘flags’ specified in initializer
static struct ftrace_ops fops_##val __read_mostly = { \
^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_cred_alloc_blank) {
^
/usr/src/tpe-lkm/fopskit.h:44:12: warning: excess elements in struct initializer
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_cred_alloc_blank) {
^
/usr/src/tpe-lkm/fopskit.h:44:12: note: (near initialization for ‘fops_security_cred_alloc_blank’)
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(security_cred_alloc_blank) {
^
/usr/src/tpe-lkm/fopskit.h:42:16: error: variable ‘fops_proc_sys_write’ has initializer but incomplete type
static struct ftrace_ops fops_##val __read_mostly = { \
^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(proc_sys_write) {
^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘func’ specified in initializer
static struct ftrace_ops fops_##val __read_mostly = { \
^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(proc_sys_write) {
^
/usr/src/tpe-lkm/fopskit.h:43:11: warning: excess elements in struct initializer
.func = fopskit_##val, \
^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(proc_sys_write) {
^
/usr/src/tpe-lkm/fopskit.h:43:11: note: (near initialization for ‘fops_proc_sys_write’)
.func = fopskit_##val, \
^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(proc_sys_write) {
^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘flags’ specified in initializer
static struct ftrace_ops fops_##val __read_mostly = { \
^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(proc_sys_write) {
^
/usr/src/tpe-lkm/fopskit.h:44:12: warning: excess elements in struct initializer
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(proc_sys_write) {
^
/usr/src/tpe-lkm/fopskit.h:44:12: note: (near initialization for ‘fops_proc_sys_write’)
.flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
fopskit_hook_handler(proc_sys_write) {
^
/usr/src/tpe-lkm/fopskit.c: In function ‘fopskit_sym_int’:
/usr/src/tpe-lkm/fopskit.c:297:27: error: storage size of ‘fops_int’ isn’t known
static struct ftrace_ops fops_int;
^
/usr/src/tpe-lkm/fopskit.c:297:27: warning: unused variable ‘fops_int’ [-Wunused-variable]
/usr/src/tpe-lkm/fopskit.c: In function ‘fopskit_sym_str’:
/usr/src/tpe-lkm/fopskit.c:312:27: error: storage size of ‘fops_str’ isn’t known
static struct ftrace_ops fops_str;
^
/usr/src/tpe-lkm/fopskit.c:312:27: warning: unused variable ‘fops_str’ [-Wunused-variable]
/usr/src/tpe-lkm/fopskit.c: In function ‘fopskit_sym_ptr’:
/usr/src/tpe-lkm/fopskit.c:327:27: error: storage size of ‘fops_ptr’ isn’t known
static struct ftrace_ops fops_ptr;
^
/usr/src/tpe-lkm/fopskit.c:327:27: warning: unused variable ‘fops_ptr’ [-Wunused-variable]
make[2]: *** [scripts/Makefile.build:294: /usr/src/tpe-lkm/fopskit.o] Error 1
make[1]: *** [Makefile:1490: _module_/usr/src/tpe-lkm] Error 2
make[1]: Leaving directory '/usr/src/linux-4.9.16-gentoo'
make: *** [Makefile:24: tpe.ko] Error 2
In case of a file name larger than your MAX_FILE_LEN you will have a crash, because the pointer will point to the error number.
You have to use the IS_ERR macro in exe_from_mm in order to catch this case from the d_path call. Then just return NULL in order to use it for error handling when calling the exe_from_mm function.
Cheers!
Panos
Following a thread on the ElRepo mailing list, I am vetting intermittent kernel panics when running ClearOS 7.5 in a VBox VM on a Win10 host. More often than not the system boots correctly, but it fails with a panic in about a quarter of boots. I've attached a screen dump of the crash.
The distro can be downloaded from http://mirror.clearos.com/clearos/7/iso/x86_64/ClearOS-DVD-x86_64.iso (all versions are the same). This may give you a 7.4 installation, as 7.5 was only released to the update channel on Friday. You will need to install and select the "Community" version (Community is 7.5; Home and Business will stay on 7.4 for a couple of weeks, and the repos act a little strangely during this period, especially while you are on a 30 day trial). You will probably have to register the system at https://www.clearcenter.com/. Then I suggest you do a "yum update", which may put you on 7.5 if the download didn't.
My compiled tpe is available from my server here: https://www.howitts.co.uk/clearos/ClearOS_7.x/kmod-tpe-2.0.3-6.20170731git.el7_5.elrepo.x86_64.rpm
If you needed to set up development stuff, instructions are at https://www.clearos.com/clearfoundation/development/clearos/content:en_us:dev_development_environment
If you have any questions, please ask. I understand you can set VBox to capture via a serial port but I don't know how.
[edit]
AFAIK, the ClearOS kernel is an EL7 kernel with IMQ added for QoS, so all kmod drivers need to be recompiled against the ClearOS kernel before they can be used. The driver I linked to has been recompiled, so it should be directly usable.
[/edit]
Hello,
Any possibility of this getting support for 4.x++ kernels? I find it very useful.
Thanks !
The code below returns -1 to the user-space program:
fopskit_return(fopskit_eperm); //int fopskit_eperm(void) { return -EPERM; }
In user space, running with strace, I saw this:
creat("/tmp/test/create.txt", 0644) = 4294967295
Normally, the display should be:
creat("/tmp/test/create.txt", 0644) = -1 EACCES (Permission denied)
So, what should I do?
Seems like the main dev is on a roll, so trying to take advantage and requesting a feature. :-)
Can we haz multiple values for trusted_gid or admin_gid? Sometimes I want to exclude from tpe certain scripts owned by e.g. CPanel via different gids, I'm sure there would be other practical use cases.
Is there a way to build the module in-tree such that it's actually built into the kernel, not as a separate, un-loadable module?
Thanks for writing this - very educational.
I am not currently able to get tpe.extra features to work on el7 with the latest kernel (3.10.0-514.16.1.el7.x86_64) running tpe-lkm 2.0.1. I am using the elrepo kmod-tpe package and also tried the in-testing 2.0.2 version with no difference built by @pjperry a few days ago.
I even went as far as to rebuild the rpm manually against latest commit from the elrepo spec file and it made no difference. I am not sure if this is an issue with the spec and how elrepo rpm is built (@pjperry ) or if its a tpe-lkm issue directly (@cormander).
Testing has been conducted on two separate el7 systems, one KVM based and one bare metal, with the same results.
None of the extra features are working, that is to say all processes are visible to non-root users, lsmod can be run without issue, kallsyms can be cat'd and hide_uname makes no difference (when enabled).
Find below current sysctl values for TPE.
tpe.admin_gid = 0
tpe.check_file = 0
tpe.dmz_gid = 0
tpe.extras.harden_ptrace = 1
tpe.extras.hide_uname = 0
tpe.extras.lsmod = 1
tpe.extras.proc_kallsyms = 1
tpe.extras.ps = 1
tpe.extras.ps_gid = 0
tpe.extras.restrict_setuid = 0
tpe.group_writable = 1
tpe.hardcoded_path =
tpe.kill = 0
tpe.lock = 0
tpe.log = 0
tpe.log_floodburst = 5
tpe.log_floodtime = 5
tpe.log_max = 50
tpe.log_verbose = 1
tpe.paranoid = 0
tpe.softmode = 1
tpe.strict = 0
tpe.trusted_apps =
tpe.trusted_gid = 0
tpe.trusted_invert = 0
tpe.xattr_soften = 1
Most of the tpe.extras.* options work well, but tpe.extras.hide_uname doesn't.
When I set it to "0", I get:
# sysctl -w tpe.extras.hide_uname=0
tpe.extras.hide_uname = 0
$ uname -a
Linux morfikownia 4.20.12-amd64-morficzny+ #3 SMP PREEMPT Sat Feb 23 18:43:09 CET 2019 x86_64 GNU/Linux
When I change it to "1", I get:
# sysctl -w tpe.extras.hide_uname=1
tpe.extras.hide_uname = 1
$ uname -a
Linux morfikownia 4.20.12-amd64-morficzny+ #3 SMP PREEMPT Sat Feb 23 18:43:09 CET 2019 x86_64 GNU/Linux
Also when I try to check the sysctl value using:
# sysctl -a | grep tpe.extras.hide_uname
I get the following log and the sysctl command hangs:
tpe: Denied untrusted uname of /sbin/sysctl (uid:0) by /sbin/sysctl (uid:0), parents: /bin/zsh (uid:0), /bin/su (uid:1000), /bin/zsh (uid:1000), /usr/bin/tmux (uid:1000), /lib/systemd/systemd (uid:0). Deny reason: tpe_extras
kernel: tpe: If this uname was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_uname" /sbin/sysctl. To silence this message, run; sysctl tpe.log_verbose = 0
Here are my current TPE settings:
# sysctl -a | grep tpe
tpe.admin_gid = 0
tpe.check_file = 1
tpe.dmz_gid = 0
tpe.extras.harden_ptrace = 1
tpe.extras.hide_uname = 0
tpe.extras.ignore_softmode = 0
tpe.extras.log = 1
tpe.extras.lsmod = 1
tpe.extras.proc_kallsyms = 1
tpe.extras.ps = 0
tpe.extras.ps_gid = 0
tpe.extras.restrict_setuid = 0
tpe.group_writable = 1
tpe.hardcoded_path =
tpe.kill = 0
tpe.lock = 0
tpe.log = 1
tpe.log_floodburst = 5
tpe.log_floodtime = 5
tpe.log_max = 50
tpe.log_verbose = 1
tpe.paranoid = 0
tpe.softmode = 0
tpe.strict = 1
tpe.trusted_apps = "/usr/local/bin/docker-entrypoint.sh"
tpe.trusted_gid = 0
tpe.trusted_invert = 0
tpe.xattr_soften = 1
When I start some docker containers I get the following log:
kernel: tpe: Denied untrusted exec of /usr/local/bin/docker-entrypoint.sh (uid:999) by /usr/local/bin/gosu (uid:999), parents: /usr/bin/containerd-shim (uid:0), /usr/bin/containerd (uid:0), /lib/systemd/systemd (uid:0). Deny reason: file is writable
kernel: tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /usr/local/bin/docker-entrypoint.sh. To silence this message, run; sysctl tpe.log_verbose = 0
It says that /usr/local/bin/docker-entrypoint.sh is untrusted, but I don't have this file on my system:
# ls -al /usr/local/bin/docker-entrypoint.sh
ls: cannot access '/usr/local/bin/docker-entrypoint.sh': No such file or directory
# ls -ald /usr/local/bin
drwxr-xr-x 2 root root 4096 2019-02-21 20:06:32 /usr/local/bin/
The file in question is inside of the container:
root@mariadb:/# ls -al /usr/local/bin/*
-rwxrwxr-x 1 root root 5816 Jan 8 23:47 /usr/local/bin/docker-entrypoint.sh
-rwxr-xr-x 1 root root 1286720 May 24 2017 /usr/local/bin/gosu
I tried to add the execs to tpe.trusted_apps, but that doesn't work. So how do I handle a case like docker?