
tpe-lkm's Introduction

===============================================================================

Trusted Path Execution (TPE) Linux Kernel Module, Version 2

===============================================================================

About this module

Trusted Path Execution is a security feature that prevents users from executing
programs that are not owned by root, or that are writable. This closes the door
on a whole category of exploits where a malicious user tries to execute his or
her own code to attack the system.

Since this module doesn't use any kind of ACLs, it works out of the box with no
configuration. It isn't complicated to test or deploy to current production
systems. Just install it and you're done!

===============================================================================

Supported Kernels

Version 2 has been tested on the following systems (x86_64 only):

 - RHEL/CentOS 7 (linux-3.10.0)
 - Ubuntu 16.04 LTS (linux-4.8.0-39-generic)

Version 1 works on older kernels, as far back as RHEL/CentOS 5 (linux-2.6.18).

This module *should* work on most linux kernels version 3.10 and above, but has
only been verified on the above systems. If you get a compile error or a kernel
oops, please contact this module's author.

===============================================================================

Features

* Trusted Path Execution; deny execution of non-root owned or writable binaries

  $ gcc -o exploit exploit.c
  $ chmod 755 exploit
  $ ./exploit
  -bash: ./exploit: Permission denied

  $ dmesg | tail -n1
  tpe: Denied untrusted exec of /home/corey/exploit (uid:500) by /bin/bash
  (uid:500), parents: /usr/sbin/sshd (uid:500), /usr/sbin/sshd (uid:0),
  /sbin/init (uid:0). Deny reason: directory uid not trusted

See the "Configuration" section below for how to tweak configuration.

Extra features, also ported from grsecurity (but not TPE related):

* Restrict non-root users from viewing loaded kernel modules

  $ cat /proc/modules
  cat: /proc/modules: Operation not permitted

* Restrict non-root users from viewing the kernel symbol table

  $ cat /proc/kallsyms
  cat: /proc/kallsyms: Operation not permitted

* Restrict non-root users from viewing processes they don't own

  $ ps auxf
  USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
  corey    22450  0.0  0.7  97780  1804 ?        S    14:12   0:00 sshd: corey @pts/1
  corey    22451  0.0  0.7 108288  1884 pts/1    Ss   14:12   0:00  \_ -bash
  corey    22474  0.0  0.4 110184  1044 pts/1    R+   14:12   0:00      \_ ps auxf

* Restrict users from getting the kernel version

  $ uname -a
       GNU/Linux

* Restrict users from running ptrace operations against their own processes

  $ strace -p $$
  strace: attach: ptrace(PTRACE_ATTACH, ...): Permission denied

Most of these are kernel-level protections only; a user may still be able to
obtain the same information by other means if you don't take additional
precautions.

See the "Configuration" section below for how to enable these extras.

===============================================================================

How it works

This module makes use of the kernel ftrace framework. In a nutshell, ftrace is
in charge of the first few bytes of most kernel symbols, and can redirect them
to other addresses. TPE instructs ftrace to redirect certain security handlers
to TPE code, which then decides whether it's appropriate to continue or not.

===============================================================================

Installation

See the INSTALL file for installation instructions.

===============================================================================

FAQ

See the FAQ file for frequently asked questions.

===============================================================================

Configuration

Although most people will find they don't need to change the default values,
you have the option to configure various things in this module at runtime using
the sysctl interface to tighten or relax the TPE restrictions. You can see the
current values in this proc directory:

/proc/sys/tpe/

softmode        - log what would be denied but don't actually deny. default off
strict          - enforce some TPE features even on trusted users. default on
check_file      - check file owner/mode in addition to directory. default on
group_writable  - check if the file/directory is group writable. default on
kill            - kill the offending process and its parent when it gets denied
                  execution from TPE, unless it's root. default off
log             - whether to log denied execs to the ring buffer. default on
log_verbose     - log what can be done to allow what was denied. default on
log_max         - maximum parent processes in a single log entry. default 50
log_floodburst  - number of log entries before logging is disabled. default 5
log_floodtime   - seconds until re-enabling logging after floodburst. default 5
xattr_soften    - check extended attributes for a soften flag. default on
paranoid        - enforce the trusted path restrictions on root too. default off
trusted_apps    - a list of files, separated by commas, that would otherwise
                  have been denied an exec/mmap/mprotect but are instead
                  allowed to proceed. default empty (off)
hardcoded_path  - use with caution! a list of directories, separated by colons,
                  that the trusted path will be restricted to; nothing outside
                  this path may be executed/mmaped. default empty (off)
trusted_gid     - gid of trusted users on whom TPE is not enforced (see strict).
                  default 0 (off)
trusted_invert  - changes what "trusted_gid" means; if set, users in the gid
                  will be the only ones on whom TPE is enforced. default 0 (off)
admin_gid       - files belonging to this group are treated as if they're owned
                  by root; TPE is not enforced on them. default 0 (off)
dmz_gid         - users in this gid can't exec anything at all. default 0 (off)

extras/         - directory for additional protections that aren't TPE related.

ignore_softmode - enable extra features even if softmode is on. default off
log             - whether to log when extra features are denied. default on
lsmod           - denies non-root users from viewing loaded kernel modules
proc_kallsyms   - denies non-root users from viewing /proc/kallsyms
harden_ptrace   - denies non-root users from running ptrace operations
hide_uname      - denies non-root users from asking the kernel its version
ps              - denies non-root users from viewing processes they don't own
ps_gid          - gid of users who aren't restricted by ps. default 0 (off)
restrict_setuid - users not in the trusted_gid are denied calls to setuid()


Edit the /etc/sysctl.d/tpe.conf file to change the defaults of these various
features.
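To make the trust rule from "About this module" and the knobs above concrete, here is a user-space model of the TPE decision. It is an added example and not code from tpe-lkm: it reimplements the documented rule (the binary must live in a directory owned by root, or by admin_gid, that is not writable; with check_file on, the file itself must pass the same test) together with the softmode, check_file, group_writable, paranoid, trusted_gid, trusted_invert, admin_gid and dmz_gid knobs, so a path can be audited before the module is loaded. The strict, trusted_apps, hardcoded_path and xattr_soften knobs are not modelled. The only deny reason taken from the page is "directory uid not trusted" (the dmesg sample under "Features"); the other reason strings and the order of the checks are assumptions of this model.

```c
/* tpe_policy_demo.c: user-space model of the TPE trust decision.
 * Added example, NOT code from tpe-lkm. Deny reasons other than
 * "directory uid not trusted" are constructed wording. */
#include <libgen.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

struct tpe_cfg {            /* the /proc/sys/tpe/ knobs this model understands */
    int softmode;           /* 1: report what would be denied, never deny */
    int check_file;         /* 1: check file owner/mode, not only the directory */
    int group_writable;     /* 1: group-writable counts as writable */
    int paranoid;           /* 1: enforce on root too */
    gid_t trusted_gid;      /* members are exempt; 0 = off */
    int trusted_invert;     /* 1: only members of trusted_gid are enforced */
    gid_t admin_gid;        /* files in this group count as root-owned; 0 = off */
    gid_t dmz_gid;          /* members may not exec anything; 0 = off */
};

struct tpe_obj { uid_t uid; gid_t gid; mode_t mode; };          /* from stat() */
struct tpe_caller { uid_t uid; const gid_t *groups; size_t ngroups; };

static int in_group(const struct tpe_caller *c, gid_t g)
{
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g) return 1;
    return 0;
}

static int owner_trusted(const struct tpe_cfg *cfg, const struct tpe_obj *o)
{
    return o->uid == 0 || (cfg->admin_gid && o->gid == cfg->admin_gid);
}

static int writable(const struct tpe_cfg *cfg, const struct tpe_obj *o)
{
    return (o->mode & S_IWOTH) || (cfg->group_writable && (o->mode & S_IWGRP));
}

/* Returns NULL when the exec is allowed, otherwise the deny reason. When
 * enforce is non-NULL it is set to 1 only if the module would really deny,
 * i.e. a reason exists and softmode is off. */
const char *tpe_check(const struct tpe_cfg *cfg, const struct tpe_caller *who,
                      const struct tpe_obj *dir, const struct tpe_obj *file,
                      int *enforce)
{
    const char *why = NULL;
    int subject = 1;                          /* is this caller subject to TPE? */

    if (who->uid == 0 && !cfg->paranoid)
        subject = 0;
    if (cfg->trusted_gid) {
        int member = in_group(who, cfg->trusted_gid);
        if (cfg->trusted_invert ? !member : member)
            subject = 0;
    }

    if (cfg->dmz_gid && in_group(who, cfg->dmz_gid))
        why = "user is in dmz_gid";               /* constructed wording */
    else if (!subject)
        why = NULL;
    else if (!owner_trusted(cfg, dir))
        why = "directory uid not trusted";        /* wording from the README */
    else if (writable(cfg, dir))
        why = "directory is writable";            /* constructed wording */
    else if (cfg->check_file && !owner_trusted(cfg, file))
        why = "file uid not trusted";             /* constructed wording */
    else if (cfg->check_file && writable(cfg, file))
        why = "file is writable";                 /* constructed wording */

    if (enforce)
        *enforce = (why != NULL) && !cfg->softmode;
    return why;
}

/* Fill dir/file from a real path: the binary and the directory holding it. */
int tpe_stat_target(const char *path, struct tpe_obj *dir, struct tpe_obj *file)
{
    struct stat sf, sd;
    char buf[4096];                          /* dirname() may modify its argument */

    snprintf(buf, sizeof buf, "%s", path);
    if (stat(path, &sf) != 0 || stat(dirname(buf), &sd) != 0)
        return -1;
    *file = (struct tpe_obj){ sf.st_uid, sf.st_gid, sf.st_mode };
    *dir  = (struct tpe_obj){ sd.st_uid, sd.st_gid, sd.st_mode };
    return 0;
}

/* Usage: ./tpe_policy_demo /path/to/binary
 * Evaluates the path as the invoking user with the README defaults
 * (check_file=1, group_writable=1, everything else off). */
int main(int argc, char **argv)
{
    struct tpe_cfg cfg = { .check_file = 1, .group_writable = 1 };
    gid_t gids[64];
    int n = getgroups(64, gids);
    struct tpe_caller me = { getuid(), gids, n < 0 ? 0 : (size_t)n };
    struct tpe_obj dir, file;
    int enforce;
    const char *why;

    if (argc != 2 || tpe_stat_target(argv[1], &dir, &file) != 0) {
        fprintf(stderr, "usage: %s /path/to/binary\n", argv[0]);
        return 2;
    }
    why = tpe_check(&cfg, &me, &dir, &file, &enforce);
    printf("%s: %s\n", argv[1], why ? why : "allowed");
    return why ? 1 : 0;
}
```

Run it against /usr/bin/ls and against a binary you built in your home directory: the first is allowed, the second is reported with the same reason the dmesg sample shows, because the home directory is owned by the user rather than root. Flip softmode in the struct to see the difference between "would deny" and "denies".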

===============================================================================

Compatibility Issues

Test this module before deploying to a critical system, especially if you're
not using a kernel in the above "Supported Kernels" list.

Trusted Path Execution will cause some programs to stop functioning correctly.
If it doesn't result in a kernel BUG or other stack trace showing up in dmesg,
it's the program that needs fixing, not this module. There are several ways
to work around this problem:

  1) Set a file attribute on the offending binary to soften the checks
    or
  2) Tune the module config with the "sysctl" command (see the admin_gid,
     trusted_gid, and trusted_apps options)

For example:

$ sudo setfattr -n security.tpe -v "soften_mmap" /usr/bin/gnome-session
    or
$ sudo sysctl tpe.trusted_apps="/usr/bin/gnome-session"

The file attributes "soften_<check>" (where <check> is one of the checks,
e.g. mmap, exec, etc.) are the preferred solution, as they only disable that
specific check and nothing else.

Programs that have been reported to need such measures are:

* wine
* Dropbox
* Gnome Desktop

You can persist these changes by editing the /etc/sysctl.conf file, or adding
a conf file of your own in /etc/sysctl.d/
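The two exception mechanisms just described, the security.tpe attribute with its soften_<check> flags and the comma-separated tpe.trusted_apps list, are easy to get subtly wrong (a misspelt flag, a path that is only a prefix of the binary). The following added example, which is not tpe-lkm's code, decodes both so you can audit what a host actually has set: it parses the "soften_exec:soften_mmap" form the module's own log message shows, does whole-entry matching on a separator-delimited list (commas for trusted_apps, colons for hardcoded_path), and reads the attribute from a real file with getxattr(2). The check names exec, mmap and mprotect come from the README; the bit values, the rejection of unknown tokens and the exact-match rule are assumptions of this example.

```c
/* tpe_exceptions_demo.c: added example, NOT tpe-lkm's code. Decodes the
 * security.tpe soften flags and checks membership in sysctl path lists. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/xattr.h>
#endif

enum { TPE_SOFTEN_EXEC = 1u, TPE_SOFTEN_MMAP = 2u, TPE_SOFTEN_MPROTECT = 4u };

/* Parse "soften_exec:soften_mmap" into a bitmask. An unknown or empty token
 * returns -1 so that a typo in setfattr does not silently soften nothing. */
int tpe_parse_soften(const char *value, unsigned *flags)
{
    static const struct { const char *name; unsigned bit; } known[] = {
        { "soften_exec",     TPE_SOFTEN_EXEC },
        { "soften_mmap",     TPE_SOFTEN_MMAP },
        { "soften_mprotect", TPE_SOFTEN_MPROTECT },
    };
    unsigned out = 0;
    const char *p = value;

    while (*p) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        int hit = 0;

        for (size_t i = 0; i < sizeof known / sizeof known[0]; i++) {
            if (len == strlen(known[i].name) && strncmp(p, known[i].name, len) == 0) {
                out |= known[i].bit;
                hit = 1;
            }
        }
        if (!hit)
            return -1;
        p = end ? end + 1 : p + len;
    }
    *flags = out;
    return 0;
}

/* Whole-entry match in a sep-delimited list. "/usr/bin/gnome" does not match
 * an entry "/usr/bin/gnome-session": an exception must name the exact path. */
int tpe_in_list(const char *list, char sep, const char *path)
{
    size_t plen = strlen(path);
    const char *p = list;

    while (*p) {
        const char *end = strchr(p, sep);
        size_t len = end ? (size_t)(end - p) : strlen(p);

        if (len == plen && strncmp(p, path, len) == 0)
            return 1;
        if (!end)
            break;
        p = end + 1;
    }
    return 0;
}

/* Read and decode security.tpe from a real file (Linux getxattr(2)).
 * Returns 1 with flags filled, 0 if the attribute is absent, -1 on error. */
int tpe_read_soften(const char *path, unsigned *flags)
{
#ifdef __linux__
    char buf[256];
    ssize_t n = getxattr(path, "security.tpe", buf, sizeof buf - 1);

    if (n < 0)
        return errno == ENODATA ? 0 : -1;
    buf[n] = '\0';
    return tpe_parse_soften(buf, flags) == 0 ? 1 : -1;
#else
    (void)path; (void)flags;
    return -1;                               /* no xattr support modelled here */
#endif
}

/* Usage: ./tpe_exceptions_demo /path/to/binary */
int main(int argc, char **argv)
{
    unsigned flags = 0;
    int rc;

    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/binary\n", argv[0]);
        return 2;
    }
    rc = tpe_read_soften(argv[1], &flags);
    if (rc < 0)
        perror("security.tpe");
    else
        printf("%s: exec %s, mmap %s, mprotect %s\n", argv[1],
               flags & TPE_SOFTEN_EXEC ? "softened" : "checked",
               flags & TPE_SOFTEN_MMAP ? "softened" : "checked",
               flags & TPE_SOFTEN_MPROTECT ? "softened" : "checked");
    return rc < 0;
}
```

Because setfattr stores whatever string you give it, the parser's refusal of unknown tokens is the useful part: run the tool over every binary you have softened and anything that reports an error is an exception that the module will not honour as you intended.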

A few notes:

Kernel modules that make use of kernel tracing (ftrace, kprobes, etc) may
conflict with this module if they touch the same kernel symbols. The only one
I know of is "kpatch".

This module will not work on systems where loadable kernel module support is
disabled at compile time (CONFIG_MODULES not being set).

This module requires many LSM hooks in order to work, and will error out when
security is disabled at compile time (CONFIG_SECURITY not being set).

If you custom compile your own kernel and want TPE, consider using grsecurity
instead of this module.

===============================================================================

BUGS

There are currently no known bugs. If you discover one, please report it to the
author.

===============================================================================

Acknowledgements

 - kpatch - https://github.com/dynup/kpatch

Looking at the kpatch implementation, I was able to simplify this module.

 - Brad Spengler - http://grsecurity.net/

Trusted Path Execution is a feature of grsecurity, and I originally pulled code
from that project to make this module.

===============================================================================

About the Author

website: http://cormander.com/
github: https://github.com/cormander/
email: corman /AT/ cormander /DOT/ com

===============================================================================

tpe-lkm's People

Contributors

kaniini, pjperry


tpe-lkm's Issues

How to define trusted gid ?

Hey,

First I want to thank you for your work. I was using grsecurity TPE when it was free. Today I found your project and it looks great, but I still have a problem: how to define a trusted group for users who will be able to run some app or script. How can I set that group?

Thanks !

Harden_symlinks not available via package?

Hello,

I'm testing this magnificent module; it has some issues with hosting servers but it's good overall.

Now I'm trying to test harden_symlink, but it's not available in the package via http://elrepo.org/. Should I build it from source to use symlink protection? Any other idea or method?

If I add tpe.extras.harden_symlink it does not work: it is an unknown key.

My package: kmod-tpe-1.0.3-4.el5.elrepo.x86_64, CentOS 5 64 bit.

Any suggestions?

Thanks,

Unable to insert module, ftrace is not enabled

Sorry for disturbing you again but I can't load tpe module:

sudo modprobe tpe
modprobe: ERROR: could not insert 'tpe': Function not implemented

sudo dmesg |grep tpe
tpe: Unable to insert module, ftrace is not enabled
zcat /proc/config.gz | grep TRACER
# CONFIG_ATH5K_TRACER is not set
CONFIG_NOP_TRACER=y
CONFIG_HAVE_FUNCTION_TRACER=y
CONFIG_HAVE_FUNCTION_GRAPH_TRACER=y
CONFIG_TRACER_MAX_TRACE=y
CONFIG_CONTEXT_SWITCH_TRACER=y
CONFIG_GENERIC_TRACER=y
CONFIG_FUNCTION_TRACER=y
CONFIG_FUNCTION_GRAPH_TRACER=y
# CONFIG_IRQSOFF_TRACER is not set
# CONFIG_PREEMPT_TRACER is not set
CONFIG_SCHED_TRACER=y
CONFIG_HWLAT_TRACER=y
CONFIG_TRACER_SNAPSHOT=y
# CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set
CONFIG_STACK_TRACER=y
zcat /proc/config.gz | grep FTRACE
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
CONFIG_STM_SOURCE_FTRACE=m
# CONFIG_PSTORE_FTRACE is not set
CONFIG_HAVE_DYNAMIC_FTRACE=y
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
CONFIG_FTRACE=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_DYNAMIC_FTRACE=y
CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_FTRACE_MCOUNT_RECORD=y
# CONFIG_FTRACE_STARTUP_TEST is not set
sudo sysctl -a |grep ftrace
kernel.ftrace_dump_on_oops = 0
kernel.ftrace_enabled = 1
findmnt |grep debugfs
│ ├─/sys/kernel/debug   debugfs debugfs rw,relatime

testing on newer kernels?

Has anyone tested this on newer kernels?
I tried to use this module for a simple "hello world" hijacking of the fadvise() system call. It seems to work fine on kernel 2.6.32 (Ubuntu), but when I try it on kernel 3.8.0 (Xubuntu) it doesn't work: I always get the same arguments (in the fadvise() case this means the same file descriptor, same offset, etc.). This suggests accessing the wrong place in memory, or bad registers; I don't know exactly.
Has anyone tried this? Besides altering security.c, I had to make some changes to make the code compile on the 3.8.0 kernel, the same changes suggested in the previous issue opened here, after which the code compiled just fine.

Anyway, I'm attaching my security.c code just to demonstrate what I'm trying to do

// the actual hijacking of system calls, and inserting code
#include "module.h"
#include <linux/blkdev.h>

struct kernsym sym_sys_fadvise64_64;

// replacement for sys_fadvise64_64: log the arguments, then call the original
int tpe_sys_fadvise64_64(int fd, loff_t offset, loff_t len, int advice) {
    // the original fadvise entry point saved by symbol_hijack()
    int (*run)(int fd, loff_t offset, loff_t len, int advice) = sym_sys_fadvise64_64.run;

    // loff_t is 64-bit, so it must be printed with %lld rather than %d
    printk(PKPRE "*** hijacked fadvise. fd=%d offset=%lld len=%lld advice=%d\n",
           fd, (long long)offset, (long long)len, advice); // ALWAYS THE SAME IN 3.8.0!!!
    return run(fd, offset, len, advice);
}

void printfail(const char *name) {
    printk(PKPRE "warning: unable to implement protections for %s\n", name);
}

struct symhook {
    char *name;
    struct kernsym *sym;
    unsigned long *func;
};

// find symbols in /proc/kallsyms
struct symhook security2hook[] = {
    {"sys_fadvise64_64", &sym_sys_fadvise64_64, (unsigned long *)tpe_sys_fadvise64_64},
};

// hijack the needed functions. whenever possible, hijack just the LSM function

void hijack_syscalls(void) {

    int ret, i;

    for (i = 0; i < ARRAY_SIZE(security2hook); i++) {
        ret = symbol_hijack(security2hook[i].sym, security2hook[i].name, security2hook[i].func);

        // only report success when the hijack actually succeeded
        if (IN_ERR(ret))
            printfail(security2hook[i].name);
        else
            printk(PKPRE "%s hijacked successfully!\n", security2hook[i].name);
    }

}

void undo_hijack_syscalls(void) {
    int i;

    for (i = 0; i < ARRAY_SIZE(security2hook); i++)
        symbol_restore(security2hook[i].sym);
}

Build failed on linux-4.11

Hi! First of all thank you for maintaining this.

I tried to build it on Arch Linux with kernel 4.11 but it failed. Here is the log output:

./scripts/find_kernel_src.sh: line 8: arch: command not found
make -C /lib/modules/4.11.0-1/build M=/tmp/build/tpe-lkm/src/tpe-lkm modules
make[1]: Entering directory '/usr/lib/modules/4.11.0-1/build'
  CC [M]  /tmp/build/tpe-lkm/src/tpe-lkm/fopskit.o
  CC [M]  /tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.o
  CC [M]  /tmp/build/tpe-lkm/src/tpe-lkm/tpe_module.o
  CC [M]  /tmp/build/tpe-lkm/src/tpe-lkm/tpe_config.o
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c: In function ‘tpe_file_getfattr’:
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:18:18: error: ‘const struct inode_operations’ has no member named ‘getxattr’; did you mean ‘getattr’?
  if (!inode->i_op->getxattr) return 0;
                  ^~
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:20:19: error: ‘const struct inode_operations’ has no member named ‘getxattr’; did you mean ‘getattr’?
  ret = inode->i_op->getxattr(get_dentry(file),
                   ^~
In file included from /tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:2:0:
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c: In function ‘tpe_log_denied_action’:
/tmp/build/tpe-lkm/src/tpe-lkm/tpe.h:22:49: error: dereferencing pointer to incomplete type ‘const struct cred’
 #define get_task_uid(task) __kuid_val(task->cred->uid)
                                                 ^
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:83:3: note: in expansion of macro ‘get_task_uid’
   get_task_uid(current),
   ^~~~~~~~~~~~
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c: In function ‘tpe_allow_file’:
/tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.c:148:21: error: implicit declaration of function ‘in_group_p’ [-Werror=implicit-function-declaration]
  if (tpe_dmz_gid && in_group_p(KGIDT_INIT(tpe_dmz_gid)))
                     ^~~~~~~~~~
cc1: some warnings being treated as errors
make[2]: *** [scripts/Makefile.build:295: /tmp/build/tpe-lkm/src/tpe-lkm/tpe_core.o] Error 1
make[2]: *** Waiting for unfinished jobs....
make[1]: *** [Makefile:1492: _module_/tmp/build/tpe-lkm/src/tpe-lkm] Error 2
make[1]: Leaving directory '/usr/lib/modules/4.11.0-1/build'
make: *** [Makefile:24: tpe.ko] Error 2
==> ERROR: A failure occurred in build().
    Aborting...

I don't know if this is something specific or general error. I would be grateful if you can look at this.

Project dead?

Is this project still active? There seems to be multiple unaddressed outstanding issues, no release for a year and the current source doesn't even build on EL5 kernels.

Can't compile on Debian/Devuan 8

Hi,

I'm trying to compile on a 3.16.0-4-amd64 kernel, on a host with Devuan 8 (same kernel and issue on Debian 8).

# make
make -C /usr/src/linux-headers-3.16.0-4-amd64 M=/root/tpe-lkm modules
make[1]: Entering directory '/usr/src/linux-headers-3.16.0-4-amd64'
make[1]: Entering directory '/usr/src/linux-headers-3.16.0-4-amd64'
  CC [M]  /root/tpe-lkm/fopskit.o
In file included from /root/tpe-lkm/fopskit.c:2:0:
/root/tpe-lkm/fopskit.h:48:38: error: ‘FTRACE_OPS_FL_IPMODIFY’ undeclared here (not in a function)
   .flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
                                      ^
/root/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/linux-headers-3.16.0-4-common/scripts/Makefile.build:262: recipe for target '/root/tpe-lkm/fopskit.o' failed
make[4]: *** [/root/tpe-lkm/fopskit.o] Error 1
/usr/src/linux-headers-3.16.0-4-common/Makefile:1355: recipe for target '_module_/root/tpe-lkm' failed
make[3]: *** [_module_/root/tpe-lkm] Error 2
Makefile:181: recipe for target 'sub-make' failed
make[2]: *** [sub-make] Error 2
Makefile:8: recipe for target 'all' failed
make[1]: *** [all] Error 2
make[1]: Leaving directory '/usr/src/linux-headers-3.16.0-4-amd64'
Makefile:24: recipe for target 'tpe.ko' failed
make: *** [tpe.ko] Error 2

The CONFIG_FUNCTION_TRACER is enabled.

# cat .config |grep CONFIG_FUNCTION_TRACER
CONFIG_FUNCTION_TRACER=y

Any hint?

Gianluca

tpe.trusted_apps doesn't work

I'm just testing some of the module features and it looks like tpe.trusted_apps doesn't work on the 4.20.16-amd64 kernel.

#  sysctl -a | grep  trust
tpe.trusted_apps = "/home/morfik/gems/bin/jekyll"
tpe.trusted_gid = 0
tpe.trusted_invert = 0
kernel: tpe: Denied untrusted exec of /home/morfik/gems/bin/jekyll (uid:1000) by /bin/zsh (uid:1000), parents: /bin/zsh (uid:1000), /usr/bin/tmux (uid:1000), /lib/systemd/systemd (uid:0). Deny reason: directory uid not trusted
kernel: tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /home/morfik/gems/bin/jekyll. To silence this message, run; sysctl tpe.log_verbose = 0
kernel: tpe: Denied untrusted exec of /home/morfik/gems/bin/jekyll (uid:1000) by /bin/zsh (uid:1000), parents: /bin/zsh (uid:1000), /usr/bin/tmux (uid:1000), /lib/systemd/systemd (uid:0). Deny reason: directory uid not trusted
kernel: tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /home/morfik/gems/bin/jekyll. To silence this message, run; sysctl tpe.log_verbose = 0

But using setfattr -n security.tpe -v "soften_exec:soften_mmap" works well, so only tpe.trusted_apps doesn't work.

kernel: tpe: warning: cred->security was not remapped; the soften_mmap flag won't persist to child processes.

Is this something serious?

kernel: tpe: loading out-of-tree module taints kernel.
kernel: fopskit: fopskit_find_sym_addr() failed with return code -14 for fops_hook { name => selinux_enabled, addr => 0, found => 0, hooked => 0 } at fopskit_find_sym_addr() line 223
kernel: fopskit: fopskit_find_sym_addr() failed with return code -14 for fops_hook { name => selinux_disabled, addr => 0, found => 0, hooked => 0 } at fopskit_find_sym_addr() line 223
kernel: tpe: warning: cred->security was not remapped; the soften_mmap flag won't persist to child processes.
kernel: fopskit: fopskit_find_sym_addr() failed with return code -14 for fops_hook { name => sys_newuname, addr => 0, found => 0, hooked => 0 } at fopskit_find_sym_addr() line 223
kernel: tpe: added to kernel

Kernel:

$ uname -a
Linux morfikownia 4.20.16-amd64-morficzny+ #1 SMP PREEMPT Sun Mar 10 14:48:11 CET 2019 x86_64 GNU/Linux

Fails to build from source on kernel 3.5.0-17

$ lsb_release -rd
Description: Ubuntu 12.10
Release: 12.10

/usr/src/tpe-lkm# make
make -C /usr/src/linux-headers-3.5.0-17-generic M=/usr/src/tpe-lkm modules
make[1]: Entering directory `/usr/src/linux-headers-3.5.0-17-generic'
  CC [M]  /usr/src/tpe-lkm/core.o
/usr/src/tpe-lkm/core.c: In function ‘tpe_allow_file’:
/usr/src/tpe-lkm/core.c:208:1: warning: the frame size of 1328 bytes is larger than 1024 bytes [-Wframe-larger-than=]
  CC [M]  /usr/src/tpe-lkm/module.o
  CC [M]  /usr/src/tpe-lkm/security.o
  CC [M]  /usr/src/tpe-lkm/symbols.o
  CC [M]  /usr/src/tpe-lkm/malloc.o
  CC [M]  /usr/src/tpe-lkm/sysctl.o
  CC [M]  /usr/src/tpe-lkm/hijacks.o
  CC [M]  /usr/src/tpe-lkm/arch/x86/lib/inat.o
/usr/src/tpe-lkm/arch/x86/lib/inat.c:32:13: error: conflicting types for ‘inat_get_escape_attribute’
In file included from /usr/src/linux-headers-3.5.0-17-generic/arch/x86/include/asm/insn.h:24:0,
                 from /usr/src/tpe-lkm/arch/x86/lib/inat.c:21:
/usr/src/linux-headers-3.5.0-17-generic/arch/x86/include/asm/inat.h:101:20: note: previous declaration of ‘inat_get_escape_attribute’ was here
/usr/src/tpe-lkm/arch/x86/lib/inat.c:55:13: error: conflicting types for ‘inat_get_group_attribute’
In file included from /usr/src/linux-headers-3.5.0-17-generic/arch/x86/include/asm/insn.h:24:0,
                 from /usr/src/tpe-lkm/arch/x86/lib/inat.c:21:
/usr/src/linux-headers-3.5.0-17-generic/arch/x86/include/asm/inat.h:104:20: note: previous declaration of ‘inat_get_group_attribute’ was here
make[2]: *** [/usr/src/tpe-lkm/arch/x86/lib/inat.o] Error 1
make[1]: *** [_module_/usr/src/tpe-lkm] Error 2
make[1]: Leaving directory `/usr/src/linux-headers-3.5.0-17-generic'
make: *** [tpe.ko] Error 2

Lack of documentation on some TPE parameters

There is a nice explanation of what most of the TPE parameters do in the README file, but I haven't noticed there a parameter called tpe.lock. What does it do?

Also, what does tpe.xattr_soften do? The README file says: "check extended attributes for a soften flag." What is this "soften flag"? I couldn't find any info about it.

The next thing is ignore_softmode , which "enables extra features even if softmode is on" . What extra features? Does this mean all the tpe.extras.* options?

And the last one is extras/ -- I don't have this parameter in sysctl. Should I have it?

Compile failed with kernel 4.9

Hello,

I tried to compile the tpe module with kernel v. 4.9.16 and got an error:

$ make
make -C /usr/src/linux-4.9.16-gentoo M=/usr/src/tpe-lkm modules
make[1]: Entering directory '/usr/src/linux-4.9.16-gentoo'
  CC [M]  /usr/src/tpe-lkm/fopskit.o
In file included from /usr/src/tpe-lkm/fopskit.c:2:0:
/usr/src/tpe-lkm/fopskit.h:42:16: error: variable ‘fops_security_prepare_creds’ has initializer but incomplete type
  static struct ftrace_ops fops_##val __read_mostly = { \
                ^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘func’ specified in initializer
  static struct ftrace_ops fops_##val __read_mostly = { \
                ^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/tpe-lkm/fopskit.h:43:11: warning: excess elements in struct initializer
   .func = fopskit_##val, \
           ^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/tpe-lkm/fopskit.h:43:11: note: (near initialization for ‘fops_security_prepare_creds’)
   .func = fopskit_##val, \
           ^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘flags’ specified in initializer
  static struct ftrace_ops fops_##val __read_mostly = { \
                ^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/tpe-lkm/fopskit.h:44:12: error: ‘FTRACE_OPS_FL_SAVE_REGS’ undeclared here (not in a function)
   .flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
            ^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/tpe-lkm/fopskit.h:44:38: error: ‘FTRACE_OPS_FL_IPMODIFY’ undeclared here (not in a function)
   .flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
                                      ^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/tpe-lkm/fopskit.h:44:12: warning: excess elements in struct initializer
   .flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
            ^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/tpe-lkm/fopskit.h:44:12: note: (near initialization for ‘fops_security_prepare_creds’)
   .flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
            ^
/usr/src/tpe-lkm/fopskit.c:63:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_prepare_creds) {
 ^
/usr/src/tpe-lkm/fopskit.h:42:16: error: variable ‘fops_security_cred_alloc_blank’ has initializer but incomplete type
  static struct ftrace_ops fops_##val __read_mostly = { \
                ^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_cred_alloc_blank) {
 ^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘func’ specified in initializer
  static struct ftrace_ops fops_##val __read_mostly = { \
                ^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_cred_alloc_blank) {
 ^
/usr/src/tpe-lkm/fopskit.h:43:11: warning: excess elements in struct initializer
   .func = fopskit_##val, \
           ^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_cred_alloc_blank) {
 ^
/usr/src/tpe-lkm/fopskit.h:43:11: note: (near initialization for ‘fops_security_cred_alloc_blank’)
   .func = fopskit_##val, \
           ^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_cred_alloc_blank) {
 ^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘flags’ specified in initializer
  static struct ftrace_ops fops_##val __read_mostly = { \
                ^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_cred_alloc_blank) {
 ^
/usr/src/tpe-lkm/fopskit.h:44:12: warning: excess elements in struct initializer
   .flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
            ^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_cred_alloc_blank) {
 ^
/usr/src/tpe-lkm/fopskit.h:44:12: note: (near initialization for ‘fops_security_cred_alloc_blank’)
   .flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
            ^
/usr/src/tpe-lkm/fopskit.c:90:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(security_cred_alloc_blank) {
 ^
/usr/src/tpe-lkm/fopskit.h:42:16: error: variable ‘fops_proc_sys_write’ has initializer but incomplete type
  static struct ftrace_ops fops_##val __read_mostly = { \
                ^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(proc_sys_write) {
 ^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘func’ specified in initializer
  static struct ftrace_ops fops_##val __read_mostly = { \
                ^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(proc_sys_write) {
 ^
/usr/src/tpe-lkm/fopskit.h:43:11: warning: excess elements in struct initializer
   .func = fopskit_##val, \
           ^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(proc_sys_write) {
 ^
/usr/src/tpe-lkm/fopskit.h:43:11: note: (near initialization for ‘fops_proc_sys_write’)
   .func = fopskit_##val, \
           ^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(proc_sys_write) {
 ^
/usr/src/tpe-lkm/fopskit.h:42:16: error: unknown field ‘flags’ specified in initializer
  static struct ftrace_ops fops_##val __read_mostly = { \
                ^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(proc_sys_write) {
 ^
/usr/src/tpe-lkm/fopskit.h:44:12: warning: excess elements in struct initializer
   .flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
            ^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(proc_sys_write) {
 ^
/usr/src/tpe-lkm/fopskit.h:44:12: note: (near initialization for ‘fops_proc_sys_write’)
   .flags = FTRACE_OPS_FL_SAVE_REGS | FTRACE_OPS_FL_IPMODIFY, \
            ^
/usr/src/tpe-lkm/fopskit.c:114:1: note: in expansion of macro ‘fopskit_hook_handler’
 fopskit_hook_handler(proc_sys_write) {
 ^
/usr/src/tpe-lkm/fopskit.c: In function ‘fopskit_sym_int’:
/usr/src/tpe-lkm/fopskit.c:297:27: error: storage size of ‘fops_int’ isn’t known
  static struct ftrace_ops fops_int;
                           ^
/usr/src/tpe-lkm/fopskit.c:297:27: warning: unused variable ‘fops_int’ [-Wunused-variable]
/usr/src/tpe-lkm/fopskit.c: In function ‘fopskit_sym_str’:
/usr/src/tpe-lkm/fopskit.c:312:27: error: storage size of ‘fops_str’ isn’t known
  static struct ftrace_ops fops_str;
                           ^
/usr/src/tpe-lkm/fopskit.c:312:27: warning: unused variable ‘fops_str’ [-Wunused-variable]
/usr/src/tpe-lkm/fopskit.c: In function ‘fopskit_sym_ptr’:
/usr/src/tpe-lkm/fopskit.c:327:27: error: storage size of ‘fops_ptr’ isn’t known
  static struct ftrace_ops fops_ptr;
                           ^
/usr/src/tpe-lkm/fopskit.c:327:27: warning: unused variable ‘fops_ptr’ [-Wunused-variable]
make[2]: *** [scripts/Makefile.build:294: /usr/src/tpe-lkm/fopskit.o] Error 1
make[1]: *** [Makefile:1490: _module_/usr/src/tpe-lkm] Error 2
make[1]: Leaving directory '/usr/src/linux-4.9.16-gentoo'
make: *** [Makefile:24: tpe.ko] Error 2

Case of large file name

In case of a file name larger than your MAX_FILE_LEN you will have a crash because the pointer will point to the error number.
You have to use the IS_ERR macro in exe_from_mm in order to catch this case from the d_path call. Then just return NULL in order to use it for error handling when calling the exe_from_mm function.

Cheers!
Panos
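
As an added example, not code from the module or from the issue's author, here is a user-space model of the bug described above: Linux's d_path() returns ERR_PTR(-ENAMETOOLONG) when the path does not fit the buffer, so a caller that treats the result as a string dereferences a small negative integer. MAX_FILE_LEN and exe_from_mm_fixed are hypothetical stand-ins for the module's own names.

```c
#include <errno.h>
#include <string.h>

#define MAX_ERRNO 4095    /* as in include/linux/err.h */
#define MAX_FILE_LEN 32   /* hypothetical buffer size standing in for the module's */

/* Same shape as the kernel's ERR_PTR / PTR_ERR / IS_ERR helpers. */
static inline void *ERR_PTR(long err) { return (void *)err; }
static inline long PTR_ERR(const void *p) { return (long)p; }
static inline int IS_ERR(const void *p) { return (unsigned long)p >= (unsigned long)-MAX_ERRNO; }

/* Model of d_path(): writes the path at the END of buf and returns a pointer
 * into buf, or ERR_PTR(-ENAMETOOLONG) when it does not fit. */
char *model_d_path(const char *path, char *buf, size_t buflen)
{
    size_t n = strlen(path) + 1;
    if (n > buflen)
        return ERR_PTR(-ENAMETOOLONG);
    memcpy(buf + buflen - n, path, n);
    return buf + buflen - n;
}

/* Fixed shape of the wrapper: IS_ERR() check, NULL on failure so callers
 * can handle it instead of using an errno value as a string pointer. */
char *exe_from_mm_fixed(const char *path, char *buf, size_t buflen)
{
    char *p = model_d_path(path, buf, buflen);
    return IS_ERR(p) ? NULL : p;   /* PTR_ERR(p) == -ENAMETOOLONG on failure */
}

/* Scenario from the issue with a constructed path longer than MAX_FILE_LEN:
 * 1 when the unchecked d_path result is an error pointer (a crash if
 * dereferenced) while the checked wrapper yields NULL. */
int demo_long_path(void)
{
    char buf[MAX_FILE_LEN];
    const char *p = "/home/corey/a/very/long/directory/name/that/will/not/fit/exploit";
    char *raw = model_d_path(p, buf, sizeof buf);   /* what an unchecked caller gets */
    return IS_ERR(raw) && PTR_ERR(raw) == -ENAMETOOLONG &&
           exe_from_mm_fixed(p, buf, sizeof buf) == NULL;
}

/* Short path: the checked wrapper returns the string intact. */
int demo_short_path(void)
{
    char buf[MAX_FILE_LEN];
    char *p = exe_from_mm_fixed("/home/corey/exploit", buf, sizeof buf);
    return p != NULL && strcmp(p, "/home/corey/exploit") == 0;
}
```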

Random kernel panics on boot

Following a thread on the ElRepo mailing list, I am vetting intermittent kernel panics when running ClearOS 7.5 in a VBox VM on a Win10 host. More often than not the system boots correctly, but it fails with a panic in about a quarter of boots. I've attached a screen dump of the crash.

[attached screenshot: virtualbox_clearos 7 x_29_06_2018_08_02_50]

The distro can be downloaded from http://mirror.clearos.com/clearos/7/iso/x86_64/ClearOS-DVD-x86_64.iso (all versions are the same). This may give you a 7.4 installation as 7.5 was only released to the update channel on Friday. You will need to install it and select the "Community" version (Community is 7.5, Home and Business will stay on 7.4 for a couple of weeks and the repos act a little strangely during this period, especially while you are on a 30 day trial). You will probably have to register the system at https://www.clearcenter.com/. Then I suggest you do a "yum update" which may put you on 7.5 if the download didn't.

My compiled tpe is available from my server here: https://www.howitts.co.uk/clearos/ClearOS_7.x/kmod-tpe-2.0.3-6.20170731git.el7_5.elrepo.x86_64.rpm

If you needed to set up development stuff, instructions are at https://www.clearos.com/clearfoundation/development/clearos/content:en_us:dev_development_environment

If you have any questions, please ask. I understand you can set VBox to capture via a serial port but I don't know how.

[edit]
AFAIK, the ClearOS kernel is an EL7 kernel with IMQ added for QoS, so all kmod drivers need to be recompiled against the ClearOS kernel before they can be used. The driver I linked to has been recompiled so should be directly usable.
[/edit]

user-space programs can not get the correct errno

The code below returns -1 to the user-space program:
fopskit_return(fopskit_eperm); //int fopskit_eperm(void) { return -EPERM; }
In user space, running with strace, I saw this:
creat("/tmp/test/create.txt", 0644) = 4294967295
Normally, it should display:
creat("/tmp/test/create.txt", 0644) = -1 EACCES (Permission denied)

So, what should I do?
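
As an added user-space model, not fopskit or tpe-lkm code, of the 4294967295 in the strace output above: -EPERM is -1, and if a hook returning a 32-bit int is spliced into a path that expects a 64-bit long, the value can be widened without sign extension (on x86-64, writing eax zero-extends into rax) and reaches user space as 0xFFFFFFFF instead of an errno. That widening is an assumption about the cause, not something the issue confirms; MAX_ERRNO and the errno-range rule are the kernel's own convention.

```c
#include <errno.h>

#define MAX_ERRNO 4095   /* kernel convention: raw returns in [-4095, -1] are errors */

/* The hook as quoted in the issue: a 32-bit int return of -EPERM (-1). */
int fopskit_eperm(void) { return -EPERM; }

/* The 32-bit result widened to 64 bits WITHOUT sign extension, which is what
 * x86-64 does when only eax is written and the caller reads rax (assumed cause). */
long widen_zero_extended(int v) { return (long)(unsigned int)v; }

/* The same value widened WITH sign extension: still -EPERM. */
long widen_sign_extended(int v) { return (long)v; }

/* Does a raw syscall return value fall in the kernel's error range? */
int is_err_value(long raw) { return (unsigned long)raw >= (unsigned long)-MAX_ERRNO; }

/* What a libc syscall wrapper does with the raw value: -1 plus errno for an
 * error, the value unchanged otherwise (so 4294967295 is shown as a result). */
long libc_translate(long raw, int *err)
{
    if (is_err_value(raw)) {
        *err = (int)-raw;
        return -1;
    }
    *err = 0;
    return raw;
}

/* errno a user-space program would observe for a given raw return. */
int observed_errno(long raw)
{
    int err;
    libc_translate(raw, &err);
    return err;
}
```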

Feature request - multiple values for trusted_gid

Seems like the main dev is on a roll, so trying to take advantage and requesting a feature. :-)

Can we haz multiple values for trusted_gid or admin_gid? Sometimes I want to exclude from tpe certain scripts owned by e.g. CPanel via different gids, I'm sure there would be other practical use cases.

In-tree build

Is there a way to build the module in-tree such that it's actually built into the kernel, not as a separate, un-loadable module?
Thanks for writing this - very educational.

extras disabled by softmode in 2.0

I am not currently able to get tpe.extra features to work on el7 with the latest kernel (3.10.0-514.16.1.el7.x86_64) running tpe-lkm 2.0.1. I am using the elrepo kmod-tpe package and also tried the in-testing 2.0.2 version with no difference built by @pjperry a few days ago.

I even went as far as to rebuild the rpm manually against the latest commit from the elrepo spec file and it made no difference. I am not sure if this is an issue with the spec and how the elrepo rpm is built (@pjperry) or if it's a tpe-lkm issue directly (@cormander).

Testing has been conducted on two separate el7 systems, one KVM based and one bare metal, with the same results.

All extra features are not working, that is to say all processes are visible for non-root users, lsmod can be run without issue, kallsyms can be cat'd and hide_uname makes no difference (when enabled).

Find below current sysctl values for TPE.

tpe.admin_gid = 0
tpe.check_file = 0
tpe.dmz_gid = 0
tpe.extras.harden_ptrace = 1
tpe.extras.hide_uname = 0
tpe.extras.lsmod = 1
tpe.extras.proc_kallsyms = 1
tpe.extras.ps = 1
tpe.extras.ps_gid = 0
tpe.extras.restrict_setuid = 0
tpe.group_writable = 1
tpe.hardcoded_path =
tpe.kill = 0
tpe.lock = 0
tpe.log = 0
tpe.log_floodburst = 5
tpe.log_floodtime = 5
tpe.log_max = 50
tpe.log_verbose = 1
tpe.paranoid = 0
tpe.softmode = 1
tpe.strict = 0
tpe.trusted_apps =
tpe.trusted_gid = 0
tpe.trusted_invert = 0
tpe.xattr_soften = 1

Setting tpe.extras.hide_uname=1 doesn't work.

Most of the tpe.extras.* options work well, but tpe.extras.hide_uname doesn't.

When I set it to "0", I get:

# sysctl -w tpe.extras.hide_uname=0
tpe.extras.hide_uname = 0

$ uname -a
Linux morfikownia 4.20.12-amd64-morficzny+ #3 SMP PREEMPT Sat Feb 23 18:43:09 CET 2019 x86_64 GNU/Linux

When I change it to "1", I get:

# sysctl -w tpe.extras.hide_uname=1
tpe.extras.hide_uname = 1
$ uname -a
Linux morfikownia 4.20.12-amd64-morficzny+ #3 SMP PREEMPT Sat Feb 23 18:43:09 CET 2019 x86_64 GNU/Linux

Also when I try to check the sysctl value using:

# sysctl -a | grep tpe.extras.hide_uname

I get the following log and the sysctl command hangs:

tpe: Denied untrusted uname of /sbin/sysctl (uid:0) by /sbin/sysctl (uid:0), parents: /bin/zsh (uid:0), /bin/su (uid:1000), /bin/zsh (uid:1000), /usr/bin/tmux (uid:1000), /lib/systemd/systemd (uid:0). Deny reason: tpe_extras
kernel: tpe: If this uname was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_uname" /sbin/sysctl. To silence this message, run; sysctl tpe.log_verbose = 0

Here are my current TPE settings:

# sysctl -a | grep tpe
tpe.admin_gid = 0
tpe.check_file = 1
tpe.dmz_gid = 0
tpe.extras.harden_ptrace = 1
tpe.extras.hide_uname = 0
tpe.extras.ignore_softmode = 0
tpe.extras.log = 1
tpe.extras.lsmod = 1
tpe.extras.proc_kallsyms = 1
tpe.extras.ps = 0
tpe.extras.ps_gid = 0
tpe.extras.restrict_setuid = 0
tpe.group_writable = 1
tpe.hardcoded_path =
tpe.kill = 0
tpe.lock = 0
tpe.log = 1
tpe.log_floodburst = 5
tpe.log_floodtime = 5
tpe.log_max = 50
tpe.log_verbose = 1
tpe.paranoid = 0
tpe.softmode = 0
tpe.strict = 1
tpe.trusted_apps = "/usr/local/bin/docker-entrypoint.sh"
tpe.trusted_gid = 0
tpe.trusted_invert = 0
tpe.xattr_soften = 1

Can TPE work with Docker containers?

When I start some docker containers I get the following log:

kernel: tpe: Denied untrusted exec of /usr/local/bin/docker-entrypoint.sh (uid:999) by /usr/local/bin/gosu (uid:999), parents: /usr/bin/containerd-shim (uid:0), /usr/bin/containerd (uid:0), /lib/systemd/systemd (uid:0). Deny reason: file is writable
kernel: tpe: If this exec was legitimate and you cannot correct the behavior, an exception can be made to allow this by running; setfattr -n security.tpe -v "soften_exec:soften_mmap" /usr/local/bin/docker-entrypoint.sh. To silence this message, run; sysctl tpe.log_verbose = 0

It says that /usr/local/bin/docker-entrypoint.sh is untrusted, but I don't have this file on my system:

#  ls -al /usr/local/bin/docker-entrypoint.sh
ls: cannot access '/usr/local/bin/docker-entrypoint.sh': No such file or directory
#  ls -ald /usr/local/bin
drwxr-xr-x 2 root root 4096 2019-02-21 20:06:32 /usr/local/bin/

The file in question is inside of the container:

root@mariadb:/# ls -al /usr/local/bin/*
-rwxrwxr-x 1 root root    5816 Jan  8 23:47 /usr/local/bin/docker-entrypoint.sh
-rwxr-xr-x 1 root root 1286720 May 24  2017 /usr/local/bin/gosu

I tried to add the execs to tpe.trusted_apps, but that doesn't work. So how do I handle a case like Docker?
