librewolf/lkrg
1
0
Fork 0
mirror of https://github.com/openwall/lkrg.git synced 2023-12-13 21:30:29 +01:00
Code Issues Projects Releases Wiki Activity
lkrg/src/p_lkrg_main.h

449 lines
13 KiB
C
Raw Permalink Normal View History

Initial LKRG-main
2017-10-27 07:29:49 +02:00
/*
* pi3's Linux kernel Runtime Guard
*
* Component:
* - Main module
*
* Notes:
* - None
*
* Timeline:
* - Created: 24.XI.2015
*
* Author:
* - Adam 'pi3' Zabrocki (http://pi3.com.pl)
*
*/
#ifndef P_LKRG_MAIN_H
#define P_LKRG_MAIN_H
#define P_LKRG_UNHIDE
Support the "nolkrg" option in LKRG itself This commit adds support the "nolkrg" boot option and addresses issue #125
2021-11-23 22:26:56 +01:00
#define P_BOOT_DISABLE_LKRG "nolkrg"
Initial LKRG-main
2017-10-27 07:29:49 +02:00
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/moduleparam.h>
#include <linux/kallsyms.h>
#include <linux/slab.h>
#include <linux/cpu.h>
#include <linux/random.h>
#include <linux/fs.h>
#include <asm/uaccess.h>
#include <linux/version.h>
#include <linux/cpufreq.h>
#include <linux/cpu_pm.h>
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,10,0)
#include <linux/cpuhotplug.h>
#endif
#include <linux/netdevice.h>
#include <net/netevent.h>
#include <net/addrconf.h>
#include <linux/inetdevice.h>
#include <linux/usb.h>
#include <linux/acpi.h>
[1] Add Mikhail Klementev's <jollheef@riseup.net> patch for Makefile. [2] Add Mikhail Klementev's <jollheef@riseup.net> patch which creates .gitignore file. [3] Add Mikhail Klementev's <jollheef@riseup.net> patch for missing include file (linux/profile.h) [4] [CI] Change output message format when *_JUMP_LABEL was detected for kernel module's .text section.
2018-09-05 02:43:48 +02:00
#include <linux/profile.h>
Initial LKRG-main
2017-10-27 07:29:49 +02:00
#include <linux/kprobes.h>
#include <linux/namei.h>
#include <linux/dcache.h>
#include <linux/limits.h>
#include <linux/slab.h>
#include <linux/uaccess.h>
#include <linux/rbtree.h>
#include <linux/major.h>
#include <linux/crypto.h>
#include <crypto/hash.h>
#include <linux/scatterlist.h>
#include <linux/signal.h>
Support for 3.x kernels
2017-12-12 21:34:31 +01:00
#include <linux/timex.h>
Don't include linux/cryptohash.h on recent kernels This fixes LKRG build on Linux 5.8+, which renamed that header file. Thanks to Andy Lavr for reporting this problem and suggesting a (different) fix, which made us revisit our use of that header file. We only need that header file on older kernels (< 4.4.72 or < RHEL 7.4) for the one use of md5_transform() in get_random_long(). On newer kernels, we simply use the kernel-provided get_random_long(). Further, 5.8's crypto/sha.h doesn't declare md5_transform() anyway (linux/cryptohash.h on much older kernels did).
2020-08-04 21:48:36 +02:00
Add FTRACE support 1) We are hooking into FTRACE's internal functions to be able to monitor when new modifications are executed and react accordingly. 2) Linux kernel has bugs in FTRACE code. The LKRG may highlight them. 3) We are introducing 'p_state_init' variable to track when full LKRG's initialization is complete.
2020-11-02 03:40:46 +01:00
#include <linux/vmalloc.h>
#include <linux/ftrace.h>
p_ed_enforce_pcfi: validate the p_task stack but not irq_stack In the irq context, we should not get the p_task stack from p_regs.
2022-04-28 05:57:34 +02:00
#include <linux/preempt.h>
Fix build with non-RHEL kernels broken with the previous commit
2020-08-05 18:19:32 +02:00
#ifndef RHEL_RELEASE_VERSION
#define RHEL_RELEASE_VERSION(a, b) (((a) << 8) + (b))
#endif
Don't include linux/cryptohash.h on recent kernels This fixes LKRG build on Linux 5.8+, which renamed that header file. Thanks to Andy Lavr for reporting this problem and suggesting a (different) fix, which made us revisit our use of that header file. We only need that header file on older kernels (< 4.4.72 or < RHEL 7.4) for the one use of md5_transform() in get_random_long(). On newer kernels, we simply use the kernel-provided get_random_long(). Further, 5.8's crypto/sha.h doesn't declare md5_transform() anyway (linux/cryptohash.h on much older kernels did).
2020-08-04 21:48:36 +02:00
#if ( (LINUX_VERSION_CODE < KERNEL_VERSION(4,4,72)) && \
(!(defined(RHEL_RELEASE_CODE)) || \
RHEL_RELEASE_CODE < RHEL_RELEASE_VERSION(7, 4)))
Simplify our get_random_long() wrapper (only used with old kernels) Fixes #234
2022-10-17 20:08:45 +02:00
static inline unsigned long get_random_long(void) {
unsigned long p_ret;
get_random_bytes(&p_ret, sizeof(p_ret));
return p_ret;
}
Don't include linux/cryptohash.h on recent kernels This fixes LKRG build on Linux 5.8+, which renamed that header file. Thanks to Andy Lavr for reporting this problem and suggesting a (different) fix, which made us revisit our use of that header file. We only need that header file on older kernels (< 4.4.72 or < RHEL 7.4) for the one use of md5_transform() in get_random_long(). On newer kernels, we simply use the kernel-provided get_random_long(). Further, 5.8's crypto/sha.h doesn't declare md5_transform() anyway (linux/cryptohash.h on much older kernels did).
2020-08-04 21:48:36 +02:00
#endif
Initial LKRG-main
2017-10-27 07:29:49 +02:00
define p_kzfree() wrapper p_kzfree() wraps kzfree() call for kernel < 5.10 and kfree_sensitive() in the other case. This reflects the changes made in kernel since 23224e45004ed84c8466fd1e8e5860f541187029 and fix the build against kernel 5.10.
2020-12-16 17:09:12 +01:00
#if LINUX_VERSION_CODE < KERNEL_VERSION(5,10,0)
#define p_kzfree kzfree
#else
#define p_kzfree kfree_sensitive
#endif
Fix build on CentOS Stream 9 Fixes #145
2022-01-21 16:21:05 +01:00
#if LINUX_VERSION_CODE < KERNEL_VERSION(5,15,0) && \
(!defined(RHEL_RELEASE_CODE) || RHEL_RELEASE_CODE < RHEL_RELEASE_VERSION(9, 0))
Replace deprecated CPU-hotplug functions for kernels 5.15+ On the latest kernels (5.15+) get/put_onlince_cpus() API is deprecated and new synchronization functions must be used. This commit addressed that issue and #118
2021-10-08 17:16:38 +02:00
#define p_read_cpu_lock get_online_cpus
#define p_read_cpu_unlock put_online_cpus
#else
#define p_read_cpu_lock cpus_read_lock
#define p_read_cpu_unlock cpus_read_unlock
#endif
Introduce pCFI mitigation - new type of mitigation which dynamically adds "poor's man CFI"
2018-12-31 21:52:20 +01:00
#include <linux/stacktrace.h>
#include <asm/stacktrace.h>
#include <asm/tlbflush.h>
unwind.h is not available on RHEL7 with old kernel(s). Fix it.
2020-06-15 01:21:09 +02:00
#if defined(CONFIG_X86) && defined(CONFIG_UNWINDER_ORC)
[1] Add support for pCFI stackwalk when CONFIG_UNWINDER_ORC is enabled [2] Whitelist true/false binaries [3] Modify the logic when stack-page is updated [4] Add __scm_send hook to verify creds on SCM_CREDENTIALS
2020-04-30 17:25:53 +02:00
#include <asm/unwind.h>
When LKRG is configured to allow only whitelisted executables to be run by UMH, we might be in the situation of overwriting RO page. Add support for that
2020-05-10 01:56:58 +02:00
#endif
Fix implicit declaration of function 'task_stack_page' on arm Due to kernel commit f3ac60671954c ("sched/headers: Move task-stack related APIs from <linux/sched.h> to <linux/sched/task_stack.h>") (Linux v4.11) `linux/sched/task_stack.h' should be included to access `task_stack_page'. Compilation failure is appearing on armv8l arch: In file included from ./include/linux/prefetch.h:15, from ./arch/arm/include/asm/atomic.h:12, from ./include/linux/atomic.h:7, from ./include/asm-generic/bitops/lock.h:5, from ./arch/arm/include/asm/bitops.h:243, from ./include/linux/bitops.h:26, from ./include/linux/kernel.h:12, from /usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/../../p_lkrg_main.h:23, from /usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/p_exploit_detection.c:18: /usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/p_exploit_detection.c: In function 'p_iterate_processes': ./arch/arm/include/asm/processor.h:99:40: error: implicit declaration of function 'task_stack_page'; did you mean 'walk_stackframe'? [-Werror=implicit-function-declaration] 99 | ((struct pt_regs *)(THREAD_START_SP + task_stack_page(p)) - 1) | ^~~~~~~~~~~~~~~ /usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/p_exploit_detection.c:779:30: note: in expansion of macro 'task_pt_regs' 779 | p_regs_set_ip(task_pt_regs(p_tmp), -1); | ^~~~~~~~~~~~ cc1: some warnings being treated as errors make[1]: *** [scripts/Makefile.build:265: /usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/p_exploit_detection.o] Error 1 Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
2020-08-18 21:26:54 +02:00
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,11,0)
#include <linux/sched/task_stack.h>
#endif
Introduce pCFI mitigation - new type of mitigation which dynamically adds "poor's man CFI"
2018-12-31 21:52:20 +01:00
Reduce memory overhead generated by kmem_cache_create This commit brings a few important changes: - LKRG has used to leverage SLAB_HWCACHE_ALIGN but memory overhead may be too significant for LKRG's use cases - Since the kernel 4.5+ we can use SLAB_ACCOUNT to make sure that LKRG's caches are standalone - Modify the size of pCFI stack buffer cache to be smaller and decoupled from the PAGE_SIZE (there is no reason for that) Additionally, this commit should help addressing #131
2022-06-10 23:02:56 +02:00
/*
* Define kmem_cache_create() flags:
* - LKRG has used to leverage SLAB_HWCACHE_ALIGN but memory overhead
* may be too significant for LKRG's use cases
* - Since the kernel 4.5+ we can use SLAB_ACCOUNT to make sure
* that LKRG's caches are standalone
*/
#if LINUX_VERSION_CODE < KERNEL_VERSION(4,5,0)
#define P_LKRG_CACHE_FLAGS 0
#else
#define P_LKRG_CACHE_FLAGS SLAB_ACCOUNT
#endif
Introduce a new compilation macro - P_KERNEL_AGGRESSIVE_INLINING Some custom compilation of the kernel might aggresively inline critical functions (from LKRG perspective). That's problematic for the project. However, some of the problems *might* be solved by uncommenting this new definition (P_KERNEL_AGGRESSIVE_INLINING). Unfortunately, not all of the problems can be solved by it (at least no for now). You need to experiment. This can be useful to address issues like #40
2021-02-07 02:15:42 +01:00
/*
* Some custom compilation of the kernel might aggresively inline
* critical functions (from LKRG perspective). That's problematic
* for the project. However, some of the problems *might* be solved
* by uncommenting following definition. However, not all of them
* so you need to experiment.
*/
//#define P_KERNEL_AGGRESSIVE_INLINING 1
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
//#define p_lkrg_read_only __attribute__((__section__(".data..p_lkrg_read_only"),aligned(PAGE_SIZE)))
#define __p_lkrg_read_only __attribute__((__section__(".p_lkrg_read_only")))
#if defined(CONFIG_X86_64) || defined(CONFIG_ARM64)
#define P_LKRG_MARKER1 0x3369705f6d616441
#define P_LKRG_MARKER2 0xdeadbabedeadbabe
#else
#define P_LKRG_MARKER1 0x3369705f
#define P_LKRG_MARKER2 0xdeadbabe
#endif
SELinux: Disable state monitoring for kernels with randomized structs New Linux kernels may be built with the CONFIG_GCC_PLUGIN_RANDSTRUCT option. This randomly changes the order of fields in certain structures, including selinux_state. Currently, LKRG isn't capable to recreate the structure layout. Thus, we have to disable LKRG's SELinux monitoring on kernels built with this option. CONFIG_GCC_PLUGIN_RANDSTRUCT was introduced to make it harder for attackers to overwrite particular fields of structures. LKRG's goal was the same. So even disabling LKRG's monitoring, we still have some mitigations for SELinux state overwrites. We might make LKRG capable to recreate randomized structures in the future.
2021-03-17 23:20:13 +01:00
#if defined(CONFIG_SECURITY_SELINUX_DEVELOP) && !defined(CONFIG_GCC_PLUGIN_RANDSTRUCT)
#define P_SELINUX_VERIFY
#endif
Add more stable kernels with unexported __module_address.
2021-07-20 14:44:44 +02:00
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0) || \
(LINUX_VERSION_CODE >= KERNEL_VERSION(5,4,118) && LINUX_VERSION_CODE < KERNEL_VERSION(5,5,0)) || \
(LINUX_VERSION_CODE >= KERNEL_VERSION(4,19,191) && LINUX_VERSION_CODE < KERNEL_VERSION(4,20,0)) || \
(LINUX_VERSION_CODE >= KERNEL_VERSION(4,14,233) && LINUX_VERSION_CODE < KERNEL_VERSION(4,15,0))
#define P_LKRG_UNEXPORTED_MODULE_ADDRESS
#endif
Minor fixes - typos, spaces, formating, etc.
2020-06-03 06:22:04 +02:00
#define nitems(val) (sizeof(val) / sizeof(val[0]))
Merged in oshogbo/lkrg-osho/umh (pull request #6) Rework UMH. * Introduce nitems for nice array counting scheme. * Rework the umh whitelist. No functional changes intended. * Sort the UMH and remove dups.
2020-06-03 05:34:30 +02:00
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
typedef struct _p_lkrg_global_conf_structure {
Group hot RO page settings into a cache line
2020-05-21 21:16:53 +02:00
#if defined(CONFIG_X86)
unsigned int p_smep_validate;
unsigned int p_smap_validate;
#endif
unsigned int p_pcfi_validate;
This is a huge change. We completely rewrote communication channel and added a lot of new configuration options. Summary: 1) Introduce 'kint_validate' to control kernel/system integrity logic: 0 - disabled 1 - validation is performed only when manually triggered 3 - validation is performed periodically by timer interrupt and on random events 2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails: 0 - log & accept corruption 1 - log only (for SELinux and CR0.WP violation log & restore original values) 2 - panic() - kill the kernel 3) Introduce 'pint_validate' to control tasks validation logic: 0 - disabled 1 - validate only currently running tasks 2 - validate only currently running tasks + task which changes state to RUNNING 3 - validate all tasks in the system (paranoid mode) 4) Introduce 'pint_enforce' to control how LKRG reacts when task validation fails: 0 - log & accept corruption 1 - kill corrupted task 2 - panic() - kill the kernel 5) Introduce 'smep_validate' to control if SMEP validation will be performed 0 - disable SMEP validation 1 - enable SMEP validation 6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails: 0 - log & accept 1 - log & restore 2 - panic() - kill the kernel 7) Introduce 'umh_validate' to control if UMH validation will be performed 0 - disable UMH validation 1 - allow only whitelited binaries to execute via UMH 2 - completely block UMH 8) Introduce 'smep_enforce' to control how LKRG reacts when UMH validation fails: 0 - log only 1 - prevent execution 2 - panic() - kill the kernel 9) Introduce 'pcfi_validate' to control if pCFI validation will be performed 0 - disabled 1 - no stackwalk (weak pCFI) 2 - fully enabled 10) Introduce 'pcfi_enforce' to control how LKRG reacts when pCFI validation fails: 0 - log only 1 - kill corrupted task 2 - panic() - kill the kernel 11) Rename 'timestamp' to 'interval' 12) Rename 'force_run' to 'trigger' 13) Rename 'clean_message' to 'heartbeat' 14) Rename 'msr_enforce' to 'msr_validate' 15) Option 'hide' stays the same 16) Option 'log_level' stays the same 17) Option 'block_modules' stays the same
2020-04-25 19:41:52 +02:00
unsigned int p_pint_validate;
Group hot RO page settings into a cache line
2020-05-21 21:16:53 +02:00
unsigned int p_kint_validate;
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
unsigned int p_log_level;
unsigned int p_block_modules;
Group hot RO page settings into a cache line
2020-05-21 21:16:53 +02:00
unsigned int p_msr_validate;
This is a huge change. We completely rewrote communication channel and added a lot of new configuration options. Summary: 1) Introduce 'kint_validate' to control kernel/system integrity logic: 0 - disabled 1 - validation is performed only when manually triggered 3 - validation is performed periodically by timer interrupt and on random events 2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails: 0 - log & accept corruption 1 - log only (for SELinux and CR0.WP violation log & restore original values) 2 - panic() - kill the kernel 3) Introduce 'pint_validate' to control tasks validation logic: 0 - disabled 1 - validate only currently running tasks 2 - validate only currently running tasks + task which changes state to RUNNING 3 - validate all tasks in the system (paranoid mode) 4) Introduce 'pint_enforce' to control how LKRG reacts when task validation fails: 0 - log & accept corruption 1 - kill corrupted task 2 - panic() - kill the kernel 5) Introduce 'smep_validate' to control if SMEP validation will be performed 0 - disable SMEP validation 1 - enable SMEP validation 6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails: 0 - log & accept 1 - log & restore 2 - panic() - kill the kernel 7) Introduce 'umh_validate' to control if UMH validation will be performed 0 - disable UMH validation 1 - allow only whitelited binaries to execute via UMH 2 - completely block UMH 8) Introduce 'smep_enforce' to control how LKRG reacts when UMH validation fails: 0 - log only 1 - prevent execution 2 - panic() - kill the kernel 9) Introduce 'pcfi_validate' to control if pCFI validation will be performed 0 - disabled 1 - no stackwalk (weak pCFI) 2 - fully enabled 10) Introduce 'pcfi_enforce' to control how LKRG reacts when pCFI validation fails: 0 - log only 1 - kill corrupted task 2 - panic() - kill the kernel 11) Rename 'timestamp' to 'interval' 12) Rename 'force_run' to 'trigger' 13) Rename 'clean_message' to 'heartbeat' 14) Rename 'msr_enforce' to 'msr_validate' 15) Option 'hide' stays the same 16) Option 'log_level' stays the same 17) Option 'block_modules' stays the same
2020-04-25 19:41:52 +02:00
unsigned int p_heartbeat;
Group hot RO page settings into a cache line
2020-05-21 21:16:53 +02:00
unsigned int p_interval;
unsigned int p_umh_validate;
When LKRG is configured to allow only whitelisted executables to be run by UMH, we might be in the situation of overwriting RO page. Add support for that
2020-05-10 01:56:58 +02:00
#if defined(CONFIG_X86)
This is a huge change. We completely rewrote communication channel and added a lot of new configuration options. Summary: 1) Introduce 'kint_validate' to control kernel/system integrity logic: 0 - disabled 1 - validation is performed only when manually triggered 3 - validation is performed periodically by timer interrupt and on random events 2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails: 0 - log & accept corruption 1 - log only (for SELinux and CR0.WP violation log & restore original values) 2 - panic() - kill the kernel 3) Introduce 'pint_validate' to control tasks validation logic: 0 - disabled 1 - validate only currently running tasks 2 - validate only currently running tasks + task which changes state to RUNNING 3 - validate all tasks in the system (paranoid mode) 4) Introduce 'pint_enforce' to control how LKRG reacts when task validation fails: 0 - log & accept corruption 1 - kill corrupted task 2 - panic() - kill the kernel 5) Introduce 'smep_validate' to control if SMEP validation will be performed 0 - disable SMEP validation 1 - enable SMEP validation 6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails: 0 - log & accept 1 - log & restore 2 - panic() - kill the kernel 7) Introduce 'umh_validate' to control if UMH validation will be performed 0 - disable UMH validation 1 - allow only whitelited binaries to execute via UMH 2 - completely block UMH 8) Introduce 'smep_enforce' to control how LKRG reacts when UMH validation fails: 0 - log only 1 - prevent execution 2 - panic() - kill the kernel 9) Introduce 'pcfi_validate' to control if pCFI validation will be performed 0 - disabled 1 - no stackwalk (weak pCFI) 2 - fully enabled 10) Introduce 'pcfi_enforce' to control how LKRG reacts when pCFI validation fails: 0 - log only 1 - kill corrupted task 2 - panic() - kill the kernel 11) Rename 'timestamp' to 'interval' 12) Rename 'force_run' to 'trigger' 13) Rename 'clean_message' to 'heartbeat' 14) Rename 'msr_enforce' to 'msr_validate' 15) Option 'hide' stays the same 16) Option 'log_level' stays the same 17) Option 'block_modules' stays the same
2020-04-25 19:41:52 +02:00
unsigned int p_smep_enforce;
Add SMAP bit verification logic (x86 arch). It is guarded in the same way as SMEP. Two new LKRG sysctl interface are introduced to control verification and enforcement logic: 1) Introduce 'smap_validate' to control if SMAP validation will be performed 0 - disable SMAP validation 1 - enable SMAP validation 6) Introduce 'smap_enforce' to control how LKRG reacts when SMAP validation fails: 0 - log & accept 1 - log & restore 2 - panic() - kill the kernel
2020-05-10 22:56:47 +02:00
unsigned int p_smap_enforce;
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
#endif
This is a huge change. We completely rewrote communication channel and added a lot of new configuration options. Summary: 1) Introduce 'kint_validate' to control kernel/system integrity logic: 0 - disabled 1 - validation is performed only when manually triggered 3 - validation is performed periodically by timer interrupt and on random events 2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails: 0 - log & accept corruption 1 - log only (for SELinux and CR0.WP violation log & restore original values) 2 - panic() - kill the kernel 3) Introduce 'pint_validate' to control tasks validation logic: 0 - disabled 1 - validate only currently running tasks 2 - validate only currently running tasks + task which changes state to RUNNING 3 - validate all tasks in the system (paranoid mode) 4) Introduce 'pint_enforce' to control how LKRG reacts when task validation fails: 0 - log & accept corruption 1 - kill corrupted task 2 - panic() - kill the kernel 5) Introduce 'smep_validate' to control if SMEP validation will be performed 0 - disable SMEP validation 1 - enable SMEP validation 6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails: 0 - log & accept 1 - log & restore 2 - panic() - kill the kernel 7) Introduce 'umh_validate' to control if UMH validation will be performed 0 - disable UMH validation 1 - allow only whitelited binaries to execute via UMH 2 - completely block UMH 8) Introduce 'smep_enforce' to control how LKRG reacts when UMH validation fails: 0 - log only 1 - prevent execution 2 - panic() - kill the kernel 9) Introduce 'pcfi_validate' to control if pCFI validation will be performed 0 - disabled 1 - no stackwalk (weak pCFI) 2 - fully enabled 10) Introduce 'pcfi_enforce' to control how LKRG reacts when pCFI validation fails: 0 - log only 1 - kill corrupted task 2 - panic() - kill the kernel 11) Rename 'timestamp' to 'interval' 12) Rename 'force_run' to 'trigger' 13) Rename 'clean_message' to 'heartbeat' 14) Rename 'msr_enforce' to 'msr_validate' 15) Option 'hide' stays the same 16) Option 'log_level' stays the same 17) Option 'block_modules' stays the same
2020-04-25 19:41:52 +02:00
unsigned int p_pcfi_enforce;
Group hot RO page settings into a cache line
2020-05-21 21:16:53 +02:00
unsigned int p_pint_enforce;
unsigned int p_kint_enforce;
unsigned int p_trigger;
unsigned int p_hide_lkrg;
unsigned int p_umh_enforce;
Introduce 'profiles' configurable from the sysctl interfact: 1) profile_validate: a) 0 (Disabled): -> kint_validate = 0 (Disabled) -> pint_validate = 0 (Disabled) -> pcfi_validate = 0 (Disabled) -> umh_validate = 0 (Disabled) -> msr_validate = 0 (Disabled) -> smep_validate = 0 (Disabled) -> smap_validate = 0 (Disabled) b) 1 (Light): -> kint_validate = 1 (Manual trigger only) -> pint_validate = 1 (Current task only) -> pcfi_validate = 1 (Weak pCFI) -> umh_validate = 1 (Whitelist) -> msr_validate = 0 (Disabled) -> smep_validate = 1 (Enabled) -> smap_validate = 1 (Enabled) c) 2 (Balanced): -> kint_validate = 2 (Triggered by timer) -> pint_validate = 2 (Current + weaking up task) -> pcfi_validate = 1 (Weak pCFI) -> umh_validate = 1 (Whitelist) -> msr_validate = 0 (Disabled) -> smep_validate = 1 (Enabled) -> smap_validate = 1 (Enabled) d) 3 (Moderate): -> kint_validate = 3 (Triggered by timer + random events) -> pint_validate = 2 (Current + weaking up task) -> pcfi_validate = 2 (Full pCFI) -> umh_validate = 1 (Whitelist) -> msr_validate = 1 (Enabled) -> smep_validate = 1 (Enabled) -> smap_validate = 1 (Enabled) e) 4 (Heavy): -> kint_validate = 3 (Triggered by timer + random events) -> pint_validate = 3 (Paranoid mode - verify all tasks in the system by every hook) -> pcfi_validate = 2 (Full pCFI) -> umh_validate = 2 (Full UMH lock-down) -> msr_validate = 1 (Enabled) -> smep_validate = 1 (Enabled) -> smap_validate = 1 (Enabled) 2) profile_enforce: a) 0 (Log & Accept): -> kint_enforce = 0 (Log & accept) -> pint_enforce = 0 (Log & accept) -> pcfi_enforce = 0 (Log only) -> umh_enforce = 0 (Log only) -> smep_enforce = 0 (Log & accept) -> smap_enforce = 0 (Log & accept) b) 1 (Balanced - selective panic): -> kint_enforce = 1 (Log only) -> pint_enforce = 1 (Kill task) -> pcfi_enforce = 1 (Kill task) -> umh_enforce = 1 (Prevent execution) -> smep_enforce = 2 (Panic) -> smap_enforce = 2 (Panic) c) 2 (Moderate - more panic): -> kint_enforce = 2 (Panic) -> pint_enforce = 1 (Kill task) -> pcfi_enforce = 1 (Kill task) -> umh_enforce = 1 (Prevent execution) -> smep_enforce = 2 (Panic) -> smap_enforce = 2 (Panic) d) 3 (Panic): -> kint_enforce = 2 (Panic) -> pint_enforce = 2 (Panic) -> pcfi_enforce = 2 (Panic) -> umh_enforce = 2 (Panic) -> smep_enforce = 2 (Panic) -> smap_enforce = 2 (Panic)
2020-05-27 18:22:48 +02:00
/* Profiles */
unsigned int p_profile_validate;
unsigned int p_profile_enforce;
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
} p_lkrg_global_conf_struct;
typedef struct _p_lkrg_global_symbols_structure {
unsigned long (*p_kallsyms_lookup_name)(const char *name);
int (*p_freeze_processes)(void);
void (*p_thaw_processes)(void);
#if !defined(CONFIG_ARM64)
void (*p_flush_tlb_all)(void);
#endif
Introduce a new compilation macro - P_KERNEL_AGGRESSIVE_INLINING Some custom compilation of the kernel might aggresively inline critical functions (from LKRG perspective). That's problematic for the project. However, some of the problems *might* be solved by uncommenting this new definition (P_KERNEL_AGGRESSIVE_INLINING). Unfortunately, not all of the problems can be solved by it (at least no for now). You need to experiment. This can be useful to address issues like #40
2021-02-07 02:15:42 +01:00
#if defined(P_KERNEL_AGGRESSIVE_INLINING)
Unify kernel symbol lookups through introduction of a macro
2022-07-09 21:54:08 +02:00
int (*p_set_memory_ro)(unsigned long addr, int numpages);
int (*p_set_memory_rw)(unsigned long addr, int numpages);
Introduce a new compilation macro - P_KERNEL_AGGRESSIVE_INLINING Some custom compilation of the kernel might aggresively inline critical functions (from LKRG perspective). That's problematic for the project. However, some of the problems *might* be solved by uncommenting this new definition (P_KERNEL_AGGRESSIVE_INLINING). Unfortunately, not all of the problems can be solved by it (at least no for now). You need to experiment. This can be useful to address issues like #40
2021-02-07 02:15:42 +01:00
#if defined(CONFIG_X86)
;
Unify kernel symbol lookups through introduction of a macro
2022-07-09 21:54:08 +02:00
// int (*p_set_memory_np)(unsigned long addr, int numpages);
Introduce a new compilation macro - P_KERNEL_AGGRESSIVE_INLINING Some custom compilation of the kernel might aggresively inline critical functions (from LKRG perspective). That's problematic for the project. However, some of the problems *might* be solved by uncommenting this new definition (P_KERNEL_AGGRESSIVE_INLINING). Unfortunately, not all of the problems can be solved by it (at least no for now). You need to experiment. This can be useful to address issues like #40
2021-02-07 02:15:42 +01:00
#elif defined(CONFIG_ARM64)
Unify kernel symbol lookups through introduction of a macro
2022-07-09 21:54:08 +02:00
int (*p_set_memory_valid)(unsigned long addr, int numpages, int enable);
Introduce a new compilation macro - P_KERNEL_AGGRESSIVE_INLINING Some custom compilation of the kernel might aggresively inline critical functions (from LKRG perspective). That's problematic for the project. However, some of the problems *might* be solved by uncommenting this new definition (P_KERNEL_AGGRESSIVE_INLINING). Unfortunately, not all of the problems can be solved by it (at least no for now). You need to experiment. This can be useful to address issues like #40
2021-02-07 02:15:42 +01:00
#endif
#else
#if defined(CONFIG_X86)
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
int (*p_change_page_attr_set_clr)(unsigned long *addr, int numpages,
pgprot_t mask_set, pgprot_t mask_clr,
int force_split, int in_flag,
struct page **pages);
Introduce a new compilation macro - P_KERNEL_AGGRESSIVE_INLINING Some custom compilation of the kernel might aggresively inline critical functions (from LKRG perspective). That's problematic for the project. However, some of the problems *might* be solved by uncommenting this new definition (P_KERNEL_AGGRESSIVE_INLINING). Unfortunately, not all of the problems can be solved by it (at least no for now). You need to experiment. This can be useful to address issues like #40
2021-02-07 02:15:42 +01:00
#elif defined(CONFIG_ARM) || defined(CONFIG_ARM64)
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
int (*p_change_memory_common)(unsigned long addr, int numpages,
pgprot_t set_mask, pgprot_t clear_mask);
Introduce a new compilation macro - P_KERNEL_AGGRESSIVE_INLINING Some custom compilation of the kernel might aggresively inline critical functions (from LKRG perspective). That's problematic for the project. However, some of the problems *might* be solved by uncommenting this new definition (P_KERNEL_AGGRESSIVE_INLINING). Unfortunately, not all of the problems can be solved by it (at least no for now). You need to experiment. This can be useful to address issues like #40
2021-02-07 02:15:42 +01:00
#endif
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
#endif
Unify kernel symbol lookups through introduction of a macro
2022-07-09 21:54:08 +02:00
int (*p___kernel_text_address)(unsigned long p_addr);
Support various CONFIG_SECCOMP configurations Some distro kernels for ARM do not enable CONFIG_SECCOMP. Up until this commit, LKRG presumed that SECCOMP was always enabled/compiled in.
2021-06-06 02:48:25 +02:00
#if defined(CONFIG_SECCOMP)
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
void (*p_get_seccomp_filter)(struct task_struct *p_task);
Fix resolution and usage of put_seccomp_filter on Linux >= 5.9
2020-10-17 03:00:25 +02:00
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,9,0)
void (*p_put_seccomp_filter)(struct seccomp_filter *p_filter);
#else
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
void (*p_put_seccomp_filter)(struct task_struct *p_task);
Fix resolution and usage of put_seccomp_filter on Linux >= 5.9
2020-10-17 03:00:25 +02:00
#endif
Support various CONFIG_SECCOMP configurations Some distro kernels for ARM do not enable CONFIG_SECCOMP. Up until this commit, LKRG presumed that SECCOMP was always enabled/compiled in.
2021-06-06 02:48:25 +02:00
#endif
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
#ifdef CONFIG_SECURITY_SELINUX
Add support for kernels 5.6+
2020-04-17 02:50:59 +02:00
#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
int *p_selinux_enabled;
Add support for kernels 5.6+
2020-04-17 02:50:59 +02:00
#endif
SELinux: Disable state monitoring for kernels with randomized structs New Linux kernels may be built with the CONFIG_GCC_PLUGIN_RANDSTRUCT option. This randomly changes the order of fields in certain structures, including selinux_state. Currently, LKRG isn't capable to recreate the structure layout. Thus, we have to disable LKRG's SELinux monitoring on kernels built with this option. CONFIG_GCC_PLUGIN_RANDSTRUCT was introduced to make it harder for attackers to overwrite particular fields of structures. LKRG's goal was the same. So even disabling LKRG's monitoring, we still have some mitigations for SELinux state overwrites. We might make LKRG capable to recreate randomized structures in the future.
2021-03-17 23:20:13 +01:00
#ifdef P_SELINUX_VERIFY
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4,17,0)
struct p_selinux_state *p_selinux_state;
#else
int *p_selinux_enforcing;
#endif
#endif
#endif
int (*p_core_kernel_text)(unsigned long p_addr);
When LKRG is configured to allow only whitelisted executables to be run by UMH, we might be in the situation of overwriting RO page. Add support for that
2020-05-10 01:56:58 +02:00
pmd_t *(*p_mm_find_pmd)(struct mm_struct *mm, unsigned long address);
Simplify synchronization with JUMP_LABEL engine We don't need to introduce custom LKRG-counter lock to synchronize with JUMP_LABEL engine and avoid potential deadlock with FTRACE. We can check if jump_label lock is taken after acquiring ftrace lock and before taking text_mutex. This simplification changes p_text_section_(un)lock API. This also fixes problem reported by Jacek
2020-11-02 22:09:07 +01:00
struct mutex *p_jump_label_mutex;
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
struct mutex *p_text_mutex;
kINT: Fix synchronization problem The reported problem with integrity verification on ARM64 (#269) is a result of a very tight race condition with tracepoints. Changes which simplify synchronization with JUMP_LABEL engine: f98da1b17c01c168ec163b0349327661adc9e38d affected differently ARM64 platform which made such race possible. However, potentially the same race problem may exist on x86 and this commit fixes it and should address #269
2023-10-25 11:00:42 +02:00
struct mutex *p_tracepoints_mutex;
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
struct text_poke_loc **p_tp_vec;
int *p_tp_vec_nr;
#if defined(CONFIG_DYNAMIC_DEBUG)
struct list_head *p_ddebug_tables;
struct mutex *p_ddebug_lock;
Add support for Linux kernel post-6.3 Linux kernel post-6.3 modified the 'struct module' and introduced a new substructure describing module's memory layout. Additionally, the logic for dynamic debug (ddebug) has been modified and some of the functions which LKRG uses are no longer exported. This commit adopts to these post-6.3 changed and addresses #267
2023-05-03 02:46:52 +02:00
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 1, 0) && LINUX_VERSION_CODE < KERNEL_VERSION(6, 4, 0)
Unify kernel symbol lookups through introduction of a macro
2022-07-09 21:54:08 +02:00
int (*p_ddebug_remove_module)(const char *p_name);
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
#endif
#endif
Unify kernel symbol lookups through introduction of a macro
2022-07-09 21:54:08 +02:00
struct list_head *p_modules;
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
struct kset **p_module_kset;
Do not resolve 'native_write_cr4' on AARCH64 Since kernel 5.8+ 'native_write_cr4' must be manually resolved. However, this is X86 specific code which should nbot be executed on other platforms. This commit fixes that and addresses #48
2021-02-11 20:43:49 +01:00
#if defined(CONFIG_X86)
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,8,0)
Since kernel 5.8 function native_write_cr4 is not exported anymore. We could write own function which modifies CR4, however, we don't want to introduce new potential gadgets. Instead we dynamically resolve it to fix this problem.
2020-08-16 19:38:24 +02:00
void (*p_native_write_cr4)(unsigned long p_val);
Do not resolve 'native_write_cr4' on AARCH64 Since kernel 5.8+ 'native_write_cr4' must be manually resolved. However, this is X86 specific code which should nbot be executed on other platforms. This commit fixes that and addresses #48
2021-02-11 20:43:49 +01:00
#endif
Dynamically resolve __module_address and __module_text_address on Linux >= 5.9
2020-10-17 02:59:20 +02:00
#endif
Add more stable kernels with unexported __module_address.
2021-07-20 14:44:44 +02:00
#ifdef P_LKRG_UNEXPORTED_MODULE_ADDRESS
Unify kernel symbol lookups through introduction of a macro
2022-07-09 21:54:08 +02:00
struct module* (*p___module_address)(unsigned long p_val);
struct module* (*p___module_text_address)(unsigned long p_val);
Since kernel 5.8 function native_write_cr4 is not exported anymore. We could write own function which modifies CR4, however, we don't want to introduce new potential gadgets. Instead we dynamically resolve it to fix this problem.
2020-08-16 19:38:24 +02:00
#endif
Add support for kernels 5.12+ Since this patch: https://www.mail-archive.com/linuxppc-dev@lists.ozlabs.org/msg182925.html 'module_mutex' and 'find_module' is not exported. We need to manually find it. This commit addresses described issue.
2021-03-28 21:39:01 +02:00
struct module* (*p_find_module)(const char *name);
struct mutex *p_module_mutex;
[1] Change initialization logic for exploit detection module: - Not all hooks are fatal. If for any reason non-fatal hook can't be placed, continue initialization and print appropriate message - If hook is fatal, stop intialization [2] Add support for ISRA optimized functions: - Some of the functions might be optimized by ISRA. However, some of the hooks can still be functional even under ISRA optimized functions.
2020-06-09 23:38:01 +02:00
int (*p_kallsyms_on_each_symbol)(int (*)(void *, const char *, struct module *, unsigned long), void *);
Add FTRACE support 1) We are hooking into FTRACE's internal functions to be able to monitor when new modifications are executed and react accordingly. 2) Linux kernel has bugs in FTRACE code. The LKRG may highlight them. 3) We are introducing 'p_state_init' variable to track when full LKRG's initialization is complete.
2020-11-02 03:40:46 +01:00
#if defined(CONFIG_FUNCTION_TRACER)
struct ftrace_rec_iter *(*p_ftrace_rec_iter_start)(void);
struct ftrace_rec_iter *(*p_ftrace_rec_iter_next)(struct ftrace_rec_iter *iter);
struct dyn_ftrace *(*p_ftrace_rec_iter_record)(struct ftrace_rec_iter *iter);
struct mutex *p_ftrace_lock;
#endif
Add dependency on CONFIG_OPTPROBES If CONFIG_OPTPROBES is not enabled, don't try to sync with kprobe optimizer
2021-02-07 02:33:03 +01:00
#if defined(CONFIG_OPTPROBES)
Add synchronization with kprobe optimizer On the aggressively optimized kernels it is possible that kprobe optimizer won't be fast enough to do the job before LKRG creates own database. This is problematic because LKRG might snapshot hash of the kernel's .text section with non-optimized own hooks. As soon as the kprobe optimizer finishes the job, previously snapshoted hash won't be correct and LKRG will detect this inconsistency. To be able to correctly solve this unusual corner case problem, LKRG can wait for kprobe optimizer before creating database.
2021-01-19 02:00:42 +01:00
void (*p_wait_for_kprobe_optimizer)(void);
Add dependency on CONFIG_OPTPROBES If CONFIG_OPTPROBES is not enabled, don't try to sync with kprobe optimizer
2021-02-07 02:33:03 +01:00
#endif
Move copy of THIS_MODULE to RO page. Fix the problem of 'block_modules' as being a parameter.
2020-03-12 05:21:21 +01:00
struct module *p_find_me;
Add FTRACE support 1) We are hooking into FTRACE's internal functions to be able to monitor when new modifications are executed and react accordingly. 2) Linux kernel has bugs in FTRACE code. The LKRG may highlight them. 3) We are introducing 'p_state_init' variable to track when full LKRG's initialization is complete.
2020-11-02 03:40:46 +01:00
unsigned int p_state_init;
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
} p_lkrg_global_syms;
Introduce LKRG_P_MODULE_ADDRESS and LKRG_P_MODULE_TEXT_ADDRESS. No functional change, just simplify the code.
2021-07-20 14:35:12 +02:00
#ifdef P_LKRG_UNEXPORTED_MODULE_ADDRESS
Unify kernel symbol lookups through introduction of a macro
2022-07-09 21:54:08 +02:00
#define LKRG_P_MODULE_ADDRESS(p_addr) P_SYM(p___module_address)(p_addr)
#define LKRG_P_MODULE_TEXT_ADDRESS(p_addr) P_SYM(p___module_text_address)(p_addr)
Introduce LKRG_P_MODULE_ADDRESS and LKRG_P_MODULE_TEXT_ADDRESS. No functional change, just simplify the code.
2021-07-20 14:35:12 +02:00
#else
#define LKRG_P_MODULE_ADDRESS(p_addr) __module_address(p_addr)
#define LKRG_P_MODULE_TEXT_ADDRESS(p_addr) __module_text_address(p_addr)
#endif
This is a huge change. We completely rewrote communication channel and added a lot of new configuration options. Summary: 1) Introduce 'kint_validate' to control kernel/system integrity logic: 0 - disabled 1 - validation is performed only when manually triggered 3 - validation is performed periodically by timer interrupt and on random events 2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails: 0 - log & accept corruption 1 - log only (for SELinux and CR0.WP violation log & restore original values) 2 - panic() - kill the kernel 3) Introduce 'pint_validate' to control tasks validation logic: 0 - disabled 1 - validate only currently running tasks 2 - validate only currently running tasks + task which changes state to RUNNING 3 - validate all tasks in the system (paranoid mode) 4) Introduce 'pint_enforce' to control how LKRG reacts when task validation fails: 0 - log & accept corruption 1 - kill corrupted task 2 - panic() - kill the kernel 5) Introduce 'smep_validate' to control if SMEP validation will be performed 0 - disable SMEP validation 1 - enable SMEP validation 6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails: 0 - log & accept 1 - log & restore 2 - panic() - kill the kernel 7) Introduce 'umh_validate' to control if UMH validation will be performed 0 - disable UMH validation 1 - allow only whitelited binaries to execute via UMH 2 - completely block UMH 8) Introduce 'smep_enforce' to control how LKRG reacts when UMH validation fails: 0 - log only 1 - prevent execution 2 - panic() - kill the kernel 9) Introduce 'pcfi_validate' to control if pCFI validation will be performed 0 - disabled 1 - no stackwalk (weak pCFI) 2 - fully enabled 10) Introduce 'pcfi_enforce' to control how LKRG reacts when pCFI validation fails: 0 - log only 1 - kill corrupted task 2 - panic() - kill the kernel 11) Rename 'timestamp' to 'interval' 12) Rename 'force_run' to 'trigger' 13) Rename 'clean_message' to 'heartbeat' 14) Rename 'msr_enforce' to 'msr_validate' 15) Option 'hide' stays the same 16) Option 'log_level' stays the same 17) Option 'block_modules' stays the same
2020-04-25 19:41:52 +02:00
typedef struct _p_lkrg_critical_variables {
Change SMEP enforcement/validation logic
2020-05-03 20:47:44 +02:00
unsigned long p_dummy1;
This is a huge change. We completely rewrote communication channel and added a lot of new configuration options. Summary: 1) Introduce 'kint_validate' to control kernel/system integrity logic: 0 - disabled 1 - validation is performed only when manually triggered 3 - validation is performed periodically by timer interrupt and on random events 2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails: 0 - log & accept corruption 1 - log only (for SELinux and CR0.WP violation log & restore original values) 2 - panic() - kill the kernel 3) Introduce 'pint_validate' to control tasks validation logic: 0 - disabled 1 - validate only currently running tasks 2 - validate only currently running tasks + task which changes state to RUNNING 3 - validate all tasks in the system (paranoid mode) 4) Introduce 'pint_enforce' to control how LKRG reacts when task validation fails: 0 - log & accept corruption 1 - kill corrupted task 2 - panic() - kill the kernel 5) Introduce 'smep_validate' to control if SMEP validation will be performed 0 - disable SMEP validation 1 - enable SMEP validation 6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails: 0 - log & accept 1 - log & restore 2 - panic() - kill the kernel 7) Introduce 'umh_validate' to control if UMH validation will be performed 0 - disable UMH validation 1 - allow only whitelited binaries to execute via UMH 2 - completely block UMH 8) Introduce 'smep_enforce' to control how LKRG reacts when UMH validation fails: 0 - log only 1 - prevent execution 2 - panic() - kill the kernel 9) Introduce 'pcfi_validate' to control if pCFI validation will be performed 0 - disabled 1 - no stackwalk (weak pCFI) 2 - fully enabled 10) Introduce 'pcfi_enforce' to control how LKRG reacts when pCFI validation fails: 0 - log only 1 - kill corrupted task 2 - panic() - kill the kernel 11) Rename 'timestamp' to 'interval' 12) Rename 'force_run' to 'trigger' 13) Rename 'clean_message' to 'heartbeat' 14) Rename 'msr_enforce' to 'msr_validate' 15) Option 'hide' stays the same 16) Option 'log_level' stays the same 17) Option 'block_modules' stays the same
2020-04-25 19:41:52 +02:00
} p_lkrg_critical_var;
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
typedef struct _p2_lkrg_global_ctrl_structure {
p_lkrg_global_conf_struct ctrl;
p_lkrg_global_syms syms;
This is a huge change. We completely rewrote communication channel and added a lot of new configuration options. Summary: 1) Introduce 'kint_validate' to control kernel/system integrity logic: 0 - disabled 1 - validation is performed only when manually triggered 3 - validation is performed periodically by timer interrupt and on random events 2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails: 0 - log & accept corruption 1 - log only (for SELinux and CR0.WP violation log & restore original values) 2 - panic() - kill the kernel 3) Introduce 'pint_validate' to control tasks validation logic: 0 - disabled 1 - validate only currently running tasks 2 - validate only currently running tasks + task which changes state to RUNNING 3 - validate all tasks in the system (paranoid mode) 4) Introduce 'pint_enforce' to control how LKRG reacts when task validation fails: 0 - log & accept corruption 1 - kill corrupted task 2 - panic() - kill the kernel 5) Introduce 'smep_validate' to control if SMEP validation will be performed 0 - disable SMEP validation 1 - enable SMEP validation 6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails: 0 - log & accept 1 - log & restore 2 - panic() - kill the kernel 7) Introduce 'umh_validate' to control if UMH validation will be performed 0 - disable UMH validation 1 - allow only whitelited binaries to execute via UMH 2 - completely block UMH 8) Introduce 'smep_enforce' to control how LKRG reacts when UMH validation fails: 0 - log only 1 - prevent execution 2 - panic() - kill the kernel 9) Introduce 'pcfi_validate' to control if pCFI validation will be performed 0 - disabled 1 - no stackwalk (weak pCFI) 2 - fully enabled 10) Introduce 'pcfi_enforce' to control how LKRG reacts when pCFI validation fails: 0 - log only 1 - kill corrupted task 2 - panic() - kill the kernel 11) Rename 'timestamp' to 'interval' 12) Rename 'force_run' to 'trigger' 13) Rename 'clean_message' to 'heartbeat' 14) Rename 'msr_enforce' to 'msr_validate' 15) Option 'hide' stays the same 16) Option 'log_level' stays the same 17) Option 'block_modules' stays the same
2020-04-25 19:41:52 +02:00
p_lkrg_critical_var var;
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
} p_lkrg_global_ctrl_struct __attribute__((aligned(PAGE_SIZE)));
typedef struct _p_lkrg_ro_page {
Introduce a new compilation macro - P_KERNEL_AGGRESSIVE_INLINING Some custom compilation of the kernel might aggresively inline critical functions (from LKRG perspective). That's problematic for the project. However, some of the problems *might* be solved by uncommenting this new definition (P_KERNEL_AGGRESSIVE_INLINING). Unfortunately, not all of the problems can be solved by it (at least no for now). You need to experiment. This can be useful to address issues like #40
2021-02-07 02:15:42 +01:00
#if !defined(CONFIG_ARM) && (!defined(P_KERNEL_AGGRESSIVE_INLINING) && defined(CONFIG_X86))
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
unsigned long p_marker_np1 __attribute__((aligned(PAGE_SIZE)));
#endif
p_lkrg_global_ctrl_struct p_lkrg_global_ctrl;
Introduce a new compilation macro - P_KERNEL_AGGRESSIVE_INLINING Some custom compilation of the kernel might aggresively inline critical functions (from LKRG perspective). That's problematic for the project. However, some of the problems *might* be solved by uncommenting this new definition (P_KERNEL_AGGRESSIVE_INLINING). Unfortunately, not all of the problems can be solved by it (at least no for now). You need to experiment. This can be useful to address issues like #40
2021-02-07 02:15:42 +01:00
#if !defined(CONFIG_ARM) && (!defined(P_KERNEL_AGGRESSIVE_INLINING) && defined(CONFIG_X86))
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
unsigned long p_marker_np2 __attribute__((aligned(PAGE_SIZE)));
unsigned long p_marker_np3 __attribute__((aligned(PAGE_SIZE)));
#endif
} p_ro_page;
extern p_ro_page p_ro;
This is a huge change. We completely rewrote communication channel and added a lot of new configuration options. Summary: 1) Introduce 'kint_validate' to control kernel/system integrity logic: 0 - disabled 1 - validation is performed only when manually triggered 3 - validation is performed periodically by timer interrupt and on random events 2) Introduce 'kint_enforce' to control how LKRG reacts when kernel/system integrity fails: 0 - log & accept corruption 1 - log only (for SELinux and CR0.WP violation log & restore original values) 2 - panic() - kill the kernel 3) Introduce 'pint_validate' to control tasks validation logic: 0 - disabled 1 - validate only currently running tasks 2 - validate only currently running tasks + task which changes state to RUNNING 3 - validate all tasks in the system (paranoid mode) 4) Introduce 'pint_enforce' to control how LKRG reacts when task validation fails: 0 - log & accept corruption 1 - kill corrupted task 2 - panic() - kill the kernel 5) Introduce 'smep_validate' to control if SMEP validation will be performed 0 - disable SMEP validation 1 - enable SMEP validation 6) Introduce 'smep_enforce' to control how LKRG reacts when SMEP validation fails: 0 - log & accept 1 - log & restore 2 - panic() - kill the kernel 7) Introduce 'umh_validate' to control if UMH validation will be performed 0 - disable UMH validation 1 - allow only whitelited binaries to execute via UMH 2 - completely block UMH 8) Introduce 'smep_enforce' to control how LKRG reacts when UMH validation fails: 0 - log only 1 - prevent execution 2 - panic() - kill the kernel 9) Introduce 'pcfi_validate' to control if pCFI validation will be performed 0 - disabled 1 - no stackwalk (weak pCFI) 2 - fully enabled 10) Introduce 'pcfi_enforce' to control how LKRG reacts when pCFI validation fails: 0 - log only 1 - kill corrupted task 2 - panic() - kill the kernel 11) Rename 'timestamp' to 'interval' 12) Rename 'force_run' to 'trigger' 13) Rename 'clean_message' to 'heartbeat' 14) Rename 'msr_enforce' to 'msr_validate' 15) Option 'hide' stays the same 16) Option 'log_level' stays the same 17) Option 'block_modules' stays the same
2020-04-25 19:41:52 +02:00
#define P_VAR(p_field) p_ro.p_lkrg_global_ctrl.var.p_field
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
#define P_SYM(p_field) p_ro.p_lkrg_global_ctrl.syms.p_field
Introduce a P_CTRL macro for referencing control structure in RO-page
2019-12-21 00:52:06 +01:00
#define P_CTRL(p_field) p_ro.p_lkrg_global_ctrl.ctrl.p_field
#define P_CTRL_ADDR &p_ro.p_lkrg_global_ctrl
This is a pretty big change in LKRG: [1] Introducing a RO-page which keeps the most-critical internal structures [2] Moving internal control structure (configurable via sysctl interface) to the RO-page [3] Introducing a new structure which keeps all dynamically resolved pointers [4] Moving a new structure with dynamic pointers to the RO-page [5] Refactoring the entire code to be compatible with the new design [6] Adding appropriate messages when a new sysctl option is put in place [7] A few more minor changes
2019-12-20 21:43:48 +01:00
Simplify the use of P_SYM_INIT()
2023-05-18 10:19:01 +02:00
#define P_SYM_INIT(sym) \
if (!(P_SYM(p_ ## sym) = (typeof(P_SYM(p_ ## sym)))P_SYM(p_kallsyms_lookup_name)(#sym))) { \
Logging: Revise, unify, and reduce duplication of logging and responses Use macros, move logging and enforcement responses from callers into called functions, remove where it was duplicate. Unify our log and kernel panic messages.
2022-07-09 21:57:29 +02:00
p_print_log(P_LOG_FATAL, "Can't find '" #sym "'"); \
Unify kernel symbol lookups through introduction of a macro
2022-07-09 21:54:08 +02:00
goto p_sym_error; \
}
Change SELinux-type lock to be global LKRG-counter lock This type of locking idea is useful in other situations as well
2020-10-26 00:54:19 +01:00
/*
* LKRG counter lock
*/
typedef struct p_lkrg_counter_lock {
atomic_t p_counter;
spinlock_t p_lock;
} p_lkrg_counter_lock;
/* Counter lock API */
static inline void p_lkrg_counter_lock_init(p_lkrg_counter_lock *p_arg) {
spin_lock_init(&p_arg->p_lock);
smp_mb();
atomic_set(&p_arg->p_counter, 0);
smp_mb();
}
Add LKRG's counter lock around *JUMP_LABEL engine 1) This is necessary for future FTRACE support. FTRACE is not fully synchronized with JUMP_LABEL (which I think is a buggy logic in the kernel). However, we can manually add such logic. The way how text_mutex is used by both subsystems makes it prone to deadlock if 3rd system wants to sync with both of them. 2) New lock efnorces changes in p_text_section_(un)lock API which we do in the same commit 3) Introduce new LKRG's counter lock API - trylock 4) Add a few minor changes: - notrace attribute (probably, we need to add such attributes to majority of our functions) - add information about module name in case of KMOD notifier activity
2020-10-30 19:34:53 +01:00
static inline unsigned long p_lkrg_counter_lock_trylock(p_lkrg_counter_lock *p_arg, unsigned long *p_flags) {
local_irq_save(*p_flags);
if (!spin_trylock(&p_arg->p_lock)) {
local_irq_restore(*p_flags);
return 0;
}
return 1;
}
Change SELinux-type lock to be global LKRG-counter lock This type of locking idea is useful in other situations as well
2020-10-26 00:54:19 +01:00
static inline void p_lkrg_counter_lock_lock(p_lkrg_counter_lock *p_arg, unsigned long *p_flags) {
spin_lock_irqsave(&p_arg->p_lock, *p_flags);
}
static inline void p_lkrg_counter_lock_unlock(p_lkrg_counter_lock *p_arg, unsigned long *p_flags) {
spin_unlock_irqrestore(&p_arg->p_lock, *p_flags);
}
static inline void p_lkrg_counter_lock_val_inc(p_lkrg_counter_lock *p_arg) {
smp_mb();
atomic_inc(&p_arg->p_counter);
smp_mb();
}
static inline void p_lkrg_counter_lock_val_dec(p_lkrg_counter_lock *p_arg) {
smp_mb();
atomic_dec(&p_arg->p_counter);
smp_mb();
}
static inline int p_lkrg_counter_lock_val_read(p_lkrg_counter_lock *p_arg) {
register int p_ret;
smp_mb();
p_ret = atomic_read(&p_arg->p_counter);
smp_mb();
return p_ret;
}
/* End */
Initial LKRG-main
2017-10-27 07:29:49 +02:00
/*
Rename the module from p_lkrg to lkrg
2022-07-18 20:54:33 +02:00
* LKRG modules
Initial LKRG-main
2017-10-27 07:29:49 +02:00
*/
#include "modules/print_log/p_lkrg_print_log.h" // printing, error and debug module
Replace SuperFastHash algorithm with SipHash
2017-12-21 05:45:46 +01:00
#include "modules/hashing/p_lkrg_fast_hash.h" // Hashing module
Initial LKRG-main
2017-10-27 07:29:49 +02:00
#include "modules/ksyms/p_resolve_ksym.h" // Resolver module
#include "modules/database/p_database.h" // Database module
#include "modules/integrity_timer/p_integrity_timer.h" // Integrity timer module
#include "modules/kmod/p_kmod.h" // Kernel's modules module
#include "modules/notifiers/p_notifiers.h" // Notifiers module
#include "modules/self-defense/hiding/p_hiding.h" // Hiding module
Enforce verification during internal RO-page modification When we 'open' our internal RO-page for modification we should verify if integrity of the system is fine. Add verification during this operation.
2020-12-21 21:34:05 +01:00
#include "modules/exploit_detection/p_exploit_detection.h" // Exploit Detection
Initial LKRG-main
2017-10-27 07:29:49 +02:00
#include "modules/wrap/p_struct_wrap.h" // Wrapping module
#include "modules/comm_channel/p_comm_channel.h" // Communication channel (sysctl) module
Support kernel 4.13+
2017-11-13 00:43:10 +01:00
#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 13, 0)
#define __GFP_REPEAT ((__force gfp_t)___GFP_RETRY_MAYFAIL)
#endif
Initial LKRG-main
2017-10-27 07:29:49 +02:00
Add verification whether specific CONFIG_* options are enabled
2020-06-04 18:32:43 +02:00
#if !defined(CONFIG_KPROBES)
#error "LKRG requires CONFIG_KPROBES"
#elif !defined(CONFIG_HAVE_KRETPROBES)
Cleanup commit
2020-06-19 19:20:39 +02:00
#error "CONFIG_KPROBES is enabled, however CONFIG_HAVE_KRETPROBES is not found. LKRG requires both."
Add verification whether specific CONFIG_* options are enabled
2020-06-04 18:32:43 +02:00
#endif
#if !defined(CONFIG_MODULE_UNLOAD)
#error "LKRG requires CONFIG_MODULE_UNLOAD"
#endif
#if !defined(CONFIG_KALLSYMS_ALL)
#error "LKRG requires CONFIG_KALLSYMS_ALL"
#endif
#if !defined(CONFIG_JUMP_LABEL)
No longer ask people to contact us for no-CONFIG_JUMP_LABEL support
2020-07-08 16:36:28 +02:00
#error "LKRG requires CONFIG_JUMP_LABEL"
Add verification whether specific CONFIG_* options are enabled
2020-06-04 18:32:43 +02:00
#endif
#if !defined(CONFIG_STACKTRACE)
Cleanup commit
2020-06-19 19:20:39 +02:00
/*
* A #warning in this header file would be printed too many times during build,
* so let's only do that for something truly important, which the below is not.
*/
// #warning "LKRG does NOT require CONFIG_STACKTRACE. However, in case of pCFI violation, LKRG won't be able to dump full stack-trace."
Add verification whether specific CONFIG_* options are enabled
2020-06-04 18:32:43 +02:00
#endif
Initial LKRG-main
2017-10-27 07:29:49 +02:00
Do not support RT kernels We do not want to support RT kernels (at least not for now). RT kernels are commonly used in medical and similar devices, where reliability is crucial. It is safer to to not support RT kernels in LKRG for now. For more information please read entire discussion at #40.
2021-02-16 06:06:26 +01:00
#if defined(CONFIG_PREEMPT_RT)
#error "LKRG does not support RT kernels (PREEMPT_RT is enabled)"
#endif
Correctly handle CONFIG_TRIM_UNUSED_KSYMS option LKRG requires CONFIG_TRIM_UNUSED_KSYMS to be disabled if it should be built as an out-of-tree kernel module. Otherwise, it can be enabled.
2021-04-19 01:45:40 +02:00
#if defined(CONFIG_TRIM_UNUSED_KSYMS) && !defined(CONFIG_SECURITY_LKRG)
#error "LKRG requires CONFIG_TRIM_UNUSED_KSYMS to be disabled if it should be built as an out-of-tree kernel module"
#endif
Initial LKRG-main
2017-10-27 07:29:49 +02:00
#endif
Reference in a new issue Copy permalink