[ED] Replace 'umh_lock' sysctl interface with 'enforce_umh'. New interface has 3 possible states:

lkrg.enforce_umh: 0 - Disable protection 1 - Whitelist UMH paths (default) 2 - Completely block UMH
2023-12-13 21:30:29 +01:00 · 2020-01-25 22:07:34 +00:00 · 2020-01-25 22:07:34 +00:00 · 347d13e9b8
commit 347d13e9b8
parent ef9ac30776
4 changed files with 26 additions and 24 deletions
--- a/src/modules/comm_channel/p_comm_channel.c
+++ b/src/modules/comm_channel/p_comm_channel.c
@ -51,8 +51,8 @@ static int p_smep_panic_min = 0x0;
 static int p_smep_panic_max = 0x1;
 #endif

-static int p_umh_lock_min = 0x0;
-static int p_umh_lock_max = 0x1;
+static int p_enforce_umh_min = 0x0;
+static int p_enforce_umh_max = 0x2;

 /* Enforce MSR validation */
 static int p_enforce_msr_min = 0x0;
@ -84,8 +84,8 @@ static int p_sysctl_ci_panic(struct ctl_table *p_table, int p_write,
 static int p_sysctl_smep_panic(struct ctl_table *p_table, int p_write,
                               void __user *p_buffer, size_t *p_len, loff_t *p_pos);
 #endif
-static int p_sysctl_umh_lock(struct ctl_table *p_table, int p_write,
-                             void __user *p_buffer, size_t *p_len, loff_t *p_pos);
+static int p_sysctl_enforce_umh(struct ctl_table *p_table, int p_write,
+                                void __user *p_buffer, size_t *p_len, loff_t *p_pos);
 static int p_sysctl_enforce_msr(struct ctl_table *p_table, int p_write,
                                void __user *p_buffer, size_t *p_len, loff_t *p_pos);
 static int p_sysctl_enforce_pcfi(struct ctl_table *p_table, int p_write,
@ -189,13 +189,13 @@ struct ctl_table p_lkrg_sysctl_table[] = {
   },
 #endif
   {
-      .procname       = "umh_lock",
-      .data           = &P_CTRL(p_umh_lock),
+      .procname       = "enforce_umh",
+      .data           = &P_CTRL(p_enforce_umh),
      .maxlen         = sizeof(unsigned int),
      .mode           = 0600,
-      .proc_handler   = p_sysctl_umh_lock,
-      .extra1         = &p_umh_lock_min,
-      .extra2         = &p_umh_lock_max,
+      .proc_handler   = p_sysctl_enforce_umh,
+      .extra1         = &p_enforce_umh_min,
+      .extra2         = &p_enforce_umh_max,
   },
   {
      .procname       = "enforce_msr",
@ -499,32 +499,29 @@ static int p_sysctl_smep_panic(struct ctl_table *p_table, int p_write,
 }
 #endif

-static int p_sysctl_umh_lock(struct ctl_table *p_table, int p_write,
+static int p_sysctl_enforce_umh(struct ctl_table *p_table, int p_write,
                             void __user *p_buffer, size_t *p_len, loff_t *p_pos) {

   int p_ret;
-   unsigned int p_tmp;
+   char *p_umh_strings[] = { "Disable protection",
+                             "Whitelist UMH paths",
+                             "Completely block UMH" };

 // STRONG_DEBUG
   p_debug_log(P_LKRG_STRONG_DBG,
-          "Entering function <p_sysctl_umh_lock>\n");
+          "Entering function <p_sysctl_enforce_umh>\n");

-   p_tmp = P_CTRL(p_umh_lock);
   p_lkrg_open_rw();
   if ( (p_ret = proc_dointvec_minmax(p_table, p_write, p_buffer, p_len, p_pos)) == 0 && p_write) {
-      if (P_CTRL(p_umh_lock) && !p_tmp) {
-         p_print_log(P_LKRG_CRIT,
-                     "Enabling complete lock-down of UMH interface.\n");
-      } else if (p_tmp && !P_CTRL(p_umh_lock)) {
-         p_print_log(P_LKRG_CRIT,
-                     "Disabling complete lock-down of UMH interface.\n");
-      }
+      p_print_log(P_LKRG_CRIT, "[ED] New UMH configuration => %d (%s)\n",
+                  P_CTRL(p_enforce_umh),
+                  p_umh_strings[P_CTRL(p_enforce_umh)]);
   }
   p_lkrg_close_rw();

 // STRONG_DEBUG
   p_debug_log(P_LKRG_STRONG_DBG,
-          "Leaving function <p_sysctl_umh_lock>\n");
+          "Leaving function <p_sysctl_enforce_umh>\n");

   return p_ret;
 }
--- a/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
+++ b/src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.c
@ -88,8 +88,11 @@ int p_call_usermodehelper_entry(struct kretprobe_instance *p_ri, struct pt_regs

   p_ed_enforce_validation();

-   if (P_CTRL(p_umh_lock))
+   if (!P_CTRL(p_enforce_umh)) {
+      goto p_call_usermodehelper_entry_out;
+   } else if (P_CTRL(p_enforce_umh) == 0x2) {
      goto p_call_usermodehelper_entry_not_allowed;
+   }

   spin_lock_irqsave(&p_rb_ed_pids_lock, p_flags);
   if ( (p_tmp = p_rb_find_ed_pid(&p_global_ed_pids_root, task_pid_nr(current))) != NULL) {
@ -135,6 +138,8 @@ p_call_usermodehelper_entry_not_allowed:
 #endif
   }

+p_call_usermodehelper_entry_out:
+
   p_debug_kprobe_log(
          "Leaving function <p_call_usermodehelper_entry>\n");

--- a/src/p_lkrg_main.c
+++ b/src/p_lkrg_main.c
@ -41,7 +41,7 @@ p_ro_page p_ro __p_lkrg_read_only = {
 #if defined(CONFIG_X86)
      .p_smep_panic = 0,                  // smep_panic
 #endif
-      .p_umh_lock = 0,                    // umh_lock
+      .p_enforce_umh = 1,                 // enforce_umh
      .p_enforce_msr = 1,                 // enforce_msr
      .p_enforce_pcfi = P_PCFI_ENABLED    // enforce_pcfi
   },
--- a/src/p_lkrg_main.h
+++ b/src/p_lkrg_main.h
@ -90,7 +90,7 @@ typedef struct _p_lkrg_global_conf_structure {
 #ifdef CONFIG_X86
   unsigned int p_smep_panic;
 #endif
-   unsigned int p_umh_lock;
+   unsigned int p_enforce_umh;
   unsigned int p_enforce_msr;
   unsigned int p_enforce_pcfi;