mirror of
https://github.com/openwall/lkrg.git
synced 2023-12-13 21:30:29 +01:00
ptrace: replace ptrace kprobes with security_ptrace_access_check
parent
ca8237ed22
commit
645983fbf6
12 changed files with 104 additions and 378 deletions
4
Makefile
4
Makefile
|
@ -70,18 +70,16 @@ p_lkrg-objs += src/modules/ksyms/p_resolve_ksym.o \
|
|||
src/modules/exploit_detection/syscalls/keyring/p_sys_add_key/p_sys_add_key.o \
|
||||
src/modules/exploit_detection/syscalls/keyring/p_sys_request_key/p_sys_request_key.o \
|
||||
src/modules/exploit_detection/syscalls/keyring/p_sys_keyctl/p_sys_keyctl.o \
|
||||
src/modules/exploit_detection/syscalls/p_sys_ptrace/p_sys_ptrace.o \
|
||||
src/modules/exploit_detection/syscalls/p_security_ptrace_access/p_security_ptrace_access.o \
|
||||
src/modules/exploit_detection/syscalls/compat/p_compat_sys_execve/p_compat_sys_execve.o \
|
||||
src/modules/exploit_detection/syscalls/compat/p_compat_sys_execveat/p_compat_sys_execveat.o \
|
||||
src/modules/exploit_detection/syscalls/compat/p_compat_sys_keyctl/p_compat_sys_keyctl.o \
|
||||
src/modules/exploit_detection/syscalls/compat/p_compat_sys_ptrace/p_compat_sys_ptrace.o \
|
||||
src/modules/exploit_detection/syscalls/compat/p_compat_sys_capset/p_compat_sys_capset.o \
|
||||
src/modules/exploit_detection/syscalls/compat/p_compat_sys_add_key/p_compat_sys_add_key.o \
|
||||
src/modules/exploit_detection/syscalls/compat/p_compat_sys_request_key/p_compat_sys_request_key.o \
|
||||
src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.o \
|
||||
src/modules/exploit_detection/syscalls/__x32/p_x32_sys_execveat/p_x32_sys_execveat.o \
|
||||
src/modules/exploit_detection/syscalls/__x32/p_x32_sys_keyctl/p_x32_sys_keyctl.o \
|
||||
src/modules/exploit_detection/syscalls/__x32/p_x32_sys_ptrace/p_x32_sys_ptrace.o \
|
||||
src/modules/exploit_detection/syscalls/override/p_override_creds/p_override_creds.o \
|
||||
src/modules/exploit_detection/syscalls/override/p_revert_creds/p_revert_creds.o \
|
||||
src/modules/exploit_detection/syscalls/override/overlayfs/p_ovl_create_or_link/p_ovl_create_or_link.o \
|
||||
|
|
|
@ -85,6 +85,13 @@ static const struct p_functions_hooks {
|
|||
NULL,
|
||||
1
|
||||
},
|
||||
{ "security_ptrace_access",
|
||||
p_install_security_ptrace_access_hook,
|
||||
p_uninstall_security_ptrace_access_hook,
|
||||
0,
|
||||
"LKRG won't enforce validation on 'security_ptrace_access'",
|
||||
0
|
||||
},
|
||||
{ "sys_setuid",
|
||||
p_install_sys_setuid_hook,
|
||||
p_uninstall_sys_setuid_hook,
|
||||
|
@ -222,13 +229,6 @@ static const struct p_functions_hooks {
|
|||
NULL,
|
||||
0
|
||||
},
|
||||
{ "sys_ptrace",
|
||||
p_install_sys_ptrace_hook,
|
||||
p_uninstall_sys_ptrace_hook,
|
||||
0,
|
||||
"LKRG won't enforce validation on 'sys_ptrace'",
|
||||
0
|
||||
},
|
||||
#ifdef CONFIG_COMPAT
|
||||
{ "compat_sys_execve",
|
||||
p_install_compat_sys_execve_hook,
|
||||
|
@ -253,13 +253,6 @@ static const struct p_functions_hooks {
|
|||
NULL,
|
||||
0
|
||||
},
|
||||
{ "compat_sys_ptrace",
|
||||
p_install_compat_sys_ptrace_hook,
|
||||
p_uninstall_compat_sys_ptrace_hook,
|
||||
0,
|
||||
"LKRG won't enforce validation on 'compat_sys_ptrace'",
|
||||
0
|
||||
},
|
||||
#ifdef P_SYSCALL_LAYOUT_4_17
|
||||
#ifdef CONFIG_X86
|
||||
{ "compat_sys_capset",
|
||||
|
@ -309,13 +302,6 @@ static const struct p_functions_hooks {
|
|||
NULL,
|
||||
0
|
||||
},
|
||||
{ "x32_sys_ptrace",
|
||||
p_install_x32_sys_ptrace_hook,
|
||||
p_uninstall_x32_sys_ptrace_hook,
|
||||
0,
|
||||
"LKRG won't enforce validation on 'x32_sys_ptrace'",
|
||||
0
|
||||
},
|
||||
#endif /* P_SYSCALL_LAYOUT_4_17 */
|
||||
#endif /* CONFIG_X86_X32 */
|
||||
{ "override_creds",
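Review bot: The entry added in the first hunk of this section logs `"LKRG won't enforce validation on 'security_ptrace_access'"`, but the symbol the new hook probes is `security_ptrace_access_check`, so the warning names something an operator cannot find in the kernel symbol list. I would word it `"LKRG won't enforce validation on 'security_ptrace_access_check'"`. The last field is `0`, which, judging from the neighbouring entries, looks like the non-fatal setting. Because this one hook replaces the native, compat and x32 ptrace probes removed in the later hunks, a failed install appears to leave ptrace with no validation point at all, which deserves a comment above the entry. The table's definition starts and ends outside the visible hunks.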
|
||||
|
|
|
@ -269,18 +269,16 @@ struct p_ed_global_variables {
|
|||
#include "syscalls/keyring/p_sys_add_key/p_sys_add_key.h"
|
||||
#include "syscalls/keyring/p_sys_request_key/p_sys_request_key.h"
|
||||
#include "syscalls/keyring/p_sys_keyctl/p_sys_keyctl.h"
|
||||
#include "syscalls/p_sys_ptrace/p_sys_ptrace.h"
|
||||
#include "syscalls/p_security_ptrace_access/p_security_ptrace_access.h"
|
||||
#include "syscalls/compat/p_compat_sys_execve/p_compat_sys_execve.h"
|
||||
#include "syscalls/compat/p_compat_sys_execveat/p_compat_sys_execveat.h"
|
||||
#include "syscalls/compat/p_compat_sys_keyctl/p_compat_sys_keyctl.h"
|
||||
#include "syscalls/compat/p_compat_sys_ptrace/p_compat_sys_ptrace.h"
|
||||
#include "syscalls/compat/p_compat_sys_capset/p_compat_sys_capset.h"
|
||||
#include "syscalls/compat/p_compat_sys_add_key/p_compat_sys_add_key.h"
|
||||
#include "syscalls/compat/p_compat_sys_request_key/p_compat_sys_request_key.h"
|
||||
#include "syscalls/__x32/p_x32_sys_execve/p_x32_sys_execve.h"
|
||||
#include "syscalls/__x32/p_x32_sys_execveat/p_x32_sys_execveat.h"
|
||||
#include "syscalls/__x32/p_x32_sys_keyctl/p_x32_sys_keyctl.h"
|
||||
#include "syscalls/__x32/p_x32_sys_ptrace/p_x32_sys_ptrace.h"
|
||||
/* Override creds */
|
||||
#include "syscalls/override/p_override_creds/p_override_creds.h"
|
||||
#include "syscalls/override/p_revert_creds/p_revert_creds.h"
|
||||
|
|
|
@ -1,81 +0,0 @@
|
|||
/*
|
||||
* pi3's Linux kernel Runtime Guard
|
||||
*
|
||||
* Component:
|
||||
* - Intercept X32 ptrace syscall
|
||||
*
|
||||
* Notes:
|
||||
* - Enforce Exploit Detection validation
|
||||
*
|
||||
* Caveats:
|
||||
* - None
|
||||
*
|
||||
* Timeline:
|
||||
* - Created: 13.VIII.2018
|
||||
*
|
||||
* Author:
|
||||
* - Adam 'pi3' Zabrocki (http://pi3.com.pl)
|
||||
*
|
||||
*/
|
||||
|
||||
#ifdef CONFIG_X86_X32
|
||||
|
||||
#include "../../../../../p_lkrg_main.h"
|
||||
|
||||
#ifdef P_SYSCALL_LAYOUT_4_17
|
||||
|
||||
|
||||
char p_x32_sys_ptrace_kretprobe_state = 0;
|
||||
|
||||
static struct kretprobe p_x32_sys_ptrace_kretprobe = {
|
||||
.kp.symbol_name = P_GET_X32_SYSCALL_NAME(ptrace),
|
||||
.handler = p_x32_sys_ptrace_ret,
|
||||
.entry_handler = p_x32_sys_ptrace_entry,
|
||||
.data_size = sizeof(struct p_x32_sys_ptrace_data),
|
||||
/* Probe up to 40 instances concurrently. */
|
||||
.maxactive = 40,
|
||||
};
|
||||
|
||||
/*
|
||||
* x86-64 syscall ABI:
|
||||
* *rax - syscall_number
|
||||
* rdi - 1st argument
|
||||
* rsi - 2nd argument
|
||||
* rdx - 3rd argument
|
||||
* rcx - 4th argument
|
||||
*
|
||||
* r8 - 5th one
|
||||
* r9 - 6th one
|
||||
*/
|
||||
|
||||
int p_x32_sys_ptrace_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
|
||||
|
||||
struct p_ed_process *p_tmp;
|
||||
unsigned long p_flags;
|
||||
|
||||
p_tasks_read_lock(&p_flags);
|
||||
if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(current))) != NULL) {
|
||||
// This process is on the ED list - validate 'off' flag
|
||||
p_ed_is_off_off_wrap(p_tmp);
|
||||
}
|
||||
p_tasks_read_unlock(&p_flags);
|
||||
|
||||
p_ed_enforce_validation();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int p_x32_sys_ptrace_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
|
||||
|
||||
// p_ed_enforce_validation();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
GENERATE_INSTALL_FUNC(x32_sys_ptrace)
|
||||
|
||||
#endif
|
||||
|
||||
#endif
|
|
@ -1,43 +0,0 @@
|
|||
/*
|
||||
* pi3's Linux kernel Runtime Guard
|
||||
*
|
||||
* Component:
|
||||
* - Intercept X32 ptrace syscall
|
||||
*
|
||||
* Notes:
|
||||
* - Enforce Exploit Detection validation
|
||||
*
|
||||
* Caveats:
|
||||
* - None
|
||||
*
|
||||
* Timeline:
|
||||
* - Created: 13.VIII.2018
|
||||
*
|
||||
* Author:
|
||||
* - Adam 'pi3' Zabrocki (http://pi3.com.pl)
|
||||
*
|
||||
*/
|
||||
|
||||
#ifdef CONFIG_X86_X32
|
||||
|
||||
#ifdef P_SYSCALL_LAYOUT_4_17
|
||||
|
||||
#ifndef P_LKRG_EXPLOIT_DETECTION_X32_SYS_PTRACE_H
|
||||
#define P_LKRG_EXPLOIT_DETECTION_X32_SYS_PTRACE_H
|
||||
|
||||
/* per-instance private data */
|
||||
struct p_x32_sys_ptrace_data {
|
||||
ktime_t entry_stamp;
|
||||
};
|
||||
|
||||
|
||||
int p_x32_sys_ptrace_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
|
||||
int p_x32_sys_ptrace_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
|
||||
int p_install_x32_sys_ptrace_hook(int p_isra);
|
||||
void p_uninstall_x32_sys_ptrace_hook(void);
|
||||
|
||||
#endif
|
||||
|
||||
#endif
|
||||
|
||||
#endif
|
|
@ -1,77 +0,0 @@
|
|||
/*
|
||||
* pi3's Linux kernel Runtime Guard
|
||||
*
|
||||
* Component:
|
||||
* - Intercept compat_ptrace syscall
|
||||
*
|
||||
* Notes:
|
||||
* - Enforce Exploit Detection validation
|
||||
*
|
||||
* Caveats:
|
||||
* - None
|
||||
*
|
||||
* Timeline:
|
||||
* - Created: 31.I.2018
|
||||
*
|
||||
* Author:
|
||||
* - Adam 'pi3' Zabrocki (http://pi3.com.pl)
|
||||
*
|
||||
*/
|
||||
|
||||
#ifdef CONFIG_COMPAT
|
||||
|
||||
#include "../../../../../p_lkrg_main.h"
|
||||
|
||||
|
||||
char p_compat_sys_ptrace_kretprobe_state = 0;
|
||||
|
||||
static struct kretprobe p_compat_sys_ptrace_kretprobe = {
|
||||
.kp.symbol_name = P_GET_COMPAT_SYSCALL_NAME(ptrace),
|
||||
.handler = p_compat_sys_ptrace_ret,
|
||||
.entry_handler = p_compat_sys_ptrace_entry,
|
||||
.data_size = sizeof(struct p_compat_sys_ptrace_data),
|
||||
/* Probe up to 40 instances concurrently. */
|
||||
.maxactive = 40,
|
||||
};
|
||||
|
||||
/*
|
||||
* x86-64 syscall ABI:
|
||||
* *rax - syscall_number
|
||||
* rdi - 1st argument
|
||||
* rsi - 2nd argument
|
||||
* rdx - 3rd argument
|
||||
* rcx - 4th argument
|
||||
*
|
||||
* r8 - 5th one
|
||||
* r9 - 6th one
|
||||
*/
|
||||
|
||||
int p_compat_sys_ptrace_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
|
||||
|
||||
struct p_ed_process *p_tmp;
|
||||
unsigned long p_flags;
|
||||
|
||||
p_tasks_read_lock(&p_flags);
|
||||
if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(current))) != NULL) {
|
||||
// This process is on the ED list - validate 'off' flag
|
||||
p_ed_is_off_off_wrap(p_tmp);
|
||||
}
|
||||
p_tasks_read_unlock(&p_flags);
|
||||
|
||||
p_ed_enforce_validation();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int p_compat_sys_ptrace_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
|
||||
|
||||
// p_ed_enforce_validation();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
GENERATE_INSTALL_FUNC(compat_sys_ptrace)
|
||||
|
||||
#endif
|
|
@ -1,39 +0,0 @@
|
|||
/*
|
||||
* pi3's Linux kernel Runtime Guard
|
||||
*
|
||||
* Component:
|
||||
* - Intercept compat_ptrace syscall
|
||||
*
|
||||
* Notes:
|
||||
* - Enforce Exploit Detection validation
|
||||
*
|
||||
* Caveats:
|
||||
* - None
|
||||
*
|
||||
* Timeline:
|
||||
* - Created: 31.I.2018
|
||||
*
|
||||
* Author:
|
||||
* - Adam 'pi3' Zabrocki (http://pi3.com.pl)
|
||||
*
|
||||
*/
|
||||
|
||||
#ifdef CONFIG_COMPAT
|
||||
|
||||
#ifndef P_LKRG_EXPLOIT_DETECTION_COMPAT_SYS_PTRACE_H
|
||||
#define P_LKRG_EXPLOIT_DETECTION_COMPAT_SYS_PTRACE_H
|
||||
|
||||
/* per-instance private data */
|
||||
struct p_compat_sys_ptrace_data {
|
||||
ktime_t entry_stamp;
|
||||
};
|
||||
|
||||
|
||||
int p_compat_sys_ptrace_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
|
||||
int p_compat_sys_ptrace_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
|
||||
int p_install_compat_sys_ptrace_hook(int p_isra);
|
||||
void p_uninstall_compat_sys_ptrace_hook(void);
|
||||
|
||||
#endif
|
||||
|
||||
#endif
|
|
@ -0,0 +1,61 @@
|
|||
/*
|
||||
* pi3's Linux kernel Runtime Guard
|
||||
*
|
||||
* Component:
|
||||
* - Intercept ptrace syscall
|
||||
*
|
||||
* Notes:
|
||||
* - Enforce Exploit Detection validation
|
||||
*
|
||||
* Caveats:
|
||||
* - None
|
||||
*
|
||||
* Timeline:
|
||||
* - Created: 5.XI.2020
|
||||
*
|
||||
* Author:
|
||||
* - Mariusz Zaborski (https://oshogbo.vexillium.org/)
|
||||
*
|
||||
*/
|
||||
|
||||
#include "../../../../p_lkrg_main.h"
|
||||
|
||||
|
||||
char p_security_ptrace_access_kretprobe_state = 0;
|
||||
|
||||
static struct kretprobe p_security_ptrace_access_kretprobe = {
|
||||
.kp.symbol_name = "security_ptrace_access_check",
|
||||
.handler = p_security_ptrace_access_ret,
|
||||
.entry_handler = p_security_ptrace_access_entry,
|
||||
.data_size = sizeof(struct p_security_ptrace_access_data),
|
||||
/* Probe up to 40 instances concurrently. */
|
||||
.maxactive = 40,
|
||||
};
|
||||
|
||||
int p_security_ptrace_access_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
|
||||
|
||||
struct p_ed_process *p_tmp;
|
||||
unsigned long p_flags;
|
||||
|
||||
p_tasks_read_lock(&p_flags);
|
||||
if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(current))) != NULL) {
|
||||
// This process is on the ED list - validate 'off' flag
|
||||
p_ed_is_off_off_wrap(p_tmp);
|
||||
}
|
||||
p_tasks_read_unlock(&p_flags);
|
||||
|
||||
p_ed_enforce_validation();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int p_security_ptrace_access_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
|
||||
|
||||
// p_ed_enforce_validation();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
GENERATE_INSTALL_FUNC(security_ptrace_access)
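Review bot: The file header still says `Intercept ptrace syscall` and `Caveats: - None`, but the probe sits on `security_ptrace_access_check`, which is not the syscall entry. As far as I know from the upstream kernel, that LSM hook is reached through the ptrace access-mode check (attach-style requests and other ptrace_may_access callers such as some /proc reads), while PTRACE_TRACEME goes through `security_ptrace_traceme` and requests on an already-attached tracee do not reach it, so validation now runs at different points than with the removed sys_ptrace probes. I would change the component line to `- Intercept security_ptrace_access_check (LSM ptrace access check)` and list that coverage difference under Caveats. `p_security_ptrace_access_ret` holds only a commented-out call; a one-line comment saying the return handler is intentionally a no-op would read better than the dead code.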
|
|
@ -0,0 +1,33 @@
|
|||
/*
|
||||
* pi3's Linux kernel Runtime Guard
|
||||
*
|
||||
* Component:
|
||||
* - Intercept ptrace syscall
|
||||
*
|
||||
* Notes:
|
||||
* - Enforce Exploit Detection validation
|
||||
*
|
||||
* Caveats:
|
||||
* - None
|
||||
*
|
||||
* Timeline:
|
||||
* - Created: 5.XI.2020
|
||||
*
|
||||
* Author:
|
||||
* - Mariusz Zaborski (https://oshogbo.vexillium.org/)
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef P_LKRG_EXPLOIT_DETECTION_SECURITY_PTRACE_ACCESS_H
|
||||
#define P_LKRG_EXPLOIT_DETECTION_SECURTIY_PTRACE_ACCESS_H
|
||||
|
||||
struct p_security_ptrace_access_data {
|
||||
ktime_t entry_stamp;
|
||||
};
|
||||
|
||||
int p_security_ptrace_access_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
|
||||
int p_security_ptrace_access_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
|
||||
int p_install_security_ptrace_access_hook(int p_isra);
|
||||
void p_uninstall_security_ptrace_access_hook(void);
|
||||
|
||||
#endif
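Review bot: The include guard does not guard anything: the `#ifndef` tests `P_LKRG_EXPLOIT_DETECTION_SECURITY_PTRACE_ACCESS_H`, but the `#define` spells the name `..._SECURTIY_...`. The tested macro is therefore never defined, and a second inclusion would redeclare `struct p_security_ptrace_access_data`. The define should read `#define P_LKRG_EXPLOIT_DETECTION_SECURITY_PTRACE_ACCESS_H`. The removed headers also carried a `/* per-instance private data */` comment above the struct, which is worth keeping here.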
|
|
@ -1,73 +0,0 @@
|
|||
/*
|
||||
* pi3's Linux kernel Runtime Guard
|
||||
*
|
||||
* Component:
|
||||
* - Intercept ptrace syscall
|
||||
*
|
||||
* Notes:
|
||||
* - Enforce Exploit Detection validation
|
||||
*
|
||||
* Caveats:
|
||||
* - None
|
||||
*
|
||||
* Timeline:
|
||||
* - Created: 31.I.2018
|
||||
*
|
||||
* Author:
|
||||
* - Adam 'pi3' Zabrocki (http://pi3.com.pl)
|
||||
*
|
||||
*/
|
||||
|
||||
#include "../../../../p_lkrg_main.h"
|
||||
|
||||
|
||||
char p_sys_ptrace_kretprobe_state = 0;
|
||||
|
||||
static struct kretprobe p_sys_ptrace_kretprobe = {
|
||||
.kp.symbol_name = P_GET_SYSCALL_NAME(ptrace),
|
||||
.handler = p_sys_ptrace_ret,
|
||||
.entry_handler = p_sys_ptrace_entry,
|
||||
.data_size = sizeof(struct p_sys_ptrace_data),
|
||||
/* Probe up to 40 instances concurrently. */
|
||||
.maxactive = 40,
|
||||
};
|
||||
|
||||
/*
|
||||
* x86-64 syscall ABI:
|
||||
* *rax - syscall_number
|
||||
* rdi - 1st argument
|
||||
* rsi - 2nd argument
|
||||
* rdx - 3rd argument
|
||||
* rcx - 4th argument
|
||||
*
|
||||
* r8 - 5th one
|
||||
* r9 - 6th one
|
||||
*/
|
||||
|
||||
int p_sys_ptrace_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
|
||||
|
||||
struct p_ed_process *p_tmp;
|
||||
unsigned long p_flags;
|
||||
|
||||
p_tasks_read_lock(&p_flags);
|
||||
if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(current))) != NULL) {
|
||||
// This process is on the ED list - validate 'off' flag
|
||||
p_ed_is_off_off_wrap(p_tmp);
|
||||
}
|
||||
p_tasks_read_unlock(&p_flags);
|
||||
|
||||
p_ed_enforce_validation();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int p_sys_ptrace_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
|
||||
|
||||
// p_ed_enforce_validation();
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
GENERATE_INSTALL_FUNC(sys_ptrace)
|
|
@ -1,35 +0,0 @@
|
|||
/*
|
||||
* pi3's Linux kernel Runtime Guard
|
||||
*
|
||||
* Component:
|
||||
* - Intercept ptrace syscall
|
||||
*
|
||||
* Notes:
|
||||
* - Enforce Exploit Detection validation
|
||||
*
|
||||
* Caveats:
|
||||
* - None
|
||||
*
|
||||
* Timeline:
|
||||
* - Created: 31.I.2018
|
||||
*
|
||||
* Author:
|
||||
* - Adam 'pi3' Zabrocki (http://pi3.com.pl)
|
||||
*
|
||||
*/
|
||||
|
||||
#ifndef P_LKRG_EXPLOIT_DETECTION_SYS_PTRACE_H
|
||||
#define P_LKRG_EXPLOIT_DETECTION_SYS_PTRACE_H
|
||||
|
||||
/* per-instance private data */
|
||||
struct p_sys_ptrace_data {
|
||||
ktime_t entry_stamp;
|
||||
};
|
||||
|
||||
|
||||
int p_sys_ptrace_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
|
||||
int p_sys_ptrace_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
|
||||
int p_install_sys_ptrace_hook(int p_isra);
|
||||
void p_uninstall_sys_ptrace_hook(void);
|
||||
|
||||
#endif
|
|
@ -113,9 +113,8 @@ static struct p_addr_name {
|
|||
P_LKRG_DEBUG_RULE_KPROBE(p_scm_send),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_seccomp),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_sys_setresgid),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_sys_ptrace),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_security_ptrace_access),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_compat_sys_execve),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_compat_sys_ptrace),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_compat_sys_add_key),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_compat_sys_capset),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_compat_sys_keyctl),
|
||||
|
@ -144,7 +143,6 @@ static struct p_addr_name {
|
|||
P_LKRG_DEBUG_RULE_KPROBE(p_call_usermodehelper),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_sys_execveat),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_ttwu_do_wakeup),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_x32_sys_ptrace),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_x32_sys_execve),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_x32_sys_execveat),
|
||||
P_LKRG_DEBUG_RULE_KPROBE(p_x32_sys_keyctl),
|
||||
|
|