1. Add LKRG early boot systemd script file. Currently only Systemd init system is supported. There are no technical reasons to not add support for other Init systems. 2. Modify Makefile to support install/uninstall option which will deploy/remove systemd boot service. 3. [ED] Add functionality of freezing all user-mode processes during Exploit-Detection initialization.
This commit is contained in:
parent
c904dfe27a
commit
96721f15ec
8
Makefile
8
Makefile
|
@ -8,9 +8,10 @@
|
|||
export CFLAGS="$CFLAGS"
|
||||
|
||||
P_OUTPUT = output
|
||||
P_PWD = $(shell pwd)
|
||||
P_PWD ?= $(shell pwd)
|
||||
P_KVER ?= $(shell uname -r)
|
||||
P_KERNEL := /lib/modules/$(P_KVER)/build
|
||||
P_BOOTUP_SCRIPT ?= scripts/bootup/lkrg-bootup.sh
|
||||
|
||||
obj-m += p_lkrg.o
|
||||
p_lkrg-objs += src/modules/ksyms/p_resolve_ksym.o \
|
||||
|
@ -83,6 +84,11 @@ all:
|
|||
|
||||
install:
|
||||
$(MAKE) -C $(P_KERNEL) M=$(P_PWD) modules_install
|
||||
depmod -a
|
||||
$(P_PWD)/$(P_BOOTUP_SCRIPT) install
|
||||
|
||||
uninstall:
|
||||
$(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall
|
||||
|
||||
clean:
|
||||
$(MAKE) -C $(P_KERNEL) M=$(P_PWD) clean
|
||||
|
|
|
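Review bot: The new `uninstall:` target in the second hunk only runs `$(P_PWD)/$(P_BOOTUP_SCRIPT) uninstall`, so the module file placed by `modules_install` in the `install:` target stays under /lib/modules and `depmod -a` is never re-run; after `make uninstall` the system still has a loadable p_lkrg. If removing the installed module is intended, the target should also delete that file and run `depmod -a`; if not, a comment on `uninstall:` saying it only removes the boot service would prevent the surprise. The `install:` target's success also depends on the bootup script exiting non-zero when it installs nothing, which it presumably does not in this commit.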
@ -0,0 +1,27 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Bootup installation script for LKRG (main branch)
|
||||
#
|
||||
# Author:
|
||||
# - Adam 'pi3' Zabrocki (http://pi3.com.pl)
|
||||
##
|
||||
|
||||
P_PWD=`pwd`
|
||||
P_LKRG_SYSTEMD="scripts/bootup/systemd/lkrg-systemd.sh"
|
||||
|
||||
P_RED='\033[0;31m'
|
||||
P_GREEN='\033[0;32m'
|
||||
P_WHITE='\033[1;37m'
|
||||
P_NC='\033[0m' # No Color
|
||||
|
||||
echo -e " ${P_GREEN}[*] ${P_WHITE}Executing LKRG's bootup installation script${P_NC}"
|
||||
|
||||
case "`readlink /proc/1/exe`" in
|
||||
/usr/lib/systemd/systemd | \
|
||||
/lib/systemd/systemd)
|
||||
$P_PWD/$P_LKRG_SYSTEMD "$@"
|
||||
;;
|
||||
*)
|
||||
echo " ${P_RED}[-] Unsupported init system: not systemd?${P_NC}"
|
||||
;;
|
||||
esac
|
|
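Review bot: The `*)` branch of the `case` (the `Unsupported init system` message) ends without an exit status, so the script returns 0 and a `make install` that called it reports success although nothing was installed; the branch should be `echo -e " ${P_RED}[-] Unsupported init system: not systemd?${P_NC}"; exit 1`. That `echo` also lacks the `-e` the other messages use, so the colour escapes are printed literally. `P_PWD` is taken from `pwd` rather than the script's own location, so `$P_PWD/$P_LKRG_SYSTEMD "$@"` presumably fails when the script is run from another directory (for instance with `P_PWD` overridden in the Makefile); deriving the directory from `$0` or passing it in explicitly would avoid that.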
@ -0,0 +1,41 @@
|
|||
#!/bin/bash
|
||||
#
|
||||
# Systemd installation script for LKRG (main branch)
|
||||
#
|
||||
# Author:
|
||||
# - Adam 'pi3' Zabrocki (http://pi3.com.pl)
|
||||
##
|
||||
|
||||
P_PWD=`pwd`
|
||||
P_SYSTEMD_DIR=`systemctl show -p UnitPath | cut -d " " -f5`
|
||||
|
||||
P_RED='\033[0;31m'
|
||||
P_GREEN='\033[0;32m'
|
||||
P_WHITE='\033[1;37m'
|
||||
P_YL='\033[1;33m'
|
||||
P_NC='\033[0m' # No Color
|
||||
|
||||
echo -e " ${P_GREEN}[+] ${P_WHITE}Systemd detected${P_NC}"
|
||||
|
||||
if [ "$1" == "install" ]; then
|
||||
if [ -f $P_SYSTEMD_DIR/lkrg.service ]; then
|
||||
echo -e " ${P_RED}ERROR! ${P_YL}lkrg.service${P_RED} file already exists under ${P_YL}$P_SYSTEMD_DIR${P_RED} folder"
|
||||
exit 666
|
||||
else
|
||||
echo -e " ${P_GREEN}Installing ${P_YL}lkrg.service${P_GREEN} file under ${P_YL}$P_SYSTEMD_DIR${P_GREEN} folder${P_NC}"
|
||||
cp $P_PWD/scripts/bootup/systemd/lkrg.service $P_SYSTEMD_DIR/lkrg.service
|
||||
echo -e " ${P_GREEN}Enabling ${P_YL}lkrg.service${P_GREEN} on bootup${P_NC}"
|
||||
systemctl enable lkrg.service
|
||||
fi
|
||||
elif [ "$1" == "uninstall" ]; then
|
||||
echo -e " ${P_GREEN}Disabling ${P_YL}lkrg.service${P_GREEN} on bootup${P_NC}"
|
||||
systemctl disable lkrg.service
|
||||
echo -e " ${P_GREEN}Deleting ${P_YL}lkrg.service${P_GREEN} file from the ${P_YL}$P_SYSTEMD_DIR${P_GREEN} folder${P_NC}"
|
||||
rm $P_SYSTEMD_DIR/lkrg.service
|
||||
else
|
||||
echo -e " ${P_RED}ERROR! Unknown option!${P_NC}"
|
||||
exit 666
|
||||
fi
|
||||
|
||||
|
||||
echo -e " ${P_GREEN}[+] ${P_WHITE}Done!${P_NC}"
|
|
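Review bot: `P_SYSTEMD_DIR` is the fifth space-separated field of `systemctl show -p UnitPath` and nothing checks the result before it is used in the `-f` test, `cp` and `rm`; if the field order differs or the command fails the variable is empty and the script copies to or removes `/lkrg.service`, and the unquoted expansion also breaks on paths containing spaces. A guard after the assignment, `if [ -z "$P_SYSTEMD_DIR" ] || [ ! -d "$P_SYSTEMD_DIR" ]; then echo -e " ${P_RED}ERROR! Can't determine the systemd unit directory${P_NC}"; exit 1; fi`, together with quoting `"$P_SYSTEMD_DIR/lkrg.service"`, would contain the damage. `exit 666` is truncated to 154 by the shell because exit status is eight bits, so callers see an unrelated code; `exit 1` is clearer. The `uninstall` branch also runs `rm` without first checking that the unit file exists.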
@ -0,0 +1,23 @@
|
|||
##
|
||||
# Systemd service for LKRG (main branch)
|
||||
#
|
||||
# Author:
|
||||
# - Adam 'pi3' Zabrocki (http://pi3.com.pl)
|
||||
##
|
||||
|
||||
[Unit]
|
||||
Description=Linux Kernel Runtime Guard
|
||||
After=basic.target
|
||||
Before=network.target
|
||||
|
||||
[Service]
|
||||
Type=simple
|
||||
ExecStartPre=/sbin/modprobe p_lkrg p_init_log_level=3
|
||||
ExecStart=/sbin/sysctl lkrg.clean_message=0
|
||||
ExecStop=/sbin/rmmod p_lkrg
|
||||
RemainAfterExit=yes
|
||||
Restart=on-failure
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
|
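Review bot: `Type=simple` with an `ExecStart=` that is a single `sysctl` call means systemd marks the unit active as soon as that process is forked, so the `Before=network.target` ordering guarantees only that the `ExecStartPre=` modprobe finished, not that `lkrg.clean_message=0` was applied; `Type=oneshot` is the documented pairing for `RemainAfterExit=yes` and would make the ordering hold. With `Restart=on-failure` a failing modprobe is retried within systemd's start rate limit, which may or may not be wanted at boot; note also that, as far as I recall, older systemd versions reject `Restart=` on oneshot units, so check the target version before switching. A one-line comment above `ExecStartPre=` explaining why the module is loaded with `p_init_log_level=3` would help the next maintainer.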
@ -37,6 +37,8 @@ struct kmem_cache *p_ed_pcfi_cache = NULL;
|
|||
#define p_ed_pcfi_free(name) kmem_cache_free(p_ed_pcfi_cache, (void *)(name))
|
||||
|
||||
int (*p_is_kernel_text_address)(unsigned long p_addr) = 0x0;
|
||||
int (*p_freeze_processes)(void) = 0x0;
|
||||
void (*p_thaw_processes)(void) = 0x0;
|
||||
|
||||
struct p_umh_whitelist p_umh_global[] = {
|
||||
|
||||
|
@ -1091,6 +1093,24 @@ int p_exploit_detection_init(void) {
|
|||
goto p_exploit_detection_init_out;
|
||||
}
|
||||
|
||||
p_freeze_processes = (int (*)(void))p_kallsyms_lookup_name("freeze_processes");
|
||||
|
||||
if (!p_freeze_processes) {
|
||||
p_print_log(P_LKRG_ERR,
|
||||
"[ED] ERROR: Can't find 'freeze_processes' function :( Exiting...\n");
|
||||
p_ret = P_LKRG_GENERAL_ERROR;
|
||||
goto p_exploit_detection_init_out;
|
||||
}
|
||||
|
||||
p_thaw_processes = (void (*)(void))p_kallsyms_lookup_name("thaw_processes");
|
||||
|
||||
if (!p_thaw_processes) {
|
||||
p_print_log(P_LKRG_ERR,
|
||||
"[ED] ERROR: Can't find 'thaw_processes' function :( Exiting...\n");
|
||||
p_ret = P_LKRG_GENERAL_ERROR;
|
||||
goto p_exploit_detection_init_out;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_SECURITY_SELINUX
|
||||
p_selinux_enabled = (int *)p_kallsyms_lookup_name("selinux_enabled");
|
||||
#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
|
||||
|
@ -1130,6 +1150,10 @@ int p_exploit_detection_init(void) {
|
|||
goto p_exploit_detection_init_out;
|
||||
}
|
||||
|
||||
// Freeze all non-kernel processes
|
||||
while (p_freeze_processes())
|
||||
schedule();
|
||||
|
||||
// Dump processes and threads
|
||||
p_iterate_processes(p_dump_task_f);
|
||||
|
||||
|
@ -1494,6 +1518,9 @@ p_exploit_detection_init_err:
|
|||
|
||||
p_exploit_detection_init_out:
|
||||
|
||||
// Thaw all non-kernel processes
|
||||
p_thaw_processes();
|
||||
|
||||
// STRONG_DEBUG
|
||||
p_debug_log(P_LKRG_STRONG_DBG,
|
||||
"Leaving function <p_exploit_detection_init> (p_ret => %d)\n",p_ret);
|
||||
|
|
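Review bot: `p_thaw_processes()` at the `p_exploit_detection_init_out` label in the last hunk is reached from error paths that run before the pointer is assigned — the `goto p_exploit_detection_init_out` after the failed `freeze_processes` lookup and after the failed `thaw_processes` lookup in the second hunk — so on those paths it is a call through a NULL function pointer, and on every error path between the lookups and the freeze loop it thaws processes that were never frozen. Track whether the freeze happened, e.g. `int p_frozen = 0;` near the top of the function and `p_frozen = 1;` after the `while` loop, and guard the cleanup with `if (p_frozen && p_thaw_processes) p_thaw_processes();`. The loop `while (p_freeze_processes()) schedule();` also retries without bound, so if freezing keeps failing (a task that cannot be frozen) module initialization spins forever; a retry cap that sets `p_ret` and jumps to the error label would be safer. The body of `p_exploit_detection_init` starts and ends outside these hunks.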