The reported problem with integrity verification on ARM64 (#269)
is a result of a very tight race condition with tracepoints.
Changes which simplify synchronization with the JUMP_LABEL engine:
f98da1b17c
affected the ARM64 platform differently, which made such a race possible.
However, potentially the same race problem may exist on x86, and
this commit fixes it and should address #269

... for better debuggability. If non standard P_LKRG_JUMP_LABEL_STEXT_DEBUG
is enabled, it means that LKRG is being actively debugged.
In that case, we want to avoid unnecessary noise.

Linux kernel post-6.3 modified 'struct module' and introduced a new
substructure describing the module's memory layout. Additionally, the logic for
dynamic debug (ddebug) has been modified and some of the functions which LKRG
uses are no longer exported. This commit adapts to these post-6.3 changes and
addresses #267

Starting from kernel 5.14.0-162.12.1 (RHEL 9.1), a new 'text_poke_loc'
structure is used. This commit brings the support for such kernels as
well as addresses the #256 problem

Add a new logic to the integrity verification routine verifying if the
kprobes are enabled and correctly run.

This commit makes the kprobe verification functionality an independent
module invoked by the integrity verification routine as well as during
initialization to make sure kprobes are enabled and run as intended
(otherwise, initialization fails).

Starting from the RHEL8.6 4.18.0-372.32.1.el8_6 kernel, struct text_poke_loc
is not exported and we need to correctly take this into account.
Previous RHEL8.6 kernels did not hide this structure, so we need to find
some way to distinguish them. We do it in this commit and it should fix #236

The original logic was hooking the 'ovl_create_or_link' function, but it could be
inlined. This commit changes it by hooking 'ovl_dentry_is_whiteout' when
possible.
Fixes #215

It was inconsistent to produce "alerts" that did not invoke any response
action, whereas downgrading them to informational messages lets us skip
a lengthy block of checks at default log level.

Use macros, move logging and enforcement responses from callers into
called functions, remove them where they were duplicated.
Unify our log and kernel panic messages.

sed -i 's/\\n"/"/g' `fgrep -rl '\n"' src`
Followed by manual re-alignment of trailing backslashes in a few places,
and indeed the edit of p_print_log().

sed -i 's/P_LOG_LEVEL_MIN/P_LOG_MIN/g' `fgrep -rl P_LOG_LEVEL_MIN src`
sed -i 's/P_LOG_LEVEL_MAX/P_LOG_MAX/g' `fgrep -rl P_LOG_LEVEL_MAX src`
sed -i 's/P_LKRG_CRIT/P_LOG_ALERT/g' `fgrep -rl P_LKRG_CRIT src`
sed -i 's/P_LKRG_ALIVE/P_LOG_ALIVE/g' `fgrep -rl P_LKRG_ALIVE src`
sed -i 's/P_LKRG_ERR/P_LOG_FAULT/g' `fgrep -rl P_LKRG_ERR src`
sed -i 's/P_LKRG_WARN/P_LOG_ISSUE/g' `fgrep -rl P_LKRG_WARN src`
sed -i 's/P_LKRG_INFO/P_LOG_WATCH/g' `fgrep -rl P_LKRG_INFO src`
sed -i 's/P_LKRG_DBG/P_LOG_DEBUG/g' `fgrep -rl P_LKRG_DBG src`
sed -i 's/P_LKRG_STRONG_DBG/P_LOG_FLOOD/g' `fgrep -rl P_LKRG_STRONG_DBG src`
Followed by manual re-alignment of trailing backslashes in a few places.