With the current design of JUMP_LABEL support we do not need to manually take this mutex. Our hooks are deep enough to be protected and the integrity routine depends on the text mutex.
Introduce a new SELinux lock type - p_lkrg_selinux_lock. The verification routine can take this lock only when the atomic counter is zero. This means there are no other consumers of SELinux variables.
If we want to track all changes in the kernel core .text section and, when a modification happens, we want to know exactly which bytes were modified, at which offset, and which symbol is correlated with it, we can compile LKRG with this feature. Disabled by default. It's mostly useful for debugging.
It's OK to remove such a lock, since LKRG .text section validation is syncing with the kernel through the JL mutex and the .text mutex. There is one corner case where these mutexes are not taken by the kernel, when a new kernel module might be compiled without long nops. In such a case, the Linux kernel might modify such .text and 'inject' long-nops where needed; however, it is done when the new module is in the UNFORMED state. UNFORMED modules can't be verified yet so we are fine.
Due to kernel commit f3ac60671954c ("sched/headers: Move task-stack
related APIs from <linux/sched.h> to <linux/sched/task_stack.h>") (Linux
v4.11) `linux/sched/task_stack.h' should be included to access
`task_stack_page'.
Compilation failure is appearing on armv8l arch:
In file included from ./include/linux/prefetch.h:15,
from ./arch/arm/include/asm/atomic.h:12,
from ./include/linux/atomic.h:7,
from ./include/asm-generic/bitops/lock.h:5,
from ./arch/arm/include/asm/bitops.h:243,
from ./include/linux/bitops.h:26,
from ./include/linux/kernel.h:12,
from /usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/../../p_lkrg_main.h:23,
from /usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/p_exploit_detection.c:18:
/usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/p_exploit_detection.c: In function 'p_iterate_processes':
./arch/arm/include/asm/processor.h:99:40: error: implicit declaration of function 'task_stack_page'; did you mean 'walk_stackframe'? [-Werror=implicit-function-declaration]
99 | ((struct pt_regs *)(THREAD_START_SP + task_stack_page(p)) - 1)
| ^~~~~~~~~~~~~~~
/usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/p_exploit_detection.c:779:30: note: in expansion of macro 'task_pt_regs'
779 | p_regs_set_ip(task_pt_regs(p_tmp), -1);
| ^~~~~~~~~~~~
cc1: some warnings being treated as errors
make[1]: *** [scripts/Makefile.build:265: /usr/src/RPM/BUILD/lkrg-0.8.1/src/modules/exploit_detection/p_exploit_detection.o] Error 1
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
* Various spelling corrections by codespell 1.17.1
* Various grammar corrections
Signed-off-by: Vitaly Chikunov <vt@altlinux.org>
Co-authored-by: Solar Designer <solar@openwall.com>
This fixes LKRG build on Linux 5.8+, which renamed that header file. Thanks to
Andy Lavr for reporting this problem and suggesting a (different) fix, which
made us revisit our use of that header file.
We only need that header file on older kernels (< 4.4.72 or < RHEL 7.4) for the
one use of md5_transform() in get_random_long(). On newer kernels, we simply
use the kernel-provided get_random_long(). Further, 5.8's crypto/sha.h doesn't
declare md5_transform() anyway (linux/cryptohash.h on much older kernels did).
- Not all hooks are fatal. If for any reason a non-fatal hook can't be placed, continue initialization and print an appropriate message.
- If the hook is fatal, stop initialization.
[2] Add support for ISRA optimized functions:
- Some of the functions might be optimized by ISRA. However, some of the hooks can still be functional even under ISRA optimized functions.