понедельник, 4 октября 2021 г.

security hooks in linux kernel

This mechanism was inspired by the NSA. As described, all hooks are stored in the huge struct security_hooks_list, but its layout is different in each kernel version. We can determine which list belongs to which hook with some disassembly magic. Let's look at a function that calls security hooks - for example security_path_chown:

.text:FFFFFFC010496448 security_path_chown        ; CODE XREF: chown_common+104↑p
.text:FFFFFFC010496448   STP             X29, X30, [SP,#-0x18+var_18]!
.text:FFFFFFC01049644C   MOV             X29, SP
.text:FFFFFFC010496450   STP             X20, X21, [SP,#0x18+var_s0]
.text:FFFFFFC010496454   STR             X22, [SP,#0x18+var_s10]
.text:FFFFFFC010496458   MOV             X20, path
.text:FFFFFFC01049645C   MOV             W21, W1
.text:FFFFFFC010496460   MOV             path, X30
.text:FFFFFFC010496464   MOV             W22, W2
.text:FFFFFFC010496468 loc_FFFFFFC010496468  ; DATA XREF: .init.data:FFFFFFC0111474C0↓o
.text:FFFFFFC010496468   BL              _mcount
.text:FFFFFFC01049646C   LDR             X0, [path,#8]
.text:FFFFFFC010496470   LDR             X0, [X0,#0x30]
.text:FFFFFFC010496474   LDR             W0, [X0,#0xC]
.text:FFFFFFC010496478   TBNZ            W0, #9, loc_FFFFFFC0104964B4
.text:FFFFFFC01049647C   ADRP            X0, #security_hook_heads_0.path_chown@PAGE
.text:FFFFFFC010496480   STR             X19, [X29,#0x18+var_8]
.text:FFFFFFC010496484   LDR             X19, [X0,#security_hook_heads_0.path_chown@PAGEOFF]


In the disassembly we simply search for the first reference to memory near the address of security_hook_heads; the offset of that reference identifies the list head for the hook. Some results:
sudo ./lkmem -d -c -S ~/krnl/curr ~/krnl/System.map-5.11.0-37-generic
ptrace_access_check: 3
 0xffffffff964ae400 - kernel!cap_ptrace_access_check
 0xffffffff96515a40 - kernel!yama_ptrace_access_check
 0xffffffff96506770 - kernel!apparmor_ptrace_access_check
ptrace_traceme: 3
 0xffffffff964ae380 - kernel!cap_ptrace_traceme
 0xffffffff965159a0 - kernel!yama_ptrace_traceme
 0xffffffff965065e0 - kernel!apparmor_ptrace_traceme
capget: 2
 0xffffffff964ad960 - kernel!cap_capget
 0xffffffff96505a90 - kernel!apparmor_capget
capset: 1
 0xffffffff964ae490 - kernel!cap_capset
capable: 2
 0xffffffff964ada50 - kernel!cap_capable
 0xffffffff96505780 - kernel!apparmor_capable
bprm_creds_for_exec: 1
 0xffffffff964fcc60 - kernel!apparmor_bprm_creds_for_exec
bprm_creds_from_file: 1
 0xffffffff964ae8e0 - kernel!cap_bprm_creds_from_file
bprm_committing_creds: 1
 0xffffffff96504bc0 - kernel!apparmor_bprm_committing_creds
bprm_committed_creds: 1
 0xffffffff965054d0 - kernel!apparmor_bprm_committed_creds
sb_mount: 1
 0xffffffff96506ab0 - kernel!apparmor_sb_mount
sb_umount: 1
 0xffffffff96505c10 - kernel!apparmor_sb_umount
sb_pivotroot: 1
 0xffffffff965070d0 - kernel!apparmor_sb_pivotroot
path_unlink: 1
 0xffffffff965065a0 - kernel!apparmor_path_unlink
path_mkdir: 1
 0xffffffff965064c0 - kernel!apparmor_path_mkdir
path_rmdir: 1
 0xffffffff965065c0 - kernel!apparmor_path_rmdir
path_mknod: 1
 0xffffffff965064f0 - kernel!apparmor_path_mknod
path_truncate: 1
 0xffffffff965063b0 - kernel!apparmor_path_truncate
path_symlink: 1
 0xffffffff96506490 - kernel!apparmor_path_symlink
path_link: 1
 0xffffffff96508060 - kernel!apparmor_path_link
path_rename: 1
 0xffffffff96508210 - kernel!apparmor_path_rename
path_chmod: 1
 0xffffffff965063f0 - kernel!apparmor_path_chmod
path_chown: 1
 0xffffffff965063d0 - kernel!apparmor_path_chown
inode_getattr: 1
 0xffffffff96506390 - kernel!apparmor_inode_getattr
inode_need_killpriv: 1
 0xffffffff964ad990 - kernel!cap_inode_need_killpriv
inode_killpriv: 1
 0xffffffff964ad9c0 - kernel!cap_inode_killpriv
inode_getsecurity: 1
 0xffffffff964ae010 - kernel!cap_inode_getsecurity
file_permission: 1
 0xffffffff96506120 - kernel!apparmor_file_permission
mmap_addr: 1
 0xffffffff964ade10 - kernel!cap_mmap_addr
mmap_file: 2
 0xffffffff964ad930 - kernel!cap_mmap_file
 0xffffffff965060e0 - kernel!apparmor_mmap_file
file_mprotect: 1
 0xffffffff96506090 - kernel!apparmor_file_mprotect
file_lock: 1
 0xffffffff96506020 - kernel!apparmor_file_lock
file_receive: 1
 0xffffffff96506140 - kernel!apparmor_file_receive
file_open: 1
 0xffffffff965078c0 - kernel!apparmor_file_open
task_alloc: 1
 0xffffffff96505110 - kernel!apparmor_task_alloc
task_free: 2
 0xffffffff96515320 - kernel!yama_task_free
 0xffffffff965056c0 - kernel!apparmor_task_free
cred_alloc_blank: 1
 0xffffffff965046b0 - kernel!apparmor_cred_alloc_blank
cred_free: 1
 0xffffffff965055c0 - kernel!apparmor_cred_free
task_fix_setuid: 1
 0xffffffff964ade60 - kernel!cap_task_fix_setuid
task_getsecid: 1
 0xffffffff96505570 - kernel!apparmor_task_getsecid
task_setnice: 1
 0xffffffff964ae370 - kernel!cap_task_setnice
task_setioprio: 1
 0xffffffff964ae360 - kernel!cap_task_setioprio
task_setrlimit: 1
 0xffffffff96505d50 - kernel!apparmor_task_setrlimit
task_setscheduler: 1
 0xffffffff964ae350 - kernel!cap_task_setscheduler
task_kill: 1
 0xffffffff96507b40 - kernel!apparmor_task_kill
task_prctl: 2
 0xffffffff964adb10 - kernel!cap_task_prctl
 0xffffffff965155d0 - kernel!yama_task_prctl
setprocattr: 1
 0xffffffff96508c50 - kernel!apparmor_setprocattr
secctx_to_secid: 1
 0xffffffff96509a70 - kernel!apparmor_secctx_to_secid
release_secctx: 1
 0xffffffff96509ac0 - kernel!apparmor_release_secctx
unix_stream_connect: 1
 0xffffffff96507260 - kernel!apparmor_unix_stream_connect
unix_may_send: 1
 0xffffffff96506900 - kernel!apparmor_unix_may_send
socket_create: 1
 0xffffffff96507e50 - kernel!apparmor_socket_create
socket_post_create: 1
 0xffffffff96508490 - kernel!apparmor_socket_post_create
socket_bind: 1
 0xffffffff96504e10 - kernel!apparmor_socket_bind
socket_connect: 1
 0xffffffff96504dd0 - kernel!apparmor_socket_connect
socket_listen: 1
 0xffffffff96504da0 - kernel!apparmor_socket_listen
socket_accept: 1
 0xffffffff96504d70 - kernel!apparmor_socket_accept
socket_sendmsg: 1
 0xffffffff96505070 - kernel!apparmor_socket_sendmsg
socket_recvmsg: 1
 0xffffffff96504d20 - kernel!apparmor_socket_recvmsg
socket_getsockname: 1
 0xffffffff96504cb0 - kernel!apparmor_socket_getsockname
socket_getpeername: 1
 0xffffffff96504c90 - kernel!apparmor_socket_getpeername
socket_getsockopt: 1
 0xffffffff965050c0 - kernel!apparmor_socket_getsockopt
socket_setsockopt: 1
 0xffffffff96504cd0 - kernel!apparmor_socket_setsockopt
socket_shutdown: 1
 0xffffffff96504c70 - kernel!apparmor_socket_shutdown
socket_getpeersec_stream: 1
 0xffffffff96506d00 - kernel!apparmor_socket_getpeersec_stream
sock_graft: 1
 0xffffffff96505200 - kernel!apparmor_sock_graft
inet_conn_request: 1
 0xffffffff96504b00 - kernel!apparmor_inet_conn_request
audit_rule_init: 1
 0xffffffff964f60a0 - kernel!aa_audit_rule_init
audit_rule_known: 1
 0xffffffff964f6150 - kernel!aa_audit_rule_known
audit_rule_match: 1
 0xffffffff964f6190 - kernel!aa_audit_rule_match
audit_rule_free: 1
 0xffffffff964f6040 - kernel!aa_audit_rule_free
locked_down: 1
 0xffffffff96516700 - kernel!lockdown_is_locked_down
settime64: 1
 0xffffffff964ad940 - kernel!cap_settime
vm_enough_memory_mm: 1
 0xffffffff964adad0 - kernel!cap_vm_enough_memory
file_alloc: 1
 0xffffffff965076d0 - kernel!apparmor_file_alloc_security
prepare_creds: 1
 0xffffffff96505330 - kernel!apparmor_cred_prepare
sock_rcv_skb: 1
 0xffffffff96504b50 - kernel!apparmor_socket_sock_rcv_skb

Needless to say, you can't get this information with standard system tools. That is also what makes such a dump useful as an integrity check: every callback should resolve to a known LSM (here the capability, yama, apparmor and lockdown modules), and an entry that does not is worth investigating.
