
Implement "ps" extras feature

This creates a new sysctl entry: extras/ps

When enabled, non-root users won't be able to view processes other than their
own. The "ps" command only shows their processes, and a "ls -l /proc" won't
show any data at all for the pid directories of processes they don't own.
cormander committed Nov 28, 2011
1 parent 4cf1548 commit 899bd5d74764af343d5fee1d8058756ddc63bfe3
Showing with 39 additions and 8 deletions.
  1. +1 −0 README
  2. +0 −8 core.c
  3. +9 −0 module.h
  4. +20 −0 security.c
  5. +9 −0 sysctl.c
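--- a/README
+++ b/README
@@ -67,6 +67,7 @@ extras/ - directory for additional protections that aren't TPE related.
 dmesg - denies non-root users from viewing the kernel ring buffer
 lsmod - denies non-root users from viewing loaded kernel modules
 proc_kallsyms - denies non-root users from viewing /proc/kallsyms
+ps - denied non-root users from viewing processes they don't own
 ===============================================================================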
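--- a/core.c
+++ b/core.c
@@ -4,14 +4,6 @@
 // the single most important function of all (for this module, of course). prevent
 // the execution of untrusted binaries
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 28)
-#define get_task_uid(task) task->uid
-#define get_task_parent(task) task->parent
-#else
-#define get_task_uid(task) task->cred->uid
-#define get_task_parent(task) task->real_parent
-#endif
-
 unsigned long tpe_alert_wtime = 0;
 unsigned long tpe_alert_fyet = 0;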
@@ -31,6 +31,14 @@
#define IN_ERR(x) (x < 0)
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 28)
+#define get_task_uid(task) task->uid
+#define get_task_parent(task) task->parent
+#else
+#define get_task_uid(task) task->cred->uid
+#define get_task_parent(task) task->real_parent
+#endif
+
struct kernsym {
void *addr; // orig addr
void *end_addr;
@@ -82,5 +90,6 @@ extern int tpe_log_floodburst;
extern int tpe_dmesg;
extern int tpe_lsmod;
extern int tpe_proc_kallsyms;
+extern int tpe_ps;
#endif
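Review bot: The get_task_uid/get_task_parent macros now exported from this header expand their argument unparenthesized (`#define get_task_uid(task) task->cred->uid`), which is fragile once every includer can pass an arbitrary expression; `#define get_task_uid(task) ((task)->cred->uid)`, with the same treatment for the other three definitions in the `#if`/`#else` arms, is the conventional form. The text is relocated from core.c rather than new, so this is a style point on the moved code, not a defect introduced by the move.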
@@ -14,6 +14,7 @@ struct kernsym sym_do_syslog;
struct kernsym sym_m_show;
struct kernsym sym_kallsyms_open;
struct kernsym sym_sys_kill;
+struct kernsym sym_pid_getattr;
// it's possible to mimic execve by loading a binary into memory, mapping pages
// as executable via mmap, thus bypassing TPE protections. This prevents that.
@@ -190,6 +191,19 @@ void tpe_sys_kill(int pid, int sig) {
run(pid, sig);
}
+int tpe_pid_getattr(struct vfsmount *mnt, struct dentry *dentry, struct kstat *stat) {
+
+ int (*run)(struct vfsmount *, struct dentry *, struct kstat *) = sym_pid_getattr.run;
+ int ret = 0;
+
+ if (tpe_ps && !capable(CAP_SYS_ADMIN) && dentry->d_inode && dentry->d_inode->i_uid != get_task_uid(current))
+ return -EPERM;
+
+ ret = (int) run(mnt, dentry, stat);
+
+ return ret;
+}
+
// hijack the needed functions. whenever possible, hijack just the LSM function
void hijack_syscalls(void) {
@@ -229,6 +243,11 @@ void hijack_syscalls(void) {
}
+ ret = symbol_hijack(&sym_pid_getattr, "pid_getattr", (unsigned long *)tpe_pid_getattr);
+
+ if (IN_ERR(ret))
+ printfail("pid_getattr");
+
#ifndef CONFIG_X86_32
// execve compat
@@ -285,5 +304,6 @@ void undo_hijack_syscalls(void) {
symbol_restore(&sym_do_syslog);
symbol_restore(&sym_m_show);
symbol_restore(&sym_kallsyms_open);
+ symbol_restore(&sym_pid_getattr);
}
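Review bot: tpe_pid_getattr only denies the getattr path for /proc/<pid> entries, so the commit message's claim that non-root users "won't be able to view processes other than their own" is broader than what this hunk enforces — directory listing of /proc and open/read of the files under /proc/<pid> are not covered here, and the README line should say that only stat()-based tools are affected unless the lookup/permission path is hooked as well. The ownership test compares `dentry->d_inode->i_uid` against `get_task_uid(current)`, which per the module.h macro is the real uid (`cred->uid`), while `capable()` consults effective credentials; whether proc derives `i_uid` from the task's effective uid, and what it sets for non-dumpable tasks, should be confirmed, since a mismatch would hide a user's own processes from them rather than only other users'. Minor style: the `ret` temporary and the `(int)` cast add nothing, `return run(mnt, dentry, stat);` is the whole body after the guard. The hijack_syscalls and undo_hijack_syscalls functions touched by the later hunks start and end outside this section.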
@@ -16,6 +16,7 @@ int tpe_log_floodburst = LOG_FLOODBURST;
int tpe_dmesg = 0;
int tpe_lsmod = 0;
int tpe_proc_kallsyms = 0;
+int tpe_ps = 0;
static ctl_table tpe_extras_table[] = {
{
@@ -34,6 +35,14 @@ static ctl_table tpe_extras_table[] = {
.mode = 0644,
.proc_handler = &proc_dointvec,
},
+ {
+ .ctl_name = CTL_UNNUMBERED,
+ .procname = "ps",
+ .data = &tpe_ps,
+ .maxlen = sizeof(int),
+ .mode = 0644,
+ .proc_handler = &proc_dointvec,
+ },
{
.ctl_name = CTL_UNNUMBERED,
.procname = "proc_kallsyms",
