Add support for RHEL 8.3

RHEL 8.3 backported modern *_JUMP_LABEL logic to own kernels. This commit add supports for it.
lkrg-org · Mar 5, 2021 · 7092d7a · 7092d7a
1 parent b42ef9c
commit 7092d7a
Show file tree

Hide file tree

Showing 3 changed files with 12 additions and 6 deletions.
diff --git a/...database/JUMP_LABEL/p_arch_jump_label_transform_apply/p_arch_jump_label_transform_apply.c b/...database/JUMP_LABEL/p_arch_jump_label_transform_apply/p_arch_jump_label_transform_apply.c
@@ -72,7 +72,8 @@ notrace int p_arch_jump_label_transform_apply_entry(struct kretprobe_instance *p
 #else
       if (p_tmp->len == JUMP_LABEL_NOP_SIZE &&
           p_tmp->addr
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 5, 0)
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 5, 0) || \
+   (defined(RHEL_RELEASE_CODE) && RHEL_RELEASE_CODE >= RHEL_RELEASE_VERSION(8, 3))
           && p_tmp->opcode) {
 #else
           && p_tmp->detour) {

diff --git a/src/modules/exploit_detection/p_exploit_detection.c b/src/modules/exploit_detection/p_exploit_detection.c
@@ -1672,7 +1672,8 @@ static void p_validate_selinux(void) {
       }
    } while(1);
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
+#if (!defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)) || \
+     (defined(RHEL_RELEASE_CODE) && RHEL_RELEASE_CODE < RHEL_RELEASE_VERSION(8, 3))
    if (p_ed_guard_globals.p_selinux.p_selinux_enabled != *P_SYM(p_selinux_enabled)) {
       p_print_log(P_LKRG_CRIT,
              "<Exploit Detection> Detected data corruption against SELINUX! 'selinux_enabled' has "
@@ -2280,7 +2281,8 @@ int p_exploit_detection_init(void) {
    }
 
 #ifdef CONFIG_SECURITY_SELINUX
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
+#if (!defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)) || \
+     (defined(RHEL_RELEASE_CODE) && RHEL_RELEASE_CODE < RHEL_RELEASE_VERSION(8, 3))
    P_SYM(p_selinux_enabled)    = (int *)P_SYM(p_kallsyms_lookup_name)("selinux_enabled");
 #endif
 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
@@ -2305,7 +2307,8 @@ int p_exploit_detection_init(void) {
  #endif
 #endif
 
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
+#if (!defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)) || \
+     (defined(RHEL_RELEASE_CODE) && RHEL_RELEASE_CODE < RHEL_RELEASE_VERSION(8, 3))
    if (!P_SYM(p_selinux_enabled)) {
       p_print_log(P_LKRG_ERR,
              "[ED] ERROR: Can't find 'selinux_enabled' variable :( Exiting...\n");
@@ -2334,7 +2337,8 @@ int p_exploit_detection_init(void) {
    p_ed_guard_globals.p_selinux.p_selinux_enforcing = *P_SYM(p_selinux_enforcing);
  #endif
 #endif
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
+#if (!defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)) || \
+     (defined(RHEL_RELEASE_CODE) && RHEL_RELEASE_CODE < RHEL_RELEASE_VERSION(8, 3))
    p_ed_guard_globals.p_selinux.p_selinux_enabled = *P_SYM(p_selinux_enabled);
 #endif
    p_lkrg_counter_lock_init(&p_ed_guard_globals.p_selinux_lock);

diff --git a/src/modules/exploit_detection/syscalls/p_sel_write_enforce/p_sel_write_enforce.c b/src/modules/exploit_detection/syscalls/p_sel_write_enforce/p_sel_write_enforce.c
@@ -81,7 +81,8 @@ int p_sel_write_enforce_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_r
       p_ed_guard_globals.p_selinux.p_selinux_enforcing = *P_SYM(p_selinux_enforcing);
  #endif
 #endif
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
+#if (!defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)) || \
+     (defined(RHEL_RELEASE_CODE) && RHEL_RELEASE_CODE < RHEL_RELEASE_VERSION(8, 3))
       p_ed_guard_globals.p_selinux.p_selinux_enabled = *P_SYM(p_selinux_enabled);
 #endif
    }