Modify the logic how LKRG tracks the exec syscalls

Since kernel 5.8 function search_binary_handler is not exported anymore. On the aggressively optimized kernels it is possible that `search_binary_handler` can be inlined. However, GCC can splits the function to put the big part in its own function, which receives as a name the original function name plus .part + .<some number>, and inlines the rest in other functions. This is a very problematic behavior from the LKRG point of view and was reported as #41 and #45. This commit fixes the problem by replacing the 'search_binary_handler' (or 'do_execveat_common') hook with security_bprm_committing_creds and security_bprm_committed_creds. Additionally, this change is desired from the security point of view.
lkrg-org · Jan 19, 2021 · d3276d4 · d3276d4
1 parent 76a9382
commit d3276d4
Show file tree

Hide file tree

Showing 9 changed files with 184 additions and 102 deletions.
diff --git a/Makefile b/Makefile
@@ -45,7 +45,8 @@ $(TARGET)-objs += src/modules/ksyms/p_resolve_ksym.o \
                   src/modules/self-defense/hiding/p_hiding.o \
                   src/modules/exploit_detection/p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.o \
                   src/modules/exploit_detection/syscalls/p_install.o \
-                  src/modules/exploit_detection/syscalls/p_search_binary_handler/p_search_binary_handler.o \
+                  src/modules/exploit_detection/syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.o \
+                  src/modules/exploit_detection/syscalls/exec/p_security_bprm_committed_creds/p_security_bprm_committed_creds.o \
                   src/modules/exploit_detection/syscalls/p_call_usermodehelper/p_call_usermodehelper.o \
                   src/modules/exploit_detection/syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.o \
                   src/modules/exploit_detection/syscalls/p_do_exit/p_do_exit.o \

diff --git a/src/modules/exploit_detection/p_exploit_detection.c b/src/modules/exploit_detection/p_exploit_detection.c
@@ -42,13 +42,17 @@ static const struct p_functions_hooks {
 
 } p_functions_hooks_array[] = {
    {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5,8,0)
-     "search_binary_handler",
-#else
-     "do_execveat_common",
-#endif
-     p_install_search_binary_handler_hook,
-     p_uninstall_search_binary_handler_hook,
+     "security_bprm_committing_creds",
+     p_install_security_bprm_committing_creds_hook,
+     p_uninstall_security_bprm_committing_creds_hook,
+     1,
+     NULL,
+     1
+   },
+   {
+     "security_bprm_committed_creds",
+     p_install_security_bprm_committed_creds_hook,
+     p_uninstall_security_bprm_committed_creds_hook,
      1,
      NULL,
      1
@@ -593,15 +597,10 @@ struct p_lkrg_debug_off_flag_callers {
    { 34, "p_seccomp_ret" },
    { 35, "p_set_current_groups_entry" },
    { 36, "p_set_current_groups_ret" },
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5,8,0)
-   { 37, "p_search_binary_handler_entry" },
-   { 38, "p_search_binary_handler_ret" },
-#else
-   { 37, "p_do_execveat_common_entry" },
-   { 38, "p_do_execveat_common_ret" },
-#endif
+   { 37, "p_security_bprm_committing_creds_entry" },
+   { 38, "RESERVED" },
    { 39, "RESERVED" },
-   { 40, "RESERVED" },
+   { 40, "p_security_bprm_committed_creds_ret" },
    { 41, "p_sys_setfsgid_entry" },
    { 42, "p_sys_setfsgid_ret" },
    { 43, "p_sys_setfsuid_entry" },

diff --git a/src/modules/exploit_detection/p_exploit_detection.h b/src/modules/exploit_detection/p_exploit_detection.h
@@ -280,7 +280,8 @@ struct p_ed_global_variables {
 
 #include "p_rb_ed_trees/p_rb_ed_pids/p_rb_ed_pids_tree.h"
 #include "syscalls/p_install.h"
-#include "syscalls/p_search_binary_handler/p_search_binary_handler.h"
+#include "syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.h"
+#include "syscalls/exec/p_security_bprm_committed_creds/p_security_bprm_committed_creds.h"
 #include "syscalls/p_call_usermodehelper/p_usermode_kernel_dep.h"
 #include "syscalls/p_call_usermodehelper/p_call_usermodehelper.h"
 #include "syscalls/p_call_usermodehelper_exec/p_call_usermodehelper_exec.h"

diff --git a/..._binary_handler/p_search_binary_handler.c → ...d_creds/p_security_bprm_committed_creds.c b/..._binary_handler/p_search_binary_handler.c → ...d_creds/p_security_bprm_committed_creds.c
@@ -12,35 +12,34 @@
  *  - None
  *
  * Timeline:
+ *  - 18.I.2021:   Replace one 'search_binary_handler' hook with two
+ *                 independent one to reduce the race window while
+ *                 the process is not being verified
  *  - 28.XII.2020: Replace various execve syscall hooks with one hook
  *                 of the function 'search_binary_handler'
- *  - Created: 18.IX.2017
+ *  - Created:     18.IX.2017
  *
  * Author:
  *  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
  *
  */
 
-#include "../../../../p_lkrg_main.h"
+#include "../../../../../p_lkrg_main.h"
 
 
-char p_search_binary_handler_kretprobe_state = 0;
+char p_security_bprm_committed_creds_kretprobe_state = 0;
 
-static struct kretprobe p_search_binary_handler_kretprobe = {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5,8,0)
-    .kp.symbol_name = "search_binary_handler",
-#else
-    .kp.symbol_name = "do_execveat_common",
-#endif
-    .handler = p_search_binary_handler_ret,
-    .entry_handler = p_search_binary_handler_entry,
-    .data_size = sizeof(struct p_search_binary_handler_data),
+static struct kretprobe p_security_bprm_committed_creds_kretprobe = {
+    .kp.symbol_name = "security_bprm_committed_creds",
+    .handler = p_security_bprm_committed_creds_ret,
+    .entry_handler = NULL,
+    .data_size = sizeof(struct p_security_bprm_committed_creds_data),
     /* Probe up to 40 instances concurrently. */
     .maxactive = 40,
 };
 
 
-struct inode *p_get_inode_from_task(struct task_struct *p_arg) {
+notrace struct inode *p_get_inode_from_task(struct task_struct *p_arg) {
 
    struct mm_struct *p_mm;
    struct inode *p_inode = NULL;
@@ -74,29 +73,7 @@ struct inode *p_get_inode_from_task(struct task_struct *p_arg) {
    return p_inode;
 }
 
-int p_search_binary_handler_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
-
-   struct p_ed_process *p_tmp;
-   unsigned long p_flags;
-
-   p_ed_enforce_validation();
-
-   p_tasks_write_lock(&p_flags);
-   if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(current))) != NULL) {
-      p_verify_addr_limit(p_tmp, current);
-#ifdef P_LKRG_TASK_OFF_DEBUG
-      p_debug_off_flag_override_off(p_tmp, 37, p_regs);
-#endif
-      // This process is on the ED list - set temporary 'disable' flag!
-      p_set_ed_process_override_off(p_tmp);
-   }
-   p_tasks_write_unlock(&p_flags);
-
-   return 0;
-}
-
-
-int p_search_binary_handler_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
+notrace int p_security_bprm_committed_creds_ret(struct kretprobe_instance *ri, struct pt_regs *p_regs) {
 
 //   struct inode *p_inode;
    struct p_ed_process *p_tmp;
@@ -120,14 +97,14 @@ int p_search_binary_handler_ret(struct kretprobe_instance *ri, struct pt_regs *p
          p_print_log(P_LKRG_INFO, "Updating ED pid[%d]\n",task_pid_nr(current));
          p_update_ed_process(p_tmp, current, 1);
 #ifdef P_LKRG_TASK_OFF_DEBUG
-         p_debug_off_flag_reset(p_tmp, 38);
+         p_debug_off_flag_reset(p_tmp, 40);
 #endif
          p_reset_ed_flags(p_tmp);
       } else {
 #ifdef P_LKRG_TASK_OFF_DEBUG
-         p_debug_off_flag_override_on(p_tmp, 38, p_regs);
+         p_debug_off_flag_on(p_tmp, 40);
 #endif
-         p_set_ed_process_override_on(p_tmp);
+         p_set_ed_process_on(p_tmp);
       }
    }
    p_tasks_write_unlock(&p_flags);
@@ -137,5 +114,4 @@ int p_search_binary_handler_ret(struct kretprobe_instance *ri, struct pt_regs *p
    return 0;
 }
 
-
-GENERATE_INSTALL_FUNC(search_binary_handler)
+GENERATE_INSTALL_FUNC(security_bprm_committed_creds)
diff --git a/...detection/syscalls/exec/p_security_bprm_committed_creds/p_security_bprm_committed_creds.h b/...detection/syscalls/exec/p_security_bprm_committed_creds/p_security_bprm_committed_creds.h
@@ -0,0 +1,45 @@
+/*
+ * pi3's Linux kernel Runtime Guard
+ *
+ * Component:
+ *  - Intercept 'security_bprm_committed_creds' syscall
+ *
+ * Notes:
+ *  - We are maintianing Red-Black tree of pid's for Exploit Detection feature.
+ *    When process calls execve, we need to update RB tree.
+ *
+ * Caveats:
+ *  - None
+ *
+ * Timeline:
+ *  - 18.I.2021:   Replace one 'search_binary_handler' hook with two
+ *                 independent one to reduce the race window while
+ *                 the process is not being verified
+ *  - 28.XII.2020: Replace various execve syscall hooks with one hook
+ *                 of the function 'search_binary_handler'
+ *  - Created:     18.IX.2017
+ *
+ * Author:
+ *  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+ *
+ */
+
+#ifndef P_LKRG_EXPLOIT_DETECTION_SECURITY_BPRM_COMMITTED_CREDS_H
+#define P_LKRG_EXPLOIT_DETECTION_SECURITY_BPRM_COMMITTED_CREDS_H
+
+#define P_MAX_PATH PATH_MAX + 0x20 /* For weirdos used by d_path */
+
+
+/* per-instance private data */
+struct p_security_bprm_committed_creds_data {
+    ktime_t entry_stamp;
+};
+
+
+struct inode *p_get_inode_from_task(struct task_struct *p_arg);
+
+int p_security_bprm_committed_creds_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
+int p_install_security_bprm_committed_creds_hook(int p_isra);
+void p_uninstall_security_bprm_committed_creds_hook(void);
+
+#endif
diff --git a/...tection/syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.c b/...tection/syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.c
@@ -0,0 +1,63 @@
+/*
+ * pi3's Linux kernel Runtime Guard
+ *
+ * Component:
+ *  - Intercept 'search_binary_handler' syscall
+ *
+ * Notes:
+ *  - We are maintianing Red-Black tree of pid's for Exploit Detection feature.
+ *    When process calls execve, we need to update RB tree.
+ *
+ * Caveats:
+ *  - None
+ *
+ * Timeline:
+ *  - 18.I.2021:   Replace one 'search_binary_handler' hook with two
+ *                 independent one to reduce the race window while
+ *                 the process is not being verified
+ *  - 28.XII.2020: Replace various execve syscall hooks with one hook
+ *                 of the function 'search_binary_handler'
+ *  - Created:     18.IX.2017
+ *
+ * Author:
+ *  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+ *
+ */
+
+#include "../../../../../p_lkrg_main.h"
+
+
+char p_security_bprm_committing_creds_kretprobe_state = 0;
+
+static struct kretprobe p_security_bprm_committing_creds_kretprobe = {
+    .kp.symbol_name = "security_bprm_committing_creds",
+    .handler = NULL,
+    .entry_handler = p_security_bprm_committing_creds_entry,
+    .data_size = sizeof(struct p_security_bprm_committing_creds_data),
+    /* Probe up to 40 instances concurrently. */
+    .maxactive = 40,
+};
+
+
+notrace int p_security_bprm_committing_creds_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs) {
+
+   struct p_ed_process *p_tmp;
+   unsigned long p_flags;
+
+   p_ed_enforce_validation();
+
+   p_tasks_write_lock(&p_flags);
+   if ( (p_tmp = p_find_ed_by_pid(task_pid_nr(current))) != NULL) {
+      p_verify_addr_limit(p_tmp, current);
+#ifdef P_LKRG_TASK_OFF_DEBUG
+      p_debug_off_flag_off(p_tmp, 37);
+#endif
+      // This process is on the ED list - set temporary 'disable' flag!
+      p_set_ed_process_off(p_tmp);
+   }
+   p_tasks_write_unlock(&p_flags);
+
+   return 0;
+}
+
+GENERATE_INSTALL_FUNC(security_bprm_committing_creds)
diff --git a/...tection/syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.h b/...tection/syscalls/exec/p_security_bprm_committing_creds/p_security_bprm_committing_creds.h
@@ -0,0 +1,39 @@
+/*
+ * pi3's Linux kernel Runtime Guard
+ *
+ * Component:
+ *  - Intercept 'security_bprm_committing_creds' syscall
+ *
+ * Notes:
+ *  - We are maintianing Red-Black tree of pid's for Exploit Detection feature.
+ *    When process calls execve, we need to update RB tree.
+ *
+ * Caveats:
+ *  - None
+ *
+ * Timeline:
+ *  - 18.I.2021:   Replace one 'search_binary_handler' hook with two
+ *                 independent one to reduce the race window while
+ *                 the process is not being verified
+ *  - 28.XII.2020: Replace various execve syscall hooks with one hook
+ *                 of the function 'search_binary_handler'
+ *  - Created:     18.IX.2017
+ *
+ * Author:
+ *  - Adam 'pi3' Zabrocki (http://pi3.com.pl)
+ *
+ */
+
+#ifndef P_LKRG_EXPLOIT_DETECTION_SECURITY_BPRM_COMMITTING_CREDS_H
+#define P_LKRG_EXPLOIT_DETECTION_SECURITY_BPRM_COMMITTING_CREDS_H
+
+/* per-instance private data */
+struct p_security_bprm_committing_creds_data {
+    ktime_t entry_stamp;
+};
+
+int p_security_bprm_committing_creds_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
+int p_install_security_bprm_committing_creds_hook(int p_isra);
+void p_uninstall_security_bprm_committing_creds_hook(void);
+
+#endif
diff --git a/src/modules/exploit_detection/syscalls/p_search_binary_handler/p_search_binary_handler.h b/src/modules/exploit_detection/syscalls/p_search_binary_handler/p_search_binary_handler.h
diff --git a/src/modules/print_log/p_lkrg_debug_log.c b/src/modules/print_log/p_lkrg_debug_log.c
@@ -124,7 +124,8 @@ static struct p_addr_name {
    P_LKRG_DEBUG_RULE_KPROBE(p_ovl_create_or_link),
    P_LKRG_DEBUG_RULE_KPROBE(p_revert_creds),
    P_LKRG_DEBUG_RULE_KPROBE(p_override_creds),
-   P_LKRG_DEBUG_RULE_KPROBE(p_search_binary_handler),
+   P_LKRG_DEBUG_RULE_KPROBE(security_bprm_committing_creds),
+   P_LKRG_DEBUG_RULE_KPROBE(security_bprm_committed_creds),
    P_LKRG_DEBUG_RULE_KPROBE(p_sys_setresuid),
    P_LKRG_DEBUG_RULE_KPROBE(p_sys_keyctl),
    P_LKRG_DEBUG_RULE_KPROBE(p_key_change_session_keyring),