Re: Query regarding kernel modules intercepting system call.
On 09.07.2017 12:06, Lino Sanfilippo wrote:
> Hi,
>
> On 08.07.2017 17:38, Ajinkya Surnis wrote:
>> The purpose of assignment is to check the authenticity of the user
>> executing the system call, and prevent certain users from executing, kind
>> of like certain security programs (although I don't exactly know how they
>> work).
>>
>
> I suggest to take a look at "fanotify", which offers you the possibility
> to intercept open() calls at VFS level and also provides you with the
> user/group id of the file accessing process.
>

Actually you are provided the file descriptor of the accessed file and the
pid of the accessing process. But it is not too hard to derive access rights
(e.g. via stat() or fstat()) from these.

Regards,
Lino

___
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
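The fanotify route Lino describes above (gate open() at the VFS level, take the pid the event carries, derive the caller's uid with stat()), worked through as an added example; this is not code from the thread or from any of its participants. The deny list, the default mount path and the uid values are constructed for illustration.

```c
/* Added example, not code from the thread: a userspace open() gate built on
 * fanotify, along the lines of Lino's suggestion. The deny list and watched
 * mount are constructed. Needs CAP_SYS_ADMIN and CONFIG_FANOTIFY_ACCESS_PERMISSIONS. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/fanotify.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed policy: uids that must not open files under the watched mount. */
static const uid_t denied_uids[] = { 60001, 60002 };

/* Returns 1 if the uid may open the file, 0 if it is on the deny list. */
int policy_allows(uid_t uid)
{
    for (size_t i = 0; i < sizeof denied_uids / sizeof denied_uids[0]; i++)
        if (denied_uids[i] == uid)
            return 0;
    return 1;
}

/* fanotify reports only the pid; derive the uid as Lino describes, via stat()
 * on /proc/<pid>, whose owner is the process's effective uid (root if the
 * process is not dumpable). Returns -1 if the process already exited. */
long uid_of_pid(pid_t pid)
{
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%d", (int)pid);
    return stat(path, &st) == 0 ? (long)st.st_uid : -1;
}

/* Decide one FAN_OPEN_PERM event. Fail closed: a caller that cannot be
 * identified (it raced with exit) is denied rather than guessed at. */
unsigned int verdict_for(pid_t pid)
{
    long uid = uid_of_pid(pid);
    return (uid < 0 || !policy_allows((uid_t)uid)) ? FAN_DENY : FAN_ALLOW;
}

int main(int argc, char **argv)
{
    const char *mount = argc > 1 ? argv[1] : "/home";    /* assumed target */
    char buf[8192];
    ssize_t len;
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);

    if (fan < 0 || fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM,
                                 AT_FDCWD, mount) < 0) {
        perror("fanotify");
        return 1;
    }
    while ((len = read(fan, buf, sizeof buf)) > 0) {
        struct fanotify_event_metadata *md = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(md, len); md = FAN_EVENT_NEXT(md, len)) {
            if (md->vers != FANOTIFY_METADATA_VERSION || md->fd < 0)
                continue;
            if (md->mask & FAN_OPEN_PERM) {
                struct fanotify_response r = { .fd = md->fd, .response = verdict_for(md->pid) };
                if (write(fan, &r, sizeof r) < 0)
                    perror("fanotify response");
            }
            close(md->fd);   /* the event fd pins the file until we close it */
        }
    }
    return 0;
}
```

FAN_OPEN_PERM gates the open() only: a descriptor that a permitted process hands across exec(), the gap Valdis raises elsewhere in this thread, is never seen here, so a policy that must cover later reads would mark FAN_ACCESS_PERM as well.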
Re: Query regarding kernel modules intercepting system call.
Hi,

On 08.07.2017 17:38, Ajinkya Surnis wrote:
> The purpose of assignment is to check the authenticity of the user
> executing the system call, and prevent certain users from executing, kind
> of like certain security programs (although I don't exactly know how they
> work).
>

I suggest to take a look at "fanotify", which offers you the possibility to
intercept open() calls at VFS level and also provides you with the
user/group id of the file accessing process.

Regards,
Lino
Re: Query regarding kernel modules intercepting system call.
On Sat, 08 Jul 2017 21:08:40 +0530, Ajinkya Surnis said:
> The purpose of assignment is to check the authenticity of the user
> executing the system call, and prevent certain users from executing, kind
> of like certain security programs (although I don't exactly know how they
> work).

The only hint I'll give you is that way back in April 2005, we added a
rather extensive API for exactly this purpose, and that almost every single
major distribution uses this API for one of several major packages. Maybe
you should find out "exactly how they work" :)

And now the bad news: If you didn't *already* know that, you're almost
certainly not qualified to write security code for the Linux environment.
(I admit that if I was the interviewer, and the *immediate* answer hadn't
been "Why should I intercept syscalls when I could do XYZ?", that would be
in my mind an instant "not qualified"). Security coding done correctly is a
lot harder than it looks. For example, consider intercepting that open()
syscall. What happens if one program opens the file and isn't stopped by
your intercept - and it then passes the open file descriptor across an
exec() system call to a cooperating malicious process?

The other possibility is that the interviewer didn't know about XYZ either -
in which case you *DO NOT* want to work there. Trust me on this. :)
Re: Query regarding kernel modules intercepting system call.
On Sat, Jul 8, 2017 at 2:19 PM, Ajinkya Surnis wrote:
> Hello Aruna,
>
> Thanks a lot for your help.
>

You're welcome, and it is advisable not to top post when replying. Since
you're new this is to be expected. But in future please do not, it will
likely upset a lot of folks here who have the experience and knowledge to
help you. You need them, I need them, so best never again to top post.

> I'm aware that a single kernel module will accomplish syscall interception.
> In fact, I submitted my solution to the interviewers. Here's my source
> code:
>
> https://github.com/Ajinkya-Veritas/Test-Module/blob/master/testmod.c
>
> However, the interviewer had done a weird scenario where he created two
> modules from same code. (mod1 and mod2) So obviously, they would intercept
> same system call. After loading those modules and unloading them in same
> order caused panic, which I described in detail initially.
> My goal is to avoid panic, but couldn't find out how.
>

It is difficult to provide guidance without actually looking at the two
'weird' modules but what I would do is
EXPORT_SYMBOL(check_if_original_mod1_is_loaded) then test against that? If
it is available you use original_open2, if not available you fall back to
open1? This may not be the correct way or linux way but if it works why not?
You can always ask here again... why not post the two modules and see if
some one can identify where and what is causing the kernel to panic?

I would also get on IRC and join #kernelnewbies, you get real time answers
most times and you get access to some of the most experienced folks there.
Who believe it or not are extremely patient and helpful with newbies :)

> Thanks,
> Ajinkya.
>
> On Sat, Jul 8, 2017 at 11:36 PM, Aruna Hewapathirane <
> aruna.hewapathir...@gmail.com> wrote:
>
>> Hello Ajinkya,
>>
>> On Sat, Jul 8, 2017 at 12:14 PM, Greg KH wrote:
>>
>>> On Sat, Jul 08, 2017 at 09:38:52PM +0530, Ajinkya Surnis wrote:
>>>> Actually, this is not a college assignment. I'm a professional software
>>>> engineer who is completely new to kernel programming.
>>
>> Welcome to the world of kernel hacking and speaking the 'truth' and being
>> 'honest' does have its benefits as you will see soon :)
>>
>>>> I recently gave an interview to one cloud security firm. The
>>>> interviewer gave me this particular assignment, since this kind of
>>>> functionality is needed in their software.
>>
>> Wish you good luck with the job!
>>
>>>> Now I'm aware that the approach I have (syscall interception) is wrong.
>>>> But I also need to find out alternate mechanism to achieve my goal.
>>>> I searched really hard, but got nothing.
>>
>> Go through the link below very carefully, you do not require two modules.
>> One single module that intercepts a syscall and does what you have to
>> do.. please do pay careful attention to the comments within the code!
>>
>> https://github.com/jvns/kernel-module-fun/blob/master/rickroll.c
>>
>>> So it's a programming test to get a job? That's worse than trying to
>>> cheat on an exam, as it would mean that I pass the test, not you :(
>>
>> Though I agree 110% with gregkh 'I' also have been where Ajinkya is
>> coming from so many times. I have been there, done that too many times to
>> walk away now so.. I understand the man's pain and frustration.
>> So against my better judgement I have given him something which, if he
>> studies carefully, will help him to do what it is he must.
>>
>>> good luck!
>>>
>>> greg k-h
>>
>> Greg, he told us the plain truth and all he wants is some guidance. If I
>> am out of line you can bust me as usual on IRC! How does telling the
>> simple and plain 'truth' equate to 'cheating'? Duhh...
>>
>> Good luck, hope this helps - Aruna
Re: Query regarding kernel modules intercepting system call.
Hello Aruna,

Thanks a lot for your help.

I'm aware that a single kernel module will accomplish syscall interception.
In fact, I submitted my solution to the interviewers. Here's my source code:

https://github.com/Ajinkya-Veritas/Test-Module/blob/master/testmod.c

However, the interviewer had done a weird scenario where he created two
modules from same code. (mod1 and mod2) So obviously, they would intercept
same system call. After loading those modules and unloading them in same
order caused panic, which I described in detail initially.
My goal is to avoid panic, but couldn't find out how.

Thanks,
Ajinkya.

On Sat, Jul 8, 2017 at 11:36 PM, Aruna Hewapathirane <
aruna.hewapathir...@gmail.com> wrote:
> Hello Ajinkya,
>
> On Sat, Jul 8, 2017 at 12:14 PM, Greg KH wrote:
>
>> On Sat, Jul 08, 2017 at 09:38:52PM +0530, Ajinkya Surnis wrote:
>>> Actually, this is not a college assignment. I'm a professional software
>>> engineer who is completely new to kernel programming.
>
> Welcome to the world of kernel hacking and speaking the 'truth' and being
> 'honest' does have its benefits as you will see soon :)
>
>>> I recently gave an interview to one cloud security firm. The
>>> interviewer gave me this particular assignment, since this kind of
>>> functionality is needed in their software.
>
> Wish you good luck with the job!
>
>>> Now I'm aware that the approach I have (syscall interception) is wrong.
>>> But I also need to find out alternate mechanism to achieve my goal.
>>> I searched really hard, but got nothing.
>
> Go through the link below very carefully, you do not require two modules.
> One single module that intercepts a syscall and does what you have to do..
> please do pay careful attention to the comments within the code!
>
> https://github.com/jvns/kernel-module-fun/blob/master/rickroll.c
>
>> So it's a programming test to get a job? That's worse than trying to
>> cheat on an exam, as it would mean that I pass the test, not you :(
>
> Though I agree 110% with gregkh 'I' also have been where Ajinkya is coming
> from so many times. I have been there, done that too many times to walk
> away now so.. I understand the man's pain and frustration.
> So against my better judgement I have given him something which, if he
> studies carefully, will help him to do what it is he must.
>
>> good luck!
>>
>> greg k-h
>
> Greg, he told us the plain truth and all he wants is some guidance. If I
> am out of line you can bust me as usual on IRC! How does telling the simple
> and plain 'truth' equate to 'cheating'? Duhh...
>
> Good luck, hope this helps - Aruna
Re: Query regarding kernel modules intercepting system call.
Hello Ajinkya,

On Sat, Jul 8, 2017 at 12:14 PM, Greg KH wrote:
> On Sat, Jul 08, 2017 at 09:38:52PM +0530, Ajinkya Surnis wrote:
>> Actually, this is not a college assignment. I'm a professional software
>> engineer who is completely new to kernel programming.

Welcome to the world of kernel hacking and speaking the 'truth' and being
'honest' does have its benefits as you will see soon :)

>> I recently gave an interview to one cloud security firm. The interviewer
>> gave me this particular assignment, since this kind of functionality is
>> needed in their software.

Wish you good luck with the job!

>> Now I'm aware that the approach I have (syscall interception) is wrong.
>> But I also need to find out alternate mechanism to achieve my goal.
>> I searched really hard, but got nothing.

Go through the link below very carefully, you do not require two modules.
One single module that intercepts a syscall and does what you have to do..
please do pay careful attention to the comments within the code!

https://github.com/jvns/kernel-module-fun/blob/master/rickroll.c

> So it's a programming test to get a job? That's worse than trying to
> cheat on an exam, as it would mean that I pass the test, not you :(

Though I agree 110% with gregkh 'I' also have been where Ajinkya is coming
from so many times. I have been there, done that too many times to walk
away now so.. I understand the man's pain and frustration.
So against my better judgement I have given him something which, if he
studies carefully, will help him to do what it is he must.

> good luck!
>
> greg k-h

Greg, he told us the plain truth and all he wants is some guidance. If I am
out of line you can bust me as usual on IRC! How does telling the simple and
plain 'truth' equate to 'cheating'? Duhh...

Good luck, hope this helps - Aruna
Re: Query regarding kernel modules intercepting system call.
On Sat, Jul 08, 2017 at 09:38:52PM +0530, Ajinkya Surnis wrote:
> Actually, this is not a college assignment. I'm a professional software
> engineer who is completely new to kernel programming.
> I recently gave an interview to one cloud security firm. The interviewer gave
> me this particular assignment, since this kind of functionality is needed in
> their software.
> Now I'm aware that the approach I have (syscall interception) is wrong.
> But I also need to find out alternate mechanism to achieve my goal.
> I searched really hard, but got nothing.

So it's a programming test to get a job? That's worse than trying to
cheat on an exam, as it would mean that I pass the test, not you :(

good luck!

greg k-h
Re: Query regarding kernel modules intercepting system call.
Actually, this is not a college assignment. I'm a professional software
engineer who is completely new to kernel programming.
I recently gave an interview to one cloud security firm. The interviewer gave
me this particular assignment, since this kind of functionality is needed in
their software.
Now I'm aware that the approach I have (syscall interception) is wrong.
But I also need to find out alternate mechanism to achieve my goal.
I searched really hard, but got nothing.

Thanks,
Ajinkya.

On Sat, Jul 8, 2017 at 9:34 PM, Greg KH wrote:
> On Sat, Jul 08, 2017 at 09:08:40PM +0530, Ajinkya Surnis wrote:
>> The purpose of assignment is to check the authenticity of the user executing
>> the system call, and prevent certain users from executing, kind of like
>> certain security programs (although I don't exactly know how they work).
>
> Then that's a totally different thing.
>
> Don't hook a syscall for this at all.
>
> There is a better way, and a correct one, but as this is a homework
> assignment, and I'm not the one getting credit for the assignment, I'm
> not going to spell it out how to do it, sorry. Otherwise you would get
> in trouble.
>
> Actually, are you sure you are allowed to ask for help for your
> assignment from others in the first place? Most schools have rules
> about stuff like this...
>
> greg k-h
Re: Query regarding kernel modules intercepting system call.
On Sat, Jul 08, 2017 at 09:08:40PM +0530, Ajinkya Surnis wrote:
> The purpose of assignment is to check the authenticity of the user executing
> the system call, and prevent certain users from executing, kind of like
> certain security programs (although I don't exactly know how they work).

Then that's a totally different thing.

Don't hook a syscall for this at all.

There is a better way, and a correct one, but as this is a homework
assignment, and I'm not the one getting credit for the assignment, I'm
not going to spell it out how to do it, sorry. Otherwise you would get
in trouble.

Actually, are you sure you are allowed to ask for help for your
assignment from others in the first place? Most schools have rules
about stuff like this...

greg k-h
Re: Query regarding kernel modules intercepting system call.
The purpose of assignment is to check the authenticity of the user executing
the system call, and prevent certain users from executing, kind of like
certain security programs (although I don't exactly know how they work).

On Sat, Jul 8, 2017 at 8:50 PM, Greg KH wrote:
> On Sat, Jul 08, 2017 at 07:53:31PM +0530, Ajinkya Surnis wrote:
>> Actually, I've been given an assignment to write a kernel module such that
>> whenever a certain system call (e.g. open()) is executed, the control should
>> come to my new module; then it will do some processing on the parameters and
>> then call the actual syscall function (sys_open()).
>
> Horrible assignment, please pass along my regards to the professor that
> this is not anything that should ever be assigned. Seriously, do you
> want me to email them this?
>
>> I only found the way of intercepting 'sys_call_table'. I know this kind of
>> hacking is probably not a good idea.
>> Can you suggest any alternative way?
>> I would really appreciate.
>
> Don't do it.
>
> Really, this is not a valid thing to do in Linux.
>
> Feel free to quote me.
>
> Also, the assignment said nothing about 2 modules, so are you sure you
> are even doing this right? :)
>
> thanks,
>
> greg k-h
Re: Query regarding kernel modules intercepting system call.
On Sat, Jul 08, 2017 at 07:53:31PM +0530, Ajinkya Surnis wrote:
> Actually, I've been given an assignment to write a kernel module such that
> whenever a certain system call (e.g. open()) is executed, the control should
> come to my new module; then it will do some processing on the parameters and
> then call the actual syscall function (sys_open()).

Horrible assignment, please pass along my regards to the professor that
this is not anything that should ever be assigned. Seriously, do you
want me to email them this?

> I only found the way of intercepting 'sys_call_table'. I know this kind of
> hacking is probably not a good idea.
> Can you suggest any alternative way?
> I would really appreciate.

Don't do it.

Really, this is not a valid thing to do in Linux.

Feel free to quote me.

Also, the assignment said nothing about 2 modules, so are you sure you
are even doing this right? :)

thanks,

greg k-h
Re: Query regarding kernel modules intercepting system call.
Actually, I've been given an assignment to write a kernel module such that
whenever a certain system call (e.g. open()) is executed, the control should
come to my new module; then it will do some processing on the parameters and
then call the actual syscall function (sys_open()).
I only found the way of intercepting 'sys_call_table'. I know this kind of
hacking is probably not a good idea.
Can you suggest any alternative way?
I would really appreciate.

Thanks,
Ajinkya.

On Sat, Jul 8, 2017 at 7:43 PM, Greg KH wrote:
> On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:
>> Hi guys,
>>
>> I'm new to kernelnewbies and this is my first question in the list.
>>
>> I'm working on system call interception (for open() system call) and I got one
>> problem: I have two kernel modules (mod1 and mod2) and both of them are trying
>> to intercept open() syscall. I've loaded mod1 first and then mod2.
>> The mod1 intercepted open() by:
>>
>>     original_open1 = sys_call_table[__NR_open];
>>     sys_call_table[__NR_open] = mod1_open;
>>
>> Here original_open1 would be sys_open. After this, mod2 intercepted open() by:
>>
>>     original_open2 = sys_call_table[__NR_open];
>>     sys_call_table[__NR_open] = mod2_open;
>
> Eeek! First off, don't do this, you are seeing why you should not do
> this already, no need to have to explain in detail why this is a bad
> thing :)
>
>> problem is: Suppose I unload mod1 first and open() system call gets executed,
>> then mod2_open() would get called, which ultimately calls mod1_open().
>>
>> Since mod1 is already unloaded, calling mod1_open() caused panic (since the
>> function pointer is no longer a valid memory region).
>>
>> I need some mechanism to avoid this problem. Basically, I want a solution which
>> facilitates loading/unloading the modules (which intercept same syscall) in any
>> random order without causing any panic.
>
> Why do you feel you wish to grab the system call in the first place?
> What problem are you trying to solve where this is the only solution?
>
>> Is there some kind of facility such that while unloading the module (`mod2`
>> here), the module will broadcast the message to all other modules that it's
>> being unloaded and instead of referring to `original_open2()` the other modules
>> should use `original_open1()`.
>
> Nope, don't try to grab syscalls, it's a bad idea, and you get to keep
> the pieces your kernel will be in when things die (and they will die...)
>
> sorry,
>
> greg k-h
Re: Query regarding kernel modules intercepting system call.
On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:
> Hi guys,
>
> I'm new to kernelnewbies and this is my first question in the list.
>
> I'm working on system call interception (for open() system call) and I got one
> problem: I have two kernel modules (mod1 and mod2) and both of them are trying
> to intercept open() syscall. I've loaded mod1 first and then mod2.
> The mod1 intercepted open() by:
>
>     original_open1 = sys_call_table[__NR_open];
>     sys_call_table[__NR_open] = mod1_open;
>
> Here original_open1 would be sys_open. After this, mod2 intercepted open() by:
>
>     original_open2 = sys_call_table[__NR_open];
>     sys_call_table[__NR_open] = mod2_open;

Eeek! First off, don't do this, you are seeing why you should not do
this already, no need to have to explain in detail why this is a bad
thing :)

> problem is: Suppose I unload mod1 first and open() system call gets executed,
> then mod2_open() would get called, which ultimately calls mod1_open().
>
> Since mod1 is already unloaded, calling mod1_open() caused panic (since the
> function pointer is no longer a valid memory region).
>
> I need some mechanism to avoid this problem. Basically, I want a solution
> which facilitates loading/unloading the modules (which intercept same
> syscall) in any random order without causing any panic.

Why do you feel you wish to grab the system call in the first place?
What problem are you trying to solve where this is the only solution?

> Is there some kind of facility such that while unloading the module (`mod2`
> here), the module will broadcast the message to all other modules that it's
> being unloaded and instead of referring to `original_open2()` the other modules
> should use `original_open1()`.

Nope, don't try to grab syscalls, it's a bad idea, and you get to keep
the pieces your kernel will be in when things die (and they will die...)

sorry,

greg k-h