Re: Query regarding kernel modules intercepting system call.

2017-07-09 Thread Lino Sanfilippo
On 09.07.2017 12:06, Lino Sanfilippo wrote:
> Hi,
> 
> On 08.07.2017 17:38, Ajinkya Surnis wrote:
>> The purpose of the assignment is to check the authenticity of the user
>> executing the system call, and prevent certain users from executing, kind
>> of like certain security programs (although I don't exactly know how they
>> work).
>>
> 
> I suggest to take a look at "fanotify", which offers you the possibility
> to intercept open() calls at VFS level and also provides you with the
> user/group id of the file accessing process.
> 

Actually you are provided the file descriptor of the accessed file and the
pid of the accessing process. But it is not too hard to derive access rights
(e.g. via stat() or fstat()) from these. 

Regards,
Lino

___
Kernelnewbies mailing list
Kernelnewbies@kernelnewbies.org
https://lists.kernelnewbies.org/mailman/listinfo/kernelnewbies
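Lino's outline above (intercept open() at VFS level with fanotify, take the pid and the file descriptor from the event, derive access rights with stat()/fstat()) carried through as an added example; it is not code from the thread or from any of the modules linked in it. It assumes Linux with fanotify permission events and CAP_SYS_ADMIN. The block list of uids, the policy (a listed uid may not open regular files it does not own), and the names `policy_allows`, `uid_of_pid` and `run_gate` are all constructed for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/fanotify.h>
#endif

/* Constructed block list for this example: uids that may not open regular
 * files they do not own. A real deployment would load this from config. */
static const uid_t BLOCKED_UIDS[] = { 1001, 1002 };
#define N_BLOCKED (sizeof BLOCKED_UIDS / sizeof BLOCKED_UIDS[0])

/* Pure policy, kept apart from fanotify so it can be unit-tested: returns 1
 * to allow the open, 0 to deny it. The inputs are the accessing process's
 * uid and the opened file's owner and mode, i.e. what stat()/fstat() give
 * us per Lino's suggestion. */
int policy_allows(uid_t uid, uid_t file_owner, mode_t file_mode)
{
    if (!S_ISREG(file_mode))      /* directories, devices etc. are not gated */
        return 1;
    if (uid == file_owner)        /* a user may always open their own files */
        return 1;
    for (size_t i = 0; i < N_BLOCKED; i++)
        if (uid == BLOCKED_UIDS[i])
            return 0;
    return 1;
}

/* fanotify reports a pid, not a uid. /proc/<pid> is owned by the process's
 * effective uid (a non-dumpable process shows up root-owned, so it is
 * treated as root here). fanotify never reports the listener's own opens,
 * so this stat() cannot feed back into the queue. */
int uid_of_pid(pid_t pid, uid_t *uid)
{
    char path[32];
    struct stat st;
    snprintf(path, sizeof path, "/proc/%ld", (long)pid);
    if (stat(path, &st) != 0)
        return -1;
    *uid = st.st_uid;
    return 0;
}

#ifdef __linux__
/* Event loop: FAN_OPEN_PERM parks the opener until we write a response. */
int run_gate(const char *mount_point)
{
    int fan = fanotify_init(FAN_CLOEXEC | FAN_CLASS_CONTENT, O_RDONLY | O_LARGEFILE);
    if (fan < 0) { perror("fanotify_init"); return 1; }
    if (fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM,
                      AT_FDCWD, mount_point) < 0) {
        perror("fanotify_mark"); return 1;
    }
    char buf[8192] __attribute__((aligned(8)));
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len < 0 && errno == EINTR) continue;
        if (len <= 0) { perror("read"); return 1; }
        struct fanotify_event_metadata *md = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(md, len); md = FAN_EVENT_NEXT(md, len)) {
            if (md->vers != FANOTIFY_METADATA_VERSION) {
                fprintf(stderr, "fanotify ABI mismatch\n"); return 1;
            }
            if (md->fd < 0) continue;          /* queue overflow: no file to act on */
            if (md->mask & FAN_OPEN_PERM) {
                struct fanotify_response resp = { .fd = md->fd, .response = FAN_ALLOW };
                struct stat st;
                uid_t uid;
                /* Default-deny when the process or the file cannot be identified. */
                if (uid_of_pid(md->pid, &uid) != 0 || fstat(md->fd, &st) != 0
                    || !policy_allows(uid, st.st_uid, st.st_mode))
                    resp.response = FAN_DENY;
                if (write(fan, &resp, sizeof resp) != sizeof resp)
                    perror("fanotify response");
            }
            close(md->fd);   /* every event carries an fd; not closing it leaks one per open */
        }
    }
}
#endif

int main(int argc, char **argv)
{
#ifdef __linux__
    if (argc != 2) { fprintf(stderr, "usage: %s <mount-point>\n", argv[0]); return 2; }
    return run_gate(argv[1]);   /* needs CAP_SYS_ADMIN */
#else
    (void)argc; (void)argv;
    fputs("fanotify is Linux-only\n", stderr);
    return 2;
#endif
}
```

Run it as root with the mount point to gate (for instance `./gate /home`). The decision is taken only at open time: as Valdis points out elsewhere in the thread, a descriptor obtained by a permitted process and then handed to another process is never re-checked by a gate like this, so it complements file permissions rather than replacing them.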


Re: Query regarding kernel modules intercepting system call.

2017-07-09 Thread Lino Sanfilippo
Hi,

On 08.07.2017 17:38, Ajinkya Surnis wrote:
> The purpose of the assignment is to check the authenticity of the user
> executing the system call, and prevent certain users from executing, kind
> of like certain security programs (although I don't exactly know how they
> work).
> 

I suggest to take a look at "fanotify", which offers you the possibility
to intercept open() calls at VFS level and also provides you with the
user/group id of the file accessing process.


Regards,
Lino




Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread valdis . kletnieks
On Sat, 08 Jul 2017 21:08:40 +0530, Ajinkya Surnis said:

> The purpose of the assignment is to check the authenticity of the user
> executing the system call, and prevent certain users from executing, kind
> of like certain security programs (although I don't exactly know how they
> work).

The only hint I'll give you is that way back in April 2005, we
added a rather extensive API for exactly this purpose, and that almost
every single major distribution uses this API for one of several major
packages.  Maybe you should find out "exactly how they work" :)

And now the bad news:  If you didn't *already* know that, you're almost
certainly not qualified to write security code for the Linux environment.
(I admit that if I was the interviewer, and the *immediate* answer hadn't
been "Why should I intercept syscalls when I could do XYZ?", that would
be in my mind an instant "not qualified").  Security coding done correctly
is a lot harder than it looks. For example, consider intercepting that 
open() syscall.  What happens if one program opens the file and isn't stopped
by your intercept - and it then passes the open file descriptor across
an exec() system call to a cooperating malicious process?

The other possibility is that the interviewer didn't know about XYZ
either - in which case you *DO NOT* want to work there.  Trust me on this. :)




Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Aruna Hewapathirane
On Sat, Jul 8, 2017 at 2:19 PM, Ajinkya Surnis  wrote:

> Hello Aruna,
>
> Thanks a lot for your help.
>

You're welcome, and it is advisable not to top post when replying. Since you're
new this is to be expected.
But in future please do not; it will likely upset a lot of folks here who have
the experience and knowledge to help you.
You need them, I need them, so best never again to top post.


> I'm aware that a single kernel module will accomplish syscall interception.
> In fact, I submitted my solution to the interviewers. Here's my source
> code:
>
> https://github.com/Ajinkya-Veritas/Test-Module/blob/master/testmod.c
>
> However, the interviewer had done a weird scenario where he created two
> modules from the same code (mod1 and mod2). So obviously, they would
> intercept the same system call. Loading those modules and then unloading
> them in the same order caused a panic, which I described in detail
> initially.
> My goal is to avoid the panic, but I couldn't find out how.
>

It is difficult to provide guidance without actually looking at the two
'weird' modules but what I would do is

EXPORT_SYMBOL(check_if_original_mod1_is_loaded) then test against that ?

If it is available you use original_open2 if not available you fall back to
open1 ?

This may not be the correct way or linux way but if it works why not ? You
can always ask here again... why not post the two modules and see if some
one can identify where and what is causing the kernel to panic ?

I would also get on IRC and join #kernelnewbies, you get real time answers
most times and you get access to some of the most experienced folks there.
Who believe it or not are extremely patient and helpful with newbies :)


>
> Thanks,
> Ajinkya.
>
>
> On Sat, Jul 8, 2017 at 11:36 PM, Aruna Hewapathirane <
> aruna.hewapathir...@gmail.com> wrote:
>
>> Hello Ajinkya,
>>
>> On Sat, Jul 8, 2017 at 12:14 PM, Greg KH  wrote:
>>
>>> On Sat, Jul 08, 2017 at 09:38:52PM +0530, Ajinkya Surnis wrote:
>>> > Actually, this is not a college assignment. I'm a professional software
>>> > engineer who is completely new to kernel programming.
>>>
>>
>> Welcome to the world of kernel hacking, and speaking the 'truth' and being
>> 'honest' does have its benefits as you will see soon :)
>>
>>
>>> > I recently gave an interview to one cloud security firm. The
>>> interviewer gave
>>> > me this particular assignment, since this kind of functionality is
>>> needed in
>>> > their software.
>>>
>>
>> Wish you good luck with the job !
>>
>>
>>> > Now I'm aware that the approach I have (syscall interception) is wrong.
>>> > But I also need to find out alternate mechanism to achieve my goal.
>>> > I searched really hard, but got nothing.
>>>
>>
>> Go through the link below very carefully, you do not require two modules.
>> One single module
>> that intercepts a syscall and does what you have to do.. please do pay
>> careful attention to the comments
>> within the code!
>>
>> https://github.com/jvns/kernel-module-fun/blob/master/rickroll.c
>>
>>
>>>
>>> So it's a programming test to get a job?  That's worse than trying to
>>> cheat on an exam, as it would mean that I pass the test, not you :(
>>>
>>
>> Though I agree 110% with gregkh, 'I' also have been where Ajinkya is
>> coming from so many times.
>> I have been there, done that too many times to walk away now so.. I
>> understand the man's pain and frustration.
>> So against my better judgement I have given him something which, if he
>> studies it carefully, will help him to do what it is he must.
>>
>>>
>>> good luck!
>>>
>>> greg k-h
>>>
>>>
>> Greg, he told us the plain truth and all he wants is some guidance. If I
>> am out of line you can bust me as usual on IRC ! How does telling the simple
>> and plain 'truth' equate to 'cheating'? Duhh...
>>
>> Good luck, hope this helps - Aruna
>>
>>
>>
>>
>>


Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Ajinkya Surnis
Hello Aruna,

Thanks a lot for your help.
I'm aware that a single kernel module will accomplish syscall interception.
In fact, I submitted my solution to the interviewers. Here's my source code:

https://github.com/Ajinkya-Veritas/Test-Module/blob/master/testmod.c

However, the interviewer had done a weird scenario where he created two
modules from the same code (mod1 and mod2). So obviously, they would intercept
the same system call. Loading those modules and then unloading them in the
same order caused a panic, which I described in detail initially.
My goal is to avoid the panic, but I couldn't find out how.

Thanks,
Ajinkya.


On Sat, Jul 8, 2017 at 11:36 PM, Aruna Hewapathirane <
aruna.hewapathir...@gmail.com> wrote:

> Hello Ajinkya,
>
> On Sat, Jul 8, 2017 at 12:14 PM, Greg KH  wrote:
>
>> On Sat, Jul 08, 2017 at 09:38:52PM +0530, Ajinkya Surnis wrote:
>> > Actually, this is not a college assignment. I'm a professional software
>> > engineer who is completely new to kernel programming.
>>
>
> Welcome to the world of kernel hacking, and speaking the 'truth' and being
> 'honest' does have its benefits as you will see soon :)
>
>
>> > I recently gave an interview to one cloud security firm. The
>> interviewer gave
>> > me this particular assignment, since this kind of functionality is
>> needed in
>> > their software.
>>
>
> Wish you good luck with the job !
>
>
>> > Now I'm aware that the approach I have (syscall interception) is wrong.
>> > But I also need to find out alternate mechanism to achieve my goal.
>> > I searched really hard, but got nothing.
>>
>
> Go through the link below very carefully, you do not require two modules.
> One single module
> that intercepts a syscall and does what you have to do.. please do pay
> careful attention to the comments
> within the code!
>
> https://github.com/jvns/kernel-module-fun/blob/master/rickroll.c
>
>
>>
>> So it's a programming test to get a job?  That's worse than trying to
>> cheat on an exam, as it would mean that I pass the test, not you :(
>>
>
> Though I agree 110% with gregkh, 'I' also have been where Ajinkya is coming
> from so many times.
> I have been there, done that too many times to walk away now so.. I
> understand the man's pain and frustration.
> So against my better judgement I have given him something which, if he
> studies it carefully, will help him to do what it is he must.
>
>>
>> good luck!
>>
>> greg k-h
>>
>>
> Greg, he told us the plain truth and all he wants is some guidance. If I
> am out of line you can bust me as usual on IRC ! How does telling the simple
> and plain 'truth' equate to 'cheating'? Duhh...
>
> Good luck, hope this helps - Aruna
>
>
>
>
>


Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Aruna Hewapathirane
Hello Ajinkya,

On Sat, Jul 8, 2017 at 12:14 PM, Greg KH  wrote:

> On Sat, Jul 08, 2017 at 09:38:52PM +0530, Ajinkya Surnis wrote:
> > Actually, this is not a college assignment. I'm a professional software
> > engineer who is completely new to kernel programming.
>

Welcome to the world of kernel hacking, and speaking the 'truth' and being
'honest' does have its benefits as you will see soon :)


> > I recently gave an interview to one cloud security firm. The interviewer
> gave
> > me this particular assignment, since this kind of functionality is
> needed in
> > their software.
>

Wish you good luck with the job !


> > Now I'm aware that the approach I have (syscall interception) is wrong.
> > But I also need to find out alternate mechanism to achieve my goal.
> > I searched really hard, but got nothing.
>

Go through the link below very carefully, you do not require two modules.
One single module
that intercepts a syscall and does what you have to do.. please do pay
careful attention to the comments
within the code!

https://github.com/jvns/kernel-module-fun/blob/master/rickroll.c


>
> So it's a programming test to get a job?  That's worse than trying to
> cheat on an exam, as it would mean that I pass the test, not you :(
>

Though I agree 110% with gregkh, 'I' also have been where Ajinkya is coming
from so many times.
I have been there, done that too many times to walk away now so.. I
understand the man's pain and frustration.
So against my better judgement I have given him something which, if he
studies it carefully, will help him to do what it is he must.

>
> good luck!
>
> greg k-h
>
>
Greg, he told us the plain truth and all he wants is some guidance. If I am
out of line you can bust me as usual on IRC ! How does telling the simple and
plain 'truth' equate to 'cheating'? Duhh...

Good luck, hope this helps - Aruna







Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Greg KH
On Sat, Jul 08, 2017 at 09:38:52PM +0530, Ajinkya Surnis wrote:
> Actually, this is not a college assignment. I'm a professional software
> engineer who is completely new to kernel programming.
> I recently gave an interview to one cloud security firm. The interviewer gave
> me this particular assignment, since this kind of functionality is needed in
> their software.
> Now I'm aware that the approach I have (syscall interception) is wrong.
> But I also need to find an alternate mechanism to achieve my goal.
> I searched really hard, but got nothing.

So it's a programming test to get a job?  That's worse than trying to
cheat on an exam, as it would mean that I pass the test, not you :(

good luck!

greg k-h



Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Ajinkya Surnis
Actually, this is not a college assignment. I'm a professional software
engineer who is completely new to kernel programming.
I recently gave an interview to one cloud security firm. The interviewer
gave me this particular assignment, since this kind of functionality is
needed in their software.
Now I'm aware that the approach I have (syscall interception) is wrong.
But I also need to find an alternate mechanism to achieve my goal.
I searched really hard, but got nothing.

Thanks,
Ajinkya.

On Sat, Jul 8, 2017 at 9:34 PM, Greg KH  wrote:

> On Sat, Jul 08, 2017 at 09:08:40PM +0530, Ajinkya Surnis wrote:
> > The purpose of the assignment is to check the authenticity of the user
> > executing the system call, and prevent certain users from executing, kind
> > of like certain security programs (although I don't exactly know how they
> > work).
>
> Then that's a totally different thing.
>
> Don't hook a syscall for this at all.
>
> There is a better way, and a correct one, but as this is a homework
> assignment, and I'm not the one getting credit for the assignment, I'm
> not going to spell it out how to do it, sorry.  Otherwise you would get
> in trouble.
>
> Actually, are you sure you are allowed to ask for help for your
> assignment from others in the first place?  Most schools have rules
> about stuff like this...
>
> greg k-h
>


Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Greg KH
On Sat, Jul 08, 2017 at 09:08:40PM +0530, Ajinkya Surnis wrote:
> The purpose of the assignment is to check the authenticity of the user
> executing the system call, and prevent certain users from executing, kind
> of like certain security programs (although I don't exactly know how they
> work).

Then that's a totally different thing.

Don't hook a syscall for this at all.

There is a better way, and a correct one, but as this is a homework
assignment, and I'm not the one getting credit for the assignment, I'm
not going to spell it out how to do it, sorry.  Otherwise you would get
in trouble.

Actually, are you sure you are allowed to ask for help for your
assignment from others in the first place?  Most schools have rules
about stuff like this...

greg k-h



Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Ajinkya Surnis
The purpose of the assignment is to check the authenticity of the user
executing the system call, and prevent certain users from executing, kind
of like certain security programs (although I don't exactly know how they
work).

On Sat, Jul 8, 2017 at 8:50 PM, Greg KH  wrote:

> On Sat, Jul 08, 2017 at 07:53:31PM +0530, Ajinkya Surnis wrote:
> > Actually, I've been given an assignment to write a kernel module such that
> > whenever a certain system call (e.g. open()) is executed, the control should
> > come to my new module; then it will do some processing on the parameters and
> > then call the actual syscall function (sys_open()).
>
> Horrible assignment, please pass along my regards to the professor that
> this is not anything that should ever be assigned.  Seriously, do you
> want me to email them this?
>
> > I only found the way of intercepting 'sys_call_table'. I know this kind of
> > hacking is probably not a good idea.
> > Can you suggest any alternative way?
> > I would really appreciate it.
>
> Don't do it.
>
> Really, this is not a valid thing to do in Linux.
>
> Feel free to quote me.
>
> Also, the assignment said nothing about 2 modules, so are you sure you
> are even doing this right?  :)
>
> thanks,
>
> greg k-h
>


Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Greg KH
On Sat, Jul 08, 2017 at 07:53:31PM +0530, Ajinkya Surnis wrote:
> Actually, I've been given an assignment to write a kernel module such that
> whenever a certain system call (e.g. open()) is executed, the control should
> come to my new module; then it will do some processing on the parameters and
> then call the actual syscall function (sys_open()).

Horrible assignment, please pass along my regards to the professor that
this is not anything that should ever be assigned.  Seriously, do you
want me to email them this?

> I only found the way of intercepting 'sys_call_table'. I know this kind of
> hacking is probably not a good idea.
> Can you suggest any alternative way?
> I would really appreciate it.

Don't do it.

Really, this is not a valid thing to do in Linux.

Feel free to quote me.

Also, the assignment said nothing about 2 modules, so are you sure you
are even doing this right?  :)

thanks,

greg k-h



Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Ajinkya Surnis
Actually, I've been given an assignment to write a kernel module such that
whenever a certain system call (e.g. open()) is executed, the control
should come to my new module; then it will do some processing on the
parameters and then call the actual syscall function (sys_open()).
I only found the way of intercepting 'sys_call_table'. I know this kind of
hacking is probably not a good idea.
Can you suggest any alternative way?
I would really appreciate it.

Thanks,
Ajinkya.

On Sat, Jul 8, 2017 at 7:43 PM, Greg KH  wrote:

> On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:
> > Hi guys,
> >
> > I'm new to kernelnewbies and this is my first question in the list.
> >
> >
> > I'm working on system call interception (for open() system call) and I got one
> > problem: I have two kernel modules (mod1 and mod2) and both of them are trying
> > to intercept open() syscall. I've loaded mod1 first and then mod2.
> > The mod1 intercepted open() by:
> >
> > original_open1 = sys_call_table[__NR_open];
> > sys_call_table[__NR_open] = mod1_open;
> >
> > Here original_open1 would be sys_open. After this, mod2 intercepted open() by:
> >
> > original_open2 = sys_call_table[__NR_open];
> > sys_call_table[__NR_open] = mod2_open;
>
> Eeek!  First off, don't do this, you are seeing why you should not do
> this already, no need to have to explain in detail why this is a bad
> thing :)
>
> >
> > problem is: Suppose I unload mod1 first and open() system call gets executed,
> > then mod2_open() would get called, which ultimately calls mod1_open().
> >
> > Since mod1 is already unloaded, calling mod1_open() caused panic (since the
> > function pointer is no longer a valid memory region).
> >
> > I need some mechanism to avoid this problem. Basically, I want a solution which
> > facilitates loading/unloading the modules (which intercept same syscall) in any
> > random order without causing any panic.
>
> Why do you feel you wish to grab the system call in the first place?
> What problem are you trying to solve where this is the only solution?
>
> > Is there some kind of facility such that while unloading the module (`mod2`
> > here), the module will broadcast the message to all other modules that it's
> > being unloaded and instead of referring to `original_open2()` the other modules
> > should use `original_open1()`.
>
> Nope, don't try to grab syscalls, it's a bad idea, and you get to keep
> the pieces your kernel will be in when things die (and they will die...)
>
> sorry,
>
> greg k-h
>


Re: Query regarding kernel modules intercepting system call.

2017-07-08 Thread Greg KH
On Sat, Jul 08, 2017 at 07:38:21PM +0530, Ajinkya Surnis wrote:
> Hi guys,
> 
> I'm new to kernelnewbies and this is my first question in the list.
> 
> 
> I'm working on system call interception (for open() system call) and I got one
> problem: I have two kernel modules (mod1 and mod2) and both of them are trying
> to intercept open() syscall. I've loaded mod1 first and then mod2.
> The mod1 intercepted open() by:
> 
> original_open1 = sys_call_table[__NR_open];
> sys_call_table[__NR_open] = mod1_open;
> 
> Here original_open1 would be sys_open. After this, mod2 intercepted open() by:
> 
> original_open2 = sys_call_table[__NR_open];
> sys_call_table[__NR_open] = mod2_open;

Eeek!  First off, don't do this, you are seeing why you should not do
this already, no need to have to explain in detail why this is a bad
thing :)

> 
> problem is: Suppose I unload mod1 first and open() system call gets executed,
> then mod2_open() would get called, which ultimately calls mod1_open().
> 
> Since mod1 is already unloaded, calling mod1_open() caused panic (since the
> function pointer is no longer a valid memory region).
> 
> I need some mechanism to avoid this problem. Basically, I want a solution which
> facilitates loading/unloading the modules (which intercept same syscall) in any
> random order without causing any panic.

Why do you feel you wish to grab the system call in the first place?
What problem are you trying to solve where this is the only solution?

> Is there some kind of facility such that while unloading the module (`mod2`
> here), the module will broadcast the message to all other modules that it's
> being unloaded and instead of referring to `original_open2()` the other modules
> should use `original_open1()`.

Nope, don't try to grab syscalls, it's a bad idea, and you get to keep
the pieces your kernel will be in when things die (and they will die...)

sorry,

greg k-h

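The failure the original question describes (mod2_open chaining into the unloaded mod1_open) as an added userspace model; this is not code from the thread or from the module linked in it, and it never touches a real sys_call_table. A single function pointer stands in for sys_call_table[__NR_open], `real_open` stands in for sys_open, and the struct fields mirror the question's original_openN/modN_open pairs. The consistency check in `hook_unload_checked` (restore only if the table still points at your own hook, otherwise refuse) and the `chain_is_safe` walk are constructed for the example; the scenario names are chosen here.

```c
#include <stdio.h>

typedef long (*open_fn)(const char *path);

/* The model's one-slot "syscall table", standing in for sys_call_table[__NR_open]. */
static open_fn table_open;

/* Stand-in for sys_open: the real end of every hook chain. */
static long real_open(const char *path) { (void)path; return 3; }

/* What each of the question's modules keeps: the pointer it replaced
 * (original_openN) and its own hook (modN_open). */
struct hook_module {
    const char *name;
    open_fn saved;
    open_fn hook;
    int loaded;
};

static struct hook_module mod1, mod2;

/* Hooks forward to whatever they saved, exactly like the chain in the question. */
static long mod1_open(const char *p) { return mod1.saved(p); }
static long mod2_open(const char *p) { return mod2.saved(p); }

void model_reset(void)
{
    table_open = real_open;
    mod1 = (struct hook_module){ .name = "mod1", .hook = mod1_open };
    mod2 = (struct hook_module){ .name = "mod2", .hook = mod2_open };
}

/* Load: save the current entry, install ourselves (the question's two lines). */
void hook_load(struct hook_module *m)
{
    m->saved = table_open;
    table_open = m->hook;
    m->loaded = 1;
}

/* Unload as the question describes: the module is gone, but the pointer a
 * later module saved still names it. */
void hook_unload_unchecked(struct hook_module *m)
{
    m->loaded = 0;
}

/* Unload with the check the question's modules lack: restore the saved entry
 * only if the table still points at our hook. If it does not, a later module
 * holds us in its saved pointer and would call freed memory, so refuse (the
 * kernel-side equivalent is holding a reference so the module cannot unload). */
int hook_unload_checked(struct hook_module *m)
{
    if (table_open != m->hook)
        return -1;
    table_open = m->saved;
    m->loaded = 0;
    return 0;
}

/* Walk the chain without calling it: 1 if every pointer open() would reach
 * belongs to a loaded module or is real_open, 0 if it would hit an unloaded
 * module (the panic in the question). */
int chain_is_safe(void)
{
    open_fn fn = table_open;
    for (int depth = 0; depth < 4; depth++) {
        if (fn == real_open) return 1;
        if (fn == mod1.hook) { if (!mod1.loaded) return 0; fn = mod1.saved; }
        else if (fn == mod2.hook) { if (!mod2.loaded) return 0; fn = mod2.saved; }
        else return 0;
    }
    return 0;
}

/* Scenario from the question: load mod1, then mod2, then unload mod1 first. */
int scenario_dangling(void)
{
    model_reset();
    hook_load(&mod1);
    hook_load(&mod2);
    hook_unload_unchecked(&mod1);  /* table: mod2_open -> mod1_open (gone) -> sys_open */
    return chain_is_safe();        /* 0: the next open() would panic */
}

/* Same order with the check: mod1 is refused and the chain stays callable. */
int scenario_refused(void)
{
    model_reset();
    hook_load(&mod1);
    hook_load(&mod2);
    if (hook_unload_checked(&mod1) != -1) return 0;
    return chain_is_safe() && table_open("/etc/hostname") == 3;
}

/* Reverse order succeeds: last loaded, first unloaded, table back to sys_open. */
int scenario_reverse_order(void)
{
    model_reset();
    hook_load(&mod1);
    hook_load(&mod2);
    if (hook_unload_checked(&mod2) != 0) return 0;
    if (hook_unload_checked(&mod1) != 0) return 0;
    return table_open == real_open;
}

int main(void)
{
    printf("unchecked unload leaves chain safe? %d\n", scenario_dangling());
    printf("checked unload refuses out-of-order? %d\n", scenario_refused());
    printf("reverse order restores table? %d\n", scenario_reverse_order());
    return 0;
}
```

The model makes Greg's point concrete: chained table entries only stay consistent if unloads happen in strict reverse load order, and nothing in the table tells a module who hooked after it, which is why the question's "broadcast on unload" idea has no footing and why the thread steers towards fanotify and the kernel's own hooks instead.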