Check-in [cd0d83fed7]
Overview
SHA1:cd0d83fed72979c0dd1eca01bf4ce195ca604349
Date: 2016-01-20 15:16:29
User: rkeene
Comment:Added initial source code, modified from https://gist.github.com/juwi/3804334
Timelines: family | ancestors | descendants | both | trunk
Downloads: Tarball | ZIP archive
Other Links: files | file ages | folders | manifest
Tags And Properties
Context
2016-01-20
15:26
[aca54cb4a1] Added ignore file (user: rkeene, tags: trunk)
15:16
[cd0d83fed7] Added initial source code, modified from https://gist.github.com/juwi/3804334 (user: rkeene, tags: trunk)
15:15
[705e04a522] initial empty check-in (user: rkeene, tags: trunk)
Changes

Added Makefile version [53c5d86523].

            1  +# Copyright (C) 2011 Alessandro Ghedini <alessandro@ghedini.me>
            2  +# Updated 2012 by Mike Perry to extract syscall table addresses
            3  +# Updated 2014 by Francis Brosnan Blázquez to check for ia32 support
            4  +obj-m += nokeyctl.o
            5  +
            6  +ifdef M
            7  +include $(M)/Makefile.inc
            8  +ifndef SYSTEM_MAP_FILE
            9  +SYSTEM_MAP_FILE := $(KERNEL_DIR)/System.map
           10  +endif
           11  +
           12  +SCT   := $(shell grep " sys_call_table" '$(SYSTEM_MAP_FILE)' | awk '{ print $$1; }')
           13  +SCT32 := $(shell grep "ia32_sys_call_table" '$(SYSTEM_MAP_FILE)' | awk '{ print $$1; }')
           14  +
           15  +EXTRA_CFLAGS += -Dsys_call_table_addr="((void**)0x$(SCT))"
           16  +ifdef SCT32
           17  +EXTRA_CFLAGS += -Dia32_sys_call_table_addr="((void**)0x$(SCT32))" -D__enable_32bits_support
           18  +endif
           19  +else
           20  +include Makefile.inc
           21  +endif
           22  +
           23  +all:
           24  +	@echo "Building with " $(EXTRA_CFLAGS)
           25  +	make -C '$(KERNEL_DIR)' 'M=$(PWD)'
           26  +
           27  +install: all
           28  +	-mkdir -p '$(DESTDIR)/lib/modules/$(KERNEL_VER)/misc'
           29  +	cp nokeyctl.ko '$(DESTDIR)/lib/modules/$(KERNEL_VER)/misc/'
           30  +
           31  +clean:
           32  +	make -C '$(KERNEL_DIR)' 'M=$(PWD)' clean
           33  +	rm -f Module.symvers built-in.o modules.order nokeyctl.ko nokeyctl.mod.c nokeyctl.mod.o nokeyctl.o
           34  +
           35  +distclean: clean
           36  +	rm -f Makefile.inc

Added configure version [b512e69854].

            1  +#! /bin/bash
            2  +
            3  +if [ -z "${KERNEL_DIR}" ]; then
            4  +	for tryKernelDir in "/lib/modules/$(uname -r)"/{build,source} "/usr/src/linux-$(uname -r)"; do
            5  +		if [ -f "${tryKernelDir}/.config" ]; then
            6  +			kernelDir="${tryKernelDir}"
            7  +
            8  +			break
            9  +		fi
           10  +	done
           11  +
           12  +else
           13  +	kernelDir="${KERNEL_DIR}"
           14  +fi
           15  +
           16  +if [ -z "${kernelDir}" ]; then
           17  +	echo "error: Unable to determine kernel build directory.  Try specifying the KERNEL_DIR environment variable" >&2
           18  +
           19  +	exit 1
           20  +fi
           21  +
           22  +if [ -z "${SYSTEM_MAP_FILE}" ]; then
           23  +	for trySystemMapFile in /proc/kallsyms "${kernelDir}/System.map" "/boot/System.map"; do
           24  +		if grep ' sys_call_table' "${trySystemMapFile}" >/dev/null 2>/dev/null; then
           25  +			systemMapFile="${trySystemMapFile}"
           26  +
           27  +			break
           28  +		fi
           29  +	done
           30  +else
           31  +	systemMapFile="${SYSTEM_MAP_FILE}"
           32  +fi
           33  +
           34  +if [ -z "${systemMapFile}" ]; then
           35  +	echo "error: Unable to determine system map file.  Try specifying the SYSTEM_MAP_FILE environment variable." >&2
           36  +
           37  +	exit 1
           38  +fi
           39  +
           40  +rm -f Makefile.inc
           41  +echo "SYSTEM_MAP_FILE = ${systemMapFile}" > Makefile.inc
           42  +echo "KERNEL_DIR = ${kernelDir}" >> Makefile.inc
           43  +echo "KERNEL_VER = $(uname -r)" >> Makefile.inc
           44  +
           45  +exit 0

Added nokeyctl.c version [4f334e08a5].

            1  +/*
            2  + * Kernel module to disable the keyctl() system call.
            3  + *
            4  + * Compile:
            5  + * $ make
            6  + *
            7  + * Usage:
            8  + * # insmod nokeyctl.ko
            9  + * # rmmod nokeyctl
           10  + *
           11  + * Copyright (C) 2011 Alessandro Ghedini <alessandro@ghedini.me>
           12  + *
           13  + * This program is free software: you can redistribute it and/or modify
           14  + * it under the terms of the GNU General Public License as published by
           15  + * the Free Software Foundation, either version 2 of the License, or
           16  + * (at your option) any later version.
           17  + *
           18  + * This program is distributed in the hope that it will be useful,
           19  + * but WITHOUT ANY WARRANTY; without even the implied warranty of
           20  + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
           21  + * GNU General Public License for more details.
           22  + *
           23  + * You should have received a copy of the GNU General Public License
           24  + * along with this program.  If not, see <http://www.gnu.org/licenses/>.
           25  + */
           26  +
           27  +#include <linux/init.h>
           28  +
           29  +#include <linux/module.h>
           30  +#include <linux/kernel.h>
           31  +#include <linux/syscalls.h>
           32  +#include <linux/sched.h>
           33  +
           34  +MODULE_LICENSE("GPL");
           35  +MODULE_AUTHOR("Alessandro Ghedini and Mike Perry");
           36  +MODULE_DESCRIPTION("disable the keyctl() system call");
           37  +
           38  +/* ia32 entry */
           39  +#define __NR_compat_keyctl 311
           40  +
           41  +static asmlinkage long (*o_ptr)(int cmd, ...);
           42  +#if defined(__enable_32bits_support)
           43  +static asmlinkage long (*o_ptr32)(int cmd, ...);
           44  +#endif
           45  +
           46  +asmlinkage long nokeyctl(int cmd, ...) {
           47  +	printk("[nokeyctl] keyctl() invoked by process %i\n", current->pid);
           48  +
           49  +	return(-EPERM);
           50  +}
           51  +
           52  +static void sys_call_table_make_rw(void **addr);
           53  +static void sys_call_table_make_ro(void **addr);
           54  +
           55  +static int __init init_nokeyctl(void) {
           56  +	void **sys_call_tbl = sys_call_table_addr;
           57  +#if defined(__enable_32bits_support)
           58  +	void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
           59  +#endif
           60  +
           61  +	sys_call_table_make_rw(sys_call_tbl);
           62  +	o_ptr = sys_call_tbl[__NR_keyctl];
           63  +	sys_call_tbl[__NR_keyctl] = nokeyctl;
           64  +	sys_call_table_make_ro(sys_call_tbl);
           65  +
           66  +#if defined(__enable_32bits_support)
           67  +	sys_call_table_make_rw(ia32_sys_call_tbl);
           68  +	o_ptr32 = ia32_sys_call_tbl[__NR_compat_keyctl];
           69  +	ia32_sys_call_tbl[__NR_compat_keyctl] = nokeyctl;
           70  +	sys_call_table_make_ro(ia32_sys_call_tbl);
           71  +#endif
           72  +
           73  +	printk("[nokeyctl] keyctl syscall disabled\n");
           74  +
           75  +	return 0;
           76  +}
           77  +
           78  +static void __exit exit_nokeyctl(void) {
           79  +	void **sys_call_tbl = sys_call_table_addr;
           80  +#if defined(__enable_32bits_support)
           81  +	void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
           82  +#endif
           83  +
           84  +	sys_call_table_make_rw(sys_call_tbl);
           85  +	sys_call_tbl[__NR_keyctl] = o_ptr;
           86  +	sys_call_table_make_ro(sys_call_tbl);
           87  +
           88  +#if defined(__enable_32bits_support)
           89  +	sys_call_table_make_rw(ia32_sys_call_tbl);
           90  +	ia32_sys_call_tbl[__NR_compat_keyctl] = o_ptr32;
           91  +	sys_call_table_make_ro(ia32_sys_call_tbl);
           92  +#endif
           93  +
           94  +	printk("[nokeyctl] keyctl syscall restored\n");
           95  +}
           96  +
           97  +module_init(init_nokeyctl);
           98  +module_exit(exit_nokeyctl);
           99  +
          100  +static void sys_call_table_make_rw(void **addr) {
          101  +	unsigned int lvl;
          102  +
          103  +	pte_t *pte = lookup_address((unsigned long) addr, &lvl);
          104  +
          105  +	if (pte -> pte &~ _PAGE_RW)
          106  +		pte -> pte |= _PAGE_RW;
          107  +
          108  +	write_cr0(read_cr0() & (~ 0x10000));
          109  +}
          110  +
          111  +static void sys_call_table_make_ro(void **addr) {
          112  +	unsigned int lvl;
          113  +
          114  +	pte_t *pte = lookup_address((unsigned long) addr, &lvl);
          115  +	pte -> pte = pte -> pte &~_PAGE_RW;
          116  +
          117  +	write_cr0(read_cr0() | 0x10000);
          118  +}