Check-in [cd0d83fed7]
Overview
SHA1:cd0d83fed72979c0dd1eca01bf4ce195ca604349
Date: 2016-01-20 15:16:29
User: rkeene
Comment:Added initial source code, modified from https://gist.github.com/juwi/3804334
Context
2016-01-20
15:26
[aca54cb4a1] Added ignore file (user: rkeene, tags: trunk)
15:16
[cd0d83fed7] Added initial source code, modified from https://gist.github.com/juwi/3804334 (user: rkeene, tags: trunk)
15:15
[705e04a522] initial empty check-in (user: rkeene, tags: trunk)
Changes

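--- a/Makefile
+++ b/Makefile
@@ -0,0 +1,36 @@
+# Copyright (C) 2011 Alessandro Ghedini <alessandro@ghedini.me>
+# Updated 2012 by Mike Perry to extract syscall table addresses
+# Updated 2014 by Francis Brosnan Blázquez to check for ia32 support
+obj-m += nokeyctl.o
+
+ifdef M
+include $(M)/Makefile.inc
+ifndef SYSTEM_MAP_FILE
+SYSTEM_MAP_FILE := $(KERNEL_DIR)/System.map
+endif
+
+SCT   := $(shell grep " sys_call_table" '$(SYSTEM_MAP_FILE)' | awk '{ print $$1; }')
+SCT32 := $(shell grep "ia32_sys_call_table" '$(SYSTEM_MAP_FILE)' | awk '{ print $$1; }')
+
+EXTRA_CFLAGS += -Dsys_call_table_addr="((void**)0x$(SCT))"
+ifdef SCT32
+EXTRA_CFLAGS += -Dia32_sys_call_table_addr="((void**)0x$(SCT32))" -D__enable_32bits_support
+endif
+else
+include Makefile.inc
+endif
+
+all:
+	@echo "Building with " $(EXTRA_CFLAGS)
+	make -C '$(KERNEL_DIR)' 'M=$(PWD)'
+
+install: all
+	-mkdir -p '$(DESTDIR)/lib/modules/$(KERNEL_VER)/misc'
+	cp nokeyctl.ko '$(DESTDIR)/lib/modules/$(KERNEL_VER)/misc/'
+
+clean:
+	make -C '$(KERNEL_DIR)' 'M=$(PWD)' clean
+	rm -f Module.symvers built-in.o modules.order nokeyctl.ko nokeyctl.mod.c nokeyctl.mod.o nokeyctl.o
+
+distclean: clean
+	rm -f Makefile.inc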
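Review bot: `SCT` and `SCT32` are pasted into `-Dsys_call_table_addr=...` and `-Dia32_sys_call_table_addr=...` with no check on what grep returned. The pattern `" sys_call_table"` is unanchored at the end, so a map with more than one matching symbol would yield several addresses, and a map whose addresses are zeroed would yield `0x0000000000000000`, which the module then dereferences in kernel context at load time. Suggest matching the symbol exactly, `awk '$$3 == "sys_call_table" { print $$1; exit }'`, and stopping the build with `$(error sys_call_table address not found in $(SYSTEM_MAP_FILE))` when the result is empty or all zeros. The address is also fixed at build time, so it is presumably wrong on any kernel that randomizes its base address at boot; that limitation deserves a comment next to the `SCT` assignment.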

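--- a/configure
+++ b/configure
@@ -0,0 +1,45 @@
+#! /bin/bash
+
+if [ -z "${KERNEL_DIR}" ]; then
+	for tryKernelDir in "/lib/modules/$(uname -r)"/{build,source} "/usr/src/linux-$(uname -r)"; do
+		if [ -f "${tryKernelDir}/.config" ]; then
+			kernelDir="${tryKernelDir}"
+
+			break
+		fi
+	done
+
+else
+	kernelDir="${KERNEL_DIR}"
+fi
+
+if [ -z "${kernelDir}" ]; then
+	echo "error: Unable to determine kernel build directory.  Try specifying the KERNEL_DIR environment variable" >&2
+
+	exit 1
+fi
+
+if [ -z "${SYSTEM_MAP_FILE}" ]; then
+	for trySystemMapFile in /proc/kallsyms "${kernelDir}/System.map" "/boot/System.map"; do
+		if grep ' sys_call_table' "${trySystemMapFile}" >/dev/null 2>/dev/null; then
+			systemMapFile="${trySystemMapFile}"
+
+			break
+		fi
+	done
+else
+	systemMapFile="${SYSTEM_MAP_FILE}"
+fi
+
+if [ -z "${systemMapFile}" ]; then
+	echo "error: Unable to determine system map file.  Try specifying the SYSTEM_MAP_FILE environment variable." >&2
+
+	exit 1
+fi
+
+rm -f Makefile.inc
+echo "SYSTEM_MAP_FILE = ${systemMapFile}" > Makefile.inc
+echo "KERNEL_DIR = ${kernelDir}" >> Makefile.inc
+echo "KERNEL_VER = $(uname -r)" >> Makefile.inc
+
+exit 0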
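Review bot: The system-map probe tries `/proc/kallsyms` first and only checks that a ` sys_call_table` line exists, not that its address is usable. When configure runs unprivileged on a kernel that hides kernel pointers, that file lists symbols at address zero, so the probe succeeds and the zero address flows into the build; it also describes the running kernel even when `KERNEL_DIR` points at a different one. Suggest rejecting zero addresses in the probe, e.g. `awk '$3 == "sys_call_table" && $1 !~ /^0+$/ { ok = 1 } END { exit !ok }' "${trySystemMapFile}"`, and preferring `${kernelDir}/System.map` whenever `KERNEL_DIR` was supplied. `KERNEL_VER` is likewise taken from `uname -r`, which would install the module under the wrong `/lib/modules` directory when building for a kernel that is not the one running.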

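--- a/nokeyctl.c
+++ b/nokeyctl.c
@@ -0,0 +1,118 @@
+/*
+ * Kernel module to disable the keyctl() system call.
+ *
+ * Compile:
+ * $ make
+ *
+ * Usage:
+ * # insmod nokeyctl.ko
+ * # rmmod nokeyctl
+ *
+ * Copyright (C) 2011 Alessandro Ghedini <alessandro@ghedini.me>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 2 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <linux/init.h>
+
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/syscalls.h>
+#include <linux/sched.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Alessandro Ghedini and Mike Perry");
+MODULE_DESCRIPTION("disable the keyctl() system call");
+
+/* ia32 entry */
+#define __NR_compat_keyctl 311
+
+static asmlinkage long (*o_ptr)(int cmd, ...);
+#if defined(__enable_32bits_support)
+static asmlinkage long (*o_ptr32)(int cmd, ...);
+#endif
+
+asmlinkage long nokeyctl(int cmd, ...) {
+	printk("[nokeyctl] keyctl() invoked by process %i\n", current->pid);
+
+	return(-EPERM);
+}
+
+static void sys_call_table_make_rw(void **addr);
+static void sys_call_table_make_ro(void **addr);
+
+static int __init init_nokeyctl(void) {
+	void **sys_call_tbl = sys_call_table_addr;
+#if defined(__enable_32bits_support)
+	void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
+#endif
+
+	sys_call_table_make_rw(sys_call_tbl);
+	o_ptr = sys_call_tbl[__NR_keyctl];
+	sys_call_tbl[__NR_keyctl] = nokeyctl;
+	sys_call_table_make_ro(sys_call_tbl);
+
+#if defined(__enable_32bits_support)
+	sys_call_table_make_rw(ia32_sys_call_tbl);
+	o_ptr32 = ia32_sys_call_tbl[__NR_compat_keyctl];
+	ia32_sys_call_tbl[__NR_compat_keyctl] = nokeyctl;
+	sys_call_table_make_ro(ia32_sys_call_tbl);
+#endif
+
+	printk("[nokeyctl] keyctl syscall disabled\n");
+
+	return 0;
+}
+
+static void __exit exit_nokeyctl(void) {
+	void **sys_call_tbl = sys_call_table_addr;
+#if defined(__enable_32bits_support)
+	void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
+#endif
+
+	sys_call_table_make_rw(sys_call_tbl);
+	sys_call_tbl[__NR_keyctl] = o_ptr;
+	sys_call_table_make_ro(sys_call_tbl);
+
+#if defined(__enable_32bits_support)
+	sys_call_table_make_rw(ia32_sys_call_tbl);
+	ia32_sys_call_tbl[__NR_compat_keyctl] = o_ptr32;
+	sys_call_table_make_ro(ia32_sys_call_tbl);
+#endif
+
+	printk("[nokeyctl] keyctl syscall restored\n");
+}
+
+module_init(init_nokeyctl);
+module_exit(exit_nokeyctl);
+
+static void sys_call_table_make_rw(void **addr) {
+	unsigned int lvl;
+
+	pte_t *pte = lookup_address((unsigned long) addr, &lvl);
+
+	if (pte -> pte &~ _PAGE_RW)
+		pte -> pte |= _PAGE_RW;
+
+	write_cr0(read_cr0() & (~ 0x10000));
+}
+
+static void sys_call_table_make_ro(void **addr) {
+	unsigned int lvl;
+
+	pte_t *pte = lookup_address((unsigned long) addr, &lvl);
+	pte -> pte = pte -> pte &~_PAGE_RW;
+
+	write_cr0(read_cr0() | 0x10000);
+}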
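Review bot: `#define __NR_compat_keyctl 311` does not look like the ia32 keyctl slot: in the i386 syscall table keyctl is 288 and 311 is set_robust_list, so with `__enable_32bits_support` the module would return -EPERM for set_robust_list while 32-bit callers still reach keyctl, leaving the mitigation incomplete. Suggest `#define __NR_compat_keyctl 288`, checked against the target kernel's own i386 syscall table rather than hard-coded from memory. Separately, `sys_call_table_make_rw()` and `sys_call_table_make_ro()` dereference the result of `lookup_address()` without a NULL check, and the test `pte -> pte &~ _PAGE_RW` is true for any present entry; `if (!(pte->pte & _PAGE_RW))` matches the apparent intent, and a failed lookup should make `init_nokeyctl()` return an error instead of patching. The `printk` in `nokeyctl()` carries no log level and no rate limit, so any local process can flood the kernel log by calling keyctl in a loop; `printk_ratelimited(KERN_INFO "[nokeyctl] keyctl() invoked by process %i\n", current->pid);` keeps the audit trail without that.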