/*
* Kernel module to disable the keyctl() system call.
*
* Compile:
* $ make
*
* Usage:
* # insmod nokeyctl.ko
* # rmmod nokeyctl
*
* Copyright (C) 2011 Alessandro Ghedini <alessandro@ghedini.me>
*
* This program is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program. If not, see <http://www.gnu.org/licenses/>.
*/
#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <linux/sched.h>
#include <linux/cred.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Alessandro Ghedini and Mike Perry");
MODULE_DESCRIPTION("disable the keyctl() system call");
/* ia32 entry */
#define __NR_compat_keyctl 311
static asmlinkage long (*o_ptr)(int cmd, ...);
#if defined(__enable_32bits_support)
static asmlinkage long (*o_ptr32)(int cmd, ...);
#endif
asmlinkage long nokeyctl(int cmd, ...) {
printk("[nokeyctl] keyctl() invoked by process %llu, user id = %llu\n", \
(unsigned long long) current->pid, \
(unsigned long long) (get_current_user()->uid.val)
);
return(-EPERM);
}
static void sys_call_table_make_rw(void **addr);
static void sys_call_table_make_ro(void **addr);
static int __init init_nokeyctl(void) {
void **sys_call_tbl = sys_call_table_addr;
#if defined(__enable_32bits_support)
void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
#endif
sys_call_table_make_rw(sys_call_tbl);
o_ptr = sys_call_tbl[__NR_keyctl];
sys_call_tbl[__NR_keyctl] = nokeyctl;
sys_call_table_make_ro(sys_call_tbl);
#if defined(__enable_32bits_support)
sys_call_table_make_rw(ia32_sys_call_tbl);
o_ptr32 = ia32_sys_call_tbl[__NR_compat_keyctl];
ia32_sys_call_tbl[__NR_compat_keyctl] = nokeyctl;
sys_call_table_make_ro(ia32_sys_call_tbl);
#endif
printk("[nokeyctl] keyctl syscall disabled\n");
return 0;
}
static void __exit exit_nokeyctl(void) {
void **sys_call_tbl = sys_call_table_addr;
#if defined(__enable_32bits_support)
void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
#endif
sys_call_table_make_rw(sys_call_tbl);
sys_call_tbl[__NR_keyctl] = o_ptr;
sys_call_table_make_ro(sys_call_tbl);
#if defined(__enable_32bits_support)
sys_call_table_make_rw(ia32_sys_call_tbl);
ia32_sys_call_tbl[__NR_compat_keyctl] = o_ptr32;
sys_call_table_make_ro(ia32_sys_call_tbl);
#endif
printk("[nokeyctl] keyctl syscall restored\n");
}
module_init(init_nokeyctl);
module_exit(exit_nokeyctl);
static void sys_call_table_make_rw(void **addr) {
unsigned int lvl;
pte_t *pte = lookup_address((unsigned long) addr, &lvl);
if (pte -> pte &~ _PAGE_RW)
pte -> pte |= _PAGE_RW;
write_cr0(read_cr0() & (~ 0x10000));
}
static void sys_call_table_make_ro(void **addr) {
unsigned int lvl;
pte_t *pte = lookup_address((unsigned long) addr, &lvl);
pte -> pte = pte -> pte &~_PAGE_RW;
write_cr0(read_cr0() | 0x10000);
}