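/*
 * Kernel module to disable the keyctl() system call.
 *
 * Compile:
 *   $ make
 *
 * Usage:
 *   # insmod nokeyctl.ko
 *   # rmmod nokeyctl
 *
 * Copyright (C) 2011 Alessandro Ghedini <alessandro@ghedini.me>
 *
 * This program is free software: you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation, either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <linux/sched.h>
#include <linux/cred.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Alessandro Ghedini and Mike Perry");
MODULE_DESCRIPTION("disable the keyctl() system call");

/*
 * ia32 (32-bit compat) syscall number of keyctl().
 *
 * In the mainline x86 32-bit syscall table keyctl is entry 288; entry 311
 * is set_robust_list. The value 311 used here previously meant that, with
 * __enable_32bits_support defined, 32-bit callers could still reach the
 * real keyctl() while an unrelated syscall was replaced instead.
 */
#define __NR_compat_keyctl 288

/*
 * NOTE(review): sys_call_table_addr and ia32_sys_call_table_addr are not
 * defined in this file; presumably the build supplies them (e.g. as -D
 * macros resolved from System.map) - confirm against the Makefile. A stale
 * address makes this module overwrite unrelated kernel memory.
 */

/* Original table entries, saved at load time so unload can restore them. */
static asmlinkage long (*o_ptr)(int cmd, ...);
#if defined(__enable_32bits_support)
static asmlinkage long (*o_ptr32)(int cmd, ...);
#endif

/*
 * Replacement handler installed in place of keyctl(): logs the caller and
 * refuses the call with -EPERM, whatever the command.
 */
asmlinkage long nokeyctl(int cmd, ...)
{
	/*
	 * Read the uid straight from the current credentials. The earlier
	 * get_current_user() call takes a reference on the user_struct that
	 * was never dropped, so every blocked call leaked one reference, and
	 * any unprivileged process can trigger this path at will.
	 *
	 * NOTE(review): this printk is not rate limited, so a local user can
	 * flood the kernel log by calling keyctl() in a loop; consider a
	 * rate-limited variant if the log is used for alerting.
	 */
	printk("[nokeyctl] keyctl() invoked by process %llu, user id = %llu\n",
	       (unsigned long long) current->pid,
	       (unsigned long long) current_uid().val);

	return -EPERM;
}

static int sys_call_table_make_rw(void **addr);
static void sys_call_table_make_ro(void **addr);

/*
 * Module load: save the current keyctl entry (and the compat entry when
 * __enable_32bits_support is defined) and point it at nokeyctl().
 *
 * Returns 0 on success, or a negative errno if a table address has no
 * page-table mapping; in that case no hook is left installed.
 */
static int __init init_nokeyctl(void)
{
	void **sys_call_tbl = sys_call_table_addr;
#if defined(__enable_32bits_support)
	void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
#endif
	int err;

	err = sys_call_table_make_rw(sys_call_tbl);
	if (err) {
		printk("[nokeyctl] cannot map sys_call_table, keyctl left enabled\n");
		return err;
	}

	o_ptr = sys_call_tbl[__NR_keyctl];
	sys_call_tbl[__NR_keyctl] = nokeyctl;

	sys_call_table_make_ro(sys_call_tbl);

#if defined(__enable_32bits_support)
	err = sys_call_table_make_rw(ia32_sys_call_tbl);
	if (err) {
		printk("[nokeyctl] cannot map ia32_sys_call_table, undoing hook\n");

		/* Do not leave a half-installed hook behind on failure. */
		if (sys_call_table_make_rw(sys_call_tbl) == 0) {
			sys_call_tbl[__NR_keyctl] = o_ptr;
			sys_call_table_make_ro(sys_call_tbl);
		}

		return err;
	}

	o_ptr32 = ia32_sys_call_tbl[__NR_compat_keyctl];
	ia32_sys_call_tbl[__NR_compat_keyctl] = nokeyctl;

	sys_call_table_make_ro(ia32_sys_call_tbl);
#endif

	printk("[nokeyctl] keyctl syscall disabled\n");

	return 0;
}

/*
 * Module unload: put the saved entries back so the table no longer points
 * into this module's text once it is freed.
 */
static void __exit exit_nokeyctl(void)
{
	void **sys_call_tbl = sys_call_table_addr;
#if defined(__enable_32bits_support)
	void **ia32_sys_call_tbl = ia32_sys_call_table_addr;
#endif

	if (sys_call_table_make_rw(sys_call_tbl) == 0) {
		sys_call_tbl[__NR_keyctl] = o_ptr;
		sys_call_table_make_ro(sys_call_tbl);
	} else {
		printk("[nokeyctl] cannot map sys_call_table, entry not restored\n");
	}

#if defined(__enable_32bits_support)
	if (sys_call_table_make_rw(ia32_sys_call_tbl) == 0) {
		ia32_sys_call_tbl[__NR_compat_keyctl] = o_ptr32;
		sys_call_table_make_ro(ia32_sys_call_tbl);
	} else {
		printk("[nokeyctl] cannot map ia32_sys_call_table, entry not restored\n");
	}
#endif

	printk("[nokeyctl] keyctl syscall restored\n");
}

module_init(init_nokeyctl);
module_exit(exit_nokeyctl);

/*
 * Make the page holding addr writable: set _PAGE_RW in its page-table
 * entry and clear bit 16 of CR0 (0x10000, the write-protect bit).
 *
 * Returns 0 on success, -EFAULT if lookup_address() finds no mapping.
 *
 * NOTE(review): CR0 is per-CPU and nothing here disables preemption, so
 * the write that follows could in principle run on another CPU; confirm
 * whether callers need preempt_disable() around the make_rw/make_ro pair.
 */
static int sys_call_table_make_rw(void **addr)
{
	unsigned int lvl;
	pte_t *pte = lookup_address((unsigned long) addr, &lvl);

	/* lookup_address() returns NULL for an unmapped address. */
	if (!pte)
		return -EFAULT;

	/* The old test (pte & ~_PAGE_RW) checked every bit except RW. */
	if (!(pte->pte & _PAGE_RW))
		pte->pte |= _PAGE_RW;

	write_cr0(read_cr0() & (~0x10000));

	return 0;
}

/*
 * Undo sys_call_table_make_rw(): clear _PAGE_RW on the page holding addr
 * and set the CR0 write-protect bit again. CR0 is restored even when the
 * page-table entry cannot be found.
 */
static void sys_call_table_make_ro(void **addr)
{
	unsigned int lvl;
	pte_t *pte = lookup_address((unsigned long) addr, &lvl);

	if (pte)
		pte->pte = pte->pte & ~_PAGE_RW;

	write_cr0(read_cr0() | 0x10000);
}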