| author | 2017-11-15 23:48:58 +0100 | |
|---|---|---|
| committer | 2017-11-17 00:54:53 +0100 | |
| commit | f2f1db963ba71a3159d568bbd2e19cecba12ca69 (patch) | |
| tree | ab040ca97ff215f49ba057e05c7dacd9294c2fd5 | |
| parent | Convert to blind-operator-mode (diff) | |
| download | blind-operator-mode-f2f1db963ba71a3159d568bbd2e19cecba12ca69.tar.xz blind-operator-mode-f2f1db963ba71a3159d568bbd2e19cecba12ca69.zip | |
Disable ptrace, /proc/pid/mem, and coredumps
| -rw-r--r-- | README.md | 3 | ||||
| -rw-r--r-- | blind-operator-mode.c | 37 |
2 files changed, 38 insertions, 2 deletions
@@ -20,6 +20,9 @@ other tricks, exploiting zero day vulnerabilities, looking inside from the hyper simply forgetting to actually load this module, or many other potential leaks and subversion. +Ptrace, /proc/PID/mem, and coredumps are also disabled, to gain some rudimentary +support for hindering data extraction from userspace programs. + Disabling of modules and of raw sockets is delayed until 60 seconds after this loads, in order to allow DHCP daemons to start and for other modules to be loaded.
diff --git a/blind-operator-mode.c b/blind-operator-mode.c
index 3080dc6..a011aaa 100644
--- a/blind-operator-mode.c
+++ b/blind-operator-mode.c
@@ -44,7 +44,11 @@ static const struct proto_ops *netlink_ops;
 static struct security_operations *security_ops;
 #else
 static struct security_hook_heads *security_hooks;
-static struct security_hook_list socket_sock_rcv_skb_entry, socket_create_entry, inode_permission_entry;
+static struct security_hook_list socket_sock_rcv_skb_entry;
+static struct security_hook_list socket_create_entry;
+static struct security_hook_list inode_permission_entry;
+static struct security_hook_list ptrace_access_check_entry;
+static struct security_hook_list ptrace_traceme_entry;
 #endif
 static void install_delayed_hooks(struct work_struct *work);
 static DECLARE_DELAYED_WORK(install_delayed_hooks_work, install_delayed_hooks);
@@ -179,7 +183,11 @@ static int inode_permission_callback(struct inode *inode, int mask)
  if (IS_ERR(path))
  goto err_page;
- ret = strcmp(path, "/kcore") ? 0 : -EPERM;
+ ret = 0;
+ if (!strcmp(path, "/kcore"))
+ ret = -EPERM;
+ if (!strcmp(path + strlen(path) - 4, "/mem"))
+ ret = -EPERM;
 err_page:
  free_page((unsigned long)buffer);
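Review bot: In inode_permission_callback the new suffix test `strcmp(path + strlen(path) - 4, "/mem")` forms a pointer before the start of the string whenever path is shorter than four bytes, which is an out-of-bounds read in the kernel; check the length first, e.g. `size_t len = strlen(path);` followed by `if (len >= 4 && !strcmp(path + len - 4, "/mem"))`. The suffix match also refuses any file named mem anywhere in the filesystem, not only /proc/<pid>/mem, which is presumably the intended target; if that breadth is acceptable it should be stated, for example `/* refuse any path ending in "/mem"; this covers /proc/<pid>/mem but also any other file of that name */`. The function begins before this hunk, and the hunk's trailing context lines are not shown on this page.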
@@ -191,6 +199,16 @@ err_dentry:
  return 0;
 }
 
+static int ptrace_access_check_callback(struct task_struct *child, unsigned int mode)
+{
+ return -EPERM;
+}
+
+static int ptrace_traceme_callback(struct task_struct *parent)
+{
+ return -EPERM;
+}
+
 static void install_delayed_hooks(struct work_struct *work)
 {
  init_lsm_hook(socket_create);
@@ -230,6 +248,8 @@ static void install_delayed_hooks(struct work_struct *work)
 static int __init mod_init(void)
 {
+ u8 *do_coredump;
+
 #if LINUX_VERSION_CODE < KERNEL_VERSION(4, 2, 0)
  u8 *search;
  void(*reset_security_ops)(void) = (void(*)(void))kallsyms_lookup_name("reset_security_ops");
@@ -263,16 +283,29 @@ static int __init mod_init(void)
  }
  netlink_ops = init_net.genl_sock->sk_socket->ops;
+ do_coredump = (u8 *)kallsyms_lookup_name("do_coredump");
+ if (!do_coredump) {
+ pr_err("unable to lookup do_coredump\n");
+ goto err;
+ }
+
  modules_disabled_sysctl = (int *)kallsyms_lookup_name("modules_disabled");
  init_lsm_hook(socket_sock_rcv_skb);
  init_lsm_hook(inode_permission);
+ init_lsm_hook(ptrace_access_check);
+ init_lsm_hook(ptrace_traceme);
  modify_ro_page({
  install_lsm_hook(socket_sock_rcv_skb);
  install_lsm_hook(inode_permission);
+ install_lsm_hook(ptrace_access_check);
+ install_lsm_hook(ptrace_traceme);
+ do_coredump[0] = 0xc3; /* RET */
  });
  pr_info("hooked wireguard netlink responses\n");
  pr_info("hooked kernel memory permissions\n");
+ pr_info("hooked ptrace\n");
+ pr_info("disabled coredumps\n");
  schedule_delayed_work(&install_delayed_hooks_work, HZ * 60);
  pr_info("other mechanisms set to deploy in 60 seconds\n"); |
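Review bot: ptrace_access_check_callback returns -EPERM without looking at `mode`, and as far as I recall the ptrace_access_check LSM hook is reached not only from ptrace(2) but from the kernel's own /proc/<pid> access checks (PTRACE_MODE_READ as well as PTRACE_MODE_ATTACH), so the new callbacks cut off that whole class of introspection, which is wider than the "hooked ptrace" log line later in the commit suggests. That is consistent with the commit's stated purpose but should be recorded above the function, e.g. `/* Deny every ptrace access check, including the PTRACE_MODE_READ checks the kernel performs for /proc/<pid> files, not just ptrace(2) attach. */`, with a matching one-liner on ptrace_traceme_callback explaining that a task may not request tracing by its parent either. The unused `child`, `mode` and `parent` parameters are normal for LSM callbacks, but a short comment saying the denial is deliberately unconditional would stop a later reader from "fixing" them.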
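Review bot: `do_coredump[0] = 0xc3; /* RET */` in mod_init writes an x86 opcode into kernel text, but nothing in the hunk checks the architecture, so on any other target the module would corrupt the first instruction of do_coredump instead of neutralising it; guard the build with `#ifndef CONFIG_X86` and `#error "do_coredump patch is x86-only"` (or refuse to load) before the write. The patch also sits ahead of whatever the kernel itself places at the function entry when function tracing or similar instrumentation is enabled, which may interact with that write; that interaction is not visible here and deserves a comment and a test on such a configuration. A comment on the write, e.g. `/* do_coredump is void; an immediate RET makes core dumps silently skipped rather than rejected */`, would also explain why this is a no-op patch rather than an error return. mod_init starts before this hunk and its trailing context lines are not shown on this page.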
