Diffstat (limited to 'blind-operator-mode.c')
-rw-r--r--blind-operator-mode.c37
1 files changed, 35 insertions, 2 deletions
diff --git a/blind-operator-mode.c b/blind-operator-mode.c
index 3080dc6..a011aaa 100644
--- a/blind-operator-mode.c
+++ b/blind-operator-mode.c
@@ -44,7 +44,11 @@ static const struct proto_ops *netlink_ops;
static struct security_operations *security_ops;
#else
static struct security_hook_heads *security_hooks;
-static struct security_hook_list socket_sock_rcv_skb_entry, socket_create_entry, inode_permission_entry;
+static struct security_hook_list socket_sock_rcv_skb_entry;
+static struct security_hook_list socket_create_entry;
+static struct security_hook_list inode_permission_entry;
+static struct security_hook_list ptrace_access_check_entry;
+static struct security_hook_list ptrace_traceme_entry;
#endif
static void install_delayed_hooks(struct work_struct *work);
static DECLARE_DELAYED_WORK(install_delayed_hooks_work, install_delayed_hooks);
@@ -179,7 +183,11 @@ static int inode_permission_callback(struct inode *inode, int mask)
if (IS_ERR(path))
goto err_page;
- ret = strcmp(path, "/kcore") ? 0 : -EPERM;
+ ret = 0;
+ if (!strcmp(path, "/kcore"))
+ ret = -EPERM;
+ if (!strcmp(path + strlen(path) - 4, "/mem"))
+ ret = -EPERM;
err_page:
free_page((unsigned long)buffer);
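Review bot: The new suffix test `strcmp(path + strlen(path) - 4, "/mem")` forms a pointer before the start of `path` whenever the path is shorter than four characters, so the comparison reads bytes that are not part of the string. Check the length first, e.g. `size_t len = strlen(path);` followed by `if (len >= 4 && !strcmp(path + len - 4, "/mem"))`. The test also matches on the name suffix alone, so any file called `mem` in any directory the hook sees is denied; if that breadth is intended, a comment such as `/* deny every .../mem node, e.g. /proc/<pid>/mem */` would record it. inode_permission_callback starts and ends outside the hunk, so how `path` is produced cannot be checked here.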
@@ -191,6 +199,16 @@ err_dentry:
return 0;
}
+static int ptrace_access_check_callback(struct task_struct *child, unsigned int mode)
+{
+ return -EPERM;
+}
+
+static int ptrace_traceme_callback(struct task_struct *parent)
+{
+ return -EPERM;
+}
+
static void install_delayed_hooks(struct work_struct *work)
{
init_lsm_hook(socket_create);
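Review bot: `ptrace_access_check_callback` ignores `mode` and denies every request without a comment saying this is deliberate. The ptrace_access_check hook is consulted for attach requests and also for read-mode access checks, such as those behind several `/proc/<pid>/` entries, so the side effects reach beyond debuggers. A comment above the function such as `/* Deny unconditionally, for attach and read-mode checks alike; debuggers and tools that inspect other processes will fail. */` would make that explicit. `ptrace_traceme_callback` needs the same one-line explanation.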
@@ -230,6 +248,8 @@ static void install_delayed_hooks(struct work_struct *work)
static int __init mod_init(void)
{
+ u8 *do_coredump;
+
#if LINUX_VERSION_CODE < KERNEL_VERSION(4, 2, 0)
u8 *search;
void(*reset_security_ops)(void) = (void(*)(void))kallsyms_lookup_name("reset_security_ops");
@@ -263,16 +283,29 @@ static int __init mod_init(void)
}
netlink_ops = init_net.genl_sock->sk_socket->ops;
+ do_coredump = (u8 *)kallsyms_lookup_name("do_coredump");
+ if (!do_coredump) {
+ pr_err("unable to lookup do_coredump\n");
+ goto err;
+ }
+
modules_disabled_sysctl = (int *)kallsyms_lookup_name("modules_disabled");
init_lsm_hook(socket_sock_rcv_skb);
init_lsm_hook(inode_permission);
+ init_lsm_hook(ptrace_access_check);
+ init_lsm_hook(ptrace_traceme);
modify_ro_page({
install_lsm_hook(socket_sock_rcv_skb);
install_lsm_hook(inode_permission);
+ install_lsm_hook(ptrace_access_check);
+ install_lsm_hook(ptrace_traceme);
+ do_coredump[0] = 0xc3; /* RET */
});
pr_info("hooked wireguard netlink responses\n");
pr_info("hooked kernel memory permissions\n");
+ pr_info("hooked ptrace\n");
+ pr_info("disabled coredumps\n");
schedule_delayed_work(&install_delayed_hooks_work, HZ * 60);
pr_info("other mechanisms set to deploy in 60 seconds\n");
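Review bot: `do_coredump[0] = 0xc3; /* RET */` hard-codes an x86 opcode, and nothing visible in this hunk restricts the module to x86. On another architecture the write would corrupt the first instruction of do_coredump rather than turn the function into an immediate return. Wrap the lookup and the write in `#ifdef CONFIG_X86`, or reject other architectures at build time with `#error`. The hunk also does not save the original byte, so a later failure in mod_init or a module unload could not restore it; whether that matters depends on code outside the hunk, as does whether `modify_ro_page` covers kernel text pages. mod_init starts and ends outside the hunk.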