LSM内核相关源代码分析见:http://blog.csdn.net/lwyeluo/article/details/55215686

本文修改内核代码来测试自定义的安全模块

测试

操作系统ubuntu14.04,内核版本3.13

  • 在ima代码里创建一个新文件,路径为security/integrity/ima/ima_hooks.c(与下文文件头及Makefile中的ima_hooks.o一致)
/*
 * ima_hooks.c
 *
 *  Created on: Feb 15, 2017
 *      Author: Wu Luo
 */
#include <linux/security.h>
#include <linux/sysctl.h>
#include <linux/ptrace.h>
#include <linux/prctl.h>
#include <linux/ratelimit.h>
#include <linux/workqueue.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/dcache.h>
#include <linux/path.h>

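/*
 * LSM file_permission hook for the demo module.
 *
 * The VFS calls this before an access on an already-open @file; @mask is
 * the requested access (MAY_* bits) and is ignored by this demo, which
 * only matches on the file's own name component.  Always returns 0, so
 * the access is allowed regardless of the match.
 */
int test_file_permission(struct file *file, int mask)
{
    /*
     * d_name.name is const in the kernel; the original dropped the
     * qualifier (a discarded-qualifiers warning).  This is the last path
     * component only, so any "test.txt" in any directory matches.
     */
    const char *name = (const char *)file->f_path.dentry->d_name.name;

    if (!strcmp(name, "test.txt")) {
        /*
         * O_RDONLY is 0 on Linux, so OR-ing it into f_flags changes
         * nothing.  Restricting access from a file_permission hook is
         * done by returning an error (e.g. -EACCES when mask & MAY_WRITE),
         * not by editing the open flags; the line is kept only as the
         * placeholder the debug message refers to.
         */
        file->f_flags |= O_RDONLY;
        printk("[Wu Luo][DEBUG]you can have your control code here!\n");
    }
    return 0;
}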


/*
 * Hook table handed to register_security().  Only file_permission is
 * supplied by this demo; the name is what register_security() logs.
 */
static struct security_operations test_security_ops = {
    .name            = "test",
    .file_permission = test_file_permission,
};

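/*
 * Security initcall: register the demo hook table with the LSM framework.
 *
 * register_security() returns -EINVAL when the ops table fails
 * verification and -EAGAIN when another primary LSM (e.g. apparmor) has
 * already replaced default_security_ops.  The original message only said
 * "registration failed", which hides which case occurred; the errno is
 * logged and propagated so the initcall result records it as well.
 */
static int __init test_init(void)
{
    int err;

    printk("[Wu Luo][DEBUG]enter test init!\n");

    err = register_security(&test_security_ops);
    if (err)
        printk("[Wu Luo][DEBUG]Test: kernel registration failed (%d).\n", err);

    return err;
}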

/* Run test_init at the security initcall level during early boot (the dmesg
 * timestamps below show it firing well before user space starts). */
security_initcall(test_init);
  • 在同目录的Makefile里,ima-y项最后加入ima_hooks.o
  • security/security.c::register_security中加入调试信息
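/*
 * Install @ops as the system's primary security module.
 *
 * Returns 0 on success, -EINVAL when verify() rejects the ops table, and
 * -EAGAIN when another module has already replaced default_security_ops
 * (only one primary LSM can be registered, hence the apparmor conflict
 * seen in the log below).
 */
int __init register_security(struct security_operations *ops)
{
    /*
     * verify() (not shown here) is expected to be what rejects a NULL
     * ops with -EINVAL.  The debug print runs before it, so it must not
     * dereference ops unconditionally; for every valid caller the output
     * is unchanged.
     */
    printk("[Wu Luo] enter register_security[name=%s]!\n",
           ops ? ops->name : "(null)");

    if (verify(ops)) {
        printk(KERN_DEBUG "%s could not verify "
               "security_operations structure.\n", __func__);
        return -EINVAL;
    }

    printk("[Wu Luo] verify succeed!\n");

    /* A second primary LSM is refused rather than silently replacing the first. */
    if (security_ops != &default_security_ops)
        return -EAGAIN;

    printk("[Wu Luo] allocate security_ops!\n");

    security_ops = ops;

    return 0;
}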
  • 在grub.cfg中启动IMA:
sed -i "/linux\t/s/$/& ima_tcb ima_template=\"ima\" ima_hash=\"sha1\"/g" /boot/grub/grub.cfg
  • 重新编译内核,进入编译之后的内核系统,dmesg查看打印的信息
root@BlockIMATest:~# dmesg | grep "Wu Luo"
[    0.000323] [Wu Luo] enter register_security[name=apparmor]!
[    0.000325] [Wu Luo] verify succeed!
[    0.000326] [Wu Luo] allocate security_ops!
[    0.000334] [Wu Luo][DEBUG]enter test init!
[    0.000335] [Wu Luo] enter register_security[name=test]!
[    0.000336] [Wu Luo] verify succeed!
[    0.000337] [Wu Luo][DEBUG]Test: kernel registration failed.

可以看到由于apparmor已经注册过(security_ops已不再指向default_security_ops,register_security返回-EAGAIN),导致test注册失败,那我们先暂时把apparmor关闭吧

查看security/apparmor/Kconfig,发现:

config SECURITY_APPARMOR_BOOTPARAM_VALUE
    int "AppArmor boot parameter default value"
    depends on SECURITY_APPARMOR
    range 0 1
    default 1
    help
      This option sets the default value for the kernel parameter
      'apparmor', which allows AppArmor to be enabled or disabled
      at boot.  If this option is set to 0 (zero), the AppArmor
      kernel parameter will default to 0, disabling AppArmor at
      boot.  If this option is set to 1 (one), the AppArmor
      kernel parameter will default to 1, enabling AppArmor at
      boot.

      If you are unsure how to answer this question, answer 1.

在make menuconfig后,先执行以下命令,将AppArmor boot parameter default value设置为0,然后再编译内核。其中${obj_dir}为内核源码目录

sed -i "s/\(CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=\).*/\10/g" ${obj_dir}/.config

进入重新编译的内核之后dmesg可以看到钩子成功注册:

root@BlockIMATest:~# dmesg | grep "Wu Luo"
[    0.000095] [Wu Luo][DEBUG]enter test init!
[    0.000096] [Wu Luo] enter register_security[name=test]!
[    0.000097] [Wu Luo] verify succeed!
[    0.000098] [Wu Luo] allocate security_ops!

再cat test.txt,发现打印信息!

root@BlockIMATest:~# touch test.txt
root@BlockIMATest:~# cat test.txt
root@BlockIMATest:~# dmesg | grep "Wu Luo"

...
[  253.010935] [Wu Luo][DEBUG]you can have your control code here!