How can I prohibit other Linux kernel modules from getting access to some regular files?

The problem is to prohibit access to some files (files from my "blacklist"). It implies that nobody besides me (my own kernel module) can either read or modify these files.

I've already asked this question here, on StackOverflow, but I haven't gotten an answer. There was only one solution offered: to change the file's permissions and the file's owner. However, it isn't enough for my goals, since the file's permissions as well as the file's owner can be easily modified by someone else.

But I haven't given up; I've carried on studying this problem.

I replaced some fields of the system call table with pointers to my own functions. Thus I managed to prohibit any USER module from getting access to the files from my blacklist; in addition, this approach doesn't depend on the file's permissions or the file's owner. However, the key phrase is "user modules". I mean that any kernel module can still easily get access to the files from my blacklist by calling, for instance, the filp_open() function. I looked through the Linux source code and it turned out that all these system calls that I hooked (open, openat, ...) are simple wrappers and no more.

Could you help me? Is there a way to do something with filp_open that is similar to what I've done with system calls? Any other solutions (without hooking) are welcome.

What you are asking for is impossible. Theoretically, this could be achieved by running the kernel under a custom-made hypervisor or running on custom-made hardware, but it would be extremely complicated (if not impossible) to achieve in reality.

You cannot protect the kernel from itself. In any normal scenario (i.e. no dedicated hardware or hypervisor), the Linux kernel runs at the highest privilege level on the machine, and can therefore revert any changes you make if it wants. If your module needs to deny access to some file to the whole kernel, then there's really something conceptually wrong about what you are doing. Moreover, you seem to be assuming that other kernel modules would be somehow "interested" in messing with your module: why would that be the case?

Furthermore, even changing permissions or overriding syscalls does not solve any problem: unless you correctly configure kernel lockdown (kernel >= v5.4) and/or some other security measure like module signing (and ideally also secure boot), the root user is always able to insert modules and subvert your "security" measures.

If you need to deprive root of access to these files, then as I said there's really something logically wrong. The root user can already do whatever it wants with whichever configuration file it wants; of course destroying important configuration files is going to break the system, but that's not really something that you can avoid. Assuming that root is evil doesn't make much sense as a threat model in any normal scenario.
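The answer above makes the point that hooking is pointless unless kernel lockdown and module signature enforcement are actually on, because otherwise root can load a module that undoes the hooks. The following shell script is an added example (not part of the question or the answer) that checks those two settings on a running machine. It assumes the standard paths: the lockdown state is read from /sys/kernel/security/lockdown (present on kernels >= 5.4 with securityfs mounted, formatted like "none [integrity] confidentiality" with the active mode in brackets) and signature enforcement from /sys/module/module/parameters/sig_enforce; the verdict function and its three-way classification are the example's own choice.

```shell
#!/bin/sh
# Added example: report whether kernel lockdown and module-signature
# enforcement are active. Paths are the usual sysfs/securityfs locations;
# both functions accept an alternative path so the parsing can be exercised
# on constructed input.

# parse_lockdown CONTENT
# The lockdown file lists all modes and marks the active one in square
# brackets, e.g. "none [integrity] confidentiality". Print the active mode.
parse_lockdown() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^\[\(.*\)\]$/\1/p'
}

# lockdown_mode [PATH]
# Print the active lockdown mode, or "unavailable" if the file cannot be
# read (older kernel, securityfs not mounted, or no permission).
lockdown_mode() {
    f="${1:-/sys/kernel/security/lockdown}"
    if [ -r "$f" ]; then
        parse_lockdown "$(cat "$f")"
    else
        echo unavailable
    fi
}

# sig_enforce [PATH]
# Print "Y" if unsigned modules are refused, "N" if they are accepted,
# or "unavailable" if the parameter is not exposed.
sig_enforce() {
    f="${1:-/sys/module/module/parameters/sig_enforce}"
    if [ -r "$f" ]; then
        cat "$f"
    else
        echo unavailable
    fi
}

# assess MODE SIG
# Combine both readings into one verdict. "protected" requires a lockdown
# mode of integrity or confidentiality AND signature enforcement; either
# one alone is "partial"; neither is "unprotected" (root can load arbitrary
# modules, which is exactly the situation the answer warns about).
assess() {
    mode="$1"; sig="$2"
    case "$mode" in
        integrity|confidentiality) ld=1 ;;
        *) ld=0 ;;
    esac
    if [ "$ld" = 1 ] && [ "$sig" = Y ]; then
        echo protected
    elif [ "$ld" = 1 ] || [ "$sig" = Y ]; then
        echo partial
    else
        echo unprotected
    fi
}

# report: one-line summary for the machine the script runs on.
report() {
    m=$(lockdown_mode); s=$(sig_enforce)
    echo "lockdown=$m sig_enforce=$s verdict=$(assess "$m" "$s")"
}

report
```

Run it as root (the securityfs file is normally only readable by root). A verdict of "unprotected" means that, as the answer says, any module-level access control can be removed by whoever holds root; changing that is a boot configuration and signing question, not something a module can enforce from the inside.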
