backport some patches
This commit is contained in:
parent
06ea89184c
commit
cb647d168f
37
Backport-del-useless-code-for-timestamp.patch
Normal file
37
Backport-del-useless-code-for-timestamp.patch
Normal file
@ -0,0 +1,37 @@
|
||||
From 8798032e6dafed4730c51fb796347fb7b5092d7c Mon Sep 17 00:00:00 2001
|
||||
From: zgzxx <zhangguangzhi3@huawei.com>
|
||||
Date: Wed, 29 Nov 2023 10:15:00 +0800
|
||||
Subject: del useless code for timestamp
|
||||
|
||||
---
|
||||
.../kmodule_baseline/secDetector_mc_kmodule_baseline.c | 7 -------
|
||||
1 file changed, 7 deletions(-)
|
||||
|
||||
diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
|
||||
index 6a7edda..cff1ff5 100644
|
||||
--- a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
|
||||
+++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c
|
||||
@@ -17,7 +17,6 @@
|
||||
|
||||
#define MODULE_LIST_MAXSIZE 0x10000
|
||||
#define NAME_LEN 4096
|
||||
-#define HEADER_MSG_LEN 128
|
||||
#define KMODULE_BASELINE_TYPE 0x00800000
|
||||
|
||||
typedef struct chkrkatt_module {
|
||||
@@ -79,12 +78,6 @@ static void report_kmodule_baseline(void)
|
||||
pr_err("module_name_all kzalloc failed\n");
|
||||
return;
|
||||
}
|
||||
- header_msg = (char *)kzalloc(HEADER_MSG_LEN, GFP_ATOMIC);
|
||||
- if (header_msg == NULL) {
|
||||
- pr_err("hearder_msg kzalloc failed\n");
|
||||
- kfree(module_name_all);
|
||||
- return;
|
||||
- }
|
||||
|
||||
header_msg_len = get_timestamp_str(&header_msg);
|
||||
if (header_msg_len <= 0)
|
||||
--
|
||||
2.33.0
|
||||
|
||||
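Review bot: header_msg is now first written only by get_timestamp_str(&header_msg); if its declaration (above the hunk) is not initialised, a cleanup path that kfree()s header_msg after the `header_msg_len <= 0` test would free an indeterminate pointer, so declare it `char *header_msg = NULL;` and make sure get_timestamp_str() leaves its output pointer NULL on failure. The removed kzalloc() was more than useless: its buffer was immediately overwritten by the pointer get_timestamp_str() returns, so this is also a leak fix and the subject line should say so. report_kmodule_baseline() begins and ends outside the hunk, so whether header_msg is freed on every remaining path cannot be confirmed from here.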
24
Backport-fix-bug-of-mc-case-not-collect-data.patch
Normal file
24
Backport-fix-bug-of-mc-case-not-collect-data.patch
Normal file
@ -0,0 +1,24 @@
|
||||
From b1689ab1e8e79f7e8125adb2c8f8614d90eb3209 Mon Sep 17 00:00:00 2001
|
||||
From: yieux <yangxy79315@sina.com>
|
||||
Date: Tue, 28 Nov 2023 10:49:35 +0800
|
||||
Subject: fix bug of mc case not collect data
|
||||
|
||||
---
|
||||
.../cases/memory_corruption/secDetector_memory_corruption.c | 1 +
|
||||
1 file changed, 1 insertion(+)
|
||||
|
||||
diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
|
||||
index 5b487ac..c9e9868 100644
|
||||
--- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
|
||||
+++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
|
||||
@@ -43,6 +43,7 @@ static struct secDetector_workflow workflow_array[] = {
|
||||
.workflow_type = WORKFLOW_PRESET,
|
||||
.hook_type = SECDETECTOR_TIMER,
|
||||
.collect_array = collect_array,
|
||||
+ .collect_array_len = ARRAY_SIZE(collect_array),
|
||||
.analyze_type = ANALYZE_PRESET_SAVE_CHECK,
|
||||
.interval = TIME_INTERVAL,
|
||||
.enabled = ATOMIC_INIT(true)
|
||||
--
|
||||
2.33.0
|
||||
|
||||
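Review bot: Setting .collect_array_len here fixes this case, but nothing guards against the same omission in other cases; if the framework's registration path accepts a workflow with `.collect_array` set and `.collect_array_len == 0`, it silently collects nothing, as the subject of this patch shows, so registration should reject or at least pr_warn() on that combination so the bug class is caught at insmod rather than by noticing missing data. Note also that this patch and Backport-rm-kmodule_list (Patch0007) are both generated against blob 5b487ac of the same file; as Patch0009 it applies after Patch0007 only through patch(1) offset matching, so regenerating it against f4a1c9f would keep the series clean. workflow_array continues outside the hunk.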
68
Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch
Normal file
68
Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch
Normal file
@ -0,0 +1,68 @@
|
||||
From 6d1833b44b7cdea6c8459df8c431f1779afa2ab8 Mon Sep 17 00:00:00 2001
|
||||
From: yieux <yangxy79315@sina.com>
|
||||
Date: Mon, 27 Nov 2023 15:29:30 +0800
|
||||
Subject: fix memory leak bug in sc analyze unit
|
||||
|
||||
---
|
||||
README.md | 2 +-
|
||||
.../core/analyze_unit/secDetector_save_check.c | 15 +++++++++------
|
||||
2 files changed, 10 insertions(+), 7 deletions(-)
|
||||
|
||||
diff --git a/README.md b/README.md
|
||||
index a2b7726..9658879 100644
|
||||
--- a/README.md
|
||||
+++ b/README.md
|
||||
@@ -68,7 +68,7 @@ secDetector在架构上分为四个部分:SDK、Service、检测特性集合ca
|
||||
|
||||
检测框架core是以一个cases依赖的基础框架,提供case的管理,和workflow所需的通用的基础功能单元。内核异常信息检测框架会以内核模块ko的形态承载。一个检测特性case可以将自己注册到框架中,或者从框架中去注册。框架还可以提供特定的交互接口以满足外部的动态请求。一个workflow被定义为有四类功能单元组成:事件发生器、信息采集器、事件分析器、响应单元。
|
||||
|
||||
-
|
||||
+Driver分为两类,kerneldriver 和 usrdriver。顾名思义,kerneldriver是部署在内核态中的,以内核模块的形式承载。usrdriver是部署在用户态中的,直接被部署为Service中的一个模块。从逻辑上usrdriver是在Service之下的,但是在运行中,为了降低通信成本,usrdriver被直接集成在Service程序中。
|
||||
|
||||
## 安装教程
|
||||
- kerneldriver
|
||||
diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c
|
||||
index 101a028..72c4948 100644
|
||||
--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c
|
||||
+++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c
|
||||
@@ -129,7 +129,8 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
|
||||
response_arrays[response_array_index] = kmalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL);
|
||||
if (response_arrays[response_array_index] == NULL) {
|
||||
pr_err("kmalloc failed");
|
||||
- return -ENOMEM;
|
||||
+ ret = -ENOMEM;
|
||||
+ goto end;
|
||||
}
|
||||
|
||||
strcpy(response_arrays[response_array_index], "[save_check]");
|
||||
@@ -155,20 +156,22 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz
|
||||
timestamp_len = get_timestamp_str(×tamp);
|
||||
response_data->report_data.type = event_type;
|
||||
response_data->report_data.len = response_data_char_len + timestamp_len;
|
||||
- response_data->report_data.text = kmalloc(response_data_char_len + 1, GFP_KERNEL);
|
||||
+ response_data->report_data.text = kmalloc(response_data->report_data.len + 1, GFP_KERNEL);
|
||||
if (response_data->report_data.text == NULL) {
|
||||
pr_err("kmalloc failed");
|
||||
- return -ENOMEM;
|
||||
+ ret = -ENOMEM;
|
||||
+ goto end;
|
||||
}
|
||||
if (timestamp_len > 0) {
|
||||
strncat(response_data->report_data.text, timestamp, timestamp_len);
|
||||
kfree(timestamp);
|
||||
}
|
||||
- for (i = 0; i < response_array_index; i++) {
|
||||
+ for (i = 0; i < response_array_index; i++)
|
||||
strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i]));
|
||||
- kfree(response_arrays[i]);
|
||||
- }
|
||||
}
|
||||
+end:
|
||||
+ for (i = 0; i < response_array_index; i++)
|
||||
+ kfree(response_arrays[i]);
|
||||
kfree(response_arrays);
|
||||
|
||||
return ret;
|
||||
--
|
||||
2.33.0
|
||||
|
||||
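Review bot: report_data.text comes from kmalloc(), which does not zero memory, yet the first write into it is strncat() (the timestamp or response_arrays[0]); strncat appends after the first NUL byte found in dest, so unless text[0] is terminated somewhere outside the hunk the concatenation starts at an arbitrary offset and can run past the allocation — use `kzalloc(response_data->report_data.len + 1, GFP_KERNEL)` or set `response_data->report_data.text[0] = '\0';` right after the NULL check. The new ENOMEM path after that kmalloc also leaks the buffer get_timestamp_str() allocated, since timestamp is only freed on the success path; add `if (timestamp_len > 0) kfree(timestamp);` before `goto end` (the earlier goto, in the first hunk, runs before timestamp exists and is fine). If get_timestamp_str() can return a negative value (the kmodule_baseline case tests for `<= 0`), report_data.len = response_data_char_len + timestamp_len under-sizes the allocation, so clamp timestamp_len to 0 before the addition. analyze_save_check_normal() starts before the first hunk and its tail after `end:` is only partly shown.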
49
Backport-modify-for-getting-common-info-in-createfile.patch
Normal file
49
Backport-modify-for-getting-common-info-in-createfile.patch
Normal file
@ -0,0 +1,49 @@
|
||||
From 7eadc69ff955e57de06b2d9be1ad8d74f3189047 Mon Sep 17 00:00:00 2001
|
||||
From: zgzxx <zhangguangzhi3@huawei.com>
|
||||
Date: Wed, 29 Nov 2023 18:35:53 +0800
|
||||
Subject: modify for getting common info in createfile
|
||||
|
||||
---
|
||||
.../ebpf/file_ebpf/file_fentry.bpf.c | 26 ++++++++++++++++++-
|
||||
1 file changed, 25 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
|
||||
index 0b3d3ad..7afb7e2 100644
|
||||
--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
|
||||
+++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c
|
||||
@@ -117,7 +117,31 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct
|
||||
return 0;
|
||||
|
||||
e->type = CREATFILE;
|
||||
- get_common_info(e);
|
||||
+
|
||||
+ struct task_struct *parent = NULL;
|
||||
+ struct task_struct *task = NULL;
|
||||
+
|
||||
+ e->timestamp = bpf_ktime_get_ns();
|
||||
+ e->pid = bpf_get_current_pid_tgid() >> 32;
|
||||
+ e->pgid = e->tgid = bpf_get_current_pid_tgid() >> 32;
|
||||
+ e->uid = bpf_get_current_uid_gid();
|
||||
+ e->gid = bpf_get_current_uid_gid() >> 32;
|
||||
+ bpf_get_current_comm(&e->comm, sizeof(e->comm));
|
||||
+ /*
|
||||
+ * exe path is diffcult to get in ebpf, we can get it from userspace
|
||||
+ */
|
||||
+ bpf_get_current_comm(&e->exe, sizeof(e->exe));
|
||||
+
|
||||
+ task = (struct task_struct *)bpf_get_current_task();
|
||||
+ parent = (struct task_struct *)BPF_CORE_READ(task, real_parent);
|
||||
+
|
||||
+ e->ppid = BPF_CORE_READ(parent, pid);
|
||||
+ e->sid = get_task_sid(task);
|
||||
+ e->pns = BPF_CORE_READ(pid_ns(task), ns.inum);
|
||||
+ e->root_pns = BPF_CORE_READ(pid_ns(find_init_task()), ns.inum);
|
||||
+ BPF_CORE_READ_INTO(&e->pcomm, parent, real_parent, comm);
|
||||
+ BPF_CORE_READ_INTO(&e->nodename, task, nsproxy, uts_ns, name.nodename);
|
||||
+ //get_common_info(e);
|
||||
__builtin_memcpy(e->event_name, "createfile", sizeof("createfile"));
|
||||
bpf_probe_read(e->file_info.filename, MAX_TEXT_SIZE, pathname->name);
|
||||
bpf_ringbuf_submit(e, 0);
|
||||
--
|
||||
2.33.0
|
||||
|
||||
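Review bot: e->pcomm is read from parent->real_parent->comm, i.e. the grandparent's name, while e->ppid is read from parent->pid, so the two fields describe different processes; the parent's name is `BPF_CORE_READ_INTO(&e->pcomm, parent, comm);`. For the same reason ppid should probably be `BPF_CORE_READ(parent, tgid)` to match e->pid, which is the tgid half of bpf_get_current_pid_tgid(), since real_parent is presumably the forking thread rather than its group leader. Filling e->exe from bpf_get_current_comm() means a consumer sees a 16-byte, self-chosen name (prctl(PR_SET_NAME)) where it expects an executable path; until user space replaces it as the comment promises, the field is attacker-controlled and must not drive allow/deny logic, so extend the comment to `/* placeholder: comm, not the exe path; spoofable via PR_SET_NAME, do not trust */`. Drop the commented-out `//get_common_info(e);` rather than leaving dead code behind; do_filp_open_exit begins outside the hunk.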
165
Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch
Normal file
165
Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch
Normal file
@ -0,0 +1,165 @@
|
||||
From 71409081fc4c642412d7b7fb1812bee12b6af6b9 Mon Sep 17 00:00:00 2001
|
||||
From: zcfsite <zhchf2010@126.com>
|
||||
Date: Mon, 27 Nov 2023 22:27:06 +0800
|
||||
Subject: rm kmodule_list in mc and fix param ringbuf desc
|
||||
|
||||
---
|
||||
kerneldriver/cases/Makefile | 2 +-
|
||||
.../secDetector_mc_kmodule_list.c | 55 -------------------
|
||||
.../secDetector_mc_kmodule_list.h | 12 ----
|
||||
.../secDetector_memory_corruption.c | 16 ------
|
||||
kerneldriver/core/secDetector_main.c | 2 +-
|
||||
5 files changed, 2 insertions(+), 85 deletions(-)
|
||||
delete mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
|
||||
delete mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
|
||||
|
||||
diff --git a/kerneldriver/cases/Makefile b/kerneldriver/cases/Makefile
|
||||
index 0af72ba..5a94e50 100644
|
||||
--- a/kerneldriver/cases/Makefile
|
||||
+++ b/kerneldriver/cases/Makefile
|
||||
@@ -8,7 +8,7 @@ obj-m += secDetector_kmodule_baseline.o
|
||||
# obj-m += secDetector_lsm_example.o
|
||||
obj-m += secDetector_program_action.o
|
||||
|
||||
-secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o memory_corruption/secDetector_mc_kmodule_list.o
|
||||
+secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o
|
||||
#secDetector_task_block-objs := task_block/secDetector_task_block.o
|
||||
#secDetector_file_block-objs := file_block/secDetector_file_block.o
|
||||
secDetector_kmodule_baseline-objs := kmodule_baseline/secDetector_kmodule_baseline.o kmodule_baseline/secDetector_mc_kmodule_baseline.o
|
||||
diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
|
||||
deleted file mode 100644
|
||||
index 283590b..0000000
|
||||
--- a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c
|
||||
+++ /dev/null
|
||||
@@ -1,55 +0,0 @@
|
||||
-/*
|
||||
- * SPDX-License-Identifier: GPL-2.0
|
||||
- *
|
||||
- * Author: yieux
|
||||
- * create: 2023-09-28
|
||||
- * Description: the main implement of the kmodule list corruption.
|
||||
- */
|
||||
-#include <linux/module.h>
|
||||
-#include <linux/list.h>
|
||||
-#include <linux/spinlock.h>
|
||||
-#include "secDetector_mc_kmodule_list.h"
|
||||
-#include "secDetector_response.h"
|
||||
-#include <linux/slab.h>
|
||||
-
|
||||
-#define MODULE_LIST_MAXSIZE 0x10000
|
||||
-#define MC_KMODULE_REPORT_WORD_LEN 55
|
||||
-
|
||||
-// 3 ways for get kernel module list.
|
||||
-// struct module->list
|
||||
-// struct module->mkobj->kobj->entry
|
||||
-// struct module->mkobj->kobj->kset
|
||||
-void check_kmodule_list(void)
|
||||
-{
|
||||
- struct module_kobject *mobj = NULL;
|
||||
- struct kobject *k = NULL;
|
||||
- struct module *m = NULL;
|
||||
- struct kset *module_kset = __this_module.mkobj.kobj.kset;
|
||||
- response_data_t log;
|
||||
-
|
||||
- if (module_kset == NULL)
|
||||
- return;
|
||||
-
|
||||
- spin_lock(&module_kset->list_lock);
|
||||
- list_for_each_entry(k, &module_kset->list, entry) {
|
||||
- if (k->name == NULL)
|
||||
- continue;
|
||||
- mobj = container_of(k, struct module_kobject, kobj);
|
||||
- if (mobj == NULL || mobj->mod == NULL || (unsigned long)mobj->mod->name < MODULE_LIST_MAXSIZE)
|
||||
- continue;
|
||||
-
|
||||
- mutex_lock(&module_mutex);
|
||||
- m = find_module(k->name);
|
||||
- if (m == NULL) {
|
||||
- pr_err("[secDetector] mc kmoudle list find! module_name=%s.\n", k->name);
|
||||
- log.report_data.len = MC_KMODULE_REPORT_WORD_LEN + strlen(k->name);
|
||||
- log.report_data.text = kmalloc(log.report_data.len, GFP_KERNEL);
|
||||
- sprintf(log.report_data.text, "[secDetector] mc kmoudle list find! module_name=%s.\n", k->name);
|
||||
- secDetector_report(&log);
|
||||
- kfree(log.report_data.text);
|
||||
- }
|
||||
- mutex_unlock(&module_mutex);
|
||||
- }
|
||||
- spin_unlock(&module_kset->list_lock);
|
||||
- return;
|
||||
-}
|
||||
\ No newline at end of file
|
||||
diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
|
||||
deleted file mode 100644
|
||||
index 737ca47..0000000
|
||||
--- a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h
|
||||
+++ /dev/null
|
||||
@@ -1,12 +0,0 @@
|
||||
-/*
|
||||
- * SPDX-License-Identifier: GPL-2.0
|
||||
- *
|
||||
- * Author: yieux
|
||||
- * create: 2023-09-28
|
||||
- * Description: the kmodule list corruption head file.
|
||||
- */
|
||||
- #ifndef SECDETECTOR_MC_KMODULE_LIST_H
|
||||
- #define SECDETECTOR_MC_KMODULE_LIST_H
|
||||
-
|
||||
-void check_kmodule_list(void);
|
||||
- #endif
|
||||
\ No newline at end of file
|
||||
diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
|
||||
index 5b487ac..f4a1c9f 100644
|
||||
--- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
|
||||
+++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c
|
||||
@@ -10,35 +10,19 @@
|
||||
#include <linux/seq_file.h>
|
||||
#include "secDetector_manager.h"
|
||||
#include <secDetector_module_type.h>
|
||||
-#include "secDetector_mc_kmodule_list.h"
|
||||
|
||||
|
||||
#define TIME_INTERVAL 10
|
||||
DEFINE_MUTEX(case_mc_mutex);
|
||||
#define KERNELKEYDATATAMPER 0x00008000
|
||||
|
||||
-static void check_all_watching_memory(void)
|
||||
-{
|
||||
- mutex_lock(&case_mc_mutex);
|
||||
- check_kmodule_list();
|
||||
- mutex_unlock(&case_mc_mutex);
|
||||
-}
|
||||
-
|
||||
static struct secDetector_collect collect_array[] = {
|
||||
{
|
||||
.collect_type = COLLECT_GLOBAL_FUNCTION_SWITCH,
|
||||
},
|
||||
};
|
||||
|
||||
-
|
||||
static struct secDetector_workflow workflow_array[] = {
|
||||
- {
|
||||
- .workflow_type = WORKFLOW_CUSTOMIZATION,
|
||||
- .workflow_func.func = check_all_watching_memory,
|
||||
- .hook_type = SECDETECTOR_TIMER,
|
||||
- .interval = TIME_INTERVAL,
|
||||
- .enabled = ATOMIC_INIT(true)
|
||||
- },
|
||||
{
|
||||
.workflow_type = WORKFLOW_PRESET,
|
||||
.hook_type = SECDETECTOR_TIMER,
|
||||
diff --git a/kerneldriver/core/secDetector_main.c b/kerneldriver/core/secDetector_main.c
|
||||
index 878d4a3..3931229 100644
|
||||
--- a/kerneldriver/core/secDetector_main.c
|
||||
+++ b/kerneldriver/core/secDetector_main.c
|
||||
@@ -22,7 +22,7 @@ MODULE_PARM_DESC(log_size, "log size");
|
||||
static unsigned int ringbuf_size = MIN_RINGBUF_SIZE; /* unit is Mb */
|
||||
static unsigned int ringbuf_size_bytes; /* unit is bytes */
|
||||
module_param(ringbuf_size, uint, 0400);
|
||||
-MODULE_PARM_DESC(log_size, "ringbuffer size");
|
||||
+MODULE_PARM_DESC(ringbuf_size, "ringbuffer size");
|
||||
|
||||
static bool ringbuf_size_check(void)
|
||||
{
|
||||
--
|
||||
2.33.0
|
||||
|
||||
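Review bot: Removing check_kmodule_list() leaves the memory_corruption case with no replacement for the hidden-module check (module kset entries that find_module() no longer returns), and the commit message gives no reason; the deleted code did take mutex_lock(&module_mutex) inside spin_lock(&module_kset->list_lock), a sleeping lock under a spinlock, and built its report with an unchecked kmalloc() and sprintf(), so if that is the motivation it should be stated and a follow-up for a correct implementation tracked. The surviving workflow_array entry in this hunk still sets .collect_array without .collect_array_len, which Patch0009 adds separately against the same base blob 5b487ac; folding that one line in here would avoid the offset-applied second patch. The memory_corruption.c hunk ends inside workflow_array, so the remaining entry is only partly visible.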
@ -5,7 +5,7 @@
|
||||
Name : secDetector
|
||||
Summary : OS Security Intrusion Detection System
|
||||
Version : 1.0
|
||||
Release : 5
|
||||
Release : 6
|
||||
License : GPL-2.0
|
||||
Source0 : %{name}-v%{version}.tar.gz
|
||||
BuildRequires: kernel-devel kernel-headers
|
||||
@ -21,6 +21,11 @@ Patch0003: Backport-check-value-for-topic.patch
|
||||
Patch0004: Backport-fix-printf-error-in-main.cpp.patch
|
||||
Patch0005: Backport-fix-system-crash-caused-by-registration-exception.patch
|
||||
Patch0006: Backport-fix-register-kpobe-mutiple-times.patch
|
||||
Patch0007: Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch
|
||||
Patch0008: Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch
|
||||
Patch0009: Backport-fix-bug-of-mc-case-not-collect-data.patch
|
||||
Patch0010: Backport-del-useless-code-for-timestamp.patch
|
||||
Patch0011: Backport-modify-for-getting-common-info-in-createfile.patch
|
||||
|
||||
%description
|
||||
OS Security Intrusion Detection System
|
||||
@ -94,6 +99,9 @@ rm -rf %{buildroot}
|
||||
%attr(0644,root,root) /usr/include/secDetector/secDetector_topic.h
|
||||
|
||||
%changelog
|
||||
* Wed Nov 29 2023 zhangguangzhi <zhangguangzhi3@huawei.com> 1.0-6
|
||||
- backport some patches
|
||||
|
||||
* Mon Nov 27 2023 zcfsite <zhchf2010@126.com> 1.0-5
|
||||
- fix some kerneldriver error
|
||||
|
||||
|
||||