From cb647d168fb446fc8f5759b1c47ccc7b7d86013b Mon Sep 17 00:00:00 2001 From: zgzxx Date: Wed, 29 Nov 2023 20:37:35 +0800 Subject: [PATCH] backport some patches --- Backport-del-useless-code-for-timestamp.patch | 37 ++++ ...-fix-bug-of-mc-case-not-collect-data.patch | 24 +++ ...x-memory-leak-bug-in-sc-analyze-unit.patch | 68 ++++++++ ...or-getting-common-info-in-createfile.patch | 49 ++++++ ...ist-in-mc-and-fix-param-ringbuf-desc.patch | 165 ++++++++++++++++++ secDetector.spec | 10 +- 6 files changed, 352 insertions(+), 1 deletion(-) create mode 100644 Backport-del-useless-code-for-timestamp.patch create mode 100644 Backport-fix-bug-of-mc-case-not-collect-data.patch create mode 100644 Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch create mode 100644 Backport-modify-for-getting-common-info-in-createfile.patch create mode 100644 Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch diff --git a/Backport-del-useless-code-for-timestamp.patch b/Backport-del-useless-code-for-timestamp.patch new file mode 100644 index 0000000..c219600 --- /dev/null +++ b/Backport-del-useless-code-for-timestamp.patch 
@@ -0,0 +1,37 @@ +From 8798032e6dafed4730c51fb796347fb7b5092d7c Mon Sep 17 00:00:00 2001 +From: zgzxx +Date: Wed, 29 Nov 2023 10:15:00 +0800 +Subject: del useless code for timestamp + +--- + .../kmodule_baseline/secDetector_mc_kmodule_baseline.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c +index 6a7edda..cff1ff5 100644 +--- a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c ++++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c +@@ -17,7 +17,6 @@ + + #define MODULE_LIST_MAXSIZE 0x10000 + #define NAME_LEN 4096 +-#define HEADER_MSG_LEN 128 + #define KMODULE_BASELINE_TYPE 0x00800000 + + typedef struct chkrkatt_module { +@@ -79,12 +78,6 @@ static void report_kmodule_baseline(void) + pr_err("module_name_all kzalloc failed\n"); + return; + } +- header_msg = (char *)kzalloc(HEADER_MSG_LEN, GFP_ATOMIC); +- if (header_msg == NULL) { +- pr_err("hearder_msg kzalloc failed\n"); +- kfree(module_name_all); +- return; +- } + + header_msg_len = get_timestamp_str(&header_msg); + if (header_msg_len <= 0) +-- +2.33.0 + diff --git a/Backport-fix-bug-of-mc-case-not-collect-data.patch b/Backport-fix-bug-of-mc-case-not-collect-data.patch new file mode 100644 index 0000000..1e4a92e --- /dev/null +++ b/Backport-fix-bug-of-mc-case-not-collect-data.patch 
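Review bot: With the kzalloc gone, `header_msg` is assigned only by `get_timestamp_str(&header_msg)`, so its declaration (outside this hunk) must initialise it to NULL if any later path frees it unconditionally, since the `header_msg_len <= 0` check suggests the helper can fail and may leave the pointer untouched. The deletion itself looks right: Patch0008 frees the pointer get_timestamp_str hands back, so the helper appears to allocate its own buffer and the removed kzalloc was simply leaked on every call. I would also confirm that the `<= 0` branch that follows frees `module_name_all`, which is allocated a few lines above; if it does not, a one-line `kfree(module_name_all);` belongs there. report_kmodule_baseline starts and ends outside the hunk.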
@@ -0,0 +1,24 @@ +From b1689ab1e8e79f7e8125adb2c8f8614d90eb3209 Mon Sep 17 00:00:00 2001 +From: yieux +Date: Tue, 28 Nov 2023 10:49:35 +0800 +Subject: fix bug of mc case not collect data + +--- + .../cases/memory_corruption/secDetector_memory_corruption.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c +index 5b487ac..c9e9868 100644 +--- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c ++++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c +@@ -43,6 +43,7 @@ static struct secDetector_workflow workflow_array[] = { + .workflow_type = WORKFLOW_PRESET, + .hook_type = SECDETECTOR_TIMER, + .collect_array = collect_array, ++ .collect_array_len = ARRAY_SIZE(collect_array), + .analyze_type = ANALYZE_PRESET_SAVE_CHECK, + .interval = TIME_INTERVAL, + .enabled = ATOMIC_INIT(true) +-- +2.33.0 + diff --git a/Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch b/Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch new file mode 100644 index 0000000..740e754 --- /dev/null +++ b/Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch 
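Review bot: The missing `.collect_array_len` meant the preset workflow iterated over zero collectors, and the one-line fix is correct, but the same omission is easy to repeat in every other case's workflow table. A helper macro next to the struct, e.g. `#define SECDETECTOR_COLLECTORS(a) .collect_array = (a), .collect_array_len = ARRAY_SIZE(a)`, would tie the two fields together, or the framework's registration could reject a WORKFLOW_PRESET entry whose collect_array is non-NULL while its len is 0. Note that this patch and Patch0007 both diff secDetector_memory_corruption.c against blob 5b487ac, so whichever is applied second in %prep relies on patch(1) locating this context at an offset. workflow_array starts and ends outside the hunk.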
@@ -0,0 +1,68 @@ +From 6d1833b44b7cdea6c8459df8c431f1779afa2ab8 Mon Sep 17 00:00:00 2001 +From: yieux +Date: Mon, 27 Nov 2023 15:29:30 +0800 +Subject: fix memory leak bug in sc analyze unit + +--- + README.md | 2 +- + .../core/analyze_unit/secDetector_save_check.c | 15 +++++++++------ + 2 files changed, 10 insertions(+), 7 deletions(-) + +diff --git a/README.md b/README.md +index a2b7726..9658879 100644 +--- a/README.md ++++ b/README.md +@@ -68,7 +68,7 @@ secDetector在架构上分为四个部分:SDK、Service、检测特性集合ca + + 检测框架core是以一个cases依赖的基础框架,提供case的管理,和workflow所需的通用的基础功能单元。内核异常信息检测框架会以内核模块ko的形态承载。一个检测特性case可以将自己注册到框架中,或者从框架中去注册。框架还可以提供特定的交互接口以满足外部的动态请求。一个workflow被定义为有四类功能单元组成:事件发生器、信息采集器、事件分析器、响应单元。 + +- ++Driver分为两类,kerneldriver 和 usrdriver。顾名思义,kerneldriver是部署在内核态中的,以内核模块的形式承载。usrdriver是部署在用户态中的,直接被部署为Service中的一个模块。从逻辑上usrdriver是在Service之下的,但是在运行中,为了降低通信成本,usrdriver被直接集成在Service程序中。 + + ## 安装教程 + - kerneldriver +diff --git a/kerneldriver/core/analyze_unit/secDetector_save_check.c b/kerneldriver/core/analyze_unit/secDetector_save_check.c +index 101a028..72c4948 100644 +--- a/kerneldriver/core/analyze_unit/secDetector_save_check.c ++++ b/kerneldriver/core/analyze_unit/secDetector_save_check.c +@@ -129,7 +129,8 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz + response_arrays[response_array_index] = kmalloc(strlen(cd->name) + REPORT_MORE_CHAR_LEN, GFP_KERNEL); + if (response_arrays[response_array_index] == NULL) { + pr_err("kmalloc failed"); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto end; + } + + strcpy(response_arrays[response_array_index], "[save_check]"); +@@ -155,20 +156,22 @@ static int analyze_save_check_normal(struct list_head *collect_data_list, analyz + timestamp_len = get_timestamp_str(×tamp); + response_data->report_data.type = event_type; + response_data->report_data.len = response_data_char_len + timestamp_len; +- response_data->report_data.text = kmalloc(response_data_char_len + 1, GFP_KERNEL); ++ response_data->report_data.text = 
kmalloc(response_data->report_data.len + 1, GFP_KERNEL); + if (response_data->report_data.text == NULL) { + pr_err("kmalloc failed"); +- return -ENOMEM; ++ ret = -ENOMEM; ++ goto end; + } + if (timestamp_len > 0) { + strncat(response_data->report_data.text, timestamp, timestamp_len); + kfree(timestamp); + } +- for (i = 0; i < response_array_index; i++) { ++ for (i = 0; i < response_array_index; i++) + strncat(response_data->report_data.text, response_arrays[i], strlen(response_arrays[i])); +- kfree(response_arrays[i]); +- } + } ++end: ++ for (i = 0; i < response_array_index; i++) ++ kfree(response_arrays[i]); + kfree(response_arrays); + + return ret; +-- +2.33.0 + diff --git a/Backport-modify-for-getting-common-info-in-createfile.patch b/Backport-modify-for-getting-common-info-in-createfile.patch new file mode 100644 index 0000000..92c43d7 --- /dev/null +++ b/Backport-modify-for-getting-common-info-in-createfile.patch 
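Review bot: The new `goto end` taken when the report_data.text allocation fails leaks the buffer returned by `get_timestamp_str(&timestamp)`: it is freed only on the success path, and the `end:` label releases response_arrays but not timestamp. Also `report_data.len = response_data_char_len + timestamp_len` is computed before the `timestamp_len > 0` test, so if get_timestamp_str can return a negative error (Patch0010 checks its result with `<= 0`) the buffer is undersized for the strncat that follows; only add timestamp_len when it is positive. Finally kmalloc does not zero the buffer and `strncat` needs a terminated destination, so unless a `text[0] = '\0'` I cannot see precedes it, `kzalloc` is the safe choice here. analyze_save_check_normal starts outside the hunk.
```c
	timestamp_len = get_timestamp_str(&timestamp);
	if (timestamp_len < 0)
		timestamp_len = 0;
	response_data->report_data.type = event_type;
	response_data->report_data.len = response_data_char_len + timestamp_len;
	/* kzalloc: strncat below requires a NUL-terminated destination */
	response_data->report_data.text = kzalloc(response_data->report_data.len + 1, GFP_KERNEL);
	if (response_data->report_data.text == NULL) {
		pr_err("kmalloc failed");
		if (timestamp_len > 0)
			kfree(timestamp);
		ret = -ENOMEM;
		goto end;
	}
	/* … unchanged: strncat of timestamp and response_arrays, end: cleanup … */
```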
@@ -0,0 +1,49 @@ +From 7eadc69ff955e57de06b2d9be1ad8d74f3189047 Mon Sep 17 00:00:00 2001 +From: zgzxx +Date: Wed, 29 Nov 2023 18:35:53 +0800 +Subject: modify for getting common info in createfile + +--- + .../ebpf/file_ebpf/file_fentry.bpf.c | 26 ++++++++++++++++++- + 1 file changed, 25 insertions(+), 1 deletion(-) + +diff --git a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c +index 0b3d3ad..7afb7e2 100644 +--- a/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c ++++ b/observer_agent/ebpf/file_ebpf/file_fentry.bpf.c +@@ -117,7 +117,31 @@ int BPF_PROG(do_filp_open_exit, int dfd, struct filename *pathname, const struct + return 0; + + e->type = CREATFILE; +- get_common_info(e); ++ ++ struct task_struct *parent = NULL; ++ struct task_struct *task = NULL; ++ ++ e->timestamp = bpf_ktime_get_ns(); ++ e->pid = bpf_get_current_pid_tgid() >> 32; ++ e->pgid = e->tgid = bpf_get_current_pid_tgid() >> 32; ++ e->uid = bpf_get_current_uid_gid(); ++ e->gid = bpf_get_current_uid_gid() >> 32; ++ bpf_get_current_comm(&e->comm, sizeof(e->comm)); ++ /* ++ * exe path is diffcult to get in ebpf, we can get it from userspace ++ */ ++ bpf_get_current_comm(&e->exe, sizeof(e->exe)); ++ ++ task = (struct task_struct *)bpf_get_current_task(); ++ parent = (struct task_struct *)BPF_CORE_READ(task, real_parent); ++ ++ e->ppid = BPF_CORE_READ(parent, pid); ++ e->sid = get_task_sid(task); ++ e->pns = BPF_CORE_READ(pid_ns(task), ns.inum); ++ e->root_pns = BPF_CORE_READ(pid_ns(find_init_task()), ns.inum); ++ BPF_CORE_READ_INTO(&e->pcomm, parent, real_parent, comm); ++ BPF_CORE_READ_INTO(&e->nodename, task, nsproxy, uts_ns, name.nodename); ++ //get_common_info(e); + __builtin_memcpy(e->event_name, "createfile", sizeof("createfile")); + bpf_probe_read(e->file_info.filename, MAX_TEXT_SIZE, pathname->name); + bpf_ringbuf_submit(e, 0); +-- +2.33.0 + 
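Review bot: `BPF_CORE_READ_INTO(&e->pcomm, parent, real_parent, comm)` reads `task->real_parent->real_parent->comm`, i.e. the grandparent's name, while `e->ppid` is taken from `parent` itself; unless pcomm is deliberately the grandparent, this should be `BPF_CORE_READ_INTO(&e->pcomm, parent, comm);`. `e->pgid` is assigned `bpf_get_current_pid_tgid() >> 32`, which is the thread-group id and not a process group id, so consumers that treat pgid as a POSIX process group will be misled; at minimum a comment stating that pgid duplicates tgid here is needed. The inlined block also duplicates what `get_common_info` presumably did, and the commented-out `//get_common_info(e);` should be deleted in favour of a one-line comment saying why the helper is not called from this fexit program, so nobody re-adds the call. do_filp_open_exit starts outside the hunk.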
diff --git a/Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch b/Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch new file mode 100644 index 0000000..ed4d089 --- /dev/null +++ b/Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch 
@@ -0,0 +1,165 @@ +From 71409081fc4c642412d7b7fb1812bee12b6af6b9 Mon Sep 17 00:00:00 2001 +From: zcfsite +Date: Mon, 27 Nov 2023 22:27:06 +0800 +Subject: rm kmodule_list in mc and fix param ringbuf desc + +--- + kerneldriver/cases/Makefile | 2 +- + .../secDetector_mc_kmodule_list.c | 55 ------------------- + .../secDetector_mc_kmodule_list.h | 12 ---- + .../secDetector_memory_corruption.c | 16 ------ + kerneldriver/core/secDetector_main.c | 2 +- + 5 files changed, 2 insertions(+), 85 deletions(-) + delete mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c + delete mode 100644 kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h + +diff --git a/kerneldriver/cases/Makefile b/kerneldriver/cases/Makefile +index 0af72ba..5a94e50 100644 +--- a/kerneldriver/cases/Makefile ++++ b/kerneldriver/cases/Makefile +@@ -8,7 +8,7 @@ obj-m += secDetector_kmodule_baseline.o + # obj-m += secDetector_lsm_example.o + obj-m += secDetector_program_action.o + +-secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o memory_corruption/secDetector_mc_kmodule_list.o ++secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o + #secDetector_task_block-objs := task_block/secDetector_task_block.o + #secDetector_file_block-objs := file_block/secDetector_file_block.o + secDetector_kmodule_baseline-objs := kmodule_baseline/secDetector_kmodule_baseline.o kmodule_baseline/secDetector_mc_kmodule_baseline.o +diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c +deleted file mode 100644 +index 283590b..0000000 +--- a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.c ++++ /dev/null +@@ -1,55 +0,0 @@ +-/* +- * SPDX-License-Identifier: GPL-2.0 +- * +- * Author: yieux +- * create: 2023-09-28 +- * Description: the main implement of the kmodule list corruption. 
+- */ +-#include +-#include +-#include +-#include "secDetector_mc_kmodule_list.h" +-#include "secDetector_response.h" +-#include +- +-#define MODULE_LIST_MAXSIZE 0x10000 +-#define MC_KMODULE_REPORT_WORD_LEN 55 +- +-// 3 ways for get kernel module list. +-// struct module->list +-// struct module->mkobj->kobj->entry +-// struct module->mkobj->kobj->kset +-void check_kmodule_list(void) +-{ +- struct module_kobject *mobj = NULL; +- struct kobject *k = NULL; +- struct module *m = NULL; +- struct kset *module_kset = __this_module.mkobj.kobj.kset; +- response_data_t log; +- +- if (module_kset == NULL) +- return; +- +- spin_lock(&module_kset->list_lock); +- list_for_each_entry(k, &module_kset->list, entry) { +- if (k->name == NULL) +- continue; +- mobj = container_of(k, struct module_kobject, kobj); +- if (mobj == NULL || mobj->mod == NULL || (unsigned long)mobj->mod->name < MODULE_LIST_MAXSIZE) +- continue; +- +- mutex_lock(&module_mutex); +- m = find_module(k->name); +- if (m == NULL) { +- pr_err("[secDetector] mc kmoudle list find! module_name=%s.\n", k->name); +- log.report_data.len = MC_KMODULE_REPORT_WORD_LEN + strlen(k->name); +- log.report_data.text = kmalloc(log.report_data.len, GFP_KERNEL); +- sprintf(log.report_data.text, "[secDetector] mc kmoudle list find! module_name=%s.\n", k->name); +- secDetector_report(&log); +- kfree(log.report_data.text); +- } +- mutex_unlock(&module_mutex); +- } +- spin_unlock(&module_kset->list_lock); +- return; +-} +\ No newline at end of file +diff --git a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h b/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h +deleted file mode 100644 +index 737ca47..0000000 +--- a/kerneldriver/cases/memory_corruption/secDetector_mc_kmodule_list.h ++++ /dev/null +@@ -1,12 +0,0 @@ +-/* +- * SPDX-License-Identifier: GPL-2.0 +- * +- * Author: yieux +- * create: 2023-09-28 +- * Description: the kmodule list corruption head file. 
+- */ +- #ifndef SECDETECTOR_MC_KMODULE_LIST_H +- #define SECDETECTOR_MC_KMODULE_LIST_H +- +-void check_kmodule_list(void); +- #endif +\ No newline at end of file +diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c +index 5b487ac..f4a1c9f 100644 +--- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c ++++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c +@@ -10,35 +10,19 @@ + #include + #include "secDetector_manager.h" + #include +-#include "secDetector_mc_kmodule_list.h" + + + #define TIME_INTERVAL 10 + DEFINE_MUTEX(case_mc_mutex); + #define KERNELKEYDATATAMPER 0x00008000 + +-static void check_all_watching_memory(void) +-{ +- mutex_lock(&case_mc_mutex); +- check_kmodule_list(); +- mutex_unlock(&case_mc_mutex); +-} +- + static struct secDetector_collect collect_array[] = { + { + .collect_type = COLLECT_GLOBAL_FUNCTION_SWITCH, + }, + }; + +- + static struct secDetector_workflow workflow_array[] = { +- { +- .workflow_type = WORKFLOW_CUSTOMIZATION, +- .workflow_func.func = check_all_watching_memory, +- .hook_type = SECDETECTOR_TIMER, +- .interval = TIME_INTERVAL, +- .enabled = ATOMIC_INIT(true) +- }, + { + .workflow_type = WORKFLOW_PRESET, + .hook_type = SECDETECTOR_TIMER, +diff --git a/kerneldriver/core/secDetector_main.c b/kerneldriver/core/secDetector_main.c +index 878d4a3..3931229 100644 +--- a/kerneldriver/core/secDetector_main.c ++++ b/kerneldriver/core/secDetector_main.c +@@ -22,7 +22,7 @@ MODULE_PARM_DESC(log_size, "log size"); + static unsigned int ringbuf_size = MIN_RINGBUF_SIZE; /* unit is Mb */ + static unsigned int ringbuf_size_bytes; /* unit is bytes */ + module_param(ringbuf_size, uint, 0400); +-MODULE_PARM_DESC(log_size, "ringbuffer size"); ++MODULE_PARM_DESC(ringbuf_size, "ringbuffer size"); + + static bool ringbuf_size_check(void) + { +-- +2.33.0 + 
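Review bot: After check_all_watching_memory is removed, `DEFINE_MUTEX(case_mc_mutex);` in secDetector_memory_corruption.c has no remaining user in that file and is still a non-static global symbol exported from the module; unless another translation unit references it (nothing in this patch does), drop it, or at least make it `static DEFINE_MUTEX(case_mc_mutex);` so an unused-variable warning flags it. The `MODULE_PARM_DESC(ringbuf_size, ...)` correction in secDetector_main.c is right, since the old line described `log_size` twice and left ringbuf_size without modinfo text. Dropping the kmodule list check also removes the only caller of the timer-driven custom workflow, so the case's header comment should be updated to say it now relies solely on the WORKFLOW_PRESET save-check collector.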
diff --git a/secDetector.spec b/secDetector.spec index 5dc390d..1a95251 100644 --- a/secDetector.spec +++ b/secDetector.spec @@ -5,7 +5,7 @@ Name : secDetector Summary : OS Security Intrusion Detection System Version : 1.0 -Release : 5 +Release : 6 License : GPL-2.0 Source0 : %{name}-v%{version}.tar.gz BuildRequires: kernel-devel kernel-headers @@ -21,6 +21,11 @@ Patch0003: Backport-check-value-for-topic.patch Patch0004: Backport-fix-printf-error-in-main.cpp.patch Patch0005: Backport-fix-system-crash-caused-by-registration-exception.patch Patch0006: Backport-fix-register-kpobe-mutiple-times.patch +Patch0007: Backport-rm-kmodule_list-in-mc-and-fix-param-ringbuf-desc.patch +Patch0008: Backport-fix-memory-leak-bug-in-sc-analyze-unit.patch +Patch0009: Backport-fix-bug-of-mc-case-not-collect-data.patch +Patch0010: Backport-del-useless-code-for-timestamp.patch +Patch0011: Backport-modify-for-getting-common-info-in-createfile.patch %description OS Security Intrusion Detection System @@ -94,6 +99,9 @@ rm -rf %{buildroot} %attr(0644,root,root) /usr/include/secDetector/secDetector_topic.h %changelog +* Wed Nov 29 2023 zhangguangzhi 1.0-6 +- backport some patches + * Mon Nov 27 2023 zcfsite 1.0-5 - fix some kerneldriver error
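Review bot: Patch0007 and Patch0009 both modify kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c from the same blob (index 5b487ac), so whichever %prep applies second depends on patch(1) matching its context at an offset; verify the build log shows no fuzz or rejects, or regenerate Patch0009 on top of Patch0007. The changelog entry `- backport some patches` should name what the backports fix (memory leak in the save-check analyzer, mc case collecting no data, createfile common info, ringbuf_size parameter description) so the release note is useful to anyone reading the package history.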