五、内核安全相关数据结构
5.1 security_operations结构体
-
这是一个钩子函数的指针数组,其中每一个数组元素都是一个SELINUX安全钩子函数,在2.6以上的内核中,大部分涉及安全控制的系统调用都被替换为了这个结构体中的对应钩子函数项,从而使SELINUX能在代码执行流这个层面实现安全访问控制。
-
这个结构中包含了按照内核对象或内核子系统分组的钩子组成的子结构,以及一些用于系统操作的顶层钩子。在内核源代码中很容易找到对钩子函数的调用: 其前缀是security_ops->xxxx
struct security_operations { char name[SECURITY_NAME_MAX + 1]; int (*ptrace_access_check) (struct task_struct *child, unsigned int mode); int (*ptrace_traceme) (struct task_struct *parent); int (*capget) (struct task_struct *target,\ kernel_cap_t *effective,\ kernel_cap_t *inheritable, kernel_cap_t *permitted); int (*capset) (struct cred *new,\ const struct cred *old,\ const kernel_cap_t *effective,\ const kernel_cap_t *inheritable,\ const kernel_cap_t *permitted); int (*capable) (struct task_struct *tsk, const struct cred *cred,\ int cap, int audit); int (*acct) (struct file *file); int (*sysctl) (struct ctl_table *table, int op); int (*quotactl) (int cmds, int type, int id, struct super_block *sb); int (*quota_on) (struct dentry *dentry); int (*syslog) (int type); int (*settime) (struct timespec *ts, struct timezone *tz); int (*vm_enough_memory) (struct mm_struct *mm, long pages); int (*bprm_set_creds) (struct linux_binprm *bprm); int (*bprm_check_security) (struct linux_binprm *bprm); int (*bprm_secureexec) (struct linux_binprm *bprm); void (*bprm_committing_creds) (struct linux_binprm *bprm); void (*bprm_committed_creds) (struct linux_binprm *bprm); int (*sb_alloc_security) (struct super_block *sb); void (*sb_free_security) (struct super_block *sb); int (*sb_copy_data) (char *orig, char *copy); int (*sb_kern_mount) (struct super_block *sb, int flags, void *data); int (*sb_show_options) (struct seq_file *m, struct super_block *sb); int (*sb_statfs) (struct dentry *dentry); int (*sb_mount) (char *dev_name, struct path *path, char *type, unsigned long flags, void *data); int (*sb_check_sb) (struct vfsmount *mnt, struct path *path); int (*sb_umount) (struct vfsmount *mnt, int flags); void (*sb_umount_close) (struct vfsmount *mnt); void (*sb_umount_busy) (struct vfsmount *mnt); void (*sb_post_remount) (struct vfsmount *mnt, unsigned long flags, void *data); void (*sb_post_addmount) (struct vfsmount *mnt,\ struct path *mountpoint); int (*sb_pivotroot) (struct path *old_path,\ struct path *new_path); void (*sb_post_pivotroot) (struct path *old_path,\ struct path *new_path); int (*sb_set_mnt_opts) (struct super_block *sb,\ struct security_mnt_opts *opts); void (*sb_clone_mnt_opts) (const struct super_block *oldsb,\ struct super_block *newsb); int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); #ifdef CONFIG_SECURITY_PATH int (*path_unlink) (struct path *dir, struct dentry *dentry); int (*path_mkdir) (struct path *dir, struct dentry *dentry, int mode); int (*path_rmdir) (struct path *dir, struct dentry *dentry); int (*path_mknod) (struct path *dir, struct dentry *dentry, int mode,\ unsigned int dev); int (*path_truncate) (struct path *path, loff_t length,\ unsigned int time_attrs); int (*path_symlink) (struct path *dir, struct dentry *dentry,\ const char *old_name); int (*path_link) (struct dentry *old_dentry, struct path *new_dir,\ struct dentry *new_dentry); int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,\ struct path *new_dir, struct dentry *new_dentry); #endif int (*inode_alloc_security) (struct inode *inode); void (*inode_free_security) (struct inode *inode); int (*inode_init_security) (struct inode *inode, struct inode *dir,\ char **name, void **value, size_t *len); int (*inode_create) (struct inode *dir,\ struct dentry *dentry, int mode); int (*inode_link) (struct dentry *old_dentry,\ struct inode *dir, struct dentry *new_dentry); int (*inode_unlink) (struct inode *dir, struct dentry *dentry); int (*inode_symlink) (struct inode *dir,\ struct dentry *dentry, const char *old_name); int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode); int (*inode_rmdir) (struct inode *dir, struct dentry *dentry); int (*inode_mknod) (struct inode *dir, struct dentry *dentry,\ int mode, dev_t dev); int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,\ struct inode *new_dir, struct dentry *new_dentry); int (*inode_readlink) (struct dentry *dentry); int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); int (*inode_permission) (struct inode *inode, int mask); int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); void (*inode_delete) (struct inode *inode); int (*inode_setxattr) (struct dentry *dentry, const char *name,\ const void *value, size_t size, int flags); void (*inode_post_setxattr) (struct dentry *dentry, const char *name,\ const void *value, size_t size, int flags); int (*inode_getxattr) (struct dentry *dentry, const char *name); int (*inode_listxattr) (struct dentry *dentry); int (*inode_removexattr) (struct dentry *dentry, const char *name); int (*inode_need_killpriv) (struct dentry *dentry); int (*inode_killpriv) (struct dentry *dentry); int (*inode_getsecurity) (const struct inode *inode, \ const char *name, void **buffer, bool alloc); int (*inode_setsecurity) (struct inode *inode, \ const char *name, const void *value, \ size_t size, int flags); int (*inode_listsecurity) (struct inode *inode, char *buffer, size_t buffer_size); void (*inode_getsecid) (const struct inode *inode, u32 *secid); int (*file_permission) (struct file *file, int mask); int (*file_alloc_security) (struct file *file); void (*file_free_security) (struct file *file); int (*file_ioctl) (struct file *file, unsigned int cmd, unsigned long arg); int (*file_mmap) (struct file *file,\ unsigned long reqprot, unsigned long prot,\ unsigned long flags, unsigned long addr,\ unsigned long addr_only); int (*file_mprotect) (struct vm_area_struct *vma,\ unsigned long reqprot,\ unsigned long prot); int (*file_lock) (struct file *file, unsigned int cmd); int (*file_fcntl) (struct file *file, unsigned int cmd,\ unsigned long arg); int (*file_set_fowner) (struct file *file); int (*file_send_sigiotask) (struct task_struct *tsk,\ struct fown_struct *fown, int sig); int (*file_receive) (struct file *file); int (*dentry_open) (struct file *file, const struct cred *cred); int (*task_create) (unsigned long clone_flags); int (*cred_alloc_blank) (struct cred *cred, gfp_t gfp); void (*cred_free) (struct cred *cred); int (*cred_prepare)(struct cred *new, const struct cred *old,\ gfp_t gfp); void (*cred_commit)(struct cred *new, const struct cred *old); void (*cred_transfer)(struct cred *new, const struct cred *old); int (*kernel_act_as)(struct cred *new, u32 secid); int (*kernel_create_files_as)(struct cred *new, struct inode *inode); int (*kernel_module_request)(void); int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); int (*task_fix_setuid) (struct cred *new, const struct cred *old,\ int flags); int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags); int (*task_setpgid) (struct task_struct *p, pid_t pgid); int (*task_getpgid) (struct task_struct *p); int (*task_getsid) (struct task_struct *p); void (*task_getsecid) (struct task_struct *p, u32 *secid); int (*task_setgroups) (struct group_info *group_info); int (*task_setnice) (struct task_struct *p, int nice); int (*task_setioprio) (struct task_struct *p, int ioprio); int (*task_getioprio) (struct task_struct *p); int (*task_setrlimit) (unsigned int resource, struct rlimit *new_rlim); int (*task_setscheduler) (struct task_struct *p, int policy,\ struct sched_param *lp); int (*task_getscheduler) (struct task_struct *p); int (*task_movememory) (struct task_struct *p); int (*task_kill) (struct task_struct *p,\ struct siginfo *info, int sig, u32 secid); int (*task_wait) (struct task_struct *p); int (*task_prctl) (int option, unsigned long arg2,\ unsigned long arg3, unsigned long arg4,\ unsigned long arg5); void (*task_to_inode) (struct task_struct *p, struct inode *inode); int (*ipc_permission) (struct kern_ipc_perm *ipcp, short flag); void (*ipc_getsecid) (struct kern_ipc_perm *ipcp, u32 *secid); int (*msg_msg_alloc_security) (struct msg_msg *msg); void (*msg_msg_free_security) (struct msg_msg *msg); int (*msg_queue_alloc_security) (struct msg_queue *msq); void (*msg_queue_free_security) (struct msg_queue *msq); int (*msg_queue_associate) (struct msg_queue *msq, int msqflg); int (*msg_queue_msgctl) (struct msg_queue *msq, int cmd); int (*msg_queue_msgsnd) (struct msg_queue *msq,\ struct msg_msg *msg, int msqflg); int (*msg_queue_msgrcv) (struct msg_queue *msq,\ struct msg_msg *msg,\ struct task_struct *target,\ long type, int mode); int (*shm_alloc_security) (struct shmid_kernel *shp); void (*shm_free_security) (struct shmid_kernel *shp); int (*shm_associate) (struct shmid_kernel *shp, int shmflg); int (*shm_shmctl) (struct shmid_kernel *shp, int cmd); int (*shm_shmat) (struct shmid_kernel *shp,\ char __user *shmaddr, int shmflg); int (*sem_alloc_security) (struct sem_array *sma); void (*sem_free_security) (struct sem_array *sma); int (*sem_associate) (struct sem_array *sma, int semflg); int (*sem_semctl) (struct sem_array *sma, int cmd); int (*sem_semop) (struct sem_array *sma,\ struct sembuf *sops, unsigned nsops, int alter); int (*netlink_send) (struct sock *sk, struct sk_buff *skb); int (*netlink_recv) (struct sk_buff *skb, int cap); void (*d_instantiate) (struct dentry *dentry, struct inode *inode); int (*getprocattr) (struct task_struct *p, char *name, char **value); int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size); int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen); int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid); void (*release_secctx) (char *secdata, u32 seclen); int (*inode_notifysecctx)(struct inode *inode, void *ctx, u32 ctxlen); int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen); int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen); #ifdef CONFIG_SECURITY_NETWORK int (*unix_stream_connect) (struct socket *sock,\ struct socket *other, struct sock *newsk); int (*unix_may_send) (struct socket *sock, struct socket *other); int (*socket_create) (int family, int type, int protocol, int kern); int (*socket_post_create) (struct socket *sock, int family,\ int type, int protocol, int kern); int (*socket_bind) (struct socket *sock,\ struct sockaddr *address, int addrlen); int (*socket_connect) (struct socket *sock,\ struct sockaddr *address, int addrlen); int (*socket_listen) (struct socket *sock, int backlog); int (*socket_accept) (struct socket *sock, struct socket *newsock); int (*socket_sendmsg) (struct socket *sock,\ struct msghdr *msg, int size); int (*socket_recvmsg) (struct socket *sock, struct msghdr *msg, int size, int flags); int (*socket_getsockname) (struct socket *sock); int (*socket_getpeername) (struct socket *sock); int (*socket_getsockopt) (struct socket *sock, int level, int optname); int (*socket_setsockopt) (struct socket *sock, int level, int optname); int (*socket_shutdown) (struct socket *sock, int how); int (*socket_sock_rcv_skb) (struct sock *sk, struct sk_buff *skb); int (*socket_getpeersec_stream) (struct socket *sock, \ char __user *optval, \ int __user *optlen, unsigned len); int (*socket_getpeersec_dgram) (struct socket *sock, \ struct sk_buff *skb, u32 *secid); int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority); void (*sk_free_security) (struct sock *sk); void (*sk_clone_security) (const struct sock *sk, struct sock *newsk); void (*sk_getsecid) (struct sock *sk, u32 *secid); void (*sock_graft) (struct sock *sk, struct socket *parent); int (*inet_conn_request) (struct sock *sk, struct sk_buff *skb,\ struct request_sock *req); void (*inet_csk_clone) (struct sock *newsk, const struct request_sock *req); void (*inet_conn_established) (struct sock *sk, struct sk_buff *skb); void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl); int (*tun_dev_create)(void); void (*tun_dev_post_create)(struct sock *sk); int (*tun_dev_attach)(struct sock *sk); #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM int (*xfrm_policy_alloc_security) (struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx); int (*xfrm_policy_clone_security) (struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctx); void (*xfrm_policy_free_security) (struct xfrm_sec_ctx *ctx); int (*xfrm_policy_delete_security) (struct xfrm_sec_ctx *ctx); int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx, u32 secid); void (*xfrm_state_free_security) (struct xfrm_state *x); int (*xfrm_state_delete_security) (struct xfrm_state *x); int (*xfrm_policy_lookup) (struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); int (*xfrm_state_pol_flow_match) (struct xfrm_state *x,\ struct xfrm_policy *xp, struct flowi *fl); int (*xfrm_decode_session) (struct sk_buff *skb, u32 *secid, int ckall); #endif /* CONFIG_SECURITY_NETWORK_XFRM */ /* key management security hooks */ #ifdef CONFIG_KEYS int (*key_alloc) (struct key *key, const struct cred *cred, unsigned long flags); void (*key_free) (struct key *key); int (*key_permission) (key_ref_t key_ref,\ const struct cred *cred,\ key_perm_t perm); int (*key_getsecurity)(struct key *key, char **_buffer); int (*key_session_to_parent)(const struct cred *cred,\ const struct cred *parent_cred,\ struct key *key); #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT int (*audit_rule_init) (u32 field, u32 op, char *rulestr, void **lsmrule); int (*audit_rule_known) (struct audit_krule *krule); int (*audit_rule_match) (u32 secid, u32 field, u32 op, void *lsmrule,\ struct audit_context *actx); void (*audit_rule_free) (void *lsmrule); #endif /* CONFIG_AUDIT */ }; -
拓展链接:
- http://www.hep.by/gnu/kernel/lsm/framework.html
- http://blog.sina.com.cn/s/blog_858820890101eb3c.html
- http://mirror.linux.org.au/linux-mandocs/2.6.4-cset-20040312_2111/security_operations.html
5.2 kprobe结构体
-
用于存储每个探测点的基本结构
struct kprobe { /*用于保存kprobe的全局hash表,以被探测的addr为key*/ struct hlist_node hlist; /*当对同一个探测点存在多个探测函数时,所有的函数挂在这条链上*/ struct list_head list; /*count the number of times this probe was temporarily disarmed */ unsigned long nmissed; /*被探测的目标地址,要注意的是,只能是addr或是symbol_name其中一个填入了值,如果两个都填入,在注册这个探头的时候就会出现错误-21非法符号*/ kprobe_opcode_t *addr; /*允许用户指定函数名,内核函数kallsyms_lookup_name("xx")会去获取具体的函数地址*/ const char *symbol_name; /* 如果被探测点为函数内部某个指令,需要使用addr + offset的方式 从这点也可以看出,kprobe可以hook在内核中的任何位置 */ unsigned int offset; /*探测函数,在目标探测点执行之前调用*/ kprobe_pre_handler_t pre_handler; /*探测函数,在目标探测点执行之后调用*/ kprobe_post_handler_t post_handler; /* called if executing addr causes a fault (eg. page fault). Return 1 if it handled fault, otherwise kernel will see it. */ kprobe_fault_handler_t fault_handler; /* called if breakpoint trap occurs in probe handler. Return 1 if it handled break, otherwise kernel will see it. */ kprobe_break_handler_t break_handler; /*opcode 以及 ainsn 用于保存被替换的指令码*/ /* Saved opcode (which has been replaced with breakpoint) */ kprobe_opcode_t opcode; /* copy of the original instruction */ struct arch_specific_insn ainsn; /* Indicates various status flags. Protected by kprobe_mutex after this kprobe is registered. */ u32 flags; };
5.3 jprobe结构体
-
jprobe是对kprobes的一层功能上的封装,这点从数据结构上也能看出来
struct jprobe { struct kprobe kp; /* 定义的probe程序,要注意的是 1. 注册进去的探头程序应该和被注册的函数的参数列表一致 2. 我们在设置函数指针的时候需要使用(kprobe_opcode_t *)进行强制转换 */ void *entry; }
5.4 kretprobe结构体
- kretprobe注册(register_kretprobe)的时候需要传递这个结构体
struct kretprobe
{
struct kprobe kp;
//注册的回调函数,handler指定探测点的处理函数
kretprobe_handler_t handler;
//注册的预处理回调函数,类似于kprobes中的pre_handler()
kretprobe_handler_t entry_handler;
//maxactive指定可以同时运行的最大处理函数实例数,它应当被恰当设置,否则可能丢失探测点的某些运行
int maxactive;
int nmissed;
//指示kretprobe需要为回调监控预留多少内存空间
size_t data_size;
struct hlist_head free_instances;
raw_spinlock_t lock;
};
5.5 kretprobe_instance
- 在kretprobe的注册处理函数(.handler)中我们可以拿到这个结构体
struct kretprobe_instance
{
struct hlist_node hlist;
//指向相应的kretprobe_instance变量(就是我们在register_kretprobe时传入的参数)
struct kretprobe *rp;
//返回地址
kprobe_opcode_t *ret_addr;
//指向相应的task_struct
struct task_struct *task;
char data[0];
};
5.6 kretprobe_blackpoint 、struct kprobe_blacklist_entry
struct kretprobe_blackpoint
{
const char *name;
void *addr;
};
struct kprobe_blacklist_entry
{
struct list_head list;
unsigned long start_addr;
unsigned long end_addr;
};
5.7 linux_binprm
-
在Linux内核中,每种二进制格式都表示为
struct linux_binprm数据结构,Linux支持的二进制格式有:- flat_format: 平坦格式
用于没有内存管理单元(MMU)的嵌入式CPU上,为节省空间,可执行文件中的数据还可以压缩(如果内核可提供zlib支持)
- script_format: 伪格式
用于运行使用#!机制的脚本,检查文件的第一行,内核即知道使用何种解释器,启动适当的应用程序即可(例如: #! /usr/bin/perl 则启动perl) - misc_format: 伪格式
用于启动需要外部解释器的应用程序,与#!机制相比,解释器无须显示指定,而可以通过特定的文件标识符(后缀、文件头…),例如该格式用于执行java字节码或用wine运行windows程序 - elf_format:
这是一种与计算机和体系结构无关的格式,可用于32/64位,它是linux的标准格式 - elf_fdpic_format: ELF格式变体
提供了针对没有MMU系统的特别特性 - irix_format: ELF格式变体
提供了特定于irix的特性 - som_format:
在PA-Risc计算机上使用,特定于HP-UX的格式 - aout_format:
a.out是引入ELF之前linux的标准格式
- flat_format: 平坦格式
-
/source/include/linux/binfmts.h
/*
* This structure is used to hold the arguments that are used when loading binaries.
*/
struct linux_binprm
{
//保存可执行文件的头128字节
char buf[BINPRM_BUF_SIZE];
#ifdef CONFIG_MMU
struct vm_area_struct *vma;
unsigned long vma_pages;
#else
# define MAX_ARG_PAGES 32
struct page *page[MAX_ARG_PAGES];
#endif
struct mm_struct *mm;
unsigned long p; //当前内存页最高地址
unsigned int
cred_prepared:1, /* true if creds already prepared (multiple
* preps happen for interpreters) */
cap_effective:1; /* true if has elevated effective capabilities,
* false if not; except for init which inherits
* its parent's caps anyway */
#ifdef __alpha__
unsigned int taso:1;
#endif
unsigned int recursion_depth;
struct file * file; //要执行的文件
struct cred *cred; //new credentials
int unsafe; /* how unsafe this exec is (mask of LSM_UNSAFE_*) */
unsigned int per_clear; /* bits to clear in current->personality */
int argc, envc; //命令行参数和环境变量数目
char * filename; //要执行的二进制文件的名称
char * interp; //要执行的文件的真实名称,通常和filename相同
unsigned interp_flags;
unsigned interp_data;
unsigned long loader, exec;
};
5.8 linux_binfmt
- /source/include/linux/binfmts.h
/*
* This structure defines the functions that are used to load the binary formats that
* linux accepts.
*/
struct linux_binfmt
{
//链表结构
struct list_head lh;
struct module *module;
//装入二进制代码
int (*load_binary)(struct linux_binprm *, struct pt_regs * regs);
//装入公用库
int (*load_shlib)(struct file *);
int (*core_dump)(long signr, struct pt_regs *regs, \
struct file *file, unsigned long limit);
unsigned long min_coredump; /* minimal dump size */
int hasvdso;
};
2万+
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
