diff --git a/kerneldriver/core/Makefile b/kerneldriver/core/Makefile index cadf86b8ed9bd53854beaf0f1345a0c41769daaa..bf7b71a6ee68ddcb86f4b15b7af3a1c3e8c9f24e 100644 --- a/kerneldriver/core/Makefile +++ b/kerneldriver/core/Makefile @@ -6,6 +6,7 @@ secDetector_core-objs += hook_unit/secDetector_hook_tracepoint.o secDetector_core-objs += hook_unit/secDetector_hook.o secDetector_core-objs += response_unit/secDetector_proc.o secDetector_core-objs += response_unit/secDetector_response.o +secDetector_core-objs += secDetector_workflow.o secDetector_core-objs += secDetector_manager.o secDetector_core-objs += secDetector_main.o @@ -21,7 +22,7 @@ endif export KBUILD_EXTRA_SYMBOLS all: - $(MAKE) -C $(KERNEL_SRC) M=$(PWD) modules KCPPFLAGS="${cflags-y}" + $(MAKE) -C $(KERNEL_SRC) M=$(PWD) modules KCPPFLAGS="${cflags-y}" clean: - rm -rf *.ko *.o .*.o.d .*.ko.cmd *.mod.c *.mod .*.cmd Modules.* *.symvers *.order .tmp* *.markers */*.ko */*.o */.*.o.d */.*.ko.cmd */*.mod.c */*.mod */.*.cmd */Modules.* */*.symvers + rm -rf *.ko *.o .*.o.d .*.ko.cmd *.mod.c *.mod .*.cmd Modules.* *.symvers *.order .tmp* *.markers */*.ko */*.o */.*.o.d */.*.ko.cmd */*.mod.c */*.mod */.*.cmd */Modules.* */*.symvers diff --git a/kerneldriver/core/hook_unit/secDetector_hook.c b/kerneldriver/core/hook_unit/secDetector_hook.c index d3ae696454540b09f57a83b431b7d1eac92e7779..f4ac8df88638839801abb4b5a4dd3c9cc0e86d81 100644 --- a/kerneldriver/core/hook_unit/secDetector_hook.c +++ b/kerneldriver/core/hook_unit/secDetector_hook.c @@ -18,6 +18,7 @@ #include #include #include "secDetector_hook.h" +#include "secDetector_hook_type.h" struct hook_list_func { int type_min; diff --git a/kerneldriver/core/hook_unit/secDetector_hook.h b/kerneldriver/core/hook_unit/secDetector_hook.h index 0ecd315a4da2d8a635500c0d7ef5470782d7d615..381f9eecb2e15feac7cb307033e623e8ede573f0 100644 --- a/kerneldriver/core/hook_unit/secDetector_hook.h +++ b/kerneldriver/core/hook_unit/secDetector_hook.h @@ -19,7 +19,7 @@ #include #include -#include +#include "secDetector_workflow_type.h" extern struct list_head secDetector_hook_array[HOOKEND]; extern struct mutex g_hook_list_array_mutex; @@ -49,7 +49,7 @@ extern void init_secDetector_hook(void); return; \ list_for_each_entry_rcu(workflow, &(callback_list), list) { \ if (atomic_read(&workflow->enabled) && atomic_read(&workflow->module->enabled)) \ - workflow->callback_func.func(PARAMS(args)); \ + workflow->workflow_func.func(PARAMS(args)); \ } \ mutex_unlock(&g_hook_list_array_mutex); \ } while(0) @@ -61,7 +61,7 @@ extern void init_secDetector_hook(void); rcu_read_lock(); \ list_for_each_entry_rcu(workflow, &(callback_list), list) { \ if (atomic_read(&workflow->enabled) && atomic_read(&workflow->module->enabled)) \ - workflow->callback_func.func(PARAMS(args)); \ + workflow->workflow_func.func(PARAMS(args)); \ } \ rcu_read_unlock(); \ } while(0) diff --git a/kerneldriver/core/secDetector_manager.c b/kerneldriver/core/secDetector_manager.c index 89ed1d88e11b158034a0e2e792263339876a0be4..d79f0d9ed3ad0c89da7b02ab037c569ac83fefa9 100644 --- a/kerneldriver/core/secDetector_manager.c +++ b/kerneldriver/core/secDetector_manager.c @@ -19,6 +19,7 @@ #include #include "hook_unit/secDetector_hook.h" #include "secDetector_manager.h" +#include "secDetector_workflow.h" static DEFINE_IDR(g_module_idr); static LIST_HEAD(secDetector_module_list); @@ -83,11 +84,15 @@ int secDetector_module_register(struct secDetector_module *module) mutex_lock(&g_hook_list_array_mutex); for (i = 0, wf = module->workflow_array; i < module->workflow_array_len; i++, wf++) { - if (wf == NULL) { - ret = -EINVAL; - goto error; - } + if (wf == NULL) { + ret = -EINVAL; + goto error; + } wf->module = module; + if (wf->workflow_type == WORKFLOW_PRESET) { + wf->workflow_func.func = preset_workflow; + } + ret = insert_callback(wf); if (ret < 0) { pr_err("[secDetector] insert callback failed\n"); diff --git a/kerneldriver/core/secDetector_workflow.c b/kerneldriver/core/secDetector_workflow.c new file mode 100644 index 0000000000000000000000000000000000000000..2ad97a5790c59be6ab98ed7a2108c84f75911ac1 --- /dev/null +++ b/kerneldriver/core/secDetector_workflow.c @@ -0,0 +1,20 @@ +/* + * Copyright (c) 2023 Huawei Technologies Co., Ltd. All rights reserved. + * secDetector is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: yieux + * create: 2023-09-25 + * Description: detector workflow manager + */ +#include "secDetector_workflow_type.h" + +void preset_workflow(void) { + +} \ No newline at end of file diff --git a/kerneldriver/include/secDetector_analyze.h b/kerneldriver/include/secDetector_analyze.h new file mode 100644 index 0000000000000000000000000000000000000000..f5dfbe09c25982fdf79293220f9dd24908a5c728 --- /dev/null +++ b/kerneldriver/include/secDetector_analyze.h @@ -0,0 +1,19 @@ +/* + * Copyright (c) 2023 Huawei Technologies Co., Ltd. All rights reserved. + * secDetector is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: yieux + * Create: 2023-09-25 + * Description: secDetector analyze unit header + */ +#ifndef SECDETECTOR_ANALYZE_H +#define SECDETECTOR_ANALYZE_H +#include "secDetector_analyze_type.h" +#endif \ No newline at end of file diff --git a/kerneldriver/include/secDetector_analyze_type.h b/kerneldriver/include/secDetector_analyze_type.h new file mode 100644 index 0000000000000000000000000000000000000000..ef7705273435f026e520488a177e7ee82a15dac8 --- /dev/null +++ b/kerneldriver/include/secDetector_analyze_type.h @@ -0,0 +1,32 @@ +/* + * Copyright (c) 2023 Huawei Technologies Co., Ltd. All rights reserved. + * secDetector is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: yieux + * Create: 2023-09-25 + * Description: secDetector analyze unit type header + */ +#ifndef SECDETECTOR_ANALYZE_TYPE_H +#define SECDETECTOR_ANALYZE_TYPE_H + +enum ANALYZE_TYPE{ + ANALYZE_RECORD, + ANALYZE_PRESET_START, + ANALYZE_PRESET_SAVE_CHECK = ANALYZE_PRESET_START, + ANALYZE_PRESET_FREQUENCY_RANGE, + ANALYZE_PRESET_END = ANALYZE_PRESET_FREQUENCY_RANGE, + ANALYZE_CUSTOMIZATION, +}; + +typedef union analyze_func { + void (*func)(void); + void (*analyze_record_func)(void); +}analyze_func_t; +#endif \ No newline at end of file diff --git a/kerneldriver/include/secDetector_collect.h b/kerneldriver/include/secDetector_collect.h new file mode 100644 index 0000000000000000000000000000000000000000..df4ac1f67955d2479b619f67af953152caaddab9 --- /dev/null +++ b/kerneldriver/include/secDetector_collect.h @@ -0,0 +1,19 @@ +/* + * Copyright (c) 2023 Huawei Technologies Co., Ltd. All rights reserved. + * secDetector is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: yieux + * Create: 2023-09-25 + * Description: secDetector collect unit header + */ +#ifndef SECDETECTOR_COLLECT_H +#define SECDETECTOR_COLLECT_H +#include "secDetector_collect_type.h" +#endif \ No newline at end of file diff --git a/kerneldriver/include/secDetector_collect_type.h b/kerneldriver/include/secDetector_collect_type.h new file mode 100644 index 0000000000000000000000000000000000000000..1122d156e9c2a498178483d56d4ba352287e0e09 --- /dev/null +++ b/kerneldriver/include/secDetector_collect_type.h @@ -0,0 +1,44 @@ +/* + * Copyright (c) 2023 Huawei Technologies Co., Ltd. All rights reserved. + * secDetector is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: yieux + * Create: 2023-09-25 + * Description: secDetector collect unit type header + */ +#ifndef SECDETECTOR_COLLECT_TYPE_H +#define SECDETECTOR_COLLECT_TYPE_H + +enum COLLECT_TYPE{ + COLLECT_TIME, + COLLECT_CURRENT_START, + COLLECT_CURRENT_PROCESS = COLLECT_CURRENT_START, + COLLECT_CURRENT_FILE, + COLLECT_CURRENT_END = COLLECT_CURRENT_FILE, + COLLECT_GLOBAL_START, + COLLECT_GLOBAL_PROCESS = COLLECT_GLOBAL_START, + COLLECT_GLOBAL_FILE, + COLLECT_GLOBAL_RESOURCE, + COLLECT_GLOBAL_END = COLLECT_GLOBAL_RESOURCE, + COLLECT_CUSTOMIZATION, +}; + +union collect_func { + void (*func)(void); + void (*COLLECT_record_func)(void); +}; + +struct secDetector_collect { + struct list_head list; + struct rcu_head rcu; + unsigned int collect_type; + union collect_func collect_func; +}; +#endif \ No newline at end of file diff --git a/kerneldriver/include/secDetector_hook_type.h b/kerneldriver/include/secDetector_hook_type.h new file mode 100644 index 0000000000000000000000000000000000000000..97f5f6682dd55992b53feafa4a6fceaa87786a5d --- /dev/null +++ b/kerneldriver/include/secDetector_hook_type.h @@ -0,0 +1,31 @@ +/* + * Copyright (c) 2023 Huawei Technologies Co., Ltd. All rights reserved. + * secDetector is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: yieux + * Create: 2023-09-25 + * Description: secDetector hook unit type header + */ +#ifndef SECDETECTOR_HOOK_TYPE_H +#define SECDETECTOR_HOOK_TYPE_H + +enum HOOK_TYPE { + TRACEPOINT_HOOK_START, + TRACEPOINT_CREATE_FILE = TRACEPOINT_HOOK_START, + TRACEPOINT_WRITE_FILE, + TRACEPOINT_CREATE_PROCESS, + TRACEPOINT_HOOK_END = TRACEPOINT_CREATE_PROCESS, + + HOOKEND, + + SECDETECTOR_TIMER, +}; + +#endif \ No newline at end of file diff --git a/kerneldriver/include/secDetector_manager.h b/kerneldriver/include/secDetector_manager.h index f64b5f6df8e1fb99b5414f23739604df62491630..70dedd327a2c7bee5da527a0ad534fe9fdfd87ea 100644 --- a/kerneldriver/include/secDetector_manager.h +++ b/kerneldriver/include/secDetector_manager.h @@ -17,50 +17,7 @@ #include #include #include - -enum CALLBACKTYPE { - TRACEPOINT_HOOK_START, - TRACEPOINT_CREATE_FILE = TRACEPOINT_HOOK_START, - TRACEPOINT_WRITE_FILE, - TRACEPOINT_CREATE_PROCESS, - TRACEPOINT_HOOK_END = TRACEPOINT_CREATE_PROCESS, - - HOOKEND, - - SECDETECTOR_TIMER, -}; - -union callback_func { - void (*func)(void); - void (*create_file)(struct filename *); - void (*write_file)(struct filename *); - void (*create_process)(int); - void (*timer_func)(struct timer_list *); -}; - -struct secDetector_workflow { - struct list_head list; - struct rcu_head rcu; - unsigned int id; - struct secDetector_module *module; - atomic_t enabled; - - unsigned int hook_type; - int interval; - union callback_func callback_func; -}; - -struct secDetector_module { - struct list_head list; - struct rcu_head rcu; - unsigned int id; - char *name; - struct module *kmodule; - atomic_t enabled; - - struct secDetector_workflow *workflow_array; - uint32_t workflow_array_len; -}; +#include "secDetector_module_type.h" extern void secDetector_init_manager(void); extern int secDetector_module_register(struct secDetector_module *module); diff --git a/kerneldriver/include/secDetector_module_type.h b/kerneldriver/include/secDetector_module_type.h new file mode 100644 index 0000000000000000000000000000000000000000..dc9a149c3daac4189eba1fcb41dce631dca4c30b --- /dev/null +++ b/kerneldriver/include/secDetector_module_type.h @@ -0,0 +1,36 @@ +/* + * Copyright (c) 2023 Huawei Technologies Co., Ltd. All rights reserved. + * secDetector is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: yieux + * Create: 2023-09-25 + * Description: secDetector module type header + */ +#ifndef SECDETECTOR_MODULE_TYPE_H +#define SECDETECTOR_MODULE_TYPE_H +#include +#include +#include +#include "secDetector_workflow_type.h" + +typedef struct secDetector_workflow secDetector_workflow_t; +struct secDetector_module { + struct list_head list; + struct rcu_head rcu; + unsigned int id; + char *name; + struct module *kmodule; + atomic_t enabled; + + secDetector_workflow_t *workflow_array; + uint32_t workflow_array_len; +}; + +#endif \ No newline at end of file diff --git a/kerneldriver/include/secDetector_response.h b/kerneldriver/include/secDetector_response.h index e91d4db94453173eee25947894d94a2ab842bf87..5231b24d4f297ce3c8a33694a466b811c71e8bc5 100644 --- a/kerneldriver/include/secDetector_response.h +++ b/kerneldriver/include/secDetector_response.h @@ -17,6 +17,13 @@ #define SECDETECTOR_RESPONSE_H #include "secDetector_response_type.h" +struct secdetector_response { + struct list_head list; + struct rcu_head rcu; + unsigned int response_type; + response_func_t response_func; +}; + extern void notrace secdetector_respond(unsigned int response_type, response_data_t *data); extern void notrace secdetector_report(response_data_t *data); diff --git a/kerneldriver/include/secDetector_workflow.h b/kerneldriver/include/secDetector_workflow.h new file mode 100644 index 0000000000000000000000000000000000000000..37ee8124c2afb6b9d533ec3ef6e70226e799beda --- /dev/null +++ b/kerneldriver/include/secDetector_workflow.h @@ -0,0 +1,25 @@ +/* + * Copyright (c) 2023 Huawei Technologies Co., Ltd. All rights reserved. + * secDetector is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: yieux + * Create: 2023-09-25 + * Description: secDetector workflow header + */ +#ifndef SECDETECTOR_WORKFLOW_H +#define SECDETECTOR_WORKFLOW_H +#include "secDetector_collect.h" +#include "secDetector_analyze.h" +#include "secDetector_response.h" +#include "secDetector_workflow_type.h" + + +void preset_workflow(void); +#endif \ No newline at end of file diff --git a/kerneldriver/include/secDetector_workflow_type.h b/kerneldriver/include/secDetector_workflow_type.h new file mode 100644 index 0000000000000000000000000000000000000000..146a905c4a8d76abe793544807e3ba9b3063621a --- /dev/null +++ b/kerneldriver/include/secDetector_workflow_type.h @@ -0,0 +1,67 @@ +/* + * Copyright (c) 2023 Huawei Technologies Co., Ltd. All rights reserved. + * secDetector is licensed under Mulan PSL v2. + * You can use this software according to the terms and conditions of the Mulan PSL v2. + * You may obtain a copy of Mulan PSL v2 at: + * http://license.coscl.org.cn/MulanPSL2 + * THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, + * EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, + * MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. + * See the Mulan PSL v2 for more details. + * + * Author: yieux + * Create: 2023-09-25 + * Description: secDetector workflow type header + */ +#ifndef SECDETECTOR_WORKFLOW_TYPE_H +#define SECDETECTOR_WORKFLOW_TYPE_H +#include "secDetector_hook_type.h" +#include "secDetector_collect_type.h" +#include "secDetector_analyze_type.h" +#include "secDetector_response_type.h" +#include "secDetector_module_type.h" + +enum WORKFLOW_TYPE{ + WORKFLOW_CUSTOMIZATION, + WORKFLOW_PRESET, +}; + +union workflow_func { + void (*func)(void); + void (*create_file)(struct filename *); + void (*write_file)(struct filename *); + void (*create_process)(int); + void (*timer_func)(struct timer_list *); +}; + +typedef struct secDetector_module secDetector_module_t; +typedef struct secDetector_workflow { + struct list_head list; + struct rcu_head rcu; + unsigned int id; + secDetector_module_t *module; + atomic_t enabled; + unsigned int workflow_type; + union workflow_func workflow_func; + + //hook + unsigned int hook_type; + int interval; + + //collect + struct secDetector_collect *collect_array; + uint32_t collect_array_len; + + //analyze + unsigned int analyze_type; + analyze_func_t analyze_func; + + //response + struct secdetector_response *response_array; + uint32_t response_array_len; + +} secDetector_workflow_t; + + + +#endif \ No newline at end of file