From ba1d13a4ac61d57b743c9749f7f8852b8a110372 Mon Sep 17 00:00:00 2001 From: zgzxx Date: Mon, 6 Nov 2023 14:26:28 +0800 Subject: [PATCH] add case kmodule baseline --- kerneldriver/cases/Makefile | 2 + .../secDetector_kmodule_baseline.c | 66 ++++++++ .../secDetector_mc_kmodule_baseline.c | 157 ++++++++++++++++++ .../secDetector_mc_kmodule_baseline.h | 12 ++ .../secDetector_memory_corruption.c | 3 +- lib/secDetector_sdk.h | 2 + observer_agent/service/main.cpp | 2 +- 7 files changed, 242 insertions(+), 2 deletions(-) create mode 100644 kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c create mode 100644 kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c create mode 100644 kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.h diff --git a/kerneldriver/cases/Makefile b/kerneldriver/cases/Makefile index cf875c0..154be14 100644 --- a/kerneldriver/cases/Makefile +++ b/kerneldriver/cases/Makefile @@ -3,10 +3,12 @@ obj-m += secDetector_memory_corruption.o obj-m += secDetector_task_block.o obj-m += secDetector_file_block.o +obj-m += secDetector_kmodule_baseline.o secDetector_memory_corruption-objs := memory_corruption/secDetector_memory_corruption.o memory_corruption/secDetector_mc_kmodule_list.o secDetector_task_block-objs := task_block/secDetector_task_block.o secDetector_file_block-objs := file_block/secDetector_file_block.o +secDetector_kmodule_baseline-objs := kmodule_baseline/secDetector_kmodule_baseline.o kmodule_baseline/secDetector_mc_kmodule_baseline.o KERNEL_SRC ?= /lib/modules/$(shell uname -r)/build diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c new file mode 100644 index 0000000..85411c0 --- /dev/null +++ b/kerneldriver/cases/kmodule_baseline/secDetector_kmodule_baseline.c @@ -0,0 +1,66 @@ +/* + * SPDX-License-Identifier: GPL-2.0 + * + * Author: zhangguangzhi + * create: 2023-11-7 + * Description: the main implement of kmodule baseline. + */ +#include +#include +#include +#include "secDetector_manager.h" +#include +#include "secDetector_mc_kmodule_baseline.h" + +#define KMOD_BASELINE_TIME_INTERVAL 5 +DEFINE_MUTEX(case_kmodule_mutex); + +static void check_watching_kmodule(void) +{ + mutex_lock(&case_kmodule_mutex); + check_kmodule_baseline(); + mutex_unlock(&case_kmodule_mutex); +} + +static struct secDetector_workflow workflow_array[] = { + { + .workflow_type = WORKFLOW_CUSTOMIZATION, + .workflow_func.func = check_watching_kmodule, + .hook_type = SECDETECTOR_TIMER, + .interval = KMOD_BASELINE_TIME_INTERVAL, + .enabled = ATOMIC_INIT(true) + }, +}; + +static struct secDetector_module mc_kmodule = { + .name = "secDetector kmodule baseline module", + .enabled = ATOMIC_INIT(true), + .workflow_array = workflow_array, + .workflow_array_len = ARRAY_SIZE(workflow_array), +}; + +static int __init register_secDetector_kmodule_baseline(void) +{ + int ret; + ret = secDetector_module_register(&mc_kmodule); + if (ret < 0) + pr_err("[secDetector case kmodule baseline] register failed"); + else + pr_info("[secDetector case kmodule baseline] register success\n"); + + return ret; +} + +static void __exit unregister_secDetector_kmodule_baseline(void) +{ + mutex_lock(&case_kmodule_mutex); + (void)secDetector_module_unregister(&mc_kmodule); + mutex_unlock(&case_kmodule_mutex); + + pr_info("[secDetector case kmodule baseline] unregister success\n"); +} + +module_init(register_secDetector_kmodule_baseline); +module_exit(unregister_secDetector_kmodule_baseline); +MODULE_LICENSE("GPL"); + diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c new file mode 100644 index 0000000..fd013be --- /dev/null +++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.c @@ -0,0 +1,157 @@ +/* + * SPDX-License-Identifier: GPL-2.0 + * + * Author: zhangguangzhi + * create: 2023-11-3 + * Description: the main implement of the kmodule baseline corruption. + */ + +#include +#include +#include +#include +#include +#include "secDetector_mc_kmodule_baseline.h" +#include "secDetector_response.h" + +#define MODULE_LIST_MAXSIZE 0x10000 +#define NAME_LEN 4096 +#define HEADER_MSG_LEN 128 +#define KMODULE_BASELINE_TYPE 0x00800000 + +typedef struct chkrkatt_module { + struct list_head list; + char *module_name; +} CHKRKATT_MODULE; + +static LIST_HEAD(chkrkatt_module_list); + +static int add_kmodule_baseline_name(const char *name) +{ + CHKRKATT_MODULE *module = NULL; + size_t name_len; + + module = (CHKRKATT_MODULE *)kmalloc(sizeof(CHKRKATT_MODULE), GFP_KERNEL); + if (!module) { + pr_err("module kmalloc failed\n"); + return -1; + } + module->module_name = (char *)kzalloc(NAME_LEN, GFP_KERNEL); + if (!module->module_name) { + pr_err("module_name kzalloc failed\n"); + kfree(module); + return -1; + } + + name_len = strlen(name) < NAME_LEN ? strlen(name) : NAME_LEN; + memcpy(module->module_name, name, name_len); + list_add(&module->list, &chkrkatt_module_list); + return 0; +} + +static void free_kmodule_baseline(void) +{ + CHKRKATT_MODULE *module_name = NULL; + CHKRKATT_MODULE *module_name_next = NULL; + list_for_each_entry_safe(module_name, module_name_next, &chkrkatt_module_list, list) { + if (module_name != NULL) { + list_del(&module_name->list); + kfree(module_name->module_name); + kfree(module_name); + } + } +} + +static void report_kmodule_baseline(void) +{ + CHKRKATT_MODULE *get_module_name = NULL; + CHKRKATT_MODULE *get_module_name_next = NULL; + char *module_name_all = NULL; + char *header_msg = NULL; + char strtmp[] = ", "; + struct timespec64 ts; + struct tm stm; + int header_msg_len; + int ret; + response_data_t log; + + module_name_all = (char *)kzalloc(NAME_LEN, GFP_ATOMIC); + if (module_name_all == NULL) { + pr_err("module_name_all kzalloc failed\n"); + return; + } + header_msg = (char *)kzalloc(HEADER_MSG_LEN, GFP_ATOMIC); + if (header_msg == NULL) { + pr_err("hearder_msg kzalloc failed\n"); + kfree(module_name_all); + return; + } + + ktime_get_real_ts64(&ts); + time64_to_tm(ts.tv_sec, 0, &stm); + header_msg_len = scnprintf(header_msg, HEADER_MSG_LEN, + "time=%04ld%02d%02d%02d%02d%02d event_type=kmodulelist module_name=", + stm.tm_year + 1900, stm.tm_mon + 1, stm.tm_mday, stm.tm_hour, stm.tm_min, stm.tm_sec); + if (header_msg_len <= 0) + goto out; + + list_for_each_entry_safe(get_module_name, get_module_name_next, &chkrkatt_module_list, list) { + if (get_module_name != NULL && get_module_name_next != NULL) { + /* 2: ', ' */ + if(sizeof(module_name_all) + sizeof(get_module_name->module_name) < NAME_LEN - 2 - header_msg_len) { + strcat(module_name_all, get_module_name->module_name); + strcat(module_name_all, strtmp); + } + } + } + + log.report_data.type = KMODULE_BASELINE_TYPE; + log.report_data.len = strlen(module_name_all) + header_msg_len + 1; + log.report_data.text = kmalloc(log.report_data.len, GFP_KERNEL); + + if (log.report_data.text == NULL) { + pr_err("log text malloc failed\n"); + goto out; + } + + ret = scnprintf(log.report_data.text, log.report_data.len, "%s%s\n", header_msg, module_name_all); + if (ret > 0) { + log.report_data.text[log.report_data.len - 1] = '\0'; + secDetector_report(&log); + } + kfree(log.report_data.text); +out: + kfree(header_msg); + kfree(module_name_all); +} + +void check_kmodule_baseline(void) +{ + struct module_kobject *mobj = NULL; + struct kobject *k = NULL; + struct kset *module_kset = __this_module.mkobj.kobj.kset; + int ret; + + if (module_kset == NULL) + return; + + mutex_lock(&module_mutex); + spin_lock(&module_kset->list_lock); + list_for_each_entry(k, &module_kset->list, entry) { + if (k->name == NULL) + continue; + mobj = container_of(k, struct module_kobject, kobj); + if (mobj == NULL || mobj->mod == NULL || (unsigned long)mobj->mod->name < MODULE_LIST_MAXSIZE) + continue; + + ret = add_kmodule_baseline_name(k->name); + if (ret != 0) + break; + } + spin_unlock(&module_kset->list_lock); + mutex_unlock(&module_mutex); + + report_kmodule_baseline(); + free_kmodule_baseline(); + return; +} diff --git a/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.h b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.h new file mode 100644 index 0000000..b8434ed --- /dev/null +++ b/kerneldriver/cases/kmodule_baseline/secDetector_mc_kmodule_baseline.h @@ -0,0 +1,12 @@ +/* + * SPDX-License-Identifier: GPL-2.0 + * + * Author: zhangguangzhi + * create: 2023-11-3 + * Description: the kmodule baseline corruption head file. + */ +#ifndef SECDETECTOR_MC_KMODULE_BASELINE_H +#define SECDETECTOR_MC_KMODULE_BASELINE_H + +void check_kmodule_baseline(void); +#endif diff --git a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c index 6ff810d..7432edc 100644 --- a/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c +++ b/kerneldriver/cases/memory_corruption/secDetector_memory_corruption.c @@ -79,4 +79,5 @@ static void __exit unregister_secDetector_mc(void) module_init(register_secDetector_mc); module_exit(unregister_secDetector_mc); -MODULE_LICENSE("GPL"); \ No newline at end of file +MODULE_LICENSE("GPL"); + diff --git a/lib/secDetector_sdk.h b/lib/secDetector_sdk.h index d5935b1..198d107 100644 --- a/lib/secDetector_sdk.h +++ b/lib/secDetector_sdk.h @@ -47,6 +47,8 @@ #define NEWACCOUNT 0x00200000 /* device management */ #define OPERATEDEV 0x00400000 +/* memory corruption kmodule list */ +#define KMODULELIST 0x00800000 void *secSub(const int topic); void secUnsub(const int topic, void *reader); diff --git a/observer_agent/service/main.cpp b/observer_agent/service/main.cpp index 74bb952..e0e71ca 100644 --- a/observer_agent/service/main.cpp +++ b/observer_agent/service/main.cpp @@ -53,7 +53,7 @@ static int ringbuf_cb(struct response_rb_entry *entry, size_t entry_size) { PubSubClient client(grpc::CreateChannel( server_address, grpc::InsecureChannelCredentials())); // topic need extra args - client.Publish(1, entry->text); + client.Publish(entry->type, entry->text); return 0; } -- Gitee