diff --git a/drivers/hck/vendor_hooks.c b/drivers/hck/vendor_hooks.c
index 7bea8ddcaaa8bac1809c83c5775586d2fd8024d3..8fef38e4bf8b18c5a7fa9853ddcfbe76751ecadf 100644
--- a/drivers/hck/vendor_hooks.c
+++ b/drivers/hck/vendor_hooks.c
@@ -10,4 +10,5 @@
 /* add your lite vendor hook header file here */
 #include
 #include
+#include
 #include
diff --git a/fs/exec.c b/fs/exec.c
index a6fbabf940911bdd5fe71594f926a979d3b0ede3..eedc61f186776d8a8b16aad2d507168ba3946740 100644
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -73,6 +73,7 @@
 #include "internal.h"
 #include
+#include
 static int bprm_creds_from_file(struct linux_binprm *bprm);
@@ -1842,6 +1843,7 @@ static int bprm_execve(struct linux_binprm *bprm,
 rseq_execve(current);
 acct_update_integrals(current);
 task_numa_free(current, false);
+ CALL_HCK_LITE_HOOK(ced_detection_lhck, current);
 return retval;
 out:
diff --git a/include/linux/hck/lite_hck_ced.h b/include/linux/hck/lite_hck_ced.h
new file mode 100644
index 0000000000000000000000000000000000000000..dbf3b060890beac15f0ae7fc29f5cc2d3b6d9b44
--- /dev/null
+++ b/include/linux/hck/lite_hck_ced.h
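Review bot: The `ced_detection_lhck` call is placed on the success path of bprm_execve after task_numa_free(), so it runs only once the new image is already committed to current, and since the lite hook is used as a bare statement with no result it does not appear able to influence the exec's outcome; a reader could otherwise take it for a gate, so a one-line comment should say so: `/* CED: post-exec detection point; the new image is already committed, this does not veto */`. The failure path under `out:` gets no hook, which may be intended but deserves a sentence in the commit message. bprm_execve starts and ends outside the hunk.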
@@ -0,0 +1,39 @@
+/* SPDX-License-Identifier: GPL-2.0-or-later */
+/*
+ * Copyright (c) 2023 Huawei Device Co., Ltd.
+ */
+
+#ifndef _LITE_HCK_CED_H
+#define _LITE_HCK_CED_H
+
+#include
+#include
+#include
+
+#ifndef CONFIG_HCK
+#undef CALL_HCK_LITE_HOOK
+#define CALL_HCK_LITE_HOOK(name, args...)
+#undef REGISTER_HCK_LITE_HOOK
+#define REGISTER_HCK_LITE_HOOK(name, probe)
+#undef REGISTER_HCK_LITE_DATA_HOOK
+#define REGISTER_HCK_LITE_DATA_HOOK(name, probe, data)
+#else
+DECLARE_HCK_LITE_HOOK(ced_switch_task_namespaces_lhck,
+ TP_PROTO(struct task_struct *task, struct nsproxy *new),
+ TP_ARGS(task, new));
+
+DECLARE_HCK_LITE_HOOK(record_ced_flag_lhck,
+ TP_PROTO(struct task_struct *task),
+ TP_ARGS(task));
+
+DECLARE_HCK_LITE_HOOK(ced_detection_lhck,
+ TP_PROTO(struct task_struct *task),
+ TP_ARGS(task));
+
+DECLARE_HCK_LITE_HOOK(ced_initialize_lhck,
+ TP_PROTO(struct task_struct *task),
+ TP_ARGS(task));
+
+#endif /* CONFIG_HCK */
+
+#endif /* _LITE_HCK_CED_H */
diff --git a/include/linux/sched.h b/include/linux/sched.h
index d590141f04d189dd322e17c8633043eaaab80043..d39943cf5506a2826004097d44eae6b4ba6642b0 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -302,6 +302,15 @@ struct prev_cputime {
 #endif
 };
+struct ced_record {
+#ifdef CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION
+ uint8_t has_security_started;
+ uint8_t is_container_process;
+ uint8_t is_derogation;
+ uint8_t reserved;
+#endif
+};
+
 enum vtime_state {
 /* Task is sleeping or running in a CPU with VTIME inactive: */
 VTIME_INACTIVE = 0,
@@ -1508,6 +1517,9 @@ struct task_struct {
 u64 token;
 u64 ftoken;
 #endif
+#ifdef CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION
+ struct ced_record ced_flags;
+#endif
 #ifdef CONFIG_QOS_CTRL
 struct qos_task_struct qts;
 #endif
diff --git a/init/main.c b/init/main.c
index 30d6afeae93272fd1f8608c5e339df2eabef89f9..0bb39678051c8ad310ca07fd493746c5ff868cd9 100644
--- a/init/main.c
+++ b/init/main.c
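Review bot: The header declares four hook points but says nothing about when each fires or what state a probe may rely on; the only place that information exists is the set of call sites in this commit (kernel_clone after the child is woken, commit_creds after the old creds are dropped, the exec success path, switch_task_namespaces after task_unlock, and start_kernel before smp_setup_processor_id). Add a comment above each DECLARE_HCK_LITE_HOOK naming its call site and the constraints a probe inherits there, e.g. `/* ced_initialize_lhck: from start_kernel() before allocators or SMP are up; the probe must not allocate or sleep */` and `/* ced_switch_task_namespaces_lhck: new may be NULL on task exit */`. It is also worth stating once at the top that these hooks are informational only — a lite hook used as a statement has no return value — so a probe cannot block the fork, exec, cred commit or namespace switch it observes.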
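Review bot: `struct ced_record` is defined unconditionally while its body is emptied when CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION is off, which leaves a zero-size struct (a GNU extension, not ISO C) that nothing uses, since the only member of that type, task_struct::ced_flags, is itself guarded; move the `#ifdef` outside the struct so the type exists only when the feature does. Kernel headers use `u8` rather than `uint8_t` (checkpatch warns about this), so `u8 has_security_started;` and likewise for the other three fields. The flags carry no comment on their meaning, on which hook's probe presumably writes them, or on how readers and writers are ordered; since the record lives in task_struct and kernel_clone invokes the record hook on the child `p` rather than on current, a one-line comment per field plus a note on the expected locking would let the probe be reviewed against it later. `reserved` should say what it reserves (padding to 4 bytes, presumably).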
@@ -112,6 +112,7 @@
 #include
 #include
+#include
 static int kernel_init(void *);
@@ -857,6 +858,7 @@ asmlinkage __visible void __init __no_sanitize_address start_kernel(void)
 char *after_dashes;
 set_task_stack_end_magic(&init_task);
+ CALL_HCK_LITE_HOOK(ced_initialize_lhck, &init_task);
 smp_setup_processor_id();
 debug_objects_early_init();
diff --git a/kernel/cred.c b/kernel/cred.c
index 421b1149c6516004221159824dc6c18770db64e6..c6d436de2c255cbe754edfd08a78d81a2e49a022 100644
--- a/kernel/cred.c
+++ b/kernel/cred.c
@@ -16,6 +16,7 @@
 #include
 #include
 #include
+#include
 #if 0
 #define kdebug(FMT, ...) \
@@ -509,6 +510,7 @@ int commit_creds(struct cred *new)
 /* release the old obj and subj refs both */
 put_cred(old);
 put_cred(old);
+ CALL_HCK_LITE_HOOK(record_ced_flag_lhck, current);
 return 0;
 }
 EXPORT_SYMBOL(commit_creds);
diff --git a/kernel/fork.c b/kernel/fork.c
index dfeadf1c07fe0249d70be57075cd0c2863fa0fae..5a021d0548131b5f8dad1ce00432041b8bb9ab36 100644
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -109,6 +109,7 @@
 #include
 #include
+#include
 #define CREATE_TRACE_POINTS
 #include
@@ -2554,6 +2555,7 @@ pid_t kernel_clone(struct kernel_clone_args *args)
 }
 put_pid(pid);
+ CALL_HCK_LITE_HOOK(record_ced_flag_lhck, p);
 return nr;
 }
diff --git a/kernel/nsproxy.c b/kernel/nsproxy.c
index 3d5a5faf91b51ba42f1f44b55a6f977e339ef494..b1747143b7f529374081b1db4e5741862b22e3b9 100644
--- a/kernel/nsproxy.c
+++ b/kernel/nsproxy.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 static struct kmem_cache *nsproxy_cachep;
@@ -250,6 +251,8 @@ void switch_task_namespaces(struct task_struct *p, struct nsproxy *new)
 p->nsproxy = new;
 task_unlock(p);
+ CALL_HCK_LITE_HOOK(ced_switch_task_namespaces_lhck, p, new);
+
 if (ns && atomic_dec_and_test(&ns->count))
 free_nsproxy(ns);
 }
diff --git a/security/Kconfig b/security/Kconfig
index 43cd1c19a90ade762db74b7fbe09983812dc7c73..3f6bf765092497a6eba53f1af2ada88c290e0c90 100644
--- a/security/Kconfig
+++ b/security/Kconfig
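Review bot: `ced_initialize_lhck` fires before smp_setup_processor_id(), i.e. at the very top of start_kernel before any allocator, IRQ or scheduler setup, so whatever probe it reaches can only do plain bookkeeping on init_task. Nothing in this commit registers a probe, and if registration happens from an initcall or module init (not visible here) this call executes before any probe exists and is effectively a no-op, leaving init_task's record untouched until the first fork or cred commit. Worth confirming where the probe is registered, and either moving the call after that point or documenting why this spot works: `/* CED: init_task bookkeeping only; no allocator or SMP is up yet */`. start_kernel continues outside the hunk.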
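Review bot: `record_ced_flag_lhck` is invoked after both put_cred(old) calls, so the probe sees only the post-commit credentials of current and the old set may already be freed; if the record is meant to capture a privilege transition (the sched.h hunk adds an `is_derogation` flag), that comparison cannot be made here with `current` as the only argument. Either extend the hook prototype with the old cred and call it before the two put_cred() lines, or document that the hook observes only the committed state: `/* CED: record creds of current after commit; old is already released */`. The same hook name is reused for the child in kernel_clone, so the probe cannot tell from its argument alone which event fired. commit_creds starts outside the hunk.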
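Review bot: The hook dereferences `p` after put_pid(), well past wake_up_new_task() earlier in kernel_clone (outside the hunk), without holding a reference on the child: by then the child may be running on another CPU, so a probe that writes p->ced_flags races with the child reading them, and a child that has already exited and been released leaves `p` dangling — the CLONE_VFORK branch in the same function takes get_task_struct(p) for exactly this reason. Move the call so the record is written while the child cannot yet run, which is a one-line move: `CALL_HCK_LITE_HOOK(record_ced_flag_lhck, p);` immediately before `wake_up_new_task(p);` (or inside copy_process, before the child becomes visible), and drop it from after put_pid(). If it stays here, the ordering and lifetime assumption needs a comment so the probe author knows the child is live.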
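Review bot: `new` can be NULL at this call site — exit_task_namespaces() calls switch_task_namespaces(p, NULL) — and the hook passes it through unchecked, so the probe must tolerate a NULL nsproxy, a contract the commit does not state anywhere. Add `/* new may be NULL (task exit); the probe must handle it */` above the call, or skip the hook when `new` is NULL if detection has nothing to do on exit. The call also runs after task_unlock(p) while the old `ns` is still held but not passed, so a probe that wants to compare old and new namespaces would need the old one as an argument or the call moved before task_unlock(); as written it sees only the committed state. switch_task_namespaces starts outside the hunk.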
@@ -231,6 +231,7 @@ source "security/yama/Kconfig"
 source "security/safesetid/Kconfig"
 source "security/lockdown/Kconfig"
 source "security/xpm/Kconfig"
+source "security/container_escape_detection/Kconfig"
 source "security/integrity/Kconfig"
diff --git a/security/Makefile b/security/Makefile
index 3f01136d7b1fd4edd53c54ae863ae1c639e30717..4042bbb68d347097523388c5d8a70f70153987f8 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -14,6 +14,7 @@ subdir-$(CONFIG_SECURITY_SAFESETID) += safesetid
 subdir-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown
 subdir-$(CONFIG_BPF_LSM) += bpf
 subdir-$(CONFIG_SECURITY_XPM) += xpm
+subdir-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection
 # always enable default capabilities
 obj-y += commoncap.o
@@ -34,6 +35,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/
 obj-$(CONFIG_CGROUPS) += device_cgroup.o
 obj-$(CONFIG_BPF_LSM) += bpf/
 obj-$(CONFIG_SECURITY_XPM) += xpm/
+obj-$(CONFIG_SECURITY_CONTAINER_ESCAPE_DETECTION) += container_escape_detection/
 # Object integrity file lists
 subdir-$(CONFIG_INTEGRITY) += integrity