
I wrote a kind of SELinux clone that supervises system call execution, such as open and execve.

The result is proven by SELinux as a secure way to monitor all disk access made by users.

The code modifies the syscall table in the following way:

  1. Change the name->address relationship of a syscall.
  2. After the change, the syscall name points to my own function, which then calls the original syscall.
  3. The original syscall address is protected by address space layout randomization, which requires scanning 16 exabytes of data, and the address changes with every reboot.

Old trick, but the only way I found to achieve this is via a service routine exported only to GPL modules, i.e. modules with the following line:

MODULE_LICENSE("GPL");

Is there a way to discover either the syscall table or the syscall address without a GPL kernel module?


1 Answer


You did it wrong. Syscall wrapping is the standard TOCTOU bug class factory. See this paper: http://www.watson.org/~robert/2007woot/2007usenixwoot-exploitingconcurrency.pdf

In fact, LSM hooks (used to implement SELinux) are precisely what you need to actually get this to work in a secure manner. But then there is no use in overwriting anything in the syscall table.