Reputation: 85
I'm learning something about access control and am trying to implement my own hook function with the LSM API. But I found I have to code in the kernel source in kernel version 3.1.4. So, how can I get started?
Could someone give an example of it? Thanks a lot.
PS: I have found some examples, but for kernel version 2.6.20. As LSM has been modified, those examples cannot work.
Upvotes: 2
Views: 2496
Reputation: 4024
You can't load an LSM module since 2.6.35 (see commit c1e992b99603a84d7debb188542b64f2d9232c07). So, it isn't a valid task to get LSM outside the kernel. But you can always try to disassemble the kernel at run time and find all the private symbols, such as the security_ops pointer.
For example, have a look at the exported security_sb_copy_data symbol:
int security_sb_copy_data(char *orig, char *copy)
{
	/* every exported hook wrapper dispatches through the private security_ops table */
	return security_ops->sb_copy_data(orig, copy);
}
EXPORT_SYMBOL(security_sb_copy_data);
Its dump may look like this (x86_64):
(gdb) x/7i security_sb_copy_data
0xffffffff811f61b0: push %rbp
0xffffffff811f61b1: mov %rsp,%rbp
0xffffffff811f61b4: data32 data32 data32 xchg %ax,%ax
0xffffffff811f61b9: mov 0x881690(%rip),%rax # 0xffffffff81a77850
0xffffffff811f61c0: callq *0x98(%rax)
0xffffffff811f61c6: pop %rbp
0xffffffff811f61c7: retq
So, the 0xffffffff81a77850 address is the exact security_ops pointer. Let's check it out with:
(gdb) x/s* 0xffffffff81a77850
0xffffffff81850fa0: "default"
OK, now we have a valid security_ops pointer and can do anything with LSM outside the kernel.
P.S.
There is a great Linux kernel security project, AKARI. It implements interesting methods of private symbol resolution without disassembly (see the sources for details).
Upvotes: 1
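The step the answer performs by eye ("so 0xffffffff81a77850 is the security_ops pointer") is the RIP-relative address calculation for the `mov 0x881690(%rip),%rax` instruction: the effective address is the address of the next instruction plus the signed 32-bit displacement. The following is an added example, not code from the question, the answer, or the kernel; it decodes that instruction from its raw bytes and recovers the pointer address. The instruction bytes are constructed here as the standard x86-64 encoding of the instruction shown in the gdb dump (the dump itself prints mnemonics with `x/7i`, not bytes), and the address comes from the dump.

```python
# Added example (not from the question or answer): decode the RIP-relative
# operand of "mov 0x881690(%rip),%rax" from the answer's gdb dump and recover
# the address it loads from, i.e. the private security_ops pointer.
#
# Encoding of "mov disp32(%rip),%rax" on x86-64:
#   48           REX.W prefix (64-bit operand size)
#   8b           MOV r64, r/m64
#   05           ModRM: mod=00, reg=000 (rax), rm=101 -> [rip + disp32]
#   90 16 88 00  disp32, little-endian = 0x00881690
# Effective address = address of the *next* instruction + disp32.

import struct

# Constructed from the answer's dump: the mov sits at 0xffffffff811f61b9.
MOV_RIP_INSN_ADDR = 0xFFFFFFFF811F61B9
# Constructed: canonical encoding of "mov 0x881690(%rip),%rax".
MOV_RIP_INSN_BYTES = bytes.fromhex("488b0590168800")

PTR_MASK = 0xFFFFFFFFFFFFFFFF


def decode_rip_relative_mov(addr, code):
    """Return (reg_number, disp32, target) for a REX.W "mov r64, [rip+disp32]".

    Raises ValueError when the bytes are not that encoding, so a caller that
    pattern-matches a function body does not silently resolve a wrong pointer.
    """
    if len(code) < 7:
        raise ValueError("need at least 7 bytes for REX + opcode + ModRM + disp32")
    rex, opcode, modrm = code[0], code[1], code[2]
    if rex & 0xF8 != 0x48:          # 0100W... with W=1 -> 0x48..0x4f
        raise ValueError("missing REX.W prefix")
    if opcode != 0x8B:              # MOV r64, r/m64
        raise ValueError("not a MOV r64, r/m64")
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 0 or rm != 5:         # mod=00, rm=101 is the RIP-relative form
        raise ValueError("operand is not RIP-relative")
    reg |= (rex & 0x4) << 1         # REX.R extends the destination register field
    disp = struct.unpack_from("<i", code, 3)[0]   # signed 32-bit displacement
    next_ip = addr + 7              # length of this instruction form
    return reg, disp, (next_ip + disp) & PTR_MASK


def resolve_security_ops_addr():
    """Worked instance using the instruction from the answer's dump."""
    _reg, _disp, target = decode_rip_relative_mov(MOV_RIP_INSN_ADDR, MOV_RIP_INSN_BYTES)
    return target


if __name__ == "__main__":
    reg, disp, target = decode_rip_relative_mov(MOV_RIP_INSN_ADDR, MOV_RIP_INSN_BYTES)
    print(f"reg={reg} (0 = rax) disp=0x{disp:x} target=0x{target:x}")
    # target=0xffffffff81a77850, matching the address gdb printed in the dump
```

The same calculation is what you would do to confirm that a value read from a live kernel really is the pointer the wrapper dereferences (for instance when checking that security_ops has not been redirected): decode the load in the exported wrapper, compute the target, and compare it against the address you are inspecting, rather than trusting an address copied from a listing.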