Security:Capable Probe Module

From Tizen Wiki

Module description

capable_probe is a kernel module for tracing the kernel's capability checks. When a process makes a syscall that needs one or more capabilities to succeed, the kernel's cap_capable function is called; capable_probe registers those calls and writes them to /dev/kmsg, so they show up in dmesg. Process creation (fork) and execution (exec) events are registered as well, so that each capability request can be matched to the command that made it.
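As an added example (not part of this page or of the capable_probe module), the following Python script deliberately makes three syscalls whose kernel paths reach a cap_capable check, so that there are known events to look for in dmesg once the module is loaded. The capability bit numbers are taken from <linux/capability.h>; the kernel checks named in the comments are those of mainline Linux; and the mask 0x481 is the set of bits these three calls should contribute to this pid's collected set in cumulative mode (any other checks the interpreter itself triggers would be OR-ed in, which is an assumption to verify against your own log).

```python
import os
import socket
import tempfile

# Capability bit numbers from <linux/capability.h>.
CAP_CHOWN = 0
CAP_SETUID = 7
CAP_NET_BIND_SERVICE = 10


def expected_mask():
    """Bits capable_probe should show in this pid's collected set after
    trigger_checks(): (1<<0) | (1<<7) | (1<<10) == 0x481."""
    return (1 << CAP_CHOWN) | (1 << CAP_SETUID) | (1 << CAP_NET_BIND_SERVICE)


def _outcome(fn):
    """Run fn(); report 'ok', 'EPERM' (the check failed, but cap_capable was
    still called, so the probe fired) or 'other:<errno>' for unrelated
    errors such as EADDRINUSE."""
    try:
        fn()
        return "ok"
    except PermissionError:
        return "EPERM"
    except OSError as e:
        return f"other:{e.errno}"


def trigger_checks():
    """Make three syscalls that each reach a capability check and report
    how each one ended. Success or EPERM both produce probe output."""
    results = {}

    # chown(2): the kernel skips the CAP_CHOWN check only when the caller owns
    # the file and the uid does not change, so pick a uid that is not ours.
    target_uid = 65534 if os.getuid() == 0 else 0
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        results["chown"] = _outcome(lambda: os.chown(path, target_uid, -1))
    finally:
        os.unlink(path)

    # setuid(2): __sys_setuid() asks for CAP_SETUID before anything else.
    # For root this is a no-op change to uid 0; unprivileged callers get EPERM.
    results["setuid"] = _outcome(lambda: os.setuid(0))

    # bind(2) to a port below ip_unprivileged_port_start (default 1024):
    # inet_bind() asks for CAP_NET_BIND_SERVICE.
    def bind_privileged_port():
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.bind(("127.0.0.1", 80))

    results["bind"] = _outcome(bind_privileged_port)
    return results


if __name__ == "__main__":
    r = trigger_checks()
    print(f"pid {os.getpid()}: {r}")
    print(f"expect this pid's collected set to include 0x{expected_mask():x}; check dmesg")
```

Run it on the target with capable_probe loaded and cap_cumulative=1, then look in dmesg for the printed pid: the last "Collected capability set" line for it should contain bits 0, 7 and 10, whether the script ran as root (the calls succeed) or not (they fail with EPERM).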

Build and installation procedure

Kernel build and installation

M0

Build kernel image adding Security probes module to configuration
% make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- tizen_defconfig
% make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- menuconfig
Security options    --->
        <M> Security probes
% make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- -j4 zImage dtbs
% cat arch/arm/boot/zImage arch/arm/boot/dts/exynos4412-trats2.dtb > bImage
% mkimage -A arm -C none -O linux -a  40008000 -e 40008000 -n 'Linux 3.10 Tizen kernel' -d bImage uImage
Flash image
% tar cf kernel.tar uImage
% lthor kernel.tar

IVI

Build kernel image adding Security probes module to configuration, together with configfs (the "Userspace-driven configuration filesystem"), which the module's runtime parameter interface under /sys/kernel/config needs
% make ARCH=i386 ivi_defconfig
% make ARCH=i386 menuconfig
Security options    --->
        <M> Security probes
File systems    --->
        Pseudo filesystems    --->
                {*} Userspace-driven configuration filesystem
% make ARCH=i386 -j4

Module build and installation

M0 (working target)

Build capable_probe module
% make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- M=security/kprobes

Install module into a staging directory:

% mkdir /tmp/capable_probe
% make ARCH=arm CROSS_COMPILE=arm-linux-gnueabi- M=security/kprobes modules_install INSTALL_MOD_PATH=/tmp/capable_probe

Copy to target (drop the redirection if you want to see push errors):

% sdb push /tmp/capable_probe/lib/modules* /lib/modules/ > /dev/null 2>&1

IVI (premounted image)

Build capable_probe module
% make ARCH=i386 M=security/kprobes

Mount image (N stands for loop device number and M stands for partition number; these steps need root):

% losetup /dev/loopN image.tar
% kpartx -v -a /dev/loopN
% mount /dev/mapper/loopNpM /mnt

Install module:

% make ARCH=i386 M=security/kprobes modules_install INSTALL_MOD_PATH=/mnt

Unmount image:

% umount /mnt
% kpartx -d /dev/loopN
% losetup -d /dev/loopN

Run on target to make the module load on boot: add it to the module autoload list (/etc/modules, or /etc/modules-load.d/capable_probe.conf on a systemd target) and put its default parameters in /etc/modprobe.d/capable_probe.conf. Note that the modprobe option names carry an arg_ prefix, unlike the configfs attributes described below.
% echo "capable_probe" >> /etc/modules
% echo "options capable_probe arg_cap_cumulative=1 arg_command_filter=\"\"" > /etc/modprobe.d/capable_probe.conf
% echo "capable_probe" > /etc/modules-load.d/capable_probe.conf

Usage tutorial

Parameters

The module takes two steering parameters (named arg_cap_cumulative and arg_command_filter as modprobe options, cap_cumulative and command_filter in configfs):

  1. cap_cumulative
    The requested capability set is either printed on every cap_capable call (cap_cumulative: 0) or accumulated per process and printed only when the process asks for a capability it has not asked for before (cap_cumulative: 1). In cumulative mode each printed value is the OR of everything the process has requested so far, which is why the values for a given pid only ever grow in the output below.
  2. command_filter
    Capabilities are printed for every process (command_filter: "") or only for processes with the given command (command_filter: "systemd-cgroups"). The comparison is made against the kernel's comm field, which holds only the first 15 characters of the name of the binary the process executed or was forked with (TASK_COMM_LEN is 16 bytes including the terminating NUL); the original binary path of "systemd-cgroups" is "/usr/lib/systemd/systemd-cgroups-agent", and the filter string itself is truncated the same way, as the echo/cat example below shows. The module cannot tell when a process changes its own name (for example with prctl(PR_SET_NAME)), so the filter reduces noise but is not a security boundary.

Default parameters are:

  • cap_cumulative: 1
  • command_filter: ""

These are the same values set in /etc/modprobe.d/capable_probe.conf in the installation tutorial; change them there to have different values applied at boot. They can also be read and changed at runtime through configfs, which must be built in and mounted at /sys/kernel/config:

% echo "systemd-cgroups-agent" > /sys/kernel/config/process_filter/command_filter
% cat /sys/kernel/config/process_filter/command_filter
systemd-cgroups
% echo 1 > /sys/kernel/config/process_filter/cap_cumulative
% cat /sys/kernel/config/process_filter/cap_cumulative
1

Output

Access logs by calling:

% dmesg

Fragment of an example output. Names in parentheses, such as (ds-agent), are the temporary comm that systemd gives a forked child before it execs, so the real name only appears from the "Processs execed" line on; a process the kernel starts through its usermode helper, such as the cgroup release agent, carries the spawning kworker's comm until the exec completes:

[   18.772197] Collected capability set asked for comm: (ds-agent), pid: 2301 is 0x1
[   18.779742] Collected capability set asked for comm: (ds-agent), pid: 2301 is 0x200001
[   18.788502] Processs execed. comm: (ds-agent), comm_execed: /usr/bin/oma-ds-agent, pid: 2301
[   18.796948] Collected capability set asked for comm: oma-ds-agent, pid: 2301 is 0x200000
[   18.804040] Collected capability set asked for comm: dbus-daemon, pid: 2300 is 0x2000d1
[   18.812022] Processs created. comm: kworker/u8:1, pid: 2302
[   18.817637] Processs execed. comm: kworker/u8:1, comm_execed: /usr/lib/systemd/systemd-cgroups-agent, pid: 2302
[   18.827852] Collected capability set asked for comm: kworker/u8:1, pid: 2302 is 0x200000
[   18.836408] Collected capability set asked for comm: systemd-cgroups, pid: 2302 is 0x200000
[   18.847860] Collected capability set asked for comm: systemd-cgroups, pid: 2302 is 0x200001
[   18.867648] Processs created. comm: systemd, pid: 2303
[   18.872888] Collected capability set asked for comm: (m_server), pid: 2303 is 0x1
[   18.878899] Collected capability set asked for comm: oma-ds-agent, pid: 2301 is 0x200001
[   18.887072] Collected capability set asked for comm: (m_server), pid: 2303 is 0x200001
[   18.896700] Processs execed. comm: (m_server), comm_execed: /usr/bin/system_server, pid: 2303
[   18.905971] Collected capability set asked for comm: system_server, pid: 2303 is 0x200000

The registered capability set is printed as a hexadecimal bit mask: bit n set means capability number n from <linux/capability.h> was requested, so 0x1 is cap_chown alone and 0x200000 (bit 21) is cap_sys_admin alone, which makes the 0x200001 sets above CAP_CHOWN plus CAP_SYS_ADMIN. The mask can be decoded with the capsh command (usage below) from the libcap2-bin package, or from the tizen.org package libcap-tools, which can be found in the libcap repository.

% capsh --decode=<hexadecimal cap set>

Example

% capsh --decode=0x2000d1
0x00000000002000d1=cap_chown,cap_fsetid,cap_setgid,cap_setuid,cap_sys_admin
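The following Python script is an added example, not part of this page or of capable_probe. It parses the three line shapes shown in the output fragment above, accumulates the requested capability mask per pid, decodes the mask into capsh-style names (so it can stand in for capsh --decode where the libcap tools are not installed), and mirrors the 15-character comm truncation that the command_filter parameter applies. The capability bit table is Linux's <linux/capability.h>; the sample lines embedded in the script are copied from the output fragment above; the truncation length in comm_filter is inferred from the configfs echo/cat example in the Parameters section.

```python
import re
from collections import defaultdict

# Capability numbers from <linux/capability.h>, indexed by bit.
# Bit 21 is CAP_SYS_ADMIN, which is why 0x200000 shows up so often in the log.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

TASK_COMM_LEN = 16  # kernel comm buffer size, including the terminating NUL

# The three line shapes capable_probe writes (the kernel-side spelling is "Processs").
_PREFIX = r"^\[\s*(?P<ts>\d+\.\d+)\]\s+"
CAP_RE = re.compile(_PREFIX + r"Collected capability set asked for comm: (?P<comm>.+?), "
                   r"pid: (?P<pid>\d+) is (?P<mask>0x[0-9a-fA-F]+)$")
EXEC_RE = re.compile(_PREFIX + r"Processs execed\. comm: (?P<comm>.+?), "
                    r"comm_execed: (?P<exe>[^,\s]+), pid: (?P<pid>\d+)$")
CREATE_RE = re.compile(_PREFIX + r"Processs created\. comm: (?P<comm>.+?), pid: (?P<pid>\d+)$")


def decode_caps(mask):
    """Decode a capability bit mask into capsh-style names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(f"cap_{CAP_NAMES[bit]}" if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def comm_filter(name):
    """What the module's command_filter actually compares: the comm field keeps
    only the first TASK_COMM_LEN-1 characters of the binary name."""
    return name[:TASK_COMM_LEN - 1]


def parse_line(line):
    """Return a dict describing one capable_probe line, or None for other dmesg lines."""
    for kind, rx in (("cap", CAP_RE), ("exec", EXEC_RE), ("create", CREATE_RE)):
        m = rx.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["kind"] = kind
            ev["pid"] = int(ev["pid"])
            ev["ts"] = float(ev["ts"])
            if kind == "cap":
                ev["mask"] = int(ev["mask"], 16)
            return ev
    return None


def summarize(lines):
    """Per pid: last comm seen, exec'd binary (if seen) and the OR of every
    requested capability set. OR-ing is right for both module modes: with
    cap_cumulative=1 each value already contains the previous ones, with
    cap_cumulative=0 each value is a single call."""
    procs = defaultdict(lambda: {"comm": None, "exe": None, "mask": 0})
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        p = procs[ev["pid"]]
        p["comm"] = ev["comm"]
        if ev["kind"] == "exec":
            p["exe"] = ev["exe"]
        elif ev["kind"] == "cap":
            p["mask"] |= ev["mask"]
    for p in procs.values():
        p["caps"] = decode_caps(p["mask"])
    return dict(procs)


def requesting(summary, cap_name):
    """Sorted pids whose accumulated set contains cap_name, e.g. "cap_sys_admin"."""
    return sorted(pid for pid, p in summary.items() if cap_name in p["caps"])


# Lines copied from the output fragment on this page.
SAMPLE = """
[   18.772197] Collected capability set asked for comm: (ds-agent), pid: 2301 is 0x1
[   18.779742] Collected capability set asked for comm: (ds-agent), pid: 2301 is 0x200001
[   18.788502] Processs execed. comm: (ds-agent), comm_execed: /usr/bin/oma-ds-agent, pid: 2301
[   18.796948] Collected capability set asked for comm: oma-ds-agent, pid: 2301 is 0x200000
[   18.804040] Collected capability set asked for comm: dbus-daemon, pid: 2300 is 0x2000d1
[   18.812022] Processs created. comm: kworker/u8:1, pid: 2302
[   18.817637] Processs execed. comm: kworker/u8:1, comm_execed: /usr/lib/systemd/systemd-cgroups-agent, pid: 2302
[   18.827852] Collected capability set asked for comm: kworker/u8:1, pid: 2302 is 0x200000
[   18.836408] Collected capability set asked for comm: systemd-cgroups, pid: 2302 is 0x200000
[   18.847860] Collected capability set asked for comm: systemd-cgroups, pid: 2302 is 0x200001
[   18.867648] Processs created. comm: systemd, pid: 2303
[   18.872888] Collected capability set asked for comm: (m_server), pid: 2303 is 0x1
[   18.878899] Collected capability set asked for comm: oma-ds-agent, pid: 2301 is 0x200001
[   18.887072] Collected capability set asked for comm: (m_server), pid: 2303 is 0x200001
[   18.896700] Processs execed. comm: (m_server), comm_execed: /usr/bin/system_server, pid: 2303
[   18.905971] Collected capability set asked for comm: system_server, pid: 2303 is 0x200000
""".strip().splitlines()

if __name__ == "__main__":
    for pid, p in sorted(summarize(SAMPLE).items()):
        print(f"pid {pid:5d} {p['comm']:<16} {p['exe'] or '-':<40} 0x{p['mask']:x} {','.join(p['caps'])}")
```

Feed it `dmesg` output instead of SAMPLE to get a per-process table; `requesting(summary, "cap_sys_admin")` lists the pids that asked for CAP_SYS_ADMIN, which is usually the set worth reviewing first when deciding which privileges a service really needs.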