Re: [PATCH 1/9] Known exploit detection

From: David Rientjes
Date: Thu Dec 19 2013 - 01:14:28 EST


On Thu, 12 Dec 2013, vegard.nossum@xxxxxxxxxx wrote:

> diff --git a/security/exploit.c b/security/exploit.c
> new file mode 100644
> index 0000000..a732613
> --- /dev/null
> +++ b/security/exploit.c
> @@ -0,0 +1,28 @@
> +#include <linux/cred.h>
> +#include <linux/exploit.h>
> +#include <linux/printk.h>
> +#include <linux/ratelimit.h>
> +#include <linux/sched.h>
> +
> +void _exploit(const char *id)
> +{
> + /*
> + * This function needs to be super defensive/conservative, since
> + * userspace can easily get to it from several different contexts.
> + * We don't want it to become an attack vector in itself!
> + *
> + * We can assume that we're in process context, but spinlocks may
> + * be held, etc.

Not task_lock(current), though.

> + */
> +
> + struct task_struct *task = current;
> + pid_t pid = task_pid_nr(task);
> + uid_t uid = from_kuid(&init_user_ns, current_uid());
> + char comm[sizeof(task->comm)];
> +
> + get_task_comm(comm, task);
> +
> + pr_warn_ratelimited("warning: possible %s exploit attempt by pid=%u uid=%u comm=%s\n",
> + id, pid, uid, comm);
> +}
> +EXPORT_SYMBOL(_exploit);
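Review bot: comm is passed to a bare %s in the pr_warn_ratelimited() call, and a task's comm can be set from userspace (for example with prctl(PR_SET_NAME)), so the process that triggers the warning controls bytes in the log message, including control characters and newlines. Consider escaping or replacing non-printable characters in comm before printing, so the output cannot be made to look like a separate log entry. Two smaller points in the same call: every id goes through this single pr_warn_ratelimited() call site and therefore shares one rate-limit state, so repeated triggers for one id can suppress the warning for another; and pid is a pid_t printed with %u, where %d matches the type.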