Linux kernel module configuration - linux

For my university project I'm doing a module which will allow or disallow a process to perform system calls (e.g. a little loadable SELinux). For now I have code that controls syscalls. For each process I store a link to the structure which contains the permissions config. However, for now I've just hardcoded two configs: one is the default (allow all) and the other allows everything except opening '/testfile'.
My question is how to load configs dynamically?
I have a parser for config files but I've read that accessing files from the kernel is a bad idea.
How should I store configs and how should I load them?

I've read that reading files from the kernel is bad idea
The description of the filp_open function in the kernel sources says:
This is the helper to open a file from kernelspace if you really have to. But in generally you should not do this, so please move along, nothing to see here..
So, if you need to load/store content of the file into/from the kernel module, then do that. But use appropriate functions, as described in that question.

Related

Linux kernel module, concept of configuration and persistent state

I work on a Linux kernel loadable module and I am looking for a proper way to configure it and a way to load/store binary data when the module is loaded/unloaded. The module needs to read configuration data at load time, but it may change the data and save it at run-time. I have read in many places that reading/writing to a file is not recommended and I also read that sysfs can be used for such a purpose. Can binary configuration data be stored in sysfs? Or does a more suitable solution exist? Can you provide a link to some example or doc where I can find some details about how to load/save persistent configuration from a module?
Peter
Maybe you can use the firmware interface in the module.
It should be able to load a binary file which includes your settings with request_firmware(..)
I think it isn't required to write this binary file to the hardware...?
There are probably a lot of ways to do this. The way that leaps to my mind is with a character device and a script running in userspace. You could arrange that the script loads your module and then writes the binary data to the character device file created by the module. The script could proceed to loop on a read of the device file. When the module wants to export new state, it unblocks the read. The script then copies out the data, and repeats.
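
Whichever channel delivers the configuration (a write to a character device or request_firmware, as suggested above), the module receives bytes it did not produce and must bounds-check them before acting on them. The following is an added example, not code from any of the posts: a parser for a constructed blob layout carrying rules like "deny open of /testfile", written in plain C so it compiles in user space. The `SCP1` magic, the struct names and the limits are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Constructed layout (an assumption, not from the posts), little-endian:
 * "SCP1" | u16 count | count * (u16 syscall | u8 action | u8 len | path[len]) */
#define POL_MAX_RULES 64
#define POL_MAX_PATH  255
struct pol_rule {
    uint16_t syscall_nr;
    uint8_t  deny;                      /* 0 = allow, 1 = deny */
    char     path[POL_MAX_PATH + 1];    /* NUL-terminated, may be empty */
};
struct policy {
    size_t nrules;
    struct pol_rule rules[POL_MAX_RULES];
};

/* Returns 0 on success, -1 on malformed input. Rule slots in *out may be
 * overwritten on failure, so parse into a fresh struct and publish it only
 * after success; out->nrules is set last. */
int policy_parse(const uint8_t *buf, size_t len, struct policy *out)
{
    size_t off = 6, count, plen, i;

    if (len < 6 || memcmp(buf, "SCP1", 4) != 0)
        return -1;
    count = (size_t)buf[4] | ((size_t)buf[5] << 8);
    if (count > POL_MAX_RULES)
        return -1;
    for (i = 0; i < count; i++) {
        struct pol_rule *r = &out->rules[i];
        if (len - off < 4 || buf[off + 2] > 1)   /* header fits, action known */
            return -1;
        r->syscall_nr = (uint16_t)(buf[off] | (buf[off + 1] << 8));
        r->deny = buf[off + 2];
        plen = buf[off + 3];
        off += 4;
        /* path must lie inside the blob, hold no NUL, and be absolute */
        if (len - off < plen || memchr(buf + off, 0, plen) ||
            (plen && buf[off] != '/'))
            return -1;
        memcpy(r->path, buf + off, plen);
        r->path[plen] = '\0';
        off += plen;
    }
    if (off != len)                              /* reject trailing bytes */
        return -1;
    out->nrules = count;
    return 0;
}
```

In a real module the `struct policy` is too large for the kernel stack and would be heap-allocated, and the bytes would first be copied out of user memory before parsing.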

Example for reading directory contents in kernel mode?

I am currently working on an anti-rootkit for Android as a student project. My task is to identify hidden files on the filesystem.
Therefore, I want to read the contents of a directory in a kernel module to compare it with the contents of a directory an app might see in usermode (which is probably censored by a rootkit). I know that file IO is generally a bad idea in kernel mode but I think this might be an exception.
I used filp_open to open a file and get a struct file. With this I was able to get the inode and dentry structures of the file. I was not able to get the contents of a directory this way. I thought there must be a function for it.
I searched on Stack Overflow and found the vfs_readdir function. The problem is that I have not understood how to use this function. What do I set for the filldir_t parameter and what do I set for the buffer? How do I retrieve the contents of a directory in a kernel module? Can somebody provide an example? I could not find an easy example on the internet or in the Linux kernel.

Linux kernel : logging to a specific file

I am trying to edit the Linux kernel. I want some information to be written out to a file as a part of the debugging process. I have read about the printk function. But I would like to add text to a particular file (a file other than the default files that keep debug logs).
To cut it short: I would kind of like to specify the "destination" in the printk function (or at least some work-around it)
How can I achieve this? Will using fwrite/fopen work (if yes, will it work without causing much overhead compared to printk, since they are implemented differently)?
What other options do I have?
Using fopen and fwrite will certainly not work. Working with files in kernel space is generally a bad idea.
It all really depends on what you are doing in the kernel though. In some configurations, there may not even be a hard disk for you to write to. If however, you are working at a stage where you can have certain assumptions about the running kernel, you probably actually want to write a kernel module rather than edit the kernel itself. For all you care, a kernel module is just as good as any other part of the kernel, but they are inserted when the kernel is already up and running.
You may also be thinking of doing so for debugging, or have output of a kernel-level application (e.g. an application that you are forced to run at kernel level for real-time constraints etc). In that case, kio may be of interest to you, but if you want to use it, do make sure you understand why.
kio is a library I wrote just for those "kernel-level applications", which makes a kernel module see a /proc file as if it's a user of it (rather than a provider). To make it work, you should have a user-space application also opening that virtual file and redirect it to wherever you want to write your log. Something along the lines of opening the file with kopen in write mode and in user space tell cat /proc/your_file > ~/log_file.
Note: I still recommend printk unless you really know what you are doing. Since you are thinking of fopen in kernel space, I don't think you really know what you are doing.

intercepting file system system calls

I am writing an application for which I need to intercept some filesystem system calls, e.g. unlink. I would like to save some file, say abc. If the user deletes the file then I need to copy it to some other place. So I need unlink to call my code before deleting abc so that I can save it. I have gone through threads related to intercepting system calls, but methods like LD_PRELOAD won't work in my case because I want this to be secure and implemented in the kernel, so this method won't be useful. inotify notifies after the event, so I would not be able to save it. Could you suggest any such method? I would like to implement this in a kernel module instead of modifying the kernel code itself.
Another method, as suggested by Graham Lee: I had thought of this method but it has some problems. I need a hardlink mirror of all the files; it consumes no space but could still be problematic, as I have to repeatedly mirror the drive to keep my mirror up to date. Also, it won't work across partitions or on partitions not supporting links, so I want a solution through which I could attach hooks to the files/directories and then watch for changes instead of repeated scanning.
I would also like to add support for write of modified file for which I cannot use hard links.
I would like to intercept system calls by replacing system calls but I have not been able to find any method of doing that in linux > 3.0. Please suggest some method of doing that.
As far as hooking into the kernel and intercepting system calls go, this is something I do in a security module I wrote:
https://github.com/cormander/tpe-lkm
Look at hijacks.c and symbols.c for the code; how they're used is in the hijack_syscalls function inside security.c. I haven't tried this on linux > 3.0 yet, but the same basic concept should still work.
It's a bit tricky, and you may have to write a good deal of kernel code to do the file copy before the unlink, but it's possible here.
One suggestion could be Filesystems in Userspace (FUSE.) That is, write a FUSE module (which is, granted, in userspace) which intercepts filesystem-related syscalls, performs whatever tasks you want, and possibly calls the "default" syscall afterwards.
You could then mount certain directories with your FUSE filesystem and, for most of your cases, it seems like the default syscall behavior would not need to be overridden.
You can watch unlink events with inotify, though this might happen too late for your purposes (I don't know because I don't know your purposes, and you should experiment to find out). The in-kernel alternatives based on LSM (by which I mean SMACK, TOMOYO and friends) are really for Mandatory Access Control so may not be suitable for your purposes.
If you want to handle deletions only, you could keep a "shadow" directory of hardlinks (created via link) to the files being watched (via inotify, as suggested by Graham Lee).
If the original is now unlinked, you still have the shadow file to handle as you want to, without using a kernel module.
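
The shadow-directory approach from the last two answers, as an added example that is not part of the original posts: inotify reports each new entry and the program hard-links it into a second directory on the same filesystem, so the data survives a later unlink. The struct and function names are hypothetical.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <poll.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <unistd.h>

struct shadow { int ifd, watch_fd, shadow_fd; };   /* hypothetical names */
/* Watch dir; links are kept in shadow_dir (same filesystem). 0 on success. */
int shadow_open(struct shadow *s, const char *dir, const char *shadow_dir)
{
    s->watch_fd  = open(dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    s->shadow_fd = open(shadow_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
    s->ifd       = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (s->watch_fd < 0 || s->shadow_fd < 0 || s->ifd < 0)
        return -1;
    return inotify_add_watch(s->ifd, dir, IN_CREATE | IN_MOVED_TO) < 0 ? -1 : 0;
}

/* Drain queued events and hard-link each new non-directory entry. linkat()
 * with flags 0 links a symlink itself, not its target. An entry that is gone
 * before we get here fails with ENOENT and is skipped. Returns links made. */
int shadow_pump(const struct shadow *s)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    int linked = 0;
    ssize_t n;
    while ((n = read(s->ifd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + n; ) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            if (ev->len && !(ev->mask & IN_ISDIR) &&
                linkat(s->watch_fd, ev->name, s->shadow_fd, ev->name, 0) == 0)
                linked++;
            p += sizeof *ev + ev->len;
        }
    }
    return linked;
}

int main(int argc, char **argv)
{
    struct shadow s;
    if (argc != 3 || shadow_open(&s, argv[1], argv[2]) < 0)
        return EXIT_FAILURE;
    struct pollfd pfd = { .fd = s.ifd, .events = POLLIN };
    while (poll(&pfd, 1, -1) > 0)
        shadow_pump(&s);
    return EXIT_FAILURE;
}
```

A hard link shares the inode with the original, so this preserves data across unlink but not across an in-place overwrite or truncate of the watched file.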

reading and writing from a file in linux kernel

I'm writing a patch for the VFS FAT implementation on kernel 3.0.
I want to add POSIX attributes to FAT files that are created in Linux.
To achieve that, I must save a file that contains all the relevant information on the mounted drive.
I know that reading and writing files from kernel space is something that normally shouldn't be done, and I'm looking for another way to read/write the data.
I saw articles on the net that suggested using /proc or creating a userspace daemon that will do the IO for me. I wanted to know if anyone has seen or knows where I can look at an implementation of a thing like that, because I didn't find any examples of that on the net.
I'm not looking for a read/write to proc example, I want to see an entire solution for this issue.
Have a look at the quota implementation; this is a mechanism (ok, presumably not available on vfat) which reads/writes files from the kernel.
Additionally, the "loop" block device is another example of a kernel facility which does file IO.
