This week I have been toying around with the idea of hijacking the linux kernel pointers, instead of overwriting functions, to implement security features. Well, tonight I pushed a big commit to tpe-lkm that implements all the features entirely with this new method. It’s currently in a “dev” branch, as it’s not been fully tested. So far, however, the method seems promising.
It essentially goes like this; all the LSM hooks know which functions of SELinux/AppArmor/etc to call via the “security_ops” pointer. It points to a structure with a bunch of pointers to functions. All I need to do is find the right pointers and change them to point to my module’s functions, and it’s all done. No funky assembly code, no tricky copying and overwriting of kernel functions on the fly, just changing some pointers.
As for the other features of the tpe-lkm module – they all use a similar callback – a structure with pointers to functions to use. How convenient for me.
I should also mention that this code structure of the linux kernel basically makes the security_ops pointer a single point of failure for the whole LSM framework. If I were a little more malicious, I could disable the whole kernel security system by changing that one pointer. I wouldn’t ever do that, just thought I’d point out that it’s possible
Anyway, hopefully this sticks. Although it may limit what features I could add to tpe-lkm down the road, it’s so much easier to deal with.