It recently came to my attention that RHEL/CentOS 7 kernels started support for the ftrace system as of version 7.2. This is an in-kernel system to instrument kernel functions in a safe and clean way.
Since using ftrace basically meant a rewrite of most of the tpe-lkm code, and dropping of support of older kernels, this new release has bumped the major version from 1 to 2.
New features in this release include:
* guaranteed safety of kernel function hooking
* better long-term support from future kernels
* added harden_ptrace to tpe.extras
* added hide_uname to tpe.extras
* ability to soften certain TPE checks with filesystem attributes
* default mmap whitelist to allow Gnome Desktop to boot properly
* better logging options
Additionally, the availability for this in-tree method of hooking kernel functions has wider implications for implementing security features in distribution kernels. For more information, read the following whitepaper I drafted:
I am mentoring the develop a kpatch delivery mechanism for the CentOS Google Summer of Code (GSoC) project. Per my recent “office hours” email to the CentOS GSoC, I’ll be online from 10pm to 11pm US Mountain time on weekdays in the #centos-gsoc and #centos-devel chat rooms on irc.freenode.net
I’ve decided that I’ll keep these hours even after the project ends. If anyone wants to get in touch with me outside of email, just drop me a chat during those hours. My username is cormander.
A few weeks ago I go an email that tpe-lkm didn’t build on EL7. To be honest, I didn’t even know that EL7 had been released, I’ve been so disconnected from things outside of family and work the past few years.
Anyway, I got back to work and now everything is nice and ready for release. You can download it from the tpe-lkm github project page. It has a few new features as well.
Job change, kid in and out of the hospital, wife having a seizure, legal issues… yeah I’ve been around, just not present in the open source community. I’ve dropped off the radar before, and this probably won’t be the last time. But things are finally looking up and hopefully I’ll be around a while.
As for the meaning of the version number goes, the 3rd # is for bugfixes, a 2nd # is if new features are added, and if I ever increment the first #, it’ll be a major rewrite of the code. I may do that some day.
So I’ve decided to see if I can get a speaking slot at LinuxCon in San Diego this year. Here is the abstract that I sent them. Wish me luck!
I will talk about hooking into pre-compiled distribution linux kernels to add security hardening. This allows for certain security frameworks to be used on kernels that are either 1) too old, 2) don’t have certain config flags set, or 3) don’t use non-mainline security patches. The primary example I’ll be discussing is my implementation of “Trusted Path Execution” as a linux kernel module, the source code of which is here: https://github.com/cormander/tpe-lkm . I may also demo installing AppArmor on a RHEL6 system via a kernel module, if I get the module stable before July.
The audience would be system administrators and developers who manage systems that they can not change the kernel on, or don’t want to manage custom kernel builds. This is important because it allows access to kernel hardening to a lot of people who have their hands tied either by policy or lack of experience.
Early this morning I got a bug report from someone that, when the full path to a file is sufficiently long enough, a denied execution of it will throw a NULL pointer exception in the kernel. This evening I researched the issue and coded in a fix. Basically, the error reporting tried to print out a NULL pointer under those conditions. How embarrassing for me to not notice this.
If you’re using the tpe-lkm module, you’ll want to update it. I’ve also bumped the version number.
About a year ago, I posted about me coding a TPE module for distribution kernels. In that time I’ve added some features, fixed some bugs, and deployed it to all of my non-grsecurity systems. With the last known outstanding bug (that I know about) being fixed a little over two weeks ago (and tested) I’m excited to say that, you guessed it, tpe-lkm is ready for wider deployment.
I’ve been using GitHub a lot more lately, and have found it to be a great service. So, this is me officially saying that any code I reference you should be able to find in one of my github repositories. If I’ve mentioned something to you that isn’t in there, call me out on it; I’ll get it up ASAP.