[https://blog.csdn.net/farsight_2098/article/details/130875915](Linux内核安全模块(Linux Security Module,LSM)例子)
Last active
August 22, 2023 08:05
-
-
Save mbs0221/1064027a660f580539f41e31ec58fab2 to your computer and use it in GitHub Desktop.
linux-security-modules
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // 下面是一个基于进程名和文件名实现特定进程可以访问特定文件的LSM示例代码 | |
| #include <linux/lsm_hooks.h> | |
| #include <linux/path.h> | |
| #include <linux/dcache.h> | |
| #include <linux/namei.h> | |
| // 定义允许访问文件的进程名称 | |
| static char *allowed_process_name = "my_app"; | |
| // 定义需要保护的文件路径 | |
| static char *file_path = "path/to/protected/file"; | |
| // 在inode对象访问的钩子点上实现自定义钩子函数 | |
| static int example_inode_permission(struct inode *inode, int mask) | |
| { | |
| // 获取当前进程的进程组ID和进程ID | |
| pid_t current_pid = task_tgid_vnr(current); | |
| // 获取当前进程的进程名称 | |
| char * current_process_name = (char*)get_task_comm(current); | |
| // 判断进程名称和进程组是否匹配 | |
| if (strcmp(current_process_name, allowed_process_name) || current_pid != pid_nr(get_task_pid(current, PIDTYPE_PID))) { | |
| // 如果当前进程名称和进程组和要求不匹配,则拒绝访问 | |
| return -EACCES; | |
| } | |
| // 判断访问的文件路径是否与被保护路径匹配 | |
| struct path file; | |
| int err = kern_path(file_path, LOOKUP_FOLLOW, &file); | |
| if (err) { | |
| printk(KERN_INFO "%!(NOVERB)s not found.\n", file_path); | |
| return -EACCES; | |
| } | |
| if (file.dentry != inode->i_dentry) { | |
| return -EACCES; | |
| } | |
| // 允许进程访问文件 | |
| return 0; | |
| } | |
| // 定义自定义钩子函数列表 | |
| static struct security_hook_list example_hooks[] = { | |
| LSM_HOOK_INIT(inode_permission, example_inode_permission), | |
| }; | |
| // 安全模块初始化函数 | |
| static __init int example_init(void) | |
| { | |
| printk(KERN_INFO "example LSM initialized\n"); | |
| // 注册自定义钩子函数 | |
| security_add_hooks(example_hooks, ARRAY_SIZE(example_hooks)); | |
| return 0; | |
| } | |
| // 安全模块注销函数 | |
| static __exit void example_exit(void) | |
| { | |
| printk(KERN_INFO "example LSM exited\n"); | |
| // 删除自定义钩子函数 | |
| security_delete_hooks(example_hooks, ARRAY_SIZE(example_hooks)); | |
| } | |
| // 模块初始化和注销函数 | |
| security_initcall(example_init); | |
| module_exit(example_exit); | |
| MODULE_LICENSE("GPL"); | |
| MODULE_DESCRIPTION("LSM示例:仅特定进程可以访问特定文件"); |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| // https://blog.csdn.net/farsight_2098/article/details/130875915 | |
| #include <linux/lsm_hooks.h> | |
| #include <linux/net.h> | |
| #include <linux/sched.h> | |
| // 定义允许使用网络的进程名称 | |
| static char *allowed_process_name = "my_network_app"; | |
| // 在socket对象访问的钩子点上实现自定义钩子函数 | |
| static int example_socket_socket_create(int family, int type, int protocol, int kern) | |
| { | |
| // 获取当前进程的进程名称 | |
| char * current_process_name = (char*)get_task_comm(current); | |
| // 判断当前进程名称是否匹配允许使用网络的进程名称 | |
| if (strcmp(current_process_name, allowed_process_name)) { | |
| return -EACCES; | |
| } | |
| return 0; | |
| } | |
| // 在bind(绑定套接字)钩子点上实现自定义钩子函数 | |
| static int example_socket_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) | |
| { | |
| // 获取当前进程的进程名称 | |
| char * current_process_name = (char*)get_task_comm(current); | |
| // 判断当前进程名称是否匹配允许使用网络的进程名称 | |
| if (strcmp(current_process_name, allowed_process_name)) { | |
| return -EACCES; | |
| } | |
| return 0; | |
| } | |
| // 在connect(连接到远程主机)钩子点上实现自定义钩子函数 | |
| static int example_socket_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen, int flags) | |
| { | |
| // 获取当前进程的进程名称 | |
| char * current_process_name = (char*)get_task_comm(current); | |
| // 判断当前进程名称是否匹配允许使用网络的进程名称 | |
| if (strcmp(current_process_name, allowed_process_name)) { | |
| return -EACCES; | |
| } | |
| return 0; | |
| } | |
| // 定义自定义钩子函数列表 | |
| static struct security_hook_list example_hooks[] = { | |
| LSM_HOOK_INIT(socket_socket_create, example_socket_socket_create), | |
| LSM_HOOK_INIT(socket_bind, example_socket_socket_bind), | |
| LSM_HOOK_INIT(socket_connect, example_socket_socket_connect), | |
| }; | |
| // 安全模块初始化函数 | |
| static __init int example_init(void) | |
| { | |
| printk(KERN_INFO "example LSM initialized\n"); | |
| // 注册自定义钩子函数 | |
| security_add_hooks(example_hooks, ARRAY_SIZE(example_hooks)); | |
| return 0; | |
| } | |
| // 安全模块注销函数 | |
| static __exit void example_exit(void) | |
| { | |
| printk(KERN_INFO "example LSM exited\n"); | |
| // 删除自定义钩子函数 | |
| security_delete_hooks(example_hooks, ARRAY_SIZE(example_hooks)); | |
| } | |
| // 模块初始化和注销函数 | |
| security_initcall(example_init); | |
| module_exit(example_exit); | |
| MODULE_LICENSE("GPL"); | |
| MODULE_DESCRIPTION("LSM示例:仅特定进程可以使用网络"); |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment