# Out-of-tree kernel module "lkrg" for the std-pae flavour; the sources come
# from the kernel-source-lkrg package (BuildRequires below), not from a Source0.
%define module_name lkrg
%define module_version 0.8.1+git20210219.8a3aaa6
%define module_release alt1

# Kernel flavour/arch this build targets.  The BuildRequires(pre) packages are
# installed before the spec is parsed, which is why the flavour is spelled out
# literally here: they supply setup_kernel_module and (presumably) the kversion,
# krelease, kcode and kbuildrelease macros used throughout the file.
%define flavour std-pae
%define karch %ix86
BuildRequires(pre): rpm-build-kernel
BuildRequires(pre): kernel-headers-modules-std-pae
%setup_kernel_module %flavour

# Install location of the built module (misc/ below this kernel's modules dir).
%define module_dir /lib/modules/%kversion-%flavour-%krelease/misc

Summary: Linux Kernel Runtime Guard module
Name: kernel-modules-%module_name-%flavour
Version: %module_version
Release: %module_release.%kcode.%kbuildrelease
License: GPL-2.0
Group: System/Kernel and hardware

Packager: Kernel Maintainer Team <kernel at packages.altlinux.org>

ExclusiveOS: Linux
URL: https://www.openwall.com/lkrg/

# sysvinit script; the systemd unit is taken from the module sources at install time.
Source1: lkrg.init

# Suffix of the qemu-system-* package used by the boot test in the check stage:
# the architecture family where one is known, the raw arch name otherwise.
%define qemu_pkg %_arch
%ifarch %ix86 x86_64
%define qemu_pkg x86
%endif
%ifarch %arm
%define qemu_pkg arm
%endif

BuildRequires: kernel-headers-modules-%flavour = %kepoch%kversion-%krelease
BuildRequires: kernel-source-%module_name = %module_version
# Needed only for the qemu boot test in the check stage; dropped when building
# with --without check or --disable check.
%{?!_without_check:%{?!_disable_check:BuildRequires(pre): rpm-build-kernel-perms}}
%{?!_without_check:%{?!_disable_check:BuildRequires: qemu-system-%qemu_pkg-core ipxe-roms-qemu glibc-devel-static kernel-image-%flavour}}

# Exactly one build of this module per kernel version/flavour/release may be
# installed: Provides names that slot, the two Conflicts pin it to this version-release.
Provides:  kernel-modules-%module_name-%kversion-%flavour-%krelease = %version-%release
Conflicts: kernel-modules-%module_name-%kversion-%flavour-%krelease < %version-%release
Conflicts: kernel-modules-%module_name-%kversion-%flavour-%krelease > %version-%release

ExclusiveArch: %karch

%description
Linux Kernel Runtime Guard (LKRG) is a loadable kernel module that performs
runtime integrity checking of the Linux kernel and detection of security
vulnerability exploits against the kernel. As controversial as this concept is,
LKRG attempts to post-detect and hopefully promptly respond to unauthorized
modifications to the running Linux kernel (integrity checking) or to
credentials (such as user IDs) of the running processes (exploit
detection). For process credentials, LKRG attempts to detect the exploit and
take action before the kernel would grant the process access (such as open a
file) based on the unauthorized credentials.

%prep
# Unpack the module source tarball shipped by kernel-source-lkrg into the build
# dir; -D -T makes setup reuse that directory instead of unpacking a Source0.
rm -rf %module_name-%module_version
tar -jxf %kernel_src/kernel-source-%module_name-%module_version.tar.bz2
%setup -D -T -n %module_name-%module_version
# Bring the sysvinit script next to the sources so the install stage finds it.
cp -a %SOURCE1 .

%build
# Out-of-tree Kbuild against the installed headers of this flavour (M= points at this tree).
%make_build -C %_usrsrc/linux-%kversion-%flavour modules M=$(pwd)
# systemd preset that enables the unit; installed under presetdir in the install stage.
echo "enable lkrg.service" > lkrg.preset

%install
# The module itself, under misc/ of the target kernel's module directory.
install -D -p -m0644 p_lkrg.ko %buildroot%module_dir/p_lkrg.ko
# sysvinit script (Source1, copied in at prep time), the upstream systemd unit
# from the module sources, and the preset generated in the build stage.
install -D -p -m0755 lkrg.init %buildroot%_initdir/lkrg
install -D -p -m0644 scripts/bootup/systemd/lkrg.service %buildroot%_unitdir/lkrg.service
install -D -p -m0644 lkrg.preset %buildroot%_presetdir/30-lkrg.preset

%check
# based on %%check of kernel-image-%%flavour.spec
# Boot-test the freshly built module: a tiny static init (C source below) is
# packed into an initrd and booted under qemu with this flavour's kernel; the
# verdict is taken from the captured serial console log.
KernelVer=%kversion-%flavour-%krelease
mkdir -p test
cd test
# Interpolated into the C source of the init (the heredoc is unquoted on purpose).
lkrg_trigger=/proc/sys/lkrg/trigger
failmsg="LKRG test failed"
# Static binary so it runs as PID 1 in an initrd without a libc; -xc reads the C from stdin.
%__cc %optflags -s -static -xc -o init - <<__EOF__
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <linux/module.h>
#include <sys/mount.h>
#include <sys/reboot.h>
#include <sys/syscall.h>
#define finit_module(fd, param_values, flags) syscall(__NR_finit_module, fd, param_values, flags)
#define delete_module(name, flags) syscall(__NR_delete_module, name, flags)
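/*
 * PID 1 of the qemu boot test.  Loads the freshly built p_lkrg.ko, mounts /proc
 * and writes "1" to the LKRG trigger sysctl, then loads an unrelated module
 * (fuse.ko; presumably to give LKRG a module-list change to observe - confirm),
 * unloads both and powers the VM off.  Every failure is reported with perror()
 * prefixed by "$failmsg" so the spec can grep the console log for it.
 *
 * Shell variables ($failmsg, $lkrg_trigger) are expanded by the unquoted heredoc
 * this source lives in, and a percent sign must not appear anywhere in it (rpm
 * would treat it as a macro) - hence perror() rather than printf().
 *
 * Returns 0 (never actually reached: the process ends in reboot()/pause()).
 */
int main(void)
{
    int fd = open("p_lkrg.ko", O_RDONLY);
    if (fd == -1) {
        perror("$failmsg p_lkrg.ko");
        goto exit;
    }

    /*
     * Return value deliberately unchecked: per the original note the call
     * reports -1 here (attributed to module verification); the spec instead
     * requires "LKRG initialized successfully!" in the boot log.
     */
    finit_module(fd, "log_level=3", MODULE_INIT_IGNORE_MODVERSIONS|MODULE_INIT_IGNORE_VERMAGIC);
    close(fd);

    /* presumably lets the module finish initialising and log before we go on */
    sleep(2);

    /* the trigger is a sysctl, so /proc must be mounted first */
    if (mount("proc", "/proc", "proc", 0, NULL) == -1) {
        perror("$failmsg mount");
        goto exit;
    }

    fd = open("$lkrg_trigger", O_WRONLY);
    if (fd == -1) {
        perror("$failmsg $lkrg_trigger");
        goto exit;
    }

    /* write only the two characters: sizeof alone would also send the NUL terminator */
    ssize_t r = write(fd, "1\n", sizeof("1\n") - 1);
    close(fd);
    if (r == -1) {
        perror("$failmsg write");
        goto exit;
    }

    fd = open("fuse.ko", O_RDONLY);
    if (fd == -1) {
        perror("$failmsg fuse.ko");
        goto exit;
    }

    finit_module(fd, NULL, MODULE_INIT_IGNORE_MODVERSIONS|MODULE_INIT_IGNORE_VERMAGIC);
    close(fd);

    sleep(2);

exit:
    /* unload in reverse order; the spec expects "LKRG unloaded!" in the log */
    delete_module("fuse", 0);
    delete_module("p_lkrg", 0);

    /* the spec expects "reboot: Power down"; pause() keeps PID 1 alive until then */
    reboot(RB_POWER_OFF);
    pause();
    return 0;
}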
__EOF__
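# Assemble the initrd: the static init, both modules and an empty /proc mount point.
# NOTE(review): no /dev/console node is packed; if the kernel cannot open an initial
# console, init's stderr (and thus any failmsg line) may never reach boot.log - verify
# that the failure path really produces the message before relying on the grep below.
mkdir -p proc
cp -a %buildroot%module_dir/p_lkrg.ko p_lkrg.ko
# NOTE(review): only place in the file using kflavour instead of flavour; presumably
# setup_kernel_module defines both with the same value - confirm.
cp -a /lib/modules/%kversion-%kflavour-%krelease/kernel/fs/fuse/fuse.ko fuse.ko
find init fuse.ko p_lkrg.ko proc -print | cpio -H newc -o | gzip -8n > initrd.img.gz
# qemu binary, machine options and console device per architecture; the arm
# timeout is longer (presumably because full TCG emulation is slower).
qemu_arch=%_arch
qemu_opts=""
console=ttyS0
timeout=600
%ifarch %ix86
qemu_arch=i386
%endif
%ifarch aarch64
qemu_opts="-machine accel=tcg,type=virt -cpu cortex-a57"
console=ttyAMA0
%endif
%ifarch %arm
qemu_arch=arm
qemu_opts="-machine accel=tcg,type=virt"
console=ttyAMA0
timeout=1800
%endif
# Boot under a hard timeout and capture the serial console ($qemu_opts is unquoted
# on purpose: it may hold several options).  The build passes only if every milestone
# appears in the log and neither a failmsg line nor a kernel panic does; otherwise the
# log is dumped to stderr and the check fails.  Both negative greps name boot.log
# explicitly - without the file argument they would read stdin and never see the log.
timeout --foreground "$timeout" qemu-system-"$qemu_arch" -m 512 $qemu_opts -kernel /boot/vmlinuz-$KernelVer -nographic -append console="$console no_timer_check" -initrd initrd.img.gz > boot.log &&
grep -qF "LKRG initialized successfully!" boot.log &&
grep -qF "LKRG unloaded!" boot.log &&
grep -qE '^(\[ *[0-9]+\.[0-9]+\] *)?reboot: Power down' boot.log &&
! grep -qF "$failmsg" boot.log &&
! grep -qF 'Kernel panic' boot.log || {
cat >&2 boot.log
exit 1
}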

%post
# ALT service helper: registers/restarts the lkrg service on install and upgrade.
%post_service lkrg

%preun
# ALT service helper: stops/deregisters the service before the package is removed.
%preun_service lkrg

%files
# The module plus both init-system integrations and the systemd preset from the install stage.
%module_dir/p_lkrg.ko
%_initdir/lkrg
%_unitdir/lkrg.service
%_presetdir/30-lkrg.preset

%changelog
