Using kptr_restrict on Linux
The kernel documents this sysctl in Documentation/sysctl/kernel.txt, as follows:
kptr_restrict:
This toggle indicates whether restrictions are placed on
exposing kernel addresses via /proc and other interfaces.
When kptr_restrict is set to 0 (the default) the address is hashed before
printing. (This is the equivalent to %p.)
When kptr_restrict is set to (1), kernel pointers printed using the %pK
format specifier will be replaced with 0's unless the user has CAP_SYSLOG
and effective user and group ids are equal to the real ids. This is
because %pK checks are done at read() time rather than open() time, so
if permissions are elevated between the open() and the read() (e.g via
a setuid binary) then %pK will not leak kernel pointers to unprivileged
users. Note, this is a temporary solution only. The correct long-term
solution is to do the permission checks at open() time. Consider removing
world read permissions from files that use %pK, and using dmesg_restrict
to protect against uses of %pK in dmesg(8) if leaking kernel pointer
values to unprivileged users is a concern.
When kptr_restrict is set to (2), kernel pointers printed using
%pK will be replaced with 0's regardless of privileges.
In short, the kptr_restrict sysctl limits how kernel addresses are printed. With kptr_restrict=0 the address is printed as a hashed value (%pK behaves exactly like %p). With kptr_restrict=1, %pK prints "pK-error" if it is evaluated in interrupt or softirq context; otherwise it prints the address as all zeros unless the reading process holds CAP_SYSLOG and its effective uid/gid still match its real ids. With kptr_restrict=2, %pK always prints all zeros. A pointer printed with %p is hashed in every case, regardless of the setting, whereas %pK lets kptr_restrict hide the kernel address outright and so prevents kernel address leaks.
This is easy to see from the kernel source:
char *restricted_pointer(char *buf, char *end, const void *ptr,
			 struct printf_spec spec)
{
	switch (kptr_restrict) {
	case 0:
		/* Handle as %p, hash and do _not_ leak addresses. */
		return ptr_to_id(buf, end, ptr, spec);	/* prints the hash of the kernel address */
	case 1: {
		const struct cred *cred;

		/*
		 * kptr_restrict==1 cannot be used in IRQ context
		 * because its test for CAP_SYSLOG would be meaningless.
		 */
		if (in_irq() || in_serving_softirq() || in_nmi()) {
			if (spec.field_width == -1)
				spec.field_width = 2 * sizeof(ptr);
			/* in IRQ, softirq or NMI context, print "pK-error" */
			return error_string(buf, end, "pK-error", spec);
		}

		/*
		 * Only print the real pointer value if the current
		 * process has CAP_SYSLOG and is running with the
		 * same credentials it started with. This is because
		 * access to files is checked at open() time, but %pK
		 * checks permission at read() time. We don't want to
		 * leak pointer values if a binary opens a file using
		 * %pK and then elevates privileges before reading it.
		 */
		cred = current_cred();
		if (!has_capability_noaudit(current, CAP_SYSLOG) ||
		    !uid_eq(cred->euid, cred->uid) ||
		    !gid_eq(cred->egid, cred->gid))
			ptr = NULL;	/* print all zeros */
		break;
	}
	case 2:
	default:
		/* Always print 0's for %pK */
		ptr = NULL;
		break;
	}

	/* ptr is now either the real pointer or NULL; print it as plain hex */
	return pointer_string(buf, end, ptr, spec);
}
Below, the same kernel pointer is printed with %pK under each setting.
With the default, unmodified setting (kptr_restrict=0), the kernel address prints as follows:
Euler:/home # ./test.sh
disable begin 0
[ 128.153235] hisi_sas_v3_hw 0000:74:02.0: erroneous completion iptt=4030 task=0000000021ed4560 dev id=1 CQ hdr: 0x1103 0x10fbe 0x0
0x20000 Error info: 0x0 0x4000000 0x0 0x0
[ 128.168481] sas: smp_execute_task_sg: task to dev 500e004aaaaaaa1f response: 0x0 status 0x2
[ 128.177189] sas: broadcast received: 0
[ 128.180938] sas: REVALIDATING DOMAIN on port 0, pid:3519
After changing to kptr_restrict=1, the kernel address prints as follows:
Euler:/home # ./test.sh
disable begin 0
[ 226.287150] hisi_sas_v3_hw 0000:74:02.0: erroneous completion iptt=4064 task= pK-error dev id=1 CQ hdr: 0x1103 0x10fe0 0x0
0x20000 Error info: 0x0 0x4000000 0x0 0x0
[ 226.302395] sas: smp_execute_task_sg: task to dev 500e004aaaaaaa1f response: 0x0 status 0x2
[ 226.311106] sas: broadcast received: 0
[ 226.314852] sas: REVALIDATING DOMAIN on port 0, pid:3519
After changing to kptr_restrict=2, the kernel address prints as follows:
Euler:/home # ./test.sh
disable begin 0
[ 506.507222] hisi_sas_v3_hw 0000:74:02.0: erroneous completion iptt=4041 task=0000000000000000 dev id=1 CQ hdr: 0x1103 0x10fc9 0x0
0x20000 Error info: 0x0 0x4000000 0x0 0x0
[ 506.522471] sas: smp_execute_task_sg: task to dev 500e004aaaaaaa1f response: 0x0 status 0x2
[ 506.531174] sas: broadcast received: 0
[ 506.534918] sas: REVALIDATING DOMAIN on port 0, pid:3519
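The three captures above show the same %pK field in each of its possible states: a hashed value, the literal "pK-error", and all zeros. An administrator auditing a machine usually wants the reverse question answered: does anything in the kernel log look like an unhashed kernel address? The following Python script is an added example, not code from the original post. It scans dmesg-style lines for `name=value` fields that hold a %p/%pK-shaped value and classifies each one. The sample lines are constructed, modelled on the hisi_sas lines above, plus one constructed line carrying a raw address. The "0xffff... means raw" rule is a heuristic assumption that holds for 64-bit x86 and arm64 kernels, whose kernel virtual addresses live in the upper half of the address space.

```python
import re
from collections import Counter

# Constructed sample dmesg lines: the first three are modelled on the
# hisi_sas output in the post (kptr_restrict=0, 1 and 2); the last one is a
# constructed line with an unhashed 64-bit kernel address, the case an audit
# should flag.
SAMPLE_DMESG = """\
[  128.153235] hisi_sas_v3_hw 0000:74:02.0: erroneous completion iptt=4030 task=0000000021ed4560 dev id=1 CQ hdr: 0x1103 0x10fbe 0x0
[  226.287150] hisi_sas_v3_hw 0000:74:02.0: erroneous completion iptt=4064 task= pK-error dev id=1 CQ hdr: 0x1103 0x10fe0 0x0
[  506.507222] hisi_sas_v3_hw 0000:74:02.0: erroneous completion iptt=4041 task=0000000000000000 dev id=1 CQ hdr: 0x1103 0x10fc9 0x0
[  900.000000] demo_drv: request state task=ffff8000123456a0 dev id=1
"""

# A value printed via %p/%pK is either the literal "pK-error" or a run of
# hex digits (16 on 64-bit targets, 8 on 32-bit). The optional whitespace
# after '=' matches the "task= pK-error" form seen in the post, which comes
# from the field-width padding applied by error_string().
POINTER_FIELD = re.compile(r'(\w+)=\s*(pK-error|[0-9a-fA-F]{16}|[0-9a-fA-F]{8})\b')
TIMESTAMP = re.compile(r'^\[\s*([0-9.]+)\]')


def classify_pointer(value: str) -> str:
    """Map one printed pointer value to what the kernel did with it."""
    if value == 'pK-error':
        # kptr_restrict=1 and %pK evaluated in IRQ/softirq/NMI context
        return 'pK-error'
    if set(value) == {'0'}:
        # %pK with kptr_restrict=2, or =1 without CAP_SYSLOG / with changed creds
        return 'zeroed'
    if len(value) == 16 and value.lower().startswith('ffff'):
        # Heuristic (assumption): on 64-bit x86/arm64 kernel virtual addresses
        # sit in the upper half, so an 0xffff... value was printed unhashed.
        return 'raw'
    # Anything else is what %p / %pK(kptr_restrict=0) emit: a hashed id
    return 'hashed'


def scan_dmesg(text: str) -> list:
    """Return (timestamp, field, value, class) for every pointer-like field."""
    findings = []
    for line in text.splitlines():
        ts_match = TIMESTAMP.match(line)
        ts = ts_match.group(1) if ts_match else ''
        for field, value in POINTER_FIELD.findall(line):
            findings.append((ts, field, value, classify_pointer(value)))
    return findings


def summarize(text: str) -> dict:
    """Count classes; a non-zero 'raw' count means addresses are leaking."""
    return dict(Counter(cls for _, _, _, cls in scan_dmesg(text)))


def leaked_timestamps(text: str) -> list:
    """Timestamps of lines that carry a raw (unhashed) kernel address."""
    return [ts for ts, _, _, cls in scan_dmesg(text) if cls == 'raw']


if __name__ == '__main__':
    for finding in scan_dmesg(SAMPLE_DMESG):
        print(finding)
    print(summarize(SAMPLE_DMESG))
    print('raw addresses at:', leaked_timestamps(SAMPLE_DMESG))
```

To run it against a real system, feed the output of dmesg (or the journal) into scan_dmesg instead of SAMPLE_DMESG, and read the current setting from /proc/sys/kernel/kptr_restrict. Note that the scan classifies what was written at the time each line was emitted: with kptr_restrict=1 the decision is made at read() time for the process reading the %pK file, so a line already in the ring buffer is not affected by changing the sysctl afterwards.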