Monday, May 18, 2015

Listing missed whitelist kernel module symbols on Red Hat 7

This is short but useful:

This example looks for the symbols of ecryptfs:

NOTE: It is assumed that the ecryptfs module was built and the ecryptfs.ko file exists. I will write later how to build ecryptfs.

1.- Install the kabi-whitelists

[root@localhost linux-3.10.0-229.1.2.el7]# yum install kernel-abi-whitelists
Loaded plugins: product-id, subscription-manager
rhel-7-server-eus-rpms                                                       | 2.9 kB  00:00:00    
rhel-7-server-rpms                                                           | 3.7 kB  00:00:00    
rhel-7-server-rt-beta-rpms                                                   | 3.3 kB  00:00:00    
rhel-7-server-rt-rpms                                                        | 3.3 kB  00:00:00    
rhel-ha-for-rhel-7-server-eus-rpms                                           | 2.9 kB  00:00:00    
rhel-ha-for-rhel-7-server-rpms                                               | 3.7 kB  00:00:00    
rhel-rs-for-rhel-7-server-eus-rpms                                           | 2.9 kB  00:00:00    
rhel-rs-for-rhel-7-server-rpms                                               | 3.7 kB  00:00:00    
rhel-sap-for-rhel-7-server-rpms                                              | 3.5 kB  00:00:00    
Resolving Dependencies
--> Running transaction check
---> Package kernel-abi-whitelists.noarch 0:3.10.0-229.4.2.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                    Arch        Version                   Repository                   Size
====================================================================================================
Installing:
 kernel-abi-whitelists      noarch      3.10.0-229.4.2.el7        rhel-7-server-eus-rpms      1.4 M

Transaction Summary
====================================================================================================
Install  1 Package

Total download size: 1.4 M
Installed size: 56 k
Is this ok [y/d/N]: y
Downloading packages:
kernel-abi-whitelists-3.10.0-229.4.2.el7.noarch.rpm                          | 1.4 MB  00:00:02    
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
  Installing : kernel-abi-whitelists-3.10.0-229.4.2.el7.noarch                                  1/1
  Verifying  : kernel-abi-whitelists-3.10.0-229.4.2.el7.noarch                                  1/1

Installed:
  kernel-abi-whitelists.noarch 0:3.10.0-229.4.2.el7                                                

Complete!

2.- Download the kabi_check.py file from http://people.redhat.com/jcm/el6/dup/docs/scripts/rhel6_kabi_check.py ; this is for rhel6 but also works for rhel7. In this example I renamed it to kabi_check.py


[root@localhost linux-3.10.0-229.1.2.el7]# find / -name *abi*
/root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7/kabi_check.py

3.- Locate the directory where the whitelists were installed:

[root@localhost linux-3.10.0-229.1.2.el7]# ls /lib/modules/kabi-
kabi-current/ kabi-rhel70/  kabi-rhel71/

4.- I am checking against rhel71:

[root@localhost linux-3.10.0-229.1.2.el7]# python kabi_check.py -w /lib/modules/kabi-rhel71/kabi_whitelist_x86_64 /root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7/fs/ecryptfs/ecryptfs.ko
Red Hat Enterprise Linux 6 ABI Checker
--------------------------------------

ABI Checker version: 2.0

Module:    /root/rpmbuild/SOURCES/linux-3.10.0-229.1.2.el7/fs/ecryptfs/ecryptfs.ko
Kernel:    3.10.0-229.el7.x86_64
Whitelist: /lib/modules/kabi-rhel71/kabi_whitelist_x86_64 (package kabi-whitelists is not installed
)

WARNING: The following symbols are used by your module
WARNING: and are not on the ABI whitelist.

symbol: generic_fillattr
symbol: clear_nlink
symbol: d_instantiate
symbol: clear_inode
symbol: vfs_setxattr
symbol: notify_change
symbol: grab_cache_page_write_begin
symbol: crypto_alloc_base
symbol: vfs_getattr
symbol: vfs_rename
symbol: lookup_one_len
symbol: generic_file_splice_read
symbol: kfree_put_link
symbol: init_special_inode
symbol: unregister_filesystem
symbol: kzfree
symbol: d_make_root
symbol: generic_readlink
symbol: set_freezable
symbol: do_sync_write
symbol: read_cache_page
symbol: iput
symbol: sg_init_one
symbol: fsstack_copy_attr_all
symbol: register_filesystem
symbol: vfs_unlink
symbol: kmem_cache_alloc_trace
symbol: path_put
symbol: inode_change_ok
symbol: __fentry__
symbol: vfs_mkdir
symbol: crypto_destroy_tfm
symbol: __refrigerator
symbol: inode_newsize_ok
symbol: d_drop
symbol: bdi_setup_and_register
symbol: unlock_new_inode
symbol: do_sync_read
symbol: __stack_chk_fail
symbol: truncate_inode_pages_final
symbol: fs_kobj
symbol: key_type_encrypted
symbol: generic_file_mmap
symbol: __free_pages
symbol: atomic_dec_and_mutex_lock
symbol: mntput
symbol: inode_init_once
symbol: key_put
symbol: fput
symbol: set_nlink
symbol: lock_rename
symbol: warn_slowpath_null
symbol: wait_on_sync_kiocb
symbol: sget
symbol: sysfs_create_group
symbol: d_rehash
symbol: freezing_slow_path
symbol: current_task
symbol: default_llseek
symbol: from_kuid
symbol: crypto_alloc_ablkcipher
symbol: kern_path
symbol: kernel_read
symbol: key_validate
symbol: unlock_rename
symbol: vfs_rmdir
symbol: kobject_create_and_add
symbol: truncate_setsize
symbol: sysfs_remove_group
symbol: generic_file_aio_write
symbol: vfs_symlink
symbol: igrab
symbol: generic_read_dir
symbol: vfs_fsync
symbol: vfs_mknod
symbol: init_user_ns
symbol: dentry_open
symbol: match_token
symbol: seq_printf
symbol: dput
symbol: generic_file_aio_read
symbol: lockref_get
symbol: deactivate_locked_super
symbol: touch_atime
symbol: filemap_write_and_wait
symbol: system_freezing_cnt
symbol: vfs_link
symbol: dget_parent
symbol: key_type_user
symbol: kill_anon_super
symbol: iget5_locked
symbol: inode_permission
symbol: vfs_readdir
symbol: mntget
symbol: __mark_inode_dirty
symbol: generic_file_llseek
symbol: make_bad_inode
symbol: kernel_stack
symbol: set_anon_super
symbol: sg_init_table
symbol: fsstack_copy_inode_size
symbol: kernel_write
symbol: alloc_pages_current
symbol: request_key
symbol: vfs_create

[root@localhost linux-3.10.0-229.1.2.el7]#
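
The comparison from step 4, as an added example (not the Red Hat script and not code from the original post). It assumes the whitelist file is a `[section]` header followed by one indented symbol per line, and that the module's imports are read from `nm -u`; the function names and the sample data are constructed for illustration.

```python
import subprocess
import sys

# Constructed sample in the layout assumed for kabi_whitelist_x86_64:
# a "[name]" section header, then one indented symbol per line.
SAMPLE_WHITELIST = "[rhel7_x86_64_whitelist]\n\tkfree\n\t__kmalloc\n\tprintk\n"

# Constructed sample of `nm -u ecryptfs.ko`-style output.
SAMPLE_NM = """\
                 U __kmalloc
                 U d_instantiate
                 U kfree
                 U vfs_getattr
                 w weak_optional_sym
"""


def parse_whitelist(text):
    """Whitelisted symbols, skipping section headers, comments and blanks."""
    lines = (line.strip() for line in text.splitlines())
    return {l for l in lines if l and not l.startswith(("[", "#"))}


def parse_nm_undefined(text):
    """Symbols typed 'U': imports the running kernel must export at load."""
    rows = (line.split() for line in text.splitlines())
    return {r[1] for r in rows if len(r) == 2 and r[0] == "U"}


def off_whitelist(nm_text, whitelist_text):
    """Sorted imports that the whitelist does not cover."""
    return sorted(parse_nm_undefined(nm_text) - parse_whitelist(whitelist_text))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # usage: script.py WHITELIST MODULE.ko
        nm_text = subprocess.check_output(["nm", "-u", sys.argv[2]], text=True)
        with open(sys.argv[1]) as fh:
            wl_text = fh.read()
    else:  # no arguments: run on the constructed samples
        nm_text, wl_text = SAMPLE_NM, SAMPLE_WHITELIST
    for sym in off_whitelist(nm_text, wl_text):
        print("symbol: " + sym)
```

Run with a whitelist path and a `.ko` path to check a real module. Each symbol printed is an import that the kABI whitelist does not cover, so it is worth re-running the check after every kernel update before loading the module.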


Enjoy!
P.S. Ok, I have no time to find a new flag :/ going to a meeting.
