Ticket #6 (assigned enhancement)

Opened 9 years ago

Last modified 9 years ago

compilation on kernels >= 2.6.26

Reported by: mz Owned by: rmcmillen
Priority: major Milestone:
Component: component1 Version:
Keywords: Cc:

Description

Hi,

I wrote a patch that allows to compile Sebek on kernels >= 2.6.26. I tested it on Debian 5.0 (2.6.26-1-686).

Sorry if this is not the proper place for posting a patch, but I didn't find a better one. I plan to go deeper into Sebek internals and hope to improve something.

Here's the patch:

Index: src/util.h
===================================================================
--- src/util.h (revision 22)
+++ src/util.h (working copy)
@@ -21,9 +21,11 @@

#include <linux/fs.h>
#include <linux/file.h>

+#include <linux/fdtable.h>

#include <linux/proc_fs.h>
#include <linux/netdevice.h>
#include <linux/dcache.h>

+#include <linux/version.h>

#include "fudge.h"
#include "config.h"
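Review bot: The new `#include <linux/fdtable.h>` is unconditional, yet that header only exists on kernels that split it out of linux/file.h (2.6.26, as far as I recall), so the `LINUX_VERSION_CODE` guards the rest of the patch adds are undermined: a build against an older kernel now fails at this include instead of falling back to the old code. Since the hunk also adds `#include <linux/version.h>`, move that line ahead of the fdtable include and guard the latter: `#if ( LINUX_VERSION_CODE >= KERNEL_VERSION(2,6,26) )` / `#include <linux/fdtable.h>` / `#endif`. The same applies to the net.h hunk, where version.h is already included but only after the new line.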

@@ -106,7 +108,11 @@

extern u32 s_packets;

extern struct net_device *output_dev;

-extern get_info_t * old_get_info;
+#if ( LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24) )
+extern get_info_t * old_read_proc;
+#else
+extern read_proc_t * old_read_proc;
+#endif

//----------------------------------------------------------------------------- //----- Functions
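Review bot: The extern switches from get_info_t to read_proc_t at KERNEL_VERSION(2,6,24), while the matching definition in the sebek.c hunk switches at KERNEL_VERSION(2,6,26); on a 2.6.24 or 2.6.25 kernel the declaration and the definition therefore disagree on the pointee type, which is undefined behaviour even when the linker stays quiet. The added comment in that hunk names 2.6.26 as the kernel that dropped get_info, so the threshold here should read `#if ( LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26) )` to match. Better still, make the version test exist in one place only, e.g. a `typedef` of the right callback type in util.h under the one guard, and have both the extern and the definition use that type.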

Index: src/filter.c
===================================================================
--- src/filter.c (revision 22)
+++ src/filter.c (working copy)
@@ -344,8 +344,8 @@

for(;;){

//--- at the overal fs root ?

- if(dentry_ptr == current->fs->root &&
- vfsmnt_ptr == current->fs->rootmnt)break;
+ if(dentry_ptr == current->fs->root.dentry &&
+ vfsmnt_ptr == current->fs->root.mnt)break;

//--- at the vfs root?
if(dentry_ptr == vfsmnt_ptr->mnt_root
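Review bot: The switch to `current->fs->root.dentry` / `root.mnt` is unconditional, unlike the rest of the patch, so this file no longer builds on kernels where fs_struct still has separate root and rootmnt fields (the struct path form arrived around 2.6.25, if I remember correctly). Wrap the comparison in the guard style net.c already uses, `#if ( LINUX_VERSION_CODE < KERNEL_VERSION(2,6,25) )` with the old two lines in the first branch and the new two in the `#else`. The util.c hunk has the same problem, since d_path() changed to take a struct path in the same kernel series. The enclosing for(;;) loop starts before the hunk and ends after it.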

Index: src/net.c
===================================================================
--- src/net.c (revision 22)
+++ src/net.c (working copy)
@@ -515,7 +515,12 @@

//----- dev_get_info: called when /proc/net/dev is accessed this calls //----- the modified sprintf_stats.

+//Kernel 2.6.26 drops struct's proc_dir_entry get_info_t *get_info member so in it and newer kernels we use read_proc_t as a function type
+#if ( LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26) )

static int dev_get_info(char *buffer, char **start, off_t offset, int length)

+#else
+static int dev_get_info(char *buffer, char **start, off_t offset, int length, int* eof, void* data)
+#endif

{

int len = 0; off_t begin = 0;
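Review bot: The read_proc_t variant of dev_get_info gains `eof` and `data` parameters, but nothing visible in the hunk writes `*eof`, and the body continues well past it; as far as I recall, a read_proc callback that never sets `*eof = 1` keeps being called by the proc layer with increasing offsets, so please confirm the function sets it once the stats are fully emitted, or add a comment explaining why the `*start`/return-length protocol alone ends the read. Both variants would also benefit from a short header comment stating what `buffer`/`start`/`offset`/`length` mean under each calling convention, since the two differ. As a point of style, the new line writes `int* eof, void* data` while the existing parameters bind the star to the name (`char *buffer`, `char **start`); keep one style.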

@@ -579,7 +584,7 @@

#if ( LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24) )

for(proc_ptr = proc_net->subdir;proc_ptr !=0;proc_ptr = proc_ptr->next){

if(proc_ptr->namelen == 3 && !memcmp("dev",proc_ptr->name,3)){

- old_get_info = proc_ptr->get_info;
+ old_read_proc = proc_ptr->get_info;

lock_kernel(); proc_net_remove("dev"); proc_net_create("dev",0,dev_get_info);

@@ -590,10 +595,10 @@

#else

for(proc_ptr = init_net.proc_net->subdir;proc_ptr !=0;proc_ptr = proc_ptr->next){

if(proc_ptr->namelen == 3 && !memcmp("dev",proc_ptr->name,3)){

- old_get_info = proc_ptr->get_info;
+ old_read_proc = proc_ptr->read_proc;

lock_kernel(); proc_net_remove(&init_net,"dev");

- create_proc_info_entry("dev",0,init_net.proc_net,dev_get_info);
+ create_proc_read_entry("dev",0,init_net.proc_net,dev_get_info, NULL);

unlock_kernel(); return 1;

}
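Review bot: In the `#else` branch the patch saves `proc_ptr->read_proc` and later hands it back to create_proc_read_entry, but on 2.6.26-era kernels /proc/net/dev is, as far as I know, a seq_file entry driven by `proc_fops` rather than by a read_proc callback, so the saved pointer is presumably NULL or stale and re-registering it cannot restore the original entry. A more robust approach is to keep the whole original `struct proc_dir_entry` (or at least its `proc_fops` together with `read_proc`) and restore whichever is set, and to bail out before proc_net_remove when nothing usable was saved, e.g. `if(!old_read_proc) return 0;` right after the assignment, so the entry is never removed when it cannot be put back. The enclosing start_proc_hiding function starts before the hunk.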

@@ -605,17 +610,17 @@

int stop_proc_hiding(){

- if(!old_get_info)
+ if(!old_read_proc)

return 0;

lock_kernel();

#if ( LINUX_VERSION_CODE < KERNEL_VERSION(2,6,24) )

proc_net_remove("dev");

- proc_net_create("dev",0,old_get_info);
+ proc_net_create("dev",0,old_read_proc);

#else

proc_net_remove(&init_net,"dev");

- create_proc_info_entry("dev",0,init_net.proc_net,old_get_info);
+ create_proc_read_entry("dev",0,init_net.proc_net,old_read_proc, NULL);

#endif

unlock_kernel();
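Review bot: After the original entry is re-created, `old_read_proc` keeps its value in the visible lines, so a second call to stop_proc_hiding would remove and re-create /proc/net/dev again instead of being a no-op, and start_proc_hiding has no way to tell that nothing is currently hidden. Reset it once the restore is done: `old_read_proc = NULL;` after `unlock_kernel();`. The function's body continues past the hunk, so if that reset already happens further down, ignore this.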

Index: src/sebek.c
===================================================================
--- src/sebek.c (revision 22)
+++ src/sebek.c (working copy)
@@ -36,7 +36,12 @@

u32 s_packets;

struct net_device *output_dev;

-get_info_t * old_get_info;
+//Kernel 2.6.26 drops struct's proc_dir_entry get_info_t *get_info member so in newer kernels we use read_proc_t as a function type
+#if ( LINUX_VERSION_CODE < KERNEL_VERSION(2,6,26) )
+get_info_t * old_read_proc;
+#else
+read_proc_t * old_read_proc;
+#endif

//----- these 2 pups used to track use of syscalls
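Review bot: The added comment is hard to parse ("drops struct's proc_dir_entry get_info_t *get_info member so in newer kernels we use read_proc_t as a function type"), and the same sentence is duplicated in the net.c hunk; both would read better as `// 2.6.26 removed proc_dir_entry::get_info; newer kernels expose a read_proc_t callback instead, so the saved pointer's type follows the kernel.` It is also worth stating the ownership here: from what the net.c hunks show, this pointer is only ever copied out of the kernel's own proc entry and never allocated by Sebek, so it must not be freed.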

Index: src/net.h
===================================================================
--- src/net.h (revision 22)
+++ src/net.h (working copy)
@@ -29,6 +29,7 @@

#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/file.h>

+#include <linux/fdtable.h>

#include <linux/version.h>

#include <linux/smp_lock.h>

Index: src/util.c
===================================================================
--- src/util.c (revision 22)
+++ src/util.c (working copy)
@@ -92,7 +92,7 @@

f_ptr = fcheck_files(files,fd);

- return d_path(f_ptr->f_dentry,f_ptr->f_vfsmnt,buffer,pathmax);
+ return d_path(&f_ptr->f_path,buffer,pathmax);

}
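Review bot: fcheck_files() returns NULL for a closed or out-of-range descriptor, and the rewritten `d_path(&f_ptr->f_path, ...)` line dereferences f_ptr without a check, exactly as the old line did, so a bad fd in the monitored process would oops the kernel here. Add `if (!f_ptr) return NULL;` (or whatever failure value the enclosing function's callers expect; its start is outside the hunk) before the d_path() call. fcheck_files() is also only valid under rcu_read_lock() or files->file_lock, which the hunk does not show; confirm the caller holds one and say so in a comment above the call.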

Regards, Mariusz

Change History

  Changed 9 years ago by mz

Could you guys confirm whether patch works for you? Thanks.

follow-up: ↓ 3   Changed 9 years ago by rmcmillen

  • owner changed from somebody to rmcmillen
  • status changed from new to assigned

Applied to idt branch. Will test soon and hopefully merge into trunk.

in reply to: ↑ 2   Changed 9 years ago by mz

Nice. rmcmillen, how can I contact you? I would like to help further with Sebek development.

  Changed 9 years ago by mz

I've tested my patch further on debian 5.0 and Ubuntu 8.10

Debian 5.0 ==========

It fails when unloading the module (in test mode). I've investigated that following code breaks it:

int stop_proc_hiding() {

/* other code */

create_proc_read_entry("dev",0,init_net.proc_net, old_read_proc, NULL);

/* other code */ }

Namely old_read_proc breaks it - it isn't valid. It's a pointer of read_proc_t type, it was set in start_proc_hiding() function:

if(proc_ptr->namelen == 3 && !memcmp("dev",proc_ptr->name,3)){

old_read_proc = proc_ptr->read_proc; lock_kernel(); proc_net_remove(&init_net,"dev"); create_proc_read_entry("dev",0,init_net.proc_net,dev_get_info, NULL); unlock_kernel(); return 1;

}

It is set almost identically to how it was before, except that it is now of type read_proc_t and create_proc_read_entry(...) is used instead of the get_info_t type and the create_proc_info_entry(...) function (these were dropped in the 2.6.26 kernel).

Do you guys have any idea how to handle this?

Ubuntu 8.10 ===========

It compiles successfully but unfortunately crashes while loading the module. I've tested it on server and generic kernels from Ubuntu repository. The reason is probably that Ubuntu's kernels are heavily patched. I didn't investigated it further, for now I want to make it work reliable on Debian 5.0.

  Changed 9 years ago by AtesComp
