Kptr_restrict to a pointer in the user space kernel (/proc/kallsyms-modules displays value all 0)

Linuxdevicedrivers/study/debug/filesystem/procfs/kptr_restrict

This work is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. Please cite the source when reprinting; thank you for your cooperation.

My technical level and knowledge are limited, so if this content has errors or places that need correction, you are welcome to point them out. You are also welcome to suggest other good debugging tools for inclusion. Thank you.


1 /proc/kallsyms displays all-zero values

Today a co-worker asked me why `cat /proc/kallsyms` showed all-zero values. I tried it on the phone, and sure enough it did.

Switching to root and running it again still gave 0. This was strange, because when the kernel crashes, or when trace is enabled, the kernel calls sprint_symbol to print symbols. Why can the kernel do it while a user-space cat cannot?

It turned out that the system uses a protection mechanism for these symbol addresses, so that ordinary users other than root cannot see the symbol addresses directly.

2 kptr_restrict Introduction

The reason is the following restriction in the kernel file kallsyms.c, in the code that prints symbol addresses:

    seq_printf(m, "%pK %c %s\n", (void *)iter->value, iter->type, iter->name);

Simply replacing %pK with %p would allow ordinary users to see the symbol addresses. Many bug exploits obtain symbol addresses from exactly this place.

The kernel provides the control variable /proc/sys/kernel/kptr_restrict to modify this behaviour. From the kernel documentation Documentation/sysctl/kernel.txt you can see that kptr_restrict is used to control some of the kernel's output printing.

Documentation/printk-formats.txt has a more detailed description; besides the print formats we normally encounter, there are some more special formats (which I had not noticed before).

==============================================================
kptr_restrict:

This toggle indicates whether restrictions are placed on
exposing kernel addresses via /proc and other interfaces.

When kptr_restrict is set to (0), the default, there are no restrictions. When
kptr_restrict is set to (1), kernel pointers printed using the %pK format
specifier will be replaced with 0's unless the user has CAP_SYSLOG and effective
user and group ids are equal to the real ids. This is because %pK checks are
done at read() time rather than open() time, so if permissions are elevated
between the open() and the read() (e.g via a setuid binary) then %pK will not
leak kernel pointers to unprivileged users. Note, this is a temporary solution
only. The correct long-term solution is to do the permission checks at open()
time. Consider removing world read permissions from files that use %pK, and
using dmesg_restrict to protect against uses of %pK in dmesg(8) if leaking
kernel pointer values to unprivileged users is a concern.

When kptr_restrict is set to (2), kernel pointers printed using
%pK will be replaced with 0's regardless of privileges.
==============================================================
kptr_restrict   Permission description
2               The kernel prints symbol addresses as all zeros; neither root nor normal users can read them
1               The root user can read them; normal users cannot
0               Both root and normal users can read them

When the kptr_restrict value is 2, no user can read the kernel symbol addresses.

When the kptr_restrict value is 1, normal users cannot read the kernel symbol addresses, but the root user can.

When the kptr_restrict value is 0, all users can read the kernel addresses.

Note that kptr_restrict affects the export of many address and symbol tables in the kernel, for example /proc/modules.

3 kptr_restrict Design

kptr_restrict was introduced in kernel commit 455cd5ab ("kptr_restrict for hiding kernel pointers from unprivileged users"); the relevant source is in lib/vsprintf.c, line 1708.

    /* Excerpt from pointer() in lib/vsprintf.c, kernel v4.13.9 */
    /* http://elixir.free-electrons.com/linux/v4.13.9/source/lib/vsprintf.c#L1708 */
    case 'K':
        switch (kptr_restrict) {
        case 0:
            /* Always print %pK values */
            break;
        case 1: {
            const struct cred *cred;

            /*
             * kptr_restrict==1 cannot be used in IRQ context
             * because its test for CAP_SYSLOG would be meaningless.
             */
            if (in_irq() || in_serving_softirq() || in_nmi()) {
                if (spec.field_width == -1)
                    spec.field_width = default_width;
                return string(buf, end, "pK-error", spec);
            }

            /*
             * Only print the real pointer value if the current
             * process has CAP_SYSLOG and is running with the
             * same credentials it started with. This is because
             * access to files is checked at open() time, but %pK
             * checks permission at read() time. We don't want to
             * leak pointer values if a binary opens a file using
             * %pK and then elevates privileges before reading it.
             */
            cred = current_cred();
            if (!has_capability_noaudit(current, CAP_SYSLOG) ||
                !uid_eq(cred->euid, cred->uid) ||
                !gid_eq(cred->egid, cred->gid))
                ptr = NULL;
            break;
        }
        case 2:
        default:
            /* Always print 0's for %pK */
            ptr = NULL;
            break;
        }
        break;
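To make the read-time check concrete, here is an added example (my own Python, not code from this post or from the kernel) that models the 'case K' decision above as a pure function and also parses /proc/kallsyms-style lines to detect the all-zero symptom from section 1. The Cred class, the capability set, the three sample credential sets and the sample symbol lines are assumptions constructed for the example; only the decision rules (kptr_restrict value, CAP_SYSLOG, real vs. effective ids, IRQ context) come from the kernel code and documentation quoted above.

```python
"""Model of the kernel's %pK decision and a check for the zeroed /proc/kallsyms symptom."""
import os
from dataclasses import dataclass

# CAP_SYSLOG capability number from <linux/capability.h>.
CAP_SYSLOG = 34


@dataclass(frozen=True)
class Cred:
    """Simplified view of struct cred: real/effective ids and effective caps (constructed)."""
    uid: int
    euid: int
    gid: int
    egid: int
    caps: frozenset


# Constructed sample credential sets (assumptions for the example).
UNPRIV = Cred(uid=1000, euid=1000, gid=1000, egid=1000, caps=frozenset())
ROOT = Cred(uid=0, euid=0, gid=0, egid=0, caps=frozenset({CAP_SYSLOG}))
# A setuid-root binary started by uid 1000: euid/egid differ from uid/gid.
SETUID = Cred(uid=1000, euid=0, gid=1000, egid=0, caps=frozenset({CAP_SYSLOG}))


def pk_visible(kptr_restrict: int, cred: Cred, in_irq: bool = False) -> bool:
    """Mirror the 'case K' branch of pointer() in lib/vsprintf.c.

    Returns True when a %pK pointer is printed as-is and False when the
    kernel would substitute zeros (ptr = NULL) or the "pK-error" marker.
    """
    if kptr_restrict == 0:
        return True                      # always print %pK values
    if kptr_restrict == 1:
        if in_irq:
            return False                 # kernel prints "pK-error" here
        # CAP_SYSLOG and unchanged credentials since exec: read()-time check.
        return (CAP_SYSLOG in cred.caps
                and cred.euid == cred.uid
                and cred.egid == cred.gid)
    return False                         # 2 (and anything else): always zeros


def parse_kallsyms(text: str):
    """Parse /proc/kallsyms lines: 'addr type name' with optional '\\t[module]'."""
    syms = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        addr, typ, name = int(parts[0], 16), parts[1], parts[2]
        module = parts[3].strip("[]") if len(parts) > 3 else None
        syms.append((addr, typ, name, module))
    return syms


def addresses_hidden(syms) -> bool:
    """True when every symbol address is 0, the symptom described in section 1."""
    return bool(syms) and all(addr == 0 for addr, _, _, _ in syms)


def live_kptr_restrict():
    """Read the running system's sysctl value, or None when it is unavailable."""
    try:
        with open("/proc/sys/kernel/kptr_restrict") as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


# Constructed sample /proc/kallsyms output (addresses are not from a real kernel).
SAMPLE_HIDDEN = """\
0000000000000000 T _text
0000000000000000 T startup_64
0000000000000000 t dummy_fn\t[dummy_mod]
"""
SAMPLE_VISIBLE = """\
ffffffff81000000 T _text
ffffffff81000030 T startup_64
ffffffffc0001000 t dummy_fn\t[dummy_mod]
"""

if __name__ == "__main__":
    for value in (0, 1, 2):
        for label, cred in (("root", ROOT), ("unprivileged", UNPRIV), ("setuid-root", SETUID)):
            state = "visible" if pk_visible(value, cred) else "zeroed"
            print(f"kptr_restrict={value} {label:12s} -> {state}")
    current = live_kptr_restrict()
    if current is not None:
        print(f"this system: kptr_restrict={current}, uid={os.getuid()}, euid={os.geteuid()}")
    print("sample output hidden:", addresses_hidden(parse_kallsyms(SAMPLE_HIDDEN)))
```

The SETUID case is the one the documentation comment is about: a setuid-root binary holds CAP_SYSLOG, but because its effective ids differ from its real ids, kptr_restrict=1 still zeroes the pointers at read() time even though the open() succeeded.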
4 References

Introducing Linux Kernel Symbols

Is there a way to set kptr_restrict to 0?

kptr_restrict for hiding kernel pointers from unprivileged users

Analysis of the Linux kallsyms mechanism


This work (aderstep, Purple Night, Blue Ling Xiang Cao, copyright © 2013-2017) was created by Chengjian (gatieme)

and is licensed under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License. You are welcome to reprint, use and republish it, but you must keep the author's signature Chengjian gatieme (including the link: http://blog.csdn.net/gatieme) and must not use it for commercial purposes.

Works derived from this article must be released under the same license. If you have any questions, please contact me.
