From 197c3fc81957e5d270a990094614fae7d9dd094a Mon Sep 17 00:00:00 2001
Message-Id: <197c3fc81957e5d270a990094614fae7d9dd094a.1621826682.git.escape@linux.alibaba.com>
From: Yi Tao <escape@linux.alibaba.com>
Date: Fri, 21 May 2021 14:39:42 +0800
Subject: [PATCH] filter some specific mount behaviors to strengthen security
Signed-off-by: Yi Tao <escape@linux.alibaba.com>
---
drivers/Makefile | 1 +
drivers/mount-filter.c | 111 +++++++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 112 insertions(+)
create mode 100644 drivers/mount-filter.c
diff --git a/drivers/Makefile b/drivers/Makefile
index 5762280..08707db 100644
--- a/drivers/Makefile
+++ b/drivers/Makefile
@@ -189,3 +189,4 @@ obj-$(CONFIG_GNSS) += gnss/
obj-$(CONFIG_INTERCONNECT) += interconnect/
obj-$(CONFIG_COUNTER) += counter/
obj-$(CONFIG_MOST) += most/
+obj-m += mount-filter.o
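Review bot: The new line uses a bare `obj-m +=`, so the module is always built as a loadable module and can neither be configured out nor built in, unlike every neighbouring entry (lines 18–20) which is gated on a Kconfig symbol. Follow the file's convention with `obj-$(CONFIG_MOUNT_FILTER) += mount-filter.o` (CONFIG_MOUNT_FILTER is a placeholder name here) and add a matching Kconfig entry so the hook can be enabled deliberately.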
diff --git a/drivers/mount-filter.c b/drivers/mount-filter.c
new file mode 100644
index 00000000..4c32c4f
--- /dev/null
+++ b/drivers/mount-filter.c
@@ -0,0 +1,111 @@
+// SPDX-License-Identifier: GPL-2.0-only
+#include <linux/module.h>
+#include <linux/livepatch.h>
+#include <linux/ftrace.h>
+#include <linux/sched.h>
+#include <linux/dcache.h>
+#include <linux/string.h>
+#include <linux/pid.h>
+#include <linux/mount.h>
+
+#define PATH_MAX 4096
+
+struct ftrace_ops fops;
+unsigned long security_sb_mount;
+struct mnt_namespace *default_mnt_ns;
+char usr_path[PATH_MAX];
+char buffer[PATH_MAX];
+char *bin_whitelist[] = {"/usr/bin/ostree", "/usr/bin/ignition", NULL};
+char *path_blacklist[] = {"/", "/usr/", "/sysroot", NULL};
+
+/*
+ * set usr path by systemd path
+ * eg:
+ * from /ostree/deploy/LifseaOS/deploy/cd6773a136494c3fc70370cf9aff9676806c0b8424ec8354369255ce3aa86957.2/usr/lib/systemd/systemd
+ * to /ostree/deploy/LifseaOS/deploy/cd6773a136494c3fc70370cf9aff9676806c0b8424ec8354369255ce3aa86957.2/usr/
+ */
+void set_usr_path(char *usr_path)
+{
+ struct task_struct *systemd = pid_task(find_get_pid(1), PIDTYPE_PID);
+ char *systemd_path = dentry_path_raw(systemd->mm->exe_file->f_path.dentry, buffer, PATH_MAX - 1);
+ char *ptr = systemd_path;
+ int i;
+
+ //find prefix
+ for (i = 0; i < 6; i++) {
+ ptr = strchr(ptr, '/') + 1;
+ }
+ strcpy(ptr, "usr/");
+ strcpy(usr_path, systemd_path);
+}
+
+
+int mount_filter(const char *dev_name, const struct path *path,
+ const char *type, unsigned long flags, void *data)
+{
+ int pid = task_pid_nr(current);
+ int i;
+ char *mount_path;
+ char *file_path = dentry_path_raw(current->mm->exe_file->f_path.dentry, buffer, PATH_MAX - 1);
+
+ //init, pass
+ if (pid == 1)
+ return 0;
+
+ //white list binary, pass
+ if (file_path && strstr(file_path, usr_path))
+ for (i = 0; bin_whitelist[i] != NULL; i++)
+ if (strstr(file_path, bin_whitelist[i]))
+ return 0;
+
+
+ // not default mnt namespace, pass
+ if (current->nsproxy->mnt_ns != default_mnt_ns)
+ return 0;
+
+ //sensitive path, forbidden
+ mount_path = dentry_path_raw(path->dentry, buffer, PATH_MAX - 1);
+ for (i = 0; path_blacklist[i] != NULL; i++)
+ if (!strcmp(mount_path, path_blacklist[i]))
+ return -1;
+
+ // sensitive device, forbidden
+ if (dev_name && strstr(dev_name, "/dev/vda4"))
+ return -1;
+
+ return 0;
+}
+
+void notrace hook_handler(unsigned long ip, unsigned long parent_ip,
+ struct ftrace_ops *fops, struct pt_regs*regs)
+{
+ klp_arch_set_pc(regs, (unsigned long)mount_filter);
+}
+
+
+static int __init mount_filter_init(void)
+{
+
+ set_usr_path(usr_path);
+
+ default_mnt_ns = current->nsproxy->mnt_ns;
+
+ security_sb_mount = kallsyms_lookup_name("security_sb_mount");
+ fops.func = hook_handler;
+ fops.flags = FTRACE_OPS_FL_SAVE_REGS |
+ FTRACE_OPS_FL_DYNAMIC |
+ FTRACE_OPS_FL_IPMODIFY;
+
+
+
+ ftrace_set_filter_ip(&fops, security_sb_mount, 0, 0);
+
+ return register_ftrace_function(&fops);
+}
+
+
+module_init(mount_filter_init);
+
+MODULE_AUTHOR("Yi Tao");
+MODULE_DESCRIPTION("Filter specific mount hevaviors");
+MODULE_LICENSE("GPL");
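Review bot: `mount_filter` and `set_usr_path` render every path into the one file-scope `buffer` (lines 57, 76, 94) with no locking, so two tasks calling mount() at the same time overwrite each other's `mount_path` before the strcmp on line 96 runs, and the blacklist check can then compare a half-overwritten string and let a listed path through; give each call its own buffer (kmalloc'd or a bounded stack buffer) and make all the file-scope objects `static`. `dentry_path_raw` returns an ERR_PTR on failure, which line 94 passes straight into strcmp and line 83 only screens for NULL, and `current->mm` / `exe_file` are NULL for kernel threads, so line 76 dereferences them unguarded — all three need `IS_ERR`/NULL checks. The loop on lines 62–63 does `strchr(ptr, '/') + 1` six times with no NULL check, so a systemd path with fewer than six components oopses during module init, and the reference taken by `find_get_pid(1)` on line 56 is never dropped with `put_pid`. Spell the deny return as `-EPERM` rather than `-1`, check the results of `kallsyms_lookup_name` (line 120, zero on a missing symbol) and `ftrace_set_filter_ip` (line 128) before registering an IPMODIFY ops, add a `module_exit` that calls `unregister_ftrace_function`, and fix "hevaviors" on line 137. The rewritten `mount_filter` below shows the per-call buffer and the error checks; it needs `<linux/slab.h>` for kmalloc/kfree.
```c
int mount_filter(const char *dev_name, const struct path *path,
		 const char *type, unsigned long flags, void *data)
{
	char *buf;
	char *file_path, *mount_path;
	int i, ret = 0;

	/* init, pass */
	if (task_pid_nr(current) == 1)
		return 0;

	/* per-call buffer: the hook can run on several CPUs at once */
	buf = kmalloc(PATH_MAX, GFP_KERNEL);
	if (!buf)
		return -ENOMEM;

	/* kernel threads have no mm/exe_file; they are simply not whitelisted */
	if (current->mm && current->mm->exe_file) {
		file_path = dentry_path_raw(current->mm->exe_file->f_path.dentry,
					    buf, PATH_MAX - 1);
		if (!IS_ERR(file_path) && strstr(file_path, usr_path))
			for (i = 0; bin_whitelist[i] != NULL; i++)
				if (strstr(file_path, bin_whitelist[i]))
					goto out;
	}

	/* not default mnt namespace, pass */
	if (current->nsproxy->mnt_ns != default_mnt_ns)
		goto out;

	/* sensitive path, forbidden; an unresolvable path is denied, not ignored */
	mount_path = dentry_path_raw(path->dentry, buf, PATH_MAX - 1);
	if (IS_ERR(mount_path)) {
		ret = PTR_ERR(mount_path);
		goto out;
	}
	for (i = 0; path_blacklist[i] != NULL; i++)
		if (!strcmp(mount_path, path_blacklist[i])) {
			ret = -EPERM;
			goto out;
		}

	/* sensitive device, forbidden */
	if (dev_name && strstr(dev_name, "/dev/vda4"))
		ret = -EPERM;
out:
	kfree(buf);
	return ret;
}
```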
--
1.8.3.1