Simplify seccomp validation

See #354
lkrg-org · Oct 19, 2024 · 3bdf5c8 · 3bdf5c8
1 parent 3e6abdd
commit 3bdf5c8
Show file tree

Hide file tree

Showing 4 changed files with 0 additions and 61 deletions.
diff --git a/src/modules/exploit_detection/p_exploit_detection.c b/src/modules/exploit_detection/p_exploit_detection.c
@@ -433,7 +433,6 @@ static notrace void p_dump_creds(struct p_cred *p_where, const struct cred *p_fr
 #if defined(CONFIG_SECCOMP)
 static notrace void p_dump_seccomp(struct p_seccomp *p_sec, struct task_struct *p_task, char p_force) {
 
-   p_lkrg_seccomp_filter_get(p_task);
    p_sec->sec.mode    = p_task->seccomp.mode;   // Mode
    p_sec->sec.filter  = p_task->seccomp.filter; // Filter
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,11,0)
@@ -446,7 +445,6 @@ static notrace void p_dump_seccomp(struct p_seccomp *p_sec, struct task_struct *
       p_sec->flag = 0;
    if (p_force)
       p_sec->flag_sync_thread = 0;
-   p_lkrg_seccomp_filter_put(p_task);
 }
 #endif
 
@@ -1377,12 +1375,7 @@ static int p_cmp_tasks(struct p_ed_process *p_orig, struct task_struct *p_curren
 
 #if defined(CONFIG_SECCOMP)
    /* Seccomp */
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)
    if (p_orig->p_ed_task.p_sec.flag) { // SECCOMP was enabled so it make sense to compare...
-#else
-   if (p_orig->p_ed_task.p_sec.flag && current == p_current) { // SECCOMP was enabled so it make sense to compare...
-#endif
-      p_lkrg_seccomp_filter_get(p_current);
 
 #if LINUX_VERSION_CODE >= KERNEL_VERSION(5,11,0)
       if (test_task_syscall_work(p_current,SECCOMP) != p_orig->p_ed_task.p_sec.flag) {
@@ -1416,8 +1409,6 @@ static int p_cmp_tasks(struct p_ed_process *p_orig, struct task_struct *p_curren
 
       if (current == p_current && !(p_current->flags & PF_EXITING))
          P_CMP_PTR(p_orig->p_ed_task.p_sec.sec.filter, p_current->seccomp.filter, "seccomp filter")
-
-      p_lkrg_seccomp_filter_put(p_current);
    }
 #endif
 
@@ -1988,13 +1979,6 @@ int p_exploit_detection_init(void) {
 
    P_SYM_INIT(__kernel_text_address)
    P_SYM_INIT(mm_find_pmd)
-#if defined(CONFIG_SECCOMP)
-   if (P_LKRG_SUCCESS != p_lkrg_seccomp_init()) {
-      p_print_log(P_LOG_FATAL, "Can't initialize seccomp() logic");
-      p_ret = P_LKRG_GENERAL_ERROR;
-      goto p_exploit_detection_init_out;
-   }
-#endif
 
 #ifdef CONFIG_SECURITY_SELINUX
 #if (!defined(RHEL_RELEASE_CODE) && LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)) || \

diff --git a/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.c b/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.c
@@ -34,43 +34,6 @@ static struct kretprobe p_seccomp_kretprobe = {
     .data_size = sizeof(struct p_seccomp_data),
 };
 
-int p_lkrg_seccomp_init(void) {
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)
-   P_SYM_INIT(get_seccomp_filter)
-   P_SYM_INIT(put_seccomp_filter)
-#endif
-
-   return P_LKRG_SUCCESS;
-
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)
-p_sym_error:
-   return P_LKRG_GENERAL_ERROR;
-#endif
-}
-
-void p_lkrg_seccomp_filter_get(struct task_struct *p_task) {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)
-   P_SYM(p_get_seccomp_filter)(p_task);
-#else
-   struct p_fake_seccomp_filter *p_filter = (struct p_fake_seccomp_filter *)p_task->seccomp.filter;
-
-   if (p_filter)
-      refcount_inc(&p_filter->refs);
-#endif
-}
-
-void p_lkrg_seccomp_filter_put(struct task_struct *p_task) {
-#if LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)
-   P_SYM(p_put_seccomp_filter)(p_task);
-#else
-   struct p_fake_seccomp_filter *p_filter = (struct p_fake_seccomp_filter *)p_task->seccomp.filter;
-
-   if (p_filter)
-      refcount_dec(&p_filter->refs);
-#endif
-}
-
 /*
  * x86-64 syscall ABI:
  *  *rax - syscall_number

diff --git a/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.h b/src/modules/exploit_detection/syscalls/p_seccomp/p_seccomp.h
@@ -34,10 +34,6 @@ struct p_fake_seccomp_filter {
 };
 #endif
 
-int p_lkrg_seccomp_init(void);
-void p_lkrg_seccomp_filter_get(struct task_struct *p_task);
-void p_lkrg_seccomp_filter_put(struct task_struct *p_task);
-
 int p_seccomp_ret(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
 int p_seccomp_entry(struct kretprobe_instance *p_ri, struct pt_regs *p_regs);
 int p_install_seccomp_hook(int p_isra);

diff --git a/src/p_lkrg_main.h b/src/p_lkrg_main.h
@@ -213,10 +213,6 @@ typedef struct _p_lkrg_global_symbols_structure {
  #endif
 #endif
    int (*p___kernel_text_address)(unsigned long p_addr);
-#if defined(CONFIG_SECCOMP) && LINUX_VERSION_CODE < KERNEL_VERSION(5,9,0)
-   void (*p_get_seccomp_filter)(struct task_struct *p_task);
-   void (*p_put_seccomp_filter)(struct task_struct *p_task);
-#endif
 #ifdef CONFIG_SECURITY_SELINUX
 #if LINUX_VERSION_CODE < KERNEL_VERSION(5, 6, 0)
    int *p_selinux_enabled;