This is the mail archive of the systemtap@sourceware.org mailing list for the systemtap project.
Re: prevent module unloading
- From: Daniel Doron <danielmeirdoron at gmail dot com>
- To: Arkady <arkady dot miasnikov at gmail dot com>
- Cc: systemtap at sourceware dot org
- Date: Wed, 18 Oct 2017 18:15:21 +0300
- Subject: Re: prevent module unloading
BTW, the UID approach did not work for me, so I am taking the task
caps approach, i.e. removing and restoring CAP_SYS_MODULE.
Sorry, I did not get what you mean by "Probably easier is to allow
rmmod and insmod the module immediately after that from a script." ...
On Wed, Oct 18, 2017 at 5:17 PM, Arkady <arkady.miasnikov@gmail.com> wrote:
> Probably easier is to allow rmmod and insmod the module immediately
> after that from a script.
>
> On Wed, Oct 18, 2017 at 11:27 AM, Arkady <arkady.miasnikov@gmail.com> wrote:
>> https://stackoverflow.com/questions/43003805/can-ebpf-modify-the-return-value-or-parameters-of-a-syscall/43030030
>>
>> On Wed, Oct 18, 2017 at 11:24 AM, Daniel Doron
>> <danielmeirdoron@gmail.com> wrote:
>>> Wondering, then how does the possibility of changing the $return value work?
>>>
>>> On Wed, Oct 18, 2017 at 11:21 AM, Daniel Doron
>>> <danielmeirdoron@gmail.com> wrote:
>>>> Brilliant! Thanks Arkady :-)
>>>>
>>>> On Wed, Oct 18, 2017 at 11:20 AM, Arkady <arkady.miasnikov@gmail.com> wrote:
>>>>> Modifying syscall arguments in the SystemTap probe will not impact the
>>>>> system call itself.
>>>>> The kprobes copies the syscall arguments to a memory space allocated
>>>>> specifically for the probe.
>>>>> What the SystemTap probes see is a copy of the arguments the user
>>>>> application provided.
>>>>>
>>>>> If you want to "break" a system call you need to modify internal
>>>>> kernel structures or the original syscall stack. One approach could be
>>>>> to change the UID at the beginning of the rmmod and recover the UID at
>>>>> the end.
>>>>>
>>>>> On Wed, Oct 18, 2017 at 11:13 AM, Daniel Doron
>>>>> <danielmeirdoron@gmail.com> wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am interested in protecting some modules from unloading via SystemTap. I
>>>>>> have contemplated modifying the name_user argument but I see it is
>>>>>> passed as const. So does that mean that the pointer is pointing to a
>>>>>> read-only memory location, in which case I have no way of modifying it?
>>>>>> I wanted to change it to some non-existing module name which would
>>>>>> result in an error... Or maybe there is a way to cast the const away
>>>>>> and modify the name...?
>>>>>>
>>>>>> Ideas?
>>>>>>
>>>>>>
>>>>>> Thanks,
>>>>>> -Daniel.
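The thread establishes that a plain (non-guru) probe only sees a copy of the delete_module() arguments, so the defensive thing it can do without touching kernel structures is observe and report. The following SystemTap script is an added example, not code from anyone in this thread: it logs every delete_module() call, flags attempts against a set of protected module names (the names are constructed placeholders), and records the syscall's return value so an operator can see whether the unload actually succeeded. It assumes the syscall tapset's `name_user` is the quoted form produced by user_string_quoted(), which is why the quotes are stripped before the lookup.

```systemtap
#! /usr/bin/env stap
# Added example (not from the mailing-list thread): audit delete_module()
# calls and alert on attempts to unload protected modules. No guru mode is
# needed because nothing in the kernel is modified; as the thread notes,
# the probe body only sees a copy of the syscall arguments.

global protected   # set of module names to alert on

# The syscall tapset exposes name_user via user_string_quoted(), i.e. with
# surrounding double quotes; strip them so plain names can be compared.
function unquote:string (s:string) {
    if (strlen(s) >= 2 && substr(s, 0, 1) == "\"" &&
        substr(s, strlen(s) - 1, 1) == "\"")
        return substr(s, 1, strlen(s) - 2)
    return s
}

probe begin {
    # Constructed placeholder names; replace with the modules you protect.
    protected["my_driver"] = 1
    protected["audit_hook"] = 1
    printf("%s watching delete_module()\n", ctime(gettimeofday_s()))
}

# Entry: who asked to unload which module, and is it one we protect?
probe syscall.delete_module {
    mod = unquote(name_user)
    if (mod in protected)
        printf("%s ALERT pid=%d uid=%d comm=%s tried to unload protected module %s (flags=%s)\n",
               ctime(gettimeofday_s()), pid(), uid(), execname(), mod, flags_str)
    else
        printf("%s delete_module request pid=%d comm=%s module=%s\n",
               ctime(gettimeofday_s()), pid(), execname(), mod)
}

# Return: did the kernel actually honour the request?
probe syscall.delete_module.return {
    printf("%s delete_module() by pid %d returned %s\n",
           ctime(gettimeofday_s()), pid(), retstr)
}
```

Run it as root (`stap delete_module_audit.stp`) and the ALERT lines can be forwarded to whatever log pipeline already watches the host; pairing the entry line with the return line shows whether an attempt was refused (for example EBUSY or EPERM) or completed.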