Process hiding Kernel patch for 2.6.24.x

Currently all Linux kernel security patch projects seem to be sleeping. There is no useful kernel patch set that would allow us to strengthen the Linux kernel. Some years ago I was using Grsecurity, a wonderful solution for enforcing security on the 2.4.x kernels of that time. The project seems to be pretty dead by now.

Over the last few months I was using RSBAC, a great set of security enhancements for the 2.6.x kernels. RSBAC seems to be a great project and I like the way they provide pre-patched vanilla kernels. But again, reaction time is way too slow. Root exploits for Linux kernels seem to appear all the time and force a server administrator to react fast. The recently published vmsplice root exploit made me give up on RSBAC, as it is just always a step behind. I decided to switch back to self-compiled vanilla kernels from kernel.org.

Besides that, all I was looking for was a tiny little kernel patch for user-based process hiding (check my previous article about process hiding in RSBAC).
Finally I found a simple way to accomplish this. Actually it is a simple patch of no more than six lines, found on the debian-kernel mailing list. The patch found in that thread was written for Linux kernel 2.6.23.8.
I'd like to provide you with an updated patch for the current stable kernel, 2.6.24.2, in which the vmsplice root exploit should be fixed (UPDATED 2008-04-25: 2.6.24.5):

You see? Actually it's just a six-line patch to fs/proc/base.c.
It works like a charm. In make menuconfig you can set up process hiding under:

Here’s my patch: prochide-patch_2.6.24.2.diff

UPDATED 2008-04-25: prochide-patch_2.6.24.5.diff

3 Responses

  1. Daniel Mettler
    Feb 27, 2008 - 06:57 PM

    Interesting hint, though I have no need for such a feature currently (maybe later). I use a Gentoo Xen kernel I customized – works pretty well. Cheers

  2. bob
    Apr 06, 2008 - 12:34 AM

    Actually RSBAC protects from vmsplice ;)
    Providing new kernel support however for a project of this size is sometimes difficult for the few RSBAC developers. E.g. 2.6.24 (which has the vmsplice fix, if you aren't willing to patch 2.6.23 yourself) introduced a whole new PID architecture using structs. This means changing the core way RSBAC identifies processes.
    It took 2 weeks to code.
    IMHO this is rather fast, even if not acceptable for security. But in that case, you *should* use your distro kernels or kernel patches of course. Distro kernels are rarely bleeding edge, they simply patch them for the security issues found.

    Although unlikely, if e.g. your patch has to change totally in the next kernel version you will feel the problem at its core.

  3. anonymous
    Oct 08, 2011 - 12:19 PM

    This patch works but it doesn’t show any defunct/zombie processes even if you started them. I don’t think that is the correct behavior. So, the state of the process needs to be checked before setting inode->i_mode. So if the process is a zombie, then the mode must be S_IFDIR|S_IRUGO|S_IXUGO regardless of what option was chosen.
    Any ideas?
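To check from userspace whether this kind of hiding is active on a running system, and whether zombies are still visible to the current user (the point raised in the third comment), here is an added example script. It is not the patch from the post and not code from the debian-kernel thread. It assumes the patch hides a process by dropping the group/other bits from the mode of its /proc/<pid> directory (the post only says the patch changes inode->i_mode, and the comment names S_IFDIR|S_IRUGO|S_IXUGO, i.e. 0555, as the unhidden mode), so a hidden process appears as an owner-only directory whose stat file fails with EACCES for other users, which is exactly what makes ps skip it.

```python
"""Audit /proc for per-user process hiding (added example, not the post's patch).

Assumption: a hidden process has an owner-only /proc/<pid> directory (group and
other permission bits cleared), while an unhidden one keeps the usual 0555.
"""
import os
import stat


def is_world_traversable(st_mode):
    """True if any user may enter the directory (the unhidden 0555 case)."""
    return bool(st_mode & stat.S_IXOTH)


def parse_stat_state(stat_line):
    """Return the one-letter state field from a /proc/<pid>/stat line.

    The second field (comm) is parenthesised and may itself contain spaces or
    ')' characters, so the line is split after the *last* ')' rather than on
    whitespace from the start.  'Z' marks a zombie.
    """
    end = stat_line.rfind(")")
    if end < 0:
        raise ValueError("malformed stat line: %r" % stat_line)
    fields = stat_line[end + 1:].split()
    if not fields:
        raise ValueError("no state field in: %r" % stat_line)
    return fields[0]


def audit_proc(proc_root="/proc"):
    """Classify every pid directory under proc_root as seen by the current uid.

    'owner_only' counts directories whose mode lacks the other-execute bit; this
    reveals the patch even when run as root, who can still read every stat file.
    'hidden' counts processes whose stat file is unreadable (EACCES), i.e. what
    an unprivileged user actually loses.  Zombies are counted only among the
    visible processes, since a hidden zombie cannot be told apart from any
    other hidden process.
    """
    result = {"total": 0, "visible": 0, "hidden": 0, "owner_only": 0,
              "zombies_visible": 0, "hidden_pids": []}
    try:
        names = os.listdir(proc_root)
    except OSError:
        return result  # no procfs mounted here; nothing to audit
    for name in names:
        if not name.isdigit():
            continue  # skip self, sys, net, ...
        pid_dir = os.path.join(proc_root, name)
        try:
            st = os.stat(pid_dir)
        except OSError:
            continue  # process exited between listdir() and stat()
        if not stat.S_ISDIR(st.st_mode):
            continue
        try:
            with open(os.path.join(pid_dir, "stat")) as f:
                state = parse_stat_state(f.readline())
        except PermissionError:
            # Directory exists but cannot be entered: this is the hidden case.
            result["total"] += 1
            result["hidden"] += 1
            result["hidden_pids"].append(int(name))
            if not is_world_traversable(st.st_mode):
                result["owner_only"] += 1
            continue
        except OSError:
            continue  # process exited between stat() and open()
        result["total"] += 1
        result["visible"] += 1
        if not is_world_traversable(st.st_mode):
            result["owner_only"] += 1
        if state == "Z":
            result["zombies_visible"] += 1
    return result


if __name__ == "__main__":
    r = audit_proc()
    print("pid dirs: %(total)d, readable: %(visible)d, hidden: %(hidden)d, "
          "owner-only dirs: %(owner_only)d, visible zombies: %(zombies_visible)d"
          % r)
    if r["hidden_pids"]:
        print("hidden pids:", r["hidden_pids"][:20])
```

Run it once as an unprivileged user and once as root: as root, `hidden` stays 0 but `owner_only` shows how many directories the patch has restricted; as a normal user, a zombie you started yourself should still appear in `zombies_visible`, and if it does not, the directory mode is being overridden for zombies, which is the behaviour the third comment describes.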
