Andreas Christoforou2024-11-25T14:35:19+00:00https://chandreas.github.ioAndreas ChristoforouBuilding WebKit2023-11-29T17:05:54+00:00https://chandreas.github.io/2023/11/29/Webkit-build<p><strong>Building WebKit</strong></p>
<p>WebKit is the web browser engine used by Safari, Mail, the App Store, and various other applications on macOS and iOS.</p>
<p>To build WebKit, you must have Xcode installed from the App Store. Then, run the following command in Terminal to install the Xcode Command Line Tools:</p>
<div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>xcode-select <span class="nt">--install</span>
</code></pre></div></div>
<p><strong>Cloning the WebKit Project</strong></p>
<p>Open Terminal on your macOS.
Use the following command to clone the WebKit repository from GitHub:</p>
<div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://github.com/WebKit/WebKit.git WebKit
<span class="nb">cd </span>Webkit
</code></pre></div></div>
<p><strong>Building WebKit</strong></p>
<p>To build WebKit, run the following command in Terminal:</p>
<div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./Tools/Scripts/build-webkit
</code></pre></div></div>
<p><strong>Building WebKit with Debug Flag and ccache</strong></p>
<p>To build WebKit with debugging information and improve recompile times, use the following command in Terminal:</p>
<div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./Tools/Scripts/build-webkit <span class="nt">--debug</span> <span class="nt">--use-ccache</span>
</code></pre></div></div>
<p>The compilation will take about 20 minutes to complete.</p>
<p><strong>Running WebKit in Safari</strong></p>
<div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./Tools/Scripts/run-safari <span class="nt">--debug</span>
</code></pre></div></div>
<p><strong>Running the MiniBrowser</strong></p>
<p>The MiniBrowser is a lightweight tool for testing and debugging your WebKit build. Here’s how to run it:</p>
<div class="language-zsh highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./Tools/Scripts/run-minibrowser <span class="nt">--debug</span>
</code></pre></div></div>
<p>References</p>
<p>https://webkit.org/building-webkit/</p>
Building Chromium for Android2020-01-29T17:32:51+00:00https://chandreas.github.io/2020/01/29/build-chromium-android<p>How to build chromium for Android.</p>
<p><strong>Download Tools</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://chromium.googlesource.com/chromium/tools/depot_tools.git
<span class="nb">export </span><span class="nv">PATH</span><span class="o">=</span><span class="s2">"</span><span class="nv">$PATH</span><span class="s2">:/path/to/depot_tools"</span>
</code></pre></div></div>
<p><strong>Get Chromium Project</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">mkdir</span> ~/chromium <span class="o">&&</span> <span class="nb">cd</span> ~/chromium
fetch <span class="nt">--nohooks</span> android
<span class="nb">cd </span>src
<span class="nb">echo</span> <span class="s2">"target_os = [ 'linux', 'android' ]"</span> <span class="o">>></span> ../.gclient
gclient <span class="nb">sync
</span>build/install-build-deps.sh
gclient runhooks
</code></pre></div></div>
<p>Fetch the latest tags for Android and replace VERSION with the correct value.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git fetch <span class="nt">--tags</span>
git checkout VERSION
gclient <span class="nb">sync</span> <span class="nt">-D</span> <span class="nt">--with_branch_heads</span> <span class="nt">--with_tags</span> <span class="nt">--jobs</span> 32
</code></pre></div></div>
<p><strong>Install dependencies</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>build/install-build-deps.sh
</code></pre></div></div>
<p><strong>Setting up the build</strong></p>
<p>Create args.gn</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">mkdir</span> <span class="nt">-p</span> out/Default
<span class="nb">cat</span> <span class="o"><<</span><span class="no">EOF</span><span class="sh"> > out/Default/args.gn
target_os = "android"
target_cpu = "arm64"
android_channel = "stable"
android_default_version_name = "131.0.6778.39"
android_default_version_code = "677803900"
ext_version_enabled = true
ext_version_increment = "0"
is_component_build = false
is_debug = false
is_official_build = true
symbol_level = 1
disable_fieldtrial_testing_config = true
dfmify_dev_ui = false
ffmpeg_branding = "Chrome"
proprietary_codecs = true
is_cfi = true
use_cfi_cast = true
use_relative_vtables_abi = false
include_both_v8_snapshots = false
enable_vr = false
enable_arcore = false
enable_openxr = false
enable_cardboard = false
enable_remoting = false
enable_reporting = false
</span><span class="no">EOF
</span></code></pre></div></div>
<p>If you want to build the chromium for debugging or to fuzz with libfuzzer change or add the following</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>is_asan <span class="o">=</span> <span class="nb">true
</span>is_hwasan <span class="o">=</span> <span class="nb">true
</span>is_msan <span class="o">=</span> <span class="nb">true
</span>is_lsan <span class="o">=</span> <span class="nb">true
</span>is_tsan <span class="o">=</span> <span class="nb">true
</span>msan_track_origins <span class="o">=</span> 2
is_ubsan_no_recover <span class="o">=</span> <span class="nb">false
</span>is_ubsan_security <span class="o">=</span> <span class="nb">true
</span>is_debug <span class="o">=</span> <span class="nb">true
</span>dcheck_always_on <span class="o">=</span> <span class="nb">true
</span>is_java_debug <span class="o">=</span> <span class="nb">true
</span>is_component_build <span class="o">=</span> <span class="nb">true
</span>use_libfuzzer <span class="o">=</span> <span class="nb">true
</span>use_fuzzilli <span class="o">=</span> <span class="nb">true</span>
</code></pre></div></div>
<p>GN build configuration</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gn gen out/Default
</code></pre></div></div>
<p><strong>Build</strong></p>
<p>The following command is used to build Trichrome for Android minSdkVersion=29.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>autoninja <span class="nt">-C</span> out/Default trichrome_chrome_bundle
</code></pre></div></div>
<p>The following command is used to build Monochrome, which provides both Chromium and the WebView for Android minSdkVersion=26</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>autoninja <span class="nt">-C</span> out/Default monochrome_public_bundle
</code></pre></div></div>
<p>for devices with minSdkVersion=26 and for local development (to avoid building WebView).</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>autoninja <span class="nt">-C</span> out/Default chrome_public_apk
</code></pre></div></div>
<p><strong>Install to Device</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>out/Default/bin/trichrome_chrome_bundle <span class="nb">install</span>
</code></pre></div></div>
<p><strong>Running a test</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>out/Default/bin/trichrome_chrome_bundle launch https://google.com
</code></pre></div></div>
<p><strong>Logging and debugging</strong></p>
<p>You can see the logs with adb logcat when you will install the chrome apk or with</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>out/Default/bin/trichrome_chrome_bundle logcat <span class="o">[</span><span class="nt">-v</span><span class="o">]</span>
</code></pre></div></div>
<p>Debugging Java and c/c++ code</p>
<p>C/C++ Debugger</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>out/Default/bin/trichrome_chrome_bundle gdb
out/Default/bin/trichrome_chrome_bundle lldb
</code></pre></div></div>
<p>Java Debugger</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>out/Default/bin/trichrome_chrome_bundle run <span class="nt">--wait-for-java-debugger</span>
</code></pre></div></div>
<p>Symbolizing Crash Stacks and Tombstones (C++)</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>build/android/tombstones.py <span class="nt">--output-directory</span> out/Default
adb logcat <span class="nt">-d</span> | third_party/android_platform/development/scripts/stack <span class="nt">--output-directory</span> out/Default
</code></pre></div></div>
Memory Tagging2019-04-07T17:30:54+00:00https://chandreas.github.io/2019/04/07/memory-tagging<p><strong>ARM Memory Tagging</strong></p>
<p>Memory tagging is a tag assigned to each memory allocation, so all accesses to memory must be via a pointer with correct tag, if the tag is wrong the Operating System can report it to user or note the process in which occured.</p>
<p>Furthermore memory tagging can be used for debugging in development to detect memory errors.</p>
<p>Allocations are done with align allocations by 16-bytes and choose a 4-bit tag which same tag is set to the corresponding pointer and memory. Deallocations are working with re-tag the memory with a different tag.</p>
<p>Example</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">char</span> <span class="o">*</span><span class="n">p</span> <span class="o">=</span> <span class="n">new</span> <span class="kt">char</span><span class="p">[</span><span class="mi">20</span><span class="p">];</span>
</code></pre></div></div>
<p>20 bytes needs to allocated, memory allocator aligns 32 bytes, 16 bytes will be used for tag granularity, the tag will be on the 4 most significant bits of pointer and memory, so when the attacker will try to dereferencing pointer p at position 32, tag values will not be correct between pointer and memory and overflow will be caught.</p>
<p><strong>Memory Tagging Extension instructions</strong></p>
<p>ARM implementated the memory tagging hardware support with tag size of 4-bit and tag granularity of 16-bytes and they have introduced some of the following new instructions</p>
<p>IRG - Insert Random Tag inserts a random logical address tag into the address in the first source register and writes the result to the destination register.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>IRG Xd|SP , Xn|SP<span class="p">;</span> // irg x0, sp<span class="p">;</span>
</code></pre></div></div>
<p>CMPP - Compare with TAG subtracts the 56-bit address held in the second source register from the 56-bit address held in the first source register, updates the condition flags based on the result of the subtraction, and discards the result.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CMPP <Xn|SP>, <Xm|SP>
</code></pre></div></div>
<p>ADDG - Add with Tag adds an immediate value scaled by the Tag granule to the address in the source register, modifies the Logical Address Tag of the address using an immediate value, and writes the result to the destination register. Tags specified in GCR_EL1 system register.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ADDG <Xd|SP>, <Xn|SP>, <span class="c">#<uimm6>, #<uimm4>; // addg x19, x0, #16, #1</span>
</code></pre></div></div>
<p>STG - Store Allocation Tag stores an Allocation Tag to memory. The address used for the store is calculated from the base register and an immediate signed offset scaled by the Tag granule. The Allocation Tag is calculated from the Logical Address Tag in the source register.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>STG <span class="o">[</span><Xn|SP>], <span class="c">#<simm>; // stg x0, [x0]</span>
</code></pre></div></div>
<p>LDG - Load Allocation Tag loads an Allocation Tag from a memory address, generates a Logical Address Tag from the Allocation Tag and merges it into the destination register. The address used for the load is calculated from the base register and an immediate signed offset scaled by the Tag granule.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>LDG <Xt>, <span class="o">[</span><Xn|SP><span class="o">{</span>, <span class="c">#<simm>}]</span>
</code></pre></div></div>
<p>ST2G - Store Allocation Tags stores an Allocation Tag to two Tag granules of memory. The address used for the store is calculated from the base register and an immediate signed offset scaled by the Tag granule. The Allocation Tag is calculated from the Logical Address Tag in the source register.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ST2G <Xt|SP>, <span class="o">[</span><Xn|SP>], <span class="c">#<simm>; // st2g x8, [sp], #32</span>
</code></pre></div></div>
<p>New System Registers for tagging</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>TCO - Tag Check Override When ARMv8.5-MemTag is implemented, this register allows tag checks to be disabled globally.
TFSRE0_EL1 - Tag Fail Status Register Holds accumulated Tag Check Fails occurring in EL0 which are not taken precisely.
TFSR_EL1 - Tag Fail Status Register Holds accumulated Tag Check Fails occurring in EL1 which are not taken precisely.
TFSR_EL2 - Tag Fail Status Register Holds accumulated Tag Check Fails occurring in EL2 which are not taken precisely.
TFSR_EL3 - Tag Fail Status Register Holds accumulated Tag Check Fails occurring in EL3 which are not taken precisely.
RGSR_EL1 - Random Allocation Tag Seed Register.
GCR_EL1 - Tag Control Register.
</code></pre></div></div>
<p><strong>Compiler Memory Tagging</strong></p>
<p>MTE Example</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>// Compiled with following options <span class="nt">-march</span><span class="o">=</span>armv8.5-a+memtag <span class="nt">-fsanitize</span><span class="o">=</span>memtag
// llvm-objdump <span class="nt">-d</span> <span class="nb">test
</span>0000000100007f04 _main:
100007f04: 7f 23 03 d5 hint <span class="c">#27</span>
100007f08: ff 03 01 d1 sub sp, sp, <span class="c">#64</span>
100007f0c: fd 7b 03 a9 stp x29, x30, <span class="o">[</span>sp, <span class="c">#48]</span>
100007f10: fd c3 00 91 add x29, sp, <span class="c">#48</span>
100007f14: 08 00 00 b0 adrp x8, <span class="c">#4096</span>
100007f18: 08 09 40 f9 ldr x8, <span class="o">[</span>x8, <span class="c">#16]</span>
100007f1c: 08 01 40 f9 ldr x8, <span class="o">[</span>x8]
100007f20: a8 83 1f f8 stur x8, <span class="o">[</span>x29, <span class="c">#-8]</span>
100007f24: 08 00 80 d2 mov x8, <span class="c">#0</span>
100007f28: e8 13 c8 9a <unknown>
100007f2c: 08 01 81 91 <unknown>
100007f30: 08 09 20 d9 <unknown>
100007f34: 09 00 80 52 mov w9, <span class="c">#0</span>
100007f38: 09 01 00 b9 str w9, <span class="o">[</span>x8]
100007f3c: 08 00 00 90 adrp x8, <span class="c">#0</span>
100007f40: 08 d1 3e 91 add x8, x8, <span class="c">#4020</span>
100007f44: ea 03 00 91 mov x10, sp
100007f48: 48 01 00 f9 str x8, <span class="o">[</span>x10]
100007f4c: 00 00 00 90 adrp x0, <span class="c">#0</span>
100007f50: 00 c0 3e 91 add x0, x0, <span class="c">#4016</span>
100007f54: 13 00 00 94 bl <span class="c">#76 <_printf+0x100007fa0></span>
</code></pre></div></div>
<p>If we will check the unknown instructions with llvm machine code we will see the new instructions for Memory tagging</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">echo</span> <span class="s2">"0xE8 0x13 0xC8 0x9A"</span> | llvm-mc <span class="nt">--disassemble</span> <span class="nt">-triple</span><span class="o">=</span>aarch64 <span class="nt">--mattr</span><span class="o">=</span>+mte <span class="nt">-show-encoding</span>
.text
irg x8, sp, x8 // encoding: <span class="o">[</span>0xe8,0x13,0xc8,0x9a]
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">echo</span> <span class="s2">"0x08 0x01 0x81 0x91"</span> | llvm-mc <span class="nt">--disassemble</span> <span class="nt">-triple</span><span class="o">=</span>aarch64 <span class="nt">--mattr</span><span class="o">=</span>+mte <span class="nt">-show-encoding</span>
.text
addg x8, x8, <span class="c">#16, #0 // encoding: [0x08,0x01,0x81,0x91]</span>
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">echo</span> <span class="s2">"0x08 0x09 0x20 0xd9"</span> | llvm-mc <span class="nt">--disassemble</span> <span class="nt">-triple</span><span class="o">=</span>aarch64 <span class="nt">--mattr</span><span class="o">=</span>+mte <span class="nt">-show-encoding</span>
.text
stg x8, <span class="o">[</span>x8] // encoding: <span class="o">[</span>0x08,0x09,0x20,0xd9]
</code></pre></div></div>
<p>References</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://llvm.org/devmtg/2018-10/slides/Serebryany-Stepanov-Tsyrklevich-Memory-Tagging-Slides-LLVM-2018.pdf
https://developer.arm.com/docs/ddi0596/latest/base-instructions-alphabetic-order
http://www.keil.com/support/man/docs/armclang_ref/armclang_ref_lnk1549304794624.htm
https://gcc.gnu.org/gcc-9/changes.html
https://github.com/llvm-mirror/llvm/blob/1338c14d0676434da021911c8824f00425d4895d/test/MC/AArch64/armv8.5a-mte.s
</code></pre></div></div>
Building Android AOSP for board hikey9602019-04-06T19:30:54+00:00https://chandreas.github.io/2019/04/06/aosp-android-reference-board<p><strong>Building AOSP</strong></p>
<p>This instruction will show you how to build AOSP for the Hikey960.</p>
<p><strong>Steps to Fetch AOSP Source:</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">mkdir</span> ~/aosp
repo init <span class="nt">-u</span> https://android.googlesource.com/platform/manifest <span class="nt">-b</span> master
repo <span class="nb">sync</span> <span class="nt">-j</span><span class="sb">`</span><span class="nb">nproc</span><span class="sb">`</span>
</code></pre></div></div>
<p><strong>Set up your build environment</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">source </span>build/envsetup.sh
</code></pre></div></div>
<p><strong>Fetch hikey960 vendor package</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./device/linaro/hikey/fetch-vendor-package.sh
</code></pre></div></div>
<p><strong>Target Selection for Build: hikey960</strong></p>
<p>The following example uses the current AOSP from the master branch for device hikey960. You can select the build variant as follows:</p>
<ol>
<li>user: for production builds</li>
<li>userdebug: for development builds</li>
<li>eng: for development builds with faster build times</li>
</ol>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>lunch hikey960-aosp_current-userdebug
</code></pre></div></div>
<p><em>You can enable hardware AddressSanitizer (ASAN) for memory error detection.</em></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">export </span><span class="nv">SANITIZE_TARGET</span><span class="o">=</span>hwaddress
</code></pre></div></div>
<p><strong>Build AOSP: Start the build process:</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>m <span class="nt">-j</span><span class="sb">`</span><span class="nb">nproc</span><span class="sb">`</span>
</code></pre></div></div>
<p><strong>Flashing all images to the device:</strong></p>
<ol>
<li>
<p>Ensure the Device is in Fastboot Mode: Make sure the board is powered on with Switch 1 and Switch 3 set to ON.</p>
</li>
<li>
<p>Connect the Device: Connect the device to your computer via USB.</p>
</li>
<li>
<p>Open a Terminal: On your host machine, open a terminal window.</p>
</li>
<li>
<p>Verify Fastboot Connection: Run the following command to check if the device is recognised:</p>
</li>
</ol>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>fastboot devices
</code></pre></div></div>
<p><strong>Flash the images:</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>./device/linaro/hikey/installer/hikey960/flash-all.sh
</code></pre></div></div>
<p><strong>Switching to Normal Mode and Connecting via ADB:</strong></p>
<ol>
<li>
<p>Turn off the device.</p>
</li>
<li>
<p>Change Jumper Switch: Set Switch 1 to the ON position and ensure Switch 2 and Switch 3 are set to OFF. This will put the board into normal mode.</p>
</li>
<li>
<p>Wait for the Board to Start: Allow some time for the board to fully boot up.</p>
</li>
<li>
<p>Connect to the Device: Once the board has started, open a terminal on your computer.</p>
</li>
<li>
<p>Execute ADB Shell: Run the following command to connect to the device:</p>
</li>
</ol>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adb shell
</code></pre></div></div>
<p><strong>Installation is Ready: You can now proceed with your setup or configuration as needed.</strong></p>
Introduction to Memory Management2019-04-06T17:30:54+00:00https://chandreas.github.io/2019/04/06/introduction-memory-management<p><strong>MMU</strong></p>
<p>The Memory Management Unit (MMU) is a hardware component which maps physical frames to virtual addresses. The MMU operates on basic units of memory called pages. Page size can be different base the architecture.</p>
<p><strong>Page</strong></p>
<p>Page is a unit of memory sized and aligned at the page size and page frame or frame refers to page size.</p>
<p><strong>Page Table</strong></p>
<p>A page table is the data structure used by a virtual memory system in a operating system to store the mapping between virtual addresses and physical addresses.</p>
<p><strong>Page Faults</strong></p>
<p>When a process accesses a region of memory that is not mapped or the processes has insufficient permissions for the address requested the MMU will generate a page fault exception.</p>
<p><strong>Page allocator</strong></p>
<p>The Linux page allocator is based on a buddy allocator, implemented in <code class="language-plaintext highlighter-rouge">mm/page_alloc.c</code> and tracks the free pages of different orders.</p>
<p><strong>Translation Lookaside Buffer (TLB)</strong></p>
<p>Translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location. It is a part of the chip’s memory-management unit (MMU) and stores the recent translations of virtual memory to physical memory, also can be called an address-translation cache. TLB contains the virtual address, physical address and permissions of the mapping entries, if the the address is in the TLB the MMU will look up the physical resource, if not in TLB the MMU will generate a page fault exception and interrupt the CPU.</p>
<p><strong>Non-Uniform Memory Access Numa</strong></p>
<p>NUMA is used on multiprocessor systems whose memory is divided into multiple memory nodes. The access time of a memory node depends on the relative locations of the accessing CPU and accessed node, which it means that CPU access to memory depends on the distance cost between them. Memory is divided to node and each node is divided to many blocks called zones and a zone contains pages.</p>
<p><strong>Memory Zones</strong></p>
<p>Direct memory access (DMA) is a feature of computer systems that allows certain hardware subsystems to access main system memory (random-access memory), independent of the central processing unit (CPU).
Examples of hardware systems that are using DMA are disk drive controllers, graphics cards, network cards and sound cards.
Linux kernel divides pages into different zones.</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">cat</span> /proc/zoneinfo
</code></pre></div></div>
<p><code class="language-plaintext highlighter-rouge">ZONE_DMA</code> - This zone contains pages that can undergo DMA</p>
<p><code class="language-plaintext highlighter-rouge">ZONE_DMA32</code> - Like <code class="language-plaintext highlighter-rouge">ZOME_DMA</code>, this zone contains pages that can undergo DMA. Unlike <code class="language-plaintext highlighter-rouge">ZONE_DMA</code>, these pages are accessible only by 32-bit devices. On some architectures, this zone is a larger subset of memory.</p>
<p><code class="language-plaintext highlighter-rouge">ZONE_NORMAL</code> - This zone contains normal, regularly mapped, pages.</p>
<p><strong>Linux Kernel Memory Management APIs</strong></p>
<p><strong>kmalloc()</strong></p>
<p>Kmalloc function is similar with userspace <code class="language-plaintext highlighter-rouge">malloc()</code> with the exception of the additional flag parameters. The <code class="language-plaintext highlighter-rouge">kmalloc()</code> function is a simple interface for obtaining kernel memory in byte-sized chunk and guarantees that the pages are physically contiguous (and virtually contiguous).</p>
<p>Further similar to calloc on userspace is <strong>kzalloc</strong> where is setting the memory with zero.</p>
<p>Example</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">p</span> <span class="o">=</span> <span class="n">kmalloc</span><span class="p">(</span><span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">example</span><span class="p">),</span> <span class="n">GFP_KERNEL</span><span class="p">);</span>
</code></pre></div></div>
<p><strong>gfp_t flags</strong></p>
<p>The flags are broken up into three categories: <code class="language-plaintext highlighter-rouge">action modifiers</code>, <code class="language-plaintext highlighter-rouge">zone modifiers</code>, and <code class="language-plaintext highlighter-rouge">types</code>. Action modifiers specify how the kernel is supposed to allocate the requested memory. Zone modifiers specify from which memory zone the allocation should originate and the type flags specify the required action and zone modifiers to fulfill a particular type of transaction.</p>
<p>Usual usage of flags</p>
<p>Process context which can sleep - <code class="language-plaintext highlighter-rouge">GFP_KERNEL</code></p>
<p>Process context which cannot sleep - <code class="language-plaintext highlighter-rouge">GFP_ATOMIC</code></p>
<p>Interrupt handler - <code class="language-plaintext highlighter-rouge">GFP_ATOMIC</code></p>
<p>Softirq - <code class="language-plaintext highlighter-rouge">GFP_ATOMIC</code></p>
<p>Tasklet - <code class="language-plaintext highlighter-rouge">GFP_ATOMIC</code></p>
<p>DMA-able memory which can sleep - (<code class="language-plaintext highlighter-rouge">GFP_DMA | GFP_KERNEL</code>)</p>
<p>DMA-able memory which cannot sleep - (<code class="language-plaintext highlighter-rouge">GFP_DMA | GFP_ATOMIC</code>)</p>
<p><em>The <code class="language-plaintext highlighter-rouge">GFP_DMA</code> flag is used to specify that the allocator must satisfy the request from <code class="language-plaintext highlighter-rouge">ZONE_DMA</code>. This flag is used by device drivers, which need DMA-able memory for their devices, normally, you combine this flag with the <code class="language-plaintext highlighter-rouge">GFP_ATOMIC</code> or <code class="language-plaintext highlighter-rouge">GFP_KERNEL</code> flag.</em></p>
<p><strong>kfree</strong></p>
<p>The kfree() method frees a block of memory previously allocated with kmalloc() similar with free that we can find in userland.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">kfree</span><span class="p">(</span><span class="n">p</span><span class="p">);</span>
</code></pre></div></div>
<p><strong>vmalloc</strong></p>
<p>The vmalloc() function is similar to kmalloc(), except it allocates memory that is only virtually contiguous and not physically contiguous. The vmalloc() function ensures only that the pages are contiguous within the virtual address space and it does this by allocating potentially noncontinuous chunks of physical memory and “fixing up” the page tables to map the memory into a contiguous chunk of the logical address space.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">p</span> <span class="o">=</span> <span class="n">vmalloc</span><span class="p">(</span><span class="mi">16</span> <span class="o">*</span> <span class="n">PAGE_SIZE</span><span class="p">);</span>
</code></pre></div></div>
<p>and free with</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="n">vfree</span><span class="p">(</span><span class="n">p</span><span class="p">);</span>
</code></pre></div></div>
<p><strong>Slab Allocator</strong></p>
<p>The slab allocator is an abstraction layer to make easier allocation of numerous objects of a same type.
The basic idea behind the slab allocator is to have caches of commonly used objects kept in an initialized state available for use by the kernel. The Linux kernel has three main different memory allocators: SLAB, SLUB, and SLOB. The slab layer acts as a generic data structure-caching layer. In this sense, the free list acts as an object cache, caching a frequently used type of object.</p>
<p>Slab usage</p>
<p><code class="language-plaintext highlighter-rouge">kmem_cache_create</code> use arguments such as name, size, flags and ctor (constructor function to call when new objects are added to the cache) to create the cache</p>
<p>The following flags can be used for <code class="language-plaintext highlighter-rouge">kmem_cache_create</code></p>
<p><code class="language-plaintext highlighter-rouge">SLAB_NO_REAP</code> - slab layer will reap objects in the cache when memory is low</p>
<p><code class="language-plaintext highlighter-rouge">SLAB_HWCACHE_ALIGN</code> - align each object within a slab to different cache lines</p>
<p><code class="language-plaintext highlighter-rouge">SLAB_MUST_HWCACHE_ALIGN</code> - debugging purpose</p>
<p><code class="language-plaintext highlighter-rouge">SLAB_POISON</code> - fill memory with 0xa5a5a5a5, useful for catching access to uninitialized memory</p>
<p><code class="language-plaintext highlighter-rouge">SLAB_RED_ZONE</code> - insert “red zone” around the allocated memory to detect buffer overruns</p>
<p><code class="language-plaintext highlighter-rouge">SLAB_PANIC</code> - make slab panic() if allocation fails</p>
<p><code class="language-plaintext highlighter-rouge">SLAB_CACHE_DMA</code> - memory allocated from the slab must come from ZONE_DMA</p>
<p>Example of <em>kmem_cache_create</em></p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="k">struct</span> <span class="n">kmem_cache</span> <span class="o">*</span><span class="nf">kmem_cache_create</span><span class="p">(</span><span class="k">const</span> <span class="kt">char</span> <span class="o">*</span><span class="n">name</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">size</span><span class="p">,</span> <span class="kt">unsigned</span> <span class="kt">int</span> <span class="n">align</span><span class="p">,</span><span class="n">slab_flags_t</span> <span class="n">flags</span><span class="p">,</span> <span class="kt">void</span> <span class="p">(</span><span class="o">*</span><span class="n">ctor</span><span class="p">)(</span><span class="kt">void</span> <span class="o">*</span><span class="p">));</span>
<span class="n">p_cache</span> <span class="o">=</span> <span class="n">kmem_cache_create</span><span class="p">(</span><span class="s">"Example cache"</span><span class="p">,</span><span class="k">sizeof</span><span class="p">(</span><span class="k">struct</span> <span class="n">example</span><span class="p">),</span><span class="mi">0</span><span class="p">,</span><span class="n">SLAB_HWCACHE_ALIGN</span><span class="p">,</span><span class="n">NULL_NULL</span><span class="p">);</span>
</code></pre></div></div>
<p>Once a cache of objects is created, you can allocate objects from it by calling kmem_cache_alloc</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="o">*</span><span class="nf">kmem_cache_alloc</span> <span class="p">(</span><span class="k">struct</span> <span class="n">kmem_cache</span> <span class="o">*</span> <span class="n">cachep</span><span class="p">,</span> <span class="n">gfp_t</span> <span class="n">flags</span><span class="p">);</span>
<span class="n">p</span> <span class="o">=</span> <span class="n">kmem_cache_alloc</span><span class="p">(</span><span class="n">p_cache</span><span class="p">,</span><span class="n">GFP_KERNEL</span><span class="p">);</span>
</code></pre></div></div>
<p>Deallocate an object</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">kmem_cache_free</span><span class="p">(</span><span class="k">struct</span> <span class="n">kmem_cache</span> <span class="o">*</span><span class="n">cachep</span><span class="p">,</span> <span class="kt">void</span> <span class="o">*</span><span class="n">obj</span><span class="p">);</span>
<span class="n">kmem_cache_free</span><span class="p">(</span><span class="n">p_cache</span><span class="p">,</span> <span class="n">p</span><span class="p">);</span>
</code></pre></div></div>
<p>Finally, at module unload time, we have to return the cache to the system:</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">void</span> <span class="nf">kmem_cache_destroy</span><span class="p">(</span><span class="k">struct</span> <span class="n">kmem_cache</span> <span class="o">*</span><span class="n">s</span><span class="p">)</span>
<span class="n">kmem_cache_destroy</span><span class="p">(</span><span class="n">p_cache</span><span class="p">);</span>
</code></pre></div></div>
<p>Use ksize To find the actual amount of memory allocated for an object</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="kt">size_t</span> <span class="nf">ksize</span><span class="p">(</span><span class="k">const</span> <span class="kt">void</span> <span class="o">*</span><span class="n">objp</span><span class="p">);</span>
</code></pre></div></div>
<p>Further you can see the kernel slab cache information in real time with slabtop</p>
<p>References</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://www.kernel.org/doc/htmldocs/kernel-api/mm.html
https://elixir.bootlin.com/linux/v5.1-rc5/source/kernel/sched/core.c#L2837
http://makelinux.net/ldd3/chp-8-sect-2.shtml
</code></pre></div></div>
Introduction to AArch64 Architecture2019-01-29T17:31:51+00:00https://chandreas.github.io/2019/01/29/introduction-aarch64<p><strong>ARM</strong></p>
<p>ARM is a family of Reduced Instruction Set Computer (RISC) architectures for computer processors that has become the predominant CPU for smartphones.</p>
<p><strong>ARM Architecture</strong></p>
<p>Cortex-A Highest performance Optimized for rich operating systems
Application profiles implement a traditional ARM architecture with multiple modes and support a virtual memory system architecture based on an MMU(Memory management Unit). Cortex-A processors provide a range of solutions for devices that make use of a rich operating system such as Linux or Android.</p>
<p>Cortex-R Fast response Optimized for high-performance, hard real-time applications.
Real-time profiles implement a traditional ARM architecture with multiple modes and support a protected memory system architecture based on MPU(Memory protection Unit). The Cortex-R processors target high-performance real-time applications such as hard disk controllers.</p>
<p>Cortex-M Smallest/lowest power Optimized for discrete processing and micro-controller.
Micro-controller profiles implement a programmers’ model designed for fast interrupt processing, with hardware stacking of registers and support for writing interrupt handlers in high-level languages. The processor is designed for integration into an FPGA and is ideal for use in very low power applications.</p>
<p>The latest ARM architecture, ARMv8, introduces 64-bit capability alongside the existing 32-bit mode.</p>
<p>ARMv8 has two execution modes A64 – 64-bit registers and memory accesses, new instruction set A32 (optional) – backwards compatible with ARMv7-A.</p>
<p><strong>AArch64 Privilege model</strong></p>
<p>There are 4 Privilege levels: EL3 – highest, EL0 – lowest</p>
<p>In ARMv8, the four privilege levels extend this to provide support for virtualization and security</p>
<p>EL0 - This is unprivileged and is used for User-land Applications.</p>
<p>EL1 - This is privileged and is used for running an OS Kernel like Linux.</p>
<p>EL2 - This has a higher level of privilege and can be used to run a hypervisor.</p>
<p>EL3 - This is the highest level of privilege and is used to control (and protect) access to TrustZone.</p>
<p>ARMv8-A provides two security states, Secure and Non-secure. The Non-secure state is also referred to as the Normal World. This enables an Operating System (OS) to run in parallel with a trusted OS on the same hardware, and provides protection against certain software attacks and hardware attacks.
EL3 is always Secure, EL2 is always Non-Secure and EL0/1 can be Secure or Non-Secure</p>
<p>ARM TrustZone technology enables the system to be partitioned between the Normal and Secure worlds.</p>
<p><strong>TrustZone</strong></p>
<p>A Trusted Execution Environment (TEE) is a secure area inside a main processor, it runs in parallel of the operating system, in an isolated environment, and it guarantees that the code and data loaded in the TEE are protected.</p>
<p><strong>AArch64 Registers</strong></p>
<p>General purpose Registers</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Wn 32-bits General purpose registers 0-31
Xn 64-bits General purpose registers 0-31
WZR 32-bits Zero register (Reads as 0, writes are ignored, a way to ignore results)
XZR 64-bits Zero register (Reads as 0, writes are ignored, a way to ignore results)
SP 64-bits Stack pointer
X0 – X7 arguments and return value
X8 – X18 temporary registers caller-saved
X19 – X28 callee-saved registers
X29 frame pointer
X30 link register
SP stack pointer
</code></pre></div></div>
<p>There are separate link registers for function calls and exceptions</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>X30 – Updated by branch with link instructions (BL & BLR)
Use RET instruction to return from sub-routines
ELR_ELn – Updated on exception entry
Use ERET instruction to return from exceptions
</code></pre></div></div>
<p>Each exception level has its own stack pointer <code class="language-plaintext highlighter-rouge">SP_EL0</code>, <code class="language-plaintext highlighter-rouge">SP_EL1</code>, <code class="language-plaintext highlighter-rouge">SP_EL2</code> and <code class="language-plaintext highlighter-rouge">SP_EL3</code></p>
<p><strong>Floating point/SIMD registers</strong></p>
<p>32 bit float registers</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>S0-S7 arguments and return value
S8-S15 Callee saved register
S16-S15 Corruptible registers
S24-S31 Corruptible registers
</code></pre></div></div>
<p>64 bit SIMD registers</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>D0-D7 arguments and return value
D8-D15 Callee saved register
D16-D15 Corruptible registers
D24-D31 Corruptible registers
</code></pre></div></div>
<p>128 bit SIMD registers</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>V0-V7 arguments and return value
V8-V15 Callee saved register
V16-V15 Corruptible registers
V24-V31 Corruptible registers
</code></pre></div></div>
<p><strong>The PC (program counter) is not a general purpose register, and cannot be directly accessed by most instructions.</strong></p>
<p>You can use ADR to get the the address of a PC relative offset</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>adr x0 label
</code></pre></div></div>
<p><strong>AArch64 Exceptions</strong></p>
<p>ARMv8-A exceptions interrupt the processor and change the control flow of the program.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>SVC Supervisor Call attempts to access EL1 from EL0. SVC that generates a supervisor call, which are are normally used to request privileged operations or access to system resources from an operating system.
HVC Hypervisor Call attempts to access EL2
SMC Secure Monitor Call attempts to access EL3
HLT Halting software breakpoint Instruction
BRK software breakpoint instruction
</code></pre></div></div>
<p><strong>Exception handling in ARMv8</strong></p>
<p>In ARMv8, a new exception model has been introduced which defines the concept of exception levels.
When an exception occurs, the processor branches to an exception vector table and runs the corresponding handler. In ARMv8, each exception level has its own exception vector table.</p>
<table>
<thead>
<tr>
<th>Offset from VBAR_EL1</th>
<th>Exception type</th>
<th>Exception set level</th>
</tr>
</thead>
<tbody>
<tr>
<td>+0x000</td>
<td>Synchronous</td>
<td>Current EL with SP0</td>
</tr>
<tr>
<td>+0x080</td>
<td>IRQ/vIRQ</td>
<td>”</td>
</tr>
<tr>
<td>+0x100</td>
<td>FIQ/vFIQ</td>
<td>”</td>
</tr>
<tr>
<td>+0x180</td>
<td>SError/vSError</td>
<td>”</td>
</tr>
<tr>
<td>+0x200</td>
<td>Synchronous</td>
<td>Current EL with SPx</td>
</tr>
<tr>
<td>+0x280</td>
<td>IRQ/vIRQ</td>
<td>”</td>
</tr>
<tr>
<td>+0x300</td>
<td>FIQ/vFIQ</td>
<td>”</td>
</tr>
<tr>
<td>+0x380</td>
<td>SError/vSError</td>
<td>”</td>
</tr>
<tr>
<td>+0x400</td>
<td>Synchronous</td>
<td>Lower EL using ARM64</td>
</tr>
<tr>
<td>+0x480</td>
<td>IRQ/vIRQ</td>
<td>”</td>
</tr>
<tr>
<td>+0x500</td>
<td>FIQ/vFIQ</td>
<td>”</td>
</tr>
<tr>
<td>+0x580</td>
<td>SError/vSError</td>
<td>”</td>
</tr>
<tr>
<td>+0x600</td>
<td>Synchronous</td>
<td>Lower EL with ARM32</td>
</tr>
<tr>
<td>+0x680</td>
<td>IRQ/vIRQ</td>
<td>”</td>
</tr>
<tr>
<td>+0x700</td>
<td>FIQ/vFIQ</td>
<td>”</td>
</tr>
<tr>
<td>+0x780</td>
<td>SError/vSError</td>
<td>”</td>
</tr>
</tbody>
</table>
<p>Example on Linux Kernel el1_sync</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>el1_sync:
kernel_entry 1
mrs x1, esr_el1 // read the syndrome register
lsr x24, x1, #ESR_ELx_EC_SHIFT // exception class
cmp x24, #ESR_ELx_EC_DABT_CUR // data abort in EL1
b.eq el1_da
cmp x24, #ESR_ELx_EC_IABT_CUR // instruction abort in EL1
b.eq el1_ia
cmp x24, #ESR_ELx_EC_SYS64 // configurable trap
b.eq el1_undef
cmp x24, #ESR_ELx_EC_SP_ALIGN // stack alignment exception
b.eq el1_sp_pc
cmp x24, #ESR_ELx_EC_PC_ALIGN // pc alignment exception
b.eq el1_sp_pc
cmp x24, #ESR_ELx_EC_UNKNOWN // unknown exception in EL1
b.eq el1_undef
cmp x24, #ESR_ELx_EC_BREAKPT_CUR // debug exception in EL1
b.ge el1_dbg
b el1_inv
</code></pre></div></div>
<p><strong>AArch64 Instructions</strong></p>
<p>Data first loaded into registers, modified, and then stored back in memory or simply discarded once it’s no longer required.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>[instr] [cond] [dest] [src] [operand]
</code></pre></div></div>
<p>Basic instructions</p>
<p>add - arithmetic instrictions</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>add w2,w1,#3; w2 = w1 + 3
</code></pre></div></div>
<p>mov - copies one register to another or load a value to a register</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mov x0, x1; copies x1 into x0
mov x0, #5; move 5 to x0 register
</code></pre></div></div>
<p>str/ldr - store and load register</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>str x0, [x1]; stores X0 to memory addressed pointed by x1.
ldr x0, [x1]; loads from memory addressed pointed by x1 to X0
</code></pre></div></div>
<p>stp/ldp - store and load pair of register</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>stp x1, x2, [sp];store x1 at sp and x2 at sp+8
ldp x29, x30, [sp]; load x29 and x30 from stack
</code></pre></div></div>
<p>bl/blr - Branch link to register, jumps to a subroutine and stores the return address to x30 link register</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>blr x0; calls the subroutine at the address stored in x0
</code></pre></div></div>
<p>b/br - Branch to a register jumps to an address.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>br x0; jump to the address stored in x0
</code></pre></div></div>
<p>ret - it looks for the return address in the x30 register and jumps there.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ret
</code></pre></div></div>
<p>No load/store multiple instructions.</p>
<p>Conditional select</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CSEL x2, x4, x5 ;cond implements x2 = if cond then x4 else x5
You can define CMOV x1, x2 with new condition CSEL x1, x2, x1, cond
</code></pre></div></div>
<p>No direct access to CPSR register but with System instruction MRS,MSR</p>
<p>AArch64 system configuration is controlled through system registers</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>TTBR0_EL1 – can be accessed from EL1, EL2 and EL3
TTBR0_EL2 – can be accessed from EL2 and EL3
</code></pre></div></div>
<p>Accessed using MSR and MRS instructions</p>
<p>MSR - Move System register to general-purpose register</p>
<p>MRS - Move general-purpose register to System register</p>
<p>Example</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>MRS x0, TTBR0_EL1 ; Move TTBR0_EL1 into x0
MSR TTBR0_EL1, x0 ; Move x0 into TTBR0_EL1
</code></pre></div></div>
<p>You can find more instructions on the following PDF</p>
<p><a href="https://courses.cs.washington.edu/courses/cse469/18wi/Materials/arm64.pdf">ARMv8 A64 Quick Reference</a></p>
<p><strong>AArch64 MMU</strong></p>
<p>The AArch64 MMU is used to convert from virtual address to physical address and setting the memory attributes, such as access permissions that include read and write permissions for different privilege levels, memory type, and cache policies.</p>
<p>AArch64 Linux uses either 3 levels or 4 levels of translation table with the 4KB page configuration, allowing 39-bit (512GB) or 48-bit (256TB) virtual addresses, respectively, for both user and kernel. With 64KB pages, only 2 levels of translation tables, allowing 42-bit (4TB) virtual address, are used but the memory layout is the same. User addresses have bits 63:48 set to 0 while the kernel addresses have the same bits set to 1. Upper 8 bits of the address can be configured for Tagged Pointers.</p>
<p>Further separate TTBR register for user and kernel TTBRx selection is given by bit 63 of the virtual address.</p>
<p><strong>Translation Lookaside Buffer (TLB)</strong></p>
<p>A translation lookaside buffer (TLB) is a memory cache that is used to reduce the time taken to access a user memory location. It is a part of the chip’s memory-management unit (MMU). The TLB stores the recent translations of virtual memory to physical memory and can be called an address-translation cache.</p>
DoH/DoT DNS Server2019-01-29T17:30:54+00:00https://chandreas.github.io/2019/01/29/unbound-privdns<p>How to create your own DoH/DoT DNS Server running on Docker.</p>
<p><strong>Download and install Docker</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get update
<span class="k">for </span>pkg <span class="k">in </span>docker.io docker-doc docker-compose docker-compose-v2 podman-docker containerd runc<span class="p">;</span> <span class="k">do </span><span class="nb">sudo </span>apt-get remove <span class="nv">$pkg</span><span class="p">;</span> <span class="k">done
</span><span class="nb">sudo </span>apt-get <span class="nb">install </span>ca-certificates curl
<span class="nb">sudo install</span> <span class="nt">-m</span> 0755 <span class="nt">-d</span> /etc/apt/keyrings
<span class="nb">sudo </span>curl <span class="nt">-fsSL</span> https://download.docker.com/linux/ubuntu/gpg <span class="nt">-o</span> /etc/apt/keyrings/docker.asc
<span class="nb">sudo chmod </span>a+r /etc/apt/keyrings/docker.asc
<span class="nb">echo</span> <span class="s2">"deb [arch=</span><span class="si">$(</span>dpkg <span class="nt">--print-architecture</span><span class="si">)</span><span class="s2"> signed-by=/etc/apt/keyrings/docker.asc] https://download.docker.com/linux/ubuntu </span><span class="se">\</span><span class="s2">
</span><span class="si">$(</span><span class="nb">.</span> /etc/os-release <span class="o">&&</span> <span class="nb">echo</span> <span class="s2">"</span><span class="nv">$VERSION_CODENAME</span><span class="s2">"</span><span class="si">)</span><span class="s2"> stable"</span> | <span class="se">\</span>
<span class="nb">sudo tee</span> /etc/apt/sources.list.d/docker.list <span class="o">></span> /dev/null
<span class="nb">sudo </span>apt-get update
<span class="nb">sudo </span>apt-get <span class="nb">install </span>docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin docker-compose
</code></pre></div></div>
<p><strong>Create Let’s Encrypt Certificate</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>apt-get update
<span class="nb">sudo </span>apt-get <span class="nt">-y</span> <span class="nb">install </span>certbot
<span class="nb">sudo </span>certbot certonly <span class="nt">--no-eff-emai</span> <span class="nt">--agree-tos</span> <span class="nt">--email</span> <your email> <span class="nt">--standalone</span> <span class="nt">--non-interactive</span> <span class="nt">--domain</span> <your domain>
<span class="nb">cp</span> /etc/letsencrypt/live/<your domain>/privkey.pem <span class="nb">.</span>
<span class="nb">cp</span> /etc/letsencrypt/live/<your domain>/fullchain.pem <span class="nb">.</span>
</code></pre></div></div>
<p><strong>Unbound Configuration</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vim unbound.conf
</code></pre></div></div>
<p>Inside, paste the following script:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>server:
username: <span class="s2">"unbound"</span>
<span class="nb">chroot</span>: <span class="s2">"/etc/unbound"</span>
directory: /etc/unbound/
pidfile: <span class="s2">"/var/run/unbound.pid"</span>
logfile: <span class="s2">"/var/log/unbound.log"</span>
log-local-actions: <span class="nb">yes
</span>log-queries: <span class="nb">yes
</span>log-replies: <span class="nb">yes
</span>log-servfail: <span class="nb">yes
</span>verbosity: 1
log-queries: <span class="nb">yes
</span>num-threads: 4
so-rcvbuf: 2m
verbosity: 2
interface: 0.0.0.0@443
<span class="k">do</span><span class="nt">-ip4</span>: <span class="nb">yes
</span><span class="k">do</span><span class="nt">-tcp</span>: <span class="nb">yes
</span><span class="k">do</span><span class="nt">-ip6</span>: <span class="nb">yes
</span>access-control: 0.0.0.0/0 allow
tls-service-key: <span class="s2">"/etc/unbound/privkey.pem"</span>
tls-service-pem: <span class="s2">"/etc/unbound/fullchain.pem"</span>
minimal-responses: <span class="nb">yes
</span>cache-min-ttl: 0
cache-max-ttl: 86400
hide-identity: <span class="nb">yes
</span>hide-version: <span class="nb">yes
</span>hide-trustanchor: <span class="nb">yes
</span>minimal-responses: <span class="nb">yes
</span>prefetch: <span class="nb">yes
</span>prefetch-key: <span class="nb">yes
</span>qname-minimisation: <span class="nb">yes
</span>incoming-num-tcp: 4096
ratelimit: 1000
num-queries-per-thread: 4096
rrset-roundrobin: <span class="nb">yes
</span>use-caps-for-id: <span class="nb">yes
</span>aggressive-nsec: <span class="nb">yes
</span>edns-buffer-size: 1472
harden-glue: <span class="nb">yes
</span>harden-short-bufsize: <span class="nb">yes
</span>harden-large-queries: <span class="nb">yes
</span>harden-algo-downgrade: <span class="nb">yes
</span>harden-dnssec-stripped: <span class="nb">yes
</span>harden-below-nxdomain: <span class="nb">yes
</span>harden-referral-path: <span class="nb">yes
</span><span class="k">do</span><span class="nt">-not-query-localhost</span>: no
statistics-cumulative: <span class="nb">yes
</span>extended-statistics: <span class="nb">yes
</span>val-clean-additional: <span class="nb">yes
</span>ip-dscp: 18
private-address: 10.0.0.0/8
private-address: 172.16.0.0/12
private-address: 192.168.0.0/16
private-address: fd00::/8
private-address: 169.254.0.0/16
private-address: fe80::/10
private-address: 127.0.0.0/8
private-address: ::1/128
private-address: ::ffff:0:0/96
forward-zone:
name: <span class="s2">"."</span>
forward-tls-upstream: <span class="nb">yes
</span>forward-no-cache: no
forward-addr: 8.8.8.8@853
forward-addr: 8.8.4.4@853
forward-addr: 1.1.1.1@853
forward-addr: 1.0.0.1@853
forward-addr: 9.9.9.9@853
remote-control:
control-enable: no
</code></pre></div></div>
<p><strong>CMD Script</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vim unbound.sh
</code></pre></div></div>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="c">#!/bin/bash</span>
/usr/sbin/unbound <span class="nt">-d</span> <span class="nt">-c</span> /etc/unbound/unbound.conf
</code></pre></div></div>
<p><strong>Dockerfile</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vim Dockerfile
</code></pre></div></div>
<p>Inside, paste the following script:</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>FROM ubuntu:24.04
ENV <span class="nv">DEBIAN_FRONTEND</span><span class="o">=</span>noninteractive
ENV <span class="nv">UNBOUND_VERSION</span><span class="o">=</span>1.22.0
ENV <span class="nv">UNBOUND_SHA256</span><span class="o">=</span>c5dd1bdef5d5685b2cedb749158dd152c52d44f65529a34ac15cd88d4b1b3d43
SHELL <span class="o">[</span><span class="s2">"/bin/bash"</span>, <span class="s2">"-o"</span>, <span class="s2">"pipefail"</span>, <span class="s2">"-c"</span><span class="o">]</span>
RUN <span class="nb">set</span> <span class="nt">-x</span> <span class="se">\</span>
<span class="o">&&</span> apt update <span class="se">\</span>
<span class="o">&&</span> apt <span class="nt">-y</span> upgrade <span class="se">\</span>
<span class="o">&&</span> apt <span class="nt">-y</span> <span class="nb">install </span>build-essential net-tools libnghttp2-dev libssl-dev libexpat-dev libsodium-dev libevent-dev openssl wget knot-dnsutils <span class="se">\</span>
<span class="o">&&</span> groupadd <span class="nt">-g</span> 88 unbound <span class="se">\</span>
<span class="o">&&</span> useradd <span class="nt">-c</span> <span class="s2">"Unbound DNS resolver"</span> <span class="nt">-d</span> /var/lib/unbound <span class="nt">-u</span> 88 <span class="nt">-g</span> unbound <span class="nt">-s</span> /bin/false unbound <span class="se">\</span>
<span class="o">&&</span> wget http://www.unbound.net/downloads/unbound-<span class="k">${</span><span class="nv">UNBOUND_VERSION</span><span class="k">}</span>.tar.gz <span class="se">\</span>
<span class="o">&&</span> <span class="nb">echo</span> <span class="s2">"</span><span class="k">${</span><span class="nv">UNBOUND_SHA256</span><span class="k">}</span><span class="s2"> unbound-</span><span class="k">${</span><span class="nv">UNBOUND_VERSION</span><span class="k">}</span><span class="s2">"</span>.tar.gz | <span class="nb">sha256sum</span> <span class="nt">--check</span> <span class="se">\</span>
<span class="o">&&</span> <span class="nb">tar</span> <span class="nt">-xvf</span> unbound<span class="k">*</span> <span class="se">\</span>
<span class="o">&&</span> <span class="nb">cd </span>unbound-1.<span class="k">*</span>/ <span class="se">\</span>
<span class="o">&&</span> ./configure <span class="nt">--with-libnghttp2</span> <span class="nt">--with-libevent</span> <span class="nt">--enable-dnscrypt</span> <span class="nt">--prefix</span><span class="o">=</span>/usr <span class="nt">--sysconfdir</span><span class="o">=</span>/etc <span class="nt">--disable-static</span> <span class="nt">--with-pidfile</span><span class="o">=</span>/run/unbound.pid <span class="se">\</span>
<span class="o">&&</span> make <span class="se">\</span>
<span class="o">&&</span> make <span class="nb">install</span> <span class="se">\</span>
<span class="o">&&</span> <span class="nb">mv</span> <span class="nt">-v</span> /usr/sbin/unbound-host /usr/bin/ <span class="se">\</span>
<span class="o">&&</span> unbound-anchor /etc/unbound/root.key <span class="p">;</span> <span class="nb">true</span><span class="se">\</span>
<span class="o">&&</span> unbound-control-setup <span class="se">\</span>
<span class="o">&&</span> unbound-checkconf <span class="se">\</span>
<span class="o">&&</span> wget https://www.internic.net/domain/named.root <span class="nt">-qO-</span> | <span class="nb">tee</span> /etc/unbound/root.hints <span class="se">\</span>
<span class="o">&&</span> <span class="nb">rm</span> <span class="nt">-rf</span> /unbound-<span class="k">${</span><span class="nv">UNBOUND_VERSION</span><span class="k">}</span>.tar.gz <span class="se">\</span>
<span class="o">&&</span> <span class="nb">rm</span> <span class="nt">-rf</span> unbound-<span class="k">*</span> <span class="se">\</span>
<span class="o">&&</span> <span class="nb">rm</span> <span class="nt">-rf</span> /var/lib/apt/lists/<span class="k">*</span> <span class="se">\</span>
<span class="o">&&</span> apt-get clean
COPY ./unbound.conf /etc/unbound/unbound.conf
COPY ./privkey.pem /etc/unbound/privkey.pem
COPY ./fullchain.pem /etc/unbound/fullchain.pem
COPY ./unbound.sh /unbound.sh
WORKDIR /etc/unbound/
EXPOSE 443
HEALTHCHECK CMD netstat <span class="nt">-an</span> | <span class="nb">grep </span>443 <span class="o">></span> /dev/null<span class="p">;</span> <span class="k">if</span> <span class="o">[</span> 0 <span class="o">!=</span> <span class="nv">$?</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">exit </span>1<span class="p">;</span> <span class="k">fi</span><span class="p">;</span>
CMD <span class="o">[</span><span class="s2">"/unbound.sh"</span><span class="o">]</span>
</code></pre></div></div>
<p><strong>Build Image</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker build <span class="nt">-t</span> unbound-tls:1.22.0 <span class="nb">.</span>
</code></pre></div></div>
<p><strong>Docker Compose</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vim docker-compose.yml
</code></pre></div></div>
<p>Inside, paste the following script:</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">services</span><span class="pi">:</span>
<span class="na">unbound-tls</span><span class="pi">:</span>
<span class="na">image</span><span class="pi">:</span> <span class="s">unbound-tls:1.22.0</span>
<span class="na">container_name</span><span class="pi">:</span> <span class="s">unbound-tls</span>
<span class="na">restart</span><span class="pi">:</span> <span class="s">always</span>
<span class="na">ports</span><span class="pi">:</span>
<span class="pi">-</span> <span class="s2">"</span><span class="s">443:443"</span>
</code></pre></div></div>
<p><strong>Run image</strong></p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker compose up <span class="nt">-d</span>
</code></pre></div></div>
Android Emulator Kernel Debugging2019-01-28T17:40:51+00:00https://chandreas.github.io/2019/01/28/android-kernel-debugging<p><strong>Android Emulator Kernel Debugging</strong></p>
<p>Download and compile kernel</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://android.googlesource.com/kernel/goldfish
cd goldfish
git checkout android-goldfish-4.4-dev
wget https://raw.githubusercontent.com/ChAndreas/linux-config/master/config-goldfish-android
mv config-goldfish-android .config
make oldconfig
make -j64
</code></pre></div></div>
<p>Create emulator image</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>avdmanager create avd -n test-emulator -k "system-images;android-28;google_apis;x86_64"
</code></pre></div></div>
<p>Start the emulator with our compiled kernel</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>emulator \
-verbose \
-show-kernel \
-debug init \
-avd test-emulator \
-kernel ~/goldfish/arch/x86_64/boot/bzImage \
-qemu \
-s
</code></pre></div></div>
<p>Add the following line to .gdbinit</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>vim ~/.gdbinit
add-auto-load-safe-path <path>/goldfish/scripts/gdb/vmlinux-gdb.py
</code></pre></div></div>
<p>Run gdb and attach to emulator.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb -q ./vmlinux
(gdb) target remote :1234
</code></pre></div></div>
<p><strong>Examples of using the Linux-provided gdb helpers</strong></p>
<p>Load symbols for all modules and vmlinux.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>lx-symbols
</code></pre></div></div>
<p>Display kernel log.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>lx-dmesg
</code></pre></div></div>
<p>List of loaded Modules.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>lx-lsmod
</code></pre></div></div>
<p>Access current task.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>p $lx_current().pid
p $lx_current().comm
p $lx_current().cred
</code></pre></div></div>
<p>Current kernel processes.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) lx-ps
0xffffffff822179c0 <init_task> 0 swapper/0
0xffff88003d5a0000 1 init
0xffff88003d5a1400 2 kthreadd
0xffff88003d5a2800 3 ksoftirqd/0
0xffff88003d5a5000 5 kworker/0:0H
0xffff88003d600000 7 rcu_preempt
0xffff88003d601400 8 rcu_sched
0xffff88003d602800 9 rcu_bh
0xffff88003d603c00 10 migration/0
0xffff88003d649400 11 migration/1
0xffff88003d64a800 12 ksoftirqd/1
</code></pre></div></div>
<p>Container_of macro is used to obtain the container structure address of given member.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) p *(struct task_struct *)0xffff880041198000
(gdb) p $container_of(init_task.tasks.next, "struct task_struct", "tasks")
</code></pre></div></div>
<p>Print task for specific pid.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>p/x $lx_task_by_pid(1)
</code></pre></div></div>
<p>Print thread_info structure for the task.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>p/x $lx_thread_info($lx_task_by_pid(1))
</code></pre></div></div>
Introduction to Linux Kernel Debugging2019-01-28T17:31:51+00:00https://chandreas.github.io/2019/01/28/Linux-kernel-debugging<p><strong>Kernel Debugging</strong></p>
<p>Kernel debugging is used to identify kernel bugs.</p>
<p><strong>Debugging by Printing</strong></p>
<p>The printk is similar with printf on C standard library and can be called from anywhere in the kernel at any time, from interrupt or process context.
The printk is not used on boot process, if you want to use similar debug on boot mode you can use <code class="language-plaintext highlighter-rouge">early_printk()</code> unless you are writing to console you can always use <code class="language-plaintext highlighter-rouge">printk()</code>.</p>
<p>The printk is having the following capabilities to specify the loglevel</p>
<p><strong>Loglevels that can be used on printk are below</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>KERN_EMERG 0 emergency condition.System maybe hang.
KERN_ALERT 1 problem that requires immediate attention
KERN_CRIT 2 critical condition
KERN_ERR 3 error
KERN_WARNING 4 warning
KERN_NOTICE 5 normal
KERN_INFO 6 informational message
KERN_DEBUG 7 debugging message
KERN_DEFAULT d the default kernel loglevel
KERN_CONT continued line of printout
</code></pre></div></div>
<p>Example</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>printk(KERN_ERR "Error, return code: %d\n",ret);
</code></pre></div></div>
<p><strong>pr_* macros</strong></p>
<p>The <code class="language-plaintext highlighter-rouge">pr_* macros</code> (with exception of <code class="language-plaintext highlighter-rouge">pr_debug</code>) are simple shorthand definitions in <code class="language-plaintext highlighter-rouge">include/linux/printk.h</code> for their respective printk call and should probably be used in newer drivers.
<code class="language-plaintext highlighter-rouge">pr_devel</code> and <code class="language-plaintext highlighter-rouge">pr_debug</code> are replaced with <code class="language-plaintext highlighter-rouge">printk(KERN_DEBUG ...</code> if the kernel was compiled with DEBUG, otherwise replaced with an empty statement.
For drivers the <code class="language-plaintext highlighter-rouge">pr_debug</code> should not be used anymore (use <code class="language-plaintext highlighter-rouge">dev_dbg</code> instead).</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pr_emerg
pr_alert
pr_crit
pr_err
pr_warning
pr_notice
pr_info
pr_debug,pr_devel if DEBUG is defined.
pr_cont
</code></pre></div></div>
<p>Example</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>pr_err("Error,return code: %d\n", ret);
</code></pre></div></div>
<p>Note that if you don’t specifying the loglevel the default is KERN_WARNING.</p>
<p>To determine your current console_loglevel</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cat /proc/sys/kernel/printk
4 4 1 7
current default minimum boot-time-default
</code></pre></div></div>
<p>To change console_loglevel</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo 8 > /proc/sys/kernel/printk
</code></pre></div></div>
<p>if is set to 8, all messages, including debugging ones, are displayed</p>
<p>Another way to change the console log level is to use dmesg with the -n parameter</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> dmesg -n 7
</code></pre></div></div>
<p>To debug an oops and you don’t know where this happened you can use the following line</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>printk(KERN_ALERT "DEBUG: Passed %s %d \n",__FUNCTION__,__LINE__);
</code></pre></div></div>
<p><strong>Log Buffer</strong></p>
<p>Kernel messages are stored in a circular buffer of size LOG_BUF_LEN which is configurable on compile time. The default size is 16KB.</p>
<p><strong>Enable Kernel debugging Option</strong></p>
<p>The following options should be enabled on kernel config</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CONFIG_DEBUG_KERNEL=y
CONFIG_DEBUG_INFO=y
</code></pre></div></div>
<p><strong>Bugs on code</strong></p>
<p>There are two functions that you can use on the kernel to show an oops message.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>BUG();
BUG_ON();
</code></pre></div></div>
<p>Further a more critical error is signaled via panic() which is printing the error and halt the system.</p>
<p>Example:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>panic("%s: failed to map registers\n", __func__);
</code></pre></div></div>
<p>Sometimes we need stack trace and dump_stack() can be used which is dumps the contents of the registers and function back trace.</p>
<p>Example:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>dump_stack();
</code></pre></div></div>
<p><strong>Decoding an oops message</strong></p>
<p>addr2line translates addresses into file names and line numbers. Given an address in an executable it uses the debugging information to figure out which file name and line number are associated with it.</p>
<p>Examples:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>addr2line -f -e vmlinux 0xffffffff85037434
</code></pre></div></div>
<p>with gdb</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb -q vmlinux
list *(0xffffffff85037434)
</code></pre></div></div>
<p>or with objdump to determine the offending line</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cat /proc/modules
</code></pre></div></div>
<p>get the value of module and use it on objdump</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>objdump -dS --adjust-vma=0xffffffff85037434 vmlinux
</code></pre></div></div>
<p><strong>Kernel Debugging with gdb</strong></p>
<p>GDB can be used to debug the kernel. As you can see on the below command we are running gdb on uncompressed kernel image vmlinux. The kcore parameter is acting as a core file to let gdb peek into the memory</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb -q vmlinux /proc/kcore
</code></pre></div></div>
<p>KGDB patch enables gdb to debug kernel remotely with serial cable.</p>
<p>How to enable KGDB on your kernel</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CONFIG_FRAME_POINTER=y
CONFIG_KGDB=y
CONFIG_KGDB_SERIAL_CONSOLE=y
CONFIG_KGDB_KDB=y
CONFIG_KDB_KEYBOARD=y
</code></pre></div></div>
<p><strong>Example kernel Debugging with GDB and QEMU</strong></p>
<p>First step is to download and compile the buildroot with the following config file.</p>
<p>Download buildroot</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd /root/
wget https://buildroot.uclibc.org/downloads/buildroot-2018.02.10.tar.gz
tar xvf buildroot-2018.02.10.tar.gz
cd buildroot-2018.02.10
make menuconfig
</code></pre></div></div>
<p>Follow the below configuration</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Target options
Target Architecture - Aarch64 (little endian)
Target Architecture Variant (cortex-A57) --->
Toolchain --->
Toolchain type (Buildroot toolchain) --->
Toolchain type (External toolchain) --->
Toolchain (Linaro AArch64 2017.11) --->
*** Host GDB Options ***
[*] Build cross gdb for the host
[*] TUI support
[*] Python support
[*] Simulator support
GDB debugger Version (gdb 8.0.x) --->
System configuration --->
[*] Enable root login with password
( ) Root password ⇐= set your password using this option
[*] Run a getty (login prompt) after boot --->
TTY port - ttyAMA0
Target packages --->
[*] Show packages that are also provided by busybox
Networking applications
[*] dhcpcd
[*] iproute2
[*] openssh
Filesystem images
[*] ext2/3/4 root filesystem
ext2/3/4 variant (ext4) --->
(120M) exact size
[*] tar the root filesystem
</code></pre></div></div>
<p>Build it</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>make -j4
</code></pre></div></div>
<p>Then we will need to install the aarch64 toolchain to compile the kernel</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt install gcc-aarch64-linux-gnu
</code></pre></div></div>
<p>Compile the Kernel with specific config</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd /root/
git clone git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
cd linux/
wget https://raw.githubusercontent.com/ChAndreas/linux-config/master/config-aarch64
mv config-aarch64 .config
ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make oldconfig
ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- make -j40
</code></pre></div></div>
<p>Next step is to install QEMU for the architecture that we have compiled our kernel and buildroot.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt install qemu-system-arm
</code></pre></div></div>
<p>Boot the QEMU with following configuration</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>qemu-system-aarch64 \
-machine virt \
-cpu cortex-a57 \
-nographic -smp 2 \
-hda ~/buildroot-2018.02.10/output/images/rootfs.ext4 \
-kernel ~/linux/arch/arm64/boot/Image \
-append "console=ttyAMA0 root=/dev/vda oops=panic panic_on_warn=1 panic=-1 ftrace_dump_on_oops=orig_cpu debug earlyprintk=serial slub_debug=UZ" \
-m 2G \
-net user,hostfwd=tcp::10023-:22 -net nic \
-pidfile vm.pid -s \
2>&1 | tee vm.log
</code></pre></div></div>
<p>Run the gdb and verify that everything is configured correctly by checking symbols</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gdb-multiarch vmlinux
(gdb) add-auto-load-safe-path ~/linux/scripts/gdb/vmlinux-gdb.py
(gdb) info address vmalloc_user
</code></pre></div></div>
<p>Now on QEMU type the follow to compare with the address from the gdb</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>grep 'T vmalloc_user' /proc/kallsyms
</code></pre></div></div>
<p>The addresses should match exactly</p>
<p>Attach to the booted guest:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) target remote :1234
</code></pre></div></div>
<p>To see the source context</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) info source
(gdb) list
</code></pre></div></div>
<p>We can see the backtrace with the following command</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) bt full
</code></pre></div></div>
<p>Use c to continue execution, and Control-C to halt execution. Use n to step over, s to single-step, and finish to finish the current stack frame. Remember that we’re running a build with optimizations, so sometimes variables will be optimized out or the source line may change unexpectedly.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>(gdb) b printk
(gdb) c
</code></pre></div></div>
Compile Linux Kernel (Ubuntu-Debian)2018-09-20T16:40:51+00:00https://chandreas.github.io/2018/09/20/compile-kernel-debian<p><strong>Download neccessary packages</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt-get install build-essential libncurses-dev bison flex libssl-dev libelf-dev bc ccache gcc-8-plugin-dev
</code></pre></div></div>
<p><strong>Download Kernel Config hardened check, to verify that we will use the best practice kernel config options for security.</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://github.com/a13xp0p0v/kconfig-hardened-check.git
</code></pre></div></div>
<p><strong>Download Kernel</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.3.13.tar.xz
wget https://cdn.kernel.org/pub/linux/kernel/v5.x/linux-5.3.13.tar.sign
</code></pre></div></div>
<p><strong>Extract tar.xz kernel</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>unxz linux-5.3.13.tar.xz
</code></pre></div></div>
<p><strong>Download gpg key of Greg Kroah-Hartman and Linus Torvalds Linux Maintainers.</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gpg --locate-keys torvalds@kernel.org gregkh@kernel.org
</code></pre></div></div>
<p><strong>Verify kernel tarball with gpg.</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>gpg --verify linux-5.3.13.tar.sign
</code></pre></div></div>
<p><strong>If everything is OK and you didn’t get “BAD signature” output from the “gpg –verify” extract the tarball.</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tar xvf linux-5.3.13.tar
</code></pre></div></div>
<p><strong>Enter the kernel folder.</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cd linux-5.3.13
</code></pre></div></div>
<p><strong>Copy running kernel config.</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cp -v /boot/config-$(uname -r) .config
make oldconfig
</code></pre></div></div>
<p><strong>Check kernel config with kconfig-hardened-check for security.</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>python3 ../kconfig-hardened-check/kconfig-hardened-check.py -c .config
</code></pre></div></div>
<p><strong>Make the nessesary changes that you found with kconfig-hardened-check.</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>make menuconfig
</code></pre></div></div>
<p><strong>Build the kernel</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>make -j$(nproc)
</code></pre></div></div>
<p><strong>Install Kernel Modules</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>make INSTALL_MOD_STRIP=1 modules_install -j$(nproc)
</code></pre></div></div>
<p><strong>Install Kernel</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>make install -j$(nproc)
</code></pre></div></div>
<p><strong>Update initramfs</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>update-initramfs -u -k all
</code></pre></div></div>
<p><strong>Reboot your system</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>reboot
</code></pre></div></div>
ARM Pointer Authentication2018-09-20T16:35:51+00:00https://chandreas.github.io/2018/09/20/arm-authentication-pointers<p>The ARMv8.3 pointer authentication extension adds functionality to detect modification of pointer values, mitigating certain classes of attack such as
ROP/JOP attacks. In essence, it attaches a cryptographic signature to pointer values. Those signatures can be verified before a pointer is used.
An attacker with lack of the key used to create the signatures, cannot create valid pointers for use in an exploit.</p>
<p>When CONFIG_ARM64_POINTER_AUTHENTICATION is selected, and relevant HW support is present, the kernel will assign a random APIAKey value to each process at exec*() time.
The key is assigned at exec() time, not at process creation. So threads share a key, and parent and child will share a key after fork() until one of them calls exec().</p>
<p>New instructions are added which can be used to:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Insert a PAC into a pointer
Strip a PAC from a pointer
Authenticate strip a PAC from a pointer
</code></pre></div></div>
<p>PAC instruction sign pointers become not usable pointer (Pointer + PAC)</p>
<p>AUT instruction authenticate PAC if PAC match the result of the original pointer if not the result will be an invalid pointer (fault).</p>
<p>XPAC instruction stip PAC remove authentication and restored to the original pointer</p>
<p>The new PAC instruction can be used to calculate the authentication code and stored within pointer value. The value containing the authentication code cannot be dereferenced directly, since, without the sign-extension bits, it is no longer recognized as a valid address.</p>
<p>Regaining a usable pointer requires using the AUT instruction, which will recalculate the authentication code and compare it to what is found in the authenticated pointer value. If the two match, the authentication code will be removed otherwise, the pointer will be modified to ensure a fault should it be dereferenced. Thus, any attempt to use a pointer that lacks a proper authentication code will lead to a crash.</p>
<p>GCC 7 compiler include basic support for pointer authentication in the form of the -msign-return-address option.</p>
<p>Example without arm pointer authentication</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0000000000000724 <main>:
724: a9bf7bfd stp x29, x30, [sp, #-16]!
728: 910003fd mov x29, sp
72c: 90000000 adrp x0, 0 <_init-0x598>
730: 911fa000 add x0, x0, #0x7e8
734: 97ffffb7 bl 610 <printf@plt>
738: d503201f nop
73c: a8c17bfd ldp x29, x30, [sp], #16
740: d65f03c0 ret
744: 00000000 .inst 0x00000000 ; undefined
</code></pre></div></div>
<p>Example with arm pointer authentication</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>0000000000000724 <main>:
724: d503233f paciasp
728: a9bf7bfd stp x29, x30, [sp, #-16]!
72c: 910003fd mov x29, sp
730: 90000000 adrp x0, 0 <_init-0x598>
734: 911fc000 add x0, x0, #0x7f0
738: 97ffffb6 bl 610 <printf@plt>
73c: d503201f nop
740: a8c17bfd ldp x29, x30, [sp], #16
744: d50323bf autiasp
748: d65f03c0 ret
74c: 00000000 .inst 0x00000000 ; undefined
</code></pre></div></div>
Control Flow Integrity2018-09-20T16:15:51+00:00https://chandreas.github.io/2018/09/20/cfi<p>To improve security modern systems contain many mitigation strategies that try to make it harder to exploit security vulnerabilities.
One of those mitigation technologies that is recently added in Android 9 is Control Flow Integrity.</p>
<p>CFI is a security mechanism that disallows changes to the original control flow graph of a compiled binary(Control-flow hijacking: Arbitrary code execution), making it significantly harder to perform such attacks.</p>
<p>CFI restricts the control-flow of an application to valid execution traces by monitoring the program runtime and compare it with precomputed state and if an invalid state an alert is raised and terminate the app.</p>
<p>The CFI mechanism consists of two abstract components: the (often static) analysis component that recovers the Control-Flow Graph (CFG) (Paths defined by application’s Control-Flow Graph) of the application (at different levels of precision) and the dynamic enforcement mechanism that restricts control flows according to the generated CFG.</p>
<p>CFI assumes that executable code is read-only, otherwise an attacker could simply overwrite code and remove the runtime monitors.</p>
<p>Indirect control-flow transfers are further divided into forward-edge control-flow transfers and backward-edge control-flow transfers.</p>
<p>Forward-edge control-flow transfers direct code forward to a new location and are used in indirect jump and indirect call instructions, which are mapped at the source code level to, e.g., switch statements, indirect calls, or virtual calls.</p>
<p>The backward-edge is used to return to a location that was used in a forward-edge earlier, e.g., when returning from a function call through a return instruction.</p>
<p>Example CFI on Android Makefile (Implementing system CFI)</p>
<p>Android.mk</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>LOCAL_SANITIZE := cfi
# Optional features
LOCAL_SANITIZE_DIAG := cfi
LOCAL_SANITIZE_BLACKLIST := cfi_blacklist.txt
</code></pre></div></div>
<p>Example CFI in blueprint files</p>
<p>Android.bp</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sanitize: {
cfi: true,
diag: {
cfi: true,
},
blacklist: "cfi_blacklist.txt",
},
</code></pre></div></div>
Introduction to Kubernetes Cluster2018-05-08T17:31:51+00:00https://chandreas.github.io/2018/05/08/kubernetes<p><strong>Kubernetes</strong></p>
<p>Kubernetes is an open-source system for automating deployment, scaling, and management of containerized applications.</p>
<p><strong>Installation</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Distro: Ubuntu 16.04
Servers: Master
Node Server 1
Node Server 2
</code></pre></div></div>
<p><strong>Disable the swap file on all servers</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo swapoff -a
</code></pre></div></div>
<p>Remove any matching reference found in /etc/fstab</p>
<p><strong>Install the Docker</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt-get update
apt-get install -y apt-transport-https ca-certificates curl software-properties-common
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | apt-key add -
add-apt-repository "deb https://download.docker.com/linux/$(. /etc/os-release; echo "$ID") $(lsb_release -cs) stable"
apt-get update && apt-get install -y docker-ce=$(apt-cache madison docker-ce | grep 17.03 | head -1 | awk '{print $3}')
</code></pre></div></div>
<p><strong>Install Kubernetes packages</strong></p>
<p>You will install these packages on all of your machines:</p>
<p>kubeadm: the command to bootstrap the cluster.
kubelet: the component that runs on all of the machines in your cluster and does things like starting pods and containers.
kubectl: the command line util to talk to your cluster.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apt-get update && apt-get install -y apt-transport-https curl
curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
cat <<EOF >/etc/apt/sources.list.d/kubernetes.list
deb http://apt.kubernetes.io/ kubernetes-xenial main
EOF
apt-get update
apt-get install -y kubelet kubeadm kubectl kubernetes-cni
</code></pre></div></div>
<p><strong>Create the cluster</strong></p>
<p>We need to create the cluster by initiating the master with kubeadm. Only do this on the master node.</p>
<p>The Kubernetes master is responsible for maintaining the desired state for your cluster.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo kubeadm init --pod-network-cidr=172.16.0.0/16
mkdir -p $HOME/.kube
sudo cp -i /etc/kubernetes/admin.conf $HOME/.kube/config
sudo chown $(id -u):$(id -g) $HOME/.kube/config
</code></pre></div></div>
<p>Login to the other two nodes which are the worker nodes and use the token to join them to the master node.
The worker nodes in a cluster are the machines (VMs, physical servers, etc) that run your applications and cloud workflows.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubeadm join <ip>:6443 --token <token key> --discovery-token-ca-cert-hash sha256:<key>
</code></pre></div></div>
<p><strong>Install networking</strong></p>
<p>Only on master execute the following</p>
<p>Weave NET</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl apply -f "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')"
curl -SL "https://cloud.weave.works/k8s/net?k8s-version=$(kubectl version | base64 | tr -d '\n')&env.IPALLOC_RANGE=172.16.0.0/16" | kubectl apply -f -
</code></pre></div></div>
<p><strong>Creating Pods, Deployments and Services</strong></p>
<p><strong>Pod</strong></p>
<p>A Kubernetes Pod represents a running process on your cluster. A pod is a group of one or more containers, with shared storage/network, and a specification for how to run the containers.</p>
<p>Example
Create a pod.yaml</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">Pod</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">restartPolicy</span><span class="pi">:</span> <span class="s">Always</span>
<span class="na">volumes</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">shared-data</span>
<span class="na">emptyDir</span><span class="pi">:</span> <span class="pi">{}</span>
<span class="na">containers</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx-container</span>
<span class="na">image</span><span class="pi">:</span> <span class="s">nginx</span>
<span class="na">volumeMounts</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">shared-data</span>
<span class="na">mountPath</span><span class="pi">:</span> <span class="s">/usr/share/nginx/html</span>
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl create -f pod.yaml
</code></pre></div></div>
<p><strong>Deployment</strong></p>
<p>A kubernetes Deployment manages creating Pods by means of ReplicaSets.</p>
<p>ReplicaSet is the next-generation Replication Controller.A ReplicaSet ensures that a specified number of pod replicas are running at any given time.</p>
<p>create a deployment.yaml</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">apiVersion</span><span class="pi">:</span> <span class="s">apps/v1</span>
<span class="na">kind</span><span class="pi">:</span> <span class="s">Deployment</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">nginx-deployment</span>
<span class="na">labels</span><span class="pi">:</span>
<span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span>
<span class="na">selector</span><span class="pi">:</span>
<span class="na">matchLabels</span><span class="pi">:</span>
<span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span>
<span class="na">template</span><span class="pi">:</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">labels</span><span class="pi">:</span>
<span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">containers</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">nginx</span>
<span class="na">image</span><span class="pi">:</span> <span class="s">nginx:1.7.9</span>
<span class="na">ports</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">containerPort</span><span class="pi">:</span> <span class="m">80</span>
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl create -f deployment.yaml
</code></pre></div></div>
<p>Replicas can be changed either by editing the deployment or using scale.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl edit deployment nginx
kubectl scale --replicas=3 deployment/nginx
</code></pre></div></div>
<p><strong>Service</strong></p>
<p>A Kubernetes Service is an abstraction which defines a logical set of Pods and a policy by which to access them. . The set of Pods targeted by a Service is determined by a Label Selector</p>
<p>create service.yaml file</p>
<div class="language-yaml highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="na">kind</span><span class="pi">:</span> <span class="s">Service</span>
<span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span>
<span class="na">metadata</span><span class="pi">:</span>
<span class="na">name</span><span class="pi">:</span> <span class="s">nginx-service</span>
<span class="na">spec</span><span class="pi">:</span>
<span class="na">selector</span><span class="pi">:</span>
<span class="na">app</span><span class="pi">:</span> <span class="s">nginx</span>
<span class="na">ports</span><span class="pi">:</span>
<span class="pi">-</span> <span class="na">protocol</span><span class="pi">:</span> <span class="s">TCP</span>
<span class="na">port</span><span class="pi">:</span> <span class="m">80</span>
<span class="na">targetPort</span><span class="pi">:</span> <span class="m">9376</span>
</code></pre></div></div>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>kubectl create -f service.yaml
</code></pre></div></div>
<p>Sources</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://kubernetes.io/docs/
</code></pre></div></div>
Introduction to LSM Linux security Module Framework2018-05-08T17:31:51+00:00https://chandreas.github.io/2018/05/08/lsm<p>The Linux Security Module framework provides a mechanism for various security checks to be hooked by new kernel extensions.<br />
The LSM are not actually loadable kernel modules, instead are selectable at build time via CONFIG_DEFAULT_SECURITY and can be overridden at boot-time via the “security=…” in case that more than LSM built in to the kernel.
Linux Mandatory Access Control (MAC) or policy based access control used to enable addition checks base on a policy describing what kind of operations are allowed for which process in which context.
Examples of LSM interface are SELinux, Smack, Tomoyo, and AppArmor. Without enabling a specific LSM to the kernel the Linux capabilities will be a default LSM.</p>
<p>To see the enabled and active security modules use the following command.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cat /sys/kernel/security/lsm
</code></pre></div></div>
<p>Example of Linux Security Module.</p>
<p>YAMA</p>
<p>Yama is a Linux Security Module that collects system-wide DAC security protections that are not handle by the core kernel itself.
It does Discretionary Access Control of some kernel related functions, like defining if process tracing (prace) is allowed.
Linux DAC permissions are classical unix checks compare the current process with UID GID versus the UID and GID of the file being accessed with the checks of which modes are been set “read/write/execute”.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>To enable YAMA use CONFIG_SECURITY_YAMA=y on kernel config.
</code></pre></div></div>
<p>kernel.yama.ptrace_scope this parameter helps system administrators to select what processes can be debugged with ptrace.</p>
<p>To determine the active value of yama ptrace scooe we can use sysctl or check pseudo file system /proc and find the related key.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sysctl kernel.yama.ptrace_scope
</code></pre></div></div>
<p>or</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cat /proc/sys/kernel/yama/ptrace_scope
kernel.yama.ptrace_scope = 0: all processes can be debugged, as long as they have same uid. This is the classical way of how ptracing worked.
kernel.yama.ptrace_scope = 1: only a parent process can be debugged.
kernel.yama.ptrace_scope = 2: Only admin can use ptrace, as it required CAP_SYS_PTRACE capability.
kernel.yama.ptrace_scope = 3: No processes may be traced with ptrace. Once set, a reboot is needed to enable ptracing again.
</code></pre></div></div>
<p>Examples of the two most popular MAC extensions are below.</p>
<p>Apparmor</p>
<p>AppArmor is MAC style security extension for the Linux kernel. It implements a task centered policy, with task “profiles” being created and loaded from user space. Tasks on the system that do not have a profile defined for them run in an unconfined state which is equivalent to standard Linux DAC permissions.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>To enable apparmor use CONFIG_SECURITY_APPARMOR=y on kernel config
</code></pre></div></div>
<p>Check apparmor status</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>apparmor_status
</code></pre></div></div>
<p>Selinux</p>
<p>Selinux is MAC style security extension built into the Linux kernel and defines the access and transition rights of each user, applications, processs and files on the system. The decision making process when you try to access an object example file the policy enforcement server in the kernel will checks an access vector cache AVC and checks if you can access the file or not.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>To enable selinux use CONFIG_SECURITY_SELINUX=y on kernel config.
</code></pre></div></div>
<p>There are three modes on Selinux enforcing which will check and deny or grant an access, permissive where AVC will check and log the attemp if is denied and selinux will not enforce the policy and last mode is disabled where the selinux is fully disabled.</p>
<p>Check Selinux status</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sestatus -v
</code></pre></div></div>
<p>Sources</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://www.kernel.org/doc/html/v4.16/admin-guide/LSM/index.html
https://linux-audit.com/protect-ptrace-processes-kernel-yama-ptrace_scope/
</code></pre></div></div>
Compile aarch64 Linux kernel Upstream for Raspberry Pi2018-05-08T17:31:51+00:00https://chandreas.github.io/2018/05/08/rpi3-kernel-aarch64<p>This is a guide how to compile and install 64 bit (aarch64) kernel for the Raspberry pi 3 b, 3 b+ or 4.</p>
<p>Install build tools</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sudo apt-get install build-essential libgmp-dev libmpfr-dev libmpc-dev bc git-core binutils-aarch64-linux-gnu gcc-aarch64-linux-gnu cpp-aarch64-linux-gnu g++-aarch64-linux-gnu libncurses-dev
</code></pre></div></div>
<p>Clone Linux kernel sources</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>git clone https://github.com/raspberrypi/linux.git rpi3-kernel
cd rpi3-kernel
</code></pre></div></div>
<p>Create output folder</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mkdir ../out
</code></pre></div></div>
<p>Compile kernel</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>make O=../out/ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- bcmrpi3_defconfig
make -j4 O=../out/ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu-
mkdir ../out/out-modules/
make O=../out/ ARCH=arm64 CROSS_COMPILE=aarch64-linux-gnu- INSTALL_MOD_PATH=../out/out-modules/ modules_install
</code></pre></div></div>
<p>Install (plug the sdcard and replace sdX with your device)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mount /dev/sdX1 /media/
cd ../out/
rm -rf /media/overlays
cp -R arch/arm64/boot/dts/overlays /media/
cp arch/arm64/boot/Image /media/kernel8.img
cp arch/arm64/boot/dts/broadcom/bcm2710-rpi-3-b.dtb /media/bcm2710-rpi-3-b.dtb
echo "arm_64bit=1" >> /media/config.txt
echo "kernel=kernel8.img" >> /media/config.txt
umount /media
mount /dev/sdX2 /media/
cd out-modules/lib/modules/
cp -R 4.14.* /media/lib/modules/
umount /media
</code></pre></div></div>
Linux Namespaces2018-01-14T17:31:51+00:00https://chandreas.github.io/2018/01/14/namespaces<p>Namespaces are a feature on the Linux kernel that isolate and virtualize system resources of a collection of processes.
Examples of softwares using namespaces are Docker, LXC and Mesos.</p>
<p>There are two essential set of namespaces, label based namespaces and mapping based namespaces.</p>
<p>Label based namespace are used to attach resources to a namespace, for example when you want to add a network card on a namespace you will not see it on the host and it will reappear when your remove it from the namespace. The first label based namespace was network namespace.</p>
<p>Mapping namespaces are used to map resources from parent process to namespace itself, for example pid namespace takes the process pid and projects it into the namespace with different pid. Very useful when you want to run a system container and you want to run a service that required init.</p>
<p>To enable namespaces support on your kernel you must enable if not already the below configs on your kernel .config file:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CONFIG_NAMESPACES
CONFIG_UTS_NS
CONFIG_IPC_NS
CONFIG_USER_NS
CONFIG_PID_NS
CONFIG_NET_NS
</code></pre></div></div>
<p><strong>Linux supports 7 Namespaces:</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1. Mount - isolate filesystem mount points
2. UTS - isolate hostname and domain name
3. IPC - isolate interprocess communication (IPC) resources
4. PID - isolate the PID number space
5. Network - isolate network interfaces
6. User - isolate UID/GID number spaces
7. Cgroup - isolate cgroup root directory
</code></pre></div></div>
<p><strong>The namespaces API includes the following system calls:</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1. clone - creates a new process similar to fork() but allows child process to share parts of its execution.
2. setns - allows the calling process to join an existing namespace and allow any type of namespace to be joined.
3. unshare - moves the calling process to a new namespace and allows a process to disassociate parts of its execution that currently being shared with other process.
</code></pre></div></div>
<p><strong>Mount:</strong></p>
<p>Used to control mount points. Process can have their own rootfs, private or share mount.</p>
<p>Mount namespaces serve a variety of purposes. For example, they can be used to provide per-user views of the filesystem. Other uses include mounting a /proc filesystem for a new PID namespace without causing side effects for other process and chroot()-style isolation of a process to a portion of the single directory hierarchy. In some use cases, mount namespaces are combined with bind mounts.</p>
<p>Example</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define _GNU_SOURCE
#include</span> <span class="cpf"><sys/types.h></span><span class="cp">
#include</span> <span class="cpf"><sys/wait.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><sched.h></span><span class="cp">
#include</span> <span class="cpf"><signal.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
#include</span> <span class="cpf"><sys/mount.h></span><span class="cp">
</span>
<span class="cp">#define STACK_SIZE (1024 * 1024)
</span>
<span class="k">static</span> <span class="kt">char</span> <span class="n">child_stack</span><span class="p">[</span><span class="n">STACK_SIZE</span><span class="p">];</span> <span class="cm">/* Stack size for cloned child */</span>
<span class="kt">int</span> <span class="nf">child_main</span><span class="p">(</span><span class="kt">void</span><span class="o">*</span> <span class="n">arg</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">mount</span><span class="p">(</span><span class="s">"proc"</span><span class="p">,</span> <span class="s">"/proc"</span><span class="p">,</span> <span class="s">"proc"</span><span class="p">,</span> <span class="n">MS_BIND</span><span class="o">|</span><span class="n">MS_REC</span><span class="o">|</span><span class="n">MS_SHARED</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"mount"</span><span class="p">);</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">child</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span>
<span class="s">"/bin/bash"</span><span class="p">,</span>
<span class="s">"-c"</span><span class="p">,</span>
<span class="s">"cat /proc/$$/mountinfo | sed 's/ - .*//'"</span><span class="p">,</span>
<span class="nb">NULL</span>
<span class="p">};</span>
<span class="n">execvp</span><span class="p">(</span><span class="n">child</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">child</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">child_pid</span> <span class="o">=</span> <span class="n">clone</span><span class="p">(</span><span class="n">child_main</span><span class="p">,</span> <span class="n">child_stack</span><span class="o">+</span><span class="n">STACK_SIZE</span><span class="p">,</span>
<span class="n">CLONE_NEWNS</span> <span class="o">|</span> <span class="n">SIGCHLD</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>
<span class="n">waitpid</span><span class="p">(</span><span class="n">child_pid</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p><strong>UTS:</strong></p>
<p>Used to set a hostname on the container.The main job of this namespace was to make nfs run in container.</p>
<p>Example</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define _GNU_SOURCE
#include</span> <span class="cpf"><sys/types.h></span><span class="cp">
#include</span> <span class="cpf"><sys/wait.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><sched.h></span><span class="cp">
#include</span> <span class="cpf"><signal.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
</span>
<span class="cp">#define STACK_SIZE (1024 * 1024)
</span>
<span class="k">static</span> <span class="kt">char</span> <span class="n">child_stack</span><span class="p">[</span><span class="n">STACK_SIZE</span><span class="p">];</span> <span class="cm">/* Stack size for cloned child */</span>
<span class="kt">int</span> <span class="nf">child</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">sethostname</span><span class="p">(</span><span class="s">"Container"</span><span class="p">,</span> <span class="mi">10</span><span class="p">);</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">shell</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span>
<span class="s">"/bin/bash"</span><span class="p">,</span>
<span class="s">"-c"</span><span class="p">,</span>
<span class="s">"echo $HOSTNAME"</span><span class="p">,</span>
<span class="nb">NULL</span>
<span class="p">};</span>
<span class="n">execvp</span><span class="p">(</span><span class="n">shell</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">shell</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">child_pid</span> <span class="o">=</span> <span class="n">clone</span><span class="p">(</span><span class="n">child</span><span class="p">,</span> <span class="n">child_stack</span><span class="o">+</span><span class="n">STACK_SIZE</span><span class="p">,</span>
<span class="n">CLONE_NEWUTS</span> <span class="o">|</span> <span class="n">SIGCHLD</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>
<span class="n">waitpid</span><span class="p">(</span><span class="n">child_pid</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p><strong>IPC:</strong></p>
<p>This namespace allows to unshare IPCs to have an isolated set of System V IPC objects (sem, shm, msg) and POSIX message queues inside namespace.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define _GNU_SOURCE
#include</span> <span class="cpf"><sys/types.h></span><span class="cp">
#include</span> <span class="cpf"><sys/wait.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><sched.h></span><span class="cp">
#include</span> <span class="cpf"><signal.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
</span>
<span class="cp">#define STACK_SIZE (1024 * 1024)
</span>
<span class="k">static</span> <span class="kt">char</span> <span class="n">child_stack</span><span class="p">[</span><span class="n">STACK_SIZE</span><span class="p">];</span> <span class="cm">/* Stack size for cloned child */</span>
<span class="kt">int</span> <span class="nf">child_main</span><span class="p">(</span><span class="kt">void</span><span class="o">*</span> <span class="n">arg</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">child</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span>
<span class="s">"/bin/bash"</span><span class="p">,</span>
<span class="s">"-c"</span><span class="p">,</span>
<span class="s">"ipcs -m"</span><span class="p">,</span>
<span class="nb">NULL</span>
<span class="p">};</span>
<span class="n">execvp</span><span class="p">(</span><span class="n">child</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">child</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">child_pid</span> <span class="o">=</span> <span class="n">clone</span><span class="p">(</span><span class="n">child_main</span><span class="p">,</span> <span class="n">child_stack</span><span class="o">+</span><span class="n">STACK_SIZE</span><span class="p">,</span>
<span class="n">CLONE_NEWIPC</span> <span class="o">|</span> <span class="n">SIGCHLD</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>
<span class="n">waitpid</span><span class="p">(</span><span class="n">child_pid</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p><strong>PID:</strong></p>
<p>Process within the PID namespace can see see process only in the same PID namespace and the PID will start with number 1.</p>
<p>Example</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define _GNU_SOURCE
#include</span> <span class="cpf"><sys/types.h></span><span class="cp">
#include</span> <span class="cpf"><sys/wait.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><sched.h></span><span class="cp">
#include</span> <span class="cpf"><signal.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
</span>
<span class="cp">#define STACK_SIZE (1024 * 1024)
</span>
<span class="k">static</span> <span class="kt">char</span> <span class="n">child_stack</span><span class="p">[</span><span class="n">STACK_SIZE</span><span class="p">];</span> <span class="cm">/* Stack size for cloned child */</span>
<span class="kt">int</span> <span class="nf">child_main</span><span class="p">(</span><span class="kt">void</span><span class="o">*</span> <span class="n">arg</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">child</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span>
<span class="s">"/bin/bash"</span><span class="p">,</span>
<span class="s">"-c"</span><span class="p">,</span>
<span class="s">"echo $$"</span><span class="p">,</span>
<span class="nb">NULL</span>
<span class="p">};</span>
<span class="n">execvp</span><span class="p">(</span><span class="n">child</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">child</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">child_pid</span> <span class="o">=</span> <span class="n">clone</span><span class="p">(</span><span class="n">child_main</span><span class="p">,</span> <span class="n">child_stack</span><span class="o">+</span><span class="n">STACK_SIZE</span><span class="p">,</span>
<span class="n">CLONE_NEWPID</span> <span class="o">|</span> <span class="n">SIGCHLD</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>
<span class="n">waitpid</span><span class="p">(</span><span class="n">child_pid</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p><strong>Network:</strong></p>
<p>Example if you run</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> ip addr
</code></pre></div></div>
<p>you will see all the network interface of your system, but lets create a network namespace named test</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> ip netns add test
</code></pre></div></div>
<p>and run again</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> ip netns exec test ip addr
</code></pre></div></div>
<p>you will see only loopback interface. If you want you can add interfaces.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> ip link set enp1s0 netns test.
</code></pre></div></div>
<p>to remove it</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> ip netns exec test ip link set enp1s0 netns 1
</code></pre></div></div>
<p><strong>User:</strong></p>
<p>User namespace gives enhanced privileges to a user and can emulate root user. Also used to map users and groups.If you run namespaces without the CLONE_NEWUSER flag is placed in the same user namespace as its parent process.</p>
<p>Example</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define _GNU_SOURCE
#include</span> <span class="cpf"><sys/types.h></span><span class="cp">
#include</span> <span class="cpf"><sys/wait.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><sched.h></span><span class="cp">
#include</span> <span class="cpf"><signal.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
</span>
<span class="cp">#define STACK_SIZE (1024 * 1024)
</span>
<span class="k">static</span> <span class="kt">char</span> <span class="n">child_stack</span><span class="p">[</span><span class="n">STACK_SIZE</span><span class="p">];</span> <span class="cm">/* Stack size for cloned child */</span>
<span class="kt">int</span> <span class="nf">child_main</span><span class="p">(</span><span class="kt">void</span><span class="o">*</span> <span class="n">arg</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">child</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span>
<span class="s">"/bin/bash"</span><span class="p">,</span>
<span class="s">"-c"</span><span class="p">,</span>
<span class="s">"id"</span><span class="p">,</span>
<span class="nb">NULL</span><span class="p">,</span>
<span class="p">};</span>
<span class="n">execvp</span><span class="p">(</span><span class="n">child</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">child</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">child_pid</span> <span class="o">=</span> <span class="n">clone</span><span class="p">(</span><span class="n">child_main</span><span class="p">,</span> <span class="n">child_stack</span><span class="o">+</span><span class="n">STACK_SIZE</span><span class="p">,</span>
<span class="n">CLONE_NEWUSER</span> <span class="o">|</span> <span class="n">SIGCHLD</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>
<span class="n">waitpid</span><span class="p">(</span><span class="n">child_pid</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p><strong>Cgroups:</strong></p>
<p>A process can call unshare() using the CLONE_NEWCGROUP flag to enter a new cgroup namespace. Once it does that, it will no longer see the global cgroup hierarchy.</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define _GNU_SOURCE
#include</span> <span class="cpf"><sys/types.h></span><span class="cp">
#include</span> <span class="cpf"><sys/wait.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><sched.h></span><span class="cp">
#include</span> <span class="cpf"><signal.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
</span>
<span class="cp">#ifndef CLONE_NEWCGROUP
#define CLONE_NEWCGROUP 0x02000000
#endif
</span>
<span class="cp">#define STACK_SIZE (1024 * 1024)
</span>
<span class="k">static</span> <span class="kt">char</span> <span class="n">child_stack</span><span class="p">[</span><span class="n">STACK_SIZE</span><span class="p">];</span> <span class="cm">/* Stack size for cloned child */</span>
<span class="kt">int</span> <span class="nf">child_main</span><span class="p">(</span><span class="kt">void</span><span class="o">*</span> <span class="n">arg</span><span class="p">)</span>
<span class="p">{</span>
<span class="kt">char</span> <span class="o">*</span><span class="n">child</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span>
<span class="s">"/bin/bash"</span><span class="p">,</span>
<span class="s">"-c"</span><span class="p">,</span>
<span class="s">"cat /proc/self/cgroup"</span><span class="p">,</span>
<span class="nb">NULL</span><span class="p">,</span>
<span class="p">};</span>
<span class="n">execvp</span><span class="p">(</span><span class="n">child</span><span class="p">[</span><span class="mi">0</span><span class="p">],</span> <span class="n">child</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">child_pid</span> <span class="o">=</span> <span class="n">clone</span><span class="p">(</span><span class="n">child_main</span><span class="p">,</span> <span class="n">child_stack</span><span class="o">+</span><span class="n">STACK_SIZE</span><span class="p">,</span>
<span class="n">CLONE_NEWCGROUP</span> <span class="o">|</span> <span class="n">SIGCHLD</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">);</span>
<span class="n">waitpid</span><span class="p">(</span><span class="n">child_pid</span><span class="p">,</span> <span class="nb">NULL</span><span class="p">,</span> <span class="mi">0</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p><strong>unshare</strong></p>
<p>The unshare command allows you to run a program with some namespaces ‘unshared’ from its parent.</p>
<p>Example</p>
<div class="language-bash highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="nb">sudo </span>unshare <span class="nt">--map-root-user</span> <span class="nt">--user</span> bash <span class="nt">-c</span> <span class="nb">id</span>
</code></pre></div></div>
<p><strong>setns</strong></p>
<p>joining an existing namespace</p>
<p>Example</p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define _GNU_SOURCE
#include</span> <span class="cpf"><fcntl.h></span><span class="cp">
#include</span> <span class="cpf"><sched.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
#include</span> <span class="cpf"><stdlib.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><errno.h></span><span class="cp">
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">fd</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">argc</span> <span class="o"><</span> <span class="mi">3</span><span class="p">)</span> <span class="p">{</span>
<span class="n">fprintf</span><span class="p">(</span><span class="n">stderr</span><span class="p">,</span> <span class="s">"%s /proc/PID/ns/FILE cmd arguments</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">argv</span><span class="p">[</span><span class="mi">0</span><span class="p">]);</span>
<span class="n">exit</span><span class="p">(</span><span class="n">EXIT_FAILURE</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">1</span><span class="p">],</span> <span class="n">O_RDONLY</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">fd</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"open"</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">setns</span><span class="p">(</span><span class="n">fd</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"setns"</span><span class="p">);</span>
<span class="n">execvp</span><span class="p">(</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">],</span> <span class="o">&</span><span class="n">argv</span><span class="p">[</span><span class="mi">2</span><span class="p">]);</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"execvp"</span><span class="p">);</span>
<span class="p">}</span>
</code></pre></div></div>
<p>Sources</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://linux.die.net/man/2/setns
https://en.wikipedia.org/wiki/Linux_namespaces
http://man7.org/linux/man-pages/man7/namespaces.7.html
https://lwn.net/Articles/531114/
</code></pre></div></div>
Linux Capabilities2018-01-13T18:31:51+00:00https://chandreas.github.io/2018/01/13/capabilities<p><strong>Linux Kernel distinguishes its processes with the following two categories:</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1. Privileged Processes: These processes allow the user to bypass all Kernel permission checks.
2. Unprivileged Processes: These processes are subject to full permission checks, such as the effective UID, GID, and supplementary group list.
</code></pre></div></div>
<p>The goal of capabilities is divide the power of superuser into pieces, such that if a program that has one or more capabilities is compromised, its power to do damage to the system would be less than the same program running with root privilege.</p>
<p>Linux’s thread/process privilege checking is based on capabilities.</p>
<p><strong>List of some of the capabilities that are enabled on Linux:</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>CAP_AUDIT_CONTROL - Allows enable and disable kernel auditing.
CAP_AUDIT_READ - Allows reading the audit log via a multicast netlink socket.
CAP_AUDIT_WRITE - Allows to write records to kernel auditing log.
CAP_BLOCK_SUSPEND - Allows the ability to block system suspend.
CAP_CHOWN - Allows to make arbitrary changes to file UIDs and GIDs
CAP_DAC_OVERRIDE - Allows to bypass file read, write, and execute permission checks.
CAP_DAC_READ_SEARCH - Allows to bypass file read permission checks and directory read and execute permission checks.
CAP_NET_ADMIN - Allows various network-related operations.
CAP_NET_RAW - Allows to use of RAW and PACKET sockets.
CAP_SETUID - Allows arbitrary manipulations of process UIDs.
CAP_SETGID - Allows arbitrary manipulations of process groups id.
CAP_SETPCAP - Allows to grant or remove any capability in the caller's permitted capability set to or from any other process.
CAP_MKNOD - Allows to create filesystem node
CAP_SYS_MODULE - Allows to load and unload modules
CAP_SYS_NICE - Allows change process nice value
CAP_SYS_PTRACE - Allows to trace process
CAP_SYS_TIME - Allows to set system clock
CAP_SYS_CHROOT - Allows to run chroot.
CAP_SYS_ADMIN - Allows a range of system administration operation (dangerous capability)
CAP_MAC_OVERRIDE - Allows to change mac address.
CAP_NET_BIND_SERVICE - Allows to bind privileged ports(less than 1024)
CAP_NET_BROADCAST - Allows socket broadcast and listen to multicast.
CAP_SETFCAP - Allows to set file capabilities.
CAP_SYS_BOOT - Allows to run reboot.
CAP_SYS_PACCT - Allows to enable or disable process accounting
CAP_SYS_RAWIO - Allows I/O port operation.
CAP_KILL - Allows to send kill signals.
</code></pre></div></div>
<p><strong>There are 3 modes for Capabilities:</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>1. e: Effective - This indicates that the capability is "activated."
2. p: Permitted - This indicates that the capability can be used.
3. i: Inherited - This indicates that the capability is inherited by child elements/subprocesses and defines which capabilities stay permitted across an exec().
</code></pre></div></div>
<p><strong>Getting/Setting capabilities from userland:</strong></p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>getcap - get capabilities
setcap - set capabilities
</code></pre></div></div>
<p><strong>Example to allow user run wireshark dumpcap utility without root privileges:</strong></p>
<p>Run getcap you will see that no capabilities are enabled for dumpcap</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> getcap /usr/bin/dumpcap
</code></pre></div></div>
<p>Run the below command to allow raw socket and network administrator privileges for dumpcap</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> sudo setcap cap_net_raw,cap_net_admin+eip /usr/bin/dumpcap
</code></pre></div></div>
<p>Run again the getcap commnad and you will get the output that dumpcap has the new capabilities.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> /usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
</code></pre></div></div>
<p><strong>Example check capabilities on c code.</strong></p>
<div class="language-c highlighter-rouge"><div class="highlight"><pre class="highlight"><code><span class="cp">#define _GNU_SOURCE
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><stdlib.h></span><span class="cp">
#include</span> <span class="cpf"><linux/capability.h></span><span class="cp">
#include</span> <span class="cpf"><sys/capability.h></span><span class="cp">
#include</span> <span class="cpf"><errno.h></span><span class="cp">
</span>
<span class="kt">int</span> <span class="nf">cap_check</span><span class="p">(</span><span class="n">cap_value_t</span> <span class="n">cap_flag</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">cap_t</span> <span class="n">cap</span><span class="p">;</span>
<span class="n">cap</span> <span class="o">=</span> <span class="n">cap_get_proc</span><span class="p">();</span>
<span class="k">if</span> <span class="p">(</span><span class="n">cap</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">cap_set_flag</span><span class="p">(</span><span class="n">cap</span><span class="p">,</span> <span class="n">CAP_EFFECTIVE</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="o">&</span><span class="n">cap_flag</span><span class="p">,</span> <span class="n">CAP_SET</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"not enabled"</span><span class="p">);</span>
<span class="n">cap_free</span><span class="p">(</span><span class="n">cap</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">cap_set_proc</span><span class="p">(</span><span class="n">cap</span><span class="p">)</span> <span class="o">!=</span> <span class="mi">0</span> <span class="p">)</span>
<span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"cannot set"</span><span class="p">);</span>
<span class="n">cap_free</span><span class="p">(</span><span class="n">cap</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">FILE</span> <span class="o">*</span><span class="n">fd</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">c</span><span class="p">;</span>
<span class="k">if</span> <span class="p">(</span><span class="n">cap_check</span><span class="p">(</span><span class="n">CAP_DAC_READ_SEARCH</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="p">{</span> <span class="n">perror</span><span class="p">(</span><span class="s">"cap_set_flag CAP_DAC_READ_SEARCH"</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">cap_check</span><span class="p">(</span><span class="n">CAP_DAC_OVERRIDE</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"cap_set_flag CAP_DAC_OVERRIDE"</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">cap_check</span><span class="p">(</span><span class="n">CAP_SYS_ADMIN</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"cap_set_flag CAP_SYS_ADMIN"</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">fd</span> <span class="o">=</span> <span class="n">fopen</span> <span class="p">(</span><span class="s">"/etc/shadow"</span><span class="p">,</span> <span class="s">"r"</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">fd</span> <span class="o">==</span> <span class="nb">NULL</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Open /etc/shadow failed</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span> <span class="k">else</span> <span class="p">{</span>
<span class="k">while</span><span class="p">(</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">c</span> <span class="o">=</span> <span class="n">fgetc</span><span class="p">(</span><span class="n">fd</span><span class="p">);</span>
<span class="k">if</span><span class="p">(</span> <span class="n">feof</span><span class="p">(</span><span class="n">fd</span><span class="p">)</span> <span class="p">)</span> <span class="p">{</span>
<span class="k">break</span> <span class="p">;</span>
<span class="p">}</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"%c"</span><span class="p">,</span> <span class="n">c</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">fclose</span><span class="p">(</span><span class="n">fd</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
</code></pre></div></div>
<p>sources</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.2/capfaq-0.2.txt
http://man7.org/linux/man-pages/man7/capabilities.7.html
http://man7.org/linux/man-pages/man3/cap_get_proc.3.html
</code></pre></div></div>
Introduction to Control Groups (cgroups)2017-12-21T17:15:51+00:00https://chandreas.github.io/2017/12/21/cgroups<p>Cgroups is a Linux kernel feature to limit accounts and isolate the resources usage of process.</p>
<p>The cgroup model is one or more separate, unconnected trees of tasks and many different hierarchies of cgroups can exist simultaneously on a system. A single hierarchy can have one or more subsystems attached to it, but any single subsystem (such as cpu) cannot be attached to more than one hierarchy if one of those hierarchies has a different subsystem attached to it already.</p>
<p>Multiple separate hierarchies of cgroups are necessary because each hierarchy is attached to one or more subsystems. A subsystem (resource controller) represents a single resource such as CPU time or memory.</p>
<p>Each time a new hierarchy is created on the systems, all tasks on the system are initially members of the default cgroup of that hierarchy, which is known as the root cgroup.</p>
<p>Further a child task automatically inherits the cgroup membership of its parent but can be moved to different cgroups as needed.</p>
<p>You can find enabled control groups on your computer via proc filesystem:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code> cat /proc/cgroups or
ls -l /sys/fs/cgroup/
</code></pre></div></div>
<p>Linux kernel provides support for following control group subsystems:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cpuset - provide a mechanism for assigning a set of CPUs and Memory Nodes to a set of tasks.
cpu - uses the scheduler to provide cgroup tasks access to the processor resources.
cpuacct - account the CPU usage of these groups of tasks.
blkio - sets limits on input/output access to and from block devices such as physical drives (disk, solid state, or USB).
memory - isolates the memory behaviour of a group of tasks from the rest of the system.
devices - allows or denies access to devices by tasks in a cgroup.
freezer - start or stop sets of tasks or a task in order to schedule the resources of a machine.
net_cls - this subsystem tags network packets with a class identifier (classid) that allows the Linux traffic controller (tc) to identify packets originating from a particular cgroup task.
net_prio - provides a dynamically way to set the priority of network traffic per network interface.
perf_event - provides access to perf events to a group.
hugetlb - allows to limit the HugeTLB (hugepagesize) usage per control group and enforces the controller limit during page fault.
pids - Used to allow a cgroup hierarchy to stop any new tasks from being fork()'d or clone()'d after a certain limit is reached.
systemd - create a cgroup for each service when starting it.
</code></pre></div></div>
<p>Example</p>
<p>Systemd with Cgroups</p>
<p>Through Systemd, we can limit resources for our test service</p>
<p>Create and compile a test c program that is using 100% of a single core and put it on /root folder</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include</span> <span class="cpf"><stdio.h></span><span class="cp">
</span><span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="k">for</span> <span class="p">(;;);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>Create the following systemd service with limited cpu to 20% percentage and share to 200 (default is 1024 for each core) and memory limit to 50M</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>/etc/systemd/system/test.service
[Unit]
Description=Stress CPU
[Service]
ExecStart=/root/test
ExecStop=/bin/kill -WINCH ${MAINPID}
MemoryAccounting=true
CPUShares=200
CPUQuota=20%
MemoryLimit=50M
[Install]
WantedBy=multi-user.target
</code></pre></div></div>
<p>Start service:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>systemctl start test.service
</code></pre></div></div>
<p>Run systemd-cgtop to see the usage of our test service.</p>
<p>The result should be something like below:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Path Tasks %CPU Memory Input/s Output/s
/system.slice/test.service 1 19.7 84.0K - -
</code></pre></div></div>
<p>To see the difference just remove from the service the CPUShares and CPUQuota to see that the CPU usage for a single core will be 100%:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Path Tasks %CPU Memory Input/s Output/s
/system.slice/test.service 1 99.4 88.0K - -
</code></pre></div></div>
<p>To change the values when the service is running and save this:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>systemctl set-property test CPUShares=500 CPUQuota=50% MemoryLimit=100M
</code></pre></div></div>
<p>Docker with Cgroups</p>
<p>We can create a container that is running our test software and we can set the container to run with ‘cpu.shares’ to assign a relative CPU share and how many cores with cpuset.cpus.</p>
<p>Example</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>docker run -d \
--name='test_with_cgroup' \
--cpuset-cpus=0 \
--cpu-shares=50 \
/bin/bash /tmp/test
</code></pre></div></div>
<p>Again to see the difference just remove the lines CPUShares and CPUset to see that the CPU usage for a single core will be 100%</p>
<p>Limiting Users Resources with cgroups</p>
<p>Create config file /etc/cgconfig.conf</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>group test {
cpu {
cpu.shares="25";
}
cpuacct {
cpuacct.usage="0";
}
memory {
memory.limit_in_bytes="1G";
memory.memsw.limit_in_bytes="1G";
}
}
</code></pre></div></div>
<p>Create config file /etc/cgrules.conf</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>#<user/group> <controller(s)> <cgroup>
@test cpu,cpuacct,memory test
</code></pre></div></div>
<p>Run configuration parcer to parse and load the specified cgroups configuration file</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cgconfigparser -l /etc/cgconfig.conf
</code></pre></div></div>
<p>Run the Rule engine daemon</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cgrulesengd
</code></pre></div></div>
<p>Or you can use systemd to start and enable it:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>systemctl enable cgconfig
systemctl start cgconfig
</code></pre></div></div>
<p>Sources</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
https://www.kernel.org/doc/Documentation/cgroup-v1/cpusets.txt
https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt
https://www.kernel.org/doc/Documentation/cgroup-v1/freezer-subsystem.txt
https://www.kernel.org/doc/Documentation/cgroup-v1/memory.txt
https://www.kernel.org/doc/Documentation/cgroup-v1/blkio-controller.txt
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/resource_management_guide/ch01
</code></pre></div></div>
Kernel Tracing with Ftrace2017-12-06T17:15:51+00:00https://chandreas.github.io/2017/12/06/ftrace<p>Ftrace is a tracing utility in the the Linux kernel, designed to help out developers of the system to find what is going on inside the kernel.</p>
<p>Ftrace was developed by Steven Rostedt and has been included in the kernel since version 2.6.27.</p>
<p>It can be used for debugging or analyzing latencies and performance issues that take place outside of user-space.</p>
<p>Ftrace uses the debugfs file system to hold the control files as well as the files to display output.</p>
<p>To mount this directory, you can add to your /etc/fstab file:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>tracefs /sys/kernel/debug/tracing tracefs defaults 0 0
</code></pre></div></div>
<p>Or you can mount it at run time with:</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>mount -t tracefs nodev /sys/kernel/debug/tracing
cd /sys/kernel/debug/tracing
</code></pre></div></div>
<p>Some of the key files are</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>ls /sys/kernel/debug/tracing
available_tracers – available tracing programs
tracing_on - 0 into this file to disable the tracer or 1 to enable it
trace - holds the output of the trace
current_tracer – display the current tracer that is configured
</code></pre></div></div>
<p>Current tracers that may be configured</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cat /sys/kernel/debug/tracing/available_tracers
function - Function call tracer to trace all kernel functions.
function_graph - Similar to the function tracer except that the function tracer probes the functions on their entry
whereas the function graph tracer traces on both entry and exit of the functions. It then provides the ability to draw a graph of function calls similar to C code source.
blk - The block tracer I/O. The tracer used by the blktrace user application.
hwlat - The Hardware Latency tracer is used to detect if the hardware produces any latency.
irqsoff - Traces the areas that disable interrupts and saves the trace with the longest max latency.
preemptoff - Similar to irqsoff but traces and records the amount of time for which preemption is disabled.
preemptirqsoff - Similar to irqsoff and preemptoff, but traces and records the largest time for which irqs and/or preemption is disabled.
wakeup - Traces and records the max latency that it takes for the highest priority task to get scheduled after it has been woken up.
wakeup_rt - Traces and records the max latency that it takes for just RT tasks (as the current "wakeup" does).
wakeup_dl - Traces and records the max latency that it takes for a SCHED_DEADLINE task to be woken (as the "wakeup" and "wakeup_rt" does).
mmiotrace - A special tracer that is used to trace binary module. It will trace all the calls that a module makes to the hardware. Everything it writes and reads from the I/O as well.
branch - This tracer can be configured when tracing likely/unlikely calls within the kernel. It will trace when a likely and unlikely branch is hit and if it was correct in its prediction of being correct.
nop - This is the "trace nothing" tracer. A way to disable other tracers and can be use with events
</code></pre></div></div>
<p>Example how to run ftrace with function tracer</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>sysctl kernel.ftrace_enabled=1
echo function > /sys/kernel/debug/tracing/current_tracer
echo 1 > /sys/kernel/debug/tracing/tracing_on
sleep 1
echo 0 > /sys/kernel/debug/tracing/tracing_on
cat /sys/kernel/debug/tracing/trace
</code></pre></div></div>
<p>Limiting the traces with setting up the filters</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>set_ftrace_filter - enabling or disabling specific functions to be traced
set_ftrace_notrace - Any function that is added here will not be traced
set_ftrace-pid - only traces functions executed by a task with the given pid
set_graph_function - Functions listed in this file will cause the function graph tracer to only trace these functions and the functions that they call.
set_graph_notrace - Disable function graph tracing when the function is hit until it exits the function.
</code></pre></div></div>
<p>Function name filter is very limited show only when enter or exit the function</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo schedule > set_ftrace_filter
</code></pre></div></div>
<p>Appending the filter</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo '*rcu*' >> set_ftrace_filter
</code></pre></div></div>
<p>Clear the filter</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo > set_ftrace_filter
</code></pre></div></div>
<p>Example filter syscalls</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo SyS_read > set_ftrace_filter
</code></pre></div></div>
<p>Function stack trace with func_stack_trace option</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo schedule > set_ftrace_filter
echo 1 > /sys/kernel/debug/tracing/options/func_stack_trace
echo function > /sys/kernel/debug/tracing/current_tracer
echo 0 > /sys/kernel/debug/tracing/tracing_on
ech0 0 > /sys/kernel/debug/tracing/options/func_stack_trace
</code></pre></div></div>
<p>Tracing Events</p>
<p>The trace event directory. It holds event tracepoints (also known as static tracepoints) that have been compiled into the kernel.
Tracepoints placed in code provides a hook to call a function (probe) that you can provide at runtime can be used
without creating custom kernel modules to register probe functions using the event tracing infrastructure.</p>
<p>You can find all events on</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>cat /sys/kernel/debug/tracing/available_events
</code></pre></div></div>
<p>Example with events</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo 0 > /sys/kernel/debug/tracing/tracing_on
echo 1 > /sys/kernel/debug/tracing/events/syscalls/enable
echo 1 > /sys/kernel/debug/tracing/events/exceptions/enable
sh -c 'echo $$ > /sys/kernel/debug/tracing/set_event_pid; echo 1 > /sys/kernel/debug/tracing/tracing_on; exec echo ftrace'
cat /sys/kernel/debug/tracing/trace
</code></pre></div></div>
<p>set_event_pid Events only trace a task with a PID listed in this file</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>echo 0 > /sys/kernel/debug/tracing/tracing_on
echo 1 > /sys/kernel/debug/tracing/events/syscalls/enable
echo 1 > /sys/kernel/debug/tracing/events/exceptions/enable
echo $$ > /sys/kernel/debug/tracing/set_event_pid
echo 1 > /sys/kernel/debug/tracing/tracing_on;
echo ftrace_events;
echo 0 > /sys/kernel/debug/tracing/tracing_on;
</code></pre></div></div>
<p>The new interface trace-cmd</p>
<p>Change tracer to function</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd start -p function
</code></pre></div></div>
<p>See available filters</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd list -f
</code></pre></div></div>
<p>Set ftrace filter</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd start -p function -l schedule
</code></pre></div></div>
<p>Set ftrace pid</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd record -p function -F echo ftrace
</code></pre></div></div>
<p>Syscall tracing</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd -p function -g SyS_read
</code></pre></div></div>
<p>Ftrace no trace (set_ftrace_notrace)</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace -p nop -n schedule
</code></pre></div></div>
<p>Ftrace function stack trace ( options/func_stack_trace )</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd start -p function -l schedule --func-stack
</code></pre></div></div>
<p>Ftrace Events list</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd list -e
</code></pre></div></div>
<p>Set Event</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd start -p -e sched
</code></pre></div></div>
<p>Set Event pid</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd record -e syscalls -e exceptions -F echo ftrace
</code></pre></div></div>
<p>Show output</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>trace-cmd show
trace-cmd report
</code></pre></div></div>
<p>source</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://www.kernel.org/doc/Documentation/trace/ftrace.txt
https://www.kernel.org/doc/Documentation/trace/events.txt
https://www.kernel.org/doc/Documentation/trace/tracepoints.txt
https://www.kernel.org/doc/Documentation/trace/ftrace-design.txt
https://kernel-recipes.org/en/2017/talks/understanding-the-linux-kernel-via-ftrace/
</code></pre></div></div>
Understanding Signals2017-11-28T15:20:23+00:00https://chandreas.github.io/2017/11/28/signals<p>Signals are software interrupts to handle asynchronous events.</p>
<p>A signal may be sent from the kernel to a process, from a process to another process, or from a process to itself, or is sent either to a specific thread (Linux task) or to the process as a whole (Linux thread group).</p>
<p>In Linux, every signal has a name that begins with characters SIG.</p>
<p>When the signal is delivered, either it’s caught or ignored by a user handler or it has a default action.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Ignore - nothing will happen but SIGKILL and SIGSTOP cannot be ignored.
Catch and handle Signal Kernel will suspend execution of the process and run handle code or chose to terminate.
Default action, this could be the default action to terminate the process or ignore.
</code></pre></div></div>
<p>Signals Identifiers</p>
<p>Signals are defined in signal.h header file.</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>+--------------------+------------------+
| POSIX signal | default action |
+--------------------+------------------+
| SIGHUP | terminate |
| SIGINT | terminate |
| SIGQUIT | coredump |
| SIGILL | coredump |
| SIGTRAP | coredump |
| SIGABRT/SIGIOT | coredump |
| SIGBUS | coredump |
| SIGFPE | coredump |
| SIGKILL | terminate(+) |
| SIGUSR1 | terminate |
| SIGSEGV | coredump |
| SIGUSR2 | terminate |
| SIGPIPE | terminate |
| SIGALRM | terminate |
| SIGTERM | terminate |
| SIGCHLD | ignore |
| SIGCONT | ignore(*) |
| SIGSTOP | stop(*)(+) |
| SIGTSTP | stop(*) |
| SIGTTIN | stop(*) |
| SIGTTOU | stop(*) |
| SIGURG | ignore |
| SIGXCPU | coredump |
| SIGXFSZ | coredump |
| SIGVTALRM | terminate |
| SIGPROF | terminate |
| SIGPOLL/SIGIO | terminate |
| SIGSYS/SIGUNUSED | coredump |
| SIGSTKFLT | terminate |
| SIGWINCH | ignore |
| SIGPWR | terminate |
| SIGRTMIN-SIGRTMAX | terminate |
+--------------------+------------------+
| non-POSIX signal | default action |
+--------------------+------------------+
| SIGEMT | coredump |
+--------------------+------------------+
ignore - Nothing Happens
terminate - kill the process, i.e. all threads in the group, similar to exit_group. The group leader (only) report WIFSIGNALED status to its parent.
coredump - write a core dump file describing all threads using the same Memory Management and then kill all those threads
stop - stop all the threads in the group, i.e. TASK_STOPPED state
</code></pre></div></div>
<p>Note that SIGKILL and SIGSTOP cannot be caught, blocked, or ignored.</p>
<p>Example how to catch a signal.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include</span> <span class="cpf"><stdlib.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
#include</span> <span class="cpf"><signal.h></span><span class="cp">
</span>
<span class="k">static</span> <span class="kt">void</span> <span class="nf">signal_handler</span> <span class="p">(</span><span class="kt">int</span> <span class="n">singnu</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Caught SIGTERM</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">exit</span> <span class="p">(</span><span class="n">EXIT_SUCCESS</span><span class="p">);</span>
<span class="p">}</span>
<span class="kt">int</span> <span class="nf">main</span> <span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span> <span class="o">*</span><span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="k">if</span> <span class="p">(</span><span class="n">signal</span> <span class="p">(</span><span class="n">SIGTERM</span><span class="p">,</span> <span class="n">signal_handler</span><span class="p">)</span> <span class="o">==</span> <span class="n">SIG_ERR</span><span class="p">)</span> <span class="p">{</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Cannot handle signal</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="n">exit</span><span class="p">(</span><span class="n">EXIT_FAILURE</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">for</span> <span class="p">(;;)</span>
<span class="n">pause</span><span class="p">();</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>sources</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>http://www.tldp.org/LDP/tlk/kernel/processes.html
http://elixir.free-electrons.com/linux/v4.15-rc2/source/include/linux/signal.h
</code></pre></div></div>
Understanding Daemon Process2017-11-17T15:20:23+00:00https://chandreas.github.io/2017/11/17/daemon-process<p>A daemon process is a process which runs in background and has no controlling terminal.
Normally daemon process are running on boot, running as root or other system user and handle system tasks.</p>
<p>The requirement to run a daemon it must run as a child of init process and not connected to a terminal.</p>
<p>How to create a daemon</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>Call fork() off the parent process.
Call exit() on parent process
Call setsid() to give new process group and session ID (SID) to become child process as a session leader.
Call signal() to ignore any signal sent from child to parent
Call again fork() to check that the daemon is not a session leader, which prevents it from acquiring a controlling terminal.
Call umask(0); Set new file permissions
Call chdir() to change the current working directory
Close file descriptors.
Reopen all file descriptor and redirect them to /dev/null, call open() /dev/null for stdin to return a file descriptor and the dublicate with dup() for stdout and stderr.
Call daemon code.
</code></pre></div></div>
<p>Example code</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include</span> <span class="cpf"><sys/types.h></span><span class="cp">
#include</span> <span class="cpf"><sys/stat.h></span><span class="cp">
#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><stdlib.h></span><span class="cp">
#include</span> <span class="cpf"><fcntl.h></span><span class="cp">
#include</span> <span class="cpf"><errno.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
#include</span> <span class="cpf"><signal.h></span><span class="cp">
#include</span> <span class="cpf"><linux/fs.h></span><span class="cp">
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span> <span class="p">{</span>
<span class="n">pid_t</span> <span class="n">pid</span><span class="p">;</span>
<span class="kt">int</span> <span class="n">i</span><span class="p">;</span>
<span class="n">pid</span> <span class="o">=</span> <span class="n">fork</span><span class="p">();</span>
<span class="k">if</span> <span class="p">(</span><span class="n">pid</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">pid</span> <span class="o">!=</span> <span class="mi">0</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">exit</span><span class="p">(</span><span class="n">EXIT_SUCCESS</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">setsid</span><span class="p">()</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">signal</span><span class="p">(</span><span class="n">SIGCHLD</span><span class="p">,</span> <span class="n">SIG_IGN</span><span class="p">);</span>
<span class="n">pid</span> <span class="o">=</span> <span class="n">fork</span><span class="p">();</span>
<span class="k">if</span> <span class="p">(</span><span class="n">pid</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">exit</span><span class="p">(</span><span class="n">EXIT_FAILURE</span><span class="p">);</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span><span class="n">pid</span> <span class="o">></span> <span class="mi">0</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">exit</span><span class="p">(</span><span class="n">EXIT_SUCCESS</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">umask</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="k">if</span> <span class="p">((</span><span class="n">chdir</span><span class="p">(</span><span class="s">"/"</span><span class="p">))</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">for</span> <span class="p">(</span><span class="n">i</span> <span class="o">=</span> <span class="n">sysconf</span><span class="p">(</span><span class="n">_SC_OPEN_MAX</span><span class="p">);</span> <span class="n">i</span> <span class="o">></span> <span class="mi">0</span><span class="p">;</span> <span class="n">i</span><span class="o">--</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">close</span><span class="p">(</span><span class="n">i</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">open</span><span class="p">(</span><span class="s">"/dev/null"</span><span class="p">,</span> <span class="n">O_RDWR</span><span class="p">);</span>
<span class="n">dup</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="n">dup</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="k">while</span> <span class="p">(</span><span class="mi">1</span><span class="p">)</span>
<span class="p">{</span>
<span class="cm">/* run daemon code */</span>
<span class="p">}</span>
<span class="n">exit</span><span class="p">(</span><span class="n">EXIT_SUCCESS</span><span class="p">);</span>
<span class="p">}</span></code></pre></figure>
<p>Other way on Linux systems you can call daemon() to create it.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"> <span class="kt">int</span> <span class="nf">daemon</span><span class="p">(</span><span class="kt">int</span> <span class="n">nochdir</span><span class="p">,</span> <span class="kt">int</span> <span class="n">noclose</span><span class="p">);</span></code></pre></figure>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://stackoverflow.com/questions/17954432/creating-a-daemon-in-linux/17955149#17955149
https://linux.die.net/man/2/setsid
http://man7.org/linux/man-pages/man2/umask.2.html
http://man7.org/linux/man-pages/man3/sysconf.3.html
http://man7.org/linux/man-pages/man2/open.2.html
http://man7.org/linux/man-pages/man2/dup.2.html
</code></pre></div></div>
Understanding Zombie Process2017-11-17T15:15:51+00:00https://chandreas.github.io/2017/11/17/zombies-process<p>Zombie Process is a state of process which has completed execution but still has an entry in the process table.
These process have irresponsible parent process. The responsible
Process table is a data structure in Linux kernel, that stores information about all current process.</p>
<p>The process table contain the PID, User, Scheduling value, Virtual memory, State, CPU, Memory etc.</p>
<p>Location of process is /proc and you can use ps, top, htop, pstree and many other tools to see the process or you can get the process table with a kernel module.</p>
<p>Example</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include</span> <span class="cpf"><linux/module.h></span><span class="cp">
#include</span> <span class="cpf"><linux/printk.h></span><span class="cp">
#include</span> <span class="cpf"><linux/sched.h></span><span class="cp">
</span>
<span class="k">static</span> <span class="kt">int</span> <span class="n">__init</span> <span class="nf">proc_list</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="k">struct</span> <span class="n">task_struct</span> <span class="o">*</span><span class="n">task</span><span class="p">;</span>
<span class="n">for_each_process</span><span class="p">(</span><span class="n">task</span><span class="p">)</span>
<span class="n">pr_info</span><span class="p">(</span><span class="s">"%s [%d]</span><span class="se">\n</span><span class="s">"</span><span class="p">,</span> <span class="n">task</span><span class="o">-></span><span class="n">comm</span><span class="p">,</span> <span class="n">task</span><span class="o">-></span><span class="n">pid</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">static</span> <span class="kt">void</span> <span class="n">__exit</span> <span class="nf">proc_exit</span><span class="p">(</span><span class="kt">void</span><span class="p">)</span>
<span class="p">{</span>
<span class="n">pr_info</span><span class="p">(</span><span class="s">"Cleaning up"</span><span class="p">);</span>
<span class="p">}</span>
<span class="n">module_init</span><span class="p">(</span><span class="n">proc_list</span><span class="p">);</span>
<span class="n">module_exit</span><span class="p">(</span><span class="n">proc_exit</span><span class="p">);</span></code></pre></figure>
<p>An easy way to create a zombie process is to run fork and exit the child immediately and the parent will sleep and will not be informed about the exit.
When a process exit(), all of the memory and resources associated with it are deallocated. Further note that if the parent process dies before the child, the kernel will reparent the child process to init.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><stdlib.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">()</span>
<span class="p">{</span>
<span class="n">pid_t</span> <span class="n">child</span><span class="p">;</span>
<span class="k">if</span> <span class="p">((</span><span class="n">child</span> <span class="o">=</span> <span class="n">fork</span><span class="p">())</span> <span class="o"><</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">exit</span><span class="p">(</span><span class="mi">1</span><span class="p">);</span>
<span class="k">if</span> <span class="p">(</span><span class="n">child</span> <span class="o">==</span> <span class="mi">0</span><span class="p">)</span>
<span class="n">exit</span><span class="p">(</span><span class="mi">0</span><span class="p">);</span>
<span class="n">sleep</span><span class="p">(</span><span class="mi">120</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>The parent process use wait() to get info about the child state.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">if</span> <span class="p">(</span> <span class="n">waitpid</span><span class="p">(</span><span class="n">child</span><span class="p">,</span> <span class="o">&</span><span class="n">status</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span> <span class="p">{</span>
<span class="k">return</span> <span class="n">EXIT_FAILURE</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>To get information if the process exit() correctly</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">if</span> <span class="p">(</span><span class="n">WIFEXITED</span> <span class="p">(</span><span class="n">status</span><span class="p">))</span>
<span class="k">return</span> <span class="nf">WEXITSTATUS</span><span class="p">(</span><span class="n">status</span><span class="p">);</span></code></pre></figure>
<p>To fix and remove zombie process entry from process table we need to inform parent process that child called exit.</p>
<p>We need to make the parent to wait() the status of child so it can report the exit of the child.</p>
<p>First we need to find the process parent id and zombie id, then we need to use gdb to attach on parent and call waitpid within the zombie id.</p>
<p>Example</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="n">ps</span> <span class="n">axo</span> <span class="n">stat</span><span class="p">,</span><span class="n">ppid</span><span class="p">,</span><span class="n">pid</span><span class="p">,</span><span class="n">comm</span> <span class="o">|</span> <span class="n">grep</span> <span class="o">-</span><span class="n">w</span> <span class="n">defunct</span>
<span class="n">gdb</span>
<span class="n">attach</span> <span class="o"><</span><span class="n">process</span> <span class="n">id</span> <span class="n">of</span> <span class="n">parent</span> <span class="n">process</span><span class="o">></span>
<span class="n">call</span> <span class="n">waitpid</span> <span class="p">(</span><span class="o"><</span><span class="n">zombie</span> <span class="n">id</span><span class="o">></span><span class="p">,</span><span class="mi">0</span><span class="p">,</span><span class="mi">0</span><span class="p">)</span>
<span class="n">detach</span></code></pre></figure>
<p>sources</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://linux.die.net/man/2/waitpid:
https://en.wikipedia.org/wiki/Zombie_process
</code></pre></div></div>
Limiting syscalls with seccomp2017-09-20T14:15:51+00:00https://chandreas.github.io/2017/09/20/seccomp<p>Seccomp and Seccomp-BPF are used to limit the system calls available to a Linux process. System call filtering isn’t a sandbox. It provides a clearly defined mechanism for minimizing the exposed kernel surface.</p>
<p>The initial implementation, also known as “mode 1 seccomp” only allowed ‘read’, ‘write’, ‘exit’ and ‘sigreturn’ syscalls to be only possible to read/write to already opened files and exit.</p>
<p>Example how we call seccomp:</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><stdlib.h></span><span class="cp">
#include</span> <span class="cpf"><sys/prctl.h></span><span class="cp">
#include</span> <span class="cpf"><linux/seccomp.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
</span><span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="n">prctl</span><span class="p">(</span><span class="n">PR_SET_SECCOMP</span><span class="p">,</span> <span class="n">SECCOMP_MODE_STRICT</span><span class="p">);</span>
<span class="cm">/* Redirect stderr to stdout */</span>
<span class="n">dup2</span><span class="p">(</span><span class="mi">1</span><span class="p">,</span> <span class="mi">2</span><span class="p">);</span>
<span class="n">printf</span><span class="p">(</span><span class="s">"Nothing.</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>Seccomp is good for absolute restrictions, a more fine grained approach is required when attempting to lock down more complex applications. In order to solve this problem Seccomp - Berkley Packet Filter (Seccomp-BPF) was introduced.</p>
<p>Seccomp-BPF program receives the following struct as an input argument. We can filter based on the system call number and on the arguments.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">struct</span> <span class="n">seccomp_data</span> <span class="p">{</span>
<span class="kt">int</span> <span class="n">nr</span><span class="p">;</span> <span class="cm">/* System call number */</span>
<span class="n">__u32</span> <span class="n">arch</span><span class="p">;</span> <span class="cm">/* AUDIT_ARCH_* value (see <linux/audit.h>)*/</span>
<span class="n">__u64</span> <span class="n">instruction_pointer</span><span class="p">;</span> <span class="cm">/* CPU instruction pointer */</span>
<span class="n">__u64</span> <span class="n">args</span><span class="p">[</span><span class="mi">6</span><span class="p">];</span> <span class="cm">/* Up to 6 system call arguments */</span>
<span class="p">};</span></code></pre></figure>
<p>Seccomp using Linux Socket Filtering aka Berkeley Packet Filter (BPF) which contains the following structures</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">struct</span> <span class="n">sock_filter</span> <span class="p">{</span><span class="cm">/* Filter block */</span>
<span class="n">__u16code</span><span class="p">;</span> <span class="cm">/* Actual filter code */</span>
<span class="n">__u8jt</span><span class="p">;</span> <span class="cm">/* Jump true */</span>
<span class="n">__u8jf</span><span class="p">;</span> <span class="cm">/* Jump false */</span>
<span class="n">__u32k</span><span class="p">;</span> <span class="cm">/* Generic multiuse field */</span>
<span class="p">};</span>
<span class="k">struct</span> <span class="n">sock_fprog</span> <span class="p">{</span> <span class="cm">/* Required for SO_ATTACH_FILTER. */</span>
<span class="kt">unsigned</span> <span class="kt">short</span> <span class="n">len</span><span class="p">;</span> <span class="cm">/* Number of filter blocks */</span>
<span class="k">struct</span> <span class="n">sock_filter</span> <span class="n">__user</span> <span class="o">*</span><span class="n">filter</span><span class="p">;</span>
<span class="p">};</span></code></pre></figure>
<p>So basically what BPFs do in seccomp is to operate on this data, and return a value that tells the kernel what to do next: allow the process to perform the call (SECCOMP_RET_ALLOW), kill it (SECCOMP_RET_KILL), or other options.</p>
<p>As per the documentation of seccomp the best practice is to check the arch system call numbers with seccomp_data->arch to avoid any issues like if the syscall numbers in the different calling conventions overlap, then checks in the filters may be abused.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_LD</span> <span class="o">|</span> <span class="n">BPF_W</span> <span class="o">|</span> <span class="n">BPF_ABS</span><span class="p">,</span> <span class="p">(</span><span class="n">offsetof</span><span class="p">(</span><span class="k">struct</span> <span class="n">seccomp_data</span><span class="p">,</span> <span class="n">arch</span><span class="p">))),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span> <span class="o">|</span> <span class="n">BPF_JEQ</span> <span class="o">|</span> <span class="n">BPF_K</span><span class="p">,</span> <span class="n">AUDIT_ARCH_X86_64</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span> <span class="o">|</span> <span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_KILL</span><span class="p">),</span></code></pre></figure>
<p>Example filter to allow open syscall</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">struct</span> <span class="n">sock_filter</span> <span class="n">filter</span> <span class="p">[]</span> <span class="o">=</span> <span class="p">{</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_LD</span><span class="o">+</span><span class="n">BPF_W</span><span class="o">+</span><span class="n">BPF_ABS</span><span class="p">,</span> <span class="n">offsetof</span><span class="p">(</span><span class="k">struct</span> <span class="n">seccomp_data</span><span class="p">,</span> <span class="n">nr</span><span class="p">)),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_open</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_KILL</span><span class="p">),</span>
<span class="p">};</span></code></pre></figure>
<p>PR_SET_NO_NEW_PRIVS, which impedes child processes to have more privileges than those of the parent. This is needed to make the following call to prctl, which sets the seccomp filter using the PR_SET_SECCOMP option, succeed even when not being root.</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">if</span> <span class="p">(</span><span class="n">prctl</span><span class="p">(</span><span class="n">PR_SET_NO_NEW_PRIVS</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"setting new privileges"</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>Set seccomp</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="k">if</span> <span class="p">(</span><span class="n">prctl</span><span class="p">(</span><span class="n">PR_SET_SECCOMP</span><span class="p">,</span> <span class="n">SECCOMP_MODE_FILTER</span><span class="p">,</span> <span class="o">&</span><span class="n">prog</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span><span class="p">)</span> <span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"seccomp filter error"</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">1</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>Simple example</p>
<figure class="highlight"><pre><code class="language-c" data-lang="c"><span class="cp">#include</span> <span class="cpf"><stdio.h></span><span class="cp">
#include</span> <span class="cpf"><stdlib.h></span><span class="cp">
#include</span> <span class="cpf"><fcntl.h></span><span class="cp">
#include</span> <span class="cpf"><unistd.h></span><span class="cp">
#include</span> <span class="cpf"><stddef.h></span><span class="cp">
#include</span> <span class="cpf"><sys/prctl.h></span><span class="cp">
#include</span> <span class="cpf"><linux/seccomp.h></span><span class="cp">
#include</span> <span class="cpf"><linux/filter.h></span><span class="cp">
#include</span> <span class="cpf"><linux/unistd.h></span><span class="cp">
#include</span> <span class="cpf"><linux/audit.h></span><span class="cp">
</span>
<span class="kt">int</span> <span class="nf">main</span><span class="p">(</span><span class="kt">int</span> <span class="n">argc</span><span class="p">,</span> <span class="kt">char</span><span class="o">*</span> <span class="n">argv</span><span class="p">[])</span>
<span class="p">{</span>
<span class="kt">int</span> <span class="n">fd</span><span class="p">;</span>
<span class="cp">#define syscall_nr (offsetof(struct seccomp_data, nr))
</span> <span class="cp">#define arch_nr (offsetof(struct seccomp_data, arch))
</span>
<span class="cm">/* architecture x86_64 */</span>
<span class="cp">#define REG_SYSCALL REG_RAX
</span> <span class="cp">#define ARCH_NR AUDIT_ARCH_X86_64
</span>
<span class="k">struct</span> <span class="n">sock_filter</span> <span class="n">filter</span><span class="p">[]</span> <span class="o">=</span> <span class="p">{</span>
<span class="cm">/* Validate architecture. */</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_LD</span><span class="o">+</span><span class="n">BPF_W</span><span class="o">+</span><span class="n">BPF_ABS</span><span class="p">,</span> <span class="n">arch_nr</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">ARCH_NR</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_KILL</span><span class="p">),</span>
<span class="cm">/* Get system call number. */</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_LD</span><span class="o">+</span><span class="n">BPF_W</span><span class="o">+</span><span class="n">BPF_ABS</span><span class="p">,</span> <span class="n">syscall_nr</span><span class="p">),</span>
<span class="cm">/* List allowed syscalls. */</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_rt_sigreturn</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_exit_group</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_exit</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_read</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_write</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_open</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_dup</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_fcntl</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_brk</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_fstat</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="n">BPF_JUMP</span><span class="p">(</span><span class="n">BPF_JMP</span><span class="o">+</span><span class="n">BPF_JEQ</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">__NR_close</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">1</span><span class="p">),</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_ALLOW</span><span class="p">),</span>
<span class="cm">/* Kill Process */</span>
<span class="n">BPF_STMT</span><span class="p">(</span><span class="n">BPF_RET</span><span class="o">+</span><span class="n">BPF_K</span><span class="p">,</span> <span class="n">SECCOMP_RET_KILL</span><span class="p">),</span>
<span class="p">};</span>
<span class="k">struct</span> <span class="n">sock_fprog</span> <span class="n">prog</span> <span class="o">=</span> <span class="p">{</span>
<span class="p">.</span><span class="n">len</span> <span class="o">=</span> <span class="p">(</span><span class="kt">unsigned</span> <span class="kt">short</span><span class="p">)(</span><span class="k">sizeof</span><span class="p">(</span><span class="n">filter</span><span class="p">)</span><span class="o">/</span><span class="k">sizeof</span><span class="p">(</span><span class="n">filter</span><span class="p">[</span><span class="mi">0</span><span class="p">])),</span>
<span class="p">.</span><span class="n">filter</span> <span class="o">=</span> <span class="n">filter</span><span class="p">,</span>
<span class="p">};</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">prctl</span><span class="p">(</span><span class="n">PR_SET_NO_NEW_PRIVS</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">,</span> <span class="mi">0</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span> <span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"prctl(PR_SET_NO_NEW_PRIVS)</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">prctl</span><span class="p">(</span><span class="n">PR_SET_SECCOMP</span><span class="p">,</span> <span class="n">SECCOMP_MODE_FILTER</span><span class="p">,</span> <span class="o">&</span><span class="n">prog</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="p">)</span> <span class="p">{</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"Seccomp filter error</span><span class="se">\n</span><span class="s">"</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="k">if</span> <span class="p">(</span> <span class="n">fd</span> <span class="o">=</span> <span class="n">open</span><span class="p">(</span><span class="s">"/etc/passwd"</span><span class="p">,</span> <span class="n">O_RDONLY</span><span class="p">)</span> <span class="o">==</span> <span class="o">-</span><span class="mi">1</span> <span class="p">){</span>
<span class="n">perror</span><span class="p">(</span><span class="s">"Error"</span><span class="p">);</span>
<span class="k">return</span> <span class="o">-</span><span class="mi">1</span><span class="p">;</span>
<span class="p">}</span>
<span class="n">close</span><span class="p">(</span><span class="n">fd</span><span class="p">);</span>
<span class="k">return</span> <span class="mi">0</span><span class="p">;</span>
<span class="p">}</span></code></pre></figure>
<p>sources</p>
<div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>https://outflux.net/teach-seccomp/
http://www.alfonsobeato.net/c/filter-and-modify-system-calls-with-seccomp-and-ptrace/
https://www.illogicalexpressions.com/linux/2016/08/31/seccomp-and-seccomp-bpf.html
https://www.kernel.org/doc/Documentation/networking/filter.txt
https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt
http://elixir.free-electrons.com/linux/latest/source/include/uapi/linux/seccomp.h#L47
</code></pre></div></div>