分类: LINUX
2011-05-30 19:57:49
|
/dev/mem类型的rootkit很可能会再次发挥作用,它默认是没开启的。。。 kernel hacking -> Filter access to /dev/mem 不过rhel系列的内核已经开启了这个选项,所以还是很安全的。 大于1m的物理内存是不能被映射的, 因此想读内核空间是不可能的。 重新升级内核到2.6.30, 没开启filter选项, 又可以读写内核空间了。。。 看下代码/drivers/char/mem.c: /* * This funcion reads the *physical* memory. The f_pos points directly to the * memory location. */ static ssize_t read_mem(struct file * file, char __user * buf, size_t count, loff_t *ppos) { ... while (count > 0) { /* * Handle first page in case it's not aligned */ if (-p & (PAGE_SIZE - 1)) sz = -p & (PAGE_SIZE - 1); else sz = PAGE_SIZE; sz = min_t(unsigned long, sz, count); if (!range_is_allowed(p >> PAGE_SHIFT, count)) return -EPERM; .... } >> range_is_allowed #ifdef CONFIG_STRICT_DEVMEM static inline int range_is_allowed(unsigned long pfn, unsigned long size) { u64 from = ((u64)pfn) << PAGE_SHIFT; u64 to = from + size; u64 cursor = from; while (cursor < to) { if (!devmem_is_allowed(pfn)) { printk(KERN_INFO "Program %s tried to access /dev/mem between %Lx->%Lx.\n", current->comm, from, to); return 0; } cursor += PAGE_SIZE; pfn++; } return 1; } #else static inline int range_is_allowed(unsigned long pfn, unsigned long size) { return 1; } #endif >> devmem_is_allowed /* * devmem_is_allowed() checks to see if /dev/mem access to a certain address is * valid. The argument is a physical page number. * * * On x86-64, access has to be given to the first megabyte of ram because that area * contains bios code and data regions used by X and dosemu and similar apps. * Access has to be given to non-kernel-ram areas as well, these contain the PCI * mmio resources as well as potential bios/acpi data regions. */ int devmem_is_allowed(unsigned long pagenr) { if (pagenr <= 256) return 1; if (!page_is_ram(pagenr)) return 1; return 0; } |
