Kprobe has a pre-handler function vaguely documented as followed:
JavaScript
x
User's pre-handler (kp->pre_handler):: #include <linux/kprobes.h> #include <linux/ptrace.h> int pre_handler(struct kprobe *p, struct pt_regs *regs);Called with p pointing to the kprobe associated with the breakpoint,and regs pointing to the struct containing the registers saved whenthe breakpoint was hit. Return 0 here unless you're a Kprobes geek.I was wondering if one can use this function (or any other Kprobe feature) to prevent a process from being executed forked.
Advertisement
Answer
As documented in the kernel documentation, you can change the execution path by changing the appropriate register (e.g., IP register in x86):
JavaScript
Changing Execution Path-----------------------Since kprobes can probe into a running kernel code, it can change theregister set, including instruction pointer. This operation requiresmaximum care, such as keeping the stack frame, recovering the executionpath etc. Since it operates on a running kernel and needs deep knowledgeof computer architecture and concurrent computing, you can easily shootyour foot.If you change the instruction pointer (and set up other relatedregisters) in pre_handler, you must return !0 so that kprobes stopssingle stepping and just returns to the given address.This also means post_handler should not be called anymore.Note that this operation may be harder on some architectures which useTOC (Table of Contents) for function call, since you have to setup a newTOC for your function in your module, and recover the old one afterreturning from it.So you might be able to block a process’ execution by jumping over some code. I wouldn’t recommend it; you’re more likely to cause a kernel crash than to succeed in stopping the execution of a new process.
seccomp-bpf is probably better suited for your use case. This StackOverflow answer gives you all the information you need to leverage seccomp-bpf.