xorl %eax, %eax

GRKERNSEC_TIME Time Change Logging

leave a comment »

Another feature of grsecurity! In this post I’ll talk about this:

config GRKERNSEC_TIME
	bool "Time change logging"
	help
	  If you say Y here, any changes of the system clock will be logged.
	  If the sysctl option is enabled, a sysctl option with name
	  "timechange_logging" is created.

Although it’s not an everyday situation. There have been cases where an attacker was changing the system’s time mostly for logging evasion stuff. To avoid this, grsecurity provides the above option that introduces the following code from grsecurity/grsec_time.c.

#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/grinternal.h>

void
gr_log_timechange(void)
{
#ifdef CONFIG_GRKERNSEC_TIME
	if (grsec_enable_time)
		gr_log_noargs(GR_DONT_AUDIT_GOOD, GR_TIME_MSG);
#endif
	return;
}

This is nothing more than a call to the grsecurity’s generic logging routine gr_log_noargs() that will log the time change. Administrators can update ‘grsec_enable_time’ value through ‘timechange_logging’ /proc entry as we can read at grsecurity/grsec_sysctl.c where we can find the following definition.

#if defined(CONFIG_GRKERNSEC_SYSCTL) || defined(CONFIG_GRKERNSEC_ROFS)
struct ctl_table grsecurity_table[] = {
#ifdef CONFIG_GRKERNSEC_SYSCTL
#ifdef CONFIG_GRKERNSEC_SYSCTL_DISTRO
	},
#endif
	{ }
};
     ...
#ifdef CONFIG_GRKERNSEC_TIME
	{
		.procname	= "timechange_logging",
		.data		= &grsec_enable_time,
		.maxlen		= sizeof(int),
		.mode		= 0600,
		.proc_handler	= &proc_dointvec,
	},
#endif
     ...
	},
#endif
	{ }
};
#endif

Finally, this newly added routine is used inside kernel/time.c file and specifically in stime(2) system call.

/*
 * sys_stime() can be implemented in user-level using
 * sys_settimeofday().  Is this for backwards compatibility?  If so,
 * why not move it into the appropriate arch directory (for those
 * architectures that need it).
 */

SYSCALL_DEFINE1(stime, time_t __user *, tptr)
{
        struct timespec tv;
        int err;

        if (get_user(tv.tv_sec, tptr))
                return -EFAULT;

        tv.tv_nsec = 0;

        err = security_settime(&tv, NULL);
        if (err)
                return err;

        do_settimeofday(&tv);

        gr_log_timechange();

        return 0;
}

Just before the function’s return, and a similar patch is implemented for settimeofday(2) system call in the same source code file.

SYSCALL_DEFINE2(settimeofday, struct timeval __user *, tv,
                struct timezone __user *, tz)
{
        struct timeval user_tv;
        struct timespec new_ts;
        struct timezone new_tz;

        if (tv) {
                if (copy_from_user(&user_tv, tv, sizeof(*tv)))
                        return -EFAULT;
                new_ts.tv_sec = user_tv.tv_sec;
                new_ts.tv_nsec = user_tv.tv_usec * NSEC_PER_USEC;
        }
        if (tz) {
                if (copy_from_user(&new_tz, tz, sizeof(*tz)))
                        return -EFAULT;
        }

        gr_log_timechange();

        return do_sys_settimeofday(tv ? &new_ts : NULL, tz ? &new_tz : NULL);
}

Written by xorl

November 18, 2010 at 07:29

Posted in grsecurity, linux, security

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s