How to change page permission from inside the kernel?

Ahmed Soliman ahmedsoliman0x666 at gmail.com
Fri Jul 6 15:29:40 EDT 2018


> So there's two questions here:
>
from inside KVM lkm (/virt/kvm and arch/x86/kvm)
> 1) Why does the page's protection need to be changed?

Implementing some kernel protection against a subset of rootkits that
manipulate kernel static data (memory pages as well as their
mappings) by having them enforced by the hypervisor, which is KVM in our
case (it is one-way enforcement, only reset by reboot).  For the sake
of the question, what is going on here is guest virtual address -> guest
frame number -> host virtual address and then something that behaves
like mprotect but inside a loadable kernel module. The protection
request is done via hypercall, so KVM should handle that internally.
The point is all memory used by KVM for virtualization is mmapped in
userspace and then passed to KVM using an IOCTL, and KVM is assumed to be
free to do whatever it wants with that memory area.

> 2) And why from inside the kernel?
Because this needs to be done from inside KVM.

Note: I am aware that this won't be effective against rootkits that
live in userspace, rootkits that target kernel dynamic data, files on
disk, as well as VMM escapes, but I believe if the attack surface is
reduced by just a little bit, it is not that bad, so please let's not
discuss that :P.

Thanks.
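
The flow described in the message above (guest virtual address -> guest frame number -> host virtual address, then a one-way protection requested by hypercall), as an added example that is not part of the original post and is not KVM code. It is a userspace C model: `struct slot`, `hc_protect`, `guest_write` and the flat `guest_pt` table are hypothetical names, and the `backing` array stands in for the memory that userspace mmaps and hands to KVM.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define PAGE_SHIFT 12
#define PAGE_SIZE  (1UL << PAGE_SHIFT)
#define NPAGES     4
/* Hypothetical model of one memslot: guest frames backed by host memory. */
struct slot {
    uint64_t base_gfn;        /* first guest frame number in the slot */
    uint8_t *userspace_addr;  /* host virtual address of the backing memory */
    uint8_t  ro[NPAGES];      /* sticky read-only flag, one per page */
};
static uint8_t backing[NPAGES * PAGE_SIZE];  /* stands in for the mmap()ed area */
static struct slot slot0 = { .base_gfn = 0x100, .userspace_addr = backing };
/* Constructed flat guest page table: virtual page number -> gfn. */
static const uint64_t guest_pt[NPAGES] = { 0x102, 0x100, 0x103, 0x101 };

/* GVA -> GFN (toy one-level walk); returns 0 for an unmapped address. */
static uint64_t gva_to_gfn(uint64_t gva) {
    uint64_t vpn = gva >> PAGE_SHIFT;
    return vpn < NPAGES ? guest_pt[vpn] : 0;
}
/* GFN -> HVA by memslot arithmetic; NULL if the gfn is outside the slot. */
static uint8_t *gfn_to_hva(struct slot *s, uint64_t gfn) {
    if (gfn < s->base_gfn || gfn >= s->base_gfn + NPAGES) return NULL;
    return s->userspace_addr + ((gfn - s->base_gfn) << PAGE_SHIFT);
}
/* Hypercall handler: mark the page behind gva read-only. No inverse exists,
 * so the flag only clears when the model is reinitialised ("reboot"). */
int hc_protect(struct slot *s, uint64_t gva) {
    uint64_t gfn = gva_to_gfn(gva);
    if (!gfn_to_hva(s, gfn)) return -EINVAL;
    s->ro[gfn - s->base_gfn] = 1;
    return 0;
}
/* Guest write path: refused with -EPERM once the target page is protected. */
int guest_write(struct slot *s, uint64_t gva, const void *buf, size_t len) {
    uint64_t gfn = gva_to_gfn(gva), off = gva & (PAGE_SIZE - 1);
    uint8_t *hva = gfn_to_hva(s, gfn);
    if (!hva || off + len > PAGE_SIZE) return -EINVAL;
    if (s->ro[gfn - s->base_gfn]) return -EPERM;
    memcpy(hva + off, buf, len);
    return 0;
}
int main(void) {
    guest_write(&slot0, 0x1008, "AB", 2);  /* allowed: page not yet protected */
    hc_protect(&slot0, 0x1000);            /* guest requests protection */
    return guest_write(&slot0, 0x1008, "XY", 2) == -EPERM ? 0 : 1;
}
```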


