【Question title】: Can I block a new process execution using Kprobe?
【Posted】: 2019-04-26 17:11:43
【Question】:

Kprobe has a pre-handler function that is vaguely documented as follows:

User's pre-handler (kp->pre_handler)::

    #include <linux/kprobes.h>
    #include <linux/ptrace.h>
    int pre_handler(struct kprobe *p, struct pt_regs *regs);

Called with p pointing to the kprobe associated with the breakpoint,
and regs pointing to the struct containing the registers saved when
the breakpoint was hit.  Return 0 here unless you're a Kprobes geek.

I would like to know whether this feature (or any other Kprobe feature) can be used to prevent a process from being executed/forked.

【Discussion】:

    Tags: linux security callback linux-kernel kprobe


    【Solution 1】:

    As described in the kernel documentation, you can change the execution path by changing the appropriate registers (for example, the IP register on x86):

    Changing Execution Path
    -----------------------
    
    Since kprobes can probe into a running kernel code, it can change the
    register set, including instruction pointer. This operation requires
    maximum care, such as keeping the stack frame, recovering the execution
    path etc. Since it operates on a running kernel and needs deep knowledge
    of computer architecture and concurrent computing, you can easily shoot
    your foot.
    
    If you change the instruction pointer (and set up other related
    registers) in pre_handler, you must return !0 so that kprobes stops
    single stepping and just returns to the given address.
    This also means post_handler should not be called anymore.
    
    Note that this operation may be harder on some architectures which use
    TOC (Table of Contents) for function call, since you have to setup a new
    TOC for your function in your module, and recover the old one after
    returning from it.
    

    So you could block a process's execution by skipping some code. I would not recommend it; you are far more likely to crash the kernel than to successfully stop the new process from executing.

    seccomp-bpf may be better suited to your use case. This StackOverflow answer gives you all the information you need to make use of seccomp-bpf.

    【Discussion】:
