slug
2023/07/08/Add-monitoring-system-calls-based-on-kernel-6.4.2-on-qume
tags
Development
Linux
category
Linux
Last edited time
Oct 22, 2023 01:31 PM

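0 Preface

While doing kernel modification work, I found that installing and testing each new kernel on a physical machine means rebooting the machine after every small change for the kernel to take effect. If a mistake leaves the kernel unable to boot, the reboot fails and the kernel ends up in a panic state, so the margin for error is very low and the workflow is not very efficient either. I later learned that qemu can be used for kernel development: once the modified kernel is compiled, it can be booted and tested directly in qemu.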

1 Environment setup

sudo apt install qemu qemu-system-x86 debootstrap qemu-utils

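2 Code preparation

For the corresponding code changes, refer to the relevant content of this article; I will not repeat them here. The earlier steps are exactly the same, and only the kernel installation part differs.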

3 Install the modules

make INSTALL_MOD_STRIP=1 modules_install
The command parameters are explained as follows:

4 Manually generate the initramfs

mkinitramfs 6.4.2 -o initrd.img

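5 Generate the rootfs

qemu needs a matching root file system at boot. The original busybox one was too stripped down and caused some problems, so a Debian rootfs is used instead; for the configuration details, refer to my article below.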

6 Start qemu

qemu-system-x86_64 -m 1G -nographic -kernel disk/bzImage -initrd linux-6.4.2/initrd.img -drive file=./disk/rootfs.img,index=0 -drive file=./disk/ext4.img -append "root=/dev/sda console=ttyS0"

7 Test after boot completes

  • Because the kernel modification hooks system calls while the kernel module is not yet loaded, the my_audit function does not exist, so most of the kernel log consists of complaints about this.
[ 57.029624] my_audit is not exist!
[ 57.030008] my_audit is not exist!
[ 57.032450] my_audit is not exist!
[ 57.036242] my_audit is not exist!
[ 57.037026] my_audit is not exist!
[ 57.037427] my_audit is not exist!
[ 57.041572] my_audit is not exist!
[ 57.044126] my_audit is not exist!
[ 57.045016] my_audit is not exist!
loptop login: [ 60.950035] my_audit is not exist!
[ 60.952195] my_audit is not exist!

7.1 Load the kernel module

mount /dev/sdb /mnt
insmod my_audit.ko

root@loptop:/mnt# ins mo[ 416.420674] my_audit is not exist!
insmod my[ 421.641489] my_audit is not exist!
_audit.ko
[ 422.352811] my_audit is not exist!
[ 422.358156] my_audit is not exist!
[ 422.360546] my_audit is not exist!
[ 422.361702] my_audit is not exist!
[ 422.366998] my_audit is not exist!
[ 422.368717] my_audit is not exist!
[ 422.379899] my_audit is not exist!
[ 422.394964] my_audit is not exist!
[ 422.398087] my_audit is not exist!
[ 422.400850] my_audit is not exist!
[ 422.403610] my_audit is not exist!
[ 422.405572] my_audit is not exist!
[ 422.431043] my_audit is not exist!
[ 422.441023] my_audit: loading out-of-tree module taints kernel.
[ 422.441566] my_audit: module verification failed: signature and/or required key missing - tainting kernel
[ 422.445288] Initing System Call Auditing
[ 422.448120] IN MODULE_AUDIT: notice, audit_buf near full

7.2 Check with the user-space test program

root@loptop:/mnt# ./test_syscall
[ 506.591822] IN KERNEL: my system call sys_myaudit() working
[ 506.592278] IN MODULE_systemcall: starting...
[ 506.592504] IN MODULE_systemcall: over, current_pos is 20
num: 20
num[0], serial:[0] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[1], serial:[1] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[2], serial:[2] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[3], serial:[3] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[4], serial:[4] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[5], serial:[5] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[6], serial:[6] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[7], serial:[7] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[8], serial:[8] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[9], serial:[9] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[10], serial:[10] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[11], serial:[11] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[12], serial:[12] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[13], serial:[13] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[14], serial:[14] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[15], serial:[15] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[16], serial:[16] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[17], serial:[17] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[18], serial:[18] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
num[19], serial:[19] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023
[ 506.618775] IN KERNEL: my system call sys_myaudit() working
[ 506.619219] IN MODULE_systemcall: starting...
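An added example (not part of the original post or the author's module): a small Python parser for the record format that test_syscall prints above. It tolerates printk lines mixed into the console capture and flags dumps where the parsed record count differs from the `num:` header or where serial numbers skip. It assumes serial increases by one per record, as in the output above; SAMPLE is constructed, and the function names are hypothetical.

```python
import re
from collections import Counter

# Record layout as printed by the page's test_syscall program. finditer() is used
# instead of line splitting because the serial console interleaves printk output.
RECORD = re.compile(
    r"num\[(?P<idx>\d+)\],\s*serial:\[(?P<serial>\d+)\]\s+syscall:(?P<syscall>\d+)"
    r"\s+pid:(?P<pid>\d+)\s+comm:(?P<comm>.+?)"
    r"\s+time:(?P<time>\w{3}\s+\w{3}\s+\d+\s+[\d:]{8}\s+\d{4})"
)
COUNT = re.compile(r"\bnum:\s*(\d+)")  # the "num: 20" header before the records

def parse_dump(text):
    """Return (declared_count, records) for one captured test_syscall dump."""
    header = COUNT.search(text)
    declared = int(header.group(1)) if header else None
    records = []
    for m in RECORD.finditer(text):
        rec = m.groupdict()
        for key in ("idx", "serial", "syscall", "pid"):
            rec[key] = int(rec[key])
        records.append(rec)
    return declared, records

def check(declared, records):
    """Integrity findings: truncated dump, lost or reordered serial numbers."""
    findings = []
    if declared is not None and declared != len(records):
        findings.append(f"header declares {declared} records, parsed {len(records)}")
    for prev, cur in zip(records, records[1:]):
        step = cur["serial"] - prev["serial"]  # assumption: +1 per record
        if step > 1:
            findings.append(f"{step - 1} record(s) lost after serial {prev['serial']}")
        elif step < 1:
            findings.append(f"serial {cur['serial']} follows {prev['serial']}")
    return findings

def summarize(records):
    # comm is set by the process itself, so it is a label, not an identity.
    return Counter((r["comm"], r["pid"], r["syscall"]) for r in records)

# Constructed sample in the page's format: one interleaved printk, a serial gap.
SAMPLE = (
    "[ 506.592504] IN MODULE_systemcall: over, current_pos is 5 num: 5 "
    "num[0], serial:[0] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023 "
    "num[1], serial:[1] syscall:3 pid:175 comm:systemd-udevd time:Sat Jul 8 11:06:48 2023 "
    "[ 506.618775] IN KERNEL: my system call sys_myaudit() working "
    "num[2], serial:[4] syscall:3 pid:201 comm:bash time:Sat Jul 8 11:06:49 2023 "
    "num[3], serial:[5] syscall:3 pid:201 comm:bash time:Sat Jul 8 11:06:49 2023"
)
```

Feed it the text captured from the qemu serial console, for example `check(*parse_dump(open("console.log").read()))`, where `console.log` is a hypothetical capture file.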
 
 
 
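Manually generating a rootfs usable by qemu when compiling and debugging the kernel on Ubuntu 22.04
How to manually generate the initramfs when compiling your own kernel on Ubuntu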