https://crates.io/crates/greenhook
Greenhook is a seccomp-unotify-based syscall hook library. It is adapted from https://github.com/pdlan/binder.
You could have it a try if you want to find alternatives other than LD_PRELOAD and ptrace. However, please note that seccomp unotify IS NOT a full replacement of these techniques, and take some time reading seccomp_unotify(2) before you start.
To fully utilize this library, you need to have a kernel version >= 5.9.0. And also you need a special seccomp policy file if you want to run this in Docker or other containers (to allow process_vm_readv() and pidfd_getfd() to run without capabilities), with this:
```console
```
Also, it is necessary to install libseccomp header and library:
$ sudo apt install libseccomp-dev
You can find some examples inside test code. Here is a simple one that makes programs like whoami(1) considering you are root (even if you are not), by hooking geteuid(2):
```rust use std::process::Command;
use greenhook::{Supervisor, UNotifyEventRequest}; use libseccomp::ScmpSyscall;
fn geteuidhandler(req: &UNotifyEventRequest) -> libseccomp::ScmpNotifResp { req.returnsyscall(0) }
fn main() { envlogger::init(); // Get argv[1] let program = std::env::args().nth(1).unwrap(); let mut supervisor = Supervisor::new(2).unwrap(); supervisor.inserthandler(ScmpSyscall::new("geteuid"), geteuidhandler); let mut cmd = Command::new(program); let (mut child, threadhandle, pool) = supervisor.exec(&mut cmd).unwrap(); let _ = Supervisor::wait(&mut child, thread_handle, pool).unwrap(); } ```
Run this with:
```console
cargo run --example geteuid -- whoami root whoami user ```
A more complicated one, that replaces /etc/passwd to /etc/resolv.conf by hooking openat(2):
```rust use std::{process::Command, ffi::CStr, fs::File, os::fd::AsRawFd};
use greenhook::{Supervisor, UNotifyEventRequest, RemoteProcess}; use libseccomp::ScmpSyscall; use log::info; use nix::{unistd::Pid, libc};
fn openathandler(req: &UNotifyEventRequest) -> libseccomp::ScmpNotifResp { let path = req.getrequest().data.args[1]; let remote = RemoteProcess::new(Pid::fromraw(req.getrequest().pid as i32)).unwrap(); let mut buf = [0u8; 256]; remote.readmem(&mut buf, path as usize).unwrap(); // debug!("open (read from remote): {:?}", buf); let path = CStr::frombytesuntilnul(&buf).unwrap(); if !req.isvalid() { return req.failsyscall(libc::EACCES); } info!("open (path CStr): {:?}", path); if path.tostr().unwrap() == "/etc/passwd" { // open /etc/resolv.conf instead let file = File::open("/etc/resolv.conf").unwrap(); let fd = file.asrawfd(); let remotefd = req.addfd(fd).unwrap(); req.returnsyscall(remotefd as i64) } else { unsafe { req.continuesyscall() } } }
fn main() {
envlogger::init();
// Get argv[1..]
let args = std::env::args().skip(1).collect::
Run this with:
```console
RUSTLOG=info cargo run --example openat -- cat /etc/passwd [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/Projects/greenhook/target/debug/deps/glibc-hwcaps/x86-64-v3/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/Projects/greenhook/target/debug/deps/glibc-hwcaps/x86-64-v2/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/Projects/greenhook/target/debug/deps/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/Projects/greenhook/target/debug/glibc-hwcaps/x86-64-v3/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/Projects/greenhook/target/debug/glibc-hwcaps/x86-64-v2/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/Projects/greenhook/target/debug/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/.rustup/toolchains/stable-x8664-unknown-linux-gnu/lib/rustlib/x8664-unknown-linux-gnu/lib/glibc-hwcaps/x86-64-v3/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/.rustup/toolchains/stable-x8664-unknown-linux-gnu/lib/rustlib/x8664-unknown-linux-gnu/lib/glibc-hwcaps/x86-64-v2/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/.rustup/toolchains/stable-x8664-unknown-linux-gnu/lib/rustlib/x8664-unknown-linux-gnu/lib/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/.rustup/toolchains/stable-x8664-unknown-linux-gnu/lib/glibc-hwcaps/x86-64-v3/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/.rustup/toolchains/stable-x8664-unknown-linux-gnu/lib/glibc-hwcaps/x86-64-v2/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/home/taoky/.rustup/toolchains/stable-x8664-unknown-linux-gnu/lib/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/etc/ld.so.cache" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/usr/lib/libc.so.6" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/usr/lib/locale/locale-archive" [2023-05-27T14:39:57Z INFO openat] open (path CStr): "/etc/passwd"
Generated by NetworkManager
... ```
See examples/binder.rs for a more complicated example. It resembles the logic of https://github.com/pdlan/binder in Rust.
continue_syscall can be dangerous (thus it is marked as unsafe here).seccomp_unotify(2).