static char about[] = "spfx v2.1b by Justin Lesarge (nijen@mail.ru)\n";

/* note: this software is untested and may be unstable or unsafe.
 * The author makes no guarantee of it's stability or effectiveness.
 *
 *   USE AT YOUR OWN RISK!
 *
 * spfx2 increases security by limiting the use of key system calls
 * to library functions.  Although spfx2 does not prevent buffer-overflow
 * related crashes, it does make it very difficult to break security with
 * with a buffer-overflow attack, preventing most root compromises.
 * 
 * this code may be freely distributed and modified, so long as credit
 * to the original author (Justin Lesarge) is left in tact.
 * 
 * to load this module, use:
     cc -O0 -c spfx2.c -o ./spfx2.o
     insmod ./spfx2.o
 * to silence dmesg logging of rejected system calls, compile with -DNO_KMSG
 * for more stability, compile with -DSAFE
 *   SAFE includes: filtering less calls and less thorough address checks
 * to terminate the source of blocked calls (recommended), compile with -DKILL
 * example with all extra options enabled:
     cc -O0 -DNO_KMSG -DSAFE -DKILL -c spfx2.c -o ./spfx2.o
 */

#define MODULE 1
#define __KERNEL__ 1

#include <linux/module.h>
#include <linux/sys.h>
#include <linux/sched.h>
#include <asm/unistd.h>
#include <asm/ptrace.h>
#include <asm/uaccess.h>

extern void *sys_call_table[];
static void *old_call_table[NR_syscalls];

#ifndef LIB_AND
# define LIB_AND 0xC0000000
#endif
#ifndef LIB_EQU
# define LIB_EQU 0x40000000
#endif
#ifndef EXE_AND
# define EXE_AND 0xC0000000
#endif
#ifndef EXE_EQU
# define EXE_EQU 0x00000000
#endif

int check_call(int nr,int i0,int i1) {
   int i[2] = {i0,i1};
   
   if ((i[1]&LIB_AND)==LIB_EQU) do {
#ifndef SAFE
      int n = 1024;
      do {
	 if (!n--) break;
	 if (copy_from_user(&i,(void *)i[0],sizeof(i))) break;
      } while ((i[1]&LIB_AND)==LIB_EQU);
      if ((i[1]&EXE_AND)!=EXE_EQU) break;
#endif
      return(0);
   } while(0);
#ifndef NO_KMSG
   printk("spfx2: syscall #%d requested from invalid source (%08lx).\n"
	  "       process=%d (%s), uid=%d, gid=%d"
# ifdef KILL
	  " -- terminating"
# endif
	  ".\n",nr,i[1],current->pid,current->comm,current->uid,current->gid);
#endif
   return(-1);
}

static int (__handler__) (struct pt_regs r) {
   __asm__ __volatile__ ("pushf;pusha;");
   if (check_call(r.orig_eax,r.ebp,r.eip)) {
      __asm__ __volatile__ ("popa;popf;");
#ifdef KILL
      __asm__ __volatile__ ("popl %%ebp;movl %0,%%eax;jmp *old_call_table(,%%eax,4);"::"i"(__NR_exit));
#endif
      return(-1);
   }   
   __asm__ __volatile__ ("popa;popf;popl %ebp;jmp *old_call_table(,%eax,4);");
}

int init_module()
{
   int n;
   
   for(n=0;n<NR_syscalls;n++) old_call_table[n]=sys_call_table[n];
#ifndef SAFE
   sys_call_table[__NR_fork]=__handler__;
   sys_call_table[__NR_nice]=__handler__;
   sys_call_table[__NR_uselib]=__handler__;
   sys_call_table[__NR_socketcall]=__handler__;
   sys_call_table[__NR_clone]=__handler__;
   sys_call_table[__NR_vfork]=__handler__;
#endif
   sys_call_table[__NR_open]=__handler__;
   sys_call_table[__NR_creat]=__handler__;
   sys_call_table[__NR_link]=__handler__;
   sys_call_table[__NR_unlink]=__handler__;
   sys_call_table[__NR_execve]=__handler__;
   sys_call_table[__NR_mknod]=__handler__;
   sys_call_table[__NR_chmod]=__handler__;
   sys_call_table[__NR_lchown]=__handler__;
   sys_call_table[__NR_mount]=__handler__;
   sys_call_table[__NR_umount]=__handler__;
   sys_call_table[__NR_kill]=__handler__;
   sys_call_table[__NR_rename]=__handler__;
   sys_call_table[__NR_mkdir]=__handler__;
   sys_call_table[__NR_rmdir]=__handler__;
   sys_call_table[__NR_umount2]=__handler__;
   sys_call_table[__NR_sethostname]=__handler__;
   sys_call_table[__NR_settimeofday]=__handler__;
   sys_call_table[__NR_symlink]=__handler__;
   sys_call_table[__NR_swapon]=__handler__;
   sys_call_table[__NR_reboot]=__handler__;
   sys_call_table[__NR_truncate]=__handler__;
   sys_call_table[__NR_ioperm]=__handler__;
   sys_call_table[__NR_iopl]=__handler__;
   sys_call_table[__NR_swapoff]=__handler__;
   sys_call_table[__NR_setdomainname]=__handler__;
   sys_call_table[__NR_modify_ldt]=__handler__;
   sys_call_table[__NR_adjtimex]=__handler__;
   sys_call_table[__NR_quotactl]=__handler__;
   sys_call_table[__NR_bdflush]=__handler__;
   sys_call_table[__NR__sysctl]=__handler__;
   sys_call_table[__NR_vm86]=__handler__;
   sys_call_table[__NR_prctl]=__handler__;
   sys_call_table[__NR_chown]=__handler__;
   sys_call_table[__NR_truncate64]=__handler__;
   sys_call_table[__NR_lchown32]=__handler__;
   sys_call_table[__NR_chown32]=__handler__;   
   printk(about);
   return(0);
}

void cleanup_module()
{
   int n;
   
   for(n=0;n<NR_syscalls;n++) sys_call_table[n]=old_call_table[n];
}