Environment setup

Dockerfile

/dev files

/dev or device files represents different hardware devices attatched to the computer.

Types of device files

There are 2 types of device files:

  1. Character device: they read data in unbuffered manner, one character at a time example microphone.
  2. Block device: read data in buffered manner, one block at a time from block sizes ranging from 512 bytes, 1KB, 4KB etc.

/proc files

/proc files contains subdirectories for each process running on the system. These direcotires contain important process specific information example fd.

both /dev and /proc are controlled by kernel

Modules

read and write

device_read: kernel entrypoint, used when reading data from hardware device
device_write: kernel entrypoint, used fow writing to hardware device \

ioctl

ioctl: used for controlling/setting input/output control on hardware device. example:

  1. read from camera using device_read.
  2. ioctl is used to define the resolution of camera.

Kernel module

Used for programming interaction between hardware device and software. it :

  1. reads data
  2. writes data
  3. uses ioctl to controlling/setting data
  4. after doing its operation returns to userspace

How does kernel take/return data from/to userland ?

copy_from_user: copy data from the userspace to the kernel.
copy_to_user: copy data from the kernel to the userspace.

Module loading: insmod is used to load a module. (requires root permission)

listing module: lsmod lists loaded modules.

remove module: rmmod unloads a module. (requires root permission)

Random Stuff

reading /proc/kallsyms: see where kernel modules/functions are loaded

Privilege escalation

commit_creds(prepare_kernel_cred(0)): get root !
current->thread_info.flag &= ~(1 << TIF_SECCOMP): escape seccomp
run_cmd(const char* cmd): run command cmd