
Linux capabilities fixes #984

Merged

Conversation

gcmoreira
Contributor

Several fixes:

  • The capabilities array was meant to be a 64-bit bitwise value.
  • The capabilities set has to be tested against the kernel maximum value. We can't use the plugin capabilities set; otherwise, when the plugin's list of capabilities has more elements than the kernel being analyzed, we will have wrong interpretations when we try to compress the list of capabilities to "all".
  • Supports kernels >= 6.3. They changed the kernel_cap_struct::cap type again to a u64 type.

* The capabilities array was to have a 64bit bitwise.
* Capabilities set has to be tested with the kernel maximum. We can't use the plugin capabilities set, otherwise we can have wrong interpretations when we tried to compress the list of capabilities to "all"
* Supports kernels >= 6.3. They changed the kernel_cap_struct::cap type again to a u64 type.
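An added illustration of the two points in the description (one 64-bit mask assembled from the cap words, and the "all" test done against the kernel's own maximum), written for this page rather than taken from the Volatility 3 plugin; `CAP_NAMES`, `cap_words_to_mask`, `decode_caps` and the `kernel_last_cap` parameter are assumed names, and the sample values are constructed.

```python
# Added example, not Volatility's own code: decode a Linux kernel_cap_struct
# capability set as the PR description requires. CAP_NAMES follows the order
# in include/uapi/linux/capability.h; kernel_last_cap is assumed to be read
# from the analysed kernel's symbols, never from the plugin's own list.

CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]


def cap_words_to_mask(cap):
    """Pre-6.3: cap is an array of u32 words (low word first); 6.3+: one u64."""
    if isinstance(cap, int):
        return cap & 0xFFFFFFFFFFFFFFFF
    mask = 0
    for index, word in enumerate(cap):
        mask |= (word & 0xFFFFFFFF) << (32 * index)
    return mask


def decode_caps(mask, kernel_last_cap):
    """Names of the set capabilities, or ["all"] when bits 0..kernel_last_cap
    are all set. Testing against a longer plugin list would never match."""
    full = (1 << (kernel_last_cap + 1)) - 1
    if mask & full == full:
        return ["all"]
    names = []
    for bit in range(kernel_last_cap + 1):
        if mask & (1 << bit):
            # A kernel newer than our table gets a numeric name instead of an error
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
    return names


if __name__ == "__main__":
    # Constructed sample: a pre-6.3 u32[2] array holding all 38 capabilities
    # of a kernel whose last capability is 37 (audit_read).
    mask = cap_words_to_mask([0xFFFFFFFF, 0x3F])
    print(decode_caps(mask, 37))  # kernel maximum: ['all']
    print(decode_caps(mask, 40))  # longer plugin list: "all" is lost
```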
@gcmoreira
Contributor Author

@ikelos Regarding kernel >= 6.3 support, I couldn't test this properly. It should work, but there is no Linux distribution with kernel 6.3 yet, so there is no standard .ddeb package to generate the profile. Mainline has the stripped kernel but not the .ddeb.
I compiled a kernel 6.3 from scratch with debug symbols, but for some reason vol3 doesn't like it. I'm still not sure if it's the profile I created or if the 6.3 kernel has other changes that make it fail. I plan to look into it further to see why it's failing, but it may take some time. In the meantime, I think it's safe to merge these changes, and I will create another PR in the future if I find any issues with it.

Member

@ikelos ikelos left a comment


Looks good, thanks!

@ikelos ikelos merged commit 6f71781 into volatilityfoundation:develop Jul 20, 2023
@ikelos
Member

ikelos commented Jul 20, 2023

So we've got #985, which might be a 6.3 kernel issue. Their symbol table doesn't contain a kernel_cap_struct, which, because it's not marked as optional, is throwing off any Linux analysis. It turns out it wasn't showing any errors until the full -vvvvvvv was turned on, so that might be your issue with vol3 still not liking it? Anyway, hopefully you can take a look, and please shout if I can help at all. 5:)
