
basic-core-handler

Basic Linux coredump handler to process coredump data right away git clone https://anongit.hacktivis.me/git/basic-core-handler.git
commit: 969d655f57bd604fd6df183d94f41d2d5bc7a122
Author: Haelwenn (lanodan) Monnier <contact@hacktivis.me>
Date:   Fri, 30 May 2025 21:11:20 +0200

init

Diffstat:

ALICENSES/MIT.txt18++++++++++++++++++
AREADME.md27+++++++++++++++++++++++++++
Acore-handler66++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
3 files changed, 111 insertions(+), 0 deletions(-)

diff --git a/LICENSES/MIT.txt b/LICENSES/MIT.txt
@@ -0,0 +1,18 @@
+MIT License
+
+Copyright (c) <year> <copyright holders>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy of this software and
+associated documentation files (the "Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the
+following conditions:
+
+The above copyright notice and this permission notice shall be included in all copies or substantial
+portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT
+LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO
+EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
+USE OR OTHER DEALINGS IN THE SOFTWARE.
diff --git a/README.md b/README.md
@@ -0,0 +1,27 @@
+# basic-core-handler
+
+To install dump it into a root-controlled directory where executables can be launched,
+say `/usr/local/bin/` and set it as the coredump handler via the `kernel.core_pattern` setting in `/etc/sysctl.conf` like so:
+```
+kernel.core_pattern = |/usr/local/bin/core-handler %P %u %g %s %t %c %e %E
+```
+
+It will then create the following files in `/var/crash`, prefixed by the crash timestamp, pid, uid, command:
+ * `*.core`: Coredump, as given by kernel on stdin
+ * `*.info`: Textual dump of information given by kernel as arguments
+ * `*.backtrace.txt`: lldb(1) generated coredump information, mainly the backtrace but also some other related information
+
+## Dependencies
+ * POSIX Shell & Utilities
+ * applyuidgid(1) provider, such as daemontools, daemontools-encore or s6
+ * lldb(1) from LLVM
+
+## Security
+ * `/var/crash` is verified to be root-controlled before creating any files in it
+ * No information about the process is extracted from `/proc` or equivalent (hardening against attacker killing the crashed process)
+
+---
+```
+Copyright © 2024 Haelwenn (lanodan) Monnier <contact+core-handler@hacktivis.me>
+SPDX-License-Identifier: MIT
+```
diff --git a/core-handler b/core-handler
@@ -0,0 +1,66 @@
+#!/bin/sh
+# Copyright © 2024 Haelwenn (lanodan) Monnier <contact+core-handler@hacktivis.me>
+# SPDX-License-Identifier: MIT
+
+applyuidgid=$(command -v applyuidgid 2>/dev/null || echo s6-applyuidgid)
+
+# kernel.core_pattern = |/usr/local/bin/core-handler %P %u %g %s %t %c %e %E
+grep -q "$0"' %P %u %g %s %t %c %e %E$' /proc/sys/kernel/core_pattern || exit 1
+
+pid="$1"; shift
+uid="$1"; shift
+gid="$1"; shift
+signum="$1"; shift
+epoch="$1"; shift
+core_limit="$1"; shift
+comm="$1"; shift
+full_path="$1"; shift
+
+destdir="/var/crash/"
+dest="${destdir}/${epoch}-${pid}-${uid}-${comm}"
+
+umask u=r,og=
+
+# Using this script, /var/crash should be "0755/drwxr-xr-x root root"
+# Let's make sure it both exists and is safe before writing anything
+mkdir -m 0755 -p "${destdir}"
+chown 0:0 "${destdir}"
+chmod 0755 "${destdir}"
+
+cat - >"${dest}.core"
+chown -- "${uid}:${gid}" "${dest}.core"
+sync -d "${dest}.core"
+
+{
+ printf 'pid: %s\n' "$pid"
+ printf 'uid: %s\n' "$uid"
+ printf 'gid: %s\n' "$gid"
+ printf 'signum: %s\n' "$signum"
+ printf 'epoch: %s\n' "$epoch"
+ printf 'core_limit: %s\n' "$core_limit"
+ printf 'comm: %s\n' "$comm"
+ printf 'full_path: %s\n' "${full_path}" | tr '!' '/'
+} > "${dest}.info"
+chown -- "${uid}:${gid}" "${dest}.info"
+sync -d "${dest}.info"
+
+# Extract the following from a coredump with LLDB:
+# - backtrace, all threads
+# - current frame for readability
+# - global and frame-local variables
+# - registers
+# - dissasembly of current frame (with mixed source code when available)
+nice -n 20 -- "${applyuidgid?}" -u "$uid" -g "$gid" -G '' lldb \
+ --core "${dest}.core" \
+ -b \
+ -o 'bt all' \
+ -o 'f' \
+ -o 'v -A -g -P2 -c -s' \
+ -o 'register read' \
+ -o 'di -m' \
+ -o 'quit' \
+ >"${dest}.backtrace.txt" 2>&1
+# -o "session save \"${dest}.backtrace.txt\""
+
+chown -- "${uid}:${gid}" "${dest}.backtrace.txt"
+sync -d "${dest}.backtrace.txt"
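Review bot: The three `chown -- "${uid}:${gid}"` calls hand the core, the `.info` file and the lldb output to the crashing process's real uid/gid without looking at the dump mode; if `fs.suid_dumpable` is 2 the kernel still pipes cores of set-uid/set-gid processes to this handler, with `%u`/`%g` being the unprivileged real ids, so memory of a privileged process would end up readable by that user. The core_pattern template provides `%d` (the `PR_GET_DUMPABLE` value) for exactly this case: append it to the pattern, read it with `dumpable="$1"; shift` after `full_path`, and skip the chown unless it equals 1 so such dumps stay root-owned 0400 under the `umask u=r,og=`. Separately, `core_limit` (`%c`) is written to `.info` but never honoured, and the kernel does not apply RLIMIT_CORE itself to piped dumps (which is why `%c` exists), so a process with `ulimit -c 0` is still dumped and `cat - >"${dest}.core"` accepts unbounded input into `/var/crash`; at minimum `[ "$core_limit" -ne 0 ] || exit 0` before reading stdin, and ideally a size cap on the read. The self-check on the `grep -q "$0"'…'` line treats `$0` as a basic regex and does not pin the leading `|`; `grep -qxF -- "|$0 %P %u %g %s %t %c %e %E" /proc/sys/kernel/core_pattern || exit 1` matches the documented setting exactly. Lastly, the `mkdir`/`chown 0:0`/`chmod 0755` sequence forces ownership of `${destdir}` rather than verifying it as the README states, and it follows a pre-existing symlink at that path, so a `[ ! -L "${destdir%/}" ]` check (and refusing rather than chowning when the directory exists with the wrong owner) would make the code match the documented guarantee.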