Hikari linux kernel patch


1. Overview
2. Download
3. Features
4. Userland tool
5. Userland configuration
---5.1. File flags
---5.2. Process flags
---5.3. Process' ACL file flags
---5.4. Configuration examples
6. Author

1. Overview

Hikari is a kernel patch providing a basic ACL system that allows global and per-process access restrictions on files and directories. It also implements some grsecurity-style features, such as /dev/*mem and /dev/port protection, stopping module loading, and dmesg protection.

2. Download

Patch file and userland tool are located here.

3. Features

4. Userland tool

The Hikari features are controlled with the userland tool hikarictl. After the first installation of Hikari (that is, while the file /etc/hikari/pw does not exist), you have to set the sysadmin password with hikarictl --setpw. You can then authenticate yourself with hikarictl --auth. Once authenticated, you have sysadmin privileges, which allow you to use the other hikarictl commands and to bypass file restrictions.

Once you have set the password and authenticated yourself, you can start configuring the ACL by editing /etc/hikari/hikari_acl (see below). When you're done editing, use hikarictl --loadacl to load the ACL file into the kernel.

On subsequent reboots, use hikarictl --enable, which loads the saved password as well as the ACL file into the kernel.

For more information about hikarictl commands, see hikarictl --help.

5. Userland configuration

The main configuration file is /etc/hikari/hikari_acl. Each line contains an access definition for a file or a process.

5.1. File flags

5.2. Process flags

5.3. Process' ACL file flags

5.4. Configuration examples

Here are some configuration examples:

# Deny recursive read/write access to /boot directory
/boot RWP

# Deny execution of passwd
/bin/passwd X

# Completely hides /etc/hikari directory
/etc/hikari RWHP

# Deny write access to root .bashrc file
/root/.bashrc W

# Deny write to and execution of emerge (we have to specify the full path
# of the emerge script, not the /usr/bin/emerge symlink)
/usr/lib/portage/bin/emerge WX

# Deny read/write access to id_rsa
/home/foo/.ssh/id_rsa RW

# Allow ssh processes to read id_rsa
P:/usr/bin/ssh {
  /home/foo/.ssh/id_rsa r
}

# Give full privileges to bash on execution, allowing it to access to all
# protected files (DON'T DO THIS AT HOME !)
P:/bin/bash S

# Same as previous, but prevent privilege inheritance by child processes
P:/bin/bash SN

# Deny read/write access to .vlockrc
/home/foo/.vlockrc RW

# Prevent vlock from being killed by a non-sysadmin process, and allow it to read .vlockrc
P:/usr/bin/vlock K {
  /home/foo/.vlockrc r
}
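The access model these examples imply, as an added illustration that is not part of the Hikari patch or of hikarictl: a small Python evaluator that parses this hikari_acl format and answers whether a non-sysadmin process may access a path. Because sections 5.1 to 5.3 are empty here, the flag meanings (R/W/X deny read/write/execute, H hide, P recursive, S full privileges, lowercase flag inside a process block re-allows that access) are inferred from the comments above and are assumptions.

```python
# Minimal evaluator for the hikari_acl format shown above (added example, not
# Hikari's own code).  Flag semantics are ASSUMED from the sample comments:
# R/W/X deny read/write/execute, H hides the path, P makes the rule recursive,
# S gives a process full privileges, and a lowercase flag inside a
# "P:<exe> { ... }" block re-allows that access for that process only.
import re

def parse_acl(text):
    """Return (file_rules, proc_rules): path -> flags, exe -> [flags, {path: allow}]."""
    files, procs, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blank lines
        if not line:
            continue
        if line == "}":                            # end of a per-process block
            current = None
        elif current is not None:                  # entry inside a process block
            path, flags = line.split()
            procs[current][1][path] = flags
        elif line.startswith("P:"):                # process definition
            exe, pflags, brace = re.match(r"^P:(\S+)\s*(\w*)\s*(\{)?$", line).groups()
            procs.setdefault(exe, ["", {}])[0] += pflags
            current = exe if brace else None
        else:                                      # global file rule
            path, flags = line.split()
            files[path] = files.get(path, "") + flags
    return files, procs

def is_denied(files, procs, exe, path, op):
    """op is 'r', 'w' or 'x'; True means the access would be blocked for a non-sysadmin."""
    pflags, allows = procs.get(exe, ("", {}))
    if "S" in pflags or op in allows.get(path, ""):
        return False                               # privileged process or explicit allow
    for rule_path, flags in files.items():
        recursive = "P" in flags and path.startswith(rule_path.rstrip("/") + "/")
        if (path == rule_path or recursive) and (op.upper() in flags or "H" in flags):
            return True
    return False

# Constructed sample, a subset of the examples in section 5.4 (braces closed).
SAMPLE_ACL = """\
/boot RWP
/bin/passwd X
/home/foo/.ssh/id_rsa RW
P:/usr/bin/ssh {
  /home/foo/.ssh/id_rsa r
}
P:/bin/bash S
"""
```

Note that the recursive match requires a path separator after the rule path, so a rule on /boot does not cover a sibling such as /bootx.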

6. Author

Hikari is written by target0 (target0@geeknode.org).
Please note that I've written this kernel patch for my own entertainment and knowledge improvement. You should not consider using it in a production environment. If you disregard this note, you do so at your own risk.

Special thanks to roidelapluie for using and testing hikari since the first version (and testing its security after 25 beers).