Re: Some feedback on the hooks

From: Stephen Smalley (sdsat_private)
Date: Fri May 18 2001 - 13:48:28 PDT


    The attached patch defines and inserts calls to an inode stat
    hook to allow security modules to control access to file
    status information on a per-file basis rather than merely
    requiring search access to the directory.  This patch is
    relative to the superblock alloc/free/statfs patch that 
    I just sent a little while ago.  This patch also defines
    trivial hook functions for both the statfs and stat
    hooks for the dummy security operations and the capability
    plug (an oversight in my previous patch for statfs).
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    
    Index: include/linux/security.h
    ===================================================================
    RCS file: /cvs/lsm/lsm/include/linux/security.h,v
    retrieving revision 1.3
    retrieving revision 1.4
    diff -u -r1.3 -r1.4
    --- include/linux/security.h	2001/05/18 19:23:21	1.3
    +++ include/linux/security.h	2001/05/18 20:31:16	1.4
    @@ -68,6 +68,7 @@
     	int (* revalidate)	(struct dentry *dentry);
     	int (* setattr)		(struct dentry *dentry, struct iattr *attr); // CAP_CHOWN
     	void (* attach_pathlabel)(struct dentry *dentry, struct vfsmount *mnt);	// DTE project needs this
    +	int (* stat)		        (struct inode *inode);
     };
     
     struct file_security_ops {
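Review bot: The new `stat` hook takes only a `struct inode *`, whereas the neighbouring `revalidate`, `setattr` and `attach_pathlabel` entries receive a `struct dentry *` (and `attach_pathlabel` a `struct vfsmount *` too), so a module cannot tie a stat decision to the path or mount the file was reached through; if that is deliberate it deserves a word, otherwise passing the dentry would match the rest of the table. The entry also lacks the trailing comment its neighbours carry; `// called before inode attributes are copied to userspace; nonzero return aborts the stat` would record the contract the fs/stat.c callers establish. The enclosing `struct inode_security_ops` begins outside the hunk.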
    Index: fs/stat.c
    ===================================================================
    RCS file: /cvs/lsm/lsm/fs/stat.c,v
    retrieving revision 1.2
    retrieving revision 1.3
    diff -u -r1.2 -r1.3
    --- fs/stat.c	2001/05/09 20:19:19	1.2
    +++ fs/stat.c	2001/05/18 20:31:16	1.3
    @@ -42,7 +42,12 @@
     {
     	static int warncount = 5;
     	struct __old_kernel_stat tmp;
    +	int retval;
     
    +	retval = security_ops->inode_ops->stat(inode);
    +	if (retval)
    +		return retval;
    +
     	if (warncount > 0) {
     		warncount--;
     		printk(KERN_WARNING "VFS: Warning: %s using old stat() call. Recompile your binary.\n",
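Review bot: The identical three-line check `retval = security_ops->inode_ops->stat(inode); if (retval) return retval;` is pasted into all three copy helpers of this file (this hunk and the ones at +81 and +293), so any later change to the hook's calling convention has to be repeated in three places; a single `static inline int security_inode_stat(struct inode *inode)` wrapper would keep each call site to one line and give a place to document that a nonzero result is propagated unchanged as the syscall's return value. Placing the check in the copy-out helpers means it gates only the disclosure of the attributes, after the lookup has already succeeded, which seems to be the intent stated in the description. The enclosing functions start before each hunk, so only the opening brace is visible here.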
    @@ -76,6 +81,11 @@
     {
     	struct stat tmp;
     	unsigned int blocks, indirect;
    +	int retval;
    +
    +	retval = security_ops->inode_ops->stat(inode);
    +	if (retval)
    +		return retval;
     
     	memset(&tmp, 0, sizeof(tmp));
     	tmp.st_dev = kdev_t_to_nr(inode->i_dev);
    @@ -283,6 +293,11 @@
     {
     	struct stat64 tmp;
     	unsigned int blocks, indirect;
    +	int retval;
    +
    +	retval = security_ops->inode_ops->stat(inode);
    +	if (retval)
    +		return retval;
     
     	memset(&tmp, 0, sizeof(tmp));
     	tmp.st_dev = kdev_t_to_nr(inode->i_dev);
    Index: kernel/capability_plug.c
    ===================================================================
    RCS file: /cvs/lsm/lsm/kernel/capability_plug.c,v
    retrieving revision 1.2
    retrieving revision 1.3
    diff -u -r1.2 -r1.3
    --- kernel/capability_plug.c	2001/05/11 14:17:11	1.2
    +++ kernel/capability_plug.c	2001/05/18 20:31:16	1.3
    @@ -239,6 +239,10 @@
     {
     	return;
     }
    +static int cap_sb_statfs(struct super_block *sb)
    +{
    +	return 0;
    +}
     
     /* inode security operations */
     static int cap_inode_alloc_security(struct inode *inode)
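Review bot: `cap_sb_statfs` is inserted directly after the closing brace of the previous function with no separating blank line, unlike every other definition visible in this file, while `cap_inode_stat` in the hunk at +337 is followed by two blank lines; one blank line on each side of both stubs would match the surrounding layout. Both stubs return 0 silently; a one-line `/* no capability governs stat/statfs; always permit */` would tell a reader the unconditional allow is intentional rather than unfinished.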
    @@ -333,6 +337,11 @@
     {
     	return;
     }
    +static int cap_inode_stat(struct inode *inode)
    +{
    +	return 0;
    +}
    +
     
     /* file security operations */
     static int cap_file_permission(struct file *file, int mask)
    @@ -507,6 +516,7 @@
     static struct super_block_security_ops cap_sb_ops = {
     	alloc_security:	cap_sb_alloc_security,
     	free_security:	cap_sb_free_security,
    +	statfs:	        cap_sb_statfs,
     };
     static struct inode_security_ops cap_inode_ops = {
     	alloc_security:	cap_inode_alloc_security,
    @@ -532,6 +542,7 @@
     	revalidate:	cap_inode_revalidate,
     	setattr:	cap_inode_setattr,
     	attach_pathlabel:cap_inode_attach_pathlabel,
    +	stat:           cap_inode_stat,
     };
     
     static struct file_security_ops	cap_file_ops = {
    Index: kernel/security.c
    ===================================================================
    RCS file: /cvs/lsm/lsm/kernel/security.c,v
    retrieving revision 1.2
    retrieving revision 1.3
    diff -u -r1.2 -r1.3
    --- kernel/security.c	2001/05/11 14:17:11	1.2
    +++ kernel/security.c	2001/05/18 20:31:16	1.3
    @@ -55,6 +55,7 @@
     
     static int dummy_sb_alloc_security(struct super_block *sb)	{return 0;}
     static void dummy_sb_free_security	(struct super_block *sb)		{return;}
    +static int dummy_sb_statfs	(struct super_block *sb)		{return 0;}
     static int dummy_inode_alloc_security	(struct inode *inode)	{return 0;}
     static void dummy_inode_free_security	(struct inode *inode)	{return;}
     static int dummy_inode_create		(struct inode *inode, struct dentry *dentry, int mask) {return 0;}
    @@ -78,6 +79,7 @@
     static int dummy_inode_revalidate	(struct dentry *inode) {return 0;}
     static int dummy_inode_setattr		(struct dentry *dentry, struct iattr *iattr) {return 0;}
     static void dummy_inode_attach_pathlabel(struct dentry *dentry, struct vfsmount *mnt) {return;}
    +static int dummy_inode_stat(struct inode *inode) {return 0;}
     
     static int dummy_file_permission	(struct file *file, int mask)	{return 0;}
     static int dummy_file_alloc_security	(struct file *file)	{return 0;}
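Review bot: The new `dummy_inode_stat` line drops the tab-separated column layout its neighbours use (name, tab-padded parameter list, tab, body), so the prototype and body columns no longer line up in this table of stubs; padding it the same way as `dummy_inode_setattr` on the line above would keep the table readable. The same mixed tab/space padding appears in the initializer entries `statfs:` and `stat:` in the later hunks of this file and in kernel/capability_plug.c, where the existing entries use a single tab.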
    @@ -128,6 +130,7 @@
     static struct super_block_security_ops dummy_sb_ops = {
     	alloc_security:	dummy_sb_alloc_security,
     	free_security:	dummy_sb_free_security,
    +	statfs:	        dummy_sb_statfs,
     };
     static struct inode_security_ops dummy_inode_ops = {
     	alloc_security:	dummy_inode_alloc_security,
    @@ -153,6 +156,7 @@
     	revalidate:	dummy_inode_revalidate,
     	setattr:	dummy_inode_setattr,
     	attach_pathlabel:dummy_inode_attach_pathlabel,
    +	stat:           dummy_inode_stat,
     };
     
     static struct file_security_ops	dummy_file_ops = {
    
    


