The attached patch defines and inserts calls to an inode stat hook to allow security modules to control access to file status information on a per-file basis rather than merely requiring search access to the directory. This patch is relative to the superblock alloc/free/statfs patch that I just sent a little while ago. This patch also defines trivial hook functions for both the statfs and stat hooks for the dummy security operations and the capability plug (an oversight in my previous patch for statfs). -- Stephen D. Smalley, NAI Labs ssmalleyat_private
Index: include/linux/security.h
===================================================================
RCS file: /cvs/lsm/lsm/include/linux/security.h,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- include/linux/security.h 2001/05/18 19:23:21 1.3
+++ include/linux/security.h 2001/05/18 20:31:16 1.4
@@ -68,6 +68,7 @@
 int (* revalidate) (struct dentry *dentry);
 int (* setattr) (struct dentry *dentry, struct iattr *attr); // CAP_CHOWN
 void (* attach_pathlabel)(struct dentry *dentry, struct vfsmount *mnt); // DTE project needs this
+ int (* stat) (struct inode *inode);
 };
 struct file_security_ops {
Index: fs/stat.c
===================================================================
RCS file: /cvs/lsm/lsm/fs/stat.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- fs/stat.c 2001/05/09 20:19:19 1.2
+++ fs/stat.c 2001/05/18 20:31:16 1.3
@@ -42,7 +42,12 @@
 {
 static int warncount = 5;
 struct __old_kernel_stat tmp;
+ int retval;
+ retval = security_ops->inode_ops->stat(inode);
+ if (retval)
+ return retval;
+
 if (warncount > 0) {
 warncount--;
 printk(KERN_WARNING "VFS: Warning: %s using old stat() call. Recompile your binary.\n",
@@ -76,6 +81,11 @@
 {
 struct stat tmp;
 unsigned int blocks, indirect;
+ int retval;
+
+ retval = security_ops->inode_ops->stat(inode);
+ if (retval)
+ return retval;
 memset(&tmp, 0, sizeof(tmp));
 tmp.st_dev = kdev_t_to_nr(inode->i_dev);
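Review bot: The new `stat` member is the only entry in this stretch of inode_security_ops without a comment, while its neighbours carry `// CAP_CHOWN` and `// DTE project needs this`, and nothing states what a module is expected to return. From the fs/stat.c hunks the contract is: called with the inode whose attributes are about to be copied out, 0 permits, and any nonzero value aborts the copy and is returned to the caller unchanged, so I would write `int (* stat) (struct inode *inode); // called before stat results are copied out; nonzero aborts and is returned to the caller`. Note also that this hook takes only the inode, whereas the adjacent `setattr` and `attach_pathlabel` hooks receive a dentry; a module that labels by path (the `attach_pathlabel` comment suggests such users exist) cannot tell from the inode alone which name the status request came through, which may or may not be acceptable for "per-file" control. The struct definition begins before this hunk.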
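Review bot: The check is placed inside the copy-out helpers, i.e. after the caller has already resolved the inode (the callers are outside these hunks), so a module returning an error here withholds the attributes but cannot conceal that the file exists, and the error it produces is distinguishable from ENOENT; the same placement is used in the `struct stat tmp` hunk at @@ -76 and in the `struct stat64 tmp` hunk at @@ -283 on the following line. That limit deserves a comment at the first call so policy authors do not read "per-file control of status information" as hiding files, e.g. `/* LSM stat hook: runs after lookup, so it can deny the attributes but not hide existence */`. In the `__old_kernel_stat` path the hook result is returned before the `warncount` block, so a denied legacy stat() is not counted against the deprecation-warning budget; if that is intended a one-line comment would prevent it being "fixed" later. Each of the three functions starts and ends outside its hunk.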
@@ -283,6 +293,11 @@
 {
 struct stat64 tmp;
 unsigned int blocks, indirect;
+ int retval;
+
+ retval = security_ops->inode_ops->stat(inode);
+ if (retval)
+ return retval;
 memset(&tmp, 0, sizeof(tmp));
 tmp.st_dev = kdev_t_to_nr(inode->i_dev);
Index: kernel/capability_plug.c
===================================================================
RCS file: /cvs/lsm/lsm/kernel/capability_plug.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- kernel/capability_plug.c 2001/05/11 14:17:11 1.2
+++ kernel/capability_plug.c 2001/05/18 20:31:16 1.3
@@ -239,6 +239,10 @@
 {
 return;
 }
+static int cap_sb_statfs(struct super_block *sb)
+{
+ return 0;
+}
 /* inode security operations */
 static int cap_inode_alloc_security(struct inode *inode)
@@ -333,6 +337,11 @@
 {
 return;
 }
+static int cap_inode_stat(struct inode *inode)
+{
+ return 0;
+}
+
 /* file security operations */
 static int cap_file_permission(struct file *file, int mask)
@@ -507,6 +516,7 @@
 static struct super_block_security_ops cap_sb_ops = {
 alloc_security: cap_sb_alloc_security,
 free_security: cap_sb_free_security,
+ statfs: cap_sb_statfs,
 };
 static struct inode_security_ops cap_inode_ops = {
 alloc_security: cap_inode_alloc_security,
@@ -532,6 +542,7 @@
 revalidate: cap_inode_revalidate,
 setattr: cap_inode_setattr,
 attach_pathlabel:cap_inode_attach_pathlabel,
+ stat: cap_inode_stat,
 };
 static struct file_security_ops cap_file_ops = {
Index: kernel/security.c
===================================================================
RCS file: /cvs/lsm/lsm/kernel/security.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- kernel/security.c 2001/05/11 14:17:11 1.2
+++ kernel/security.c 2001/05/18 20:31:16 1.3
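Review bot: In the @@ -239 hunk `cap_sb_statfs` is inserted immediately after the closing brace of the preceding function, and the hunk's trailing context (a blank line, the `/* inode security operations */` comment, the next definition) leaves no blank line before the new definition; the @@ -333 hunk does the same for `cap_inode_stat` but then adds its own empty `+` line, so that function ends up with no blank above and two below. Moving the blank to the top of each insertion, i.e. a bare `+` before `+static int cap_sb_statfs(struct super_block *sb)` and before `+static int cap_inode_stat(struct inode *inode)`, and dropping the trailing one, keeps the file's one-blank-line-between-functions layout. Both stubs unconditionally return 0; a comment such as `/* no capability applies to status queries; always permit */` above each would make that explicit for readers comparing against the hooks in this file that do check capabilities. The table hunks at @@ -507 and @@ -532 are fine as they are.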
@@ -55,6 +55,7 @@
 static int dummy_sb_alloc_security(struct super_block *sb) {return 0;}
 static void dummy_sb_free_security (struct super_block *sb) {return;}
+static int dummy_sb_statfs (struct super_block *sb) {return 0;}
 static int dummy_inode_alloc_security (struct inode *inode) {return 0;}
 static void dummy_inode_free_security (struct inode *inode) {return;}
 static int dummy_inode_create (struct inode *inode, struct dentry *dentry, int mask) {return 0;}
@@ -78,6 +79,7 @@
 static int dummy_inode_revalidate (struct dentry *inode) {return 0;}
 static int dummy_inode_setattr (struct dentry *dentry, struct iattr *iattr) {return 0;}
 static void dummy_inode_attach_pathlabel(struct dentry *dentry, struct vfsmount *mnt) {return;}
+static int dummy_inode_stat(struct inode *inode) {return 0;}
 static int dummy_file_permission (struct file *file, int mask) {return 0;}
 static int dummy_file_alloc_security (struct file *file) {return 0;}
@@ -128,6 +130,7 @@
 static struct super_block_security_ops dummy_sb_ops = {
 alloc_security: dummy_sb_alloc_security,
 free_security: dummy_sb_free_security,
+ statfs: dummy_sb_statfs,
 };
 static struct inode_security_ops dummy_inode_ops = {
 alloc_security: dummy_inode_alloc_security,
@@ -153,6 +156,7 @@
 revalidate: dummy_inode_revalidate,
 setattr: dummy_inode_setattr,
 attach_pathlabel:dummy_inode_attach_pathlabel,
+ stat: dummy_inode_stat,
 };
 static struct file_security_ops dummy_file_ops = {
_______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module