As threatened, here is a quick patch to remove the {re,}set_label functions. It also adds one more (oh no) attach_pathlabel in af_unix.c, which I hadn't noticed in my code. The patch is against the tree generated using lsm-2001_06_20_2.4.5.patch. -serge ==============================================================================
diff -rU 10 linux/fs/exec.c linux-lsm/fs/exec.c
--- linux/fs/exec.c Thu Jun 28 23:13:32 2001
+++ linux-lsm/fs/exec.c Thu Jun 28 23:10:14 2001
@@ -844,30 +844,27 @@
 bprm.exec = bprm.p;
 retval = copy_strings(bprm.envc, envp, &bprm);
 if (retval < 0)
 goto out;
 retval = copy_strings(bprm.argc, argv, &bprm);
 if (retval < 0)
 goto out;
- retval = security_ops->task_ops->set_label(filename);
 if (retval)
 goto out;
 retval = search_binary_handler(&bprm,regs);
 if (retval >= 0)
 /* execve success */
 return retval;
- else
- security_ops->task_ops->reset_label();
 out:
 /* Something went wrong, return the inode and free the argument pages*/
 allow_write_access(bprm.file);
 if (bprm.file)
 fput(bprm.file);
 for (i = 0 ; i < MAX_ARG_PAGES ; i++) {
 struct page * page = bprm.page[i];
 if (page)
diff -rU 10 linux/include/linux/security.h linux-lsm/include/linux/security.h
--- linux/include/linux/security.h Thu Jun 28 23:13:34 2001
+++ linux-lsm/include/linux/security.h Thu Jun 28 23:10:04 2001
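Review bot: The `if (retval) goto out;` test that followed the removed `set_label(filename)` call in the fs/exec.c hunk is left behind as context, so it now re-tests the result of `copy_strings(bprm.argc, argv, &bprm)`, which the two lines above it already reject when negative. Unless copy_strings can return a positive value (its definition is not visible here), the check is dead code that still reads like a policy decision before `search_binary_handler()`; I would delete those two lines along with the hook call. Nothing visible in this hunk gives a security module a veto or a label transition at exec time any more, so a short comment at that spot saying where that decision is now made would help the next reader. The enclosing function starts and ends outside the hunk.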
@@ -110,24 +110,20 @@
 int (* setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
 int (* post_setuid) (uid_t old_ruid /* or fsuid */, uid_t old_euid, uid_t old_suid, int flags);
 int (* setgid) (gid_t id0, gid_t id1, gid_t id2, int flags);
 int (* setgroups) (int gidsetsize, gid_t *grouplist);
 int (* setnice) (struct task_struct *p, int nice);
 int (* setrlimit) (unsigned int resource, struct rlimit *new_rlim);
 int (* setscheduler) (struct task_struct *p, int policy);
 int (* kill) (struct task_struct *p, struct siginfo *info, int sig);
 int (* wait) (struct task_struct *p);
- /* set and (in case of exec failure) unset security label */
- int (* set_label) (char *filename);
- void (* reset_label) (void);
-
 void (* kmod_set_label) (void);
 };
 struct socket_security_ops { };
 struct module_security_ops {
 int (* create_module) (const char *name_user, size_t size);
 int (* init_module) (const char *name_user, struct module *mod_user);
 int (* delete_module) (const char *name_user);
diff -rU 10 linux/kernel/capability_plug.c linux-lsm/kernel/capability_plug.c
--- linux/kernel/capability_plug.c Thu Jun 28 23:13:34 2001
+++ linux-lsm/kernel/capability_plug.c Thu Jun 28 23:11:47 2001
@@ -279,23 +279,20 @@
 static int cap_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) { return 0; }
 static int cap_task_setgroups(int gidsetsize, gid_t *grouplist) { return 0; }
 static int cap_task_setnice(struct task_struct *p, int nice) { return 0; }
 static int cap_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) { return 0; }
 static int cap_task_setscheduler(struct task_struct *p, int policy) { return 0; }
 static int cap_task_wait (struct task_struct *p) {return 0;}
 static int cap_task_kill (struct task_struct *p, struct siginfo *info, int sig) { return 0; }
-static int cap_task_set_label (char *filename) {return 0;}
-static void cap_task_reset_label (void) {return;}
-
 static void cap_task_kmod_set_label(void) { cap_set_full(current->cap_effective); return; }
 static int cap_module_create_module (const char *name_user, size_t size) {return 0;}
 static int cap_module_init_module (const char *name_user, struct module *mod_user) {return 0;}
 static int cap_module_delete_module (const char *name_user) {return 0;}
@@ -387,22 +384,20 @@
 free_security: cap_task_free_security,
 setuid: cap_task_setuid,
 post_setuid: cap_task_post_setuid,
 setgid: cap_task_setgid,
 setgroups: cap_task_setgroups,
 setnice: cap_task_setnice,
 setrlimit: cap_task_setrlimit,
 setscheduler: cap_task_setscheduler,
 wait: cap_task_wait,
 kill: cap_task_kill,
- set_label: cap_task_set_label,
- reset_label: cap_task_reset_label,
 kmod_set_label: cap_task_kmod_set_label
 };
 static struct socket_security_ops cap_socket_ops = {};
 static struct module_security_ops cap_module_ops = {
 create_module: cap_module_create_module,
 init_module: cap_module_init_module,
 delete_module: cap_module_delete_module,
diff -rU 10 linux/kernel/security.c linux-lsm/kernel/security.c
--- linux/kernel/security.c Thu Jun 28 23:13:34 2001
+++ linux-lsm/kernel/security.c Thu Jun 28 23:10:42 2001
@@ -117,22 +117,20 @@
 static void dummy_task_free_security (struct task_struct *p) {return;}
 static int dummy_task_setuid (uid_t id0, uid_t id1, uid_t id2, int flags) {return 0;}
 static int dummy_task_post_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) { return 0; }
 static int dummy_task_setgid (gid_t id0, gid_t id1, gid_t id2, int flags) {return 0;}
 static int dummy_task_setgroups (int gidsetsize, gid_t *grouplist) {return 0;}
 static int dummy_task_setnice (struct task_struct *p, int nice) {return 0;}
 static int dummy_task_setrlimit (unsigned int resource, struct rlimit *new_rlim) {return 0;}
 static int dummy_task_setscheduler (struct task_struct *p, int policy) {return 0;}
 static int dummy_task_wait (struct task_struct *p) {return 0;}
 static int dummy_task_kill (struct task_struct *p, struct siginfo *info, int sig) {return 0;}
-static int dummy_task_set_label (char *filename) {return 0;}
-static void dummy_task_reset_label (void) {return;}
 static void dummy_task_kmod_set_label (void) {return;}
 static int dummy_module_create_module (const char *name_user, size_t size) {return 0;}
 static int dummy_module_init_module (const char *name_user, struct module *mod_user) {return 0;}
 static int dummy_module_delete_module (const char *name_user) {return 0;}
 static int dummy_ipc_permission (struct kern_ipc_perm *ipcp, short flag) { return 0; }
 static int dummy_ipc_getinfo (int id, int cmd) {return 0;}
 static int dummy_msg_queue_create (key_t key) {return 0;}
@@ -220,22 +218,20 @@
 free_security: dummy_task_free_security,
 setuid: dummy_task_setuid,
 post_setuid: dummy_task_post_setuid,
 setgid: dummy_task_setgid,
 setgroups: dummy_task_setgroups,
 setnice: dummy_task_setnice,
 setrlimit: dummy_task_setrlimit,
 setscheduler: dummy_task_setscheduler,
 wait: dummy_task_wait,
 kill: dummy_task_kill,
- set_label: dummy_task_set_label,
- reset_label: dummy_task_reset_label,
 kmod_set_label: dummy_task_kmod_set_label
 };
 static struct socket_security_ops dummy_socket_ops = {};
 static struct module_security_ops dummy_module_ops = {
 create_module: dummy_module_create_module,
 init_module: dummy_module_init_module,
 delete_module: dummy_module_delete_module,
diff -rU 10 linux/net/unix/af_unix.c linux-lsm/net/unix/af_unix.c
--- linux/net/unix/af_unix.c Thu Apr 12 15:11:39 2001
+++ linux-lsm/net/unix/af_unix.c Thu Jun 28 23:07:58 2001
@@ -101,20 +101,21 @@
 #include <linux/skbuff.h>
 #include <linux/netdevice.h>
 #include <net/sock.h>
 #include <net/tcp.h>
 #include <net/af_unix.h>
 #include <linux/proc_fs.h>
 #include <net/scm.h>
 #include <linux/init.h>
 #include <linux/poll.h>
 #include <linux/smp_lock.h>
+#include <linux/security.h>
 #include <asm/checksum.h>
 #define min(a,b) (((a)<(b))?(a):(b))
 int sysctl_unix_max_dgram_qlen = 10;
 unix_socket *unix_socket_table[UNIX_HASH_SIZE+1];
 rwlock_t unix_table_lock = RW_LOCK_UNLOCKED;
 static atomic_t unix_nr_socks = ATOMIC_INIT(0);
@@ -711,20 +712,21 @@
 if (nd.last.name[nd.last.len] && !dentry->d_inode)
 goto out_mknod_dput;
 /*
 * All right, let's create it.
 */
 err = vfs_mknod(nd.dentry->d_inode, dentry,
 S_IFSOCK|sock->inode->i_mode, 0);
 if (err)
 goto out_mknod_dput;
 up(&nd.dentry->d_inode->i_sem);
+ security_ops->inode_ops->attach_pathlabel(dentry, nd.mnt);
 dput(nd.dentry);
 nd.dentry = dentry;
 addr->hash = UNIX_HASH_SIZE;
 }
 write_lock(&unix_table_lock);
 if (!sunaddr->sun_path[0]) {
 err = -EADDRINUSE;
_______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
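Review bot: The new `attach_pathlabel(dentry, nd.mnt)` call sits after `up(&nd.dentry->d_inode->i_sem)`, so the socket inode that `vfs_mknod()` just created can be looked up through its parent directory for a short window before any module has labelled it. If the hook may be called with the parent's i_sem held (its definition and the other call sites are not part of this patch), placing it before the release closes that window: `security_ops->inode_ops->attach_pathlabel(dentry, nd.mnt);` then `up(&nd.dentry->d_inode->i_sem);`. If the hook returns a status (its prototype is not on this page), it is discarded here, so a module that cannot attach a label has no way to fail the bind; a one-line comment stating that this is intentional would settle the question. The enclosing function starts and ends outside the hunk.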