Finally, the updated skb hooks, attached below. Note that the 'security' field in the skb header is no longer in use by the main kernel, and one of the networking maintainers has indicated that we may be able to claim it's namespace for 2.6. - James -- James Morris <jmorrisat_private>
diff -urN --exclude SCCS --exclude BitKeeper --exclude ChangeSet lsm/include/linux/security.h lsm-w3/include/linux/security.h
--- lsm/include/linux/security.h Wed Jul 25 11:34:53 2001
+++ lsm-w3/include/linux/security.h Thu Jul 26 02:05:54 2001
@@ -125,6 +125,14 @@
 struct socket_security_ops {
 };
+struct sk_buff;
+struct skb_security_ops {
+ int (* alloc_security) (struct sk_buff *skb);
+ void (* clone) (struct sk_buff *newskb, const struct sk_buff *oldskb);
+ void (* copy) (struct sk_buff *newskb, const struct sk_buff *oldskb);
+ void (* free_security) (struct sk_buff *skb);
+};
+
 struct module_security_ops {
 int (* create_module) (const char *name_user, size_t size);
 int (* init_module) (const char *name_user, struct module *mod_user);
@@ -198,6 +206,7 @@
 struct file_security_ops * file_ops;
 struct task_security_ops * task_ops;
 struct socket_security_ops * socket_ops;
+ struct skb_security_ops * skb_ops;
 struct module_security_ops * module_ops;
 struct ipc_security_ops * ipc_ops;
 struct msg_msg_security_ops * msg_msg_ops;
diff -urN --exclude SCCS --exclude BitKeeper --exclude ChangeSet lsm/include/linux/skbuff.h lsm-w3/include/linux/skbuff.h
--- lsm/include/linux/skbuff.h Wed Jul 25 11:34:53 2001
+++ lsm-w3/include/linux/skbuff.h Thu Jul 26 02:05:55 2001
@@ -213,6 +213,8 @@
 #ifdef CONFIG_NET_SCHED
 __u32 tc_index; /* traffic control index */
 #endif
+
+ void *lsm_security;
 };
 #define SK_WMEM_MAX 65535
diff -urN --exclude SCCS --exclude BitKeeper --exclude ChangeSet lsm/kernel/capability_plug.c lsm-w3/kernel/capability_plug.c
--- lsm/kernel/capability_plug.c Wed Jul 25 11:34:54 2001
+++ lsm-w3/kernel/capability_plug.c Thu Jul 26 01:59:12 2001
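Review bot: The `skb_security_ops` table added in the first security.h hunk documents none of its hook contracts, and the net/core/skbuff.c hunks later in this patch give `clone` and `copy` different preconditions: `copy(new, old)` is reached on a header that presumably came through alloc_skb and so has already had `alloc_security` run, whereas skb_clone's `n` (obtained outside that hunk, apparently from the header pool rather than alloc_skb) has not, so `clone` must itself allocate or reference-count `oldskb->lsm_security`. Because both hooks return void, an allocation failure inside `clone` cannot be reported back to skb_clone, which a module author needs to know before choosing a per-skb state design. I would put a comment above the struct stating, per hook, whether `newskb->lsm_security` has already been set up on entry, that `alloc_security` returning nonzero aborts alloc_skb, and that `free_security` is the only place the state is released (skb_headerinit merely NULLs the pointer). The `security_operations` struct this table is wired into by the second hunk starts and ends outside the hunk.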
@@ -326,6 +326,11 @@
 static int cap_sem_semctl (struct sem_array *sma, int semid, int cmd) {return 0;}
 static int cap_sem_semop (struct sem_array *sma, int semid, struct sembuf *sops, unsigned nsops, int alter) {return 0;}
+static int cap_skb_alloc_security (struct sk_buff *skb) {return 0;}
+static void cap_skb_clone (struct sk_buff *newskb, const struct sk_buff *oldskb) {return;}
+static void cap_skb_copy (struct sk_buff *newskb, const struct sk_buff *oldskb) {return;}
+static void cap_skb_free_security (struct sk_buff *skb) {return;}
+
 static int cap_register (const char *name, struct security_operations *ops) {return -EINVAL;}
 static int cap_unregister (const char *name, struct security_operations *ops) {return -EINVAL;}
@@ -406,6 +411,13 @@
 static struct socket_security_ops cap_socket_ops = {};
+static struct skb_security_ops cap_skb_ops = {
+ alloc_security: cap_skb_alloc_security,
+ clone: cap_skb_clone,
+ copy: cap_skb_copy,
+ free_security: cap_skb_free_security,
+};
+
 static struct module_security_ops cap_module_ops = {
 create_module: cap_module_create_module,
 init_module: cap_module_init_module,
@@ -477,6 +489,7 @@
 file_ops: &cap_file_ops,
 task_ops: &cap_task_ops,
 socket_ops: &cap_socket_ops,
+ skb_ops: &cap_skb_ops,
 module_ops: &cap_module_ops,
 ipc_ops: &cap_ipc_ops,
 msg_msg_ops: &cap_msg_ops,
diff -urN --exclude SCCS --exclude BitKeeper --exclude ChangeSet lsm/kernel/security.c lsm-w3/kernel/security.c
--- lsm/kernel/security.c Wed Jul 25 11:34:54 2001
+++ lsm-w3/kernel/security.c Thu Jul 26 01:59:51 2001
@@ -163,6 +163,11 @@
 static int dummy_sem_semctl (struct sem_array *sma, int semid, int cmd) {return 0;}
 static int dummy_sem_semop (struct sem_array *sma, int semid, struct sembuf *sops, unsigned nsops, int alter) {return 0;}
+static int dummy_skb_alloc_security (struct sk_buff *skb) {return 0;}
+static void dummy_skb_clone (struct sk_buff *newskb, const struct sk_buff *oldskb) {return;}
+static void dummy_skb_copy (struct sk_buff *newskb, const struct sk_buff *oldskb) {return;}
+static void dummy_skb_free_security (struct sk_buff *skb) {return;}
+
 static int dummy_register (const char *name, struct security_operations *ops) {return -EINVAL;}
 static int dummy_unregister (const char *name, struct security_operations *ops) {return -EINVAL;}
@@ -241,6 +246,13 @@
 static struct socket_security_ops dummy_socket_ops = {};
+static struct skb_security_ops dummy_skb_ops = {
+ alloc_security: dummy_skb_alloc_security,
+ clone: dummy_skb_clone,
+ copy: dummy_skb_copy,
+ free_security: dummy_skb_free_security,
+};
+
 static struct module_security_ops dummy_module_ops = {
 create_module: dummy_module_create_module,
 init_module: dummy_module_init_module,
@@ -312,6 +324,7 @@
 file_ops: &dummy_file_ops,
 task_ops: &dummy_task_ops,
 socket_ops: &dummy_socket_ops,
+ skb_ops: &dummy_skb_ops,
 ipc_ops: &dummy_ipc_ops,
 module_ops: &dummy_module_ops,
 msg_msg_ops: &dummy_msg_msg_ops,
@@ -382,6 +395,7 @@
 !ops->file_ops ||
 !ops->task_ops ||
 !ops->socket_ops ||
+ !ops->skb_ops ||
 !ops->module_ops ||
 !ops->ipc_ops ||
 !ops->msg_msg_ops ||
diff -urN --exclude SCCS --exclude BitKeeper --exclude ChangeSet lsm/net/core/skbuff.c lsm-w3/net/core/skbuff.c
--- lsm/net/core/skbuff.c Wed Jul 25 11:35:03 2001
+++ lsm-w3/net/core/skbuff.c Thu Jul 26 02:08:44 2001
@@ -51,6 +51,7 @@
 #include <linux/cache.h>
 #include <linux/init.h>
 #include <linux/highmem.h>
+#include <linux/security.h>
 #include <net/ip.h>
 #include <net/protocol.h>
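Review bot: The registration check in the `@@ -382,6 +395,7 @@` hunk only tests that `ops->skb_ops` is non-NULL, not that its four members are, which matches the shallow check the other tables get; but every skbuff.c call site in this patch dereferences `security_ops->skb_ops->alloc_security` / `clone` / `copy` / `free_security` unconditionally, and skb_clone and __kfree_skb are, as far as I know, commonly reached from softirq context, so a module registering a partially filled table would oops on the first packet instead of being refused at registration. Adding `!ops->skb_ops->alloc_security || !ops->skb_ops->clone || !ops->skb_ops->copy || !ops->skb_ops->free_security ||` after the new `!ops->skb_ops ||` line fails the registration cleanly at a point where an error can still be returned. The enclosing registration function starts and ends outside the hunk.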
@@ -191,6 +192,11 @@
 if (data == NULL)
 goto nodata;
+ if (security_ops->skb_ops->alloc_security(skb)) {
+ kfree(data);
+ goto nodata;
+ }
+
 /* XXX: does not include slab overhead */
 skb->truesize = size + sizeof(struct sk_buff);
@@ -250,6 +256,7 @@
 #ifdef CONFIG_NET_SCHED
 skb->tc_index = 0;
 #endif
+ skb->lsm_security = NULL;
 }
 static void skb_drop_fraglist(struct sk_buff *skb)
@@ -327,6 +334,7 @@
 #ifdef CONFIG_NETFILTER
 nf_conntrack_put(skb->nfct);
 #endif
+ security_ops->skb_ops->free_security(skb);
 skb_headerinit(skb, NULL, 0); /* clean state */
 kfree_skbmem(skb);
 }
@@ -399,7 +407,7 @@
 #ifdef CONFIG_NET_SCHED
 C(tc_index);
 #endif
-
+ security_ops->skb_ops->clone(n, skb);
 atomic_inc(&(skb_shinfo(skb)->dataref));
 skb->cloned = 1;
 #ifdef CONFIG_NETFILTER
@@ -442,6 +450,7 @@
 #ifdef CONFIG_NET_SCHED
 new->tc_index = old->tc_index;
 #endif
+ security_ops->skb_ops->copy(new, old);
 }
 /**
_______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
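Review bot: `alloc_security(skb)` in the alloc_skb hunk is passed no allocation flags, although alloc_skb itself takes a gfp_mask (outside the hunk) and is, as far as I recall, called with GFP_ATOMIC from interrupt and softirq paths; a module that allocates its per-skb state in this hook must therefore hard-code GFP_ATOMIC or risk sleeping in atomic context. Threading the mask through — `int (* alloc_security) (struct sk_buff *skb, int gfp_mask);` in security.h and `if (security_ops->skb_ops->alloc_security(skb, gfp_mask)) {` here — costs nothing and lets the module allocate under the caller's constraints. The failure branch `kfree(data); goto nodata;` also hands the header back without calling `free_security` or skb_headerinit (the nodata label is outside the hunk), so the implied contract is that a failing hook leaves `skb->lsm_security` NULL; that deserves a one-line comment above the call, e.g. `/* hook must leave skb->lsm_security NULL on failure: nodata does not run free_security */`. Note too that the hook appears to run before the data pointers are loaded into the skb, so it can allocate state but has nothing about the packet to inspect yet.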
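Review bot: In the skb_clone hunk `n->lsm_security` is neither copied by the `C()` sequence nor explicitly initialised before `clone(n, skb)` runs, so the hook sees whatever the header carried; that is presumably NULL only because `skb_headerinit` (extended in this patch to clear the field) ran when the header was last freed or constructed, a dependency that is easy to break later. An explicit `n->lsm_security = NULL;` immediately before the `security_ops->skb_ops->clone(n, skb);` line makes the precondition local and lets the clone hook assume a clean field. The start of skb_clone, where `n` is obtained, is outside the hunk.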