One more time. Sorry it took so long, I had to get our tree up to date first. This patch is relative to the latest lsm patch, "lsm-2001_07_24 patch against kernel 2.4.7" I'm not certain what was wrong with the last patch, I generated it from our CVS repository and everything looked fine. I'm also curious why it had conflicts. Very little has changed in sys/socket.c, including the newer kernel. chris. On Wed, 25 Jul 2001, Greg KH wrote: > On Wed, Jul 25, 2001 at 10:34:54AM -0400, Chris Vance wrote: > > > > I find it hard to believe that there have been no additional comments on > > this patch. Should I assume that everything is fine and that it will be > > commited shortly or should I assume that everyone has been too busy > > thinking about file descriptors to take a look at it? > > In trying to apply this patch it has a number of conflicts with the > current version of the lsm tree (yes this isn't your fault, the tree is > now 2.4.7, and wasn't when you sent out the patch.) > > Also could you generate your diffs so that patch can apply them > correctly? (it doesn't have the file name to be patched in the diff, > this is probably a RCS bug.) It's not a big idea, but is a pain to > apply the patches. > > Thanks, > > greg k-h >
diff -ur linux-2.4.7-lsm-2001_07_24/include/linux/security.h lsm/include/linux/security.h
--- linux-2.4.7-lsm-2001_07_24/include/linux/security.h Thu Jul 26 09:22:53 2001
+++ lsm/include/linux/security.h Thu Jul 26 10:58:26 2001
@@ -123,6 +121,19 @@
 };
 struct socket_security_ops {
+ int (* create) (int family, int type, int protocol);
+ void (* post_create) (struct socket *sock, int family, int type, int protocol);
+ int (* bind) (struct socket *sock, struct sockaddr *address, int addrlen);
+ int (* connect) (struct socket *sock, struct sockaddr *address, int addrlen);
+ int (* listen) (struct socket *sock, int backlog);
+ int (* accept) (struct socket *sock, struct socket *newsock);
+ int (* sendmsg) (struct socket *sock, struct msghdr *msg, int size);
+ int (* recvmsg) (struct socket *sock, struct msghdr *msg, int size, int flags);
+ int (* getsockname) (struct socket *sock);
+ int (* getpeername) (struct socket *sock);
+ int (* getsockopt) (struct socket *sock, int level, int optname);
+ int (* setsockopt) (struct socket *sock, int level, int optname);
+ int (* shutdown) (struct socket *sock, int how);
 };
 struct module_security_ops {
diff -ur linux-2.4.7-lsm-2001_07_24/kernel/capability_plug.c lsm/kernel/capability_plug.c
--- linux-2.4.7-lsm-2001_07_24/kernel/capability_plug.c Thu Jul 26 09:22:53 2001
+++ lsm/kernel/capability_plug.c Thu Jul 26 10:35:30 2001
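Review bot: The new socket_security_ops members carry no statement of their contract: when each hook runs relative to the protocol operation, whether a nonzero return is a -errno that aborts the syscall, and that `post_create` returns void and so cannot fail. A comment above the struct, e.g. `/* Socket hooks run before the corresponding protocol op; a nonzero return is a -errno that aborts the call. post_create runs after the socket exists and cannot fail. */`, would let module authors and reviewers check every call site in net/socket.c against one stated rule. It is also worth recording here that `getsockopt`/`setsockopt` receive only `level` and `optname`, so a module cannot make decisions based on the option value or its length; if that narrowing is intentional it should be visible in the header rather than discovered at the call sites.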
@@ -296,6 +296,20 @@
 return;
 }
+static int cap_socket_create (int family, int type, int protocol) {return 0;}
+static void cap_socket_post_create (struct socket *sock, int family, int type, int protocol) {return;}
+static int cap_socket_bind (struct socket *sock, struct sockaddr *address, int addrlen) {return 0;}
+static int cap_socket_connect (struct socket *sock, struct sockaddr *address, int addrlen) {return 0;}
+static int cap_socket_listen (struct socket *sock, int backlog) {return 0;}
+static int cap_socket_accept( struct socket *sock, struct socket *newsock) {return 0;}
+static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) {return 0;}
+static int cap_socket_recvmsg(struct socket *sock, struct msghdr *msg, int size, int flags) {return 0;}
+static int cap_socket_getsockname (struct socket *sock) {return 0;}
+static int cap_socket_getpeername (struct socket *sock) {return 0;}
+static int cap_socket_setsockopt (struct socket *sock, int level, int optname) {return 0;}
+static int cap_socket_getsockopt (struct socket *sock, int level, int optname) {return 0;}
+static int cap_socket_shutdown (struct socket *sock, int how) {return 0;}
+
 static int cap_module_create_module (const char *name_user, size_t size) {return 0;}
 static int cap_module_init_module (const char *name_user, struct module *mod_user) {return 0;}
 static int cap_module_delete_module (const char *name_user) {return 0;}
@@ -404,7 +418,21 @@
 kmod_set_label: cap_task_kmod_set_label,
 };
-static struct socket_security_ops cap_socket_ops = {};
+static struct socket_security_ops cap_socket_ops = {
+ create: cap_socket_create,
+ post_create: cap_socket_post_create,
+ bind: cap_socket_bind,
+ connect: cap_socket_connect,
+ listen: cap_socket_listen,
+ accept: cap_socket_accept,
+ sendmsg: cap_socket_sendmsg,
+ recvmsg: cap_socket_recvmsg,
+ getsockname: cap_socket_getsockname,
+ getpeername: cap_socket_getpeername,
+ getsockopt: cap_socket_getsockopt,
+ setsockopt: cap_socket_setsockopt,
+ shutdown: cap_socket_shutdown,
+};
 static struct module_security_ops cap_module_ops = {
 create_module: cap_module_create_module,
diff -ur linux-2.4.7-lsm-2001_07_24/kernel/security.c lsm/kernel/security.c
--- linux-2.4.7-lsm-2001_07_24/kernel/security.c Thu Jul 26 09:22:53 2001
+++ lsm/kernel/security.c Thu Jul 26 11:15:13 2001
@@ -97,7 +95,7 @@
 static int dummy_inode_revalidate (struct dentry *inode) {return 0;}
 static int dummy_inode_setattr (struct dentry *dentry, struct iattr *iattr) {return 0;}
 static int dummy_inode_stat (struct inode *inode) {return 0;}
-static void dummy_post_lookup (struct inode *ino, struct dentry *d) {return;};
+static void dummy_post_lookup (struct inode *ino, struct dentry *d) {return;}
 static int dummy_file_permission (struct file *file, int mask) {return 0;}
 static int dummy_file_alloc_security (struct file *file) {return 0;}
@@ -133,6 +131,20 @@
 static void dummy_task_kmod_set_label (void) {return;}
+static int dummy_socket_create(int family, int type, int protocol) {return 0;}
+static void dummy_socket_post_create(struct socket *sock, int family, int type, int protocol) {return;}
+static int dummy_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) {return 0;}
+static int dummy_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) {return 0;}
+static int dummy_socket_listen(struct socket *sock, int backlog) {return 0;}
+static int dummy_socket_accept(struct socket *sock, struct socket *newsock) {return 0;}
+static int dummy_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) {return 0;}
+static int dummy_socket_recvmsg(struct socket *sock, struct msghdr *msg, int size, int flags) {return 0;}
+static int dummy_socket_getsockname(struct socket *sock) {return 0;}
+static int dummy_socket_getpeername(struct socket *sock) {return 0;}
+static int dummy_socket_setsockopt(struct socket *sock, int level, int optname) {return 0;}
+static int dummy_socket_getsockopt(struct socket *sock, int level, int optname) {return 0;}
+static int dummy_socket_shutdown(struct socket *sock, int how) {return 0;}
+
 static int dummy_module_create_module (const char *name_user, size_t size) {return 0;}
 static int dummy_module_init_module (const char *name_user, struct module *mod_user) {return 0;}
 static int dummy_module_delete_module (const char *name_user) {return 0;}
@@ -239,7 +251,21 @@
 kmod_set_label: dummy_task_kmod_set_label,
 };
-static struct socket_security_ops dummy_socket_ops = {};
+static struct socket_security_ops dummy_socket_ops = {
+ create: dummy_socket_create,
+ post_create: dummy_socket_post_create,
+ bind: dummy_socket_bind,
+ connect: dummy_socket_connect,
+ listen: dummy_socket_listen,
+ accept: dummy_socket_accept,
+ sendmsg: dummy_socket_sendmsg,
+ recvmsg: dummy_socket_recvmsg,
+ getsockname: dummy_socket_getsockname,
+ getpeername: dummy_socket_getpeername,
+ getsockopt: dummy_socket_getsockopt,
+ setsockopt: dummy_socket_setsockopt,
+ shutdown: dummy_socket_shutdown,
+};
 static struct module_security_ops dummy_module_ops = {
 create_module: dummy_module_create_module,
diff -ur linux-2.4.7-lsm-2001_07_24/net/socket.c lsm/net/socket.c
--- linux-2.4.7-lsm-2001_07_24/net/socket.c Thu Jul 19 21:11:13 2001
+++ lsm/net/socket.c Thu Jul 26 10:35:30 2001
@@ -507,6 +507,10 @@
 int err;
 struct scm_cookie scm;
+ err = security_ops->socket_ops->sendmsg(sock, msg, size);
+ if (err)
+ return err;
+
 err = scm_send(sock, msg, &scm);
 if (err >= 0) {
 err = sock->ops->sendmsg(sock, msg, size, &scm);
@@ -518,6 +522,11 @@
 int sock_recvmsg(struct socket *sock, struct msghdr *msg, int size, int flags)
 {
 struct scm_cookie scm;
+ int err;
+
+ err = security_ops->socket_ops->recvmsg(sock, msg, size, flags);
+ if (err)
+ return err;
 memset(&scm, 0, sizeof(scm));
@@ -836,6 +845,7 @@
 int sock_create(int family, int type, int protocol, struct socket **res)
 {
 int i;
+ int err;
 struct socket *sock;
 /*
@@ -859,6 +869,10 @@
 }
 family = PF_PACKET;
 }
+
+ err = security_ops->socket_ops->create(family, type, protocol);
+ if (err)
+ return err;
 #if defined(CONFIG_KMOD) && defined(CONFIG_NET)
 /* Attempt to load a protocol module if the find failed.
@@ -905,6 +919,8 @@
 *res = sock;
+ security_ops->socket_ops->post_create(sock, family, type, protocol);
+
 out:
 net_family_read_unlock();
 return i;
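Review bot: In the `@@ -905,6 +919,8 @@` hunk the `post_create` hook is called between `*res = sock;` and the `out:` label, and the `net_family_read_unlock()` directly under `out:` implies the families read lock is still held at that point; a module that allocates per-socket state or otherwise may block in post_create would do so under that lock. Moving the call past the unlock on the success path, e.g. a second label after `net_family_read_unlock();` that runs `security_ops->socket_ops->post_create(sock, family, type, protocol);` only when sock_create succeeded, removes the constraint on module authors. Separately, `post_create` returns void, so a module that fails to set up state for the new socket has no way to refuse it, while the `create` hook in the `@@ -859` hunk runs before the socket object exists and cannot hold that state either; the header comment should record this as a known limitation. sock_create's body begins before these hunks and the success condition is not visible here.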
@@ -1014,8 +1030,14 @@
 if((sock = sockfd_lookup(fd,&err))!=NULL)
 {
- if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0)
+ if((err=move_addr_to_kernel(umyaddr,addrlen,address))>=0) {
+ err = security_ops->socket_ops->bind(sock, (struct sockaddr *)address, addrlen);
+ if (err) {
+ sockfd_put(sock);
+ return err;
+ }
 err = sock->ops->bind(sock, (struct sockaddr *)address, addrlen);
+ }
 sockfd_put(sock);
 }
 return err;
@@ -1036,6 +1058,13 @@
 if ((sock = sockfd_lookup(fd, &err)) != NULL) {
 if ((unsigned) backlog > SOMAXCONN)
 backlog = SOMAXCONN;
+
+ err = security_ops->socket_ops->listen(sock, backlog);
+ if (err) {
+ sockfd_put(sock);
+ return err;
+ }
+
 err=sock->ops->listen(sock, backlog);
 sockfd_put(sock);
 }
@@ -1072,6 +1101,10 @@
 newsock->type = sock->type;
 newsock->ops = sock->ops;
+ err = security_ops->socket_ops->accept(sock, newsock);
+ if (err)
+ goto out_release;
+
 err = sock->ops->accept(sock, newsock, sock->file->f_flags);
 if (err < 0)
 goto out_release;
@@ -1126,8 +1159,14 @@
 err = move_addr_to_kernel(uservaddr, addrlen, address);
 if (err < 0)
 goto out_put;
+
+ err = security_ops->socket_ops->connect(sock, (struct sockaddr *)address, addrlen);
+ if (err)
+ goto out_put;
+
 err = sock->ops->connect(sock, (struct sockaddr *) address, addrlen,
 sock->file->f_flags);
+
 out_put:
 sockfd_put(sock);
 out:
@@ -1148,6 +1187,11 @@
 sock = sockfd_lookup(fd, &err);
 if (!sock)
 goto out;
+
+ err = security_ops->socket_ops->getsockname(sock);
+ if (err)
+ goto out_put;
+
 err = sock->ops->getname(sock, (struct sockaddr *)address, &len, 0);
 if (err)
 goto out_put;
@@ -1172,6 +1216,12 @@
 if ((sock = sockfd_lookup(fd, &err))!=NULL)
 {
+ err = security_ops->socket_ops->getpeername(sock);
+ if (err) {
+ sockfd_put(sock);
+ return err;
+ }
+
 err = sock->ops->getname(sock, (struct sockaddr *)address, &len, 1);
 if (!err)
 err=move_addr_to_user(address,len, usockaddr, usockaddr_len);
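Review bot: In the `@@ -1072,6 +1101,10 @@` hunk the `accept` hook runs before `sock->ops->accept()` has populated `newsock`, so a module sees only the listening socket and a freshly allocated newsock that carries no connection yet; a decision that depends on the accepted peer is not possible from this hook. If that scope is intended, a comment at the call should say so, e.g. `/* newsock is not yet connected here: the hook decides on the listening socket only */`; otherwise a second hook after the `if (err < 0) goto out_release;` check is needed, where the connection exists. The bind and connect hooks in the `@@ -1014` and `@@ -1126` hunks are placed after `move_addr_to_kernel` and receive the kernel copy of the address, which is the right ordering, since the module then checks the same bytes the protocol will use. sys_accept's body starts and ends outside the hunk.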
@@ -1299,6 +1349,12 @@
 if ((sock = sockfd_lookup(fd, &err))!=NULL)
 {
+ err = security_ops->socket_ops->setsockopt(sock,level,optname);
+ if (err) {
+ sockfd_put(sock);
+ return err;
+ }
+
 if (level == SOL_SOCKET)
 err=sock_setsockopt(sock,level,optname,optval,optlen);
 else
@@ -1320,6 +1376,13 @@
 if ((sock = sockfd_lookup(fd, &err))!=NULL)
 {
+ err = security_ops->socket_ops->getsockopt(sock, level,
+ optname);
+ if (err) {
+ sockfd_put(sock);
+ return err;
+ }
+
 if (level == SOL_SOCKET)
 err=sock_getsockopt(sock,level,optname,optval,optlen);
 else
@@ -1341,6 +1404,12 @@
 if ((sock = sockfd_lookup(fd, &err))!=NULL)
 {
+ err = security_ops->socket_ops->shutdown(sock, how);
+ if (err) {
+ sockfd_put(sock);
+ return err;
+ }
+
 err=sock->ops->shutdown(sock, how);
 sockfd_put(sock);
 }
_______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
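Review bot: The `setsockopt` hook in the `@@ -1299,6 +1349,12 @@` hunk is passed `sock`, `level` and `optname` but not `optval`/`optlen`, which the call on the next lines hands to `sock_setsockopt`; a module can therefore allow or deny an option name but cannot inspect the value being set, and the same holds for the `getsockopt` hook in the second hunk. If value-level control is out of scope for this series, a one-line comment at the call, `/* hook sees option name only; optval is not available to modules */`, would keep later readers from assuming otherwise. All three hunks open a new `sockfd_put(sock); return err;` exit inline; where the enclosing function already provides an exit label this duplicates the refcount release, and the getsockopt call is split across two lines unlike its siblings, which is style only. The enclosing sys_setsockopt, sys_getsockopt and sys_shutdown bodies start and end outside these hunks.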