Re: Problems with some of the current hooks

From: Stephen Smalley (sdsat_private)
Date: Fri Aug 03 2001 - 13:57:33 PDT


    I've attached a patch against the current WireX BitKeeper tree
    that implements all of the FIXes listed in my previous message
    except for changes for moving some of the hooks to more
    appropriate substructures.   This patch does not address
    any of the UNRESOLVED issues in that message.  If some parts
    of this patch are objectionable and need to be split out
    separately, let me know.
    
    --
    Stephen D. Smalley, NAI Labs
    ssmalleyat_private
    
    
    
    
    diff -X /home/sds/dontdiff -ur lsm-wirex/fs/exec.c lsm/fs/exec.c
    --- lsm-wirex/fs/exec.c	Fri Aug  3 08:32:08 2001
    +++ lsm/fs/exec.c	Fri Aug  3 14:36:32 2001
    @@ -604,6 +604,7 @@
     {
     	int mode;
     	struct inode * inode = bprm->file->f_dentry->d_inode;
    +	int retval;
     
     	mode = inode->i_mode;
     	/* Huh? We had already checked for MAY_EXEC, WTF do we check this? */
    @@ -631,8 +632,9 @@
     	}
     
     	/* fill in binprm security blob */
    -	if (security_ops->bprm_ops->alloc_security(bprm))
    -		return -EACCES;		/* hmm, is EACCES really right? */
    +	retval = security_ops->bprm_ops->set_security(bprm);
    +	if (retval)
    +		return retval;
     
     	memset(bprm->buf,0,BINPRM_BUF_SIZE);
     	return kernel_read(bprm->file,0,bprm->buf,BINPRM_BUF_SIZE);
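Review bot: A positive value returned by `set_security` is handed straight back to the caller, and the caller visible in the next hunk only treats `retval < 0` as failure, so a module that signals denial with a positive code would have its refusal read as a successful `prepare_binprm` and the exec would continue. The normal return here is the `kernel_read` byte count, which is also positive, so the two cases cannot be told apart. Either state in security.h that the hook must return 0 or a negative errno, or normalise at the call site with `if (retval) return retval < 0 ? retval : -EACCES;`. The enclosing function starts outside this hunk.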
    @@ -835,6 +837,10 @@
     		return bprm.envc;
     	}
     
    +	retval = security_ops->bprm_ops->alloc_security(&bprm);
    +	if (retval) 
    +		goto out;
    +
     	retval = prepare_binprm(&bprm);
     	if (retval < 0) 
     		goto out; 
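Review bot: Nothing visible in this patch sets `bprm.security` to NULL before the added `alloc_security(&bprm)` call, yet the cleanup added in the `@@ -871` hunk decides whether to call `free_security` by testing `if (bprm.security)`. `bprm` is passed as `&bprm` and so appears to be a local struct; with a module whose `alloc_security` leaves the field untouched (both stubs in this patch simply `return 0`), that test would read an indeterminate value and could hand a garbage pointer to `free_security`. Mirroring the `s->s_security = NULL;` line added in fs/super.c, put `bprm.security = NULL;` immediately before the call. The function's start and the `out:` label are outside this hunk, so an earlier initialisation cannot be ruled out from here.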
    @@ -871,7 +877,9 @@
     			__free_page(page);
     	}
     
    -	security_ops->bprm_ops->free_security(&bprm);
    +	if (bprm.security)
    +		security_ops->bprm_ops->free_security(&bprm);
    +
     	return retval;
     }
     
    diff -X /home/sds/dontdiff -ur lsm-wirex/fs/fcntl.c lsm/fs/fcntl.c
    --- lsm-wirex/fs/fcntl.c	Fri Jun 22 09:06:59 2001
    +++ lsm/fs/fcntl.c	Fri Aug  3 15:26:18 2001
    @@ -352,7 +352,7 @@
     	if (!filp)
     		goto out;
     
    -	err = security_ops->file_ops->fcntl64(filp, cmd, arg);
    +	err = security_ops->file_ops->fcntl(filp, cmd, arg);
     	if (err) {
     		fput(filp);
     		return err;
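Review bot: Folding the `fcntl64` hook into `fcntl` means a module's single handler is now presumably reached with the 64-bit lock commands as well, and nothing in the hook's declaration says so. A module that switches on `cmd` and only lists the classic lock commands would let the 64-bit variants through unchecked. Suggest extending the warning added above `fcntl` in security.h with something like `/* Also called from the fcntl64 path: cmd may be one of the 64-bit lock commands. */`. Which syscall this call site belongs to is inferred from the old hook name; the function header is outside the hunk.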
    diff -X /home/sds/dontdiff -ur lsm-wirex/fs/inode.c lsm/fs/inode.c
    --- lsm-wirex/fs/inode.c	Thu Aug  2 13:33:13 2001
    +++ lsm/fs/inode.c	Fri Aug  3 15:17:18 2001
    @@ -74,12 +74,25 @@
     
     static kmem_cache_t * inode_cachep;
     
    -#define alloc_inode() \
    -	 ((struct inode *) kmem_cache_alloc(inode_cachep, SLAB_KERNEL))
    +static inline struct inode *alloc_inode(void) 
    +{
    +	struct inode *inode;
    +
    +	inode = ((struct inode *) kmem_cache_alloc(inode_cachep, SLAB_KERNEL));
    +	if (!inode)
    +		return NULL;
    +	if (security_ops->inode_ops->alloc_security(inode)) {
    +		kmem_cache_free(inode_cachep, (inode));
    +		return NULL;
    +	}
    +	return inode;
    +}
    +
     static void destroy_inode(struct inode *inode) 
     {
     	if (!list_empty(&inode->i_dirty_buffers))
     		BUG();
    +	security_ops->inode_ops->free_security(inode);
     	kmem_cache_free(inode_cachep, (inode));
     }
     
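Review bot: `alloc_inode()` now calls `alloc_security(inode)` on an object fresh from `kmem_cache_alloc`, before any field has been set up, whereas the call removed in the `@@ -761` hunk ran at the end of the initialiser after `i_data` and `i_mapping` were filled in. A module therefore cannot rely on any inode field inside the hook, and the inode's security pointer is not cleared first, so on a recycled slab object it may still hold whatever the previous user left unless every `free_security` resets it. Clear the field before the call, as fs/super.c does for `s->s_security`, and add a comment such as `/* alloc_security sees a raw slab object: no inode fields are valid yet */`. The hook's error code is also collapsed to NULL here, so callers will likely report an allocation failure rather than the module's reason.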
    @@ -502,7 +515,6 @@
     		cdput(inode->i_cdev);
     		inode->i_cdev = NULL;
     	}
    -	security_ops->inode_ops->free_security(inode);
     	inode->i_state = I_CLEAR;
     }
     
    @@ -761,7 +773,6 @@
     	inode->i_data.host = inode;
     	inode->i_data.gfp_mask = GFP_HIGHUSER;
     	inode->i_mapping = &inode->i_data;
    -	security_ops->inode_ops->alloc_security(inode); /* hmm, no way to preserve error */
     }
     
     /**
    @@ -1022,6 +1033,8 @@
     
     			if (inode->i_data.nrpages)
     				truncate_inode_pages(&inode->i_data, 0);
    +
    +			security_ops->inode_ops->delete(inode);
     
     			if (op && op->delete_inode) {
     				void (*delete)(struct inode *) = op->delete_inode;
    diff -X /home/sds/dontdiff -ur lsm-wirex/fs/locks.c lsm/fs/locks.c
    --- lsm-wirex/fs/locks.c	Thu Aug  2 13:33:13 2001
    +++ lsm/fs/locks.c	Fri Aug  3 15:22:28 2001
    @@ -1312,7 +1312,7 @@
     	if (!filp)
     		goto out;
     
    -	error = security_ops->file_ops->lock(filp);
    +	error = security_ops->file_ops->lock(filp, cmd);
     	if(error)
     		goto out_putf;
     
    diff -X /home/sds/dontdiff -ur lsm-wirex/fs/namei.c lsm/fs/namei.c
    --- lsm-wirex/fs/namei.c	Thu Aug  2 13:33:13 2001
    +++ lsm/fs/namei.c	Fri Aug  3 16:28:34 2001
    @@ -178,21 +178,22 @@
     int permission(struct inode * inode,int mask)
     {
     	int retval;
    -
    -	retval = security_ops->inode_ops->permission(inode, mask);
    -	if (retval)
    -		return retval;
    +	int submask;
     
     	/* Ordinary permission routines do not understand MAY_APPEND. */
    -	mask &= ~MAY_APPEND;
    +	submask = mask & ~MAY_APPEND;
     
     	if (inode->i_op && inode->i_op->permission) {
     		lock_kernel();
    -		retval = inode->i_op->permission(inode, mask);
    +		retval = inode->i_op->permission(inode, submask);
     		unlock_kernel();
    -		return retval;
    +	} else {
    +		retval = vfs_permission(inode, submask);
     	}
    -	return vfs_permission(inode, mask);
    +	if (retval)
    +		return retval;
    +
    +	return security_ops->inode_ops->permission(inode, mask);
     }
     
     /*
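Review bot: The final `return security_ops->inode_ops->permission(inode, mask);` depends on two things that are not written down at the call: the module deliberately receives the original `mask` rather than `submask`, and it is only consulted once the ordinary check has already granted access. Both are easy to undo in a later cleanup (for example by collapsing `submask` back into `mask`), which would silently hide MAY_APPEND from the module. Suggest a comment above the return such as `/* DAC passed; the module sees the original mask, MAY_APPEND included. */`. It may also be worth noting in security.h that requests refused by the ordinary check never reach the hook, so a module cannot audit them.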
    diff -X /home/sds/dontdiff -ur lsm-wirex/fs/stat.c lsm/fs/stat.c
    --- lsm-wirex/fs/stat.c	Fri Jun 22 09:06:59 2001
    +++ lsm/fs/stat.c	Fri Aug  3 14:58:50 2001
    @@ -274,7 +274,7 @@
     		error = -EINVAL;
     		if (inode->i_op && inode->i_op->readlink &&
     		    !(error = do_revalidate(nd.dentry))) {
    -			error = security_ops->inode_ops->readlink(nd.dentry, buf, bufsiz);
    +			error = security_ops->inode_ops->readlink(nd.dentry);
     			if (!error) {
     				UPDATE_ATIME(inode);
     				error = inode->i_op->readlink(nd.dentry, buf, bufsiz);
    diff -X /home/sds/dontdiff -ur lsm-wirex/fs/super.c lsm/fs/super.c
    --- lsm-wirex/fs/super.c	Thu Aug  2 13:33:13 2001
    +++ lsm/fs/super.c	Fri Aug  3 15:32:40 2001
    @@ -745,8 +745,6 @@
     	     s  = sb_entry(s->s_list.next)) {
     		if (s->s_dev)
     			continue;
    -		if (security_ops->sb_ops->alloc_security(s))
    -			return NULL;
     		return s;
     	}
     	/* Need a new one... */
    @@ -756,10 +754,6 @@
     	if (s) {
     		nr_super_blocks++;
     		memset(s, 0, sizeof(struct super_block));
    -		if (security_ops->sb_ops->alloc_security(s)) {
    -			kfree(s);
    -			return NULL;
    -		}
     		INIT_LIST_HEAD(&s->s_dirty);
     		INIT_LIST_HEAD(&s->s_locked_inodes);
     		list_add (&s->s_list, super_blocks.prev);
    @@ -790,7 +784,10 @@
     	s->s_type = type;
     	s->s_dquot.flags = 0;
     	s->s_maxbytes = MAX_NON_LFS;
    +	s->s_security = NULL;
     	lock_super(s);
    +	if (security_ops->sb_ops->alloc_security(s))
    +		goto out_fail;
     	if (!type->read_super(s, data, silent))
     		goto out_fail;
     	unlock_super(s);
    @@ -804,7 +801,8 @@
     	s->s_dev = 0;
     	s->s_bdev = 0;
     	s->s_type = NULL;
    -	security_ops->sb_ops->free_security(s);
    +	if (s->s_security)
    +		security_ops->sb_ops->free_security(s);
     	unlock_super(s);
     	return NULL;
     }
    @@ -1285,10 +1283,6 @@
     
     	if (nd->dentry != nd->mnt->mnt_root)
     		return -EINVAL;
    -
    -	retval = security_ops->remount(nd->mnt, flags, data);
    -	if (retval)
    -		return retval;
     
     	retval = do_remount_sb(nd->mnt->mnt_sb, flags, data);
     	if (!retval)
    diff -X /home/sds/dontdiff -ur lsm-wirex/include/linux/security.h lsm/include/linux/security.h
    --- lsm-wirex/include/linux/security.h	Fri Aug  3 08:32:08 2001
    +++ lsm/include/linux/security.h	Fri Aug  3 16:34:24 2001
    @@ -29,7 +29,6 @@
     
     #ifdef __KERNEL__
     
    -#include <linux/sched.h>
     #include <linux/fs.h>
     #include <linux/binfmts.h>
     #include <linux/signal.h>
    @@ -44,13 +43,14 @@
     #define SECURITY_INTERFACE_VERSION	0x00000101	/* change this every time the security_operations structure changes */
     
     struct binprm_security_ops {
    -	/* this alloc may be called multiple times in one code
    -	 * path.  make sure you check if brpm is NULL or has
    -	 * already been allocated.  -chris
    -	 */
     	int (* alloc_security)		(struct linux_binprm *bprm);	/* create per binprm security stuff */
     	void (* free_security)		(struct linux_binprm *bprm);	/* free it */
     	void (* compute_creds)		(struct linux_binprm *bprm);	/* transfer credentials to current during exec */
    +	/* set_security may be called multiple times on a single 
    +	   execve, e.g. for interpreters.  It can tell whether
    +	   it has already been called by checking to see if
    +	   bprm->security is non-NULL. */
    +	int (* set_security)		(struct linux_binprm *bprm);	/* set per binprm security stuff */
     };
     
     struct super_block_security_ops {
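Review bot: The new comment's test for a repeated `set_security` call stops working as soon as a module allocates its blob in `alloc_security`: with this patch fs/exec.c calls `alloc_security` before `prepare_binprm`, so `bprm->security` can already be non-NULL on the first `set_security` call. A module following the comment literally would then skip its first-call work. Suggest rewording to `/* set_security may be called more than once per execve (e.g. for interpreters); keep first-call state inside the blob set up by alloc_security. */`.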
    @@ -79,7 +79,7 @@
     				 struct inode *new_dir, struct dentry *new_dentry);
     	void (* post_rename)	(struct inode *old_dir, struct dentry *old_dentry,
     				 struct inode *new_dir, struct dentry *new_dentry);
    -	int (* readlink)	(struct dentry *dentry, char *buf, int bufsiz);
    +	int (* readlink)	(struct dentry *dentry);
     	int (* follow_link)	(struct dentry *dentry, struct nameidata *nd);
     	int (* truncate)	(struct inode *inode);
     	int (* permission)	(struct inode *inode, int mask);
    @@ -87,8 +87,11 @@
     	int (* setattr)		(struct dentry *dentry, struct iattr *attr);
     	int (* stat)		(struct inode *inode);
     	void (* post_lookup)	(struct inode *ino, struct dentry *d);
    +        void (* delete)	        (struct inode *ino);
     };
     
    +struct sched_param;
    +
     struct file_security_ops {
     	int (* permission)		(struct file *file, int mask);
     	int (* alloc_security)		(struct file *file);
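Review bot: Adding `delete` here changes the layout of the ops structures, as do `set_security`, the removal of `fcntl64` and `remount`, and the changed `readlink`, `lock` and `reboot` signatures elsewhere in this file, but `SECURITY_INTERFACE_VERSION` in the first hunk stays at `0x00000101` even though its comment says to change it every time the structure changes. A module built against the old header would then pass a version check while its function pointers sit at the wrong offsets, and the new call sites in fs/exec.c and fs/inode.c invoke `set_security` and `delete` without a NULL test. Bump the constant in this patch.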
    @@ -96,14 +99,15 @@
     	int (* llseek)			(struct file *file);
     	int (* read)			(struct file *file);
     	int (* write)			(struct file *file);
    +	/* Warning!  The arg parameter may be a user space pointer for some commands.  Handle with care. */
     	int (* ioctl)			(struct file *file, unsigned int cmd, unsigned long arg);
     	int (* mmap)			(struct file *file, unsigned long prot, unsigned long flags);
     	int (* mprotect)		(struct vm_area_struct *vma, unsigned long prot);
    -	int (* lock)			(struct file *file);
    +	int (* lock)			(struct file *file, unsigned int cmd);
     	int (* readv)			(struct file *file);
     	int (* writev)			(struct file *file);
    +	/* Warning!  The arg parameter may be a user space pointer for some commands.  Handle with care. */
     	int (* fcntl)			(struct file *file, unsigned int cmd, unsigned long arg);
    -	int (* fcntl64)			(struct file *file, unsigned int cmd, unsigned long arg);
     	int (* set_fowner)		(struct file *file);
     	int (* send_sigiotask)		(struct task_struct *tsk, struct fown_struct *fown, int fd, int reason);
     	int (* receive)                 (struct file *file);
    @@ -185,9 +189,9 @@
     };
     
     struct module_security_ops {
    - 	int  (* create_module)		(const char *name_user, size_t size);			
    - 	int  (* init_module)		(const char *name_user, struct module *mod_user);	
    - 	int  (* delete_module)		(const char *name_user);				
    + 	int  (* create_module)		(const char *name, size_t size);			
    + 	int  (* init_module)		(const char *name, struct module *mod);	
    + 	int  (* delete_module)		(const char *name);				
     };
     
     struct ipc_security_ops {
    @@ -232,14 +236,13 @@
     	/* syscalls that are checked for permissions */
     	int  (* sethostname)		(char *hostname);		
     	int  (* setdomainname)		(char *domainname);
    -	int  (* reboot)			(unsigned int cmd, void *arg);	
    +	int  (* reboot)			(unsigned int cmd);	
     	int  (* mount)			(char * dev_name, struct nameidata *nd,
     					 char * type, unsigned long flags, 
     					 void * data);			
     	int  (* umount)			(struct vfsmount *mnt, int flags);	
     	void (* umount_close)		(struct vfsmount *mnt);    
     	void (* umount_busy)		(struct vfsmount *mnt);    
    -	int  (* remount)		(struct vfsmount *mnt, unsigned long flags, void *data);    
     	void (* post_remount)		(struct vfsmount *mnt, unsigned long flags, void *data);    
     	int  (* ioperm)			(unsigned long from, unsigned long num, int turn_on);
     	int  (* iopl)			(unsigned int old, unsigned int level);		
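Review bot: With `remount` removed, no hook left in this struct can refuse a remount, since `post_remount` returns void and runs after the fact. Unless the `mount` hook is also reached for remount requests (its call site is not part of this patch), a module loses the ability to deny a change of flags on an existing mount. If `mount` does cover that case, say so at its declaration, for example `/* also called for remount requests; check flags */`, so module authors know where to enforce it.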
    diff -X /home/sds/dontdiff -ur lsm-wirex/kernel/capability_plug.c lsm/kernel/capability_plug.c
    --- lsm-wirex/kernel/capability_plug.c	Thu Aug  2 13:33:10 2001
    +++ lsm/kernel/capability_plug.c	Fri Aug  3 15:31:50 2001
    @@ -28,12 +28,11 @@
     
     static int cap_sethostname	(char *hostname)	{return 0;}
     static int cap_setdomainname	(char *domainname)	{return 0;}
    -static int cap_reboot		(unsigned int cmd, void *arg)	{return 0;}
    +static int cap_reboot		(unsigned int cmd)	{return 0;}
     static int cap_mount		(char * dev_name, struct nameidata *nd, char * type, unsigned long flags, void * data)	{return 0;}
     static int cap_umount		(struct vfsmount *mnt, int flags)	{return 0;}
     static void cap_umount_close	(struct vfsmount *mnt)	{return;}
     static void cap_umount_busy	(struct vfsmount *mnt)	{return;}
    -static int cap_remount		(struct vfsmount *mnt, unsigned long flags, void *data)	{return 0;}
     static void cap_post_remount	(struct vfsmount *mnt, unsigned long flags, void *data)	{return;}
     static int cap_ioperm		(unsigned long from, unsigned long num, int turn_on)	{return 0;}
     static int cap_iopl		(unsigned int old, unsigned int level)	{return 0;}
    @@ -64,7 +63,9 @@
     static int cap_acct		(struct file *file) {return 0;}
     static int cap_sysctl		(ctl_table * table, int op) {return 0;}
     
    -static int cap_binprm_alloc_security(struct linux_binprm *bprm)
    +static int cap_binprm_alloc_security	(struct linux_binprm *bprm) {return 0;}
    +
    +static int cap_binprm_set_security(struct linux_binprm *bprm)
     {
     	/* Copied from fs/exec.c:prepare_binprm. */
     
    @@ -164,7 +165,7 @@
     static void cap_inode_post_mknod	(struct inode *inode, struct dentry *dentry, int major, dev_t minor) {return;}
     static int cap_inode_rename		(struct inode *old_inode, struct dentry *old_dentry, struct inode *new_inode, struct dentry *new_dentry) {return 0;}
     static void cap_inode_post_rename	(struct inode *old_inode, struct dentry *old_dentry, struct inode *new_inode, struct dentry *new_dentry) {return;}
    -static int cap_inode_readlink		(struct dentry *dentry, char *name, int mask) {return 0;}
    +static int cap_inode_readlink		(struct dentry *dentry) {return 0;}
     static int cap_inode_follow_link	(struct dentry *dentry, struct nameidata *nameidata) {return 0;}
     static int cap_inode_truncate		(struct inode *inode) {return 0;}
     static int cap_inode_permission		(struct inode *inode, int mask) {return 0;}
    @@ -172,6 +173,7 @@
     static int cap_inode_setattr		(struct dentry *dentry, struct iattr *iattr) {return 0;}
     static int cap_inode_stat		(struct inode *inode) {return 0;}
     static void cap_post_lookup		(struct inode *ino, struct dentry *d) {return;}
    +static void cap_delete		        (struct inode *ino) {return;}
     
     static int cap_file_permission		(struct file *file, int mask)	{return 0;}
     static int cap_file_alloc_security	(struct file *file)	{return 0;}
    @@ -183,11 +185,10 @@
     , unsigned long arg)	{return 0;}
     static int cap_file_mmap		(struct file *file, unsigned long prot, unsigned long flags)	{return 0;}
     static int cap_file_mprotect		(struct vm_area_struct *vma, unsigned long prot)	{return 0;}
    -static int cap_file_lock		(struct file *file)	{return 0;}
    +static int cap_file_lock		(struct file *file, unsigned int cmd)	{return 0;}
     static int cap_file_readv		(struct file *file)	{return 0;}
     static int cap_file_writev		(struct file *file)	{return 0;}
     static int cap_file_fcntl		(struct file *file, unsigned int cmd, unsigned long arg)	{return 0;}
    -static int cap_file_fcntl64		(struct file *file, unsigned int cmd, unsigned long arg)	{return 0;}
     static int cap_file_set_fowner		(struct file *file)	{return 0;}
     static int cap_file_send_sigiotask	(struct task_struct *tsk, struct fown_struct *fown, int fd, int reason) { return 0; }
     static int cap_file_receive	        (struct file *file)	{return 0;}
    @@ -397,6 +398,7 @@
     	alloc_security:	cap_binprm_alloc_security,
     	free_security:	cap_binprm_free_security,
     	compute_creds:	cap_binprm_compute_creds,
    +	set_security:	cap_binprm_set_security,
     };
     
     static struct super_block_security_ops cap_sb_ops = {
    @@ -430,6 +432,7 @@
     	setattr:	cap_inode_setattr,
     	stat:           cap_inode_stat,
     	post_lookup:	cap_post_lookup,
    +	delete:	        cap_delete,
     };
     
     static struct file_security_ops	cap_file_ops = {
    @@ -446,7 +449,6 @@
     	readv:		cap_file_readv,
     	writev:		cap_file_writev,
     	fcntl:		cap_file_fcntl,
    -	fcntl64:	cap_file_fcntl64,
     	set_fowner:	cap_file_set_fowner,
     	send_sigiotask:	cap_file_send_sigiotask,
     	receive:        cap_file_receive,
    @@ -570,7 +572,6 @@
     	umount:			cap_umount,
     	umount_close:		cap_umount_close,
     	umount_busy:		cap_umount_busy,
    -	remount:		cap_remount,
     	post_remount:		cap_post_remount,
     	ioperm:			cap_ioperm,
     	iopl:			cap_iopl,
    diff -X /home/sds/dontdiff -ur lsm-wirex/kernel/security.c lsm/kernel/security.c
    --- lsm-wirex/kernel/security.c	Fri Aug  3 08:32:08 2001
    +++ lsm/kernel/security.c	Fri Aug  3 15:36:59 2001
    @@ -41,12 +41,11 @@
     /* Stub functions for the default security function pointers in case no security model is loaded */
     static int dummy_sethostname	(char *hostname)	{return 0;}
     static int dummy_setdomainname	(char *domainname)	{return 0;}
    -static int dummy_reboot		(unsigned int cmd, void *arg)	{return 0;}
    +static int dummy_reboot		(unsigned int cmd)	{return 0;}
     static int dummy_mount		(char * dev_name, struct nameidata *nd, char * type, unsigned long flags, void * data)	{return 0;}
     static int dummy_umount		(struct vfsmount *mnt, int flags)							{return 0;}
     static void dummy_umount_close	(struct vfsmount *mnt)									{return;}
     static void dummy_umount_busy	(struct vfsmount *mnt)									{return;}
    -static int dummy_remount	(struct vfsmount *mnt, unsigned long flags, void *data)					{return 0;}
     static void dummy_post_remount	(struct vfsmount *mnt, unsigned long flags, void *data)					{return;}
     static int dummy_ioperm	(unsigned long from, unsigned long num, int turn_on)	{return 0;}
     static int dummy_iopl	(unsigned int old, unsigned int level)	{return 0;}
    @@ -70,6 +69,7 @@
     static int dummy_binprm_alloc_security	(struct linux_binprm *bprm)	{return 0;}
     static void dummy_binprm_free_security	(struct linux_binprm *bprm)	{return;}
     static void dummy_binprm_compute_creds	(struct linux_binprm *bprm)	{return;}
    +static int dummy_binprm_set_security	(struct linux_binprm *bprm)	{return 0;}
     
     static int dummy_sb_alloc_security	(struct super_block *sb)	{return 0;}
     static void dummy_sb_free_security	(struct super_block *sb)	{return;}
    @@ -91,14 +91,15 @@
     static void dummy_inode_post_mknod	(struct inode *inode, struct dentry *dentry, int major, dev_t minor) {return;}
     static int dummy_inode_rename		(struct inode *old_inode, struct dentry *old_dentry, struct inode *new_inode, struct dentry *new_dentry) {return 0;}
     static void dummy_inode_post_rename	(struct inode *old_inode, struct dentry *old_dentry, struct inode *new_inode, struct dentry *new_dentry) {return;}
    -static int dummy_inode_readlink		(struct dentry *dentry, char *name, int mask) {return 0;}
    +static int dummy_inode_readlink		(struct dentry *dentry) {return 0;}
     static int dummy_inode_follow_link	(struct dentry *dentry, struct nameidata *nameidata) {return 0;}
     static int dummy_inode_truncate		(struct inode *inode) {return 0;}
     static int dummy_inode_permission	(struct inode *inode, int mask) { return 0; }
     static int dummy_inode_revalidate	(struct dentry *inode) {return 0;}
     static int dummy_inode_setattr		(struct dentry *dentry, struct iattr *iattr)	{return 0;}
     static int dummy_inode_stat		(struct inode *inode) {return 0;}
    -static void dummy_post_lookup		(struct inode *ino, struct dentry *d) {return;};
    +static void dummy_post_lookup		(struct inode *ino, struct dentry *d) {return;}
    +static void dummy_delete		(struct inode *ino) {return;}
     
     static int dummy_file_permission	(struct file *file, int mask)	{return 0;}
     static int dummy_file_alloc_security	(struct file *file)	{return 0;}
    @@ -109,11 +110,10 @@
     static int dummy_file_ioctl		(struct file *file, unsigned int command, unsigned long arg)	{return 0;}
     static int dummy_file_mmap		(struct file *file, unsigned long prot, unsigned long flags)	{return 0;}
     static int dummy_file_mprotect		(struct vm_area_struct *vma, unsigned long prot)	{return 0;}
    -static int dummy_file_lock		(struct file *file)	{return 0;}
    +static int dummy_file_lock		(struct file *file, unsigned int cmd)	{return 0;}
     static int dummy_file_readv		(struct file *file)	{return 0;}
     static int dummy_file_writev		(struct file *file)	{return 0;}
     static int dummy_file_fcntl		(struct file *file, unsigned int cmd, unsigned long arg)	{return 0;}
    -static int dummy_file_fcntl64		(struct file *file, unsigned int cmd, unsigned long arg)	{return 0;}
     static int dummy_file_set_fowner	(struct file *file)	{return 0;}
     static int dummy_file_send_sigiotask	(struct task_struct *tsk, struct fown_struct *fown, int fd, int reason)		{return 0;}
     static int dummy_file_receive	        (struct file *file)	{return 0;}
    @@ -233,6 +233,7 @@
     	alloc_security:	dummy_binprm_alloc_security,
     	free_security:	dummy_binprm_free_security,
     	compute_creds:	dummy_binprm_compute_creds,
    +	set_security:	dummy_binprm_set_security,
     };
     static struct super_block_security_ops dummy_sb_ops = {
     	alloc_security:	dummy_sb_alloc_security,
    @@ -264,6 +265,7 @@
     	setattr:	dummy_inode_setattr,
     	stat:           dummy_inode_stat,
     	post_lookup:	dummy_post_lookup,
    +	delete:	        dummy_delete,
     };
     
     static struct file_security_ops	dummy_file_ops = {
    @@ -280,7 +282,6 @@
     	readv:		dummy_file_readv,
     	writev:		dummy_file_writev,
     	fcntl:		dummy_file_fcntl,
    -	fcntl64:	dummy_file_fcntl64,
     	set_fowner:	dummy_file_set_fowner,
     	send_sigiotask:	dummy_file_send_sigiotask,
     	receive:	dummy_file_receive,
    @@ -404,7 +405,6 @@
     	umount:			dummy_umount,
     	umount_close:		dummy_umount_close,
     	umount_busy:		dummy_umount_busy,
    -	remount:		dummy_remount,
     	post_remount:		dummy_post_remount,
     	ioperm:			dummy_ioperm,
     	iopl:			dummy_iopl,
    @@ -478,7 +478,6 @@
     	    !ops->umount ||
     	    !ops->umount_close ||
     	    !ops->umount_busy ||
    -	    !ops->remount ||
     	    !ops->post_remount ||
     	    !ops->ioperm ||
     	    !ops->iopl ||
    diff -X /home/sds/dontdiff -ur lsm-wirex/kernel/sys.c lsm/kernel/sys.c
    --- lsm-wirex/kernel/sys.c	Thu Aug  2 13:33:10 2001
    +++ lsm/kernel/sys.c	Fri Aug  3 15:30:04 2001
    @@ -282,7 +282,7 @@
     	if (!capable(CAP_SYS_BOOT))
     		return -EPERM;
     
    -	retval = security_ops->reboot(cmd, arg);
    +	retval = security_ops->reboot(cmd);
     	if (retval) {
     		return retval;
     	}
    
    


