Port of secure fd handling to LSM

From: richard offer (offerat_private)
Date: Mon Aug 06 2001 - 17:50:51 PDT

  • Next message: Greg KH: "Re: Port of secure fd handling to LSM"

    Attached is a quick port of that part of grsecurity (1.6) that deals with
    handling fds 0,1,2 securely. (thanks to Matt Block for pointing out the 2.4
    Its a proof of concept, its not an example of good coding (there's a huge
    memory leak there)
    There is also a patch to add a new hook 
        static void dummy_binprm_flush (struct linux_binprm *bprm);
    that is called from flush_old_exec().
    Here is a test case to prove that the policy is working
    int main(int argc, char **argv)
            int     fd;
            return 0;
        % touch sfd.c.tmp
    Compile this and run it using strace,
        % strace ./sfd 1>&-
    you'll see the value of fd changes from 1 to 3 when the module is present.
    Can we have our fds in now please ? :-)
        Should we create a new de-facto standard directory for policies to be
    located in the kernel tree ? It would make it easier if we all had a single
    location for them... 
    Richard Offer                     Technical Lead, Trust Technology, SGI
    "Specialization is for insects"

    _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module

    This archive was generated by hypermail 2b30 : Mon Aug 06 2001 - 17:54:33 PDT