On Fri, Aug 10, 2001 at 01:43:38PM +1000, James Morris wrote: > On Thu, 9 Aug 2001, Lachlan McIlroy wrote: > > > None that I can see, maybe I can preserve the original > > behaviour when there is no LSM installed. > > Further to my previous email, the original behaviour can also be preserved > by leaving the hook where it is in your patch, and adding a > capable(CAP_NET_RAW) call in the dummy LSM module for this hook. Much like this does?
diff -Nru a/include/linux/ip.h b/include/linux/ip.h
--- a/include/linux/ip.h Fri Aug 10 00:20:54 2001
+++ b/include/linux/ip.h Fri Aug 10 00:20:54 2001
@@ -58,6 +58,7 @@
 #define IPOPT_SEC (2 |IPOPT_CONTROL|IPOPT_COPY)
 #define IPOPT_LSRR (3 |IPOPT_CONTROL|IPOPT_COPY)
 #define IPOPT_TIMESTAMP (4 |IPOPT_MEASUREMENT)
+#define IPOPT_CIPSO (6 |IPOPT_CONTROL|IPOPT_COPY)
 #define IPOPT_RR (7 |IPOPT_CONTROL)
 #define IPOPT_SID (8 |IPOPT_CONTROL|IPOPT_COPY)
 #define IPOPT_SSRR (9 |IPOPT_CONTROL|IPOPT_COPY)
diff -Nru a/include/linux/security.h b/include/linux/security.h
--- a/include/linux/security.h Fri Aug 10 00:20:54 2001
+++ b/include/linux/security.h Fri Aug 10 00:20:54 2001
@@ -175,6 +175,7 @@
 int (* defragment) (struct sk_buff *skb);
 void (* encapsulate) (struct sk_buff *skb);
 void (* decapsulate) (struct sk_buff *skb);
+ int (* decode_options) (struct sk_buff *skb, const char *optptr);
 };

 struct netdev_security_ops {
diff -Nru a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
--- a/net/ipv4/ip_options.c Fri Aug 10 00:20:54 2001
+++ b/net/ipv4/ip_options.c Fri Aug 10 00:20:54 2001
@@ -433,7 +433,13 @@
 opt->router_alert = optptr - iph;
 break;
 case IPOPT_SEC:
+ case IPOPT_CIPSO:
 case IPOPT_SID:
+ if (security_ops->ip_ops->decode_options(skb, optptr)) {
+ pp_ptr = optptr;
+ goto error;
+ }
+ break;
 default:
 if (!skb && !capable(CAP_NET_RAW)) {
 pp_ptr = optptr;
diff -Nru a/security/capability_plug.c b/security/capability_plug.c
--- a/security/capability_plug.c Fri Aug 10 00:20:54 2001
+++ b/security/capability_plug.c Fri Aug 10 00:20:54 2001 
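Review bot: The new `decode_options` member carries no comment stating its contract, and the caller added in ip_options.c treats any non-zero return as grounds to reject the option and abort option parsing, which a future LSM author cannot tell from the declaration alone. The `!skb && !capable(CAP_NET_RAW)` test in the dummy implementations suggests `skb` is NULL when the options come from a local caller rather than a received packet; if that is the intended meaning it belongs in the header. Proposed comment above the member: `/* Called for IPOPT_SEC, IPOPT_CIPSO and IPOPT_SID; skb is NULL for locally supplied options. Return non-zero to reject the option. */`. The struct definition starts before the hunk.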
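Review bot: A non-zero return from `decode_options` takes the `pp_ptr = optptr; goto error;` path that the surrounding function uses for a malformed option; the `error:` label is outside the hunk, but if it still answers a received packet (skb != NULL) with an ICMP parameter problem, an LSM policy rejection becomes distinguishable on the wire from a silent drop, so either give policy failures a separate drop path or state in a comment that the ICMP reply is accepted. The hook is handed only `optptr`, so a decoder must take `optptr[1]` as the option length; the length check before the `switch` (also outside the hunk) appears to have bounded it, which is worth saying at the call site, e.g. `/* optptr[1] already checked against the remaining header length */`. If `optptr` is `unsigned char *` as elsewhere in this function, passing it to the hook's `const char *` parameter draws a pointer-sign warning. The enclosing function starts and ends outside the hunk.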
@@ -334,6 +334,12 @@
 static int cap_ip_defragment (struct sk_buff *skb) {return 0;}
 static void cap_ip_encapsulate (struct sk_buff *skb) {return;}
 static void cap_ip_decapsulate (struct sk_buff *skb) {return;}
+static void cap_ip_decode_options (struct sk_buff *skb, const char *optptr)
+{
+ if (!skb && !capable(CAP_NET_RAW))
+ return -EACCESS;
+ return 0;
+}

 static int cap_netdev_ioctl (struct net_device *dev, int cmd, void *arg) {return 0;}
 static void cap_netdev_unregister (struct net_device *dev) {return;}
@@ -503,6 +509,7 @@
 defragment: cap_ip_defragment,
 encapsulate: cap_ip_encapsulate,
 decapsulate: cap_ip_decapsulate,
+ decode_options: cap_ip_decode_options,
 };

 static struct netdev_security_ops cap_netdev_ops = {
diff -Nru a/security/security.c b/security/security.c
--- a/security/security.c Fri Aug 10 00:20:54 2001
+++ b/security/security.c Fri Aug 10 00:20:54 2001
@@ -170,6 +170,12 @@
 static int dummy_ip_defragment (struct sk_buff *skb) {return 0;}
 static void dummy_ip_decapsulate (struct sk_buff *skb) {return;}
 static void dummy_ip_encapsulate (struct sk_buff *skb) {return;}
+static void dummy_ip_decode_options (struct sk_buff *skb, const char *optptr)
+{
+ if (!skb && !capable(CAP_NET_RAW))
+ return -EACCES;
+ return 0;
+}

 static int dummy_netdev_ioctl (struct net_device *dev, int cmd, void *arg) {return 0;}
 static void dummy_netdev_unregister (struct net_device *dev) {return;}
@@ -337,6 +343,7 @@
 defragment: dummy_ip_defragment,
 encapsulate: dummy_ip_encapsulate,
 decapsulate: dummy_ip_decapsulate,
+ decode_options: dummy_ip_decode_options,
 };

 static struct netdev_security_ops dummy_netdev_ops = {
_______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
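Review bot: `cap_ip_decode_options` is declared `static void` yet returns `-EACCESS` and `0`, and the second hunk stores it in the `int (* decode_options)` slot added in security.h, so the build will reject or warn on it and the `if (...)` test at the call site cannot rely on its value; `dummy_ip_decode_options` in the security.c hunk has the same `void` return type. `-EACCESS` is also not an errno constant, while security.c spells it `-EACCES`, which is the one that exists. Change the declaration to `static int cap_ip_decode_options (struct sk_buff *skb, const char *optptr)` and the failure line to `return -EACCES;`, and make the same return-type change in security.c. Since the capability module never inspects the option bytes, a one-line comment such as `/* capability module only gates local use on CAP_NET_RAW; option contents are not inspected */` would make the unused `optptr` intentional rather than an oversight.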