Here is the Unix domain socket hook patch again, this time without the syscall changes, since Greg K-H has committed an equivalent for those changes. -- Stephen D. Smalley, NAI Labs ssmalleyat_private
diff -X /home/sds/dontdiff -ru lsm-wirex/include/linux/security.h lsm/include/linux/security.h
--- lsm-wirex/include/linux/security.h Thu Aug 23 15:01:10 2001
+++ lsm/include/linux/security.h Thu Aug 23 15:30:49 2001
@@ -149,6 +149,8 @@
 int (* setsockopt) (struct socket *sock, int level, int optname);
 int (* shutdown) (struct socket *sock, int how);
 int (* sock_rcv_skb) (struct sock *sk, struct sk_buff *skb);
+ int (* unix_stream_connect) (struct socket *sock, struct socket *other);
+ int (* unix_may_send) (struct socket *sock, struct socket *other);
 };
 struct skb_security_ops {
diff -X /home/sds/dontdiff -ru lsm-wirex/net/unix/af_unix.c lsm/net/unix/af_unix.c
--- lsm-wirex/net/unix/af_unix.c Fri Aug 17 09:21:50 2001
+++ lsm/net/unix/af_unix.c Thu Aug 23 13:09:03 2001
@@ -794,6 +794,12 @@
 err = -EPERM;
 if (!unix_may_send(sk, other))
 goto out_unlock;
+
+ err = security_ops->socket_ops->unix_may_send(sk->socket,
+ other->socket);
+ if (err)
+ goto out_unlock;
+
 } else {
 /*
 * 1003.1g breaking connected state with AF_UNSPEC
@@ -960,6 +966,12 @@
 /* The way is open! Fastly set all the necessary fields... */
+ err = security_ops->socket_ops->unix_stream_connect(sock, other->socket);
+ if (err) {
+ unix_state_wunlock(sk);
+ goto out_unlock;
+ }
+
 sock_hold(sk);
 unix_peer(newsk)=sk;
 newsk->state=TCP_ESTABLISHED;
@@ -1211,6 +1223,11 @@
 unix_state_rlock(other);
 err = -EPERM;
 if (!unix_may_send(sk, other))
+ goto out_unlock;
+
+ err = security_ops->socket_ops->unix_may_send(sk->socket,
+ other->socket);
+ if (err)
 goto out_unlock;
 if (other->dead) {
diff -X /home/sds/dontdiff -ru lsm-wirex/security/capability_plug.c lsm/security/capability_plug.c
--- lsm-wirex/security/capability_plug.c Thu Aug 23 15:01:10 2001
+++ lsm/security/capability_plug.c Thu Aug 23 15:30:02 2001
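Review bot: The two new hook slots in struct socket_security_ops carry no comment describing their contract, and a module author cannot tell from the header what the arguments are, what the return value means, or in what context the hooks run. Add a block comment above `unix_stream_connect` stating that `sock` is the connecting socket and `other` is the listening socket (for `unix_may_send`, the intended recipient), that 0 permits the operation and a negative errno is propagated to userspace as the connect/sendmsg result, and that both hooks are invoked from af_unix.c between `unix_state_*` lock/unlock pairs and so must not sleep. The lock context is inferred from the `unix_state_rlock`/`unix_state_wunlock` calls visible around the call sites in the af_unix.c hunks and should be confirmed against the full functions. The struct definition starts outside this hunk.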
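Review bot: In the -960 hunk the `unix_stream_connect` hook runs after the listener-side child `newsk` already exists (it is wired up on the `unix_peer(newsk)=sk` line right below), yet the hook receives only `sock` and `other->socket`, so a module that wants to attach security state to the accepted child has no handle to it at the only point where it can still veto the connection. Consider passing the child as a third argument, `err = security_ops->socket_ops->unix_stream_connect(sock, other->socket, newsk);`, with the prototype in security.h and the stubs in capability_plug.c and security.c updated to match. The failure path here relies on `out_unlock` releasing `other` and freeing `newsk` and the queued skb, which lie outside the hunk and should be checked. The enclosing unix_stream_connect body starts and ends outside this hunk.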
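Review bot: In the -1211 hunk the new `unix_may_send` call dereferences `other->socket` before the `if (other->dead)` check that immediately follows it, so a peer that has already been orphaned can reach the hook with a stale or NULL `struct socket *`, and a module that inspects `other` will fault on it. Move the hook call below the dead-peer handling (and after any shutdown check in that block) so the hook only ever sees a live peer; whether `socket` is cleared when a sock is orphaned in this tree should be confirmed against sock_orphan(). The -794 hunk issues the same `unix_may_send(sk->socket, other->socket)` call with no liveness check visible in the hunk and deserves the same review. The enclosing sendmsg function continues outside this hunk.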
@@ -414,6 +414,8 @@
 static int cap_socket_getsockopt (struct socket *sock, int level, int optname) {return 0;}
 static int cap_socket_shutdown (struct socket *sock, int how) {return 0;}
 static int cap_sock_rcv_skb (struct sock *sk, struct sk_buff *skb) {return 0;}
+static int cap_socket_unix_stream_connect (struct socket *sock, struct socket *other) {return 0;}
+static int cap_socket_unix_may_send (struct socket *sock, struct socket *other) {return 0;}
 static int cap_module_create_module (const char *name_user, size_t size) {return 0;}
 static int cap_module_init_module (const char *name_user, struct module *mod_user) {return 0;}
@@ -543,6 +545,8 @@
 setsockopt: cap_socket_setsockopt,
 shutdown: cap_socket_shutdown,
 sock_rcv_skb: cap_sock_rcv_skb,
+ unix_stream_connect: cap_socket_unix_stream_connect,
+ unix_may_send: cap_socket_unix_may_send,
 };
 static struct skb_security_ops cap_skb_ops = {
diff -X /home/sds/dontdiff -ru lsm-wirex/security/security.c lsm/security/security.c
--- lsm-wirex/security/security.c Thu Aug 23 15:01:10 2001
+++ lsm/security/security.c Thu Aug 23 15:10:49 2001
@@ -215,6 +215,8 @@
 static int dummy_socket_getsockopt (struct socket *sock, int level, int optname) {return 0;}
 static int dummy_socket_shutdown (struct socket *sock, int how) {return 0;}
 static int dummy_sock_rcv_skb (struct sock *sk, struct sk_buff *skb) {return 0;}
+static int dummy_socket_unix_stream_connect (struct socket *sock, struct socket *other) {return 0;}
+static int dummy_socket_unix_may_send (struct socket *sock, struct socket *other) {return 0;}
 static int dummy_module_create_module (const char *name_user, size_t size) {return 0;}
 static int dummy_module_init_module (const char *name_user, struct module *mod_user) {return 0;}
@@ -342,6 +344,8 @@
 setsockopt: dummy_socket_setsockopt,
 shutdown: dummy_socket_shutdown,
 sock_rcv_skb: dummy_sock_rcv_skb,
+ unix_stream_connect: dummy_socket_unix_stream_connect,
+ unix_may_send: dummy_socket_unix_may_send,
 };
 static struct skb_security_ops dummy_skb_ops = {
_______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module