Re: OpenWall SECURE_FIFO as a LSM

From: Nick Bellinger (nickbat_private)
Date: Mon Nov 12 2001 - 17:28:43 PST


    On Mon, 2001-11-12 at 02:14, Chris Wright wrote:
    > * Chris Wright (chrisat_private) wrote:
    > > * Nick Bellinger (nickbat_private) wrote:
    > > > 
    > > > Salutations,
    > > > 
    > > > 	     Attached is Solar Designer's OpenWall SECURE_FIFO feature as an
    > > > LSM, thanks again to the diligent developers of LSM who have created
    > > > this excellent method of kernel exploration.
    > > > 
    > > > 		
    > > > 						Nick Bellinger  
    > > 
    > > Excellent Nick, thanks.  I'm taking these in and combining them into one
    > > module.  I really appreciate your contributions! ;-)
    > 
    > i haven't added this part to the new owlsm module yet.  if you'd like,
    > you could regenerate this patch against the new module ;-)
    > 
    > cheers,
    > -chris
    > 
    
    Attached are the patches for SECURE_FIFO against the owlsm setup, thanks
    for the cleanup!
    
    
    						Nick Bellinger
    
    
    --- Config.in.orig      Mon Nov 12 21:35:57 2001
    +++ Config.in   Mon Nov 12 20:54:36 2001
    @@ -9,6 +9,7 @@
     if [ "$CONFIG_SECURITY_OWLSM" = "y" -o "$CONFIG_SECURITY_OWLSM" = "m"
    ]; then
            bool 'Add RLIMITS_NPROC check to execve'
    CONFIG_OWLSM_RLIMIT_NPROC
            bool 'Restricted links in /tmp' CONFIG_OWLSM_LINK
    +        bool 'Restricted FIFOs in /tmp' CONFIG_OWLSM_FIFO
     fi
     dep_tristate 'Domain and Type Enforcement (EXPERIMENTAL)'
    CONFIG_SECURITY_DTE $CONFIG_EXPERIMENTAL
     endmenu
    
    
    --- owlsm.h.orig        Mon Nov 12 21:36:42 2001
    +++ owlsm.h     Mon Nov 12 21:34:12 2001
    @@ -124,4 +124,38 @@
     }
     #endif /* CONFIG_OWLSM_LINK */
    
    +#ifdef CONFIG_OWLSM_FIFO
    +
    +static inline int do_owlsm_file_permissions (struct file *file, int
    mask)
    +{
    +       struct inode *inode = file->f_dentry->d_inode;
    +       struct inode *parent = file->f_dentry->d_parent->d_inode;
    +
    +        if (S_ISFIFO(inode->i_mode) && !(inode->i_flags & O_EXCL) &&
    +           (parent->i_mode & S_ISVTX) &&
    +           (inode->i_uid != parent->i_uid) &&
    +           (current->fsuid != inode->i_uid))
    +        {
    +          if (!permission(inode, ACC_MODE(inode->i_flags))) {
    +            security_alert("denied writing FIFO of %d.%d by UID %d,
    EUID %d, process %s:%d\n",
    +                           "writes into a FIFO denied",
    +                            inode->i_uid, inode->i_gid,
    +                            current->uid, current->gid,
    +                            current->comm, current->pid);
    +            return -EACCES;
    +          }
    +        }
    +
    +        return 0;
    +}
    +
    +#else
    +
    +static inline int do_owlsm_file_permissions (struct file *file, int
    mask)
    +{
    +       return 0;
    +}
    +
    +#endif /* CONFIG_OWLSM_FIFO */
    +
     #endif /* _OWLSM_H */
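Review bot: The O_EXCL exemption in the new do_owlsm_file_permissions tests `inode->i_flags`, which holds inode attribute flags (S_APPEND, S_IMMUTABLE and friends), not the open(2) flags, so the `!(inode->i_flags & O_EXCL)` term and `ACC_MODE(inode->i_flags)` are looking at the wrong field; the open flags live in `file->f_flags`. The `mask` parameter is never consulted, so reads of a FIFO in a sticky directory are refused too even though the alert text and the original Openwall comment describe a write restriction — assuming the hook receives MAY_READ/MAY_WRITE in `mask`, gate the whole check on `mask & MAY_WRITE`. The alert's "EUID %d" slot is fed `current->gid`; it should be `current->euid`. ACC_MODE appears to be defined in fs/namei.c rather than a header in this kernel series, so passing `MAY_WRITE` to permission() directly avoids depending on it from owlsm.h. Finally, the note that denial only happens when permission() would succeed is inherited from the original patch and deserves a one-line comment (`/* only alert when DAC would have allowed the write */`) so it is not mistaken for an inverted test.
```c
static inline int do_owlsm_file_permissions (struct file *file, int mask)
{
       /* … unchanged: inode and parent lookup … */

        /* Only writes are restricted; test the open(2) flags, not inode attributes. */
        if ((mask & MAY_WRITE) && S_ISFIFO(inode->i_mode) &&
            !(file->f_flags & O_EXCL) &&
            (parent->i_mode & S_ISVTX) &&
            (inode->i_uid != parent->i_uid) &&
            (current->fsuid != inode->i_uid))
        {
          /* only alert when DAC would have allowed the write */
          if (!permission(inode, MAY_WRITE)) {
            security_alert("denied writing FIFO of %d.%d by UID %d, EUID %d, process %s:%d\n",
                           "writes into a FIFO denied",
                            inode->i_uid, inode->i_gid,
                            current->uid, current->euid,
                            current->comm, current->pid);
            return -EACCES;
          }
        }
        /* … unchanged: return 0 … */
```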
    
    
    --- owlsm.c.orig        Mon Nov 12 21:36:26 2001
    +++ owlsm.c     Mon Nov 12 20:53:57 2001
    @@ -374,7 +374,7 @@
    
     static int owlsm_file_permission (struct file *file, int mask)
     {
    -       return 0;
    +       return do_owlsm_file_permissions (file, mask);
     }
    
     static int owlsm_file_alloc_security (struct file *file)
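Review bot: The hook and the helper it now calls disagree in number (`owlsm_file_permission` vs `do_owlsm_file_permissions`), which makes the pair harder to grep and breaks the pattern where each owlsm_ function mirrors its LSM hook name, as `owlsm_file_alloc_security` below does. Renaming the helper to `do_owlsm_file_permission` in owlsm.h (both the CONFIG_OWLSM_FIFO body and the stub) and calling it as `return do_owlsm_file_permission (file, mask);` here would keep the convention.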
    
    
    
    
    


