That's great!! Thanks! There probably needs to be a more general mechanism for modules to notify others that "I claim the binprm security field", instead of detecting things like CONFIG_OWLSM_FD in other modules, but this works as a start.

Stephen Smalley wrote:
> On Mon, 1 Apr 2002, David Wheeler wrote:
>
>> Can OWLSM (openwall for LSM) and/or LIDS
>> be stacked with SELinux? In particular, it seems like
>> Openwall would be useful to stack with SELinux.
>
> Returning to this topic, the attached patch to the SELinux module enables
> the use of owlsm as a secondary security module as long as CONFIG_OWLSM_FD
> is disabled. If CONFIG_OWLSM_FD is accidentally enabled, then the SELinux
> module detects the (mis)use of the binprm security field by the
> secondary module and unregisters it with a warning to avoid subsequent
> conflicts. This patch enables the use of selinux+owlsm with either the
> rlimit nproc check or the link protections. However, as I noted earlier,
> in order to provide selinux+owlsm+capabilities, you would need to revise
> the owlsm module itself, since it currently hardcodes the traditional
> superuser logic.
>
> --
> Stephen D. Smalley, NAI Labs
> ssmalleyat_private
>
> ------------------------------------------------------------------------
>
> Index: security/selinux/hooks.c
> ===================================================================
> RCS file: /cvs/lsm/lsm-2.4/security/selinux/hooks.c,v
> retrieving revision 1.47
> diff -u -r1.47 hooks.c
> --- security/selinux/hooks.c 2002/04/09 14:22:07 1.47
> +++ security/selinux/hooks.c 2002/04/10 13:35:38
> @@ -51,7 +51,9 @@ > static struct security_operations *original_ops = NULL; > > /* Minimal support for a secondary security module, > - just to allow the use of the capability plug. */ > + just to allow the use of the dummy or capability modules. > + The owlsm module can alternatively be used as a secondary > + module as long as CONFIG_OWLSM_FD is not enabled. */ > static struct security_operations *secondary_ops = NULL; > > /* > @@ -1788,6 +1790,28 @@ > > static int selinux_bprm_alloc_security(struct linux_binprm *bprm) > { > + int rc; > + > + /* Make sure that the secondary module doesn't use the > + bprm->security field, since we do not yet support chaining > + of multiple security structures on the field. Neither > + the dummy nor the capability module use the field. The owlsm > + module uses the field if CONFIG_OWLSM_FD is enabled. */ > + rc = secondary_ops->bprm_ops->alloc_security(bprm); > + if (rc) > + return rc; > + if (bprm->security) { > + printk(KERN_WARNING "%s: no support yet for chaining on the security field by secondary modules.\n", __FUNCTION__); > + /* Release the secondary module's security object. */ > + secondary_ops->bprm_ops->free_security(bprm); > + /* Unregister the secondary module to prevent problems > + with subsequent binprm hooks. This will revert to the > + original (dummy) module for the secondary operations. */ > + rc = security_ops->unregister_security("unknown", secondary_ops); > + if (rc) > + return rc; > + printk(KERN_WARNING "%s: Unregistered the secondary security module.\n", __FUNCTION__); > + } > bprm->security = NULL; > return 0; > } > @@ -2146,6 +2170,11 @@ > > static int selinux_inode_link(struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) > { > + int rc; > + > + rc = secondary_ops->inode_ops->link(old_dentry,dir,new_dentry); > + if (rc) > + return rc; > return may_link(dir, old_dentry, MAY_LINK); > } 
> > @@ -2211,6 +2240,11 @@ > > static int selinux_inode_follow_link(struct dentry *dentry, struct nameidata *nameidata) > { > + int rc; > + > + rc = secondary_ops->inode_ops->follow_link(dentry,nameidata); > + if (rc) > + return rc; > return dentry_has_perm(current, dentry, FILE__READ, NULL); > } > > selinux-owlsm.patch > > Content-Type: > > TEXT/PLAIN > Content-Encoding: > > BASE64 -- --- David A. Wheeler dwheelerat_private _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
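Review bot: the reworded comment above secondary_ops (hunk at line 51) ties SELinux's own documentation to another module's config symbol, CONFIG_OWLSM_FD, when the actual constraint enforced below is "the secondary module must not use bprm->security"; state that constraint here and mention CONFIG_OWLSM_FD only as the known example, so the comment stays correct if owlsm's option is renamed or a third module appears.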
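Review bot: in selinux_bprm_alloc_security (hunk at line 1788), the failure path of unregister_security returns rc with bprm->security still holding whatever the secondary module's free_security left in it, because the `bprm->security = NULL;` assignment is only reached on success; set the field to NULL before `return rc;` so the caller's cleanup does not see a pointer to a freed object. Two smaller points: the call passes the literal name "unknown" to unregister_security rather than the registered secondary's name, so the subsequent KERN_WARNING cannot say which module was dropped; and the detection fires only on the first exec after the secondary registers, so a misconfigured owlsm is active for every other hook until then. If a registration-time check is not possible with the current interface, a comment saying so would help the next reader.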
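Review bot: in selinux_inode_link (hunk at line 2146), the new call `secondary_ops->inode_ops->link(old_dentry,dir,new_dentry)` drops the spaces after commas used by the existing `may_link(dir, old_dentry, MAY_LINK)` on the next line; match the file's style. On ordering, a denial from the secondary module now returns before may_link runs, so SELinux's own check on that operation is never reached; if the intent is that SELinux policy always be consulted as well, call may_link first and the secondary hook second, or note in a comment that secondary-first is deliberate.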
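Review bot: selinux_inode_follow_link (hunk at line 2211) has the same spacing nit, `follow_link(dentry,nameidata)`. More substantively, the cover note says the patch enables owlsm's rlimit nproc check as well as the link protections, but the visible hunks only chain the inode link and follow_link hooks; please confirm that the task hook used for the nproc check is already routed to secondary_ops elsewhere in hooks.c, otherwise that part of the description is not covered by this diff.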
This archive was generated by hypermail 2b30 : Wed Apr 10 2002 - 08:04:47 PDT