diff -durN -X dontdiff lsm-2.4/Documentation/Configure.help lsm-2.4.w1/Documentation/Configure.help --- lsm-2.4/Documentation/Configure.help Sat Jul 6 06:38:51 2002 +++ lsm-2.4.w1/Documentation/Configure.help Fri Jul 12 02:06:16 2002 @@ -24387,13 +24387,6 @@ This enables the "default" Linux capabilities functionality. If you are unsure how to answer this question, answer Y. -IP Networking Support -CONFIG_SECURITY_IP - This option enables the Netfilter-based IP networking hooks. - - Answer Y to this if using an LSM module which uses these - hooks, otherwise, answer N. - NSA SELinux Support CONFIG_SECURITY_SELINUX This enables the NSA Security-Enhanced Linux (SELinux) security module, diff -durN -X dontdiff lsm-2.4/include/linux/security.h lsm-2.4.w1/include/linux/security.h --- lsm-2.4/include/linux/security.h Sat Jul 6 06:39:08 2002 +++ lsm-2.4.w1/include/linux/security.h Fri Jul 12 15:20:10 2002 @@ -55,13 +55,6 @@ struct sched_param; struct swap_info_struct; -/* for netfilter-based hooks */ -typedef unsigned int (*ip_opfn) (unsigned int hooknum, - struct sk_buff ** skb, - const struct net_device * in, - const struct net_device * out, - int (*okfn) (struct sk_buff *)); - /** * struct security_operations - main security structure * Security hooks for program execution operations. 
@@ -707,82 +700,6 @@ * manage the lifecycle of security blobs for &sk_buff structures, and are not * intended to be used for access decisions. * - * IPv4 networking hooks. - * - * @ip_preroute_first: - * Hooks declared with the &ip_opfn function pointer make use of the - * Netfilter API for intercepting packets as they traverse the IP layer. - * Each Netfilter hook is grabbed twice, before and after packets are - * passed through the standard iptables-based packet filtering and - * mangling mechanisms. - * Parameters for these hooks are as follows; - * @hooknum contains the hook the packet arrived on. - * @skb contains the &sk_buff containing the packet. - * @in contains the incoming netdevice associated with the packet. - * @out contains the outgoing netdevice associated with the packet. - * @okfn contains the used internally by Netfilter. - * These hooks may return NF_ACCEPT to allow the packet through and - * NF_DROP to drop the packet. - * Further information on the Netfilter API may be found in the Netfilter - * Hacking HOWTO at http://netfilter.samba.org/ - * @ip_preroute_last: - * Netfilter API, see @preroute_first for more information. - * @ip_input_first: - * Netfilter API, see @preroute_first for more information. - * @ip_input_last: - * Netfilter API, see @preroute_first for more information. - * @ip_forward_first: - * Netfilter API, see @preroute_first for more information. - * @ip_forward_last: - * Netfilter API, see @preroute_first for more information. - * @ip_output_first: - * Netfilter API, see @preroute_first for more information. - * @ip_output_last: - * Netfilter API, see @preroute_first for more information. - * @ip_postroute_first: - * Netfilter API, see @preroute_first for more information. - * @ip_postroute_last: - * Netfilter API, see @preroute_first for more information. 
- * @ip_fragment: - * This is called for each fragment generated when an outgoing packet is - * being fragmented, and may be used to copy security attributes from the - * original packet to each fragment. - * @newskb contains the newly created fragment. - * @oldskb contains the original packet being fragmented. - * @ip_defragment: - * This hook is called when an incoming fragment is about to be inserted - * into a reassembly queue. It's purpose is to enable the validation of - * security attributes for each fragment. An LSM module using this hook - * will likely need to maintain its own fragment queue information, handle - * fragment expiration and implement DoS countermeasures. - * @skb contains the incoming fragment. - * Returns 0 on success. - * @ip_encapsulate: - * This hook is called when an IP packet is encapsulated, and may be used - * to update security attributes prior to reprocessing via the local_out - * or forward hooks. - * @skb contains the encapsulated packet. - * @ip_decapsulate: - * This hook is called when a packet is decapsulated, and may be used to - * process security attributes at each level of encapsulation. An example - * of this would be keeping track of nested security associations for an - * incoming packet. - * @skb contains the decapsulated packet. - * @ip_decode_options: - * This hook is used for processing IP security options at the network - * layer when labeled networking (e.g. CIPSO) is implemented. - * For outgoing packets, IP options passed down from the application or - * transport layers may be verified here prior the packet being built. - * For incoming packets, IP options may be verified and their values - * recorded via the &sk_buff security blob for later processing. - * @skb contains the &sk_buff containing IP packet (usually NULL for outgoing). - * @optptr contains the &ip_options structure. - * @pp_ptr contains the parameter problem pointer. - * Returns 0 on success. 
- * A non-zero return value will cause an ICMP parameter problem message to - * be generated and transmitted to the sender. The @pp_ptr parameter may - * be used to point to the offending option parameter. - * * Security hooks for network devices. * @netdev_unregister: * Update the module's state when a network device is unregistered, @@ -1347,17 +1264,6 @@ void (*skb_recv_datagram) (struct sk_buff * skb, struct sock * sk, unsigned flags); void (*skb_free_security) (struct sk_buff * skb); - - ip_opfn ip_preroute_first; - ip_opfn ip_preroute_last; - ip_opfn ip_input_first; - ip_opfn ip_input_last; - ip_opfn ip_forward_first; - ip_opfn ip_forward_last; - ip_opfn ip_output_first; - ip_opfn ip_output_last; - ip_opfn ip_postroute_first; - ip_opfn ip_postroute_last; void (*ip_fragment) (struct sk_buff * newskb, const struct sk_buff * oldskb); diff -durN -X dontdiff lsm-2.4/security/Config.in lsm-2.4.w1/security/Config.in --- lsm-2.4/security/Config.in Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/Config.in Fri Jul 12 02:09:49 2002 @@ -4,7 +4,6 @@ mainmenu_option next_comment comment 'Security options' tristate 'Capabilities Support' CONFIG_SECURITY_CAPABILITIES -dep_tristate 'IP Networking Support' CONFIG_SECURITY_IP $CONFIG_NETFILTER source security/selinux/Config.in dep_tristate 'LSM port of Openwall (EXPERIMENTAL)' CONFIG_SECURITY_OWLSM $CONFIG_EXPERIMENTAL if [ "$CONFIG_SECURITY_OWLSM" = "y" -o "$CONFIG_SECURITY_OWLSM" = "m" ]; then diff -durN -X dontdiff lsm-2.4/security/Makefile lsm-2.4.w1/security/Makefile --- lsm-2.4/security/Makefile Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/Makefile Fri Jul 12 02:10:15 2002 
@@ -22,7 +22,6 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/selinux-obj.o endif obj-$(CONFIG_SECURITY_CAPABILITIES) += capability.o -obj-$(CONFIG_SECURITY_IP) += lsm_ip_glue.o obj-$(CONFIG_SECURITY_OWLSM) += owlsm.o ifeq ($(CONFIG_SECURITY_DTE),y) obj-y += dte/dte_plug.o diff -durN -X dontdiff lsm-2.4/security/Makefile.in lsm-2.4.w1/security/Makefile.in --- lsm-2.4/security/Makefile.in Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/Makefile.in Fri Jul 12 02:10:36 2002 @@ -15,7 +15,6 @@ select(CONFIG_M CONFIG_SECURITY_CAPABILITIES capability.o) -select(CONFIG_M CONFIG_SECURITY_IP lsm_ip_glue.o) # OpenWall select(CONFIG_M CONFIG_SECURITY_OWLSM owlsm.o) diff -durN -X dontdiff lsm-2.4/security/capability.c lsm-2.4.w1/security/capability.c --- lsm-2.4/security/capability.c Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/capability.c Fri Jul 12 02:42:25 2002 @@ -15,7 +15,7 @@ #include #include #include -#include +#include #include /* flag to keep track of how we were registered */ 
@@ -716,96 +716,6 @@ return; } -static unsigned int cap_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int 
cap_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void cap_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1224,16 +1134,6 @@ skb_recv_datagram: cap_skb_recv_datagram, skb_free_security: cap_skb_free_security, - ip_preroute_first: cap_ip_preroute_first, - ip_preroute_last: cap_ip_preroute_last, - ip_input_first: cap_ip_input_first, - ip_input_last: cap_ip_input_last, - ip_forward_first: cap_ip_forward_first, - ip_forward_last: cap_ip_forward_last, - ip_output_first: cap_ip_output_first, - ip_output_last: cap_ip_output_last, - ip_postroute_first: cap_ip_postroute_first, - ip_postroute_last: cap_ip_postroute_last, ip_fragment: cap_ip_fragment, ip_defragment: cap_ip_defragment, ip_encapsulate: cap_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/dte/dte.c lsm-2.4.w1/security/dte/dte.c --- lsm-2.4/security/dte/dte.c Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/dte/dte.c Fri Jul 12 02:42:19 2002 @@ -23,7 +23,7 @@ #include #include -#include +#include #include 
@@ -560,96 +560,6 @@ dte_secondary_ops->task_kmod_set_label(); } -static unsigned int dte_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - 
-static unsigned int dte_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void dte_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1091,16 +1001,6 @@ skb_recv_datagram: dte_skb_recv_datagram, skb_free_security: dte_skb_free_security, - ip_preroute_first: dte_ip_preroute_first, - ip_preroute_last: dte_ip_preroute_last, - ip_input_first: dte_ip_input_first, - ip_input_last: dte_ip_input_last, - ip_forward_first: dte_ip_forward_first, - ip_forward_last: dte_ip_forward_last, - ip_output_first: dte_ip_output_first, - ip_output_last: dte_ip_output_last, - ip_postroute_first: dte_ip_postroute_first, - ip_postroute_last: dte_ip_postroute_last, ip_fragment: dte_ip_fragment, ip_defragment: dte_ip_defragment, ip_encapsulate: dte_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/dummy.c lsm-2.4.w1/security/dummy.c --- lsm-2.4/security/dummy.c Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/dummy.c Fri Jul 12 02:39:39 2002 @@ -16,7 +16,7 @@ #include #include #include -#include +#include #include static int dummy_sethostname (char *hostname) 
@@ -537,96 +537,6 @@ return; } -static unsigned int dummy_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int 
dummy_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void dummy_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1048,16 +958,6 @@ skb_recv_datagram: dummy_skb_recv_datagram, skb_free_security: dummy_skb_free_security, - ip_preroute_first: dummy_ip_preroute_first, - ip_preroute_last: dummy_ip_preroute_last, - ip_input_first: dummy_ip_input_first, - ip_input_last: dummy_ip_input_last, - ip_forward_first: dummy_ip_forward_first, - ip_forward_last: dummy_ip_forward_last, - ip_output_first: dummy_ip_output_first, - ip_output_last: dummy_ip_output_last, - ip_postroute_first: dummy_ip_postroute_first, - ip_postroute_last: dummy_ip_postroute_last, ip_fragment: dummy_ip_fragment, ip_defragment: dummy_ip_defragment, ip_encapsulate: dummy_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/lids/lids_lsm.c lsm-2.4.w1/security/lids/lids_lsm.c --- lsm-2.4/security/lids/lids_lsm.c Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/lids/lids_lsm.c Fri Jul 12 02:42:30 2002 @@ -16,7 +16,7 @@ #include #include #include -#include +#include #include #include #include 
@@ -736,96 +736,6 @@ return; } -static unsigned int lids_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int 
lids_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void lids_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1270,16 +1180,6 @@ skb_recv_datagram: lids_skb_recv_datagram, skb_free_security: lids_skb_free_security, - ip_preroute_first: lids_ip_preroute_first, - ip_preroute_last: lids_ip_preroute_last, - ip_input_first: lids_ip_input_first, - ip_input_last: lids_ip_input_last, - ip_forward_first: lids_ip_forward_first, - ip_forward_last: lids_ip_forward_last, - ip_output_first: lids_ip_output_first, - ip_output_last: lids_ip_output_last, - ip_postroute_first: lids_ip_postroute_first, - ip_postroute_last: lids_ip_postroute_last, ip_fragment: lids_ip_fragment, ip_defragment: lids_ip_defragment, ip_encapsulate: lids_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/lsm_ip_glue.c lsm-2.4.w1/security/lsm_ip_glue.c --- lsm-2.4/security/lsm_ip_glue.c Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/lsm_ip_glue.c Thu Jan 1 10:00:00 1970 
@@ -1,157 +0,0 @@ -/* - * Nefilter IPv4 Operations Glue Module for LSM - * - * Copyright (C) 2001 James Morris - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at your option) - * any later version. - * - */ -#include -#include -#include -#include -#include - -#define NF_IP_PRI_LSM_FIRST (NF_IP_PRI_CONNTRACK + 5) -#define NF_IP_PRI_LSM_LAST -NF_IP_PRI_LSM_FIRST - -static unsigned int -preroute_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_preroute_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -preroute_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_preroute_last(hooknum, pskb, in, out, okfn); -} - -static unsigned int -input_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_input_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -input_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_input_last(hooknum, pskb, in, out, okfn); -} - -static unsigned int -forward_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_forward_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -forward_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return 
security_ops->ip_forward_last(hooknum, pskb, in, out, okfn); -} - -static unsigned int -output_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_output_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -output_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_output_last(hooknum, pskb, in, out, okfn); -} - -static unsigned int -postroute_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_postroute_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -postroute_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_postroute_last(hooknum, pskb, in, out, okfn); -} - -static struct nf_hook_ops lsm_ip_ops[] = { - { { NULL, NULL }, preroute_first, - PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, preroute_last, - PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_LSM_LAST }, - - { { NULL, NULL }, input_first, - PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, input_last, - PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_LSM_LAST }, - - { { NULL, NULL }, forward_first, - PF_INET, NF_IP_FORWARD, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, forward_last, - PF_INET, NF_IP_FORWARD, NF_IP_PRI_LSM_LAST }, - - { { NULL, NULL }, output_first, - PF_INET, NF_IP_LOCAL_OUT, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, output_last, - PF_INET, NF_IP_LOCAL_OUT, NF_IP_PRI_LSM_LAST }, - - { { NULL, NULL }, postroute_first, - PF_INET, NF_IP_POST_ROUTING, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, postroute_last, - PF_INET, NF_IP_POST_ROUTING, NF_IP_PRI_LSM_LAST } 
-}; - -static int __init init(void) -{ - int i; - - /* Hook registration never returns error (for now) */ - for (i = 0; i < sizeof(lsm_ip_ops)/sizeof(struct nf_hook_ops); i++) - nf_register_hook(&lsm_ip_ops[i]); - - return 0; -} - -static void __exit fini(void) -{ - unsigned int i; - - for (i = 0; i < sizeof(lsm_ip_ops)/sizeof(struct nf_hook_ops); i++) - nf_unregister_hook(&lsm_ip_ops[i]); -} - -module_init(init); -module_exit(fini); - -MODULE_DESCRIPTION("Nefilter IPv4 Operations Glue for Linux Security Module"); -MODULE_LICENSE("GPL"); - diff -durN -X dontdiff lsm-2.4/security/owlsm.c lsm-2.4.w1/security/owlsm.c --- lsm-2.4/security/owlsm.c Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/owlsm.c Fri Jul 12 02:42:36 2002 @@ -18,7 +18,7 @@ #include #include #include -#include +#include #include #include #include 
@@ -552,96 +552,6 @@ return; } -static unsigned int owlsm_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int 
owlsm_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void owlsm_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1063,16 +973,6 @@ skb_recv_datagram: owlsm_skb_recv_datagram, skb_free_security: owlsm_skb_free_security, - ip_preroute_first: owlsm_ip_preroute_first, - ip_preroute_last: owlsm_ip_preroute_last, - ip_input_first: owlsm_ip_input_first, - ip_input_last: owlsm_ip_input_last, - ip_forward_first: owlsm_ip_forward_first, - ip_forward_last: owlsm_ip_forward_last, - ip_output_first: owlsm_ip_output_first, - ip_output_last: owlsm_ip_output_last, - ip_postroute_first: owlsm_ip_postroute_first, - ip_postroute_last: owlsm_ip_postroute_last, ip_fragment: owlsm_ip_fragment, ip_defragment: owlsm_ip_defragment, ip_encapsulate: owlsm_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/selinux/Config.in lsm-2.4.w1/security/selinux/Config.in --- lsm-2.4/security/selinux/Config.in Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/selinux/Config.in Fri Jul 12 15:09:15 2002 
@@ -1,13 +1,11 @@ -tristate 'NSA SELinux Support' CONFIG_SECURITY_SELINUX +dep_tristate 'NSA SELinux Support' CONFIG_SECURITY_SELINUX $CONFIG_NETFILTER if [ "$CONFIG_SECURITY_SELINUX" != "n" ]; then bool ' NSA SELinux Development Module' CONFIG_SECURITY_SELINUX_DEVELOP if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then bool ' NSA SELinux MLS policy (EXPERIMENTAL)' CONFIG_SECURITY_SELINUX_MLS bool ' NSA SELinux extended socket calls (EXPERIMENTAL)' CONFIG_SECURITY_SELINUX_EXTSOCKET - if [ "$CONFIG_SECURITY_IP" != "n" ]; then - bool ' Labeled IP Networking Support' CONFIG_SECURITY_SELINUX_NSID - dep_tristate ' CIPSO/FIPS-188 IP Options (EXPERIMENTAL)' CONFIG_SECURITY_SELINUX_SELOPT $CONFIG_SECURITY_SELINUX_NSID $CONFIG_SECURITY_SELINUX - fi + bool ' Labeled IP Networking Support' CONFIG_SECURITY_SELINUX_NSID + dep_tristate ' CIPSO/FIPS-188 IP Options (EXPERIMENTAL)' CONFIG_SECURITY_SELINUX_SELOPT $CONFIG_SECURITY_SELINUX_NSID $CONFIG_SECURITY_SELINUX fi fi diff -durN -X dontdiff lsm-2.4/security/selinux/hooks.c lsm-2.4.w1/security/selinux/hooks.c --- lsm-2.4/security/selinux/hooks.c Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/selinux/hooks.c Fri Jul 12 15:21:58 2002 @@ -43,6 +43,7 @@ #include #include #include /* for network interface checks */ +#include #include /* for network interface checks */ #include #include @@ -52,6 +53,9 @@ #include "selinux_plug.h" #include "extsocket.h" +#define NF_IP_PRI_SELINUX_FIRST (NF_IP_PRI_CONNTRACK + 5) +#define NF_IP_PRI_SELINUX_LAST -NF_IP_PRI_SELINUX_FIRST + /* Original (dummy) security module. */ static struct security_operations *original_ops = NULL; @@ -2828,15 +2832,6 @@ new->mapped = old->mapped; } -static unsigned int selinux_ip_preroute_first(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - /* * Helper function for the selinux_ip_preroute_last hook and * selinux_ip_input_last hook. 
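Review bot: The SELinux option now depends on $CONFIG_NETFILTER for the whole module, not only for the labeled-networking sub-options, but the Configure.help entry for CONFIG_SECURITY_SELINUX (touched in this patch only to drop the CONFIG_SECURITY_IP text next to it) does not say so. Suggest adding a sentence to that help text such as `This module registers Netfilter hooks directly, so it requires Netfilter support (CONFIG_NETFILTER).` With the CONFIG_SECURITY_IP guard gone, CONFIG_SECURITY_SELINUX_NSID and CONFIG_SECURITY_SELINUX_SELOPT are now offered whenever SELinux is selected under EXPERIMENTAL, which is consistent with the new dependency but worth a line in the help text as well.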
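Review bot: The two priority macros added in the `@@ -52,6 +53,9 @@` hunk of hooks.c carry the values over from the deleted lsm_ip_glue.c without saying what position in the Netfilter chain they buy, so a reader has to know the NF_IP_PRI_* ordering to see that the `*_FIRST` hooks run just after connection tracking and the `*_LAST` hooks after the iptables filter and NAT steps. Suggest a comment above them, e.g. `/* _FIRST: just after conntrack, before mangle/NAT/filter; _LAST: after all iptables processing, including SNAT. */` — confirm the second half against the NF_IP_PRI_* values in the netfilter_ipv4 header. `NF_IP_PRI_SELINUX_LAST` also expands to an unparenthesized unary minus; `(-NF_IP_PRI_SELINUX_FIRST)` is the safer spelling.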
@@ -2972,24 +2967,6 @@ return selinux_ip_input_helper(skb, ssec, (struct net_device*)in); } -static unsigned int selinux_ip_forward_first(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int selinux_ip_forward_last(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void selinux_skb_set_owner_w(struct sk_buff *skb, struct sock *sk); /* @@ -3051,24 +3028,6 @@ return nsid_ip_label_output(hooknum, pskb, in, out, okfn); } -static unsigned int selinux_ip_output_last(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int selinux_ip_postroute_first(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - static unsigned int selinux_ip_postroute_last(unsigned int hooknum, struct sk_buff **pskb, const struct net_device *in, @@ -4734,16 +4693,6 @@ skb_recv_datagram: selinux_skb_recv_datagram, skb_free_security: selinux_skb_free_security, - ip_preroute_first: selinux_ip_preroute_first, - ip_preroute_last: selinux_ip_preroute_last, - ip_input_first: selinux_ip_input_first, - ip_input_last: selinux_ip_input_last, - ip_forward_first: selinux_ip_forward_first, - ip_forward_last: selinux_ip_forward_last, - ip_output_first: selinux_ip_output_first, - ip_output_last: selinux_ip_output_last, - ip_postroute_first: selinux_ip_postroute_first, - ip_postroute_last: selinux_ip_postroute_last, ip_fragment: selinux_ip_fragment, ip_defragment: selinux_ip_defragment, ip_encapsulate: selinux_ip_encapsulate, 
@@ -4806,6 +4755,42 @@ #endif +static struct nf_hook_ops selinux_ip_ops[] = { + { { NULL, NULL }, selinux_ip_preroute_last, + PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_SELINUX_LAST }, + + { { NULL, NULL }, selinux_ip_input_first, + PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_SELINUX_FIRST }, + + { { NULL, NULL }, selinux_ip_input_last, + PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_SELINUX_LAST }, + + { { NULL, NULL }, selinux_ip_output_first, + PF_INET, NF_IP_LOCAL_OUT, NF_IP_PRI_SELINUX_FIRST }, + + { { NULL, NULL }, selinux_ip_postroute_last, + PF_INET, NF_IP_POST_ROUTING, NF_IP_PRI_SELINUX_LAST } +}; + +static int __init selinux_nf_ip_init(void) +{ + int i; + + /* Hook registration never returns error (for now) */ + for (i = 0; i < sizeof(selinux_ip_ops)/sizeof(struct nf_hook_ops); i++) + nf_register_hook(&selinux_ip_ops[i]); + + return 0; +} + +static void __exit selinux_nf_ip_exit(void) +{ + unsigned int i; + + for (i = 0; i < sizeof(selinux_ip_ops)/sizeof(struct nf_hook_ops); i++) + nf_unregister_hook(&selinux_ip_ops[i]); +} + static int __init selinux_plug_init (void) { int rc = 0; @@ -4831,6 +4816,12 @@ printk(KERN_INFO "SELinux: failed to initialize NSID API\n"); return rc; } + + rc = selinux_nf_ip_init(); + if (rc) { + printk(KERN_INFO "SELinux: failed to initialize IP hooks\n"); + return rc; + } /* Replace the LSM security syscall with our own entrypoint function so that the registers on the stack are available @@ -4845,6 +4836,7 @@ if (rc) { printk (KERN_INFO "Failure registering SELinux with the kernel\n"); sys_call_table[__NR_security] = orig_syscall; + selinux_nf_ip_exit(); return rc; } @@ -4875,6 +4867,8 @@ sys_call_table[__NR_security] = orig_syscall; + selinux_nf_ip_exit(); + /* Deallocate all of the security blobs created by this module and clear the security fields in the corresponding objects. */ 
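Review bot: `selinux_nf_ip_exit` is marked `__exit`, but the `@@ -4845,6 +4836,7 @@` hunk calls it from `selinux_plug_init` on the register_security failure path, i.e. from `__init` code; when SELinux is built into the kernel rather than as a module, `.text.exit` is normally discarded at link time, so that reference can fail to link or point at discarded code — drop the `__exit` attribute on this function. In the same hunk `selinux_nf_ip_init` loops with `int i` against a `size_t` bound while `selinux_nf_ip_exit` uses `unsigned int`; make them agree. The "never returns error" comment leaves the `if (rc)` branch added in the `@@ -4831,6 +4816,12 @@` hunk dead; if `nf_register_hook`'s return value is to be honoured, the loop needs to unwind the hooks already registered, as below. Note also that the hooks go live before `register_security` succeeds, so they can see packets whose security blobs were not set up by SELinux; if the hook bodies do not already tolerate that, registering the hooks after `register_security` (and unregistering them first on exit) would be the safer order.
```c
static int __init selinux_nf_ip_init(void)
{
	unsigned int i;
	int rc;

	for (i = 0; i < sizeof(selinux_ip_ops)/sizeof(struct nf_hook_ops); i++) {
		rc = nf_register_hook(&selinux_ip_ops[i]);
		if (rc) {
			/* unwind the hooks registered so far */
			while (i-- > 0)
				nf_unregister_hook(&selinux_ip_ops[i]);
			return rc;
		}
	}

	return 0;
}

/* no __exit: this is reached from __init code on the failure path */
static void selinux_nf_ip_exit(void)
{
	/* … unchanged: unregister loop … */
}
```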
@@ -4919,10 +4913,6 @@
 p = p->next;
 msg_msg_free_security(msgsec->msg);
 }
-
- /* Synchronize with net_rx_action() and Netfilter hook iteration. */
- br_write_lock_bh(BR_NETPROTO_LOCK);
- br_write_unlock_bh(BR_NETPROTO_LOCK);
 
 /* TBD: assert or override refcounts */
 p = skb_security_head.next;
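Review bot: The `br_write_lock_bh(BR_NETPROTO_LOCK)`/unlock pair removed here was the only visible barrier that waited for in-flight Netfilter hook iteration before the skb security blobs are freed just below; its replacement is the `selinux_nf_ip_exit()` call added earlier in the exit path, which only provides that barrier if `nf_unregister_hook` itself takes BR_NETPROTO_LOCK (the 2.4 netfilter core does, but that is outside this patch — confirm). Suggest keeping the intent visible with a comment at the `selinux_nf_ip_exit()` call: `/* nf_unregister_hook takes BR_NETPROTO_LOCK, which also synchronizes with net_rx_action() before the skb blobs are freed below. */`. The enclosing exit function starts outside this hunk.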