diff -durN -X dontdiff lsm-2.4/Documentation/Configure.help lsm-2.4.w1/Documentation/Configure.help --- lsm-2.4/Documentation/Configure.help Sat Jul 6 06:38:51 2002 +++ lsm-2.4.w1/Documentation/Configure.help Fri Jul 12 23:46:34 2002 @@ -24387,13 +24387,6 @@ This enables the "default" Linux capabilities functionality. If you are unsure how to answer this question, answer Y. -IP Networking Support -CONFIG_SECURITY_IP - This option enables the Netfilter-based IP networking hooks. - - Answer Y to this if using an LSM module which uses these - hooks, otherwise, answer N. - NSA SELinux Support CONFIG_SECURITY_SELINUX This enables the NSA Security-Enhanced Linux (SELinux) security module, diff -durN -X dontdiff lsm-2.4/include/linux/security.h lsm-2.4.w1/include/linux/security.h --- lsm-2.4/include/linux/security.h Fri Jul 12 23:19:33 2002 +++ lsm-2.4.w1/include/linux/security.h Fri Jul 12 23:57:11 2002 @@ -55,13 +55,6 @@ struct sched_param; struct swap_info_struct; -/* for netfilter-based hooks */ -typedef unsigned int (*ip_opfn) (unsigned int hooknum, - struct sk_buff ** skb, - const struct net_device * in, - const struct net_device * out, - int (*okfn) (struct sk_buff *)); - /** * struct security_operations - main security structure * Security hooks for program execution operations. 
@@ -713,40 +706,6 @@ * * IPv4 networking hooks. * - * @ip_preroute_first: - * Hooks declared with the &ip_opfn function pointer make use of the - * Netfilter API for intercepting packets as they traverse the IP layer. - * Each Netfilter hook is grabbed twice, before and after packets are - * passed through the standard iptables-based packet filtering and - * mangling mechanisms. - * Parameters for these hooks are as follows; - * @hooknum contains the hook the packet arrived on. - * @skb contains the &sk_buff containing the packet. - * @in contains the incoming netdevice associated with the packet. - * @out contains the outgoing netdevice associated with the packet. - * @okfn contains the used internally by Netfilter. - * These hooks may return NF_ACCEPT to allow the packet through and - * NF_DROP to drop the packet. - * Further information on the Netfilter API may be found in the Netfilter - * Hacking HOWTO at http://netfilter.samba.org/ - * @ip_preroute_last: - * Netfilter API, see @preroute_first for more information. - * @ip_input_first: - * Netfilter API, see @preroute_first for more information. - * @ip_input_last: - * Netfilter API, see @preroute_first for more information. - * @ip_forward_first: - * Netfilter API, see @preroute_first for more information. - * @ip_forward_last: - * Netfilter API, see @preroute_first for more information. - * @ip_output_first: - * Netfilter API, see @preroute_first for more information. - * @ip_output_last: - * Netfilter API, see @preroute_first for more information. - * @ip_postroute_first: - * Netfilter API, see @preroute_first for more information. - * @ip_postroute_last: - * Netfilter API, see @preroute_first for more information. * @ip_fragment: * This is called for each fragment generated when an outgoing packet is * being fragmented, and may be used to copy security attributes from the 
@@ -1352,17 +1311,6 @@ void (*skb_recv_datagram) (struct sk_buff * skb, struct sock * sk, unsigned flags); void (*skb_free_security) (struct sk_buff * skb); - - ip_opfn ip_preroute_first; - ip_opfn ip_preroute_last; - ip_opfn ip_input_first; - ip_opfn ip_input_last; - ip_opfn ip_forward_first; - ip_opfn ip_forward_last; - ip_opfn ip_output_first; - ip_opfn ip_output_last; - ip_opfn ip_postroute_first; - ip_opfn ip_postroute_last; void (*ip_fragment) (struct sk_buff * newskb, const struct sk_buff * oldskb); diff -durN -X dontdiff lsm-2.4/security/Config.in lsm-2.4.w1/security/Config.in --- lsm-2.4/security/Config.in Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/Config.in Fri Jul 12 23:46:34 2002 @@ -4,7 +4,6 @@ mainmenu_option next_comment comment 'Security options' tristate 'Capabilities Support' CONFIG_SECURITY_CAPABILITIES -dep_tristate 'IP Networking Support' CONFIG_SECURITY_IP $CONFIG_NETFILTER source security/selinux/Config.in dep_tristate 'LSM port of Openwall (EXPERIMENTAL)' CONFIG_SECURITY_OWLSM $CONFIG_EXPERIMENTAL if [ "$CONFIG_SECURITY_OWLSM" = "y" -o "$CONFIG_SECURITY_OWLSM" = "m" ]; then diff -durN -X dontdiff lsm-2.4/security/Makefile lsm-2.4.w1/security/Makefile --- lsm-2.4/security/Makefile Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/Makefile Fri Jul 12 23:46:34 2002 @@ -22,7 +22,6 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/selinux-obj.o endif obj-$(CONFIG_SECURITY_CAPABILITIES) += capability.o -obj-$(CONFIG_SECURITY_IP) += lsm_ip_glue.o obj-$(CONFIG_SECURITY_OWLSM) += owlsm.o ifeq ($(CONFIG_SECURITY_DTE),y) obj-y += dte/dte_plug.o diff -durN -X dontdiff lsm-2.4/security/Makefile.in lsm-2.4.w1/security/Makefile.in --- lsm-2.4/security/Makefile.in Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/Makefile.in Fri Jul 12 23:46:34 2002 
@@ -15,7 +15,6 @@ select(CONFIG_M CONFIG_SECURITY_CAPABILITIES capability.o) -select(CONFIG_M CONFIG_SECURITY_IP lsm_ip_glue.o) # OpenWall select(CONFIG_M CONFIG_SECURITY_OWLSM owlsm.o) diff -durN -X dontdiff lsm-2.4/security/capability.c lsm-2.4.w1/security/capability.c --- lsm-2.4/security/capability.c Fri Jul 12 23:19:33 2002 +++ lsm-2.4.w1/security/capability.c Fri Jul 12 23:46:34 2002 @@ -15,7 +15,7 @@ #include #include #include -#include +#include #include /* flag to keep track of how we were registered */ 
@@ -725,96 +725,6 @@ return; } -static unsigned int cap_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int cap_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int 
cap_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void cap_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1234,16 +1144,6 @@ skb_recv_datagram: cap_skb_recv_datagram, skb_free_security: cap_skb_free_security, - ip_preroute_first: cap_ip_preroute_first, - ip_preroute_last: cap_ip_preroute_last, - ip_input_first: cap_ip_input_first, - ip_input_last: cap_ip_input_last, - ip_forward_first: cap_ip_forward_first, - ip_forward_last: cap_ip_forward_last, - ip_output_first: cap_ip_output_first, - ip_output_last: cap_ip_output_last, - ip_postroute_first: cap_ip_postroute_first, - ip_postroute_last: cap_ip_postroute_last, ip_fragment: cap_ip_fragment, ip_defragment: cap_ip_defragment, ip_encapsulate: cap_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/dte/dte.c lsm-2.4.w1/security/dte/dte.c --- lsm-2.4/security/dte/dte.c Fri Jul 12 23:19:33 2002 +++ lsm-2.4.w1/security/dte/dte.c Fri Jul 12 23:46:34 2002 @@ -23,7 +23,7 @@ #include #include -#include +#include #include 
@@ -566,96 +566,6 @@ dte_secondary_ops->task_reparent_to_init(p); } -static unsigned int dte_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dte_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - 
-static unsigned int dte_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void dte_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1098,16 +1008,6 @@ skb_recv_datagram: dte_skb_recv_datagram, skb_free_security: dte_skb_free_security, - ip_preroute_first: dte_ip_preroute_first, - ip_preroute_last: dte_ip_preroute_last, - ip_input_first: dte_ip_input_first, - ip_input_last: dte_ip_input_last, - ip_forward_first: dte_ip_forward_first, - ip_forward_last: dte_ip_forward_last, - ip_output_first: dte_ip_output_first, - ip_output_last: dte_ip_output_last, - ip_postroute_first: dte_ip_postroute_first, - ip_postroute_last: dte_ip_postroute_last, ip_fragment: dte_ip_fragment, ip_defragment: dte_ip_defragment, ip_encapsulate: dte_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/dummy.c lsm-2.4.w1/security/dummy.c --- lsm-2.4/security/dummy.c Fri Jul 12 23:19:33 2002 +++ lsm-2.4.w1/security/dummy.c Fri Jul 12 23:46:34 2002 @@ -16,7 +16,7 @@ #include #include #include -#include +#include #include static int dummy_sethostname (char *hostname) 
@@ -543,96 +543,6 @@ return; } -static unsigned int dummy_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int dummy_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int 
dummy_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void dummy_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1055,16 +965,6 @@ skb_recv_datagram: dummy_skb_recv_datagram, skb_free_security: dummy_skb_free_security, - ip_preroute_first: dummy_ip_preroute_first, - ip_preroute_last: dummy_ip_preroute_last, - ip_input_first: dummy_ip_input_first, - ip_input_last: dummy_ip_input_last, - ip_forward_first: dummy_ip_forward_first, - ip_forward_last: dummy_ip_forward_last, - ip_output_first: dummy_ip_output_first, - ip_output_last: dummy_ip_output_last, - ip_postroute_first: dummy_ip_postroute_first, - ip_postroute_last: dummy_ip_postroute_last, ip_fragment: dummy_ip_fragment, ip_defragment: dummy_ip_defragment, ip_encapsulate: dummy_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/lids/lids_lsm.c lsm-2.4.w1/security/lids/lids_lsm.c --- lsm-2.4/security/lids/lids_lsm.c Fri Jul 12 23:19:33 2002 +++ lsm-2.4.w1/security/lids/lids_lsm.c Fri Jul 12 23:46:34 2002 @@ -16,7 +16,7 @@ #include #include #include -#include +#include #include #include #include 
@@ -741,96 +741,6 @@ return; } -static unsigned int lids_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int lids_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int 
lids_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn) (struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void lids_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1276,16 +1186,6 @@ skb_recv_datagram: lids_skb_recv_datagram, skb_free_security: lids_skb_free_security, - ip_preroute_first: lids_ip_preroute_first, - ip_preroute_last: lids_ip_preroute_last, - ip_input_first: lids_ip_input_first, - ip_input_last: lids_ip_input_last, - ip_forward_first: lids_ip_forward_first, - ip_forward_last: lids_ip_forward_last, - ip_output_first: lids_ip_output_first, - ip_output_last: lids_ip_output_last, - ip_postroute_first: lids_ip_postroute_first, - ip_postroute_last: lids_ip_postroute_last, ip_fragment: lids_ip_fragment, ip_defragment: lids_ip_defragment, ip_encapsulate: lids_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/lsm_ip_glue.c lsm-2.4.w1/security/lsm_ip_glue.c --- lsm-2.4/security/lsm_ip_glue.c Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/lsm_ip_glue.c Thu Jan 1 10:00:00 1970 
@@ -1,157 +0,0 @@ -/* - * Nefilter IPv4 Operations Glue Module for LSM - * - * Copyright (C) 2001 James Morris - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the Free - * Software Foundation; either version 2 of the License, or (at your option) - * any later version. - * - */ -#include -#include -#include -#include -#include - -#define NF_IP_PRI_LSM_FIRST (NF_IP_PRI_CONNTRACK + 5) -#define NF_IP_PRI_LSM_LAST -NF_IP_PRI_LSM_FIRST - -static unsigned int -preroute_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_preroute_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -preroute_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_preroute_last(hooknum, pskb, in, out, okfn); -} - -static unsigned int -input_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_input_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -input_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_input_last(hooknum, pskb, in, out, okfn); -} - -static unsigned int -forward_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_forward_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -forward_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return 
security_ops->ip_forward_last(hooknum, pskb, in, out, okfn); -} - -static unsigned int -output_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_output_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -output_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_output_last(hooknum, pskb, in, out, okfn); -} - -static unsigned int -postroute_first(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_postroute_first(hooknum, pskb, in, out, okfn); -} - -static unsigned int -postroute_last(unsigned int hooknum, struct sk_buff **pskb, - const struct net_device *in, const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return security_ops->ip_postroute_last(hooknum, pskb, in, out, okfn); -} - -static struct nf_hook_ops lsm_ip_ops[] = { - { { NULL, NULL }, preroute_first, - PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, preroute_last, - PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_LSM_LAST }, - - { { NULL, NULL }, input_first, - PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, input_last, - PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_LSM_LAST }, - - { { NULL, NULL }, forward_first, - PF_INET, NF_IP_FORWARD, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, forward_last, - PF_INET, NF_IP_FORWARD, NF_IP_PRI_LSM_LAST }, - - { { NULL, NULL }, output_first, - PF_INET, NF_IP_LOCAL_OUT, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, output_last, - PF_INET, NF_IP_LOCAL_OUT, NF_IP_PRI_LSM_LAST }, - - { { NULL, NULL }, postroute_first, - PF_INET, NF_IP_POST_ROUTING, NF_IP_PRI_LSM_FIRST }, - - { { NULL, NULL }, postroute_last, - PF_INET, NF_IP_POST_ROUTING, NF_IP_PRI_LSM_LAST } 
-}; - -static int __init init(void) -{ - int i; - - /* Hook registration never returns error (for now) */ - for (i = 0; i < sizeof(lsm_ip_ops)/sizeof(struct nf_hook_ops); i++) - nf_register_hook(&lsm_ip_ops[i]); - - return 0; -} - -static void __exit fini(void) -{ - unsigned int i; - - for (i = 0; i < sizeof(lsm_ip_ops)/sizeof(struct nf_hook_ops); i++) - nf_unregister_hook(&lsm_ip_ops[i]); -} - -module_init(init); -module_exit(fini); - -MODULE_DESCRIPTION("Nefilter IPv4 Operations Glue for Linux Security Module"); -MODULE_LICENSE("GPL"); - diff -durN -X dontdiff lsm-2.4/security/owlsm.c lsm-2.4.w1/security/owlsm.c --- lsm-2.4/security/owlsm.c Fri Jul 12 23:19:33 2002 +++ lsm-2.4.w1/security/owlsm.c Fri Jul 12 23:46:34 2002 @@ -18,7 +18,7 @@ #include #include #include -#include +#include #include #include #include 
@@ -558,96 +558,6 @@ return; } -static unsigned int owlsm_ip_preroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_preroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_input_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_input_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_forward_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_forward_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_output_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_output_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int owlsm_ip_postroute_first (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int 
owlsm_ip_postroute_last (unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void owlsm_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -1070,16 +980,6 @@ skb_recv_datagram: owlsm_skb_recv_datagram, skb_free_security: owlsm_skb_free_security, - ip_preroute_first: owlsm_ip_preroute_first, - ip_preroute_last: owlsm_ip_preroute_last, - ip_input_first: owlsm_ip_input_first, - ip_input_last: owlsm_ip_input_last, - ip_forward_first: owlsm_ip_forward_first, - ip_forward_last: owlsm_ip_forward_last, - ip_output_first: owlsm_ip_output_first, - ip_output_last: owlsm_ip_output_last, - ip_postroute_first: owlsm_ip_postroute_first, - ip_postroute_last: owlsm_ip_postroute_last, ip_fragment: owlsm_ip_fragment, ip_defragment: owlsm_ip_defragment, ip_encapsulate: owlsm_ip_encapsulate, diff -durN -X dontdiff lsm-2.4/security/selinux/Config.in lsm-2.4.w1/security/selinux/Config.in --- lsm-2.4/security/selinux/Config.in Sat Jul 6 06:39:09 2002 +++ lsm-2.4.w1/security/selinux/Config.in Sat Jul 13 00:03:25 2002 
@@ -4,10 +4,8 @@ if [ "$CONFIG_EXPERIMENTAL" = "y" ]; then bool ' NSA SELinux MLS policy (EXPERIMENTAL)' CONFIG_SECURITY_SELINUX_MLS bool ' NSA SELinux extended socket calls (EXPERIMENTAL)' CONFIG_SECURITY_SELINUX_EXTSOCKET - if [ "$CONFIG_SECURITY_IP" != "n" ]; then - bool ' Labeled IP Networking Support' CONFIG_SECURITY_SELINUX_NSID - dep_tristate ' CIPSO/FIPS-188 IP Options (EXPERIMENTAL)' CONFIG_SECURITY_SELINUX_SELOPT $CONFIG_SECURITY_SELINUX_NSID $CONFIG_SECURITY_SELINUX - fi + dep_bool ' Labeled IP Networking Support' CONFIG_SECURITY_SELINUX_NSID $CONFIG_NETFILTER + dep_tristate ' CIPSO/FIPS-188 IP Options (EXPERIMENTAL)' CONFIG_SECURITY_SELINUX_SELOPT $CONFIG_SECURITY_SELINUX_NSID fi fi diff -durN -X dontdiff lsm-2.4/security/selinux/hooks.c lsm-2.4.w1/security/selinux/hooks.c --- lsm-2.4/security/selinux/hooks.c Fri Jul 12 23:19:33 2002 +++ lsm-2.4.w1/security/selinux/hooks.c Fri Jul 12 23:51:10 2002 @@ -43,6 +43,7 @@ #include #include #include /* for network interface checks */ +#include #include /* for network interface checks */ #include #include @@ -2845,14 +2846,7 @@ new->mapped = old->mapped; } -static unsigned int selinux_ip_preroute_first(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} +#ifdef CONFIG_NETFILTER /* * Helper function for the selinux_ip_preroute_last hook and 
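Review bot: The rewritten `dep_tristate` for CONFIG_SECURITY_SELINUX_SELOPT drops `$CONFIG_SECURITY_SELINUX` from its dependency list, so the option is now bounded only by CONFIG_SECURITY_SELINUX_NSID, which is a bool. If CONFIG_SECURITY_SELINUX can be built as a module, this lets SELOPT be configured as 'y' while the SELinux code it depends on is 'm', a combination the old form prevented. Unless that is intended, keep the dependency: `dep_tristate ' CIPSO/FIPS-188 IP Options (EXPERIMENTAL)' CONFIG_SECURITY_SELINUX_SELOPT $CONFIG_SECURITY_SELINUX_NSID $CONFIG_SECURITY_SELINUX`. The outer `if` this block sits in opens outside the hunk.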
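Review bot: The `#ifdef CONFIG_NETFILTER` that replaces selinux_ip_preroute_first at the end of the hooks.c hunk opens a conditional region whose matching `#endif` is added about 290 lines later (after selinux_ip_postroute_last, per the `@@ -3181` hunk), and nothing at the opening says what is being excluded. A one-line note would help the next reader, e.g. `#ifdef CONFIG_NETFILTER /* IPv4 Netfilter hook callbacks, registered by selinux_nf_ip_init() */`. The helper comment this hunk ends on continues outside the hunk.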
@@ -2989,24 +2983,6 @@ return selinux_ip_input_helper(skb, ssec, (struct net_device*)in); } -static unsigned int selinux_ip_forward_first(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int selinux_ip_forward_last(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - static void selinux_skb_set_owner_w(struct sk_buff *skb, struct sock *sk); /* @@ -3068,24 +3044,6 @@ return nsid_ip_label_output(hooknum, pskb, in, out, okfn); } -static unsigned int selinux_ip_output_last(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - -static unsigned int selinux_ip_postroute_first(unsigned int hooknum, - struct sk_buff **pskb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) -{ - return NF_ACCEPT; -} - static unsigned int selinux_ip_postroute_last(unsigned int hooknum, struct sk_buff **pskb, const struct net_device *in, @@ -3181,6 +3139,8 @@ return NF_ACCEPT; } +#endif /* CONFIG_NETFILTER */ + static void selinux_ip_fragment(struct sk_buff *newskb, const struct sk_buff *oldskb) { 
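Review bot: The forward declaration `static void selinux_skb_set_owner_w(struct sk_buff *skb, struct sock *sk);` that follows the removed forward hooks now sits inside the `#ifdef CONFIG_NETFILTER` region opened near line 2849 of the new file, so it is compiled out when Netfilter is disabled. If anything outside that region calls the function before its definition, a CONFIG_NETFILTER=n build fails on the missing declaration; if only the Netfilter callbacks need it, it is harmless as is. Moving the declaration above the `#ifdef` is the safer placement in either case.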
@@ -4752,16 +4712,6 @@ skb_recv_datagram: selinux_skb_recv_datagram, skb_free_security: selinux_skb_free_security, - ip_preroute_first: selinux_ip_preroute_first, - ip_preroute_last: selinux_ip_preroute_last, - ip_input_first: selinux_ip_input_first, - ip_input_last: selinux_ip_input_last, - ip_forward_first: selinux_ip_forward_first, - ip_forward_last: selinux_ip_forward_last, - ip_output_first: selinux_ip_output_first, - ip_output_last: selinux_ip_output_last, - ip_postroute_first: selinux_ip_postroute_first, - ip_postroute_last: selinux_ip_postroute_last, ip_fragment: selinux_ip_fragment, ip_defragment: selinux_ip_defragment, ip_encapsulate: selinux_ip_encapsulate, 
@@ -4824,6 +4774,54 @@ #endif +#ifdef CONFIG_NETFILTER + +#define NF_IP_PRI_SELINUX_FIRST (NF_IP_PRI_CONNTRACK + 5) +#define NF_IP_PRI_SELINUX_LAST -NF_IP_PRI_SELINUX_FIRST + +static struct nf_hook_ops selinux_ip_ops[] = { + { { NULL, NULL }, selinux_ip_preroute_last, + PF_INET, NF_IP_PRE_ROUTING, NF_IP_PRI_SELINUX_LAST }, + + { { NULL, NULL }, selinux_ip_input_first, + PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_SELINUX_FIRST }, + + { { NULL, NULL }, selinux_ip_input_last, + PF_INET, NF_IP_LOCAL_IN, NF_IP_PRI_SELINUX_LAST }, + + { { NULL, NULL }, selinux_ip_output_first, + PF_INET, NF_IP_LOCAL_OUT, NF_IP_PRI_SELINUX_FIRST }, + + { { NULL, NULL }, selinux_ip_postroute_last, + PF_INET, NF_IP_POST_ROUTING, NF_IP_PRI_SELINUX_LAST } +}; + +static int __init selinux_nf_ip_init(void) +{ + int i; + + /* Hook registration never returns error (for now) */ + for (i = 0; i < sizeof(selinux_ip_ops)/sizeof(struct nf_hook_ops); i++) + nf_register_hook(&selinux_ip_ops[i]); + + return 0; +} + +static void __exit selinux_nf_ip_exit(void) +{ + unsigned int i; + + for (i = 0; i < sizeof(selinux_ip_ops)/sizeof(struct nf_hook_ops); i++) + nf_unregister_hook(&selinux_ip_ops[i]); +} + +#else + +#define selinux_nf_ip_init() (0) +#define selinux_nf_ip_exit() do { } while (0) + +#endif /* CONFIG_NETFILTER */ + static int __init selinux_plug_init (void) { int rc = 0; @@ -4849,6 +4847,12 @@ printk(KERN_INFO "SELinux: failed to initialize NSID API\n"); return rc; } + + rc = selinux_nf_ip_init(); + if (rc) { + printk(KERN_INFO "SELinux: failed to initialize IP hooks\n"); + return rc; + } /* Replace the LSM security syscall with our own entrypoint function so that the registers on the stack are available @@ -4863,6 +4867,7 @@ if (rc) { printk (KERN_INFO "Failure registering SELinux with the kernel\n"); sys_call_table[__NR_security] = orig_syscall; + selinux_nf_ip_exit(); return rc; } 
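Review bot: `selinux_nf_ip_exit()` is declared `__exit` but is now called from the `__init` function selinux_plug_init on the register_security failure path (hunk `@@ -4863`); when SELinux is built into the kernel, `.text.exit` is discarded at link time, so that call is likely to fail the link with a reference into a discarded section. Drop the annotation, `static void selinux_nf_ip_exit(void)`, since the function is no longer reached only from module unload. Separately, `selinux_nf_ip_init` ignores the return value of `nf_register_hook()` and loops with an `int i` against a `size_t` bound while the exit loop uses `unsigned int`; using `unsigned int i` and `sizeof(selinux_ip_ops)/sizeof(selinux_ip_ops[0])` in both keeps them consistent and avoids the signed/unsigned comparison. Note also that the hooks are registered before `register_security()` installs the SELinux skb hooks, so a packet arriving in that window reaches the callbacks with an skb security blob SELinux did not allocate; worth confirming the callbacks tolerate that.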
@@ -4893,6 +4898,8 @@ sys_call_table[__NR_security] = orig_syscall; + selinux_nf_ip_exit(); + /* Deallocate all of the security blobs created by this module and clear the security fields in the corresponding objects. */ @@ -4937,10 +4944,6 @@ p = p->next; msg_msg_free_security(msgsec->msg); } - - /* Synchronize with net_rx_action() and Netfilter hook iteration. */ - br_write_lock_bh(BR_NETPROTO_LOCK); - br_write_unlock_bh(BR_NETPROTO_LOCK); /* TBD: assert or override refcounts */ p = skb_security_head.next;
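Review bot: The removed `br_write_lock_bh(BR_NETPROTO_LOCK)`/`br_write_unlock_bh(BR_NETPROTO_LOCK)` pair was the barrier that let in-flight net_rx_action() and Netfilter hook traversals drain before the skb security blobs below are freed. With CONFIG_NETFILTER enabled that is presumably now provided by nf_unregister_hook() inside `selinux_nf_ip_exit()`, but with it disabled `selinux_nf_ip_exit()` expands to nothing, so softirq receive processing that already entered the old hooks is no longer waited for before the blobs go away. Suggest keeping the lock/unlock pair unconditionally, or placing it in the `#else` definition of `selinux_nf_ip_exit()` so the exit path is fenced in both configurations. The enclosing exit function starts outside the hunk.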