[PATCH] accessfs v0.5 ported to LSM - 1/2

From: Olaf Dietsche (olaf.dietsche--list.linux-kernelat_private)
Date: Tue Sep 24 2002 - 08:39:43 PDT

  • Next message: Olaf Dietsche: "[PATCH] accessfs v0.5 ported to LSM - 2/2"

    Hi,
    
    Accessfs is a new file system to control access to system resources.
    For further information see the help text.
    
    Changes:
    - ported to LSM
    - support capabilities
    - merged ipv4/ipv6 into ip
    
    This part (1/2) adds a hook to LSM to enable control based on the port
    number.
    
    The patch is attached below. It is also available at:
    <http://home.t-online.de/home/olaf.dietsche/linux/accessfs-2.5.34-0.5-1_2.patch.gz>
    
    It applies to 2.5.3[5-8] as well.
    
    I did minimal testing using uml 0.58-2.5.34.
    
    Regards, Olaf.
    
    diff -urN v2.5.34/include/linux/security.h v2.5.34-accessfs/include/linux/security.h
    --- v2.5.34/include/linux/security.h	Sun Sep  1 00:04:51 2002
    +++ v2.5.34-accessfs/include/linux/security.h	Tue Sep 24 13:25:50 2002
    @@ -642,6 +642,13 @@
      *	@args contains the call arguments (user space pointer).
      *	The module should return -ENOSYS if it does not implement any new
      *	system calls.
    + * @ip_prot_sock:
    + *	Check, whether this is a protected port.
    + *	Security modules may use this hook to implement fine grained control
    + *	based on the port number.
    + *	@port contains the requested port
    + *	The module should return true if port is a protected port (e.g. < 1024),
    + *	false otherwise.
      *
      * @register_security:
      * 	allow module stacking.
    @@ -785,6 +792,7 @@
     			   unsigned long arg5);
     	void (*task_kmod_set_label) (void);
     	void (*task_reparent_to_init) (struct task_struct * p);
    +	int (*ip_prot_sock) (int port);
     
     	/* allow module stacking */
     	int (*register_security) (const char *name,
    diff -urN v2.5.34/net/ipv4/af_inet.c v2.5.34-accessfs/net/ipv4/af_inet.c
    --- v2.5.34/net/ipv4/af_inet.c	Tue Sep 24 11:52:15 2002
    +++ v2.5.34-accessfs/net/ipv4/af_inet.c	Tue Sep 24 13:21:29 2002
    @@ -531,7 +531,7 @@
     
     	snum = ntohs(addr->sin_port);
     	err = -EACCES;
    -	if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
    +	if (security_ops->ip_prot_sock(snum) && !capable(CAP_NET_BIND_SERVICE))
     		goto out;
     
     	/*      We keep a pair of addresses. rcv_saddr is the one
    diff -urN v2.5.34/net/ipv6/af_inet6.c v2.5.34-accessfs/net/ipv6/af_inet6.c
    --- v2.5.34/net/ipv6/af_inet6.c	Tue Sep 24 11:52:15 2002
    +++ v2.5.34-accessfs/net/ipv6/af_inet6.c	Tue Sep 24 13:21:56 2002
    @@ -313,7 +313,7 @@
     	}
     
     	snum = ntohs(addr->sin6_port);
    -	if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
    +	if (security_ops->ip_prot_sock(snum) && !capable(CAP_NET_BIND_SERVICE))
     		return -EACCES;
     
     	lock_sock(sk);
    diff -urN v2.5.34/security/capability.c v2.5.34-accessfs/security/capability.c
    --- v2.5.34/security/capability.c	Sun Sep  1 00:04:55 2002
    +++ v2.5.34-accessfs/security/capability.c	Tue Sep 24 13:20:08 2002
    @@ -18,6 +18,7 @@
     #include <linux/smp_lock.h>
     #include <linux/skbuff.h>
     #include <linux/netlink.h>
    +#include <net/sock.h>
     
     /* flag to keep track of how we were registered */
     static int secondary;
    @@ -679,6 +680,11 @@
     	return;
     }
     
    +static int cap_ip_prot_sock (int port)
    +{
    +	return port && port < PROT_SOCK;
    +}
    +
     static int cap_register (const char *name, struct security_operations *ops)
     {
     	return -EINVAL;
    @@ -781,6 +787,8 @@
     	.task_prctl =			cap_task_prctl,
     	.task_kmod_set_label =		cap_task_kmod_set_label,
     	.task_reparent_to_init =	cap_task_reparent_to_init,
    +
    +	.ip_prot_sock =	cap_ip_prot_sock,
     
     	.register_security =		cap_register,
     	.unregister_security =		cap_unregister,
    diff -urN v2.5.34/security/dummy.c v2.5.34-accessfs/security/dummy.c
    --- v2.5.34/security/dummy.c	Sun Sep  1 00:04:52 2002
    +++ v2.5.34-accessfs/security/dummy.c	Tue Sep 24 13:19:21 2002
    @@ -18,6 +18,7 @@
     #include <linux/security.h>
     #include <linux/skbuff.h>
     #include <linux/netlink.h>
    +#include <net/sock.h>
     
     static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
     {
    @@ -493,6 +494,11 @@
     	return;
     }
     
    +static int dummy_ip_prot_sock (int port)
    +{
    +	return port && port < PROT_SOCK;
    +}
    +
     static int dummy_register (const char *name, struct security_operations *ops)
     {
     	return -EINVAL;
    @@ -595,6 +601,8 @@
     	.task_prctl =			dummy_task_prctl,
     	.task_kmod_set_label =		dummy_task_kmod_set_label,
     	.task_reparent_to_init =	dummy_task_reparent_to_init,
    +
    +	.ip_prot_sock =	dummy_ip_prot_sock,
     
     	.register_security =		dummy_register,
     	.unregister_security =		dummy_unregister,
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
    



    This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 08:40:26 PDT