[PATCH] accessfs v0.5 ported to LSM - 1/2

• Previous message: Greg KH: "Re: [patch] Hook in do_kern_mount"
• Next in thread: Greg KH: "Re: [PATCH] accessfs v0.5 ported to LSM - 1/2"
• Reply: Greg KH: "Re: [PATCH] accessfs v0.5 ported to LSM - 1/2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi,

Accessfs is a new file system to control access to system resources.
For further information see the help text.

Changes:
- ported to LSM
- support capabilities
- merged ipv4/ipv6 into ip

This part (1/2) adds a hook to LSM to enable control based on the port
number.

The patch is attached below. It is also available at:
<http://home.t-online.de/home/olaf.dietsche/linux/accessfs-2.5.34-0.5-1_2.patch.gz>

It applies to 2.5.3[5-8] as well.

I did minimal testing using uml 0.58-2.5.34.

Regards, Olaf.

diff -urN v2.5.34/include/linux/security.h v2.5.34-accessfs/include/linux/security.h
--- v2.5.34/include/linux/security.h	Sun Sep  1 00:04:51 2002
+++ v2.5.34-accessfs/include/linux/security.h	Tue Sep 24 13:25:50 2002
@@ -642,6 +642,13 @@
  *	@args contains the call arguments (user space pointer).
  *	The module should return -ENOSYS if it does not implement any new
  *	system calls.
+ * @ip_prot_sock:
+ *	Check, whether this is a protected port.
+ *	Security modules may use this hook to implement fine grained control
+ *	based on the port number.
+ *	@port contains the requested port
+ *	The module should return true if port is a protected port (e.g. < 1024),
+ *	false otherwise.
  *
  * @register_security:
  * 	allow module stacking.
@@ -785,6 +792,7 @@
 			   unsigned long arg5);
 	void (*task_kmod_set_label) (void);
 	void (*task_reparent_to_init) (struct task_struct * p);
+	int (*ip_prot_sock) (int port);
 
 	/* allow module stacking */
 	int (*register_security) (const char *name,
diff -urN v2.5.34/net/ipv4/af_inet.c v2.5.34-accessfs/net/ipv4/af_inet.c
--- v2.5.34/net/ipv4/af_inet.c	Tue Sep 24 11:52:15 2002
+++ v2.5.34-accessfs/net/ipv4/af_inet.c	Tue Sep 24 13:21:29 2002
@@ -531,7 +531,7 @@
 
 	snum = ntohs(addr->sin_port);
 	err = -EACCES;
-	if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+	if (security_ops->ip_prot_sock(snum) && !capable(CAP_NET_BIND_SERVICE))
 		goto out;
 
 	/*      We keep a pair of addresses. rcv_saddr is the one
diff -urN v2.5.34/net/ipv6/af_inet6.c v2.5.34-accessfs/net/ipv6/af_inet6.c
--- v2.5.34/net/ipv6/af_inet6.c	Tue Sep 24 11:52:15 2002
+++ v2.5.34-accessfs/net/ipv6/af_inet6.c	Tue Sep 24 13:21:56 2002
@@ -313,7 +313,7 @@
 	}
 
 	snum = ntohs(addr->sin6_port);
-	if (snum && snum < PROT_SOCK && !capable(CAP_NET_BIND_SERVICE))
+	if (security_ops->ip_prot_sock(snum) && !capable(CAP_NET_BIND_SERVICE))
 		return -EACCES;
 
 	lock_sock(sk);
diff -urN v2.5.34/security/capability.c v2.5.34-accessfs/security/capability.c
--- v2.5.34/security/capability.c	Sun Sep  1 00:04:55 2002
+++ v2.5.34-accessfs/security/capability.c	Tue Sep 24 13:20:08 2002
@@ -18,6 +18,7 @@
 #include <linux/smp_lock.h>
 #include <linux/skbuff.h>
 #include <linux/netlink.h>
+#include <net/sock.h>
 
 /* flag to keep track of how we were registered */
 static int secondary;
@@ -679,6 +680,11 @@
 	return;
 }
 
+static int cap_ip_prot_sock (int port)
+{
+	return port && port < PROT_SOCK;
+}
+
 static int cap_register (const char *name, struct security_operations *ops)
 {
 	return -EINVAL;
@@ -781,6 +787,8 @@
 	.task_prctl =			cap_task_prctl,
 	.task_kmod_set_label =		cap_task_kmod_set_label,
 	.task_reparent_to_init =	cap_task_reparent_to_init,
+
+	.ip_prot_sock =	cap_ip_prot_sock,
 
 	.register_security =		cap_register,
 	.unregister_security =		cap_unregister,
diff -urN v2.5.34/security/dummy.c v2.5.34-accessfs/security/dummy.c
--- v2.5.34/security/dummy.c	Sun Sep  1 00:04:52 2002
+++ v2.5.34-accessfs/security/dummy.c	Tue Sep 24 13:19:21 2002
@@ -18,6 +18,7 @@
 #include <linux/security.h>
 #include <linux/skbuff.h>
 #include <linux/netlink.h>
+#include <net/sock.h>
 
 static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
 {
@@ -493,6 +494,11 @@
 	return;
 }
 
+static int dummy_ip_prot_sock (int port)
+{
+	return port && port < PROT_SOCK;
+}
+
 static int dummy_register (const char *name, struct security_operations *ops)
 {
 	return -EINVAL;
@@ -595,6 +601,8 @@
 	.task_prctl =			dummy_task_prctl,
 	.task_kmod_set_label =		dummy_task_kmod_set_label,
 	.task_reparent_to_init =	dummy_task_reparent_to_init,
+
+	.ip_prot_sock =	dummy_ip_prot_sock,
 
 	.register_security =		dummy_register,
 	.unregister_security =		dummy_unregister,
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Olaf Dietsche: "[PATCH] accessfs v0.5 ported to LSM - 2/2"
• Previous message: Greg KH: "Re: [patch] Hook in do_kern_mount"
• Next in thread: Greg KH: "Re: [PATCH] accessfs v0.5 ported to LSM - 1/2"
• Reply: Greg KH: "Re: [PATCH] accessfs v0.5 ported to LSM - 1/2"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Tue Sep 24 2002 - 08:40:26 PDT