After merging 2.5.50 into our internal CVS tree (with lots of manual resolution of conflicts), I noticed that it differs from the public BitKeeper tree. See the attached patch. I think that this patch fixes the following aspects:

1) Sync our lsm.tmpl file with 2.5.50, removing sys_security discussion.

2) security.h: Restore #include <sys/time.h> for settime hook. Restore per-hook documentation for several hooks. Add extern decls for cap_netlink_* hooks since they will be needed when CONFIG_SECURITY is disabled.

3) capability.c: Move cap_* hook functions into the #ifdef CONFIG_SECURITY block where appropriate. Change cap_netlink_* hooks from static since they will be needed. Restore cap_sysctl. Restore capability_ops entries.

4) dummy.c: Remove duplicate hook functions. Restore dummy_ops entries.

With this patch plus a minor change to selinux, I can build, boot, and run SELinux+capabilities. Any objections to committing this patch?

Note that this patch does not fix the remaining hooks to use the new format, and that building without CONFIG_SECURITY enabled is broken in the lsm-2.5 tree (it was already broken, and this patch doesn't affect it).

--
Stephen Smalley, NSA
sdsat_private

diff -X /home/sds/dontdiff -ru lsm-2.5-bk/Documentation/DocBook/lsm.tmpl lsm-2.5/Documentation/DocBook/lsm.tmpl --- lsm-2.5-bk/Documentation/DocBook/lsm.tmpl Mon Dec 2 11:33:03 2002 +++ lsm-2.5/Documentation/DocBook/lsm.tmpl Fri Nov 29 12:13:46 2002 
@@ -203,29 +203,6 @@ permission when accessing an inode. </para> -<para> -LSM adds a general <function>security</function> system call that -simply invokes the <function>sys_security</function> hook. This -system call and hook permits security modules to implement new system -calls for security-aware applications. The interface is similar to -socketcall, but also has an <parameter>id</parameter> to help identify -the security module whose call is being invoked. -To eliminate the need for a central registry of ids, -the recommended convention for creating the hexadecimal id value is: -<programlisting> -<![CDATA[ - echo "Name_of_module" | md5sum | cut -c -8 -]]> -</programlisting> -C code will need to prefix this result with ``0x''. -For example, the id for ``SGI Trusted Linux'' could be used in C as: -<programlisting> -<![CDATA[ - #define SYS_SECURITY_MODID 0xc4c7be22 -]]> -</programlisting> -</para> - </sect1> <sect1 id="cap"><title>LSM Capabilities Module</title> diff -X /home/sds/dontdiff -ru lsm-2.5-bk/include/linux/security.h lsm-2.5/include/linux/security.h --- lsm-2.5-bk/include/linux/security.h Mon Dec 2 11:33:03 2002 +++ lsm-2.5/include/linux/security.h Mon Dec 2 12:10:26 2002 @@ -31,14 +31,17 @@ #include <linux/sysctl.h> #include <linux/shm.h> #include <linux/msg.h> +#include <linux/time.h> #include <linux/sched.h> - /* * These functions are in security/capability.c and are used * as the default capabilities functions */ extern int cap_capable (struct task_struct *tsk, int cap); +struct sk_buff; +extern int cap_netlink_send (struct sk_buff *skb); +extern int cap_netlink_recv (struct sk_buff *skb); extern int cap_ptrace (struct task_struct *parent, struct task_struct *child); extern int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); extern int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 
@@ -1055,7 +1058,78 @@ * @tsk contains the task_struct for the process. * @cap contains the capability <include/linux/capability.h>. * Return 0 if the capability is granted for @tsk. + * @swapon: + * Check permission before enabling swapping to the file or block device + * identified by @swap. + * @swap contains the swap_info_struct structure for the swap file and device. + * Return 0 if permission is granted. + * @swapoff: + * Check permission before disabling swapping to the file or block device + * identified by @swap. + * @swap contains the swap_info_struct structure for the swap file and device. + * Return 0 if permission is granted. + * @quotactl: + * Check permission before performing the quota operation identified by + * @cmd for the specified @type, @id, and @sb. The @sb parameter may be + * NULL, e.g. for the Q_SYNC and Q_GETSTATS commands. + * @cmd contains the command value. + * @type contains the type of quota (USRQUOTA or GRPQUOTA). + * @id contains the user or group identifier. + * @sb contains the super_block structure for the filesystem (may be NULL). + * Return 0 if permission is granted. + * @quota_on: + * Check permission before enabling quotas for a file system using @f as + * the quota file. + * @f contains the open file for storing quotas. + * Return 0 if permission is granted. + * @syslog: + * Check permission before accessing the kernel message ring or changing + * logging to the console. + * See the syslog(2) manual page for an explanation of the @type values. + * @type contains the type of action. + * Return 0 if permission is granted. + * @settime: + * Check permission to change the system time. + * struct timeval and timezone are defined in include/linux/time.h + * @tv contains new time + * @tz contains new timezone + * Return 0 if permission is granted. + * + * @netlink_send: + * Save security information for a netlink message so that permission + * checking can be performed when the message is processed. 
The security + * information can either be saved using the existing eff_cap field of the + * netlink_skb_parms structure or it can be saved using the skbuff + * lsm_security field. + * @skb contains the sk_buff structure for the netlink message. + * Return 0 if the information was successfully saved. + * @netlink_recv: + * Check permission before processing the received netlink message in + * @skb. + * @skb contains the sk_buff structure for the netlink message. + * Return 0 if permission is granted. + * @unix_stream_connect: + * Check permissions before establishing a Unix domain stream connection + * between @sock and @other. + * @sock contains the socket structure. + * @other contains the peer socket structure. + * Return 0 if permission is granted. + * @unix_may_send: + * Check permissions before connecting or sending datagrams from @sock to + * @other. + * @sock contains the socket structure. + * @sock contains the peer socket structure. + * Return 0 if permission is granted. * + * The @unix_stream_connect and @unix_may_send hooks were necessary because + * Linux provides an alternative to the conventional file name space for Unix + * domain sockets. Whereas binding and connecting to sockets in the file name + * space is mediated by the typical file permissions (and caught by the mknod + * and permission hooks in inode_security_ops), binding and connecting to + * sockets in the abstract name space is completely unmediated. Sufficient + * control of Unix domain sockets in the abstract name space isn't possible + * using only the socket layer hooks, since we need to know the actual target + * socket, which is not looked up until we are inside the af_unix code. * * @register_security: * allow module stacking. diff -X /home/sds/dontdiff -ru lsm-2.5-bk/security/capability.c lsm-2.5/security/capability.c --- lsm-2.5-bk/security/capability.c Mon Dec 2 11:33:03 2002 +++ lsm-2.5/security/capability.c Mon Dec 2 12:10:26 2002 
@@ -28,43 +28,13 @@ return -EPERM; } -static int cap_swapon (struct swap_info_struct *swap) -{ - return 0; -} - -static int cap_swapoff (struct swap_info_struct *swap) -{ - return 0; -} - -static int cap_quotactl (int cmds, int type, int id, struct super_block *sb) -{ - return 0; -} - -static int cap_quota_on (struct file *f) -{ - return 0; -} - -static int cap_syslog (int type) -{ - return 0; -} - -static int cap_settime (struct timeval *tv, struct timezone *tz) -{ - return 0; -} - -static int cap_netlink_send (struct sk_buff *skb) +int cap_netlink_send (struct sk_buff *skb) { NETLINK_CB (skb).eff_cap = current->cap_effective; return 0; } -static int cap_netlink_recv (struct sk_buff *skb) +int cap_netlink_recv (struct sk_buff *skb) { if (!cap_raised (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN)) return -EPERM; @@ -322,6 +292,41 @@ #ifdef CONFIG_SECURITY +static int cap_sethostname (char *hostname) +{ + return 0; +} + +static int cap_setdomainname (char *domainname) +{ + return 0; +} + +static int cap_reboot (unsigned int cmd) +{ + return 0; +} + +static int cap_ioperm (unsigned long from, unsigned long num, int turn_on) +{ + return 0; +} + +static int cap_iopl (unsigned int old, unsigned int level) +{ + return 0; +} + +static int cap_swapon (struct swap_info_struct *swap) +{ + return 0; +} + +static int cap_swapoff (struct swap_info_struct *swap) +{ + return 0; +} + static int cap_quotactl (int cmds, int type, int id, struct super_block *sb) { return 0; @@ -337,6 +342,21 @@ return 0; } +static int cap_syslog (int type) +{ + return 0; +} + +static int cap_settime (struct timeval *tv, struct timezone *tz) +{ + return 0; +} + +static int cap_sysctl (ctl_table * table, int op) +{ + return 0; +} + static int cap_bprm_alloc_security (struct linux_binprm *bprm) { return 0; 
@@ -1027,14 +1047,30 @@ } static struct security_operations capability_ops = { + .sethostname = cap_sethostname, + .setdomainname = cap_setdomainname, + .reboot = cap_reboot, + .ioperm = cap_ioperm, + .iopl = cap_iopl, .ptrace = cap_ptrace, .capget = cap_capget, .capset_check = cap_capset_check, .capset_set = cap_capset_set, .acct = cap_acct, + .sysctl = cap_sysctl, .capable = cap_capable, + .swapon = cap_swapon, + .swapoff = cap_swapoff, .quotactl = cap_quotactl, .quota_on = cap_quota_on, + .syslog = cap_syslog, + .settime = cap_settime, + + .netlink_send = cap_netlink_send, + .netlink_recv = cap_netlink_recv, + + .unix_stream_connect = cap_socket_unix_stream_connect, + .unix_may_send = cap_socket_unix_may_send, .bprm_alloc_security = cap_bprm_alloc_security, .bprm_free_security = cap_bprm_free_security, @@ -1044,6 +1080,7 @@ .sb_alloc_security = cap_sb_alloc_security, .sb_free_security = cap_sb_free_security, + .sb_kern_mount = cap_sb_kern_mount, .sb_statfs = cap_sb_statfs, .sb_mount = cap_mount, .sb_check_sb = cap_check_sb, @@ -1055,7 +1092,7 @@ .sb_post_addmount = cap_post_addmount, .sb_pivotroot = cap_pivotroot, .sb_post_pivotroot = cap_post_pivotroot, - + .inode_alloc_security = cap_inode_alloc_security, .inode_free_security = cap_inode_free_security, .inode_create = cap_inode_create, @@ -1084,7 +1121,7 @@ .inode_getxattr = cap_inode_getxattr, .inode_listxattr = cap_inode_listxattr, .inode_removexattr = cap_inode_removexattr, - + .file_permission = cap_file_permission, .file_alloc_security = cap_file_alloc_security, .file_free_security = cap_file_free_security, 
@@ -1117,16 +1154,66 @@ .task_kmod_set_label = cap_task_kmod_set_label, .task_reparent_to_init = cap_task_reparent_to_init, + .socket_create = cap_socket_create, + .socket_post_create = cap_socket_post_create, + .socket_bind = cap_socket_bind, + .socket_connect = cap_socket_connect, + .socket_listen = cap_socket_listen, + .socket_accept = cap_socket_accept, + .socket_post_accept = cap_socket_post_accept, + .socket_sendmsg = cap_socket_sendmsg, + .socket_recvmsg = cap_socket_recvmsg, + .socket_getsockname = cap_socket_getsockname, + .socket_getpeername = cap_socket_getpeername, + .socket_getsockopt = cap_socket_getsockopt, + .socket_setsockopt = cap_socket_setsockopt, + .socket_shutdown = cap_socket_shutdown, + .socket_sock_alloc_security = cap_socket_sock_alloc_security, + .socket_sock_free_security = cap_socket_sock_free_security, + .socket_sock_rcv_skb = cap_socket_sock_rcv_skb, + .open_request_alloc_security = cap_open_request_alloc_security, + .open_request_free_security = cap_open_request_free_security, + .tcp_connection_request = cap_tcp_connection_request, + .tcp_synack = cap_tcp_synack, + .tcp_create_openreq_child = cap_tcp_create_openreq_child, + + .skb_alloc_security = cap_skb_alloc_security, + .skb_clone = cap_skb_clone, + .skb_copy = cap_skb_copy, + .skb_set_owner_w = cap_skb_set_owner_w, + .skb_recv_datagram = cap_skb_recv_datagram, + .skb_free_security = cap_skb_free_security, + + .ip_fragment = cap_ip_fragment, + .ip_defragment = cap_ip_defragment, + .ip_encapsulate = cap_ip_encapsulate, + .ip_decapsulate = cap_ip_decapsulate, + .ip_decode_options = cap_ip_decode_options, + + .netdev_unregister = cap_netdev_unregister, + .ipc_permission = cap_ipc_permission, + .msg_msg_alloc_security = cap_msg_msg_alloc_security, + .msg_msg_free_security = cap_msg_msg_free_security, + .msg_queue_alloc_security = cap_msg_queue_alloc_security, .msg_queue_free_security = cap_msg_queue_free_security, - + .msg_queue_associate = cap_msg_queue_associate, + .msg_queue_msgctl 
= cap_msg_queue_msgctl, + .msg_queue_msgsnd = cap_msg_queue_msgsnd, + .msg_queue_msgrcv = cap_msg_queue_msgrcv, + .shm_alloc_security = cap_shm_alloc_security, .shm_free_security = cap_shm_free_security, - + .shm_associate = cap_shm_associate, + .shm_shmctl = cap_shm_shmctl, + .shm_shmat = cap_shm_shmat, + .sem_alloc_security = cap_sem_alloc_security, .sem_free_security = cap_sem_free_security, + .sem_associate = cap_sem_associate, + .sem_semctl = cap_sem_semctl, .register_security = cap_register, .unregister_security = cap_unregister, diff -X /home/sds/dontdiff -ru lsm-2.5-bk/security/dummy.c lsm-2.5/security/dummy.c --- lsm-2.5-bk/security/dummy.c Mon Dec 2 11:33:03 2002 +++ lsm-2.5/security/dummy.c Mon Dec 2 12:10:26 2002 @@ -97,12 +97,7 @@ return -EPERM; } -static int dummy_quotactl (int cmds, int type, int id, struct super_block *sb) -{ - return 0; -} - -static int dummy_quota_on (struct file *f) +static int dummy_sysctl (ctl_table * table, int op) { return 0; } @@ -877,14 +872,30 @@ } struct security_operations dummy_security_ops = { + .sethostname = dummy_sethostname, + .setdomainname = dummy_setdomainname, + .reboot = dummy_reboot, + .ioperm = dummy_ioperm, + .iopl = dummy_iopl, .ptrace = dummy_ptrace, .capget = dummy_capget, .capset_check = dummy_capset_check, .capset_set = dummy_capset_set, .acct = dummy_acct, .capable = dummy_capable, + .sysctl = dummy_sysctl, + .swapon = dummy_swapon, + .swapoff = dummy_swapoff, .quotactl = dummy_quotactl, .quota_on = dummy_quota_on, + .syslog = dummy_syslog, + .settime = dummy_settime, + + .netlink_send = dummy_netlink_send, + .netlink_recv = dummy_netlink_recv, + + .unix_stream_connect = dummy_socket_unix_stream_connect, + .unix_may_send = dummy_socket_unix_may_send, .bprm_alloc_security = dummy_bprm_alloc_security, .bprm_free_security = dummy_bprm_free_security, 
@@ -894,6 +905,7 @@ .sb_alloc_security = dummy_sb_alloc_security, .sb_free_security = dummy_sb_free_security, + .sb_kern_mount = dummy_sb_kern_mount, .sb_statfs = dummy_sb_statfs, .sb_mount = dummy_mount, .sb_check_sb = dummy_check_sb, @@ -905,7 +917,7 @@ .sb_post_addmount = dummy_post_addmount, .sb_pivotroot = dummy_pivotroot, .sb_post_pivotroot = dummy_post_pivotroot, - + .inode_alloc_security = dummy_inode_alloc_security, .inode_free_security = dummy_inode_free_security, .inode_create = dummy_inode_create, 
@@ -967,16 +979,66 @@ .task_kmod_set_label = dummy_task_kmod_set_label, .task_reparent_to_init = dummy_task_reparent_to_init, + .socket_create = dummy_socket_create, + .socket_post_create = dummy_socket_post_create, + .socket_bind = dummy_socket_bind, + .socket_connect = dummy_socket_connect, + .socket_listen = dummy_socket_listen, + .socket_accept = dummy_socket_accept, + .socket_post_accept = dummy_socket_post_accept, + .socket_sendmsg = dummy_socket_sendmsg, + .socket_recvmsg = dummy_socket_recvmsg, + .socket_getsockname = dummy_socket_getsockname, + .socket_getpeername = dummy_socket_getpeername, + .socket_getsockopt = dummy_socket_getsockopt, + .socket_setsockopt = dummy_socket_setsockopt, + .socket_shutdown = dummy_socket_shutdown, + .socket_sock_alloc_security = dummy_socket_sock_alloc_security, + .socket_sock_free_security = dummy_socket_sock_free_security, + .socket_sock_rcv_skb = dummy_socket_sock_rcv_skb, + .open_request_alloc_security = dummy_open_request_alloc_security, + .open_request_free_security = dummy_open_request_free_security, + .tcp_connection_request = dummy_tcp_connection_request, + .tcp_synack = dummy_tcp_synack, + .tcp_create_openreq_child = dummy_tcp_create_openreq_child, + + .skb_alloc_security = dummy_skb_alloc_security, + .skb_clone = dummy_skb_clone, + .skb_copy = dummy_skb_copy, + .skb_set_owner_w = dummy_skb_set_owner_w, + .skb_recv_datagram = dummy_skb_recv_datagram, + .skb_free_security = dummy_skb_free_security, + + .ip_fragment = dummy_ip_fragment, + .ip_defragment = dummy_ip_defragment, + .ip_encapsulate = dummy_ip_encapsulate, + .ip_decapsulate = dummy_ip_decapsulate, + .ip_decode_options = dummy_ip_decode_options, + .ipc_permission = dummy_ipc_permission, - + + .netdev_unregister = dummy_netdev_unregister, + + .msg_msg_alloc_security = dummy_msg_msg_alloc_security, + .msg_msg_free_security = dummy_msg_msg_free_security, + .msg_queue_alloc_security = dummy_msg_queue_alloc_security, .msg_queue_free_security = 
dummy_msg_queue_free_security, - + .msg_queue_associate = dummy_msg_queue_associate, + .msg_queue_msgctl = dummy_msg_queue_msgctl, + .msg_queue_msgsnd = dummy_msg_queue_msgsnd, + .msg_queue_msgrcv = dummy_msg_queue_msgrcv, + .shm_alloc_security = dummy_shm_alloc_security, .shm_free_security = dummy_shm_free_security, - + .shm_associate = dummy_shm_associate, + .shm_shmctl = dummy_shm_shmctl, + .shm_shmat = dummy_shm_shmat, + .sem_alloc_security = dummy_sem_alloc_security, .sem_free_security = dummy_sem_free_security, + .sem_associate = dummy_sem_associate, + .sem_semctl = dummy_sem_semctl, .register_security = dummy_register, .unregister_security = dummy_unregister,
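Review bot: The cover letter and the security.h hunk at @@ -31,14 +31,17 @@ disagree on the header: the letter says "Restore #include <sys/time.h>" while the hunk adds `#include <linux/time.h>`. The hunk is the right one for kernel code (the new @settime documentation in the same file says struct timeval and timezone are defined in include/linux/time.h), so the description should be corrected to linux/time.h before this goes into the commit log. The `struct sk_buff;` forward declaration ahead of the unconditional cap_netlink_send/cap_netlink_recv prototypes is the right way to keep security.h free of a net headers dependency.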
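Review bot: Copy-paste error in the @unix_may_send documentation restored at @@ -1055,7 +1058,78 @@: the second parameter line reads "@sock contains the peer socket structure." and should read "@other contains the peer socket structure.", matching the hook description "from @sock to @other" and the @unix_stream_connect entry just above it. Two smaller points in the same hunk: the @quotactl text names the command parameter @cmd while cap_quotactl (and the removed dummy_quotactl) declare it as `cmds`, so one of them should change; and although the patch restores cap_sysctl and adds dummy_sysctl, this hunk adds no @sysctl entry, so if the hook is not already documented elsewhere in the header it should be described here alongside @syslog and @settime.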
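Review bot: Making cap_netlink_send and cap_netlink_recv non-static at @@ -28,43 +28,13 @@ is consistent with the unconditional prototypes added to security.h, and the enforcement itself is unchanged: the sender's cap_effective is stored in NETLINK_CB (skb).eff_cap by cap_netlink_send, and cap_netlink_recv returns -EPERM unless CAP_NET_ADMIN is raised in that saved set. Because the receive-side check depends entirely on the send-side hook having populated eff_cap, whoever wires these into the !CONFIG_SECURITY netlink path must call both, not just the recv one. In the @@ -337,6 +342,21 @@ hunk, `cap_sysctl (ctl_table * table, int op)` should be spelled `ctl_table *table` per kernel style (same for dummy_sysctl in dummy.c).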
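Review bot: The capability_ops hunks from @@ -1027,14 +1047,30 @@ through @@ -1117,16 +1154,66 @@ register many functions that no hunk in this patch defines (`.sb_kern_mount = cap_sb_kern_mount`, `.unix_stream_connect = cap_socket_unix_stream_connect`, `.unix_may_send = cap_socket_unix_may_send`, and the whole .socket_*, .skb_*, .ip_*, .netdev_unregister, .msg_queue_*, .shm_* and .sem_* families), so all of them must already exist inside the #ifdef CONFIG_SECURITY block; the cover letter's successful SELinux+capabilities build covers the CONFIG_SECURITY=y case, which is the only one that compiles this table. Two consistency nits: capability_ops lists `.netdev_unregister` before `.ipc_permission` whereas dummy_security_ops lists `.ipc_permission` first, and the two tables would be easier to diff against each other in the same order; and the trailing-whitespace-only hunks at @@ -1055,7 +1092,7 @@ and @@ -1084,7 +1121,7 @@ could be split out as a separate cleanup.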
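Review bot: The dummy.c hunk at @@ -97,12 +97,7 @@ deletes the definitions of dummy_quotactl and dummy_quota_on while dummy_security_ops still references both (`.quotactl = dummy_quotactl,` and `.quota_on = dummy_quota_on,` remain as unchanged context), so it relies on the other copies that the cover letter calls duplicates having identical signatures to the ones removed here; that is worth a quick check since a mismatch would only show up as a compile error under CONFIG_SECURITY=y. The new dummy_sysctl returning 0 unconditionally is correct for the dummy module, which is meant to apply no policy of its own, and matches the restored cap_sysctl.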
This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 09:35:20 PST