Re: OWLSM - please update! Also, here are tweaks to stack it.

• Previous message: Oliver Tennert: "Re: LSM adapted to support XFS"
• Reply: Emily Ratliff: "Re: OWLSM - please update! Also, here are tweaks to stack it."
• Reply: David Wheeler: "Re: OWLSM - please update! Also, here are tweaks to stack it."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Dec 16, 2002 at 09:37:08AM -0500, David Wheeler wrote:
> 
> Greg KH sagely proclaimed:
> > I also fixed up the owlsm module, based on the fact that we don't have
> > to have a bunch of "NULL" functions around anymore.  But in doing that I
> > realized that it doesn't have a lot of the default capabilities
> > functionality in it.  Now that the capability functions are exported,
> > this is easy to add, if it's wanted.
> >
> > So should I add this?  Or is owlsm just a "test" module that will never
> > be added to the main kernel tree?
> 
> 
> Yes, yes, yes!  Please add capability support to owlsm, so that people can
> "just use it".  I think that owlsm should go into the mainline
> Linux tree, since it's really quite useful.  It simply prevents some
> activities that are _known_ to be dangerous, and by enabling it, people
> can improve the security of their boxes at little cost.

Ok, I've applied the following patch to the lsm tree which adds more
capabilities functionality to the owlsm module.  Can others who know how
to test the owlsm module out, please do so before I send this off for
the main kernel tree?

I do not think the logic is entirely correct if CONFIG_OWLSM_FD is
enabled, as we are bypassing a lot of default capabilities logic.  Any
opinions?

> While you're making these changes,
> can you make it "stack" more cleanly, so that when I update the
> "stacker" module owlsm will play nicely?  Basically, you need to
> (1) set secondary=1 BEFORE calling mod_reg_security(), _not_ afterwards, and
> (2) in areas where you'll call (or reimplement) the capability module, do an
> "if (secondary) {return capability_result()} else {return 0; /* no err */}".

I've applied the patch you sent to do these changes (hint, hint, hint).

thanks,

greg k-h


diff -Nru a/security/owlsm.c b/security/owlsm.c
--- a/security/owlsm.c	Mon Dec 16 14:08:27 2002
+++ b/security/owlsm.c	Mon Dec 16 14:08:27 2002
@@ -30,35 +30,6 @@
 /* flag to keep track of how we were registered */
 static int secondary;
 
-static int owlsm_capable (struct task_struct *tsk, int cap)
-{
-	/* from dummy.c */
-	if (cap_is_fs_cap (cap) ? tsk->fsuid == 0 : tsk->euid == 0)
-		/* capability granted */
-		return 0;
-
-	/* capability denied */
-	return -EPERM;
-}
-
-static int owlsm_netlink_send (struct sk_buff *skb)
-{
-	/* from dummy.c */
-	if (current->euid == 0)
-		cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
-	else
-		NETLINK_CB (skb).eff_cap = 0;
-	return 0;
-}
-
-static int owlsm_netlink_recv (struct sk_buff *skb)
-{
-	/* from dummy.c */
-	if (!cap_raised (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN))
-		return -EPERM;
-	return 0;
-}
-
 static int owlsm_binprm_alloc_security(struct linux_binprm *bprm)
 {
 	int exec_return, fd_return;
@@ -96,12 +67,6 @@
 	return do_owlsm_follow_link(dentry, nameidata);
 }
 
-static void owlsm_task_reparent_to_init (struct task_struct *p) 
-{ 
-	p->euid = p->fsuid = 0;
-	return; 
-}
-
 static int owlsm_decode_options (struct sk_buff *skb, const char *optptr,
 				unsigned char **pp_ptr)
 {
@@ -115,23 +80,26 @@
 
 
 static struct security_operations owlsm_ops = {
-	capable:			owlsm_capable,
-
-	netlink_send:			owlsm_netlink_send,
-	netlink_recv:			owlsm_netlink_recv,
-	
-	bprm_alloc_security:		owlsm_binprm_alloc_security,
-	bprm_free_security:		owlsm_binprm_free_security,
-	bprm_compute_creds:		owlsm_binprm_compute_creds,
-	bprm_set_security:		owlsm_binprm_set_security,
+	/* Use the capability functions for some of the hooks */
+	.ptrace =			cap_ptrace,
+	.capget =			cap_capget,
+	.capset_check =			cap_capset_check,
+	.capset_set =			cap_capset_set,
+	.capable =			cap_capable,
+
+	.task_post_setuid =		cap_task_post_setuid,
+	.task_kmod_set_label =		cap_task_kmod_set_label,
+	.task_reparent_to_init =	cap_task_reparent_to_init,
+
+	.bprm_alloc_security =		owlsm_binprm_alloc_security,
+	.bprm_free_security =		owlsm_binprm_free_security,
+	.bprm_compute_creds =		owlsm_binprm_compute_creds,
+	.bprm_set_security =		owlsm_binprm_set_security,
 	
-	inode_link:			owlsm_inode_link,
-
-	inode_follow_link:		owlsm_inode_follow_link,
-
-	task_reparent_to_init:		owlsm_task_reparent_to_init,
+	.inode_link =			owlsm_inode_link,
+	.inode_follow_link =		owlsm_inode_follow_link,
 
-	ip_decode_options:		owlsm_decode_options,
+	.ip_decode_options =		owlsm_decode_options,
 };
 
 #if defined(CONFIG_SECURITY_owlsm_MODULE)
diff -Nru a/security/owlsm.h b/security/owlsm.h
--- a/security/owlsm.h	Mon Dec 16 14:08:27 2002
+++ b/security/owlsm.h	Mon Dec 16 14:08:27 2002
@@ -277,12 +277,12 @@
 
 static inline int do_owlsm_sfd_set (struct linux_binprm *bprm)
 {
-	return 0;
+	return cap_bprm_set_security(bprm);
 }
 
 static inline void do_owlsm_sfd_compute (struct linux_binprm *bprm)
 {
-	return;
+	return cap_bprm_compute_creds(bprm);
 }
 #endif /* CONFIG_OWLSM_FD */
 
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: David Wheeler: "OWLSM - please update! Also, here are tweaks to stack it."
• Previous message: Oliver Tennert: "Re: LSM adapted to support XFS"
• Reply: Emily Ratliff: "Re: OWLSM - please update! Also, here are tweaks to stack it."
• Reply: David Wheeler: "Re: OWLSM - please update! Also, here are tweaks to stack it."
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Dec 18 2002 - 16:24:39 PST