The attached patch for lsm-2.5 adds a CONFIG_SECURITY_NETWORK option for the socket and networking security fields and hooks. At present, it excludes the netlink hooks and the ip_decode_options hooks since the capabilities module uses those hooks to implement capability tests migrated from the base kernel. It rearranges the security_ops structure to move the optional socket and networking hooks to the end of the structure. The patch moves the 'security = NULL' initializations for the sock and open request structures into the corresponding alloc_security hooks since those initializations are colocated with the allocation. In the sk_buff case, the patch simply #ifdef's the initialization, since other similar #ifdef'd initializations exist in skb_headerinit. If desired, we could define a static inline function for that purpose, but it didn't seem to be necessary. The patch updates SELinux appropriately so that its socket and networking functionality (including the NetFilter-based hooks) is omitted if the option is not enabled. The patch simply removes the socket and networking hooks from DTE since it is not really using them anyway. Comments?
--
Stephen Smalley, NSA
sdsat_private
Index: lsm-2.5/include/linux/netdevice.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/include/linux/netdevice.h,v
retrieving revision 1.12
diff -u -r1.12 netdevice.h
--- lsm-2.5/include/linux/netdevice.h 17 Jan 2003 15:22:45 -0000 1.12
+++ lsm-2.5/include/linux/netdevice.h 27 Jan 2003 14:31:38 -0000
@@ -442,7 +442,9 @@
 /* generic object representation */
 struct kobject kobj;
+#ifdef CONFIG_SECURITY_NETWORK
 void *security;
+#endif
 };
Index: lsm-2.5/include/linux/security.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/include/linux/security.h,v
retrieving revision 1.35
diff -u -r1.35 security.h
--- lsm-2.5/include/linux/security.h 24 Jan 2003 20:32:48 -0000 1.35
+++ lsm-2.5/include/linux/security.h 27 Jan 2003 15:59:14 -0000
@@ -1178,10 +1178,8 @@
 int (*netlink_send) (struct sk_buff * skb);
 int (*netlink_recv) (struct sk_buff * skb);
-
- int (*unix_stream_connect) (struct socket * sock,
- struct socket * other, struct sock * newsk);
- int (*unix_may_send) (struct socket * sock, struct socket * other);
+ int (*ip_decode_options) (struct sk_buff * skb,
+ const char *optptr, unsigned char **pp_ptr);
 int (*bprm_alloc_security) (struct linux_binprm * bprm);
 void (*bprm_free_security) (struct linux_binprm * bprm);
@@ -1294,6 +1292,49 @@
 void (*task_kmod_set_label) (void);
 void (*task_reparent_to_init) (struct task_struct * p);
+ int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
+
+ int (*msg_msg_alloc_security) (struct msg_msg * msg);
+ void (*msg_msg_free_security) (struct msg_msg * msg);
+
+ int (*msg_queue_alloc_security) (struct msg_queue * msq);
+ void (*msg_queue_free_security) (struct msg_queue * msq);
+ int (*msg_queue_associate) (struct msg_queue * msq, int msqflg);
+ int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd);
+ int (*msg_queue_msgsnd) (struct msg_queue * msq,
+ struct msg_msg * msg, int msqflg);
+ int (*msg_queue_msgrcv) (struct msg_queue * msq,
+ struct msg_msg * msg,
+ struct task_struct * target,
+ long type, int mode);
+
+ int (*shm_alloc_security) (struct shmid_kernel * shp);
+ void (*shm_free_security) (struct shmid_kernel * shp);
+ int (*shm_associate) (struct shmid_kernel * shp, int shmflg);
+ int (*shm_shmctl) (struct shmid_kernel * shp, int cmd);
+ int (*shm_shmat) (struct shmid_kernel * shp,
+ char *shmaddr, int shmflg);
+
+ int (*sem_alloc_security) (struct sem_array * sma);
+ void (*sem_free_security) (struct sem_array * sma);
+ int (*sem_associate) (struct sem_array * sma, int semflg);
+ int (*sem_semctl) (struct sem_array * sma, int cmd);
+ int (*sem_semop) (struct sem_array * sma,
+ struct sembuf * sops, unsigned nsops, int alter);
+
+ /* allow module stacking */
+ int (*register_security) (const char *name,
+ struct security_operations *ops);
+ int (*unregister_security) (const char *name,
+ struct security_operations *ops);
+
+ void (*d_instantiate) (struct dentry * dentry, struct inode * inode);
+
+#ifdef CONFIG_SECURITY_NETWORK
+ int (*unix_stream_connect) (struct socket * sock,
+ struct socket * other, struct sock * newsk);
+ int (*unix_may_send) (struct socket * sock, struct socket * other);
+
 int (*socket_create) (int family, int type, int protocol);
 void (*socket_post_create) (struct socket * sock, int family,
 int type, int protocol);
@@ -1342,48 +1383,9 @@
 int (*ip_defragment) (struct sk_buff * skb);
 void (*ip_encapsulate) (struct sk_buff * skb);
 void (*ip_decapsulate) (struct sk_buff * skb);
- int (*ip_decode_options) (struct sk_buff * skb,
- const char *optptr, unsigned char **pp_ptr);
 void (*netdev_unregister) (struct net_device * dev);
-
- int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
-
- int (*msg_msg_alloc_security) (struct msg_msg * msg);
- void (*msg_msg_free_security) (struct msg_msg * msg);
-
- int (*msg_queue_alloc_security) (struct msg_queue * msq);
- void (*msg_queue_free_security) (struct msg_queue * msq);
- int (*msg_queue_associate) (struct msg_queue * msq, int msqflg);
- int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd);
- int (*msg_queue_msgsnd) (struct msg_queue * msq,
- struct msg_msg * msg, int msqflg);
- int (*msg_queue_msgrcv) (struct msg_queue * msq,
- struct msg_msg * msg,
- struct task_struct * target,
- long type, int mode);
-
- int (*shm_alloc_security) (struct shmid_kernel * shp);
- void (*shm_free_security) (struct shmid_kernel * shp);
- int (*shm_associate) (struct shmid_kernel * shp, int shmflg);
- int (*shm_shmctl) (struct shmid_kernel * shp, int cmd);
- int (*shm_shmat) (struct shmid_kernel * shp,
- char *shmaddr, int shmflg);
-
- int (*sem_alloc_security) (struct sem_array * sma);
- void (*sem_free_security) (struct sem_array * sma);
- int (*sem_associate) (struct sem_array * sma, int semflg);
- int (*sem_semctl) (struct sem_array * sma, int cmd);
- int (*sem_semop) (struct sem_array * sma,
- struct sembuf * sops, unsigned nsops, int alter);
-
- /* allow module stacking */
- int (*register_security) (const char *name,
- struct security_operations *ops);
- int (*unregister_security) (const char *name,
- struct security_operations *ops);
-
- void (*d_instantiate) (struct dentry * dentry, struct inode * inode);
+#endif
 };
 /* global variables */
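Review bot: The `#ifdef CONFIG_SECURITY_NETWORK` opened at the end of this hunk (and closed by the `+#endif` in the following -1342 hunk) carries no comment saying why `netlink_send`, `netlink_recv` and the `ip_decode_options` member relocated in the -1178 hunk stay outside it; the cover mail explains that the capabilities module implements them, but the header does not, so the next person adding a hook to the guarded region has to rediscover that. Suggest a comment directly above the guard such as `/* Socket and networking hooks, present only with CONFIG_SECURITY_NETWORK. The netlink_* and ip_decode_options hooks stay unconditional above because the capabilities module implements them. */`. Since every member from `ipc_permission` onward changes offset, modules built against the previous layout of struct security_operations need a rebuild, which may be worth a sentence in the mail. The struct definition itself begins before this hunk.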
@@ -1500,19 +1502,11 @@
 return security_ops->netlink_recv(skb);
 }
-
-static inline int security_unix_stream_connect(struct socket * sock,
- struct socket * other,
- struct sock * newsk)
-{
- return security_ops->unix_stream_connect(sock, other, newsk);
-}
-
-
-static inline int security_unix_may_send(struct socket * sock,
- struct socket * other)
+static inline int security_ip_decode_options(struct sk_buff * skb,
+ const char *optptr,
+ unsigned char **pp_ptr)
 {
- return security_ops->unix_may_send(sock, other);
+ return security_ops->ip_decode_options(skb, optptr, pp_ptr);
 }
 static inline int security_bprm_alloc (struct linux_binprm *bprm)
@@ -1949,356 +1943,156 @@ security_ops->task_reparent_to_init (p); } -static inline int security_socket_create (int family, int type, int protocol) +static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, + short flag) { - return security_ops->socket_create(family, type, protocol); + return security_ops->ipc_permission (ipcp, flag); } -static inline void security_socket_post_create(struct socket * sock, - int family, - int type, - int protocol) +static inline int security_msg_msg_alloc (struct msg_msg * msg) { - security_ops->socket_post_create(sock, family, type, protocol); + return security_ops->msg_msg_alloc_security (msg); } -static inline int security_socket_bind(struct socket * sock, - struct sockaddr * address, - int addrlen) +static inline void security_msg_msg_free (struct msg_msg * msg) { - return security_ops->socket_bind(sock, address, addrlen); + security_ops->msg_msg_free_security(msg); } -static inline int security_socket_connect(struct socket * sock, - struct sockaddr * address, - int addrlen) +static inline int security_msg_queue_alloc (struct msg_queue *msq) { - return security_ops->socket_connect(sock, address, addrlen); + return security_ops->msg_queue_alloc_security (msq); } -static inline int security_socket_listen(struct socket * sock, int backlog) +static inline void security_msg_queue_free (struct msg_queue *msq) { - return security_ops->socket_listen(sock, backlog); + security_ops->msg_queue_free_security (msq); } -static inline int security_socket_accept(struct socket * sock, - struct socket * newsock) +static inline int security_msg_queue_associate (struct msg_queue * msq, + int msqflg) { - return security_ops->socket_accept(sock, newsock); + return security_ops->msg_queue_associate (msq, msqflg); } -static inline void security_socket_post_accept(struct socket * sock, - struct socket * newsock) +static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) { - security_ops->socket_post_accept(sock, 
newsock); + return security_ops->msg_queue_msgctl (msq, cmd); } -static inline int security_socket_sendmsg(struct socket * sock, - struct msghdr * msg, int size) +static inline int security_msg_queue_msgsnd (struct msg_queue * msq, + struct msg_msg * msg, int msqflg) { - return security_ops->socket_sendmsg(sock, msg, size); + return security_ops->msg_queue_msgsnd (msq, msg, msqflg); } -static inline int security_socket_recvmsg(struct socket * sock, - struct msghdr * msg, int size, - int flags) +static inline int security_msg_queue_msgrcv (struct msg_queue * msq, + struct msg_msg * msg, + struct task_struct * target, + long type, int mode) { - return security_ops->socket_recvmsg(sock, msg, size, flags); + return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode); } -static inline int security_socket_getsockname(struct socket * sock) +static inline int security_shm_alloc (struct shmid_kernel *shp) { - return security_ops->socket_getsockname(sock); + return security_ops->shm_alloc_security (shp); } -static inline int security_socket_getpeername(struct socket * sock) +static inline void security_shm_free (struct shmid_kernel *shp) { - return security_ops->socket_getpeername(sock); + security_ops->shm_free_security (shp); } -static inline int security_socket_getsockopt(struct socket * sock, - int level, int optname) +static inline int security_shm_associate (struct shmid_kernel * shp, + int shmflg) { - return security_ops->socket_getsockopt(sock, level, optname); + return security_ops->shm_associate(shp, shmflg); } -static inline int security_socket_setsockopt(struct socket * sock, - int level, int optname) +static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) { - return security_ops->socket_setsockopt(sock, level, optname); + return security_ops->shm_shmctl (shp, cmd); } -static inline int security_socket_shutdown(struct socket * sock, int how) +static inline int security_shm_shmat (struct shmid_kernel * shp, + char *shmaddr, int 
shmflg) { - return security_ops->socket_shutdown(sock, how); + return security_ops->shm_shmat(shp, shmaddr, shmflg); } -static inline int security_sock_alloc(struct sock * sk, - int gfp_mask) +static inline int security_sem_alloc (struct sem_array *sma) { - return security_ops->socket_sock_alloc_security(sk, gfp_mask); + return security_ops->sem_alloc_security (sma); } -static inline void security_sock_free(struct sock * sk) +static inline void security_sem_free (struct sem_array *sma) { - security_ops->socket_sock_free_security(sk); + security_ops->sem_free_security (sma); } -static inline int security_sock_rcv_skb (struct sock * sk, - struct sk_buff * skb) +static inline int security_sem_associate (struct sem_array * sma, int semflg) { - return security_ops->socket_sock_rcv_skb (sk, skb); + return security_ops->sem_associate (sma, semflg); } -static inline int security_open_request_alloc (struct open_request * req) +static inline int security_sem_semctl (struct sem_array * sma, int cmd) { - return security_ops->open_request_alloc_security (req); + return security_ops->sem_semctl(sma, cmd); } -static inline void security_open_request_free (struct open_request * req) +static inline int security_sem_semop (struct sem_array * sma, + struct sembuf * sops, unsigned nsops, + int alter) { - security_ops->open_request_free_security (req); + return security_ops->sem_semop(sma, sops, nsops, alter); } -static inline void security_tcp_connection_request(struct sock * sk, - struct sk_buff * skb, - struct open_request * req) +static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) { - security_ops->tcp_connection_request(sk, skb, req); + security_ops->d_instantiate (dentry, inode); } -static inline void security_tcp_synack(struct sock * sk, - struct sk_buff * skb, - struct open_request * req) +/* prototypes */ +extern int security_scaffolding_startup (void); +extern int register_security (struct security_operations *ops); +extern int 
unregister_security (struct security_operations *ops); +extern int mod_reg_security (const char *name, struct security_operations *ops); +extern int mod_unreg_security (const char *name, struct security_operations *ops); + +#else /* CONFIG_SECURITY */ + +/* + * This is the default capabilities functionality. Most of these functions + * are just stubbed out, but a few must call the proper capable code. + */ + +static inline int security_scaffolding_startup (void) { - security_ops->tcp_synack(sk, skb, req); + return 0; } -static inline void security_tcp_create_openreq_child(struct sock * sk, - struct sock * newsk, - struct sk_buff * skb, - struct open_request * req) +static inline int security_sethostname (char *hostname) { - security_ops->tcp_create_openreq_child(sk, newsk, skb, req); + return 0; } -static inline int security_skb_alloc(struct sk_buff * skb, int gfp_mask) +static inline int security_setdomainname (char *domainname) { - return security_ops->skb_alloc_security(skb, gfp_mask); + return 0; } -static inline int security_skb_clone(struct sk_buff * newskb, - const struct sk_buff * oldskb) +static inline int security_reboot (unsigned int cmd) { - return security_ops->skb_clone(newskb, oldskb); + return 0; } -static inline void security_skb_copy(struct sk_buff * newskb, - const struct sk_buff * oldskb) +static inline int security_ioperm (unsigned long from, unsigned long num, int turn_on) { - security_ops->skb_copy(newskb, oldskb); + return 0; } -static inline void security_skb_set_owner_w (struct sk_buff * skb, - struct sock * sk) -{ - security_ops->skb_set_owner_w (skb, sk); -} - -static inline void security_skb_recv_datagram(struct sk_buff * skb, - struct sock * sk, unsigned flags) -{ - security_ops->skb_recv_datagram(skb, sk, flags); -} - -static inline void security_skb_free(struct sk_buff * skb) -{ - security_ops->skb_free_security(skb); -} - -static inline void security_ip_fragment(struct sk_buff * newskb, - const struct sk_buff * oldskb) -{ - 
security_ops->ip_fragment(newskb, oldskb); -} - -static inline int security_ip_defragment(struct sk_buff * skb) -{ - return security_ops->ip_defragment(skb); -} - -static inline void security_ip_encapsulate(struct sk_buff * skb) -{ - security_ops->ip_encapsulate(skb); -} - -static inline void security_ip_decapsulate(struct sk_buff * skb) -{ - security_ops->ip_decapsulate(skb); -} - -static inline int security_ip_decode_options(struct sk_buff * skb, - const char *optptr, - unsigned char **pp_ptr) -{ - return security_ops->ip_decode_options(skb, optptr, pp_ptr); -} - -static inline void security_netdev_unregister(struct net_device * dev) -{ - security_ops->netdev_unregister(dev); -} - -static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, - short flag) -{ - return security_ops->ipc_permission (ipcp, flag); -} - -static inline int security_msg_msg_alloc (struct msg_msg * msg) -{ - return security_ops->msg_msg_alloc_security (msg); -} - -static inline void security_msg_msg_free (struct msg_msg * msg) -{ - security_ops->msg_msg_free_security(msg); -} - -static inline int security_msg_queue_alloc (struct msg_queue *msq) -{ - return security_ops->msg_queue_alloc_security (msq); -} - -static inline void security_msg_queue_free (struct msg_queue *msq) -{ - security_ops->msg_queue_free_security (msq); -} - -static inline int security_msg_queue_associate (struct msg_queue * msq, - int msqflg) -{ - return security_ops->msg_queue_associate (msq, msqflg); -} - -static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) -{ - return security_ops->msg_queue_msgctl (msq, cmd); -} - -static inline int security_msg_queue_msgsnd (struct msg_queue * msq, - struct msg_msg * msg, int msqflg) -{ - return security_ops->msg_queue_msgsnd (msq, msg, msqflg); -} - -static inline int security_msg_queue_msgrcv (struct msg_queue * msq, - struct msg_msg * msg, - struct task_struct * target, - long type, int mode) -{ - return security_ops->msg_queue_msgrcv (msq, 
msg, target, type, mode); -} - -static inline int security_shm_alloc (struct shmid_kernel *shp) -{ - return security_ops->shm_alloc_security (shp); -} - -static inline void security_shm_free (struct shmid_kernel *shp) -{ - security_ops->shm_free_security (shp); -} - -static inline int security_shm_associate (struct shmid_kernel * shp, - int shmflg) -{ - return security_ops->shm_associate(shp, shmflg); -} - -static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) -{ - return security_ops->shm_shmctl (shp, cmd); -} - -static inline int security_shm_shmat (struct shmid_kernel * shp, - char *shmaddr, int shmflg) -{ - return security_ops->shm_shmat(shp, shmaddr, shmflg); -} - -static inline int security_sem_alloc (struct sem_array *sma) -{ - return security_ops->sem_alloc_security (sma); -} - -static inline void security_sem_free (struct sem_array *sma) -{ - security_ops->sem_free_security (sma); -} - -static inline int security_sem_associate (struct sem_array * sma, int semflg) -{ - return security_ops->sem_associate (sma, semflg); -} - -static inline int security_sem_semctl (struct sem_array * sma, int cmd) -{ - return security_ops->sem_semctl(sma, cmd); -} - -static inline int security_sem_semop (struct sem_array * sma, - struct sembuf * sops, unsigned nsops, - int alter) -{ - return security_ops->sem_semop(sma, sops, nsops, alter); -} - -static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) -{ - security_ops->d_instantiate (dentry, inode); -} - -/* prototypes */ -extern int security_scaffolding_startup (void); -extern int register_security (struct security_operations *ops); -extern int unregister_security (struct security_operations *ops); -extern int mod_reg_security (const char *name, struct security_operations *ops); -extern int mod_unreg_security (const char *name, struct security_operations *ops); - -#else /* CONFIG_SECURITY */ - -/* - * This is the default capabilities functionality. 
Most of these functions - * are just stubbed out, but a few must call the proper capable code. - */ - -static inline int security_scaffolding_startup (void) -{ - return 0; -} - -static inline int security_sethostname (char *hostname) -{ - return 0; -} - -static inline int security_setdomainname (char *domainname) -{ - return 0; -} - -static inline int security_reboot (unsigned int cmd) -{ - return 0; -} - -static inline int security_ioperm (unsigned long from, unsigned long num, int turn_on) -{ - return 0; -} - -static inline int security_iopl (unsigned int old, unsigned int level) +static inline int security_iopl (unsigned int old, unsigned int level) { return 0; } @@ -2388,17 +2182,11 @@ return cap_netlink_recv(skb); } -static inline int security_unix_stream_connect(struct socket * sock, - struct socket * other, - struct sock * newsk) -{ - return 0; -} - -static inline int security_unix_may_send(struct socket * sock, - struct socket * other) +static inline int security_ip_decode_options(struct sk_buff * skb, + const char *optptr, + unsigned char **pp_ptr) { - return 0; + return cap_ip_decode_options(skb,optptr,pp_ptr); } static inline int security_bprm_alloc (struct linux_binprm *bprm) 
@@ -2801,123 +2589,247 @@ cap_task_reparent_to_init (p); } -static inline int security_socket_create (int family, int type, int protocol) +static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, + short flag) { return 0; } -static inline void security_socket_post_create(struct socket * sock, - int family, - int type, - int protocol) +static inline int security_msg_msg_alloc (struct msg_msg * msg) { + return 0; } -static inline int security_socket_bind(struct socket * sock, - struct sockaddr * address, - int addrlen) +static inline void security_msg_msg_free (struct msg_msg * msg) +{ } + +static inline int security_msg_queue_alloc (struct msg_queue *msq) { return 0; } -static inline int security_socket_connect(struct socket * sock, - struct sockaddr * address, - int addrlen) +static inline void security_msg_queue_free (struct msg_queue *msq) +{ } + +static inline int security_msg_queue_associate (struct msg_queue * msq, + int msqflg) { return 0; } -static inline int security_socket_listen(struct socket * sock, int backlog) +static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) { return 0; } -static inline int security_socket_accept(struct socket * sock, - struct socket * newsock) +static inline int security_msg_queue_msgsnd (struct msg_queue * msq, + struct msg_msg * msg, int msqflg) { return 0; } -static inline void security_socket_post_accept(struct socket * sock, - struct socket * newsock) +static inline int security_msg_queue_msgrcv (struct msg_queue * msq, + struct msg_msg * msg, + struct task_struct * target, + long type, int mode) { + return 0; } -static inline int security_socket_sendmsg(struct socket * sock, - struct msghdr * msg, int size) +static inline int security_shm_alloc (struct shmid_kernel *shp) { return 0; } -static inline int security_socket_recvmsg(struct socket * sock, - struct msghdr * msg, int size, - int flags) -{ +static inline void security_shm_free (struct shmid_kernel *shp) +{ } + +static inline int 
security_shm_associate (struct shmid_kernel * shp, + int shmflg) +{ return 0; } -static inline int security_socket_getsockname(struct socket * sock) +static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) { return 0; } -static inline int security_socket_getpeername(struct socket * sock) +static inline int security_shm_shmat (struct shmid_kernel * shp, + char *shmaddr, int shmflg) +{ + return 0; +} + +static inline int security_sem_alloc (struct sem_array *sma) +{ + return 0; +} + +static inline void security_sem_free (struct sem_array *sma) +{ } + +static inline int security_sem_associate (struct sem_array * sma, int semflg) +{ + return 0; +} + +static inline int security_sem_semctl (struct sem_array * sma, int cmd) +{ + return 0; +} + +static inline int security_sem_semop (struct sem_array * sma, + struct sembuf * sops, unsigned nsops, + int alter) { return 0; } +static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) +{ } + +#endif /* CONFIG_SECURITY */ + +#ifdef CONFIG_SECURITY_NETWORK + +static inline int security_unix_stream_connect(struct socket * sock, + struct socket * other, + struct sock * newsk) +{ + return security_ops->unix_stream_connect(sock, other, newsk); +} + + +static inline int security_unix_may_send(struct socket * sock, + struct socket * other) +{ + return security_ops->unix_may_send(sock, other); +} + +static inline int security_socket_create (int family, int type, int protocol) +{ + return security_ops->socket_create(family, type, protocol); +} + +static inline void security_socket_post_create(struct socket * sock, + int family, + int type, + int protocol) +{ + security_ops->socket_post_create(sock, family, type, protocol); +} + +static inline int security_socket_bind(struct socket * sock, + struct sockaddr * address, + int addrlen) +{ + return security_ops->socket_bind(sock, address, addrlen); +} + +static inline int security_socket_connect(struct socket * sock, + struct sockaddr * address, 
+ int addrlen) +{ + return security_ops->socket_connect(sock, address, addrlen); +} + +static inline int security_socket_listen(struct socket * sock, int backlog) +{ + return security_ops->socket_listen(sock, backlog); +} + +static inline int security_socket_accept(struct socket * sock, + struct socket * newsock) +{ + return security_ops->socket_accept(sock, newsock); +} + +static inline void security_socket_post_accept(struct socket * sock, + struct socket * newsock) +{ + security_ops->socket_post_accept(sock, newsock); +} + +static inline int security_socket_sendmsg(struct socket * sock, + struct msghdr * msg, int size) +{ + return security_ops->socket_sendmsg(sock, msg, size); +} + +static inline int security_socket_recvmsg(struct socket * sock, + struct msghdr * msg, int size, + int flags) +{ + return security_ops->socket_recvmsg(sock, msg, size, flags); +} + +static inline int security_socket_getsockname(struct socket * sock) +{ + return security_ops->socket_getsockname(sock); +} + +static inline int security_socket_getpeername(struct socket * sock) +{ + return security_ops->socket_getpeername(sock); +} + static inline int security_socket_getsockopt(struct socket * sock, int level, int optname) { - return 0; + return security_ops->socket_getsockopt(sock, level, optname); } static inline int security_socket_setsockopt(struct socket * sock, int level, int optname) { - return 0; + return security_ops->socket_setsockopt(sock, level, optname); } static inline int security_socket_shutdown(struct socket * sock, int how) { - return 0; + return security_ops->socket_shutdown(sock, how); } static inline int security_sock_alloc(struct sock * sk, int gfp_mask) { - return 0; + return security_ops->socket_sock_alloc_security(sk, gfp_mask); } static inline void security_sock_free(struct sock * sk) { + security_ops->socket_sock_free_security(sk); } static inline int security_sock_rcv_skb (struct sock * sk, struct sk_buff * skb) { - return 0; + return 
security_ops->socket_sock_rcv_skb (sk, skb); } static inline int security_open_request_alloc (struct open_request * req) { - return 0; + return security_ops->open_request_alloc_security (req); } static inline void security_open_request_free (struct open_request * req) { + security_ops->open_request_free_security (req); } static inline void security_tcp_connection_request(struct sock * sk, struct sk_buff * skb, struct open_request * req) { + security_ops->tcp_connection_request(sk, skb, req); } static inline void security_tcp_synack(struct sock * sk, struct sk_buff * skb, struct open_request * req) { + security_ops->tcp_synack(sk, skb, req); } static inline void security_tcp_create_openreq_child(struct sock * sk, 
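Review bot: The wrappers in the `#ifdef CONFIG_SECURITY_NETWORK` block that begins right after `+#endif /* CONFIG_SECURITY */` in this hunk dereference `security_ops`, which, from what is visible, this header declares only in the CONFIG_SECURITY branch (under the `/* global variables */` heading in the -1342 hunk), so they compile only if CONFIG_SECURITY_NETWORK cannot be selected without CONFIG_SECURITY. The Kconfig hunk is not in view; if it does not express that dependency, the guard here should read `#if defined(CONFIG_SECURITY) && defined(CONFIG_SECURITY_NETWORK)` so that the stub branch covers every other configuration. On style, the IPC stubs added in this hunk are written `+{ }` on one line, while the socket stubs in the `#else /* CONFIG_SECURITY_NETWORK */` branch of the following -2925 hunk put `{` and `}` on separate lines; one form throughout the header would read better. The block opened here is closed by `#endif /* CONFIG_SECURITY_NETWORK */` in that next hunk.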
@@ -2925,168 +2837,263 @@ struct sk_buff * skb, struct open_request * req) { + security_ops->tcp_create_openreq_child(sk, newsk, skb, req); } static inline int security_skb_alloc(struct sk_buff * skb, int gfp_mask) { - return 0; + return security_ops->skb_alloc_security(skb, gfp_mask); } static inline int security_skb_clone(struct sk_buff * newskb, const struct sk_buff * oldskb) { - return 0; + return security_ops->skb_clone(newskb, oldskb); } static inline void security_skb_copy(struct sk_buff * newskb, const struct sk_buff * oldskb) { + security_ops->skb_copy(newskb, oldskb); } static inline void security_skb_set_owner_w (struct sk_buff * skb, struct sock * sk) { + security_ops->skb_set_owner_w (skb, sk); } static inline void security_skb_recv_datagram(struct sk_buff * skb, struct sock * sk, unsigned flags) { + security_ops->skb_recv_datagram(skb, sk, flags); } static inline void security_skb_free(struct sk_buff * skb) { + security_ops->skb_free_security(skb); } static inline void security_ip_fragment(struct sk_buff * newskb, const struct sk_buff * oldskb) { + security_ops->ip_fragment(newskb, oldskb); } static inline int security_ip_defragment(struct sk_buff * skb) { - return 0; + return security_ops->ip_defragment(skb); } static inline void security_ip_encapsulate(struct sk_buff * skb) { + security_ops->ip_encapsulate(skb); } static inline void security_ip_decapsulate(struct sk_buff * skb) { + security_ops->ip_decapsulate(skb); } -static inline int security_ip_decode_options(struct sk_buff * skb, - const char *optptr, - unsigned char **pp_ptr) +static inline void security_netdev_unregister(struct net_device * dev) { - return cap_ip_decode_options(skb,optptr,pp_ptr); + security_ops->netdev_unregister(dev); } -static inline void security_netdev_unregister(struct net_device * dev) +#else /* CONFIG_SECURITY_NETWORK */ + +static inline int security_unix_stream_connect(struct socket * sock, + struct socket * other, + struct sock * newsk) { + return 0; } -static 
inline int security_ipc_permission (struct kern_ipc_perm *ipcp, - short flag) +static inline int security_unix_may_send(struct socket * sock, + struct socket * other) { return 0; } -static inline int security_msg_msg_alloc (struct msg_msg * msg) +static inline int security_socket_create (int family, int type, int protocol) { return 0; } -static inline void security_msg_msg_free (struct msg_msg * msg) -{ } +static inline void security_socket_post_create(struct socket * sock, + int family, + int type, + int protocol) +{ +} -static inline int security_msg_queue_alloc (struct msg_queue *msq) +static inline int security_socket_bind(struct socket * sock, + struct sockaddr * address, + int addrlen) { return 0; } -static inline void security_msg_queue_free (struct msg_queue *msq) -{ } +static inline int security_socket_connect(struct socket * sock, + struct sockaddr * address, + int addrlen) +{ + return 0; +} -static inline int security_msg_queue_associate (struct msg_queue * msq, - int msqflg) +static inline int security_socket_listen(struct socket * sock, int backlog) { return 0; } -static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) +static inline int security_socket_accept(struct socket * sock, + struct socket * newsock) { return 0; } -static inline int security_msg_queue_msgsnd (struct msg_queue * msq, - struct msg_msg * msg, int msqflg) +static inline void security_socket_post_accept(struct socket * sock, + struct socket * newsock) +{ +} + +static inline int security_socket_sendmsg(struct socket * sock, + struct msghdr * msg, int size) { return 0; } -static inline int security_msg_queue_msgrcv (struct msg_queue * msq, - struct msg_msg * msg, - struct task_struct * target, - long type, int mode) +static inline int security_socket_recvmsg(struct socket * sock, + struct msghdr * msg, int size, + int flags) { return 0; } -static inline int security_shm_alloc (struct shmid_kernel *shp) +static inline int security_socket_getsockname(struct socket 
* sock) { return 0; } -static inline void security_shm_free (struct shmid_kernel *shp) -{ } +static inline int security_socket_getpeername(struct socket * sock) +{ + return 0; +} -static inline int security_shm_associate (struct shmid_kernel * shp, - int shmflg) +static inline int security_socket_getsockopt(struct socket * sock, + int level, int optname) { return 0; } -static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) +static inline int security_socket_setsockopt(struct socket * sock, + int level, int optname) { return 0; } -static inline int security_shm_shmat (struct shmid_kernel * shp, - char *shmaddr, int shmflg) +static inline int security_socket_shutdown(struct socket * sock, int how) { return 0; } -static inline int security_sem_alloc (struct sem_array *sma) +static inline int security_sock_alloc(struct sock * sk, + int gfp_mask) { return 0; } -static inline void security_sem_free (struct sem_array *sma) -{ } +static inline void security_sock_free(struct sock * sk) +{ +} -static inline int security_sem_associate (struct sem_array * sma, int semflg) +static inline int security_sock_rcv_skb (struct sock * sk, + struct sk_buff * skb) { return 0; } -static inline int security_sem_semctl (struct sem_array * sma, int cmd) +static inline int security_open_request_alloc (struct open_request * req) { return 0; } -static inline int security_sem_semop (struct sem_array * sma, - struct sembuf * sops, unsigned nsops, - int alter) +static inline void security_open_request_free (struct open_request * req) +{ +} + +static inline void security_tcp_connection_request(struct sock * sk, + struct sk_buff * skb, + struct open_request * req) +{ +} + +static inline void security_tcp_synack(struct sock * sk, + struct sk_buff * skb, + struct open_request * req) +{ +} + +static inline void security_tcp_create_openreq_child(struct sock * sk, + struct sock * newsk, + struct sk_buff * skb, + struct open_request * req) +{ +} + +static inline int 
security_skb_alloc(struct sk_buff * skb, int gfp_mask) { return 0; } -static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) -{ } +static inline int security_skb_clone(struct sk_buff * newskb, + const struct sk_buff * oldskb) +{ + return 0; +} -#endif /* CONFIG_SECURITY */ +static inline void security_skb_copy(struct sk_buff * newskb, + const struct sk_buff * oldskb) +{ +} + +static inline void security_skb_set_owner_w (struct sk_buff * skb, + struct sock * sk) +{ +} + +static inline void security_skb_recv_datagram(struct sk_buff * skb, + struct sock * sk, unsigned flags) +{ +} + +static inline void security_skb_free(struct sk_buff * skb) +{ +} + +static inline void security_ip_fragment(struct sk_buff * newskb, + const struct sk_buff * oldskb) +{ +} + +static inline int security_ip_defragment(struct sk_buff * skb) +{ + return 0; +} + +static inline void security_ip_encapsulate(struct sk_buff * skb) +{ +} + +static inline void security_ip_decapsulate(struct sk_buff * skb) +{ +} + +static inline void security_netdev_unregister(struct net_device * dev) +{ +} + +#endif /* CONFIG_SECURITY_NETWORK */ #endif /* ! __LINUX_SECURITY_H */ Index: lsm-2.5/include/linux/skbuff.h =================================================================== RCS file: /home/pal/CVS/lsm-2.5/include/linux/skbuff.h,v retrieving revision 1.10 diff -u -r1.10 skbuff.h --- lsm-2.5/include/linux/skbuff.h 13 Jan 2003 20:48:00 -0000 1.10 +++ lsm-2.5/include/linux/skbuff.h 27 Jan 2003 14:32:22 -0000 
@@ -261,8 +261,9 @@ #ifdef CONFIG_NET_SCHED __u32 tc_index; /* traffic control index */ #endif - +#ifdef CONFIG_SECURITY_NETWORK void *lsm_security; /* replaces the above security field */ +#endif }; #define SK_WMEM_MAX 65535 Index: lsm-2.5/include/linux/tcp.h =================================================================== RCS file: /home/pal/CVS/lsm-2.5/include/linux/tcp.h,v retrieving revision 1.6 diff -u -r1.6 tcp.h --- lsm-2.5/include/linux/tcp.h 24 Jan 2003 15:20:00 -0000 1.6 +++ lsm-2.5/include/linux/tcp.h 27 Jan 2003 14:32:34 -0000 @@ -383,7 +383,7 @@ #define tcp_sk(__sk) (&((struct tcp_sock *)__sk)->tcp) static inline void clone_tcp_sk(struct sock *newsk, struct sock *sk) { -#ifdef CONFIG_SECURITY +#ifdef CONFIG_SECURITY_NETWORK /* Save/restore the LSM security pointer around the copy */ void *sptr = newsk->security; memcpy(newsk, sk, sizeof(struct tcp_sock)); Index: lsm-2.5/include/net/sock.h =================================================================== RCS file: /home/pal/CVS/lsm-2.5/include/net/sock.h,v retrieving revision 1.18 diff -u -r1.18 sock.h --- lsm-2.5/include/net/sock.h 4 Dec 2002 21:58:29 -0000 1.18 +++ lsm-2.5/include/net/sock.h 27 Jan 2003 14:33:16 -0000 @@ -198,8 +198,10 @@ /* RPC layer private data */ void *user_data; +#ifdef CONFIG_SECURITY_NETWORK /* LSM security field */ void *security; +#endif /* Callbacks */ void (*state_change)(struct sock *sk); Index: lsm-2.5/include/net/tcp.h =================================================================== RCS file: /home/pal/CVS/lsm-2.5/include/net/tcp.h,v retrieving revision 1.8 diff -u -r1.8 tcp.h --- lsm-2.5/include/net/tcp.h 24 Jan 2003 15:20:00 -0000 1.8 +++ lsm-2.5/include/net/tcp.h 27 Jan 2003 14:44:12 -0000 @@ -534,8 +534,10 @@ struct tcp_v6_open_req v6_req; #endif } af; +#ifdef CONFIG_SECURITY_NETWORK /* LSM security field */ void *security; +#endif }; /* SLAB cache for open requests. */ 
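Review bot: The comment `/* replaces the above security field */` kept on `lsm_security` in the skbuff.h hunk no longer points at anything: the only member above it in the hunk is `tc_index`, so if the field it once referred to has since been removed the comment is stale. The sock.h and net/tcp.h hunks in this same patch label their pointer `/* LSM security field */`; using that wording here too would keep the three declarations consistent and avoid sending a reader looking for a field that is not there.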
@@ -547,7 +549,6 @@ kmem_cache_alloc(tcp_openreq_cachep, SLAB_ATOMIC); if (req != NULL) { - req->security = NULL; if (security_open_request_alloc(req)) { kmem_cache_free(tcp_openreq_cachep, req); return NULL; Index: lsm-2.5/net/core/skbuff.c =================================================================== RCS file: /home/pal/CVS/lsm-2.5/net/core/skbuff.c,v retrieving revision 1.14 diff -u -r1.14 skbuff.c --- lsm-2.5/net/core/skbuff.c 13 Jan 2003 20:48:08 -0000 1.14 +++ lsm-2.5/net/core/skbuff.c 27 Jan 2003 15:05:56 -0000 @@ -263,7 +263,9 @@ #ifdef CONFIG_NET_SCHED skb->tc_index = 0; #endif +#ifdef CONFIG_SECURITY_NETWORK skb->lsm_security = NULL; +#endif } static void skb_drop_fraglist(struct sk_buff *skb) Index: lsm-2.5/net/core/sock.c =================================================================== RCS file: /home/pal/CVS/lsm-2.5/net/core/sock.c,v retrieving revision 1.8 diff -u -r1.8 sock.c --- lsm-2.5/net/core/sock.c 24 Jan 2003 15:20:01 -0000 1.8 +++ lsm-2.5/net/core/sock.c 27 Jan 2003 14:44:53 -0000 @@ -601,7 +601,6 @@ sk->family = family; sock_lock_init(sk); } - sk->security = NULL; if (security_sock_alloc(sk, priority)) { kmem_cache_free(slab, sk); return NULL; Index: lsm-2.5/security/Kconfig =================================================================== RCS file: /home/pal/CVS/lsm-2.5/security/Kconfig,v retrieving revision 1.6 diff -u -r1.6 Kconfig --- lsm-2.5/security/Kconfig 27 Dec 2002 13:45:00 -0000 1.6 +++ lsm-2.5/security/Kconfig 27 Jan 2003 15:37:29 -0000 
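Review bot: Removing `req->security = NULL;` after the kmem_cache_alloc() here makes the open_request_alloc_security hook responsible for initializing the field, and the sock.c hunk further down does the same for `sk->security`; neither allocation is shown to zero the object, so a module that registers its own alloc hook without clearing the pointer leaves a stale slab value that its free hook would later act on. The in-tree hooks in this patch (dummy.c and the SELinux hooks.c) do assign NULL, and set_to_dummy_if_null covers modules that omit the hook entirely, so the gap is only for third-party or stacked modules that supply the hook themselves. This contract should be stated on the hook declarations in security.h, e.g. `* @sk contains the sock structure. The hook must set sk->security itself; the core no longer clears it.`, with the same wording for open_request_alloc_security. The enclosing allocation functions start outside both hunks.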
@@ -15,6 +15,15 @@ If you are unsure how to answer this question, answer N. +config SECURITY_NETWORK + bool "Socket and Networking Security Hooks" + depends on SECURITY!=n + help + This enables the socket and networking security hooks. + If enabled, a security module can use these hooks to + implement socket and networking access controls. + If you are unsure how to answer this question, answer N. + config SECURITY_CAPABILITIES tristate "Default Linux Capabilities" depends on SECURITY!=n Index: lsm-2.5/security/dummy.c =================================================================== RCS file: /home/pal/CVS/lsm-2.5/security/dummy.c,v retrieving revision 1.35 diff -u -r1.35 dummy.c --- lsm-2.5/security/dummy.c 24 Jan 2003 20:32:49 -0000 1.35 +++ lsm-2.5/security/dummy.c 27 Jan 2003 16:32:48 -0000 @@ -20,6 +20,8 @@ #include <linux/security.h> #include <linux/skbuff.h> #include <linux/netlink.h> +#include <net/sock.h> +#include <net/tcp.h> static int dummy_sethostname (char *hostname) { @@ -664,6 +666,18 @@ return 0; } +static int dummy_ip_decode_options (struct sk_buff *skb, const char *optptr, + unsigned char **pp_ptr) +{ + if (!skb && !capable (CAP_NET_RAW)) { + (const unsigned char *) *pp_ptr = optptr; + return -EPERM; + } + return 0; +} + +#ifdef CONFIG_SECURITY_NETWORK + static void dummy_ip_fragment (struct sk_buff *newskb, const struct sk_buff *oldskb) { @@ -685,16 +699,6 @@ return; } -static int dummy_ip_decode_options (struct sk_buff *skb, const char *optptr, - unsigned char **pp_ptr) -{ - if (!skb && !capable (CAP_NET_RAW)) { - (const unsigned char *) *pp_ptr = optptr; - return -EPERM; - } - return 0; -} - static void dummy_netdev_unregister (struct net_device *dev) { return; @@ -778,6 +782,7 @@ static int dummy_socket_sock_alloc_security(struct sock *sk, int gfp_mask) { + sk->security = NULL; return 0; } @@ -793,6 +798,7 @@ static int dummy_open_request_alloc_security(struct open_request * req) { + req->security = NULL; return 0; } 
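Review bot: `(const unsigned char *) *pp_ptr = optptr;` in the relocated dummy_ip_decode_options uses a cast as an lvalue, a GCC-only extension; since the function is being moved anyway, this is the moment to write it as `*pp_ptr = (unsigned char *) optptr;`, which is standard C and equally explicit about dropping the const. The `!skb` test also deserves a one-line comment, because the CAP_NET_RAW requirement hinges on what a NULL skb denotes and that is not evident from the hunk; something like `/* skb == NULL: options not taken from a received packet -- TODO confirm against the caller */` until the meaning is confirmed.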
@@ -866,6 +872,8 @@ return; } +#endif + static int dummy_register_security (const char *name, struct security_operations *ops) { return -EINVAL; @@ -1002,6 +1010,7 @@ set_to_dummy_if_null(ops, sem_semop); set_to_dummy_if_null(ops, register_security); set_to_dummy_if_null(ops, unregister_security); + set_to_dummy_if_null(ops, d_instantiate); set_to_dummy_if_null(ops, sethostname); set_to_dummy_if_null(ops, setdomainname); set_to_dummy_if_null(ops, reboot); @@ -1012,11 +1021,12 @@ set_to_dummy_if_null(ops, settime); set_to_dummy_if_null(ops, netlink_send); set_to_dummy_if_null(ops, netlink_recv); + set_to_dummy_if_null(ops, ip_decode_options); +#ifdef CONFIG_SECURITY_NETWORK set_to_dummy_if_null(ops, ip_fragment); set_to_dummy_if_null(ops, ip_defragment); set_to_dummy_if_null(ops, ip_decapsulate); set_to_dummy_if_null(ops, ip_encapsulate); - set_to_dummy_if_null(ops, ip_decode_options); set_to_dummy_if_null(ops, netdev_unregister); set_to_dummy_if_null(ops, socket_create); set_to_dummy_if_null(ops, socket_post_create); @@ -1048,6 +1058,6 @@ set_to_dummy_if_null(ops, skb_set_owner_w); set_to_dummy_if_null(ops, skb_recv_datagram); set_to_dummy_if_null(ops, skb_free_security); - set_to_dummy_if_null(ops, d_instantiate); +#endif } Index: lsm-2.5/security/dte/dte.c =================================================================== RCS file: /home/pal/CVS/lsm-2.5/security/dte/dte.c,v retrieving revision 1.25 diff -u -r1.25 dte.c --- lsm-2.5/security/dte/dte.c 24 Jan 2003 20:32:50 -0000 1.25 +++ lsm-2.5/security/dte/dte.c 27 Jan 2003 16:13:45 -0000 
@@ -586,27 +586,6 @@ dte_secondary_ops->task_reparent_to_init(p); } -static void dte_ip_fragment (struct sk_buff *newskb, - const struct sk_buff *oldskb) -{ - return; -} - -static int dte_ip_defragment (struct sk_buff *skb) -{ - return 0; -} - -static void dte_ip_encapsulate (struct sk_buff *skb) -{ - return; -} - -static void dte_ip_decapsulate (struct sk_buff *skb) -{ - return; -} - static int dte_ip_decode_options (struct sk_buff *skb, const char *optptr, unsigned char **pp_ptr) { 
@@ -617,146 +596,6 @@ return 0; } -static void dte_netdev_unregister (struct net_device *dev) -{ - return; -} - -static int dte_socket_create (int family, int type, int protocol) -{ - return 0; -} - -static void dte_socket_post_create (struct socket *sock, int family, int type, - int protocol) -{ - return; -} - -static int dte_socket_bind (struct socket *sock, struct sockaddr *address, - int addrlen) -{ - return 0; -} - -static int dte_socket_connect (struct socket *sock, struct sockaddr *address, - int addrlen) -{ - return 0; -} - -static int dte_socket_listen (struct socket *sock, int backlog) -{ - return 0; -} - -static int dte_socket_accept (struct socket *sock, struct socket *newsock) -{ - return 0; -} - -static void dte_socket_post_accept (struct socket *sock, - struct socket *newsock) -{ - return; -} - -static int dte_socket_sendmsg (struct socket *sock, struct msghdr *msg, - int size) -{ - return 0; -} - -static int dte_socket_recvmsg (struct socket *sock, struct msghdr *msg, - int size, int flags) -{ - return 0; -} - -static int dte_socket_getsockname (struct socket *sock) -{ - return 0; -} - -static int dte_socket_getpeername (struct socket *sock) -{ - return 0; -} - -static int dte_socket_setsockopt (struct socket *sock, int level, int optname) -{ - return 0; -} - -static int dte_socket_getsockopt (struct socket *sock, int level, int optname) -{ - return 0; -} - -static int dte_socket_shutdown (struct socket *sock, int how) -{ - return 0; -} - -static int dte_socket_sock_alloc_security (struct sock *sk, int gfp_mask) -{ - return 0; -} - -static void dte_socket_sock_free_security (struct sock *sk) -{ - return; -} - -static int dte_sock_rcv_skb (struct sock *sk, struct sk_buff *skb) -{ - return 0; -} - -static int dte_open_request_alloc_security (struct open_request *req) -{ - return 0; -} - -static void dte_open_request_free_security (struct open_request *req) -{ - return; -} - -static void dte_tcp_connection_request (struct sock *sk, - struct sk_buff 
*skb, - struct open_request *req) -{ - return; -} - -static void dte_tcp_synack (struct sock *sk, struct sk_buff *skb, - struct open_request *req) -{ - return; -} - - -static void dte_tcp_create_openreq_child (struct sock *sk, - struct sock *newsk, - struct sk_buff *skb, - struct open_request *req) -{ - return; -} - -static int dte_socket_unix_stream_connect (struct socket *sock, - struct socket *other, - struct sock *newsk) -{ - return 0; -} - -static int dte_socket_unix_may_send (struct socket *sock, struct socket *other) -{ - return 0; -} - static int dte_ipc_permission (struct kern_ipc_perm *ipcp, short flag) { return 0; @@ -852,37 +691,6 @@ return 0; } -static int dte_skb_alloc_security (struct sk_buff *skb, int gfp_mask) -{ - return 0; -} - -static int dte_skb_clone (struct sk_buff *newskb, const struct sk_buff *oldskb) -{ - return 0; -} - -static void dte_skb_copy (struct sk_buff *newskb, const struct sk_buff *oldskb) -{ - return; -} - -static void dte_skb_set_owner_w (struct sk_buff *skb, struct sock *sk) -{ - return; -} - -static void dte_skb_recv_datagram (struct sk_buff *skb, struct sock *sk, - unsigned flags) -{ - return; -} - -static void dte_skb_free_security (struct sk_buff *skb) -{ - return; -} - static int dte_register (const char *name, struct security_operations *ops) { int rc; @@ -940,8 +748,6 @@ netlink_send: dte_netlink_send, netlink_recv: dte_netlink_recv, - unix_stream_connect: dte_socket_unix_stream_connect, - unix_may_send: dte_socket_unix_may_send, bprm_alloc_security: dte_binprm_alloc_security, bprm_free_security: dte_binprm_free_security, 
@@ -1024,43 +830,7 @@ task_kmod_set_label: dte_task_kmod_set_label, task_reparent_to_init: dte_task_reparent_to_init, - socket_create: dte_socket_create, - socket_post_create: dte_socket_post_create, - socket_bind: dte_socket_bind, - socket_connect: dte_socket_connect, - socket_listen: dte_socket_listen, - socket_accept: dte_socket_accept, - socket_post_accept: dte_socket_post_accept, - socket_sendmsg: dte_socket_sendmsg, - socket_recvmsg: dte_socket_recvmsg, - socket_getsockname: dte_socket_getsockname, - socket_getpeername: dte_socket_getpeername, - socket_getsockopt: dte_socket_getsockopt, - socket_setsockopt: dte_socket_setsockopt, - socket_shutdown: dte_socket_shutdown, - socket_sock_alloc_security: dte_socket_sock_alloc_security, - socket_sock_free_security: dte_socket_sock_free_security, - socket_sock_rcv_skb: dte_sock_rcv_skb, - open_request_alloc_security: dte_open_request_alloc_security, - open_request_free_security: dte_open_request_free_security, - tcp_connection_request: dte_tcp_connection_request, - tcp_synack: dte_tcp_synack, - tcp_create_openreq_child: dte_tcp_create_openreq_child, - - skb_alloc_security: dte_skb_alloc_security, - skb_clone: dte_skb_clone, - skb_copy: dte_skb_copy, - skb_set_owner_w: dte_skb_set_owner_w, - skb_recv_datagram: dte_skb_recv_datagram, - skb_free_security: dte_skb_free_security, - - ip_fragment: dte_ip_fragment, - ip_defragment: dte_ip_defragment, - ip_encapsulate: dte_ip_encapsulate, - ip_decapsulate: dte_ip_decapsulate, ip_decode_options: dte_ip_decode_options, - - netdev_unregister: dte_netdev_unregister, ipc_permission: dte_ipc_permission, Index: lsm-2.5/security/selinux/Kconfig =================================================================== RCS file: /home/pal/CVS/lsm-2.5/security/selinux/Kconfig,v retrieving revision 1.2 diff -u -r1.2 Kconfig --- lsm-2.5/security/selinux/Kconfig 3 Dec 2002 14:11:28 -0000 1.2 +++ lsm-2.5/security/selinux/Kconfig 27 Jan 2003 15:38:16 -0000 
@@ -33,7 +33,7 @@ config SECURITY_SELINUX_EXTSOCKET bool "NSA SELinux extended socket call API (EXPERIMENTAL)" - depends on SECURITY_SELINUX && EXPERIMENTAL + depends on SECURITY_SELINUX && SECURITY_NETWORK && EXPERIMENTAL default n help This enables the NSA SELinux extended socket call API. @@ -45,7 +45,7 @@ config SECURITY_SELINUX_NSID bool "NSA SELinux network SID API (EXPERIMENTAL)" - depends on SECURITY_SELINUX && NETFILTER && EXPERIMENTAL + depends on SECURITY_SELINUX && SECURITY_NETWORK && NETFILTER && EXPERIMENTAL default n help This enables the NSA SELinux network SID API. @@ -55,7 +55,7 @@ config SECURITY_SELINUX_SELOPT tristate "NSA SELinux CIPSO/FIPS-188 (EXPERIMENTAL)" - depends on SECURITY_SELINUX_NSID && NETFILTER && EXPERIMENTAL + depends on SECURITY_SELINUX_NSID && EXPERIMENTAL default n help This enables the NSA SELinux CIPSO/FIPS-188 IP options for Index: lsm-2.5/security/selinux/extsocket.h =================================================================== RCS file: /home/pal/CVS/lsm-2.5/security/selinux/extsocket.h,v retrieving revision 1.9 diff -u -r1.9 extsocket.h --- lsm-2.5/security/selinux/extsocket.h 21 Jan 2003 20:32:30 -0000 1.9 +++ lsm-2.5/security/selinux/extsocket.h 27 Jan 2003 16:05:21 -0000 @@ -33,7 +33,7 @@ static spinlock_t open_request_alloc_lock = SPIN_LOCK_UNLOCKED; -static int extsocket_open_request_alloc_security(struct open_request *req) +static inline int extsocket_open_request_alloc_security(struct open_request *req) { struct open_request_security_struct *orsec, *new_orsec; unsigned long flags; @@ -62,7 +62,7 @@ return 0; } -static void extsocket_open_request_free_security(struct open_request *req) +static inline void extsocket_open_request_free_security(struct open_request *req) { struct open_request_security_struct *orsec; unsigned long flags; 
@@ -673,12 +673,12 @@ #else -static int extsocket_open_request_alloc_security(struct open_request *req) +static inline int extsocket_open_request_alloc_security(struct open_request *req) { return 0; } -static void extsocket_open_request_free_security(struct open_request *req) +static inline void extsocket_open_request_free_security(struct open_request *req) { return; } Index: lsm-2.5/security/selinux/hooks.c =================================================================== RCS file: /home/pal/CVS/lsm-2.5/security/selinux/hooks.c,v retrieving revision 1.92 diff -u -r1.92 hooks.c --- lsm-2.5/security/selinux/hooks.c 24 Jan 2003 20:32:51 -0000 1.92 +++ lsm-2.5/security/selinux/hooks.c 27 Jan 2003 16:42:58 -0000 @@ -148,6 +148,8 @@ kfree(tsec); } +#ifdef CONFIG_SECURITY_NETWORK + /* * Functions used to allocate/free sock security structures. */ @@ -198,6 +200,8 @@ kfree(sksec); } +#endif + static spinlock_t inode_alloc_lock = SPIN_LOCK_UNLOCKED; static int inode_alloc_security(struct inode *inode) @@ -349,6 +353,8 @@ kfree(sbsec); } +#ifdef CONFIG_SECURITY_NETWORK + static spinlock_t skb_alloc_lock = SPIN_LOCK_UNLOCKED; static int skb_alloc_security(struct sk_buff *skb, int gfp_mask) @@ -445,6 +451,8 @@ kfree(nsec); } +#endif + /* The security server must be initialized before any labeling or access decisions can be provided. */ extern int ss_initialized; @@ -770,6 +778,8 @@ return 0; } +#ifdef CONFIG_SECURITY_NETWORK + /* The network interface security attributes must be initialized before * first use. */ int netdev_precondition(struct net_device *dev) @@ -795,6 +805,8 @@ return 1; } +#endif + /* Convert a Linux signal to an access vector. */ static inline access_vector_t signal_to_av(int sig) { 
@@ -1312,36 +1324,6 @@ /* assorted security operations (mostly syscall interposition) */ -static int selinux_sethostname(char *hostname) -{ - /* Controlled via the capable hook - CAP_SYS_ADMIN */ - return 0; -} - -static int selinux_setdomainname(char *domainname) -{ - /* Controlled via the capable hook - CAP_SYS_ADMIN */ - return 0; -} - -static int selinux_reboot(unsigned int cmd) -{ - /* Controlled via the capable hook - CAP_SYS_BOOT */ - return 0; -} - -static int selinux_ioperm(unsigned long from, unsigned long num, int turn_on) -{ - /* Controlled via the capable hook - CAP_SYS_RAWIO */ - return 0; -} - -static int selinux_iopl(unsigned int old, unsigned int level) -{ - /* Controlled via the capable hook - CAP_SYS_RAWIO */ - return 0; -} - static int selinux_ptrace(struct task_struct *parent, struct task_struct *child) { int rc; @@ -1386,12 +1368,6 @@ return secondary_ops->capset_set(target, effective, inheritable, permitted); } -static int selinux_acct(struct file *file) -{ - /* Controlled via the capable hook - CAP_SYS_PACCT */ - return 0; -} - static int selinux_capable(struct task_struct *tsk, int cap) { int rc; @@ -1548,11 +1524,6 @@ return rc; } -static int selinux_settime (struct timeval *tv, struct timezone *tz) -{ - return 0; -} - static int selinux_netlink_send(struct sk_buff *skb) { if (capable(CAP_NET_ADMIN)) @@ -2482,6 +2453,8 @@ return; } +#ifdef CONFIG_SECURITY_NETWORK + static void skb_copy_security(struct skb_security_struct *new, struct skb_security_struct *old) { @@ -3111,6 +3084,7 @@ static int selinux_socket_sock_alloc_security(struct sock *sk, int gfp_mask) { + sk->security = NULL; return sock_alloc_security(sk, gfp_mask); } @@ -3226,6 +3200,7 @@ static int selinux_open_request_alloc_security(struct open_request *req) { + req->security = NULL; return extsocket_open_request_alloc_security(req); } 
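Review bot: Dropping selinux_sethostname, selinux_setdomainname, selinux_reboot, selinux_ioperm and selinux_iopl in this hunk, and selinux_acct and selinux_settime in the two hunks that follow, changes what SELinux enforces for those operations: once the entries are gone from selinux_ops, set_to_dummy_if_null (visible in the dummy.c hunks) installs dummy.c's versions, so whatever checks dummy.c applies there now run for SELinux where the removed functions unconditionally returned 0. For the five carrying a "Controlled via the capable hook" comment that is presumably equivalent, assuming dummy's checks route through capable(), but selinux_settime had no such note and dummy_settime is not shown here. The patch description does not mention this removal; a comment near selinux_ops such as `/* sethostname ... settime are deliberately unset: the dummy capability checks apply */` would make the intent auditable.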
@@ -3334,6 +3309,8 @@ return extsocket_unix_may_send(isec, other_isec, &ad); } +#endif + static spinlock_t ipc_alloc_lock = SPIN_LOCK_UNLOCKED; static int ipc_alloc_security(struct task_struct *task, @@ -3889,6 +3866,8 @@ return ipc_has_perm(ipcp, sclass, av); } +#ifdef CONFIG_SECURITY_NETWORK + static int selinux_skb_alloc_security(struct sk_buff *skb, int gfp_mask) { return skb_alloc_security(skb, gfp_mask); @@ -3977,6 +3956,8 @@ skb_free_security(skb); } +#endif + /* module stacking operations */ int selinux_register_security (const char *name, struct security_operations *ops) { @@ -4013,16 +3994,10 @@ } struct security_operations selinux_ops = { - sethostname: selinux_sethostname, - setdomainname: selinux_setdomainname, - reboot: selinux_reboot, - ioperm: selinux_ioperm, - iopl: selinux_iopl, ptrace: selinux_ptrace, capget: selinux_capget, capset_check: selinux_capset_check, capset_set: selinux_capset_set, - acct: selinux_acct, sysctl: selinux_sysctl, capable: selinux_capable, swapon: selinux_swapon, @@ -4030,12 +4005,9 @@ quotactl: selinux_quotactl, quota_on: selinux_quota_on, syslog: selinux_syslog, - settime: selinux_settime, netlink_send: selinux_netlink_send, netlink_recv: selinux_netlink_recv, - unix_stream_connect: selinux_socket_unix_stream_connect, - unix_may_send: selinux_socket_unix_may_send, bprm_alloc_security: selinux_bprm_alloc_security, bprm_free_security: selinux_bprm_free_security, 
@@ -4118,6 +4090,39 @@ task_kmod_set_label: selinux_task_kmod_set_label, task_reparent_to_init: selinux_task_reparent_to_init, + ipc_permission: selinux_ipc_permission, + + msg_msg_alloc_security: selinux_msg_msg_alloc_security, + msg_msg_free_security: selinux_msg_msg_free_security, + + msg_queue_alloc_security: selinux_msg_queue_alloc_security, + msg_queue_free_security: selinux_msg_queue_free_security, + msg_queue_associate: selinux_msg_queue_associate, + msg_queue_msgctl: selinux_msg_queue_msgctl, + msg_queue_msgsnd: selinux_msg_queue_msgsnd, + msg_queue_msgrcv: selinux_msg_queue_msgrcv, + + shm_alloc_security: selinux_shm_alloc_security, + shm_free_security: selinux_shm_free_security, + shm_associate: selinux_shm_associate, + shm_shmctl: selinux_shm_shmctl, + shm_shmat: selinux_shm_shmat, + + sem_alloc_security: selinux_sem_alloc_security, + sem_free_security: selinux_sem_free_security, + sem_associate: selinux_sem_associate, + sem_semctl: selinux_sem_semctl, + sem_semop: selinux_sem_semop, + + register_security: &selinux_register_security, + unregister_security: &selinux_unregister_security, + + d_instantiate: selinux_d_instantiate, + +#ifdef CONFIG_SECURITY_NETWORK + unix_stream_connect: selinux_socket_unix_stream_connect, + unix_may_send: selinux_socket_unix_may_send, + socket_create: selinux_socket_create, socket_post_create: selinux_socket_post_create, socket_bind: selinux_socket_bind, 
@@ -4155,35 +4160,8 @@ ip_decode_options: selinux_ip_decode_options, netdev_unregister: selinux_netdev_unregister, - - ipc_permission: selinux_ipc_permission, - - msg_msg_alloc_security: selinux_msg_msg_alloc_security, - msg_msg_free_security: selinux_msg_msg_free_security, - - msg_queue_alloc_security: selinux_msg_queue_alloc_security, - msg_queue_free_security: selinux_msg_queue_free_security, - msg_queue_associate: selinux_msg_queue_associate, - msg_queue_msgctl: selinux_msg_queue_msgctl, - msg_queue_msgsnd: selinux_msg_queue_msgsnd, - msg_queue_msgrcv: selinux_msg_queue_msgrcv, - - shm_alloc_security: selinux_shm_alloc_security, - shm_free_security: selinux_shm_free_security, - shm_associate: selinux_shm_associate, - shm_shmctl: selinux_shm_shmctl, - shm_shmat: selinux_shm_shmat, - - sem_alloc_security: selinux_sem_alloc_security, - sem_free_security: selinux_sem_free_security, - sem_associate: selinux_sem_associate, - sem_semctl: selinux_sem_semctl, - sem_semop: selinux_sem_semop, - - register_security: &selinux_register_security, - unregister_security: &selinux_unregister_security, - d_instantiate: selinux_d_instantiate, +#endif }; extern long sys_security_selinux(struct pt_regs regs); @@ -4250,7 +4228,7 @@ __initcall(selinux_init); #endif -#ifdef CONFIG_NETFILTER +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER) #define NF_IP_PRI_SELINUX_FIRST (NF_IP_PRI_CONNTRACK + 5) #define NF_IP_PRI_SELINUX_LAST -NF_IP_PRI_SELINUX_FIRST _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
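Review bot: `ip_decode_options: selinux_ip_decode_options,` ends up inside the `#ifdef CONFIG_SECURITY_NETWORK` block of selinux_ops (it sits between the socket hooks and the new `#endif`), whereas the description and the dummy.c hunk keep ip_decode_options outside the option (`set_to_dummy_if_null(ops, ip_decode_options)` is placed above the `#ifdef` there). With SECURITY_NETWORK=n SELinux would therefore silently fall back to dummy_ip_decode_options' CAP_NET_RAW check. If selinux_ip_decode_options is compiled in either way (its definition is outside this hunk), move that initializer above the `#ifdef`; if it is intentionally compiled out, say so in the description.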