[patch] CONFIG_SECURITY_NETWORK

From: Stephen D. Smalley (sdsat_private)
Date: Mon Jan 27 2003 - 09:49:56 PST


    The attached patch for lsm-2.5 adds a CONFIG_SECURITY_NETWORK option
    for the socket and networking security fields and hooks.  At present,
    it excludes the netlink hooks and the ip_decode_options hook, since
    the capabilities module uses those hooks to implement capability tests
    migrated from the base kernel.  It rearranges the security_ops structure
    to move the optional socket and networking hooks to the end of the structure.
    
    The patch moves the 'security = NULL' initializations for the sock and
    open request structures into the corresponding alloc_security hooks
    since those initializations are colocated with the allocation.  In the
    sk_buff case, the patch simply #ifdef's the initialization, since other
    similar #ifdef'd initializations exist in skb_headerinit.  If desired,
    we could define a static inline function for that purpose, but it
    didn't seem to be necessary.
    
    The patch updates SELinux appropriately so that its socket and
    networking functionality (including the NetFilter-based hooks) is
    omitted if the option is not enabled.  The patch simply removes the
    socket and networking hooks from DTE since it is not really using them
    anyway.
    
    Comments?
    
    --
    Stephen Smalley, NSA
    sdsat_private
    
    
    Index: lsm-2.5/include/linux/netdevice.h
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/include/linux/netdevice.h,v
    retrieving revision 1.12
    diff -u -r1.12 netdevice.h
    --- lsm-2.5/include/linux/netdevice.h	17 Jan 2003 15:22:45 -0000	1.12
    +++ lsm-2.5/include/linux/netdevice.h	27 Jan 2003 14:31:38 -0000
    @@ -442,7 +442,9 @@
     
     	/* generic object representation */
     	struct kobject kobj;
    +#ifdef CONFIG_SECURITY_NETWORK
     	void			*security;
    +#endif
     };
     
     
    Index: lsm-2.5/include/linux/security.h
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/include/linux/security.h,v
    retrieving revision 1.35
    diff -u -r1.35 security.h
    --- lsm-2.5/include/linux/security.h	24 Jan 2003 20:32:48 -0000	1.35
    +++ lsm-2.5/include/linux/security.h	27 Jan 2003 15:59:14 -0000
    @@ -1178,10 +1178,8 @@
     
     	int (*netlink_send) (struct sk_buff * skb);
     	int (*netlink_recv) (struct sk_buff * skb);
    -
    -	int (*unix_stream_connect) (struct socket * sock,
    -				    struct socket * other, struct sock * newsk);
    -	int (*unix_may_send) (struct socket * sock, struct socket * other);
    +	int (*ip_decode_options) (struct sk_buff * skb,
    +				  const char *optptr, unsigned char **pp_ptr);
     
     	int (*bprm_alloc_security) (struct linux_binprm * bprm);
     	void (*bprm_free_security) (struct linux_binprm * bprm);
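Review bot: The relocated ip_decode_options member now sits in the unconditional part of struct security_operations with nothing saying why it is exempt from CONFIG_SECURITY_NETWORK, while every other sk_buff-taking hook moves under the option; a maintainer adding the next networking hook will not know which group it belongs in. The reason is only in the patch description (the capabilities module uses it for tests migrated from the base kernel), so record it at the declaration: `/* kept outside CONFIG_SECURITY_NETWORK: used by the capabilities module */` above the `int (*ip_decode_options)` line. The same applies to the netlink_send/netlink_recv pair just above it, which could share the comment. The struct definition starts and ends outside this hunk.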
    @@ -1294,6 +1292,49 @@
     	void (*task_kmod_set_label) (void);
     	void (*task_reparent_to_init) (struct task_struct * p);
     
    +	int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
    +
    +	int (*msg_msg_alloc_security) (struct msg_msg * msg);
    +	void (*msg_msg_free_security) (struct msg_msg * msg);
    +
    +	int (*msg_queue_alloc_security) (struct msg_queue * msq);
    +	void (*msg_queue_free_security) (struct msg_queue * msq);
    +	int (*msg_queue_associate) (struct msg_queue * msq, int msqflg);
    +	int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd);
    +	int (*msg_queue_msgsnd) (struct msg_queue * msq,
    +				 struct msg_msg * msg, int msqflg);
    +	int (*msg_queue_msgrcv) (struct msg_queue * msq,
    +				 struct msg_msg * msg,
    +				 struct task_struct * target,
    +				 long type, int mode);
    +
    +	int (*shm_alloc_security) (struct shmid_kernel * shp);
    +	void (*shm_free_security) (struct shmid_kernel * shp);
    +	int (*shm_associate) (struct shmid_kernel * shp, int shmflg);
    +	int (*shm_shmctl) (struct shmid_kernel * shp, int cmd);
    +	int (*shm_shmat) (struct shmid_kernel * shp, 
    +			  char *shmaddr, int shmflg);
    +
    +	int (*sem_alloc_security) (struct sem_array * sma);
    +	void (*sem_free_security) (struct sem_array * sma);
    +	int (*sem_associate) (struct sem_array * sma, int semflg);
    +	int (*sem_semctl) (struct sem_array * sma, int cmd);
    +	int (*sem_semop) (struct sem_array * sma, 
    +			  struct sembuf * sops, unsigned nsops, int alter);
    +
    +	/* allow module stacking */
    +	int (*register_security) (const char *name,
    +	                          struct security_operations *ops);
    +	int (*unregister_security) (const char *name,
    +	                            struct security_operations *ops);
    +
    +	void (*d_instantiate) (struct dentry * dentry, struct inode * inode);
    +
    +#ifdef CONFIG_SECURITY_NETWORK
    +	int (*unix_stream_connect) (struct socket * sock,
    +				    struct socket * other, struct sock * newsk);
    +	int (*unix_may_send) (struct socket * sock, struct socket * other);
    +
     	int (*socket_create) (int family, int type, int protocol);
     	void (*socket_post_create) (struct socket * sock, int family,
     				    int type, int protocol);
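Review bot: The `#ifdef CONFIG_SECURITY_NETWORK` that opens here carries no comment, and its matching `#endif` in the next hunk (after netdev_unregister) has none either, even though the file already labels the other big conditional as `#endif	/* CONFIG_SECURITY */`; with roughly forty members between them the reader cannot see at the `#endif` which condition is being closed. Suggest `#ifdef CONFIG_SECURITY_NETWORK	/* socket and networking hooks, optional */` here and `#endif	/* CONFIG_SECURITY_NETWORK */` at the close. As a secondary point, moving the IPC, stacking and d_instantiate members ahead of the socket hooks changes the struct layout for any module that fills security_operations positionally rather than with designated initializers; if out-of-tree modules are a concern, a line in the commit text noting the layout change would help them. The struct definition starts and ends outside this hunk.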
    @@ -1342,48 +1383,9 @@
     	int (*ip_defragment) (struct sk_buff * skb);
     	void (*ip_encapsulate) (struct sk_buff * skb);
     	void (*ip_decapsulate) (struct sk_buff * skb);
    -	int (*ip_decode_options) (struct sk_buff * skb,
    -				  const char *optptr, unsigned char **pp_ptr);
     
     	void (*netdev_unregister) (struct net_device * dev);
    -
    -	int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
    -
    -	int (*msg_msg_alloc_security) (struct msg_msg * msg);
    -	void (*msg_msg_free_security) (struct msg_msg * msg);
    -
    -	int (*msg_queue_alloc_security) (struct msg_queue * msq);
    -	void (*msg_queue_free_security) (struct msg_queue * msq);
    -	int (*msg_queue_associate) (struct msg_queue * msq, int msqflg);
    -	int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd);
    -	int (*msg_queue_msgsnd) (struct msg_queue * msq,
    -				 struct msg_msg * msg, int msqflg);
    -	int (*msg_queue_msgrcv) (struct msg_queue * msq,
    -				 struct msg_msg * msg,
    -				 struct task_struct * target,
    -				 long type, int mode);
    -
    -	int (*shm_alloc_security) (struct shmid_kernel * shp);
    -	void (*shm_free_security) (struct shmid_kernel * shp);
    -	int (*shm_associate) (struct shmid_kernel * shp, int shmflg);
    -	int (*shm_shmctl) (struct shmid_kernel * shp, int cmd);
    -	int (*shm_shmat) (struct shmid_kernel * shp, 
    -			  char *shmaddr, int shmflg);
    -
    -	int (*sem_alloc_security) (struct sem_array * sma);
    -	void (*sem_free_security) (struct sem_array * sma);
    -	int (*sem_associate) (struct sem_array * sma, int semflg);
    -	int (*sem_semctl) (struct sem_array * sma, int cmd);
    -	int (*sem_semop) (struct sem_array * sma, 
    -			  struct sembuf * sops, unsigned nsops, int alter);
    -
    -	/* allow module stacking */
    -	int (*register_security) (const char *name,
    -	                          struct security_operations *ops);
    -	int (*unregister_security) (const char *name,
    -	                            struct security_operations *ops);
    -
    -	void (*d_instantiate) (struct dentry * dentry, struct inode * inode);
    +#endif
     };
     
     /* global variables */
    @@ -1500,19 +1502,11 @@
     	return security_ops->netlink_recv(skb);
     }
     
    -
    -static inline int security_unix_stream_connect(struct socket * sock,
    -					       struct socket * other, 
    -					       struct sock * newsk)
    -{
    -	return security_ops->unix_stream_connect(sock, other, newsk);
    -}
    -
    -
    -static inline int security_unix_may_send(struct socket * sock, 
    -					 struct socket * other)
    +static inline int security_ip_decode_options(struct sk_buff * skb, 
    +					     const char *optptr, 
    +					     unsigned char **pp_ptr)
     {
    -	return security_ops->unix_may_send(sock, other);
    +	return security_ops->ip_decode_options(skb, optptr, pp_ptr);
     }
     
     static inline int security_bprm_alloc (struct linux_binprm *bprm)
    @@ -1949,356 +1943,156 @@
     	security_ops->task_reparent_to_init (p);
     }
     
    -static inline int security_socket_create (int family, int type, int protocol)
    +static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
    +					   short flag)
     {
    -	return security_ops->socket_create(family, type, protocol);
    +	return security_ops->ipc_permission (ipcp, flag);
     }
     
    -static inline void security_socket_post_create(struct socket * sock, 
    -					       int family,
    -					       int type, 
    -					       int protocol)
    +static inline int security_msg_msg_alloc (struct msg_msg * msg)
     {
    -	security_ops->socket_post_create(sock, family, type, protocol);
    +	return security_ops->msg_msg_alloc_security (msg);
     }
     
    -static inline int security_socket_bind(struct socket * sock, 
    -				       struct sockaddr * address, 
    -				       int addrlen)
    +static inline void security_msg_msg_free (struct msg_msg * msg)
     {
    -	return security_ops->socket_bind(sock, address, addrlen);
    +	security_ops->msg_msg_free_security(msg);
     }
     
    -static inline int security_socket_connect(struct socket * sock, 
    -					  struct sockaddr * address, 
    -					  int addrlen)
    +static inline int security_msg_queue_alloc (struct msg_queue *msq)
     {
    -	return security_ops->socket_connect(sock, address, addrlen);
    +	return security_ops->msg_queue_alloc_security (msq);
     }
     
    -static inline int security_socket_listen(struct socket * sock, int backlog)
    +static inline void security_msg_queue_free (struct msg_queue *msq)
     {
    -	return security_ops->socket_listen(sock, backlog);
    +	security_ops->msg_queue_free_security (msq);
     }
     
    -static inline int security_socket_accept(struct socket * sock, 
    -					 struct socket * newsock)
    +static inline int security_msg_queue_associate (struct msg_queue * msq, 
    +						int msqflg)
     {
    -	return security_ops->socket_accept(sock, newsock);
    +	return security_ops->msg_queue_associate (msq, msqflg);
     }
     
    -static inline void security_socket_post_accept(struct socket * sock, 
    -					       struct socket * newsock)
    +static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
     {
    -	security_ops->socket_post_accept(sock, newsock);
    +	return security_ops->msg_queue_msgctl (msq, cmd);
     }
     
    -static inline int security_socket_sendmsg(struct socket * sock, 
    -					  struct msghdr * msg, int size)
    +static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
    +					     struct msg_msg * msg, int msqflg)
     {
    -	return security_ops->socket_sendmsg(sock, msg, size);
    +	return security_ops->msg_queue_msgsnd (msq, msg, msqflg);
     }
     
    -static inline int security_socket_recvmsg(struct socket * sock, 
    -					  struct msghdr * msg, int size, 
    -					  int flags)
    +static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
    +					     struct msg_msg * msg,
    +					     struct task_struct * target,
    +					     long type, int mode)
     {
    -	return security_ops->socket_recvmsg(sock, msg, size, flags);
    +	return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode);
     }
     
    -static inline int security_socket_getsockname(struct socket * sock)
    +static inline int security_shm_alloc (struct shmid_kernel *shp)
     {
    -	return security_ops->socket_getsockname(sock);
    +	return security_ops->shm_alloc_security (shp);
     }
     
    -static inline int security_socket_getpeername(struct socket * sock)
    +static inline void security_shm_free (struct shmid_kernel *shp)
     {
    -	return security_ops->socket_getpeername(sock);
    +	security_ops->shm_free_security (shp);
     }
     
    -static inline int security_socket_getsockopt(struct socket * sock, 
    -					     int level, int optname)
    +static inline int security_shm_associate (struct shmid_kernel * shp, 
    +					  int shmflg)
     {
    -	return security_ops->socket_getsockopt(sock, level, optname);
    +	return security_ops->shm_associate(shp, shmflg);
     }
     
    -static inline int security_socket_setsockopt(struct socket * sock, 
    -					     int level, int optname)
    +static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
     {
    -	return security_ops->socket_setsockopt(sock, level, optname);
    +	return security_ops->shm_shmctl (shp, cmd);
     }
     
    -static inline int security_socket_shutdown(struct socket * sock, int how)
    +static inline int security_shm_shmat (struct shmid_kernel * shp, 
    +				      char *shmaddr, int shmflg)
     {
    -	return security_ops->socket_shutdown(sock, how);
    +	return security_ops->shm_shmat(shp, shmaddr, shmflg);
     }
     
    -static inline int security_sock_alloc(struct sock * sk, 
    -				      int gfp_mask)
    +static inline int security_sem_alloc (struct sem_array *sma)
     {
    -	return security_ops->socket_sock_alloc_security(sk, gfp_mask);
    +	return security_ops->sem_alloc_security (sma);
     }
     
    -static inline void security_sock_free(struct sock * sk)
    +static inline void security_sem_free (struct sem_array *sma)
     {
    -	security_ops->socket_sock_free_security(sk);
    +	security_ops->sem_free_security (sma);
     }
     
    -static inline int security_sock_rcv_skb (struct sock * sk, 
    -					 struct sk_buff * skb)
    +static inline int security_sem_associate (struct sem_array * sma, int semflg)
     {
    -	return security_ops->socket_sock_rcv_skb (sk, skb);
    +	return security_ops->sem_associate (sma, semflg);
     }
     
    -static inline int security_open_request_alloc (struct open_request * req)
    +static inline int security_sem_semctl (struct sem_array * sma, int cmd)
     {
    -	return security_ops->open_request_alloc_security (req);
    +	return security_ops->sem_semctl(sma, cmd);
     }
     
    -static inline void security_open_request_free (struct open_request * req)
    +static inline int security_sem_semop (struct sem_array * sma, 
    +				      struct sembuf * sops, unsigned nsops, 
    +				      int alter)
     {
    -	security_ops->open_request_free_security (req);
    +	return security_ops->sem_semop(sma, sops, nsops, alter);
     }
     
    -static inline void security_tcp_connection_request(struct sock * sk, 
    -						   struct sk_buff * skb,
    -						   struct open_request * req)
    +static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
     {
    -	security_ops->tcp_connection_request(sk, skb, req);
    +	security_ops->d_instantiate (dentry, inode);
     }
     
    -static inline void security_tcp_synack(struct sock * sk, 
    -				       struct sk_buff * skb, 
    -				       struct open_request * req)
    +/* prototypes */
    +extern int security_scaffolding_startup	(void);
    +extern int register_security	(struct security_operations *ops);
    +extern int unregister_security	(struct security_operations *ops);
    +extern int mod_reg_security	(const char *name, struct security_operations *ops);
    +extern int mod_unreg_security	(const char *name, struct security_operations *ops);
    +
    +#else /* CONFIG_SECURITY */
    +
    +/*
    + * This is the default capabilities functionality.  Most of these functions
    + * are just stubbed out, but a few must call the proper capable code.
    + */
    +
    +static inline int security_scaffolding_startup (void)
     {
    -	security_ops->tcp_synack(sk, skb, req);
    +	return 0;
     }
     
    -static inline void security_tcp_create_openreq_child(struct sock * sk, 
    -						     struct sock * newsk, 
    -						     struct sk_buff * skb, 
    -						     struct open_request * req)
    +static inline int security_sethostname (char *hostname)
     {
    -	security_ops->tcp_create_openreq_child(sk, newsk, skb, req);
    +	return 0;
     }
     
    -static inline int security_skb_alloc(struct sk_buff * skb, int gfp_mask)
    +static inline int security_setdomainname (char *domainname)
     {
    -	return security_ops->skb_alloc_security(skb, gfp_mask);
    +	return 0;
     }
     
    -static inline int security_skb_clone(struct sk_buff * newskb, 
    -				     const struct sk_buff * oldskb)
    +static inline int security_reboot (unsigned int cmd)
     {
    -	return security_ops->skb_clone(newskb, oldskb);
    +	return 0;
     }
     
    -static inline void security_skb_copy(struct sk_buff * newskb, 
    -				     const struct sk_buff * oldskb)
    +static inline int security_ioperm (unsigned long from, unsigned long num, int turn_on)
     {
    -	security_ops->skb_copy(newskb, oldskb);
    +	return 0;
     }
     
    -static inline void security_skb_set_owner_w (struct sk_buff * skb, 
    -					     struct sock * sk)
    -{
    -	security_ops->skb_set_owner_w (skb, sk);
    -}
    -
    -static inline void security_skb_recv_datagram(struct sk_buff * skb, 
    -					      struct sock * sk, unsigned flags)
    -{
    -	security_ops->skb_recv_datagram(skb, sk, flags);
    -}
    -
    -static inline void security_skb_free(struct sk_buff * skb)
    -{
    -	security_ops->skb_free_security(skb);
    -}
    -
    -static inline void security_ip_fragment(struct sk_buff * newskb, 
    -					const struct sk_buff * oldskb)
    -{
    -	security_ops->ip_fragment(newskb, oldskb);
    -}
    -
    -static inline int security_ip_defragment(struct sk_buff * skb)
    -{
    -	return security_ops->ip_defragment(skb);
    -}
    -
    -static inline void security_ip_encapsulate(struct sk_buff * skb)
    -{
    -	security_ops->ip_encapsulate(skb);
    -}
    -
    -static inline void security_ip_decapsulate(struct sk_buff * skb)
    -{
    -	security_ops->ip_decapsulate(skb);
    -}
    -
    -static inline int security_ip_decode_options(struct sk_buff * skb, 
    -					     const char *optptr, 
    -					     unsigned char **pp_ptr)
    -{
    -	return security_ops->ip_decode_options(skb, optptr, pp_ptr);
    -}
    -
    -static inline void security_netdev_unregister(struct net_device * dev)
    -{
    -	security_ops->netdev_unregister(dev);
    -}
    -
    -static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
    -					   short flag)
    -{
    -	return security_ops->ipc_permission (ipcp, flag);
    -}
    -
    -static inline int security_msg_msg_alloc (struct msg_msg * msg)
    -{
    -	return security_ops->msg_msg_alloc_security (msg);
    -}
    -
    -static inline void security_msg_msg_free (struct msg_msg * msg)
    -{
    -	security_ops->msg_msg_free_security(msg);
    -}
    -
    -static inline int security_msg_queue_alloc (struct msg_queue *msq)
    -{
    -	return security_ops->msg_queue_alloc_security (msq);
    -}
    -
    -static inline void security_msg_queue_free (struct msg_queue *msq)
    -{
    -	security_ops->msg_queue_free_security (msq);
    -}
    -
    -static inline int security_msg_queue_associate (struct msg_queue * msq, 
    -						int msqflg)
    -{
    -	return security_ops->msg_queue_associate (msq, msqflg);
    -}
    -
    -static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
    -{
    -	return security_ops->msg_queue_msgctl (msq, cmd);
    -}
    -
    -static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
    -					     struct msg_msg * msg, int msqflg)
    -{
    -	return security_ops->msg_queue_msgsnd (msq, msg, msqflg);
    -}
    -
    -static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
    -					     struct msg_msg * msg,
    -					     struct task_struct * target,
    -					     long type, int mode)
    -{
    -	return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode);
    -}
    -
    -static inline int security_shm_alloc (struct shmid_kernel *shp)
    -{
    -	return security_ops->shm_alloc_security (shp);
    -}
    -
    -static inline void security_shm_free (struct shmid_kernel *shp)
    -{
    -	security_ops->shm_free_security (shp);
    -}
    -
    -static inline int security_shm_associate (struct shmid_kernel * shp, 
    -					  int shmflg)
    -{
    -	return security_ops->shm_associate(shp, shmflg);
    -}
    -
    -static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
    -{
    -	return security_ops->shm_shmctl (shp, cmd);
    -}
    -
    -static inline int security_shm_shmat (struct shmid_kernel * shp, 
    -				      char *shmaddr, int shmflg)
    -{
    -	return security_ops->shm_shmat(shp, shmaddr, shmflg);
    -}
    -
    -static inline int security_sem_alloc (struct sem_array *sma)
    -{
    -	return security_ops->sem_alloc_security (sma);
    -}
    -
    -static inline void security_sem_free (struct sem_array *sma)
    -{
    -	security_ops->sem_free_security (sma);
    -}
    -
    -static inline int security_sem_associate (struct sem_array * sma, int semflg)
    -{
    -	return security_ops->sem_associate (sma, semflg);
    -}
    -
    -static inline int security_sem_semctl (struct sem_array * sma, int cmd)
    -{
    -	return security_ops->sem_semctl(sma, cmd);
    -}
    -
    -static inline int security_sem_semop (struct sem_array * sma, 
    -				      struct sembuf * sops, unsigned nsops, 
    -				      int alter)
    -{
    -	return security_ops->sem_semop(sma, sops, nsops, alter);
    -}
    -
    -static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
    -{
    -	security_ops->d_instantiate (dentry, inode);
    -}
    -
    -/* prototypes */
    -extern int security_scaffolding_startup	(void);
    -extern int register_security	(struct security_operations *ops);
    -extern int unregister_security	(struct security_operations *ops);
    -extern int mod_reg_security	(const char *name, struct security_operations *ops);
    -extern int mod_unreg_security	(const char *name, struct security_operations *ops);
    -
    -#else /* CONFIG_SECURITY */
    -
    -/*
    - * This is the default capabilities functionality.  Most of these functions
    - * are just stubbed out, but a few must call the proper capable code.
    - */
    -
    -static inline int security_scaffolding_startup (void)
    -{
    -	return 0;
    -}
    -
    -static inline int security_sethostname (char *hostname)
    -{
    -	return 0;
    -}
    -
    -static inline int security_setdomainname (char *domainname)
    -{
    -	return 0;
    -}
    -
    -static inline int security_reboot (unsigned int cmd)
    -{
    -	return 0;
    -}
    -
    -static inline int security_ioperm (unsigned long from, unsigned long num, int turn_on)
    -{
    -	return 0;
    -}
    -
    -static inline int security_iopl (unsigned int old, unsigned int level)
    +static inline int security_iopl (unsigned int old, unsigned int level)
     {
     	return 0;
     }
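Review bot: The relocated wrappers in this hunk mix two call styles, `security_ops->shm_associate(shp, shmflg)` next to `security_ops->shm_shmctl (shp, cmd)` and `security_ops->sem_semctl(sma, cmd)` next to `security_ops->sem_associate (sma, semflg)`; since the block is being moved wholesale anyway, this is the cheapest moment to settle on one spacing so later diffs against these lines stay clean. The inconsistency appears to be pre-existing, carried over from the removed lines, so it is a style point rather than a defect. The enclosing `#ifdef CONFIG_SECURITY` opens before this hunk, and its `#else /* CONFIG_SECURITY */` branch that begins here continues past the hunk.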
    @@ -2388,17 +2182,11 @@
     	return cap_netlink_recv(skb);
     }
     
    -static inline int security_unix_stream_connect(struct socket * sock,
    -					       struct socket * other, 
    -					       struct sock * newsk)
    -{
    -	return 0;
    -}
    -
    -static inline int security_unix_may_send(struct socket * sock, 
    -					 struct socket * other)
    +static inline int security_ip_decode_options(struct sk_buff * skb, 
    +					     const char *optptr, 
    +					     unsigned char **pp_ptr)
     {
    -	return 0;
    +	return cap_ip_decode_options(skb,optptr,pp_ptr);
     }
     
     static inline int security_bprm_alloc (struct linux_binprm *bprm)
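Review bot: The new fallback body `return cap_ip_decode_options(skb,optptr,pp_ptr);` omits the spaces after the commas, unlike every neighbouring stub (for example `return cap_netlink_recv(skb);` and the three-argument wrappers in the CONFIG_SECURITY branch); write it as `return cap_ip_decode_options(skb, optptr, pp_ptr);`. Since this is the only hook in the non-CONFIG_SECURITY branch of this hunk that actually delegates rather than returning 0, a one-line comment such as `/* capability test migrated from the base kernel, so not a no-op */` would also help explain why it differs from the stubs around it.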
    @@ -2801,123 +2589,247 @@
     	cap_task_reparent_to_init (p);
     }
     
    -static inline int security_socket_create (int family, int type, int protocol)
    +static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
    +					   short flag)
     {
     	return 0;
     }
     
    -static inline void security_socket_post_create(struct socket * sock, 
    -					       int family,
    -					       int type, 
    -					       int protocol)
    +static inline int security_msg_msg_alloc (struct msg_msg * msg)
     {
    +	return 0;
     }
     
    -static inline int security_socket_bind(struct socket * sock, 
    -				       struct sockaddr * address, 
    -				       int addrlen)
    +static inline void security_msg_msg_free (struct msg_msg * msg)
    +{ }
    +
    +static inline int security_msg_queue_alloc (struct msg_queue *msq)
     {
     	return 0;
     }
     
    -static inline int security_socket_connect(struct socket * sock, 
    -					  struct sockaddr * address, 
    -					  int addrlen)
    +static inline void security_msg_queue_free (struct msg_queue *msq)
    +{ }
    +
    +static inline int security_msg_queue_associate (struct msg_queue * msq, 
    +						int msqflg)
     {
     	return 0;
     }
     
    -static inline int security_socket_listen(struct socket * sock, int backlog)
    +static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
     {
     	return 0;
     }
     
    -static inline int security_socket_accept(struct socket * sock, 
    -					 struct socket * newsock)
    +static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
    +					     struct msg_msg * msg, int msqflg)
     {
     	return 0;
     }
     
    -static inline void security_socket_post_accept(struct socket * sock, 
    -					       struct socket * newsock)
    +static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
    +					     struct msg_msg * msg,
    +					     struct task_struct * target,
    +					     long type, int mode)
     {
    +	return 0;
     }
     
    -static inline int security_socket_sendmsg(struct socket * sock, 
    -					  struct msghdr * msg, int size)
    +static inline int security_shm_alloc (struct shmid_kernel *shp)
     {
     	return 0;
     }
     
    -static inline int security_socket_recvmsg(struct socket * sock, 
    -					  struct msghdr * msg, int size, 
    -					  int flags)
    -{
    +static inline void security_shm_free (struct shmid_kernel *shp)
    +{ }
    +
    +static inline int security_shm_associate (struct shmid_kernel * shp, 
    +					  int shmflg)
    +{
     	return 0;
     }
     
    -static inline int security_socket_getsockname(struct socket * sock)
    +static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
     {
     	return 0;
     }
     
    -static inline int security_socket_getpeername(struct socket * sock)
    +static inline int security_shm_shmat (struct shmid_kernel * shp, 
    +				      char *shmaddr, int shmflg)
    +{
    +	return 0;
    +}
    +
    +static inline int security_sem_alloc (struct sem_array *sma)
    +{
    +	return 0;
    +}
    +
    +static inline void security_sem_free (struct sem_array *sma)
    +{ }
    +
    +static inline int security_sem_associate (struct sem_array * sma, int semflg)
    +{
    +	return 0;
    +}
    +
    +static inline int security_sem_semctl (struct sem_array * sma, int cmd)
    +{
    +	return 0;
    +}
    +
    +static inline int security_sem_semop (struct sem_array * sma, 
    +				      struct sembuf * sops, unsigned nsops, 
    +				      int alter)
     {
     	return 0;
     }
     
    +static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
    +{ }
    +
    +#endif	/* CONFIG_SECURITY */
    +
    +#ifdef CONFIG_SECURITY_NETWORK
    +
    +static inline int security_unix_stream_connect(struct socket * sock,
    +					       struct socket * other, 
    +					       struct sock * newsk)
    +{
    +	return security_ops->unix_stream_connect(sock, other, newsk);
    +}
    +
    +
    +static inline int security_unix_may_send(struct socket * sock, 
    +					 struct socket * other)
    +{
    +	return security_ops->unix_may_send(sock, other);
    +}
    +
    +static inline int security_socket_create (int family, int type, int protocol)
    +{
    +	return security_ops->socket_create(family, type, protocol);
    +}
    +
    +static inline void security_socket_post_create(struct socket * sock, 
    +					       int family,
    +					       int type, 
    +					       int protocol)
    +{
    +	security_ops->socket_post_create(sock, family, type, protocol);
    +}
    +
    +static inline int security_socket_bind(struct socket * sock, 
    +				       struct sockaddr * address, 
    +				       int addrlen)
    +{
    +	return security_ops->socket_bind(sock, address, addrlen);
    +}
    +
    +static inline int security_socket_connect(struct socket * sock, 
    +					  struct sockaddr * address, 
    +					  int addrlen)
    +{
    +	return security_ops->socket_connect(sock, address, addrlen);
    +}
    +
    +static inline int security_socket_listen(struct socket * sock, int backlog)
    +{
    +	return security_ops->socket_listen(sock, backlog);
    +}
    +
    +static inline int security_socket_accept(struct socket * sock, 
    +					 struct socket * newsock)
    +{
    +	return security_ops->socket_accept(sock, newsock);
    +}
    +
    +static inline void security_socket_post_accept(struct socket * sock, 
    +					       struct socket * newsock)
    +{
    +	security_ops->socket_post_accept(sock, newsock);
    +}
    +
    +static inline int security_socket_sendmsg(struct socket * sock, 
    +					  struct msghdr * msg, int size)
    +{
    +	return security_ops->socket_sendmsg(sock, msg, size);
    +}
    +
    +static inline int security_socket_recvmsg(struct socket * sock, 
    +					  struct msghdr * msg, int size, 
    +					  int flags)
    +{
    +	return security_ops->socket_recvmsg(sock, msg, size, flags);
    +}
    +
    +static inline int security_socket_getsockname(struct socket * sock)
    +{
    +	return security_ops->socket_getsockname(sock);
    +}
    +
    +static inline int security_socket_getpeername(struct socket * sock)
    +{
    +	return security_ops->socket_getpeername(sock);
    +}
    +
     static inline int security_socket_getsockopt(struct socket * sock, 
     					     int level, int optname)
     {
    -	return 0;
    +	return security_ops->socket_getsockopt(sock, level, optname);
     }
     
     static inline int security_socket_setsockopt(struct socket * sock, 
     					     int level, int optname)
     {
    -	return 0;
    +	return security_ops->socket_setsockopt(sock, level, optname);
     }
     
     static inline int security_socket_shutdown(struct socket * sock, int how)
     {
    -	return 0;
    +	return security_ops->socket_shutdown(sock, how);
     }
     
     static inline int security_sock_alloc(struct sock * sk, 
     				      int gfp_mask)
     {
    -	return 0;
    +	return security_ops->socket_sock_alloc_security(sk, gfp_mask);
     }
     
     static inline void security_sock_free(struct sock * sk)
     {
    +	security_ops->socket_sock_free_security(sk);
     }
     
     static inline int security_sock_rcv_skb (struct sock * sk, 
     					 struct sk_buff * skb)
     {
    -	return 0;
    +	return security_ops->socket_sock_rcv_skb (sk, skb);
     }
     
     static inline int security_open_request_alloc (struct open_request * req)
     {
    -	return 0;
    +	return security_ops->open_request_alloc_security (req);
     }
     
     static inline void security_open_request_free (struct open_request * req)
     {
    +	security_ops->open_request_free_security (req);
     }
     
     static inline void security_tcp_connection_request(struct sock * sk, 
     						   struct sk_buff * skb,
     						   struct open_request * req)
     {
    +	security_ops->tcp_connection_request(sk, skb, req);
     }
     
     static inline void security_tcp_synack(struct sock * sk, 
     				       struct sk_buff * skb, 
     				       struct open_request * req)
     {
    +	security_ops->tcp_synack(sk, skb, req);
     }
     
     static inline void security_tcp_create_openreq_child(struct sock * sk, 
    @@ -2925,168 +2837,263 @@
     						     struct sk_buff * skb, 
     						     struct open_request * req)
     {
    +	security_ops->tcp_create_openreq_child(sk, newsk, skb, req);
     }
     
     static inline int security_skb_alloc(struct sk_buff * skb, int gfp_mask)
     {
    -	return 0;
    +	return security_ops->skb_alloc_security(skb, gfp_mask);
     }
     
     static inline int security_skb_clone(struct sk_buff * newskb, 
     				     const struct sk_buff * oldskb)
     {
    -	return 0;
    +	return security_ops->skb_clone(newskb, oldskb);
     }
     
     static inline void security_skb_copy(struct sk_buff * newskb, 
     				     const struct sk_buff * oldskb)
     {
    +	security_ops->skb_copy(newskb, oldskb);
     }
     
     static inline void security_skb_set_owner_w (struct sk_buff * skb, 
     					     struct sock * sk)
     {
    +	security_ops->skb_set_owner_w (skb, sk);
     }
     
     static inline void security_skb_recv_datagram(struct sk_buff * skb, 
     					      struct sock * sk, unsigned flags)
     {
    +	security_ops->skb_recv_datagram(skb, sk, flags);
     }
     
     static inline void security_skb_free(struct sk_buff * skb)
     {
    +	security_ops->skb_free_security(skb);
     }
     
     static inline void security_ip_fragment(struct sk_buff * newskb, 
     					const struct sk_buff * oldskb)
     {
    +	security_ops->ip_fragment(newskb, oldskb);
     }
     
     static inline int security_ip_defragment(struct sk_buff * skb)
     {
    -	return 0;
    +	return security_ops->ip_defragment(skb);
     }
     
     static inline void security_ip_encapsulate(struct sk_buff * skb)
     {
    +	security_ops->ip_encapsulate(skb);
     }
     
     static inline void security_ip_decapsulate(struct sk_buff * skb)
     {
    +	security_ops->ip_decapsulate(skb);
     }
     
    -static inline int security_ip_decode_options(struct sk_buff * skb, 
    -					     const char *optptr, 
    -					     unsigned char **pp_ptr)
    +static inline void security_netdev_unregister(struct net_device * dev)
     {
    -	return cap_ip_decode_options(skb,optptr,pp_ptr);
    +	security_ops->netdev_unregister(dev);
     }
     
    -static inline void security_netdev_unregister(struct net_device * dev)
    +#else /* CONFIG_SECURITY_NETWORK */
    +
    +static inline int security_unix_stream_connect(struct socket * sock,
    +					       struct socket * other, 
    +					       struct sock * newsk)
     {
    +	return 0;
     }
     
    -static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
    -					   short flag)
    +static inline int security_unix_may_send(struct socket * sock, 
    +					 struct socket * other)
     {
     	return 0;
     }
     
    -static inline int security_msg_msg_alloc (struct msg_msg * msg)
    +static inline int security_socket_create (int family, int type, int protocol)
     {
     	return 0;
     }
     
    -static inline void security_msg_msg_free (struct msg_msg * msg)
    -{ }
    +static inline void security_socket_post_create(struct socket * sock, 
    +					       int family,
    +					       int type, 
    +					       int protocol)
    +{
    +}
     
    -static inline int security_msg_queue_alloc (struct msg_queue *msq)
    +static inline int security_socket_bind(struct socket * sock, 
    +				       struct sockaddr * address, 
    +				       int addrlen)
     {
     	return 0;
     }
     
    -static inline void security_msg_queue_free (struct msg_queue *msq)
    -{ }
    +static inline int security_socket_connect(struct socket * sock, 
    +					  struct sockaddr * address, 
    +					  int addrlen)
    +{
    +	return 0;
    +}
     
    -static inline int security_msg_queue_associate (struct msg_queue * msq, 
    -						int msqflg)
    +static inline int security_socket_listen(struct socket * sock, int backlog)
     {
     	return 0;
     }
     
    -static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
    +static inline int security_socket_accept(struct socket * sock, 
    +					 struct socket * newsock)
     {
     	return 0;
     }
     
    -static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
    -					     struct msg_msg * msg, int msqflg)
    +static inline void security_socket_post_accept(struct socket * sock, 
    +					       struct socket * newsock)
    +{
    +}
    +
    +static inline int security_socket_sendmsg(struct socket * sock, 
    +					  struct msghdr * msg, int size)
     {
     	return 0;
     }
     
    -static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
    -					     struct msg_msg * msg,
    -					     struct task_struct * target,
    -					     long type, int mode)
    +static inline int security_socket_recvmsg(struct socket * sock, 
    +					  struct msghdr * msg, int size, 
    +					  int flags)
     {
     	return 0;
     }
     
    -static inline int security_shm_alloc (struct shmid_kernel *shp)
    +static inline int security_socket_getsockname(struct socket * sock)
     {
     	return 0;
     }
     
    -static inline void security_shm_free (struct shmid_kernel *shp)
    -{ }
    +static inline int security_socket_getpeername(struct socket * sock)
    +{
    +	return 0;
    +}
     
    -static inline int security_shm_associate (struct shmid_kernel * shp, 
    -					  int shmflg)
    +static inline int security_socket_getsockopt(struct socket * sock, 
    +					     int level, int optname)
     {
     	return 0;
     }
     
    -static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
    +static inline int security_socket_setsockopt(struct socket * sock, 
    +					     int level, int optname)
     {
     	return 0;
     }
     
    -static inline int security_shm_shmat (struct shmid_kernel * shp, 
    -				      char *shmaddr, int shmflg)
    +static inline int security_socket_shutdown(struct socket * sock, int how)
     {
     	return 0;
     }
     
    -static inline int security_sem_alloc (struct sem_array *sma)
    +static inline int security_sock_alloc(struct sock * sk, 
    +				      int gfp_mask)
     {
     	return 0;
     }
     
    -static inline void security_sem_free (struct sem_array *sma)
    -{ }
    +static inline void security_sock_free(struct sock * sk)
    +{
    +}
     
    -static inline int security_sem_associate (struct sem_array * sma, int semflg)
    +static inline int security_sock_rcv_skb (struct sock * sk, 
    +					 struct sk_buff * skb)
     {
     	return 0;
     }
     
    -static inline int security_sem_semctl (struct sem_array * sma, int cmd)
    +static inline int security_open_request_alloc (struct open_request * req)
     {
     	return 0;
     }
     
    -static inline int security_sem_semop (struct sem_array * sma, 
    -				      struct sembuf * sops, unsigned nsops, 
    -				      int alter)
    +static inline void security_open_request_free (struct open_request * req)
    +{
    +}
    +
    +static inline void security_tcp_connection_request(struct sock * sk, 
    +						   struct sk_buff * skb,
    +						   struct open_request * req)
    +{
    +}
    +
    +static inline void security_tcp_synack(struct sock * sk, 
    +				       struct sk_buff * skb, 
    +				       struct open_request * req)
    +{
    +}
    +
    +static inline void security_tcp_create_openreq_child(struct sock * sk, 
    +						     struct sock * newsk, 
    +						     struct sk_buff * skb, 
    +						     struct open_request * req)
    +{
    +}
    +
    +static inline int security_skb_alloc(struct sk_buff * skb, int gfp_mask)
     {
     	return 0;
     }
     
    -static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
    -{ }
    +static inline int security_skb_clone(struct sk_buff * newskb, 
    +				     const struct sk_buff * oldskb)
    +{
    +	return 0;
    +}
     
    -#endif	/* CONFIG_SECURITY */
    +static inline void security_skb_copy(struct sk_buff * newskb, 
    +				     const struct sk_buff * oldskb)
    +{
    +}
    +
    +static inline void security_skb_set_owner_w (struct sk_buff * skb, 
    +					     struct sock * sk)
    +{
    +}
    +
    +static inline void security_skb_recv_datagram(struct sk_buff * skb, 
    +					      struct sock * sk, unsigned flags)
    +{
    +}
    +
    +static inline void security_skb_free(struct sk_buff * skb)
    +{
    +}
    +
    +static inline void security_ip_fragment(struct sk_buff * newskb, 
    +					const struct sk_buff * oldskb)
    +{
    +}
    +
    +static inline int security_ip_defragment(struct sk_buff * skb)
    +{
    +	return 0;
    +}
    +
    +static inline void security_ip_encapsulate(struct sk_buff * skb)
    +{
    +}
    +
    +static inline void security_ip_decapsulate(struct sk_buff * skb)
    +{
    +}
    +
    +static inline void security_netdev_unregister(struct net_device * dev)
    +{
    +}
    +
    +#endif /* CONFIG_SECURITY_NETWORK */
     
     #endif /* ! __LINUX_SECURITY_H */
     
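Review bot: The `#else /* CONFIG_SECURITY_NETWORK */` branch introduced here turns every socket, sk_buff, IP and netdev hook into a permit-all no-op without saying so, and since the `#ifdef` side also drops the `security` fields from sock, open_request and sk_buff, a module loaded into such a kernel has no way to mediate networking at all; that deserves a comment at the `#else`, e.g. `/* CONFIG_SECURITY_NETWORK=n: network objects carry no security field and every socket/network hook below is a no-op that permits the operation. */`. The stubs are also written in a different shape from the ones this hunk removes (`{` newline `}` versus the one-line `{ }` used by the old `security_msg_msg_free` stubs), so the file now mixes both forms; picking one would keep the header consistent. The `security_tcp_create_openreq_child` wrapper at the top of the hunk starts before the hunk header, so only its body is visible here.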
    Index: lsm-2.5/include/linux/skbuff.h
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/include/linux/skbuff.h,v
    retrieving revision 1.10
    diff -u -r1.10 skbuff.h
    --- lsm-2.5/include/linux/skbuff.h	13 Jan 2003 20:48:00 -0000	1.10
    +++ lsm-2.5/include/linux/skbuff.h	27 Jan 2003 14:32:22 -0000
    @@ -261,8 +261,9 @@
     #ifdef CONFIG_NET_SCHED
            __u32			tc_index;               /* traffic control index */
     #endif
    -
    +#ifdef CONFIG_SECURITY_NETWORK
     	void		*lsm_security;		/* replaces the above security field */
    +#endif
     };
     
     #define SK_WMEM_MAX	65535
    Index: lsm-2.5/include/linux/tcp.h
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/include/linux/tcp.h,v
    retrieving revision 1.6
    diff -u -r1.6 tcp.h
    --- lsm-2.5/include/linux/tcp.h	24 Jan 2003 15:20:00 -0000	1.6
    +++ lsm-2.5/include/linux/tcp.h	27 Jan 2003 14:32:34 -0000
    @@ -383,7 +383,7 @@
     #define tcp_sk(__sk) (&((struct tcp_sock *)__sk)->tcp)
     
     static inline void clone_tcp_sk(struct sock *newsk, struct sock *sk) {
    -#ifdef CONFIG_SECURITY 
    +#ifdef CONFIG_SECURITY_NETWORK
     /* Save/restore the LSM security pointer around the copy */
     	void *sptr = newsk->security;
     	memcpy(newsk, sk, sizeof(struct tcp_sock));
    Index: lsm-2.5/include/net/sock.h
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/include/net/sock.h,v
    retrieving revision 1.18
    diff -u -r1.18 sock.h
    --- lsm-2.5/include/net/sock.h	4 Dec 2002 21:58:29 -0000	1.18
    +++ lsm-2.5/include/net/sock.h	27 Jan 2003 14:33:16 -0000
    @@ -198,8 +198,10 @@
     	/* RPC layer private data */
     	void			*user_data;
     
    +#ifdef CONFIG_SECURITY_NETWORK
     	/* LSM security field */
     	void			*security;
    +#endif
       
     	/* Callbacks */
     	void			(*state_change)(struct sock *sk);
    Index: lsm-2.5/include/net/tcp.h
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/include/net/tcp.h,v
    retrieving revision 1.8
    diff -u -r1.8 tcp.h
    --- lsm-2.5/include/net/tcp.h	24 Jan 2003 15:20:00 -0000	1.8
    +++ lsm-2.5/include/net/tcp.h	27 Jan 2003 14:44:12 -0000
    @@ -534,8 +534,10 @@
     		struct tcp_v6_open_req v6_req;
     #endif
     	} af;
    +#ifdef CONFIG_SECURITY_NETWORK
     	/* LSM security field */
     	void			*security;
    +#endif
     };
     
     /* SLAB cache for open requests. */
    @@ -547,7 +549,6 @@
     		kmem_cache_alloc(tcp_openreq_cachep, SLAB_ATOMIC);
     
     	if (req != NULL) {
    -		req->security = NULL;
     		if (security_open_request_alloc(req)) {
     			kmem_cache_free(tcp_openreq_cachep, req);
     			return NULL;
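Review bot: Dropping `req->security = NULL;` here moves an invariant from the core into every LSM: `kmem_cache_alloc(tcp_openreq_cachep, SLAB_ATOMIC)` on the line above does not zero the object, so `req->security` now holds slab garbage until the module's `open_request_alloc_security` hook writes it. The dummy and SELinux hooks in this patch do store NULL, but a third-party module that simply returns 0, or a secondary module stacked under a primary that already set the field, will leave a dangling pointer that `open_request_free_security` may later dereference or free. If the initialization is moved to save an `#ifdef`, keep it in the core anyway as `#ifdef CONFIG_SECURITY_NETWORK` / `req->security = NULL;` / `#endif`, or at least state the contract in the hook's kerneldoc in security.h (the hook must initialize `req->security` on every path). The enclosing allocation function begins before this hunk.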
    Index: lsm-2.5/net/core/skbuff.c
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/net/core/skbuff.c,v
    retrieving revision 1.14
    diff -u -r1.14 skbuff.c
    --- lsm-2.5/net/core/skbuff.c	13 Jan 2003 20:48:08 -0000	1.14
    +++ lsm-2.5/net/core/skbuff.c	27 Jan 2003 15:05:56 -0000
    @@ -263,7 +263,9 @@
     #ifdef CONFIG_NET_SCHED
     	skb->tc_index	  = 0;
     #endif
    +#ifdef CONFIG_SECURITY_NETWORK
     	skb->lsm_security = NULL;
    +#endif
     }
     
     static void skb_drop_fraglist(struct sk_buff *skb)
    Index: lsm-2.5/net/core/sock.c
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/net/core/sock.c,v
    retrieving revision 1.8
    diff -u -r1.8 sock.c
    --- lsm-2.5/net/core/sock.c	24 Jan 2003 15:20:01 -0000	1.8
    +++ lsm-2.5/net/core/sock.c	27 Jan 2003 14:44:53 -0000
    @@ -601,7 +601,6 @@
     			sk->family = family;
     			sock_lock_init(sk);
     		}
    -		sk->security = NULL;
     		if (security_sock_alloc(sk, priority)) {
     			kmem_cache_free(slab, sk);
     			return NULL;
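Review bot: Removing `sk->security = NULL;` before `security_sock_alloc()` leaves the field's initial value entirely up to the module's `socket_sock_alloc_security` hook; the visible allocation path only assigns `family` and the lock inside a conditional block, so unless that block also zero-fills the whole sock on every path (I can't tell from the hunk), a module that does not write the field inherits whatever the slab returned. A stacked secondary module is the realistic case: the primary sets NULL, the secondary overwrites or ignores it, and `socket_sock_free_security` then acts on a stale pointer. Keeping `sk->security = NULL;` in the core under `#ifdef CONFIG_SECURITY_NETWORK` is cheaper than auditing every module, and if it is dropped the requirement should be documented on the hook. The surrounding `sk_alloc` body starts before this hunk.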
    Index: lsm-2.5/security/Kconfig
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/security/Kconfig,v
    retrieving revision 1.6
    diff -u -r1.6 Kconfig
    --- lsm-2.5/security/Kconfig	27 Dec 2002 13:45:00 -0000	1.6
    +++ lsm-2.5/security/Kconfig	27 Jan 2003 15:37:29 -0000
    @@ -15,6 +15,15 @@
     
     	  If you are unsure how to answer this question, answer N.
     
    +config SECURITY_NETWORK
    +	bool "Socket and Networking Security Hooks"
    +	depends on SECURITY!=n
    +	help
    +	  This enables the socket and networking security hooks.
    +	  If enabled, a security module can use these hooks to
    +	  implement socket and networking access controls.
    +	  If you are unsure how to answer this question, answer N.
    +
     config SECURITY_CAPABILITIES
     	tristate "Default Linux Capabilities"
     	depends on SECURITY!=n
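Review bot: The help text for `SECURITY_NETWORK` should say what is lost when it is off: with this patch `SECURITY_SELINUX` builds with all of its socket, sk_buff, TCP and NetFilter-based enforcement compiled out (the `#ifdef CONFIG_SECURITY_NETWORK` regions in hooks.c), yet the text tells an unsure user to answer N and nothing in `SECURITY_SELINUX` itself expresses the dependency. A sentence such as `If you build SELinux (or another module that controls sockets) you must enable this, otherwise its network access controls are silently omitted.` would make the silent-permit configuration visible at config time. Whether `SECURITY_SELINUX` should instead `select` or `depends on` this symbol is a design choice, but one of the two should be stated.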
    Index: lsm-2.5/security/dummy.c
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/security/dummy.c,v
    retrieving revision 1.35
    diff -u -r1.35 dummy.c
    --- lsm-2.5/security/dummy.c	24 Jan 2003 20:32:49 -0000	1.35
    +++ lsm-2.5/security/dummy.c	27 Jan 2003 16:32:48 -0000
    @@ -20,6 +20,8 @@
     #include <linux/security.h>
     #include <linux/skbuff.h>
     #include <linux/netlink.h>
    +#include <net/sock.h>
    +#include <net/tcp.h>
     
     static int dummy_sethostname (char *hostname)
     {
    @@ -664,6 +666,18 @@
     	return 0;
     }
     
    +static int dummy_ip_decode_options (struct sk_buff *skb, const char *optptr,
    +				    unsigned char **pp_ptr)
    +{
    +	if (!skb && !capable (CAP_NET_RAW)) {
    +		(const unsigned char *) *pp_ptr = optptr;
    +		return -EPERM;
    +	}
    +	return 0;
    +}
    +
    +#ifdef CONFIG_SECURITY_NETWORK
    +
     static void dummy_ip_fragment (struct sk_buff *newskb,
     			       const struct sk_buff *oldskb)
     {
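Review bot: `(const unsigned char *) *pp_ptr = optptr;` in the relocated `dummy_ip_decode_options` uses a cast as an lvalue, a GCC extension that is deprecated and rejected by later compilers, and it discards `const` on the left-hand side for no reason. The intent is just to report the offending option pointer back to the caller, so `*pp_ptr = (unsigned char *) optptr;` expresses that with a single conventional cast on the right. Since the function is being moved anyway, this is the moment to fix it in both the dummy and DTE copies.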
    @@ -685,16 +699,6 @@
     	return;
     }
     
    -static int dummy_ip_decode_options (struct sk_buff *skb, const char *optptr,
    -				    unsigned char **pp_ptr)
    -{
    -	if (!skb && !capable (CAP_NET_RAW)) {
    -		(const unsigned char *) *pp_ptr = optptr;
    -		return -EPERM;
    -	}
    -	return 0;
    -}
    -
     static void dummy_netdev_unregister (struct net_device *dev)
     {
     	return;
    @@ -778,6 +782,7 @@
     
     static int dummy_socket_sock_alloc_security(struct sock *sk, int gfp_mask)
     {
    +	sk->security = NULL;
     	return 0;
     }
     
    @@ -793,6 +798,7 @@
     
     static int dummy_open_request_alloc_security(struct open_request * req)
     {
    +	req->security = NULL;
     	return 0;
     }
     
    @@ -866,6 +872,8 @@
     	return;
     }
     
    +#endif
    +
     static int dummy_register_security (const char *name, struct security_operations *ops)
     {
     	return -EINVAL;
    @@ -1002,6 +1010,7 @@
     	set_to_dummy_if_null(ops, sem_semop);
     	set_to_dummy_if_null(ops, register_security);
     	set_to_dummy_if_null(ops, unregister_security);
    +	set_to_dummy_if_null(ops, d_instantiate);
     	set_to_dummy_if_null(ops, sethostname);
     	set_to_dummy_if_null(ops, setdomainname);
     	set_to_dummy_if_null(ops, reboot);
    @@ -1012,11 +1021,12 @@
     	set_to_dummy_if_null(ops, settime);
     	set_to_dummy_if_null(ops, netlink_send);
     	set_to_dummy_if_null(ops, netlink_recv);
    +	set_to_dummy_if_null(ops, ip_decode_options);
    +#ifdef CONFIG_SECURITY_NETWORK
     	set_to_dummy_if_null(ops, ip_fragment);
     	set_to_dummy_if_null(ops, ip_defragment);
     	set_to_dummy_if_null(ops, ip_decapsulate);
     	set_to_dummy_if_null(ops, ip_encapsulate);
    -	set_to_dummy_if_null(ops, ip_decode_options);
     	set_to_dummy_if_null(ops, netdev_unregister);
     	set_to_dummy_if_null(ops, socket_create);
     	set_to_dummy_if_null(ops, socket_post_create);
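Review bot: The `set_to_dummy_if_null` calls moved under `#ifdef CONFIG_SECURITY_NETWORK` write into the module-supplied `ops` structure, and the cover note says the option now changes the layout of `struct security_operations` by appending the optional hooks; a module compiled without the option and loaded into a kernel compiled with it would therefore have these lines store past the end of its `ops` object. I cannot tell from the hunk whether the module version check includes this config symbol, so either confirm that a mismatch is rejected at load time or add a comment here stating that modules must be built with the same `CONFIG_SECURITY_NETWORK` setting as the kernel. The `security_fixup_ops` function this belongs to starts before the hunk.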
    @@ -1048,6 +1058,6 @@
     	set_to_dummy_if_null(ops, skb_set_owner_w);
     	set_to_dummy_if_null(ops, skb_recv_datagram);
     	set_to_dummy_if_null(ops, skb_free_security);
    -	set_to_dummy_if_null(ops, d_instantiate);
    +#endif
     }
     
    Index: lsm-2.5/security/dte/dte.c
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/security/dte/dte.c,v
    retrieving revision 1.25
    diff -u -r1.25 dte.c
    --- lsm-2.5/security/dte/dte.c	24 Jan 2003 20:32:50 -0000	1.25
    +++ lsm-2.5/security/dte/dte.c	27 Jan 2003 16:13:45 -0000
    @@ -586,27 +586,6 @@
     		dte_secondary_ops->task_reparent_to_init(p);
     }
     
    -static void dte_ip_fragment (struct sk_buff *newskb,
    -			     const struct sk_buff *oldskb)
    -{
    -	return;
    -}
    -
    -static int dte_ip_defragment (struct sk_buff *skb)
    -{
    -	return 0;
    -}
    -
    -static void dte_ip_encapsulate (struct sk_buff *skb)
    -{
    -	return;
    -}
    -
    -static void dte_ip_decapsulate (struct sk_buff *skb)
    -{
    -	return;
    -}
    -
     static int dte_ip_decode_options (struct sk_buff *skb, const char *optptr,
     				  unsigned char **pp_ptr)
     {
    @@ -617,146 +596,6 @@
     	return 0;
     }
     
    -static void dte_netdev_unregister (struct net_device *dev)
    -{
    -	return;
    -}
    -
    -static int dte_socket_create (int family, int type, int protocol)
    -{
    -	return 0;
    -}
    -
    -static void dte_socket_post_create (struct socket *sock, int family, int type,
    -				    int protocol)
    -{
    -	return;
    -}
    -
    -static int dte_socket_bind (struct socket *sock, struct sockaddr *address,
    -			    int addrlen)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_connect (struct socket *sock, struct sockaddr *address,
    -			       int addrlen)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_listen (struct socket *sock, int backlog)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_accept (struct socket *sock, struct socket *newsock)
    -{
    -	return 0;
    -}
    -
    -static void dte_socket_post_accept (struct socket *sock, 
    -				    struct socket *newsock)
    -{
    -	return;
    -}
    -
    -static int dte_socket_sendmsg (struct socket *sock, struct msghdr *msg,
    -			       int size)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_recvmsg (struct socket *sock, struct msghdr *msg,
    -			       int size, int flags)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_getsockname (struct socket *sock)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_getpeername (struct socket *sock)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_setsockopt (struct socket *sock, int level, int optname)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_getsockopt (struct socket *sock, int level, int optname)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_shutdown (struct socket *sock, int how)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_sock_alloc_security (struct sock *sk, int gfp_mask)
    -{
    -	return 0;
    -}
    -
    -static void dte_socket_sock_free_security (struct sock *sk)
    -{
    -	return;
    -}
    -
    -static int dte_sock_rcv_skb (struct sock *sk, struct sk_buff *skb)
    -{
    -	return 0;
    -}
    -
    -static int dte_open_request_alloc_security (struct open_request *req)
    -{
    -	return 0;
    -}
    -
    -static void dte_open_request_free_security (struct open_request *req)
    -{
    -	return;
    -}
    -
    -static void dte_tcp_connection_request (struct sock *sk,
    -					struct sk_buff *skb,
    -					struct open_request *req)
    -{
    -	return;
    -}
    -
    -static void dte_tcp_synack (struct sock *sk, struct sk_buff *skb,
    -			    struct open_request *req)
    -{
    -	return;
    -}
    -
    -
    -static void dte_tcp_create_openreq_child (struct sock *sk,
    -					  struct sock *newsk,
    -					  struct sk_buff *skb,
    -					  struct open_request *req)
    -{
    -	return;
    -}
    -
    -static int dte_socket_unix_stream_connect (struct socket *sock,
    -					   struct socket *other,
    -					   struct sock *newsk)
    -{
    -	return 0;
    -}
    -
    -static int dte_socket_unix_may_send (struct socket *sock, struct socket *other)
    -{
    -	return 0;
    -}
    -
     static int dte_ipc_permission (struct kern_ipc_perm *ipcp, short flag)
     {
     	return 0;
    @@ -852,37 +691,6 @@
     	return 0;
     }
     
    -static int dte_skb_alloc_security (struct sk_buff *skb, int gfp_mask)
    -{
    -	return 0;
    -}
    -
    -static int dte_skb_clone (struct sk_buff *newskb, const struct sk_buff *oldskb)
    -{
    -	return 0;
    -}
    -
    -static void dte_skb_copy (struct sk_buff *newskb, const struct sk_buff *oldskb)
    -{
    -	return;
    -}
    -
    -static void dte_skb_set_owner_w (struct sk_buff *skb, struct sock *sk)
    -{
    -	return;
    -}
    -
    -static void dte_skb_recv_datagram (struct sk_buff *skb, struct sock *sk,
    -				   unsigned flags)
    -{
    -	return;
    -}
    -
    -static void dte_skb_free_security (struct sk_buff *skb)
    -{
    -	return;
    -}
    -
     static int dte_register (const char *name, struct security_operations *ops)
     {
     	int rc;
    @@ -940,8 +748,6 @@
     
     	netlink_send:			dte_netlink_send,
     	netlink_recv:			dte_netlink_recv,
    -	unix_stream_connect:		dte_socket_unix_stream_connect,
    -	unix_may_send:			dte_socket_unix_may_send,
     
     	bprm_alloc_security:		dte_binprm_alloc_security,
     	bprm_free_security:		dte_binprm_free_security,
    @@ -1024,43 +830,7 @@
     	task_kmod_set_label:		dte_task_kmod_set_label,
     	task_reparent_to_init:		dte_task_reparent_to_init,
     
    -	socket_create:			dte_socket_create,
    -	socket_post_create:		dte_socket_post_create,
    -	socket_bind:			dte_socket_bind,
    -	socket_connect:			dte_socket_connect,
    -	socket_listen:			dte_socket_listen,
    -	socket_accept:			dte_socket_accept,
    -	socket_post_accept:		dte_socket_post_accept,
    -	socket_sendmsg:			dte_socket_sendmsg,
    -	socket_recvmsg:			dte_socket_recvmsg,
    -	socket_getsockname:		dte_socket_getsockname,
    -	socket_getpeername:		dte_socket_getpeername,
    -	socket_getsockopt:		dte_socket_getsockopt,
    -	socket_setsockopt:		dte_socket_setsockopt,
    -	socket_shutdown:		dte_socket_shutdown,
    -	socket_sock_alloc_security:	dte_socket_sock_alloc_security,
    -	socket_sock_free_security:	dte_socket_sock_free_security,
    -	socket_sock_rcv_skb:		dte_sock_rcv_skb,
    -	open_request_alloc_security:	dte_open_request_alloc_security,
    -	open_request_free_security:	dte_open_request_free_security,
    -	tcp_connection_request:		dte_tcp_connection_request,
    -	tcp_synack:			dte_tcp_synack,
    -	tcp_create_openreq_child:	dte_tcp_create_openreq_child,
    -	
    -	skb_alloc_security:		dte_skb_alloc_security,
    -	skb_clone:			dte_skb_clone,
    -	skb_copy:			dte_skb_copy,
    -	skb_set_owner_w:		dte_skb_set_owner_w,
    -	skb_recv_datagram:		dte_skb_recv_datagram,
    -	skb_free_security:		dte_skb_free_security,
    -	
    -	ip_fragment:			dte_ip_fragment,
    -	ip_defragment:			dte_ip_defragment,
    -	ip_encapsulate:			dte_ip_encapsulate,
    -	ip_decapsulate:			dte_ip_decapsulate,
     	ip_decode_options:		dte_ip_decode_options,
    -	
    -	netdev_unregister:		dte_netdev_unregister,
     	
     	ipc_permission:			dte_ipc_permission,
     	
    Index: lsm-2.5/security/selinux/Kconfig
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/security/selinux/Kconfig,v
    retrieving revision 1.2
    diff -u -r1.2 Kconfig
    --- lsm-2.5/security/selinux/Kconfig	3 Dec 2002 14:11:28 -0000	1.2
    +++ lsm-2.5/security/selinux/Kconfig	27 Jan 2003 15:38:16 -0000
    @@ -33,7 +33,7 @@
     
     config SECURITY_SELINUX_EXTSOCKET
     	bool "NSA SELinux extended socket call API (EXPERIMENTAL)"
    -	depends on SECURITY_SELINUX && EXPERIMENTAL
    +	depends on SECURITY_SELINUX && SECURITY_NETWORK && EXPERIMENTAL
     	default n
     	help
     	  This enables the NSA SELinux extended socket call API.
    @@ -45,7 +45,7 @@
     
     config SECURITY_SELINUX_NSID
     	bool "NSA SELinux network SID API (EXPERIMENTAL)"
    -	depends on SECURITY_SELINUX && NETFILTER && EXPERIMENTAL
    +	depends on SECURITY_SELINUX && SECURITY_NETWORK && NETFILTER && EXPERIMENTAL
     	default n
     	help
     	  This enables the NSA SELinux network SID API.
    @@ -55,7 +55,7 @@
     
     config SECURITY_SELINUX_SELOPT
     	tristate "NSA SELinux CIPSO/FIPS-188 (EXPERIMENTAL)"
    -	depends on SECURITY_SELINUX_NSID && NETFILTER && EXPERIMENTAL
    +	depends on SECURITY_SELINUX_NSID && EXPERIMENTAL
     	default n
     	help
     	  This enables the NSA SELinux CIPSO/FIPS-188 IP options for
    Index: lsm-2.5/security/selinux/extsocket.h
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/security/selinux/extsocket.h,v
    retrieving revision 1.9
    diff -u -r1.9 extsocket.h
    --- lsm-2.5/security/selinux/extsocket.h	21 Jan 2003 20:32:30 -0000	1.9
    +++ lsm-2.5/security/selinux/extsocket.h	27 Jan 2003 16:05:21 -0000
    @@ -33,7 +33,7 @@
     
     static spinlock_t open_request_alloc_lock = SPIN_LOCK_UNLOCKED;
     
    -static int extsocket_open_request_alloc_security(struct open_request *req)
    +static inline int extsocket_open_request_alloc_security(struct open_request *req)
     {
     	struct open_request_security_struct *orsec, *new_orsec;
     	unsigned long flags;
    @@ -62,7 +62,7 @@
     	return 0;
     }
     
    -static void extsocket_open_request_free_security(struct open_request *req)
    +static inline void extsocket_open_request_free_security(struct open_request *req)
     {
     	struct open_request_security_struct *orsec;
     	unsigned long flags;
    @@ -673,12 +673,12 @@
     
     #else
     
    -static int extsocket_open_request_alloc_security(struct open_request *req)
    +static inline int extsocket_open_request_alloc_security(struct open_request *req)
     {
     	return 0;
     }
     
    -static void extsocket_open_request_free_security(struct open_request *req)
    +static inline void extsocket_open_request_free_security(struct open_request *req)
     {
     	return;
     }
    Index: lsm-2.5/security/selinux/hooks.c
    ===================================================================
    RCS file: /home/pal/CVS/lsm-2.5/security/selinux/hooks.c,v
    retrieving revision 1.92
    diff -u -r1.92 hooks.c
    --- lsm-2.5/security/selinux/hooks.c	24 Jan 2003 20:32:51 -0000	1.92
    +++ lsm-2.5/security/selinux/hooks.c	27 Jan 2003 16:42:58 -0000
    @@ -148,6 +148,8 @@
     	kfree(tsec);
     }
     
    +#ifdef CONFIG_SECURITY_NETWORK
    +
     /* 
      * Functions used to allocate/free sock security structures.
      */
    @@ -198,6 +200,8 @@
     	kfree(sksec);
     }
     
    +#endif
    +
     static spinlock_t inode_alloc_lock = SPIN_LOCK_UNLOCKED;
     
     static int inode_alloc_security(struct inode *inode)
    @@ -349,6 +353,8 @@
     	kfree(sbsec);
     }
     
    +#ifdef CONFIG_SECURITY_NETWORK
    +
     static spinlock_t skb_alloc_lock = SPIN_LOCK_UNLOCKED;
     
     static int skb_alloc_security(struct sk_buff *skb, int gfp_mask)
    @@ -445,6 +451,8 @@
     	kfree(nsec);
     }
     
    +#endif
    +
     /* The security server must be initialized before
        any labeling or access decisions can be provided. */
     extern int ss_initialized;
    @@ -770,6 +778,8 @@
     	return 0;
     }
     
    +#ifdef CONFIG_SECURITY_NETWORK
    +
     /* The network interface security attributes must be initialized before 
      * first use. */
     int netdev_precondition(struct net_device *dev) 
    @@ -795,6 +805,8 @@
     	return 1;
     }
     
    +#endif
    +
     /* Convert a Linux signal to an access vector. */
     static inline access_vector_t signal_to_av(int sig) 
     {
    @@ -1312,36 +1324,6 @@
     
     /* assorted security operations  (mostly syscall interposition) */
     
    -static int selinux_sethostname(char *hostname)
    -{
    -	/* Controlled via the capable hook - CAP_SYS_ADMIN */
    -	return 0;
    -}
    -
    -static int selinux_setdomainname(char *domainname)
    -{
    -	/* Controlled via the capable hook - CAP_SYS_ADMIN */
    -	return 0;
    -}
    -
    -static int selinux_reboot(unsigned int cmd)
    -{
    -	/* Controlled via the capable hook - CAP_SYS_BOOT */
    -	return 0;
    -}
    -
    -static int selinux_ioperm(unsigned long from, unsigned long num, int turn_on)
    -{
    -	/* Controlled via the capable hook - CAP_SYS_RAWIO */
    -	return 0;
    -}
    -
    -static int selinux_iopl(unsigned int old, unsigned int level)
    -{
    -	/* Controlled via the capable hook - CAP_SYS_RAWIO */
    -	return 0;
    -}
    -
     static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
     {
     	int rc;
    @@ -1386,12 +1368,6 @@
     	return secondary_ops->capset_set(target, effective, inheritable, permitted);
     }
     
    -static int selinux_acct(struct file *file)
    -{
    -	/* Controlled via the capable hook - CAP_SYS_PACCT */
    -	return 0;
    -}
    -
     static int selinux_capable(struct task_struct *tsk, int cap)
     {
     	int rc;
    @@ -1548,11 +1524,6 @@
     	return rc;
     }
     
    -static int selinux_settime (struct timeval *tv, struct timezone *tz)
    -{
    -        return 0;
    -}
    -
     static int selinux_netlink_send(struct sk_buff *skb)  
     {
     	if (capable(CAP_NET_ADMIN))
    @@ -2482,6 +2453,8 @@
     	return;
     }
     
    +#ifdef CONFIG_SECURITY_NETWORK
    +
     static void skb_copy_security(struct skb_security_struct *new,
                                   struct skb_security_struct *old)
     {
    @@ -3111,6 +3084,7 @@
     
     static int selinux_socket_sock_alloc_security(struct sock *sk, int gfp_mask)
     {
    +	sk->security = NULL;
     	return sock_alloc_security(sk, gfp_mask);
     }
     
    @@ -3226,6 +3200,7 @@
     
     static int selinux_open_request_alloc_security(struct open_request *req)
     {
    +	req->security = NULL;
     	return extsocket_open_request_alloc_security(req);
     }
     
    @@ -3334,6 +3309,8 @@
     	return extsocket_unix_may_send(isec, other_isec, &ad);
     }
     
    +#endif
    +
     static spinlock_t ipc_alloc_lock = SPIN_LOCK_UNLOCKED;
     
     static int ipc_alloc_security(struct task_struct *task, 
    @@ -3889,6 +3866,8 @@
     	return ipc_has_perm(ipcp, sclass, av);
     }
     
    +#ifdef CONFIG_SECURITY_NETWORK
    +
     static int selinux_skb_alloc_security(struct sk_buff *skb, int gfp_mask)
     {
     	return skb_alloc_security(skb, gfp_mask);
    @@ -3977,6 +3956,8 @@
     	skb_free_security(skb);
     }
     
    +#endif
    +
     /* module stacking operations */
     int selinux_register_security (const char *name, struct security_operations *ops)
     {
    @@ -4013,16 +3994,10 @@
     }
     
     struct security_operations selinux_ops = {
    -	sethostname:			selinux_sethostname,
    -	setdomainname:			selinux_setdomainname,
    -	reboot:				selinux_reboot,
    -	ioperm:				selinux_ioperm,
    -	iopl:				selinux_iopl,
     	ptrace:				selinux_ptrace,
     	capget:			        selinux_capget,
     	capset_check:		        selinux_capset_check,
     	capset_set:		        selinux_capset_set,	
    -	acct:				selinux_acct,
     	sysctl:				selinux_sysctl,
     	capable:	                selinux_capable,
     	swapon:				selinux_swapon,
    @@ -4030,12 +4005,9 @@
     	quotactl:			selinux_quotactl,
     	quota_on:			selinux_quota_on,
     	syslog:				selinux_syslog,
    -	settime:                        selinux_settime,	
     
     	netlink_send:			selinux_netlink_send,
             netlink_recv:			selinux_netlink_recv,
    -        unix_stream_connect:		selinux_socket_unix_stream_connect,
    -	unix_may_send:			selinux_socket_unix_may_send,
     
     	bprm_alloc_security:		selinux_bprm_alloc_security,
     	bprm_free_security:		selinux_bprm_free_security,
    @@ -4118,6 +4090,39 @@
     	task_kmod_set_label:		selinux_task_kmod_set_label,
     	task_reparent_to_init:		selinux_task_reparent_to_init,
     
    +	ipc_permission:			selinux_ipc_permission,
    +	
    +	msg_msg_alloc_security:		selinux_msg_msg_alloc_security,
    +	msg_msg_free_security:		selinux_msg_msg_free_security,
    +	
    +	msg_queue_alloc_security:	selinux_msg_queue_alloc_security,
    +	msg_queue_free_security:	selinux_msg_queue_free_security,
    +	msg_queue_associate:		selinux_msg_queue_associate,
    +	msg_queue_msgctl:		selinux_msg_queue_msgctl,
    +	msg_queue_msgsnd:		selinux_msg_queue_msgsnd,
    +	msg_queue_msgrcv:		selinux_msg_queue_msgrcv,
    +	
    +	shm_alloc_security:		selinux_shm_alloc_security,
    +	shm_free_security:		selinux_shm_free_security,
    +	shm_associate:			selinux_shm_associate,
    +	shm_shmctl:			selinux_shm_shmctl,
    +	shm_shmat:			selinux_shm_shmat,
    +	
    +	sem_alloc_security: 		selinux_sem_alloc_security,
    +	sem_free_security:  		selinux_sem_free_security,
    +	sem_associate:			selinux_sem_associate,
    +	sem_semctl:			selinux_sem_semctl,
    +	sem_semop:			selinux_sem_semop,
    +	
    +	register_security:		&selinux_register_security,
    +	unregister_security:		&selinux_unregister_security,
    +
    +	d_instantiate:                  selinux_d_instantiate,
    +
    +#ifdef CONFIG_SECURITY_NETWORK
    +        unix_stream_connect:		selinux_socket_unix_stream_connect,
    +	unix_may_send:			selinux_socket_unix_may_send,
    +
     	socket_create:			selinux_socket_create,
     	socket_post_create:		selinux_socket_post_create,
     	socket_bind:			selinux_socket_bind,
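Review bot: The moved `unix_stream_connect:` line keeps its original leading spaces while every neighbouring initializer line in this hunk is tab-indented; since the line is being relocated anyway, normalise it to a tab. Also note that the `#ifdef CONFIG_SECURITY_NETWORK` opened inside the initializer here is closed only in the following hunk, so a comment on the `#ifdef` such as `/* optional socket/network hooks; closed before the end of selinux_ops */` would help anyone reading the struct in isolation.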
    @@ -4155,35 +4160,8 @@
     	ip_decode_options:		selinux_ip_decode_options,
     	
     	netdev_unregister:		selinux_netdev_unregister,
    -	
    -	ipc_permission:			selinux_ipc_permission,
    -	
    -	msg_msg_alloc_security:		selinux_msg_msg_alloc_security,
    -	msg_msg_free_security:		selinux_msg_msg_free_security,
    -	
    -	msg_queue_alloc_security:	selinux_msg_queue_alloc_security,
    -	msg_queue_free_security:	selinux_msg_queue_free_security,
    -	msg_queue_associate:		selinux_msg_queue_associate,
    -	msg_queue_msgctl:		selinux_msg_queue_msgctl,
    -	msg_queue_msgsnd:		selinux_msg_queue_msgsnd,
    -	msg_queue_msgrcv:		selinux_msg_queue_msgrcv,
    -	
    -	shm_alloc_security:		selinux_shm_alloc_security,
    -	shm_free_security:		selinux_shm_free_security,
    -	shm_associate:			selinux_shm_associate,
    -	shm_shmctl:			selinux_shm_shmctl,
    -	shm_shmat:			selinux_shm_shmat,
    -	
    -	sem_alloc_security: 		selinux_sem_alloc_security,
    -	sem_free_security:  		selinux_sem_free_security,
    -	sem_associate:			selinux_sem_associate,
    -	sem_semctl:			selinux_sem_semctl,
    -	sem_semop:			selinux_sem_semop,
    -	
    -	register_security:		&selinux_register_security,
    -	unregister_security:		&selinux_unregister_security,
     
    -	d_instantiate:                  selinux_d_instantiate,
    +#endif
     };
     
     extern long sys_security_selinux(struct pt_regs regs);
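Review bot: `ip_decode_options:` now falls inside the `#ifdef CONFIG_SECURITY_NETWORK` region of `selinux_ops` (opened at the `unix_stream_connect` line and closed by the `#endif` added here), whereas `netlink_send`/`netlink_recv` were deliberately left unconditional further up; if `ip_decode_options` is likewise meant to stay available for capability-style checks when the option is off, it should be moved above the `#ifdef` together with whatever its definition needs. With the option off, SELinux simply registers no hook there, and whether the default that fills unset hooks performs an equivalent check cannot be seen from this file. Independently, the new `#endif` should be written `#endif /* CONFIG_SECURITY_NETWORK */` since it closes a block that spans a whole hunk boundary.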
    @@ -4250,7 +4228,7 @@
     __initcall(selinux_init);
     #endif
     
    -#ifdef CONFIG_NETFILTER
    +#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
     
     #define NF_IP_PRI_SELINUX_FIRST	(NF_IP_PRI_CONNTRACK + 5)
     #define NF_IP_PRI_SELINUX_LAST	-NF_IP_PRI_SELINUX_FIRST
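Review bot: Making this block depend on `defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)` also makes `NF_IP_PRI_SELINUX_FIRST`/`NF_IP_PRI_SELINUX_LAST` and whatever hook definitions follow conditional on both symbols, so every place that registers or unregisters those netfilter hooks must be guarded by the same two-symbol condition or a NETFILTER-only build with the network option off will reference undefined names; those call sites are outside this hunk and should be checked. Close the region with a matching `#endif /* CONFIG_SECURITY_NETWORK && CONFIG_NETFILTER */` so the compound condition is visible at both ends.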
    