* Stephen D. Smalley (sdsat_private) wrote:
>
> The attached patch for lsm-2.5 adds a CONFIG_SECURITY_NETWORK option
> for the socket and networking security fields and hooks. At present,
> it excludes the netlink hooks and the ip_decode_options hooks since
> the capabilities module uses those hooks to implement capability tests
> migrated from the base kernel. It rearranges the security_ops structure
> to move the optional socket and networking hooks to the end of the structure.
>
> The patch moves the 'security = NULL' initializations for the sock and
> open request structures into the corresponding alloc_security hooks
> since those initializations are colocated with the allocation. In the
> sk_buff case, the patch simply #ifdef's the initialization, since other
> similar #ifdef'd initializations exist in skb_headerinit. If desired,
> we could define a static inline function for that purpose, but it
> didn't seem to be necessary.

agreed.

> The patch updates SELinux appropriately so that its socket and
> networking functionality (including the NetFilter-based hooks) is
> omitted if the option is not enabled. The patch simply removes the
> socket and networking hooks from DTE since it is not really using them
> anyway.
>
> Comments?

First pass this looks fine to me. I've compiled both with and w/out
CONFIG_SECURITY_NETWORK, although I haven't booted the kernels.
[chris@vas lsm-2.5]$ grep CONFIG_SECURITY_NETWORK .config
# CONFIG_SECURITY_NETWORK is not set
[chris@vas lsm-2.5]$ size security/security.o security/dummy.o security/capability.o net/core/built-in.o net/ipv4/built-in.o vmlinux
   text    data     bss     dec     hex filename
   1662       0       4    1666     682 security/security.o
   4906       0     480    5386    150a security/dummy.o
   2537     960       4    3501     dad security/capability.o
  71918    4052    3840   79810   137c2 net/core/built-in.o
 289033   10772   21156  320961   4e5c1 net/ipv4/built-in.o
3087730  602396  216544 3906670  3b9c6e vmlinux
[chris@vas lsm-2.5]$ grep CONFIG_SECURITY_NETWORK .config
CONFIG_SECURITY_NETWORK=y
[chris@vas lsm-2.5]$ size security/security.o security/dummy.o security/capability.o net/core/built-in.o net/ipv4/built-in.o vmlinux
   text    data     bss     dec     hex filename
   1662       0       4    1666     682 security/security.o
   6234       0     640    6874    1ada security/dummy.o
   2537    1120       4    3661     e4d security/capability.o
  72222    4052    3840   80114   138f2 net/core/built-in.o
 289657   10772   21156  321585   4e831 net/ipv4/built-in.o
3097170  604244  216672 3918086  3bc906 vmlinux

> --- lsm-2.5/security/Kconfig	27 Dec 2002 13:45:00 -0000	1.6
> +++ lsm-2.5/security/Kconfig	27 Jan 2003 15:37:29 -0000
> @@ -15,6 +15,15 @@
>
>  	  If you are unsure how to answer this question, answer N.
>
> +config SECURITY_NETWORK
> +	bool "Socket and Networking Security Hooks"
> +	depends on SECURITY!=n

this isn't necessary. "depends on SECURITY" is sufficient.

> --- lsm-2.5/security/dummy.c	24 Jan 2003 20:32:49 -0000	1.35
> +++ lsm-2.5/security/dummy.c	27 Jan 2003 16:32:48 -0000
> @@ -20,6 +20,8 @@
>  #include <linux/security.h>
>  #include <linux/skbuff.h>
>  #include <linux/netlink.h>
> +#include <net/sock.h>
> +#include <net/tcp.h>

hrm ok, this comes from the need to set security = NULL on both sock and
openreq during allocation/initialization.

>  static int dummy_socket_sock_alloc_security(struct sock *sk, int gfp_mask)
>  {
> +	sk->security = NULL;
>  	return 0;
>  }
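Review bot: in the Kconfig hunk the quoted portion stops at `depends on SECURITY!=n`, so the option's help text is not visible; it should state that enabling SECURITY_NETWORK changes the layout and size of the security_ops structure (the patch moves the optional hooks to its end, and the data segment of capability.o above grows from 960 to 1120 bytes when the hooks are compiled in), so every security module, including ones built outside the tree, must be built with the same setting as the kernel it is loaded into. Also, as already pointed out, `depends on SECURITY` is enough.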
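Review bot: in the dummy.c include hunk, `<net/sock.h>` and `<net/tcp.h>` are added unconditionally although the only code that needs them, the sock and open_request alloc_security hooks, is presumably compiled out when CONFIG_SECURITY_NETWORK is off (dummy.o text shrinks from 6234 to 4906 bytes above); putting the two includes under the same #ifdef keeps the non-networking build free of the net headers.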
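Review bot: in the `sk->security = NULL;` hunk (and equally the `req->security = NULL;` hunk that follows), the field is now cleared only if the registered module's hook does so, so a module whose alloc_security hook simply returns 0 leaves the field holding whatever the allocator handed back; clearing it in the security.h static inline before it calls `security_ops->socket_sock_alloc_security()` gives that guarantee for every module, which is the alternative raised below.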
>
> @@ -793,6 +798,7 @@
>
>  static int dummy_open_request_alloc_security(struct open_request * req)
>  {
> +	req->security = NULL;
>  	return 0;
>  }

this does embed some framework functionality in the dummy module. any
reason not to put it in the static inline in security.h before the call
to the module?

thanks,
-chris
--
Linux Security Modules
http://lsm.immunix.org
http://lsm.bkbits.net
_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module
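The alternative raised in this reply (clearing the field in the security.h inline rather than in each module's hook), as an added C illustration that is not code from the patch or from the kernel: the two structs are cut-down stand-ins for struct sock and struct security_operations, the ops pointer is passed as a parameter instead of the kernel's global security_ops, and the wrapper names and the "forgetful" module are hypothetical.

```c
#include <stddef.h>
/* Cut-down stand-ins for the kernel's struct sock and struct security_operations. */
struct sock {
	void *security;		/* LSM-private data; must start out NULL */
};
struct security_operations {
	int (*socket_sock_alloc_security)(struct sock *sk, int gfp_mask);
};
/* Hook as the patch writes it in dummy.c: the module clears the field itself. */
static int dummy_socket_sock_alloc_security(struct sock *sk, int gfp_mask)
{
	sk->security = NULL;
	return 0;
}

/* Hypothetical module whose hook never touches sk->security. */
static int forgetful_socket_sock_alloc_security(struct sock *sk, int gfp_mask)
{
	return 0;
}

struct security_operations dummy_ops = { dummy_socket_sock_alloc_security };
struct security_operations forgetful_ops = { forgetful_socket_sock_alloc_security };
/* Framework wrapper as the patch leaves it: initialisation is the module's job. */
static inline int security_sock_alloc_modinit(struct security_operations *ops,
					      struct sock *sk, int gfp_mask)
{
	return ops->socket_sock_alloc_security(sk, gfp_mask);
}

/* Framework wrapper as suggested in the reply: security.h clears the field first. */
static inline int security_sock_alloc_fwinit(struct security_operations *ops,
					     struct sock *sk, int gfp_mask)
{
	sk->security = NULL;
	return ops->socket_sock_alloc_security(sk, gfp_mask);
}

/* Constructed check: the sock arrives holding a stale pointer, as recycled
 * allocator memory might; returns 1 if security is NULL once the hook ran. */
int sock_security_starts_null(struct security_operations *ops, int fw_init)
{
	int stale;
	struct sock sk = { &stale };
	if (fw_init)
		security_sock_alloc_fwinit(ops, &sk, 0);
	else
		security_sock_alloc_modinit(ops, &sk, 0);
	return sk.security == NULL;
}
```

With the initialisation inside the wrapper, the forgetful module still ends up with a NULL field; with it inside the hook, only the module that remembers does.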
This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 15:32:23 PST