Re: [patch] CONFIG_SECURITY_NETWORK

From: Chris Wright (chrisat_private)
Date: Mon Jan 27 2003 - 15:30:35 PST

    * Stephen D. Smalley (sdsat_private) wrote:
    > 
    > The attached patch for lsm-2.5 adds a CONFIG_SECURITY_NETWORK option
    > for the socket and networking security fields and hooks.  At present,
    > it excludes the netlink hooks and the ip_decode_options hooks since
    > the capabilities module uses those hooks to implement capability tests
    > migrated from the base kernel.  It rearranges the security_ops structure
    > to move the optional socket and networking hooks to the end of the structure.
    > 
    > The patch moves the 'security = NULL' initializations for the sock and
    > open request structures into the corresponding alloc_security hooks
    > since those initializations are colocated with the allocation.  In the
    > sk_buff case, the patch simply #ifdef's the initialization, since other
    > similar #ifdef'd initializations exist in skb_headerinit.  If desired,
    > we could define a static inline function for that purpose, but it
    > didn't seem to be necessary.
    
    agreed.
    
    > The patch updates SELinux appropriately so that its socket and
    > networking functionality (including the NetFilter-based hooks) is
    > omitted if the option is not enabled.  The patch simply removes the
    > socket and networking hooks from DTE since it is not really using them
    > anyway.
    > 
    > Comments?
    
    First pass this looks fine to me.  I've compiled both with and w/out
    CONFIG_SECURITY_NETWORK, although I haven't booted the kernels.
    
    [chris@vas lsm-2.5]$ grep CONFIG_SECURITY_NETWORK .config
    # CONFIG_SECURITY_NETWORK is not set
    [chris@vas lsm-2.5]$ size security/security.o security/dummy.o security/capability.o net/core/built-in.o net/ipv4/built-in.o vmlinux 
       text    data     bss     dec     hex filename
       1662       0       4    1666     682 security/security.o
       4906       0     480    5386    150a security/dummy.o
       2537     960       4    3501     dad security/capability.o
      71918    4052    3840   79810   137c2 net/core/built-in.o
    289033   10772   21156  320961   4e5c1 net/ipv4/built-in.o
    3087730  602396  216544 3906670  3b9c6e vmlinux
    
    [chris@vas lsm-2.5]$ grep CONFIG_SECURITY_NETWORK .config
    CONFIG_SECURITY_NETWORK=y
    [chris@vas lsm-2.5]$ size security/security.o security/dummy.o security/capability.o net/core/built-in.o net/ipv4/built-in.o vmlinux 
       text    data     bss     dec     hex filename
       1662       0       4    1666     682 security/security.o
       6234       0     640    6874    1ada security/dummy.o
       2537    1120       4    3661     e4d security/capability.o
      72222    4052    3840   80114   138f2 net/core/built-in.o
     289657   10772   21156  321585   4e831 net/ipv4/built-in.o
    3097170  604244  216672 3918086  3bc906 vmlinux
    
    
    > --- lsm-2.5/security/Kconfig	27 Dec 2002 13:45:00 -0000	1.6
    > +++ lsm-2.5/security/Kconfig	27 Jan 2003 15:37:29 -0000
    > @@ -15,6 +15,15 @@
    >  
    >  	  If you are unsure how to answer this question, answer N.
    >  
    > +config SECURITY_NETWORK
    > +	bool "Socket and Networking Security Hooks"
    > +	depends on SECURITY!=n
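    Review bot: the header `@@ -15,6 +15,15 @@` announces nine added lines, but only three (`config SECURITY_NETWORK`, the `bool` prompt and `depends on SECURITY!=n`) are quoted here, so the option's help text and any `default` line cannot be reviewed from this excerpt. Of the visible lines, `depends on SECURITY!=n` spells the dependency as a negated comparison; the plain form `depends on SECURITY` expresses the same requirement and matches the other entries in security/Kconfig.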
    
    this isn't necessary.  "depends on SECURITY" is sufficient.
    
    > --- lsm-2.5/security/dummy.c	24 Jan 2003 20:32:49 -0000	1.35
    > +++ lsm-2.5/security/dummy.c	27 Jan 2003 16:32:48 -0000
    > @@ -20,6 +20,8 @@
    >  #include <linux/security.h>
    >  #include <linux/skbuff.h>
    >  #include <linux/netlink.h>
    > +#include <net/sock.h>
    > +#include <net/tcp.h>
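    Review bot: `#include <net/sock.h>` and `#include <net/tcp.h>` are added unconditionally, while the patch description makes the socket and networking hooks optional under CONFIG_SECURITY_NETWORK (and the size output shows dummy.o shrinking when the option is off). If the only users of these headers in dummy.c are the `sk->security` and `req->security` assignments in the networking hooks, wrapping the two includes in the same `#ifdef CONFIG_SECURITY_NETWORK` as those hooks, or moving the assignments out of the module altogether, would keep a CONFIG_SECURITY_NETWORK=n build of dummy.c free of the networking headers.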
    
    hrm ok, this comes from the need to set security = NULL on both sock and
    openreq during allocation/initialization.
    
    >  static int dummy_socket_sock_alloc_security(struct sock *sk, int gfp_mask)
    >  {
    > +	sk->security = NULL;
    >  	return 0;
    >  }
    >  
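    Review bot: with `sk->security = NULL` now living only inside `dummy_socket_sock_alloc_security`, the defined initial state of the field depends on whichever module's hook is registered rather than on the framework: a module whose sock_alloc_security hook neither assigns the field nor installs its own blob leaves `sk->security` holding whatever the allocator left there. Either document in the hook's description that the hook is responsible for initializing the field, or perform the assignment in the caller before the hook is invoked, so that the contract does not rest on each module remembering it.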
    > @@ -793,6 +798,7 @@
    >  
    >  static int dummy_open_request_alloc_security(struct open_request * req)
    >  {
    > +	req->security = NULL;
    >  	return 0;
    >  }
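    Review bot: `req->security = NULL` in `dummy_open_request_alloc_security` is the same framework-level initialization as in the sock hook, placed inside a module; since dummy.c is the skeleton other modules are written from, an author who replaces this body with real allocation logic can drop the assignment without noticing, and nothing else restores it. Doing the NULL assignment in the static inline wrapper in security.h that calls this hook keeps the invariant independent of which module is loaded and lets the dummy hook go back to a bare `return 0;`.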
    
    this does embed some framework functionality in the dummy module.  any
    reason not to put it in the static inline in security.h before the call
    to the module?
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
    _______________________________________________
    linux-security-module mailing list
    linux-security-moduleat_private
    http://mail.wirex.com/mailman/listinfo/linux-security-module
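    As an added illustration of the placement question raised in this reply (initialize `security = NULL` in the dummy module's hook, or in the static inline wrapper in security.h before the module is called), here is a small user-space C mock. It is not code from the LSM patch or from the lsm-2.5 tree; every name in it (`mock_sock`, `mock_security_ops`, the three hook functions and the wrappers) is hypothetical, and the garbage-filled allocator stands in for a kernel allocator that does not zero memory.

```c
/* Added example, not part of the LSM patch or the lsm-2.5 tree.
 * Mock of the two placements for the `security = NULL` initialization:
 * inside the registered module's hook, or in the framework wrapper that
 * calls the hook. All struct and function names here are hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct mock_sock {
    int family;
    void *security;   /* per-object blob owned by the loaded security module */
};

/* Mock of the security_ops table, reduced to the one hook under discussion. */
struct mock_security_ops {
    int (*sock_alloc_security)(struct mock_sock *sk, int gfp_mask);
};

/* Module A: mirrors the patch's dummy hook, which does the NULL init itself. */
static int dummy_sock_alloc_security(struct mock_sock *sk, int gfp_mask)
{
    (void)gfp_mask;
    sk->security = NULL;
    return 0;
}

/* Module B: a module that installs its own blob (free()d by the caller below). */
static int blob_sock_alloc_security(struct mock_sock *sk, int gfp_mask)
{
    (void)gfp_mask;
    sk->security = malloc(16);
    return sk->security ? 0 : -1;   /* the kernel would return -ENOMEM */
}

/* Module C: a hypothetical module whose author forgot the initialization. */
static int forgetful_sock_alloc_security(struct mock_sock *sk, int gfp_mask)
{
    (void)sk;
    (void)gfp_mask;
    return 0;
}

static struct mock_security_ops dummy_ops     = { dummy_sock_alloc_security };
static struct mock_security_ops blob_ops      = { blob_sock_alloc_security };
static struct mock_security_ops forgetful_ops = { forgetful_sock_alloc_security };

static struct mock_security_ops *security_ops;

/* Placement 1: the wrapper only forwards to the module; the field's initial
 * state is whatever the module chooses to do (as in the patch's dummy.c). */
static inline int security_sock_alloc_module_only(struct mock_sock *sk, int gfp_mask)
{
    return security_ops->sock_alloc_security(sk, gfp_mask);
}

/* Placement 2: the framework wrapper sets the field before calling the module,
 * as suggested in the reply, so the invariant holds for every module. */
static inline int security_sock_alloc_framework(struct mock_sock *sk, int gfp_mask)
{
    sk->security = NULL;
    return security_ops->sock_alloc_security(sk, gfp_mask);
}

/* Stand-in for an allocator that returns uninitialized memory: fill the
 * object with a recognisable pattern so leftover garbage can be detected. */
static void garbage_alloc(struct mock_sock *sk)
{
    memset(sk, 0xA5, sizeof(*sk));
    sk->family = 2;
}

enum sec_state { SEC_GARBAGE = 0, SEC_NULL = 1, SEC_MODULE_BLOB = 2, SEC_ALLOC_FAILED = 3 };

/* Allocate one mock sock through the chosen wrapper with the given module
 * registered, and report what the `security` field contains afterwards. */
static enum sec_state alloc_and_classify(struct mock_security_ops *ops, int framework_init)
{
    struct mock_sock sk;
    unsigned char garbage[sizeof(void *)];
    enum sec_state st;

    memset(garbage, 0xA5, sizeof(garbage));
    security_ops = ops;
    garbage_alloc(&sk);
    if ((framework_init ? security_sock_alloc_framework(&sk, 0)
                        : security_sock_alloc_module_only(&sk, 0)) != 0)
        return SEC_ALLOC_FAILED;

    if (memcmp(&sk.security, garbage, sizeof(garbage)) == 0)
        st = SEC_GARBAGE;            /* allocator residue survived the hook */
    else if (sk.security == NULL)
        st = SEC_NULL;
    else {
        st = SEC_MODULE_BLOB;        /* module installed its own blob */
        free(sk.security);
    }
    return st;
}

int main(void)
{
    printf("forgetful module, module-only init: %d (0 = garbage)\n",
           alloc_and_classify(&forgetful_ops, 0));
    printf("forgetful module, framework init:   %d (1 = NULL)\n",
           alloc_and_classify(&forgetful_ops, 1));
    return 0;
}
```

    The interesting case is the forgetful module: with the initialization done only in the module's hook, a module that omits it leaves the field as allocator residue, whereas the framework-side assignment in the wrapper makes the field NULL no matter which module is loaded, and a module that installs its own blob is unaffected either way.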
    



    This archive was generated by hypermail 2b30 : Mon Jan 27 2003 - 15:32:23 PST