[PATCH] LSM networking: netlink hooks for 2.5.59 (6/8)

From: James Morris (jmorrisat_private)
Date: Thu Jan 30 2003 - 15:10:41 PST


     include/linux/security.h      |   39 +++++++++++++++++++++++++++++++++++++++
     net/core/rtnetlink.c          |    3 ++-
     net/ipv4/netfilter/ip_queue.c |    3 ++-
     net/netlink/af_netlink.c      |    8 +++++++-
     security/capability.c         |   17 +++++++++++++++++
     security/dummy.c              |   18 ++++++++++++++++++
     6 files changed, 85 insertions(+), 3 deletions(-)
    
    diff -urN -X dontdiff linux-2.5.59.w0/include/linux/security.h linux-2.5.59.w1/include/linux/security.h
    --- linux-2.5.59.w0/include/linux/security.h	Thu Jan 30 21:36:34 2003
    +++ linux-2.5.59.w1/include/linux/security.h	Thu Jan 30 21:36:14 2003
    @@ -39,6 +39,8 @@
      */
     extern int cap_capable (struct task_struct *tsk, int cap);
     struct sk_buff;
    +extern int cap_netlink_send (struct sk_buff *skb);
    +extern int cap_netlink_recv (struct sk_buff *skb);
     extern int cap_ip_decode_options (struct sk_buff *skb, const char *optptr,
     				  unsigned char **pp_ptr);
     extern int cap_ptrace (struct task_struct *parent, struct task_struct *child);
    @@ -1002,6 +1004,20 @@
      *	@cap contains the capability <include/linux/capability.h>.
      *	Return 0 if the capability is granted for @tsk.
      *
    + * @netlink_send:
    + *	Save security information for a netlink message so that permission
    + *	checking can be performed when the message is processed.  The security
    + *	information can either be saved using the existing eff_cap field of the
    + *	netlink_skb_parms structure or it can be saved using the skbuff
    + *	lsm_security field.
    + *	@skb contains the sk_buff structure for the netlink message.
    + *	Return 0 if the information was successfully saved.
    + * @netlink_recv:
    + *	Check permission before processing the received netlink message in
    + *	@skb.
    + *	@skb contains the sk_buff structure for the netlink message.
    + *	Return 0 if permission is granted.
    + *
      * @register_security:
      * 	allow module stacking.
      * 	@name contains the name of the security module being stacked.
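Review bot: The @netlink_send text presents eff_cap and lsm_security as interchangeable, but they are not with respect to the default recv path: a module that records its decision in lsm_security and leaves netlink_recv unset gets dummy_netlink_recv(), which tests eff_cap, so every privileged message would then be refused. I would add after the lsm_security sentence: ` *	A module that does not use eff_cap must implement both hooks,` / ` *	since the default netlink_recv checks eff_cap.` It would also help to state whether the hook sees the message payload; as called from netlink_sendmsg() in this series it runs before the payload is copied into @skb, so presumably only the socket and caller credentials are available to it.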
    @@ -1031,6 +1047,9 @@
     	int (*quotactl) (int cmds, int type, int id, struct super_block * sb);
     	int (*quota_on) (struct file * f);
     
    +	int (*netlink_send) (struct sk_buff * skb);
    +	int (*netlink_recv) (struct sk_buff * skb);
    +
     	int (*ip_decode_options) (struct sk_buff * skb,
     				  const char *optptr, unsigned char **pp_ptr);
     
    @@ -1275,6 +1294,16 @@
     	return security_ops->quota_on (file);
     }
     
    +static inline int security_netlink_send(struct sk_buff * skb)
    +{
    +	return security_ops->netlink_send(skb);
    +}
    +
    +static inline int security_netlink_recv(struct sk_buff * skb)
    +{
    +	return security_ops->netlink_recv(skb);
    +}
    +
     static inline int security_ip_decode_options(struct sk_buff * skb, 
     					     const char *optptr, 
     					     unsigned char **pp_ptr)
    @@ -1887,6 +1916,16 @@
     	return 0;
     }
     
    +static inline int security_netlink_send(struct sk_buff * skb)
    +{
    +	return cap_netlink_send(skb);
    +}
    +
    +static inline int security_netlink_recv(struct sk_buff * skb)
    +{
    +	return cap_netlink_recv(skb);
    +}
    +
     static inline int security_ip_decode_options(struct sk_buff * skb, 
     					     const char *optptr, 
     					     unsigned char **pp_ptr)
    diff -urN -X dontdiff linux-2.5.59.w0/net/core/rtnetlink.c linux-2.5.59.w1/net/core/rtnetlink.c
    --- linux-2.5.59.w0/net/core/rtnetlink.c	Fri Jan 17 19:46:08 2003
    +++ linux-2.5.59.w1/net/core/rtnetlink.c	Thu Jan 30 21:36:14 2003
    @@ -34,6 +34,7 @@
     #include <linux/capability.h>
     #include <linux/skbuff.h>
     #include <linux/init.h>
    +#include <linux/security.h>
     
     #include <asm/uaccess.h>
     #include <asm/system.h>
    @@ -363,7 +364,7 @@
     	sz_idx = type>>2;
     	kind = type&3;
     
    -	if (kind != 2 && !cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN)) {
    +	if (kind != 2 && security_netlink_recv(skb)) {
     		*errp = -EPERM;
     		return -1;
     	}
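Review bot: The new condition discards the value security_netlink_recv() returns and reports a fixed `*errp = -EPERM;`, so a module cannot surface a different errno, and the contract in security.h ("Return 0 if permission is granted") leaves it ambiguous whether non-zero means -errno. If hook results are -errno values, this would be `if (kind != 2 && (err = security_netlink_recv(skb)) != 0) { *errp = err; return -1; }`, assuming an `int err` local exists in rtnetlink_rcv_msg (its declaration is outside the hunk); otherwise the hook documentation should say that any non-zero result is mapped to EPERM. The enclosing function starts and ends outside the hunk.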
    diff -urN -X dontdiff linux-2.5.59.w0/net/ipv4/netfilter/ip_queue.c linux-2.5.59.w1/net/ipv4/netfilter/ip_queue.c
    --- linux-2.5.59.w0/net/ipv4/netfilter/ip_queue.c	Sun Aug 11 12:20:40 2002
    +++ linux-2.5.59.w1/net/ipv4/netfilter/ip_queue.c	Thu Jan 30 21:36:14 2003
    @@ -26,6 +26,7 @@
     #include <linux/brlock.h>
     #include <linux/sysctl.h>
     #include <linux/proc_fs.h>
    +#include <linux/security.h>
     #include <net/sock.h>
     #include <net/route.h>
     
    @@ -496,7 +497,7 @@
     	if (type <= IPQM_BASE)
     		return;
     		
    -	if(!cap_raised(NETLINK_CB(skb).eff_cap, CAP_NET_ADMIN))
    +	if (security_netlink_recv(skb))
     		RCV_SKB_FAIL(-EPERM);
     	
     	write_lock_bh(&queue_lock);
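Review bot: As in rtnetlink.c, `RCV_SKB_FAIL(-EPERM)` ignores the value returned by security_netlink_recv() and always reports EPERM. If the hook is meant to return -errno, I would write `int err = security_netlink_recv(skb);` at the top of the function and `if (err) RCV_SKB_FAIL(err);` here; if not, the security.h comment should state that callers map any non-zero result to EPERM so module authors do not expect otherwise. The enclosing receive function begins outside the hunk.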
    diff -urN -X dontdiff linux-2.5.59.w0/net/netlink/af_netlink.c linux-2.5.59.w1/net/netlink/af_netlink.c
    --- linux-2.5.59.w0/net/netlink/af_netlink.c	Tue Dec 10 15:02:03 2002
    +++ linux-2.5.59.w1/net/netlink/af_netlink.c	Thu Jan 30 21:36:14 2003
    @@ -42,6 +42,7 @@
     #include <linux/proc_fs.h>
     #include <linux/smp_lock.h>
     #include <linux/notifier.h>
    +#include <linux/security.h>
     #include <net/sock.h>
     #include <net/scm.h>
     
    @@ -636,7 +637,12 @@
     	   check them, when this message will be delivered
     	   to corresponding kernel module.   --ANK (980802)
     	 */
    -	NETLINK_CB(skb).eff_cap = current->cap_effective;
    +
    +	err = security_netlink_send(skb);
    +	if (err) {
    +		kfree_skb(skb);
    +		goto out;
    +	}
     
     	err = -EFAULT;
     	if (memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len)) {
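Review bot: security_netlink_send() is invoked before `memcpy_fromiovec(skb_put(skb,len), msg->msg_iov, len)` copies the payload, so the hook sees an skb with no message data and cannot base anything on the nlmsg header; if per-message-type decisions at send time are intended the call should move below the copy and its -EFAULT check, and if not, the hook documentation should say the hook sees only socket and caller context. Note also that the unconditional `NETLINK_CB(skb).eff_cap = current->cap_effective;` is gone, so eff_cap now holds only what the installed netlink_send hook writes; a module that returns 0 without touching it leaves the field at its allocation value, which I believe alloc_skb() zeroes (fail-closed) but that is not visible here. The enclosing netlink_sendmsg() and the `out:` label lie outside the hunk.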
    diff -urN -X dontdiff linux-2.5.59.w0/security/capability.c linux-2.5.59.w1/security/capability.c
    --- linux-2.5.59.w0/security/capability.c	Thu Jan 30 21:36:34 2003
    +++ linux-2.5.59.w1/security/capability.c	Thu Jan 30 21:36:14 2003
    @@ -28,6 +28,19 @@
     		return -EPERM;
     }
     
    +int cap_netlink_send (struct sk_buff *skb)
    +{
    +	NETLINK_CB (skb).eff_cap = current->cap_effective;
    +	return 0;
    +}
    +
    +int cap_netlink_recv (struct sk_buff *skb)
    +{
    +	if (!cap_raised (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN))
    +		return -EPERM;
    +	return 0;
    +}
    +
     int cap_ptrace (struct task_struct *parent, struct task_struct *child)
     {
     	/* Derived from arch/i386/kernel/ptrace.c:sys_ptrace. */
    @@ -286,6 +299,8 @@
     EXPORT_SYMBOL(cap_task_post_setuid);
     EXPORT_SYMBOL(cap_task_kmod_set_label);
     EXPORT_SYMBOL(cap_task_reparent_to_init);
    +EXPORT_SYMBOL(cap_netlink_send);
    +EXPORT_SYMBOL(cap_netlink_recv);
     EXPORT_SYMBOL(cap_ip_decode_options);
     
     #ifdef CONFIG_SECURITY
    @@ -297,6 +312,8 @@
     	.capset_check =			cap_capset_check,
     	.capset_set =			cap_capset_set,
     	.capable =			cap_capable,
    +	.netlink_send =			cap_netlink_send,
    +	.netlink_recv =			cap_netlink_recv,
     
     	.bprm_compute_creds =		cap_bprm_compute_creds,
     	.bprm_set_security =		cap_bprm_set_security,
    diff -urN -X dontdiff linux-2.5.59.w0/security/dummy.c linux-2.5.59.w1/security/dummy.c
    --- linux-2.5.59.w0/security/dummy.c	Thu Jan 30 21:36:34 2003
    +++ linux-2.5.59.w1/security/dummy.c	Thu Jan 30 21:36:14 2003
    @@ -85,6 +85,22 @@
     	return 0;
     }
     
    +static int dummy_netlink_send (struct sk_buff *skb)
    +{
    +	if (current->euid == 0)
    +		cap_raise (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN);
    +	else
    +		NETLINK_CB (skb).eff_cap = 0;
    +	return 0;
    +}
    +
    +static int dummy_netlink_recv (struct sk_buff *skb)
    +{
    +	if (!cap_raised (NETLINK_CB (skb).eff_cap, CAP_NET_ADMIN))
    +		return -EPERM;
    +	return 0;
    +}
    +
     static int dummy_bprm_alloc_security (struct linux_binprm *bprm)
     {
     	return 0;
    @@ -890,6 +906,8 @@
     	set_to_dummy_if_null(ops, sem_semop);
     	set_to_dummy_if_null(ops, register_security);
     	set_to_dummy_if_null(ops, unregister_security);
    +	set_to_dummy_if_null(ops, netlink_send);
    +	set_to_dummy_if_null(ops, netlink_recv);	
     	set_to_dummy_if_null(ops, ip_decode_options);
     #ifdef CONFIG_SECURITY_NETWORK
     	set_to_dummy_if_null(ops, socket_create);
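Review bot: `set_to_dummy_if_null(ops, netlink_recv);` carries a trailing tab that should be dropped. Registering these two hooks before ip_decode_options and outside the CONFIG_SECURITY_NETWORK block matches the member order added to struct security_operations in security.h, so the grouping itself is consistent.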
    
    
    


