Re: [PATCH] BSD Secure Levels LSM

From: Chris Wright (chrisw@private)
Date: Mon Nov 24 2003 - 15:04:36 PST


    * Michael A. Halcrow (mahalcro@private) wrote:
    > Attached are patches against the 2.6.0-test kernel to implement BSD
    > Secure Levels as an LSM.  seclvl-hooks.diff contains requisite hooks
    
    Thanks very much for splitting the patch like that.
    
    > to implement some of the Secure Levels policies.  Note that a settime
    > hook currently exists in the LSM BK tree.  It is not, however, in the
    
    Yes, it's in the LSM BK tree, and it's done slightly differently.  The
    warp_clock() bit is not done until after it's passed the hook in the BK
    tree.
    
    Some simple notes on the hooks:
    
    > diff -Pru linux-2.6.0-test7/include/linux/security.h linux-2.6.0-test7-hooks/include/linux/security.h
    > --- linux-2.6.0-test7/include/linux/security.h	2003-10-08 14:24:26.000000000 -0500
    > +++ linux-2.6.0-test7-hooks/include/linux/security.h	2003-10-20 11:47:53.000000000 -0500
    > @@ -91,6 +91,24 @@
    >   *
    >   * Security hooks for program execution operations.
    >   *
    > + *
    > + * @settime:
    > + *	Check permission to reset the system time.
    > + *	@tv contains the new time
    > + *	Return 0 if permission is granted
    > + *
    > + * @module_load:
    > + *	Check permission for the current process to load the kernel
    > + * 	module @mod.
    > + *	@mod is the module whose deletion has been requested.  Is
    > + *	only the @mod->name trustworthy?
    > + *	Return 0 if permission is granted.
    > + * @module_delete:
    > + *	Check permission for the current process to unload the kernel
    > + * 	module @mod.
    > + *	@mod is the module whose deletion has been requested.
    > + *	Return 0 if permission is granted.
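    Review bot: in the @module_load comment, @mod is described as "the module whose deletion has been requested", which looks copied from the @module_delete entry; it should describe the module whose loading has been requested. The open question "Is only the @mod->name trustworthy?" should be resolved and replaced with a statement of which fields of @mod a hook implementation may rely on, since a policy module that trusts more of the structure than is valid at hook time would make its decision on bad data. Minor style points: there is no blank " *" separator between the @module_load and @module_delete entries as there is after @settime, the first added line leaves two consecutive empty " *" lines, and the @settime entry lacks the trailing periods used in the other two.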
    
    The reason all three of these hooks were rejected is because they are
    too redundant with the existing capability check.  In these cases, the
    right thing to do is to collapse the capability check into the hook.  So
    this means, the security_module_delete() hook implementation in the
    capability code would be a simple cap_capable(current, CAP_SYS_MODULE)
    or smth. like that.
    
    thanks,
    -chris
    -- 
    Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
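The design suggested in the reply above (make the capability module's hook be the capability check, so the call site makes a single hook call), as an added userspace model that is not part of the original message or of the LSM code. Only cap_capable and CAP_SYS_MODULE are taken from the message; struct task, struct security_ops, unload_module, seclvl_module_delete and its deny-above-level-0 rule are hypothetical stand-ins.

```c
/* Userspace model of "collapse the capability check into the hook".
 * Hypothetical stand-ins, not kernel code; see the lead-in for the list. */
#include <errno.h>

#define CAP_SYS_MODULE 16            /* value from linux/capability.h */

struct task   { unsigned long cap_effective; };
struct module { const char *name; };
struct security_ops {
    int (*module_delete)(const struct task *, const struct module *);
};

/* Same convention as the kernel helper: 0 if the capability is raised. */
static int cap_capable(const struct task *t, int cap)
{
    return (t->cap_effective & (1UL << cap)) ? 0 : -EPERM;
}

/* Default capability module: the hook is the capability check itself. */
static int cap_module_delete(const struct task *t, const struct module *m)
{
    (void)m;
    return cap_capable(t, CAP_SYS_MODULE);
}

/* A policy module keeps the capability check, then adds its own rule
 * (assumed here: deny unload whenever the modelled level is above 0). */
static int seclvl;
static int seclvl_module_delete(const struct task *t, const struct module *m)
{
    int rc = cap_module_delete(t, m);
    return rc ? rc : (seclvl > 0 ? -EPERM : 0);
}

/* Call site: one hook call, no separate capable() test beside it. */
static int unload_module(const struct security_ops *ops, unsigned long caps)
{
    struct task t = { caps };
    struct module m = { "dummy" };   /* constructed sample module */
    return ops->module_delete(&t, &m);
}

static const struct security_ops cap_ops    = { cap_module_delete };
static const struct security_ops seclvl_ops = { seclvl_module_delete };

int main(void)
{
    seclvl = 1;  /* capable caller: allowed by cap_ops, denied by seclvl_ops */
    return unload_module(&cap_ops, 1UL << CAP_SYS_MODULE) == 0 &&
           unload_module(&seclvl_ops, 1UL << CAP_SYS_MODULE) == -EPERM ? 0 : 1;
}
```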
    


