Hi,

Attached are two alternative patches, both intended to improve upon the current settime hook. (Note, these are competing patches, not based upon each other (yet).)

The first (settime.patch) simply catches stime(2), both in kernel/time.c and in irix_stime(). It also removes redundant capable(CAP_SYS_TIME) checks, and implements dummy_settime and cap_settime as calls to capable(CAP_SYS_TIME). The CAP_SYS_TIME capability is still checked for setting the real time clock, and doing clock speedup/slowdown for ntpd.

The second patch (settime.long.patch) moves the settime hook up into arch-specific code. The reason is that do_settimeofday is exported from there, and so kernel modules could directly call this function, bypassing both the current capable(CAP_SYS_TIME), and the lsm security_settime calls. Moving into arch directories seems rather drastic, so I was hoping to get some opinions on this. If it is decided this is the way to go, then we can presumably still get rid of the redundant capable(CAP_SYS_TIME) calls (not yet done in this patch).

It would be nice to get this into a state where we can push settime into the kernel proper, so feedback is very much appreciated.

thanks,
-serge

Serge Hallyn
LTC Security Development
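
The hook-placement question raised in the message above, as an added userspace model that is not part of the original message or of either attached patch: it contrasts a check that lives only in the syscall path with a check inside the exported helper. All names (model_settime_hook, helper_a, helper_b and so on) are hypothetical stand-ins, and the boolean caller_has_cap is an assumed simplification of capable(CAP_SYS_TIME).

```c
/* Userspace model, constructed for illustration; not kernel code. */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

static long model_clock;     /* stands in for the system time */
static bool caller_has_cap;  /* stands in for capable(CAP_SYS_TIME) */
/* Hypothetical stand-in for a settime hook that is a capability check. */
static int model_settime_hook(void) { return caller_has_cap ? 0 : -EPERM; }

/* Layout A: the check sits in the syscall path, the exported helper has none. */
static int helper_a(long t) { model_clock = t; return 0; }
static int syscall_a(long t)
{
    int err = model_settime_hook();
    return err ? err : helper_a(t);
}

/* Layout B: the check sits inside the exported helper itself. */
static int helper_b(long t)
{
    int err = model_settime_hook();
    if (!err) model_clock = t;
    return err;
}
static int syscall_b(long t) { return helper_b(t); }

/* Returns 1 if the clock changed when entering through the syscall path. */
int syscall_changes_clock(char layout, bool cap)
{
    model_clock = 100;
    caller_has_cap = cap;
    (void)(layout == 'A' ? syscall_a(999) : syscall_b(999));
    return model_clock == 999;
}

/* Returns 1 if a caller without the capability changes the clock via the helper. */
int direct_call_changes_clock(char layout)
{
    model_clock = 100;
    caller_has_cap = false;
    (void)(layout == 'A' ? helper_a(999) : helper_b(999));
    return model_clock == 999;
}

int main(void)
{
    printf("A=%d B=%d\n", direct_call_changes_clock('A'), direct_call_changes_clock('B'));
    return 0;
}
```
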
This archive was generated by hypermail 2b30 : Tue Dec 02 2003 - 15:27:04 PST