[PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace

• Previous message: Chris Wright: "[PATCH 1/2] Move XATTR_SECURITY_PREFIX macro to common location"
• In reply to: Chris Wright: "[PATCH 1/2] Move XATTR_SECURITY_PREFIX macro to common location"
• Next in thread: Andreas Gruenbacher: "Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace"
• Reply: Andreas Gruenbacher: "Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace"
• Reply: Theodore Ts'o: "Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Add default hooks for both the dummy and capability code to protect the
XATTR_SECURITY_PREFIX namespace.  These EAs were fully accessible to
unauthorized users, so a user that rebooted from an SELinux kernel to a
default kernel would leave those critical EAs unprotected.

 include/linux/security.h |    6 ++++--
 security/capability.c    |    3 +++
 security/commoncap.c     |   22 ++++++++++++++++++++++
 security/dummy.c         |    9 +++++++++
 4 files changed, 38 insertions(+), 2 deletions(-)

===== include/linux/security.h 1.26 vs edited =====
--- 1.26/include/linux/security.h	Thu Oct  2 00:12:10 2003
+++ edited/include/linux/security.h	Fri Jan 16 12:14:15 2004
@@ -46,6 +46,8 @@
 extern int cap_bprm_set_security (struct linux_binprm *bprm);
 extern void cap_bprm_compute_creds (struct linux_binprm *bprm);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
+extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags);
+extern int cap_inode_removexattr(struct dentry *dentry, char *name);
 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
 extern void cap_task_reparent_to_init (struct task_struct *p);
 extern int cap_syslog (int type);
@@ -2136,7 +2138,7 @@
 static inline int security_inode_setxattr (struct dentry *dentry, char *name,
 					   void *value, size_t size, int flags)
 {
-	return 0;
+	return cap_inode_setxattr(dentry, name, value, size, flags);
 }
 
 static inline void security_inode_post_setxattr (struct dentry *dentry, char *name,
@@ -2155,7 +2157,7 @@
 
 static inline int security_inode_removexattr (struct dentry *dentry, char *name)
 {
-	return 0;
+	return cap_inode_removexattr(dentry, name);
 }
 
 static inline int security_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size)
===== security/capability.c 1.21 vs edited =====
--- 1.21/security/capability.c	Fri Sep 12 08:47:26 2003
+++ edited/security/capability.c	Fri Jan 16 12:14:15 2004
@@ -39,6 +39,9 @@
 	.bprm_set_security =		cap_bprm_set_security,
 	.bprm_secureexec =		cap_bprm_secureexec,
 
+	.inode_setxattr =		cap_inode_setxattr,
+	.inode_removexattr =		cap_inode_removexattr,
+
 	.task_post_setuid =		cap_task_post_setuid,
 	.task_reparent_to_init =	cap_task_reparent_to_init,
 
===== security/commoncap.c 1.1 vs edited =====
--- 1.1/security/commoncap.c	Fri Sep 12 08:47:26 2003
+++ edited/security/commoncap.c	Fri Jan 16 12:14:15 2004
@@ -21,6 +21,7 @@
 #include <linux/skbuff.h>
 #include <linux/netlink.h>
 #include <linux/ptrace.h>
+#include <linux/xattr.h>
 
 int cap_capable (struct task_struct *tsk, int cap)
 {
@@ -171,6 +172,25 @@
 		current->egid != current->gid);
 }
 
+int cap_inode_setxattr(struct dentry *dentry, char *name, void *value,
+		       size_t size, int flags)
+{
+	if (!strncmp(name, XATTR_SECURITY_PREFIX, 
+		     sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+	return 0;
+}
+
+int cap_inode_removexattr(struct dentry *dentry, char *name)
+{
+	if (!strncmp(name, XATTR_SECURITY_PREFIX, 
+		     sizeof(XATTR_SECURITY_PREFIX) - 1)  &&
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+	return 0;
+}
+
 /* moved from kernel/sys.c. */
 /* 
  * cap_emulate_setxuid() fixes the effective / permitted capabilities of
@@ -344,6 +364,8 @@
 EXPORT_SYMBOL(cap_bprm_set_security);
 EXPORT_SYMBOL(cap_bprm_compute_creds);
 EXPORT_SYMBOL(cap_bprm_secureexec);
+EXPORT_SYMBOL(cap_inode_setxattr);
+EXPORT_SYMBOL(cap_inode_removexattr);
 EXPORT_SYMBOL(cap_task_post_setuid);
 EXPORT_SYMBOL(cap_task_reparent_to_init);
 EXPORT_SYMBOL(cap_syslog);
===== security/dummy.c 1.28 vs edited =====
--- 1.28/security/dummy.c	Thu Oct  2 00:12:10 2003
+++ edited/security/dummy.c	Fri Jan 16 12:29:24 2004
@@ -24,6 +24,7 @@
 #include <linux/skbuff.h>
 #include <linux/netlink.h>
 #include <net/sock.h>
+#include <linux/xattr.h>
 
 static int dummy_ptrace (struct task_struct *parent, struct task_struct *child)
 {
@@ -387,6 +388,10 @@
 static int dummy_inode_setxattr (struct dentry *dentry, char *name, void *value,
 				size_t size, int flags)
 {
+	if (!strncmp(name, XATTR_SECURITY_PREFIX,
+		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	return 0;
 }
 
@@ -407,6 +412,10 @@
 
 static int dummy_inode_removexattr (struct dentry *dentry, char *name)
 {
+	if (!strncmp(name, XATTR_SECURITY_PREFIX,
+		     sizeof(XATTR_SECURITY_PREFIX) - 1) &&
+	    !capable(CAP_SYS_ADMIN))
+		return -EPERM;
 	return 0;
 }
 

• Next message: Andreas Gruenbacher: "Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace"
• Previous message: Chris Wright: "[PATCH 1/2] Move XATTR_SECURITY_PREFIX macro to common location"
• In reply to: Chris Wright: "[PATCH 1/2] Move XATTR_SECURITY_PREFIX macro to common location"
• Next in thread: Andreas Gruenbacher: "Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace"
• Reply: Andreas Gruenbacher: "Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace"
• Reply: Theodore Ts'o: "Re: [PATCH 2/2] Default hooks protecting the XATTR_SECURITY_PREFIX namespace"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Jan 16 2004 - 13:21:09 PST