[PATCH 4/4] seclvl update

From: Chris Wright (chrisw@private)
Date: Fri Feb 13 2004 - 15:05:54 PST


    * update to new module parameters interface.  remove some of the
      StudlyCaps.
    * make sure jiffies is unsigned long in rate limiting
    * remove extraneous zeroing of static data.
    
    --- lsm-2.6/security/seclvl.c~seclvl.fix04	2004-02-12 20:03:05.000000000 -0800
    +++ lsm-2.6/security/seclvl.c	2004-02-13 14:31:59.619009544 -0800
    @@ -79,6 +79,7 @@
     
     #include <linux/config.h>
     #include <linux/module.h>
    +#include <linux/moduleparam.h>
     #include <linux/kernel.h>
     #include <linux/init.h>
     #include <linux/security.h>
    @@ -106,14 +107,14 @@
     #ifdef CONFIG_SECURITY_SECLVL_MODULE
     static int initlvl = 1;
     #else
    -static int initlvl = 0;
    +static int initlvl;
     #endif
    -MODULE_PARM(initlvl, "i");
    +module_param(initlvl, int, 0);
     MODULE_PARM_DESC(initlvl, "Initial secure level (defaults to 1)");
     
     /* Module parameter that defines the verbosity level */
    -static int verbosity = 0;
    -MODULE_PARM(verbosity, "i");
    +static int verbosity;
    +module_param(verbosity, int, 0);
     MODULE_PARM_DESC(verbosity, "Initial verbosity level (0 or 1; defaults to "
     		 "0, which is Quiet)");
     
    @@ -124,11 +125,13 @@
      *
      * This gets converted to its SHA1 hash when stored.  It's probably
      * not a good idea to use this parameter when loading seclvl from a
    - * script; use sha1Password instead.
    + * script; use sha1_passwd instead.
      */
    -static char *plaintextPassword = NULL;
    -MODULE_PARM(plaintextPassword, "s");
    -MODULE_PARM_DESC(plaintextPassword,
    +
    +#define MAX_PASSWD_SIZE	32
    +static char passwd[MAX_PASSWD_SIZE];
    +module_param_string(passwd, passwd, sizeof(passwd), 0);
    +MODULE_PARM_DESC(passwd,
     		 "Plaintext of password that sets seclvl=0 when written to "
     		 "(sysfs mount point)/seclvl/passwd\n");
     
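Review bot: The new fixed-size buffer caps the plaintext password at 31 characters, and neither the comment nor `MODULE_PARM_DESC(passwd, ...)` says so. As far as I know `module_param_string()` rejects a value that does not fit instead of truncating it, so a longer password that the old `char *` parameter accepted would now make the module load fail; that is worth confirming and then documenting. I would extend the description to `"Plaintext of password (at most 31 characters) that sets seclvl=0 when written to "`. The blank line added before `#define MAX_PASSWD_SIZE` also detaches the explanatory comment from the parameter it describes.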
    @@ -142,15 +145,16 @@
      *
      * echo -n "secret" | sha1sum
      */
    -static char *sha1Password = NULL;
    -MODULE_PARM(sha1Password, "s");
    -MODULE_PARM_DESC(sha1Password,
    +#define MAX_SHA1_PASSWD	41
    +static char sha1_passwd[MAX_SHA1_PASSWD];
    +module_param_string(sha1_passwd, sha1_passwd, sizeof(sha1_passwd), 0);
    +MODULE_PARM_DESC(sha1_passwd,
     		 "SHA1 hash (40 hexadecimal characters) of password that "
     		 "sets seclvl=0 when plaintext password is written to "
     		 "(sysfs mount point)/seclvl/passwd\n");
     
     static int hideHash = 1;
    -MODULE_PARM(hideHash, "i");
    +module_param(hideHash, int, 0);
     MODULE_PARM_DESC(hideHash, "When set to 0, reading seclvl/passwd from sysfs "
     		 "will return the SHA1-hashed value of the password that "
     		 "lowers the secure level to 0.\n");
    @@ -164,17 +168,18 @@
     /**
      * This time-limits log writes to one per second.
      */
    -#define seclvl_printk(verb, type, fmt, arg...)			     \
    -	do {							     \
    -		if (verbosity >= verb) {			     \
    -			static int priorTimestamp = 0;		     \
    -			if ((jiffies - priorTimestamp) < HZ)	     \
    -				break;				     \
    -			printk(type "%s: %s: " fmt,		     \
    -			       MY_NAME, __FUNCTION__,		     \
    -			       ## arg);				     \
    -			       priorTimestamp = jiffies;	     \
    -		}						     \
    +#define seclvl_printk(verb, type, fmt, arg...)			\
    +	do {							\
    +		if (verbosity >= verb) {			\
    +			static unsigned long _prior;		\
    +			unsigned long _now = jiffies;		\
    +			if ((_now - _prior) > HZ) {		\
    +				printk(type "%s: %s: " fmt,	\
    +					MY_NAME, __FUNCTION__,	\
    +					## arg);		\
    +				_prior = _now;			\
    +			}					\
    +		}						\
     	} while (0)
     
     /**
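Review bot: The comment above `seclvl_printk` should state that the limit applies per call site and that suppressed messages are dropped without being counted, because `_prior` is a separate static in every expansion of the macro. For error paths such as the password-unlock message later in this patch, repeated failures therefore appear as at most one log line per second, and the log cannot be used to estimate how many attempts were made. Suggested wording: `/* Rate-limits each call site to one message per second; messages inside the window are discarded, not counted. */`. The test `(_now - _prior) > HZ` also moves the boundary compared with the old `< HZ`, so a message exactly HZ jiffies after the previous one is now dropped.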
    @@ -396,7 +401,7 @@
     	unsigned char tmp[SHA1_DIGEST_SIZE];
     	int rc;
     	int len;
    -	if (!(plaintextPassword || sha1Password)) {
    +	if (!*passwd && !*sha1_passwd) {
     		seclvl_printk(0, KERN_ERR, "Attempt to password-unlock the "
     			      "seclvl module, but neither a plain text "
     			      "password nor a SHA1 hashed password was "
    @@ -683,25 +688,25 @@
     {
     	int rc = 0;
     	hashedPassword[0] = '\0';
    -	if (plaintextPassword) {
    -		if (sha1Password) {
    +	if (*passwd) {
    +		if (*sha1_passwd) {
     			seclvl_printk(0, KERN_ERR, "Error: Both "
    -				      "plaintextPassword and sha1Password "
    +				      "passwd and sha1_passwd "
     				      "were set, but they are mutually "
     				      "exclusive.\n");
     			rc = -EINVAL;
     			goto exit;
     		}
    -		if ((rc = plaintextToSha1(hashedPassword, plaintextPassword,
    -					  strlen(plaintextPassword)))) {
    +		if ((rc = plaintextToSha1(hashedPassword, passwd,
    +					  strlen(passwd)))) {
     			seclvl_printk(0, KERN_ERR, "Error: SHA1 support not "
     				      "in kernel\n");
     			goto exit;
     		}
    -		memset(plaintextPassword, strlen(plaintextPassword), 0);
    -	} else if (sha1Password) {	// Base 16
    +		//memset(passwd, 0, strlen(passwd));
    +	} else if (*sha1_passwd) {	// Base 16
     		int i;
    -		i = strlen(sha1Password);
    +		i = strlen(sha1_passwd);
     		if (i != (SHA1_DIGEST_SIZE * 2)) {
     			seclvl_printk(0, KERN_ERR, "Received [%d] bytes; "
     				      "expected [%d] for the hexadecimal "
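Review bot: The plaintext password is never wiped: the corrected call `memset(passwd, 0, strlen(passwd))` is left commented out, so the cleartext stays in the static `passwd` buffer for as long as the module is loaded even though only `hashedPassword` is needed afterwards. It presumably had to be disabled because this patch turns every "is a password configured" test into a read of the buffers (`*passwd` here, `if (!*passwd && !*sha1_passwd)` in the unlock path, and `*passwd || *sha1_passwd` in the sysfs create and remove hunks), and zeroing the buffer would make those tests false. I would record the outcome in a separate flag set in this function (for example a new `static int` assigned 1 once `hashedPassword` is filled), test that flag in the other three places, and then clear the buffer with `memset(passwd, 0, sizeof(passwd));`. The function begins above and continues below this hunk.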
    @@ -713,11 +718,11 @@
     		}
     		while ((i -= 2) + 2) {
     			unsigned char tmp;
    -			tmp = sha1Password[i + 2];
    -			sha1Password[i + 2] = '\0';
    +			tmp = sha1_passwd[i + 2];
    +			sha1_passwd[i + 2] = '\0';
     			hashedPassword[i / 2] = (unsigned char)
    -			    simple_strtol(&sha1Password[i], NULL, 16);
    -			sha1Password[i + 2] = tmp;
    +			    simple_strtol(&sha1_passwd[i], NULL, 16);
    +			sha1_passwd[i + 2] = tmp;
     		}
     	}
     exit:
    @@ -736,7 +741,7 @@
     		goto exit;
     	}
     	sysfs_create_file(&seclvl_subsys.kset.kobj, &seclvlfs_seclvl_attr.attr);
    -	if (plaintextPassword || sha1Password) {
    +	if (*passwd || *sha1_passwd) {
     		sysfs_create_file(&seclvl_subsys.kset.kobj,
     				  &seclvlfs_passwd_attr.attr);
     	}
    @@ -768,6 +773,7 @@
     			      "module parameter(s): rc = [%d]\n", rc);
     		goto exit;
     	}
    +	printk("%s: passwd=%s\n", __func__, passwd);
     	/* register ourselves with the security framework */
     	if (register_security(&seclvl_ops)) {
     		seclvl_printk(0, KERN_ERR,
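Review bot: The added `printk("%s: passwd=%s\n", __func__, passwd);` writes the plaintext unlock password to the kernel log on every module initialisation, where it is readable through dmesg and by whatever syslog files or remote collectors receive kernel messages. It looks like leftover debugging (it carries no KERN_ level and bypasses `seclvl_printk`) and should be removed before merging. If a trace is wanted at this point, log only whether a password was supplied, e.g. `seclvl_printk(1, KERN_INFO, "password %s\n", *passwd ? "set" : "not set");`. The enclosing init function begins and ends outside the hunk.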
    @@ -802,7 +808,7 @@
     static void __exit seclvl_exit(void)
     {
     	sysfs_remove_file(&seclvl_subsys.kset.kobj, &seclvlfs_seclvl_attr.attr);
    -	if (plaintextPassword || sha1Password) {
    +	if (*passwd || *sha1_passwd) {
     		sysfs_remove_file(&seclvl_subsys.kset.kobj,
     				  &seclvlfs_passwd_attr.attr);
     	}
    


