Re: LSM patch for Linux-2.4.20-8

From: Syed Ahemed (kingkhan@private)
Date: Wed Jan 19 2005 - 00:42:34 PST


Is there an LSM patch for linux-2.4.20-8?
I tried applying patch-2.4.20-lsm1.gz to the linux-2.4.20-8 tree
and got the following rejects.
The kernel doesn't compile due to these errors.

bash-2.05b# zcat /usr/src/patches/patch-2.4.20-lsm1.gz | patch -p1
patching file Documentation/Configure.help
Hunk #1 succeeded at 26233 with fuzz 2 (offset -8 lines).
patching file Documentation/DocBook/Makefile
patching file Documentation/DocBook/deviceiobook.tmpl
patching file Documentation/DocBook/kernel-api.tmpl
patching file Documentation/DocBook/lsm.tmpl
patching file Makefile
Hunk #1 FAILED at 1.
Hunk #2 FAILED at 121.
Hunk #3 succeeded at 262 (offset 10 lines).
2 out of 3 hunks FAILED -- saving rejects to file Makefile.rej
patching file arch/i386/boot/compressed/Makefile
patching file arch/i386/config.in
Hunk #1 succeeded at 506 (offset 51 lines).
patching file arch/i386/kernel/entry.S
Hunk #1 FAILED at 627.
1 out of 1 hunk FAILED -- saving rejects to file arch/i386/kernel/entry.S.rej
patching file arch/i386/kernel/ioport.c
patching file arch/i386/kernel/ptrace.c
Hunk #2 succeeded at 240 (offset 81 lines).
patching file arch/ia64/config.in
Hunk #1 succeeded at 287 (offset -6 lines).
patching file arch/ia64/ia32/sys_ia32.c
Hunk #2 succeeded at 3281 (offset 89 lines).
patching file arch/ia64/kernel/entry.S
patching file arch/ia64/kernel/ptrace.c
Hunk #1 succeeded at 16 (offset 1 line).
Hunk #2 succeeded at 1159 (offset 60 lines).
patching file drivers/char/tty_io.c
Hunk #1 succeeded at 1472 (offset 5 lines).
patching file fs/attr.c
patching file fs/buffer.c
Hunk #1 succeeded at 2877 (offset 13 lines).
patching file fs/dnotify.c
patching file fs/dquot.c
Hunk #1 succeeded at 1321 (offset -19 lines).
Hunk #2 FAILED at 1417.
1 out of 2 hunks FAILED -- saving rejects to file fs/dquot.c.rej
patching file fs/exec.c
Hunk #1 succeeded at 763 (offset 133 lines).
Hunk #3 succeeded at 819 (offset 133 lines).
Hunk #5 succeeded at 913 (offset 133 lines).
Hunk #7 succeeded at 1006 (offset 133 lines).
Hunk #9 succeeded at 1045 (offset 133 lines).
patching file fs/fcntl.c
Hunk #2 succeeded at 260 (offset -19 lines).
Hunk #4 succeeded at 333 (offset -19 lines).
Hunk #6 succeeded at 402 (offset -19 lines).
patching file fs/file_table.c
patching file fs/inode.c
Hunk #2 FAILED at 76.
Hunk #3 succeeded at 1069 (offset 2 lines).
1 out of 3 hunks FAILED -- saving rejects to file fs/inode.c.rej
patching file fs/ioctl.c
patching file fs/locks.c
Hunk #1 succeeded at 1286 (offset 11 lines).
Hunk #3 succeeded at 1411 (offset 11 lines).
Hunk #5 succeeded at 1442 (offset 11 lines).
Hunk #7 succeeded at 1484 (offset 11 lines).
Hunk #8 FAILED at 1491.
Hunk #10 succeeded at 1517 (offset 11 lines).
Hunk #12 succeeded at 1581 (offset 11 lines).
Hunk #14 succeeded at 1625 (offset 11 lines).
Hunk #15 FAILED at 1632.
Hunk #17 succeeded at 1659 (offset 11 lines).
2 out of 18 hunks FAILED -- saving rejects to file fs/locks.c.rej
patching file fs/namei.c
Hunk #4 FAILED at 346.
Hunk #5 succeeded at 357 (offset 2 lines).
Hunk #7 succeeded at 826 (offset 12 lines).
Hunk #8 succeeded at 989 (offset 2 lines).
Hunk #9 succeeded at 1040 (offset 12 lines).
Hunk #10 succeeded at 1211 (offset 2 lines).
Hunk #11 succeeded at 1290 (offset 12 lines).
Hunk #12 succeeded at 1354 (offset 2 lines).
Hunk #13 succeeded at 1463 (offset 12 lines).
Hunk #14 succeeded at 1526 (offset 2 lines).
Hunk #15 succeeded at 1608 (offset 12 lines).
Hunk #16 succeeded at 1609 (offset 2 lines).
Hunk #17 succeeded at 1687 (offset 12 lines).
Hunk #18 succeeded at 1688 (offset 2 lines).
Hunk #19 succeeded at 1813 (offset 12 lines).
Hunk #20 succeeded at 1843 (offset 2 lines).
Hunk #21 succeeded at 1888 (offset 12 lines).
Hunk #22 succeeded at 1896 (offset 2 lines).
1 out of 22 hunks FAILED -- saving rejects to file fs/namei.c.rej
patching file fs/namespace.c
patching file fs/nfsd/nfsctl.c
patching file fs/nfsd/nfsfh.c
patching file fs/open.c
patching file fs/proc/base.c
Hunk #1 FAILED at 329.
1 out of 1 hunk FAILED -- saving rejects to file fs/proc/base.c.rej
patching file fs/read_write.c
Hunk #6 succeeded at 357 (offset 7 lines).
Hunk #8 succeeded at 417 (offset 7 lines).
patching file fs/readdir.c
patching file fs/stat.c
Hunk #3 succeeded at 161 (offset 119 lines).
Hunk #4 FAILED at 200.
Hunk #5 succeeded at 184 (offset -90 lines).
Hunk #6 FAILED at 203.
2 out of 6 hunks FAILED -- saving rejects to file fs/stat.c.rej
patching file fs/super.c
Hunk #1 FAILED at 27.
Hunk #2 succeeded at 290 (offset 24 lines).
Hunk #3 succeeded at 289 with fuzz 2 (offset 3 lines).
Hunk #4 succeeded at 322 (offset 24 lines).
Hunk #5 succeeded at 867 (offset 81 lines).
Hunk #6 succeeded at 836 (offset 24 lines).
1 out of 6 hunks FAILED -- saving rejects to file fs/super.c.rej
patching file include/linux/binfmts.h
Hunk #1 succeeded at 30 (offset 3 lines).
patching file include/linux/fs.h
Hunk #2 succeeded at 484 (offset 3 lines).
Hunk #3 succeeded at 553 (offset 33 lines).
Hunk #4 succeeded at 541 (offset 3 lines).
Hunk #5 succeeded at 588 (offset 33 lines).
Hunk #6 FAILED at 652.
Hunk #7 succeeded at 730 (offset -2 lines).
1 out of 7 hunks FAILED -- saving rejects to file include/linux/fs.h.rej
patching file include/linux/input.h
Hunk #1 succeeded at 474 (offset 1 line).
patching file include/linux/ip.h
patching file include/linux/ipc.h
patching file include/linux/msg.h
patching file include/linux/netdevice.h
Hunk #1 succeeded at 445 (offset 7 lines).
patching file include/linux/sched.h
Hunk #1 succeeded at 509 with fuzz 2 (offset 99 lines).
Hunk #2 succeeded at 724 (offset -16 lines).
Hunk #3 succeeded at 855 (offset 99 lines).
patching file include/linux/security.h
patching file include/linux/shm.h
patching file include/linux/skbuff.h
patching file include/net/sock.h
Hunk #1 succeeded at 678 with fuzz 2 (offset 10 lines).
Hunk #2 succeeded at 684 (offset 1 line).
Hunk #3 succeeded at 1158 (offset 10 lines).
Hunk #4 succeeded at 1161 (offset 1 line).
patching file include/net/tcp.h
Hunk #1 succeeded at 520 (offset 1 line).
patching file init/do_mounts.c
Hunk #1 succeeded at 914 with fuzz 1 (offset 26 lines).
patching file init/main.c
Hunk #1 FAILED at 27.
Hunk #2 succeeded at 407 (offset -4 lines).
1 out of 2 hunks FAILED -- saving rejects to file init/main.c.rej
patching file ipc/msg.c
patching file ipc/sem.c
patching file ipc/shm.c
patching file ipc/util.c
patching file kernel/acct.c
Hunk #1 succeeded at 183 (offset 1 line).
patching file kernel/capability.c
Hunk #1 succeeded at 59 (offset 2 lines).
Hunk #2 FAILED at 88.
Hunk #3 FAILED at 107.
Hunk #5 succeeded at 178 (offset 2 lines).
2 out of 5 hunks FAILED -- saving rejects to file kernel/capability.c.rej
patching file kernel/exit.c
Hunk #1 FAILED at 13.
Hunk #2 FAILED at 48.
Hunk #3 succeeded at 1002 with fuzz 2 (offset 475 lines).
2 out of 3 hunks FAILED -- saving rejects to file kernel/exit.c.rej
patching file kernel/fork.c
Hunk #1 FAILED at 22.
Hunk #2 succeeded at 708 with fuzz 2 (offset 112 lines).
Hunk #3 FAILED at 792.
Hunk #4 succeeded at 846 with fuzz 2 (offset 69 lines).
2 out of 4 hunks FAILED -- saving rejects to file kernel/fork.c.rej
patching file kernel/kmod.c
Hunk #1 succeeded at 125 (offset -7 lines).
patching file kernel/ksyms.c
Hunk #1 succeeded at 198 (offset 26 lines).
patching file kernel/module.c
Hunk #3 succeeded at 508 (offset 3 lines).
Hunk #5 succeeded at 668 (offset 3 lines).
patching file kernel/printk.c
Hunk #1 succeeded at 173 (offset 1 line).
patching file kernel/ptrace.c
Reversed (or previously applied) patch detected!  Assume -R? [n]
Apply anyway? [n] y
Hunk #1 FAILED at 82.
Hunk #2 FAILED at 96.
Hunk #3 FAILED at 104.
Hunk #4 FAILED at 127.
4 out of 4 hunks FAILED -- saving rejects to file kernel/ptrace.c.rej
patching file kernel/sched.c
Hunk #1 FAILED at 29.
Hunk #2 FAILED at 862.
Hunk #3 FAILED at 883.
Hunk #4 succeeded at 1597 with fuzz 2 (offset 640 lines).
Hunk #5 FAILED at 1638.
Hunk #6 FAILED at 1664.
Hunk #7 FAILED at 1788.
Hunk #8 FAILED at 1935.
7 out of 8 hunks FAILED -- saving rejects to file kernel/sched.c.rej
patching file kernel/signal.c
Hunk #1 FAILED at 525.
1 out of 1 hunk FAILED -- saving rejects to file kernel/signal.c.rej
patching file kernel/sys.c
Hunk #1 FAILED at 14.
Hunk #2 FAILED at 212.
Hunk #3 FAILED at 220.
Hunk #4 succeeded at 358 (offset 80 lines).
Hunk #6 succeeded at 519 (offset 80 lines).
Hunk #7 FAILED at 548.
Hunk #9 succeeded at 634 (offset 80 lines).
Hunk #11 succeeded at 679 (offset 80 lines).
Hunk #13 succeeded at 725 (offset 80 lines).
Hunk #15 succeeded at 798 (offset 80 lines).
Hunk #17 succeeded at 830 (offset 80 lines).
Hunk #18 FAILED at 923.
Hunk #19 succeeded at 880 (offset 13 lines).
Hunk #20 FAILED at 908.
Hunk #21 FAILED at 970.
Hunk #22 succeeded at 1110 (offset 86 lines).
Hunk #23 succeeded at 1081 (offset 13 lines).
Hunk #24 succeeded at 1209 (offset 86 lines).
Hunk #25 FAILED at 1224.
Hunk #26 succeeded at 1233 (offset 14 lines).
8 out of 26 hunks FAILED -- saving rejects to file kernel/sys.c.rej
patching file kernel/sysctl.c
Hunk #1 succeeded at 406 (offset 14 lines).
patching file kernel/time.c
patching file kernel/uid16.c
patching file mm/filemap.c
Hunk #1 succeeded at 24 with fuzz 2 (offset 1 line).
Hunk #2 succeeded at 1896 (offset 130 lines).
Hunk #3 succeeded at 1785 (offset 1 line).
patching file mm/memory.c
Hunk #1 FAILED at 45.
1 out of 1 hunk FAILED -- saving rejects to file mm/memory.c.rej
patching file mm/mmap.c
Hunk #1 FAILED at 14.
Hunk #2 succeeded at 480 (offset 1 line).
1 out of 2 hunks FAILED -- saving rejects to file mm/mmap.c.rej
patching file mm/mprotect.c
Hunk #1 FAILED at 7.
Hunk #2 succeeded at 307 (offset 7 lines).
1 out of 2 hunks FAILED -- saving rejects to file mm/mprotect.c.rej
patching file mm/oom_kill.c
patching file mm/swapfile.c
Hunk #1 succeeded at 748 (offset 18 lines).
Hunk #2 succeeded at 917 (offset 2 lines).
patching file net/core/datagram.c
patching file net/core/dev.c
Hunk #2 succeeded at 2617 (offset 37 lines).
patching file net/core/rtnetlink.c
patching file net/core/scm.c
patching file net/core/skbuff.c
patching file net/core/sock.c
patching file net/ipv4/devinet.c
patching file net/ipv4/ip_fragment.c
patching file net/ipv4/ip_gre.c
patching file net/ipv4/ip_options.c
patching file net/ipv4/ip_output.c
patching file net/ipv4/ipip.c
patching file net/ipv4/ipmr.c
patching file net/ipv4/netfilter/ip_queue.c
patching file net/ipv4/syncookies.c
patching file net/ipv4/tcp_ipv4.c
Hunk #1 succeeded at 1309 (offset 10 lines).
Hunk #3 succeeded at 1770 (offset 10 lines).
patching file net/ipv4/tcp_minisocks.c
Hunk #2 succeeded at 790 (offset 5 lines).
patching file net/netlink/af_netlink.c
patching file net/socket.c
Hunk #1 succeeded at 514 (offset 12 lines).
Hunk #3 succeeded at 847 (offset 14 lines).
Hunk #5 succeeded at 921 (offset 14 lines).
Hunk #7 succeeded at 1060 (offset 14 lines).
Hunk #9 succeeded at 1126 (offset 14 lines).
Hunk #11 succeeded at 1191 (offset 14 lines).
Hunk #13 succeeded at 1354 (offset 14 lines).
Hunk #15 succeeded at 1409 (offset 14 lines).
patching file net/unix/af_unix.c
patching file security/Config.in
patching file security/Makefile
patching file security/Makefile.in
patching file security/capability.c
patching file security/dte/Makefile
patching file security/dte/Makefile.in
patching file security/dte/dte.c
patching file security/dte/dte.h
patching file security/dte/inode.c
patching file security/dte/module.c
patching file security/dte/mount.c
patching file security/dte/path.c
patching file security/dte/read_policy.c
patching file security/dte/syscall.c
patching file security/dte/task.c
patching file security/dummy.c
patching file security/lids/Config.help
patching file security/lids/Config.in
patching file security/lids/Makefile
patching file security/lids/Makefile.in
patching file security/lids/include/linux/lids.h
patching file security/lids/include/linux/lidsext.h
patching file security/lids/include/linux/lidsif.h
patching file security/lids/include/linux/rmd160.h
patching file security/lids/klids.c
patching file security/lids/lids_acl.c
patching file security/lids/lids_cap.c
patching file security/lids/lids_check_scan.c
patching file security/lids/lids_exec.c
patching file security/lids/lids_init.c
patching file security/lids/lids_logs.c
patching file security/lids/lids_lsm.c
patching file security/lids/lids_mail_script.c
patching file security/lids/lids_net.c
patching file security/lids/lids_sysctl.c
patching file security/lids/lids_syslog_script.c
patching file security/lids/rmd160.c
patching file security/owlsm.c
patching file security/owlsm.h
patching file security/security.c
patching file security/selinux/Config.in
patching file security/selinux/Makefile
patching file security/selinux/Makefile.in
patching file security/selinux/arch/i386/Makefile
patching file security/selinux/arch/i386/wrapper.c
patching file security/selinux/avc.c
patching file security/selinux/extsocket.h
patching file security/selinux/flask/Makefile
patching file security/selinux/flask/access_vectors
patching file security/selinux/flask/initial_sids
patching file security/selinux/flask/mkaccess_vector.sh
patching file security/selinux/flask/mkflask.sh
patching file security/selinux/flask/security_classes
patching file security/selinux/hooks.c
patching file security/selinux/include/asm-i386/flask/syscallaccess.h
patching file security/selinux/include/linux/flask/av_inherit.h
patching file security/selinux/include/linux/flask/av_perm_to_string.h
patching file security/selinux/include/linux/flask/av_permissions.h
patching file security/selinux/include/linux/flask/avc.h
patching file security/selinux/include/linux/flask/avc_ss.h
patching file security/selinux/include/linux/flask/class_to_string.h
patching file security/selinux/include/linux/flask/common_perm_to_string.h
patching file security/selinux/include/linux/flask/flask.h
patching file security/selinux/include/linux/flask/flask_types.h
patching file security/selinux/include/linux/flask/flnetlink.h
patching file security/selinux/include/linux/flask/initial_sid_to_string.h
patching file security/selinux/include/linux/flask/nsid.h
patching file security/selinux/include/linux/flask/psid.h
patching file security/selinux/include/linux/flask/security.h
patching file security/selinux/include/linux/flask/selopt.h
patching file security/selinux/include/linux/flask/syscalls.h
patching file security/selinux/include/linux/flask/syscalls_proto.h
patching file security/selinux/nsid.c
patching file security/selinux/psid.c
patching file security/selinux/selinux_plug.h
patching file security/selinux/selopt/Makefile
patching file security/selinux/selopt/cache.c
patching file security/selinux/selopt/cache.h
patching file security/selinux/selopt/flnetlink.c
patching file security/selinux/selopt/perimtab.c
patching file security/selinux/selopt/perimtab.h
patching file security/selinux/selopt/queue.c
patching file security/selinux/selopt/queue.h
patching file security/selinux/selopt/selopt_core.c
patching file security/selinux/ss/Makefile
patching file security/selinux/ss/Makefile.in
patching file security/selinux/ss/avtab.c
patching file security/selinux/ss/avtab.h
patching file security/selinux/ss/constraint.h
patching file security/selinux/ss/context.h
patching file security/selinux/ss/ebitmap.c
patching file security/selinux/ss/ebitmap.h
patching file security/selinux/ss/global.h
patching file security/selinux/ss/hashtab.c
patching file security/selinux/ss/hashtab.h
patching file security/selinux/ss/mls.c
patching file security/selinux/ss/mls.h
patching file security/selinux/ss/mls_types.h
patching file security/selinux/ss/policydb.c
patching file security/selinux/ss/policydb.h
patching file security/selinux/ss/policydb_inflate.c
patching file security/selinux/ss/queue.c
patching file security/selinux/ss/queue.h
patching file security/selinux/ss/services.c
patching file security/selinux/ss/services.h
patching file security/selinux/ss/services_private.h
patching file security/selinux/ss/sidtab.c
patching file security/selinux/ss/sidtab.h
patching file security/selinux/ss/symtab.c
patching file security/selinux/ss/symtab.h
patching file security/selinux/ss/syscalls.c
patching file security/selinux/syscalls.c
bash-2.05b#

Thanks
king khan




On Wed, 19 Jan 2005 13:17:21 +0530, Syed Ahemed <kingkhan@private> wrote:
> The lines of code below are an excerpt from the kernel
> source after the LSM patch is applied.
> To try and make the question precise I have deleted non-LSM lines
> from the code.
> 
> 1] /usr/src/linux-2.4/include/security.h defines the
> security_operations struct with a socket_create field.
> 2] /usr/src/linux-2.4/net/socket.c has the function sock_create, which calls
> [ security_ops->socket_create(family, type, protocol); ] to check for
> extended LSM security of socket creation.
> 3] /usr/src/linux-2.4/security/selinux/hooks.c has the LSM
> implementation of the function call
> selinux_socket_create (int family, int type, int protocol, struct
> socket **res).
> 
> Question 1 :
> --------------------
> Every time a user application tries to create a socket,
> net/socket.c : sock_create is invoked, and this function in turn calls
> the security_ops->socket_create function for the LSM check. Now where
> and how does selinux_socket_create come into the picture? I mean, how
> does it get invoked?
> 
> Question 2 :
> ------------------
> security_ops->socket_create( ) is the hook employed by the LSM framework;
> selinux_socket_create( ) is the implementation of the security module
> function.
> Am I right?
> If not, where is the function code for the hook call made from socket.c?
> 
>  */usr/src/linux-2.4/include/security.h
>  * @socket_create:
>  *      Check permissions prior to creating a new socket.
>  *      @family contains the requested protocol family.
>  *      @type contains the requested communications type.
>  *      @protocol contains the requested protocol.
>  *      Return 0 if permission is granted.
>  * @socket_post_create:
>  *      This hook allows a module to update or allocate a per-socket security
>  *      structure. Note that the security field was not added directly to the
>  *      socket structure, but rather, the socket security information is stored
>  *      in the associated inode.  Typically, the inode alloc_security hook will
>  *      allocate and attach security information to
>  *      sock->inode->i_security.  This hook may be used to update the
>  *      sock->inode->i_security field with additional information that wasn't
>  *      available when the inode was allocated.
>  *      @sock contains the newly created socket structure.
>  *      @family contains the requested protocol family.
>  *      @type contains the requested communications type.
>  *      @protocol contains the requested protocol.
>  * @socket_bind:
> 
> struct security_operations {
>         int (*socket_create) (int family, int type, int protocol);
>         void (*socket_post_create) (struct socket * sock, int family,
> }
> 
> ********************************************************************************************************
> * /usr/src/linux-2.4/net/socket.c
> 
> int sock_create(int family, int type, int protocol, struct socket **res)
> {
>         int i;
>         int err;
>         struct socket *sock;
>         err = security_ops->socket_create(family, type, protocol);
>         if (err)
>                 return err;
> 
>                 return i;
> }
> ********************************************************************************
> 
> /*  /usr/src/linux-2.4/security/selinux/hooks.c */
> 
> static int selinux_socket_create(int family, int type, int protocol)
> {
>         int err;
>         struct task_security_struct *tsec;
>         security_id_t tsid;
> 
>         tsec = current->security;
> 
>         tsid = extsocket_create(tsec);
> 
>         err = avc_has_perm(tsec->sid, tsid,
>                            socket_type_to_security_class(family, type),
>                            SOCKET__CREATE);
> 
>         return err;
> }
> *******************************************************************************
> 
> Thanks
> KIng Khan
> 
> 
> On Tue, 18 Jan 2005 15:03:13 -0800, Chris Wright <chrisw@private> wrote:
> > * Syed Ahemed (kingkhan@private) wrote:
> > > Solution 2
> > > ---------------
> > > a] LSM with SELinux: what does it do that LIDS [with/without LSM] can't?
> > >     Note: I haven't seen a debate LIDS vs SELinux; maybe they aren't
> > > alike at all. But we have a co-existence problem to solve too.
> >
> > For the purpose of your examples, consider LIDS and SELinux to have very
> > similar properties.
> >
> > > b]   Implement my own strncpy or strcpy with better length checking
> >
> > For user-space buffer overflow?  Sure, it's always useful to carefully
> > audit that kind of code.
> >
> > > c] The Openwall patch as part of the base kernel will take care of
> > > the executable stack issue
> >
> > Base 2.6 has some support for NX stack.  Also, you can look at
> > exec-shield in Fedora kernels, or the SSP patch to gcc.
> >
> > Stopping the buffer overflow is fundamentally different from limiting
> > that damage domain.  Point is...there is no single silver bullet.
> > Best solution is to employ best security practices at each relevant
> > layer.
> >
> > thanks,
> > -chris
> > --
> > Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
> >
>
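The dispatch that Questions 1 and 2 in the quoted message ask about, as an added user-space model written for this page (not kernel code, and not the LSM project's or SELinux's own): sock_create() never names selinux_socket_create; it calls through the single global security_ops pointer, and register_security() is what swaps that pointer from the dummy module's table to a module's own table, so whatever module registered is the one whose socket_create runs. The task and socket structs, the capability numbering and the "demo" policy (raw sockets require CAP_NET_RAW) are stand-ins assumed for the example; the refusal of a second registration (-EAGAIN) and of a mismatched unregister (-EINVAL) follow the framework's security.c as I remember it and are not taken from this page.

```c
/* Added example, not kernel code: a user-space model of 2.4 LSM hook dispatch.
 * Names mirror the kernel's; the task/socket structs, capability numbers and
 * the "demo" policy are stand-ins assumed for illustration. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
enum { AF_INET = 2, SOCK_STREAM = 1, SOCK_RAW = 3, CAP_NET_RAW = 13 };
struct task {                    /* stand-in for `current` */
    unsigned int uid;
    unsigned int cap_effective;  /* bitmask of 1u << CAP_* */
    void *security;              /* module-owned blob (tsec in SELinux) */
};
struct socket {
    int family, type, protocol;
    void *security;              /* the kernel keeps this in the inode */
};
/* The hook table. Hook sites call entries without NULL checks, so a module
 * must supply every entry (the kernel backfills from the dummy module). */
struct security_operations {
    const char *name;
    int  (*socket_create)(struct task *cur, int family, int type, int protocol);
    void (*socket_post_create)(struct task *cur, struct socket *sock,
                               int family, int type, int protocol);
};
/* Default module: permits everything, attaches nothing. */
static int dummy_socket_create(struct task *c, int f, int t, int p)
{ (void)c; (void)f; (void)t; (void)p; return 0; }
static void dummy_socket_post_create(struct task *c, struct socket *s, int f, int t, int p)
{ (void)c; (void)s; (void)f; (void)t; (void)p; }
static struct security_operations dummy_security_ops = {
    "dummy", dummy_socket_create, dummy_socket_post_create };
/* The one global pointer every hook site reads. */
static struct security_operations *security_ops = &dummy_security_ops;
/* A module becomes the active policy by swapping that pointer, and only while
 * the dummy is installed: a second primary module is refused. */
int register_security(struct security_operations *ops)
{
    if (security_ops != &dummy_security_ops)
        return -EAGAIN;
    security_ops = ops;
    return 0;
}
int unregister_security(struct security_operations *ops)
{
    if (security_ops != ops)
        return -EINVAL;
    security_ops = &dummy_security_ops;
    return 0;
}
/* Stand-in policy: raw sockets need CAP_NET_RAW, anything else is allowed. */
static int demo_socket_create(struct task *cur, int family, int type, int protocol)
{
    (void)family; (void)protocol;
    if (type == SOCK_RAW && !(cur->cap_effective & (1u << CAP_NET_RAW)))
        return -EACCES;
    return 0;
}
static void demo_socket_post_create(struct task *c, struct socket *sock, int f, int t, int p)
{ (void)c; (void)f; (void)t; (void)p; sock->security = (void *)"demo"; /* label it */ }
static struct security_operations demo_security_ops = {
    "demo", demo_socket_create, demo_socket_post_create };
/* The hook site: pre-hook before anything is allocated, post-hook once the
 * object exists. The caller never names selinux_*; the pointer does that. */
int sock_create(struct task *cur, int family, int type, int protocol, struct socket *sock)
{
    int err = security_ops->socket_create(cur, family, type, protocol);
    if (err)
        return err;                  /* denied: no socket was created */
    sock->family = family; sock->type = type; sock->protocol = protocol;
    sock->security = NULL;
    security_ops->socket_post_create(cur, sock, family, type, protocol);
    return 0;
}
static const char *last_label;       /* sock->security of the last successful create */
/* One creation attempt as uid 1000 holding `caps`; returns the hook's verdict. */
int try_create(unsigned int caps, int type)
{
    struct task cur = { 1000, caps, NULL };
    struct socket sock;
    int err = sock_create(&cur, AF_INET, type, 0, &sock);
    last_label = err ? NULL : (const char *)sock.security;
    return err;
}
const char *active_module(void) { return security_ops->name; }
const char *last_socket_label(void) { return last_label; }
int main(void)
{
    printf("%s: raw socket as uid 1000 -> %d\n", active_module(), try_create(0, SOCK_RAW));
    register_security(&demo_security_ops);
    printf("%s: raw socket as uid 1000 -> %d\n", active_module(), try_create(0, SOCK_RAW));
    printf("%s: with CAP_NET_RAW -> %d\n", active_module(), try_create(1u << CAP_NET_RAW, SOCK_RAW));
    return 0;
}
```

The point to take from the model is the ordering: the pre-create hook runs before any object exists, so a denial leaves nothing to clean up, while the post-create hook is where a module labels the new object; both are reached only through security_ops, which is why grepping socket.c for the SELinux function name finds nothing.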



This archive was generated by hypermail 2.1.3 : Wed Jan 19 2005 - 00:43:42 PST