Re: LSM patch for Linux-2.4.20-8

From: Syed Ahemed (kingkhan@private)
Date: Thu Jan 20 2005 - 06:34:54 PST


I would love to use Linux 2.6, but the 2.4 kernel I mentioned has been
on our production machine for quite some time.
I intend to convince myself whether LSM is the way to go in the long run.
The reason I got drawn towards it is that LSM addresses security beyond
the conventional file and process permissions in the Linux model.
If you could see the other questions I have put forth on the mailing
list, you would know what I am addressing.
Just a thought: any specific reason why there isn't an LSM module
that takes care of length checking of strings that cause buffer
overflows (hooks for strcpy or memcpy)? Even 2.6 doesn't address
this.
Maybe I am missing a fundamental point, but considering LSM implements
the OWL patch for the non-executable stack, which actually is a "consequence" of
a buffer overflow attack, I felt it makes sense to implement.

Thanks
kingkhan


On Wed, 19 Jan 2005 00:47:28 -0800, Crispin Cowan <crispin@private> wrote:
> LSM is only really standardized for Linux 2.6. LSM for various 2.4
> kernels is always somebody's custom port of something.
> 
> Are you doing all this work for learning or for production?
> 
>    * If for learning, then you should use the 2.6 kernel, as it is much
>      more constructive and useful to work on building your module than
>      to mess with trying to make patches fit.
>    * If for production, then you should seriously look again at
>      existing modules. It will be a long time before the from-scratch
>      module you appear to be trying to build will be production-ready
>      and secure.
> 
> Crispin
> 
> Syed Ahemed wrote:
> 
> >Is there an LSM patch for linux-2.4.20-8?
> >I tried applying the patch-2.4.20-lsm1.gz to the version
> >linux-2.4.20-8, only to find the following rejects.
> >The kernel doesn't compile due to these errors.
> >
> >bash-2.05b# zcat /usr/src/patches/patch-2.4.20-lsm1.gz | patch -p1
> >patching file Documentation/Configure.help
> >Hunk #1 succeeded at 26233 with fuzz 2 (offset -8 lines).
> >patching file Documentation/DocBook/Makefile
> >patching file Documentation/DocBook/deviceiobook.tmpl
> >patching file Documentation/DocBook/kernel-api.tmpl
> >patching file Documentation/DocBook/lsm.tmpl
> >patching file Makefile
> >Hunk #1 FAILED at 1.
> >Hunk #2 FAILED at 121.
> >Hunk #3 succeeded at 262 (offset 10 lines).
> >2 out of 3 hunks FAILED -- saving rejects to file Makefile.rej
> >patching file arch/i386/boot/compressed/Makefile
> >patching file arch/i386/config.in
> >Hunk #1 succeeded at 506 (offset 51 lines).
> >patching file arch/i386/kernel/entry.S
> >Hunk #1 FAILED at 627.
> >1 out of 1 hunk FAILED -- saving rejects to file arch/i386/kernel/entry.S.rej
> >patching file arch/i386/kernel/ioport.c
> >patching file arch/i386/kernel/ptrace.c
> >Hunk #2 succeeded at 240 (offset 81 lines).
> >patching file arch/ia64/config.in
> >Hunk #1 succeeded at 287 (offset -6 lines).
> >patching file arch/ia64/ia32/sys_ia32.c
> >Hunk #2 succeeded at 3281 (offset 89 lines).
> >patching file arch/ia64/kernel/entry.S
> >patching file arch/ia64/kernel/ptrace.c
> >Hunk #1 succeeded at 16 (offset 1 line).
> >Hunk #2 succeeded at 1159 (offset 60 lines).
> >patching file drivers/char/tty_io.c
> >Hunk #1 succeeded at 1472 (offset 5 lines).
> >patching file fs/attr.c
> >patching file fs/buffer.c
> >Hunk #1 succeeded at 2877 (offset 13 lines).
> >patching file fs/dnotify.c
> >patching file fs/dquot.c
> >Hunk #1 succeeded at 1321 (offset -19 lines).
> >Hunk #2 FAILED at 1417.
> >1 out of 2 hunks FAILED -- saving rejects to file fs/dquot.c.rej
> >patching file fs/exec.c
> >Hunk #1 succeeded at 763 (offset 133 lines).
> >Hunk #3 succeeded at 819 (offset 133 lines).
> >Hunk #5 succeeded at 913 (offset 133 lines).
> >Hunk #7 succeeded at 1006 (offset 133 lines).
> >Hunk #9 succeeded at 1045 (offset 133 lines).
> >patching file fs/fcntl.c
> >Hunk #2 succeeded at 260 (offset -19 lines).
> >Hunk #4 succeeded at 333 (offset -19 lines).
> >Hunk #6 succeeded at 402 (offset -19 lines).
> >patching file fs/file_table.c
> >patching file fs/inode.c
> >Hunk #2 FAILED at 76.
> >Hunk #3 succeeded at 1069 (offset 2 lines).
> >1 out of 3 hunks FAILED -- saving rejects to file fs/inode.c.rej
> >patching file fs/ioctl.c
> >patching file fs/locks.c
> >Hunk #1 succeeded at 1286 (offset 11 lines).
> >Hunk #3 succeeded at 1411 (offset 11 lines).
> >Hunk #5 succeeded at 1442 (offset 11 lines).
> >Hunk #7 succeeded at 1484 (offset 11 lines).
> >Hunk #8 FAILED at 1491.
> >Hunk #10 succeeded at 1517 (offset 11 lines).
> >Hunk #12 succeeded at 1581 (offset 11 lines).
> >Hunk #14 succeeded at 1625 (offset 11 lines).
> >Hunk #15 FAILED at 1632.
> >Hunk #17 succeeded at 1659 (offset 11 lines).
> >2 out of 18 hunks FAILED -- saving rejects to file fs/locks.c.rej
> >patching file fs/namei.c
> >Hunk #4 FAILED at 346.
> >Hunk #5 succeeded at 357 (offset 2 lines).
> >Hunk #7 succeeded at 826 (offset 12 lines).
> >Hunk #8 succeeded at 989 (offset 2 lines).
> >Hunk #9 succeeded at 1040 (offset 12 lines).
> >Hunk #10 succeeded at 1211 (offset 2 lines).
> >Hunk #11 succeeded at 1290 (offset 12 lines).
> >Hunk #12 succeeded at 1354 (offset 2 lines).
> >Hunk #13 succeeded at 1463 (offset 12 lines).
> >Hunk #14 succeeded at 1526 (offset 2 lines).
> >Hunk #15 succeeded at 1608 (offset 12 lines).
> >Hunk #16 succeeded at 1609 (offset 2 lines).
> >Hunk #17 succeeded at 1687 (offset 12 lines).
> >Hunk #18 succeeded at 1688 (offset 2 lines).
> >Hunk #19 succeeded at 1813 (offset 12 lines).
> >Hunk #20 succeeded at 1843 (offset 2 lines).
> >Hunk #21 succeeded at 1888 (offset 12 lines).
> >Hunk #22 succeeded at 1896 (offset 2 lines).
> >1 out of 22 hunks FAILED -- saving rejects to file fs/namei.c.rej
> >patching file fs/namespace.c
> >patching file fs/nfsd/nfsctl.c
> >patching file fs/nfsd/nfsfh.c
> >patching file fs/open.c
> >patching file fs/proc/base.c
> >Hunk #1 FAILED at 329.
> >1 out of 1 hunk FAILED -- saving rejects to file fs/proc/base.c.rej
> >patching file fs/read_write.c
> >Hunk #6 succeeded at 357 (offset 7 lines).
> >Hunk #8 succeeded at 417 (offset 7 lines).
> >patching file fs/readdir.c
> >patching file fs/stat.c
> >Hunk #3 succeeded at 161 (offset 119 lines).
> >Hunk #4 FAILED at 200.
> >Hunk #5 succeeded at 184 (offset -90 lines).
> >Hunk #6 FAILED at 203.
> >2 out of 6 hunks FAILED -- saving rejects to file fs/stat.c.rej
> >patching file fs/super.c
> >Hunk #1 FAILED at 27.
> >Hunk #2 succeeded at 290 (offset 24 lines).
> >Hunk #3 succeeded at 289 with fuzz 2 (offset 3 lines).
> >Hunk #4 succeeded at 322 (offset 24 lines).
> >Hunk #5 succeeded at 867 (offset 81 lines).
> >Hunk #6 succeeded at 836 (offset 24 lines).
> >1 out of 6 hunks FAILED -- saving rejects to file fs/super.c.rej
> >patching file include/linux/binfmts.h
> >Hunk #1 succeeded at 30 (offset 3 lines).
> >patching file include/linux/fs.h
> >Hunk #2 succeeded at 484 (offset 3 lines).
> >Hunk #3 succeeded at 553 (offset 33 lines).
> >Hunk #4 succeeded at 541 (offset 3 lines).
> >Hunk #5 succeeded at 588 (offset 33 lines).
> >Hunk #6 FAILED at 652.
> >Hunk #7 succeeded at 730 (offset -2 lines).
> >1 out of 7 hunks FAILED -- saving rejects to file include/linux/fs.h.rej
> >patching file include/linux/input.h
> >Hunk #1 succeeded at 474 (offset 1 line).
> >patching file include/linux/ip.h
> >patching file include/linux/ipc.h
> >patching file include/linux/msg.h
> >patching file include/linux/netdevice.h
> >Hunk #1 succeeded at 445 (offset 7 lines).
> >patching file include/linux/sched.h
> >Hunk #1 succeeded at 509 with fuzz 2 (offset 99 lines).
> >Hunk #2 succeeded at 724 (offset -16 lines).
> >Hunk #3 succeeded at 855 (offset 99 lines).
> >patching file include/linux/security.h
> >patching file include/linux/shm.h
> >patching file include/linux/skbuff.h
> >patching file include/net/sock.h
> >Hunk #1 succeeded at 678 with fuzz 2 (offset 10 lines).
> >Hunk #2 succeeded at 684 (offset 1 line).
> >Hunk #3 succeeded at 1158 (offset 10 lines).
> >Hunk #4 succeeded at 1161 (offset 1 line).
> >patching file include/net/tcp.h
> >Hunk #1 succeeded at 520 (offset 1 line).
> >patching file init/do_mounts.c
> >Hunk #1 succeeded at 914 with fuzz 1 (offset 26 lines).
> >patching file init/main.c
> >Hunk #1 FAILED at 27.
> >Hunk #2 succeeded at 407 (offset -4 lines).
> >1 out of 2 hunks FAILED -- saving rejects to file init/main.c.rej
> >patching file ipc/msg.c
> >patching file ipc/sem.c
> >patching file ipc/shm.c
> >patching file ipc/util.c
> >patching file kernel/acct.c
> >Hunk #1 succeeded at 183 (offset 1 line).
> >patching file kernel/capability.c
> >Hunk #1 succeeded at 59 (offset 2 lines).
> >Hunk #2 FAILED at 88.
> >Hunk #3 FAILED at 107.
> >Hunk #5 succeeded at 178 (offset 2 lines).
> >2 out of 5 hunks FAILED -- saving rejects to file kernel/capability.c.rej
> >patching file kernel/exit.c
> >Hunk #1 FAILED at 13.
> >Hunk #2 FAILED at 48.
> >Hunk #3 succeeded at 1002 with fuzz 2 (offset 475 lines).
> >2 out of 3 hunks FAILED -- saving rejects to file kernel/exit.c.rej
> >patching file kernel/fork.c
> >Hunk #1 FAILED at 22.
> >Hunk #2 succeeded at 708 with fuzz 2 (offset 112 lines).
> >Hunk #3 FAILED at 792.
> >Hunk #4 succeeded at 846 with fuzz 2 (offset 69 lines).
> >2 out of 4 hunks FAILED -- saving rejects to file kernel/fork.c.rej
> >patching file kernel/kmod.c
> >Hunk #1 succeeded at 125 (offset -7 lines).
> >patching file kernel/ksyms.c
> >Hunk #1 succeeded at 198 (offset 26 lines).
> >patching file kernel/module.c
> >Hunk #3 succeeded at 508 (offset 3 lines).
> >Hunk #5 succeeded at 668 (offset 3 lines).
> >patching file kernel/printk.c
> >Hunk #1 succeeded at 173 (offset 1 line).
> >patching file kernel/ptrace.c
> >Reversed (or previously applied) patch detected!  Assume -R? [n]
> >Apply anyway? [n] y
> >Hunk #1 FAILED at 82.
> >Hunk #2 FAILED at 96.
> >Hunk #3 FAILED at 104.
> >Hunk #4 FAILED at 127.
> >4 out of 4 hunks FAILED -- saving rejects to file kernel/ptrace.c.rej
> >patching file kernel/sched.c
> >Hunk #1 FAILED at 29.
> >Hunk #2 FAILED at 862.
> >Hunk #3 FAILED at 883.
> >Hunk #4 succeeded at 1597 with fuzz 2 (offset 640 lines).
> >Hunk #5 FAILED at 1638.
> >Hunk #6 FAILED at 1664.
> >Hunk #7 FAILED at 1788.
> >Hunk #8 FAILED at 1935.
> >7 out of 8 hunks FAILED -- saving rejects to file kernel/sched.c.rej
> >patching file kernel/signal.c
> >Hunk #1 FAILED at 525.
> >1 out of 1 hunk FAILED -- saving rejects to file kernel/signal.c.rej
> >patching file kernel/sys.c
> >Hunk #1 FAILED at 14.
> >Hunk #2 FAILED at 212.
> >Hunk #3 FAILED at 220.
> >Hunk #4 succeeded at 358 (offset 80 lines).
> >Hunk #6 succeeded at 519 (offset 80 lines).
> >Hunk #7 FAILED at 548.
> >Hunk #9 succeeded at 634 (offset 80 lines).
> >Hunk #11 succeeded at 679 (offset 80 lines).
> >Hunk #13 succeeded at 725 (offset 80 lines).
> >Hunk #15 succeeded at 798 (offset 80 lines).
> >Hunk #17 succeeded at 830 (offset 80 lines).
> >Hunk #18 FAILED at 923.
> >Hunk #19 succeeded at 880 (offset 13 lines).
> >Hunk #20 FAILED at 908.
> >Hunk #21 FAILED at 970.
> >Hunk #22 succeeded at 1110 (offset 86 lines).
> >Hunk #23 succeeded at 1081 (offset 13 lines).
> >Hunk #24 succeeded at 1209 (offset 86 lines).
> >Hunk #25 FAILED at 1224.
> >Hunk #26 succeeded at 1233 (offset 14 lines).
> >8 out of 26 hunks FAILED -- saving rejects to file kernel/sys.c.rej
> >patching file kernel/sysctl.c
> >Hunk #1 succeeded at 406 (offset 14 lines).
> >patching file kernel/time.c
> >patching file kernel/uid16.c
> >patching file mm/filemap.c
> >Hunk #1 succeeded at 24 with fuzz 2 (offset 1 line).
> >Hunk #2 succeeded at 1896 (offset 130 lines).
> >Hunk #3 succeeded at 1785 (offset 1 line).
> >patching file mm/memory.c
> >Hunk #1 FAILED at 45.
> >1 out of 1 hunk FAILED -- saving rejects to file mm/memory.c.rej
> >patching file mm/mmap.c
> >Hunk #1 FAILED at 14.
> >Hunk #2 succeeded at 480 (offset 1 line).
> >1 out of 2 hunks FAILED -- saving rejects to file mm/mmap.c.rej
> >patching file mm/mprotect.c
> >Hunk #1 FAILED at 7.
> >Hunk #2 succeeded at 307 (offset 7 lines).
> >1 out of 2 hunks FAILED -- saving rejects to file mm/mprotect.c.rej
> >patching file mm/oom_kill.c
> >patching file mm/swapfile.c
> >Hunk #1 succeeded at 748 (offset 18 lines).
> >Hunk #2 succeeded at 917 (offset 2 lines).
> >patching file net/core/datagram.c
> >patching file net/core/dev.c
> >Hunk #2 succeeded at 2617 (offset 37 lines).
> >patching file net/core/rtnetlink.c
> >patching file net/core/scm.c
> >patching file net/core/skbuff.c
> >patching file net/core/sock.c
> >patching file net/ipv4/devinet.c
> >patching file net/ipv4/ip_fragment.c
> >patching file net/ipv4/ip_gre.c
> >patching file net/ipv4/ip_options.c
> >patching file net/ipv4/ip_output.c
> >patching file net/ipv4/ipip.c
> >patching file net/ipv4/ipmr.c
> >patching file net/ipv4/netfilter/ip_queue.c
> >patching file net/ipv4/syncookies.c
> >patching file net/ipv4/tcp_ipv4.c
> >Hunk #1 succeeded at 1309 (offset 10 lines).
> >Hunk #3 succeeded at 1770 (offset 10 lines).
> >patching file net/ipv4/tcp_minisocks.c
> >Hunk #2 succeeded at 790 (offset 5 lines).
> >patching file net/netlink/af_netlink.c
> >patching file net/socket.c
> >Hunk #1 succeeded at 514 (offset 12 lines).
> >Hunk #3 succeeded at 847 (offset 14 lines).
> >Hunk #5 succeeded at 921 (offset 14 lines).
> >Hunk #7 succeeded at 1060 (offset 14 lines).
> >Hunk #9 succeeded at 1126 (offset 14 lines).
> >Hunk #11 succeeded at 1191 (offset 14 lines).
> >Hunk #13 succeeded at 1354 (offset 14 lines).
> >Hunk #15 succeeded at 1409 (offset 14 lines).
> >patching file net/unix/af_unix.c
> >patching file security/Config.in
> >patching file security/Makefile
> >patching file security/Makefile.in
> >patching file security/capability.c
> >patching file security/dte/Makefile
> >patching file security/dte/Makefile.in
> >patching file security/dte/dte.c
> >patching file security/dte/dte.h
> >patching file security/dte/inode.c
> >patching file security/dte/module.c
> >patching file security/dte/mount.c
> >patching file security/dte/path.c
> >patching file security/dte/read_policy.c
> >patching file security/dte/syscall.c
> >patching file security/dte/task.c
> >patching file security/dummy.c
> >patching file security/lids/Config.help
> >patching file security/lids/Config.in
> >patching file security/lids/Makefile
> >patching file security/lids/Makefile.in
> >patching file security/lids/include/linux/lids.h
> >patching file security/lids/include/linux/lidsext.h
> >patching file security/lids/include/linux/lidsif.h
> >patching file security/lids/include/linux/rmd160.h
> >patching file security/lids/klids.c
> >patching file security/lids/lids_acl.c
> >patching file security/lids/lids_cap.c
> >patching file security/lids/lids_check_scan.c
> >patching file security/lids/lids_exec.c
> >patching file security/lids/lids_init.c
> >patching file security/lids/lids_logs.c
> >patching file security/lids/lids_lsm.c
> >patching file security/lids/lids_mail_script.c
> >patching file security/lids/lids_net.c
> >patching file security/lids/lids_sysctl.c
> >patching file security/lids/lids_syslog_script.c
> >patching file security/lids/rmd160.c
> >patching file security/owlsm.c
> >patching file security/owlsm.h
> >patching file security/security.c
> >patching file security/selinux/Config.in
> >patching file security/selinux/Makefile
> >patching file security/selinux/Makefile.in
> >patching file security/selinux/arch/i386/Makefile
> >patching file security/selinux/arch/i386/wrapper.c
> >patching file security/selinux/avc.c
> >patching file security/selinux/extsocket.h
> >patching file security/selinux/flask/Makefile
> >patching file security/selinux/flask/access_vectors
> >patching file security/selinux/flask/initial_sids
> >patching file security/selinux/flask/mkaccess_vector.sh
> >patching file security/selinux/flask/mkflask.sh
> >patching file security/selinux/flask/security_classes
> >patching file security/selinux/hooks.c
> >patching file security/selinux/include/asm-i386/flask/syscallaccess.h
> >patching file security/selinux/include/linux/flask/av_inherit.h
> >patching file security/selinux/include/linux/flask/av_perm_to_string.h
> >patching file security/selinux/include/linux/flask/av_permissions.h
> >patching file security/selinux/include/linux/flask/avc.h
> >patching file security/selinux/include/linux/flask/avc_ss.h
> >patching file security/selinux/include/linux/flask/class_to_string.h
> >patching file security/selinux/include/linux/flask/common_perm_to_string.h
> >patching file security/selinux/include/linux/flask/flask.h
> >patching file security/selinux/include/linux/flask/flask_types.h
> >patching file security/selinux/include/linux/flask/flnetlink.h
> >patching file security/selinux/include/linux/flask/initial_sid_to_string.h
> >patching file security/selinux/include/linux/flask/nsid.h
> >patching file security/selinux/include/linux/flask/psid.h
> >patching file security/selinux/include/linux/flask/security.h
> >patching file security/selinux/include/linux/flask/selopt.h
> >patching file security/selinux/include/linux/flask/syscalls.h
> >patching file security/selinux/include/linux/flask/syscalls_proto.h
> >patching file security/selinux/nsid.c
> >patching file security/selinux/psid.c
> >patching file security/selinux/selinux_plug.h
> >patching file security/selinux/selopt/Makefile
> >patching file security/selinux/selopt/cache.c
> >patching file security/selinux/selopt/cache.h
> >patching file security/selinux/selopt/flnetlink.c
> >patching file security/selinux/selopt/perimtab.c
> >patching file security/selinux/selopt/perimtab.h
> >patching file security/selinux/selopt/queue.c
> >patching file security/selinux/selopt/queue.h
> >patching file security/selinux/selopt/selopt_core.c
> >patching file security/selinux/ss/Makefile
> >patching file security/selinux/ss/Makefile.in
> >patching file security/selinux/ss/avtab.c
> >patching file security/selinux/ss/avtab.h
> >patching file security/selinux/ss/constraint.h
> >patching file security/selinux/ss/context.h
> >patching file security/selinux/ss/ebitmap.c
> >patching file security/selinux/ss/ebitmap.h
> >patching file security/selinux/ss/global.h
> >patching file security/selinux/ss/hashtab.c
> >patching file security/selinux/ss/hashtab.h
> >patching file security/selinux/ss/mls.c
> >patching file security/selinux/ss/mls.h
> >patching file security/selinux/ss/mls_types.h
> >patching file security/selinux/ss/policydb.c
> >patching file security/selinux/ss/policydb.h
> >patching file security/selinux/ss/policydb_inflate.c
> >patching file security/selinux/ss/queue.c
> >patching file security/selinux/ss/queue.h
> >patching file security/selinux/ss/services.c
> >patching file security/selinux/ss/services.h
> >patching file security/selinux/ss/services_private.h
> >patching file security/selinux/ss/sidtab.c
> >patching file security/selinux/ss/sidtab.h
> >patching file security/selinux/ss/symtab.c
> >patching file security/selinux/ss/symtab.h
> >patching file security/selinux/ss/syscalls.c
> >patching file security/selinux/syscalls.c
> >bash-2.05b#
> >
> >Thanks
> >king khan
> >
> >
> >
> >
> >On Wed, 19 Jan 2005 13:17:21 +0530, Syed Ahemed <kingkhan@private> wrote:
> >
> >
> >>The lines of code below are an excerpt from the kernel
> >>source after the LSM patch is applied.
> >>To try and make the question precise, I have deleted non-LSM lines
> >>from the code.
> >>
> >>1] The /usr/src/linux-2.4/include/security.h defines the
> >>security_operations struct with a socket_create field.
> >>2] /usr/src/linux-2.4/net/socket.c has the function sock_create, which calls
> >>[ security_ops->socket_create(family, type, protocol); ] to check for
> >>extended LSM security on socket creation.
> >>3] /usr/src/linux-2.4/security/selinux/hooks.c has the LSM
> >>implementation of the function call
> >>selinux_socket_create (int family, int type, int protocol, struct
> >>socket **res).
> >>
> >>Question 1 :
> >>--------------------
> >>Every time a user application tries to create a socket,
> >>net/socket.c : sock_create is invoked, and this function in turn calls
> >>the security_ops->socket_create function for the LSM check. Now where
> >>and how does selinux_socket_create come into the picture? I mean, how
> >>does it get invoked?
> >>
> >>Question 2 :
> >>------------------
> >>security_ops->socket_create( ) is the hook employed by the LSM framework;
> >>selinux_socket_create ( ) is the implementation of the security module
> >>function.
> >>Am I right?
> >>If not, where is the function code for the hook call made from socket.c?
> >>
> >> */usr/src/linux-2.4/include/security.h
> >> * @socket_create:
> >> *      Check permissions prior to creating a new socket.
> >> *      @family contains the requested protocol family.
> >> *      @type contains the requested communications type.
> >> *      @protocol contains the requested protocol.
> >> *      Return 0 if permission is granted.
> >> * @socket_post_create:
> >> *      This hook allows a module to update or allocate a per-socket security
> >> *      structure. Note that the security field was not added directly to the
> >> *      socket structure, but rather, the socket security information is stored
> >> *      in the associated inode.  Typically, the inode alloc_security hook will
> >> *      allocate and and attach security information to
> >> *      sock->inode->i_security.  This hook may be used to update the
> >> *      sock->inode->i_security field with additional information that wasn't
> >> *      available when the inode was allocated.
> >> *      @sock contains the newly created socket structure.
> >> *      @family contains the requested protocol family.
> >> *      @type contains the requested communications type.
> >> *      @protocol contains the requested protocol.
> >> * @socket_bind:
> >>
> >>struct security_operations {
> >>        int (*socket_create) (int family, int type, int protocol);
> >>        void (*socket_post_create) (struct socket * sock, int family,
> >>}
> >>
> >>********************************************************************************************************
> >>* /usr/src/linux-2.4/net/socket.c
> >>
> >>int sock_create(int family, int type, int protocol, struct socket **res)
> >>{
> >>        int i;
> >>        int err;
> >>        struct socket *sock;
> >>        err = security_ops->socket_create(family, type, protocol);
> >>        if (err)
> >>                return err;
> >>
> >>                return i;
> >>}
> >>********************************************************************************
> >>
> >>/*  /usr/src/linux-2.4/security/selinux/hooks.c */
> >>
> >>static int selinux_socket_create(int family, int type, int protocol)
> >>{
> >>        int err;
> >>        struct task_security_struct *tsec;
> >>        security_id_t tsid;
> >>
> >>        tsec = current->security;
> >>
> >>        tsid = extsocket_create(tsec);
> >>
> >>        err = avc_has_perm(tsec->sid, tsid,
> >>                           socket_type_to_security_class(family, type),
> >>                           SOCKET__CREATE);
> >>
> >>        return err;
> >>}
> >>*******************************************************************************
> >>
> >>Thanks
> >>KIng Khan
> >>
> >>
> >>On Tue, 18 Jan 2005 15:03:13 -0800, Chris Wright <chrisw@private> wrote:
> >>
> >>
> >>>* Syed Ahemed (kingkhan@private) wrote:
> >>>
> >>>
> >>>>Solution 2
> >>>>---------------
> >>>>a] LSM with SELinux: what does it do that LIDS [with/without LSM] can't?
> >>>>    Note : I haven't seen a debate LIDS vs. SELinux; maybe they aren't
> >>>>alike at all. But we have a co-existence problem to solve too.
> >>>>
> >>>>
> >>>For the purpose of your examples, consider LIDS and SELinux to have very
> >>>similar properties.
> >>>
> >>>
> >>>
> >>>>b]   Implement my own strncpy or strcpy with better length checking
> >>>>
> >>>>
> >>>For user-space buffer overflow?  Sure, it's always useful to carefully
> >>>audit that kind of code.
> >>>
> >>>
> >>>
> >>>>c] The Openwall patch as a part of the base kernel will take care of the
> >>>>executable stack issue
> >>>>
> >>>>
> >>>Base 2.6 has some support for NX stack.  Also, you can look at
> >>>exec-shield in Fedora kernels, or the SSP patch to gcc.
> >>>
> >>>Stopping the buffer overflow is fundamentally different from limiting
> >>>that damage domain.  Point is...there is no single silver bullet.
> >>>Best solution is to employ best security practices at each relevant
> >>>layer.
> >>>
> >>>thanks,
> >>>-chris
> >>>--
> >>>Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net
> >>>
> >>>
> >>>
> >
> >
> >
> 
> --
> Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
> CTO, Immunix          http://immunix.com
> 
>

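A user-space model of the dispatch asked about in Question 1, added here as an example and not code from the thread or from the kernel: the module registers its hook table with register_security(), the global security_ops pointer is switched from the dummy table to the module's, and sock_create() calls through that pointer without ever naming selinux_socket_create(). The names mirror the excerpts quoted in the thread; the deny rule inside the hook is a constructed stand-in for avc_has_perm().

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>

/* Hook table: one function pointer per mediation point.  The kernel's
 * struct security_operations has far more; only socket_create is modelled. */
struct security_operations {
    const char *name;
    int (*socket_create)(int family, int type, int protocol);
};

/* Default "dummy" module: permits everything, so the core kernel always
 * has a valid table to call through even when no module is loaded. */
static int dummy_socket_create(int family, int type, int protocol)
{
    (void)family; (void)type; (void)protocol;
    return 0;
}

static struct security_operations dummy_security_ops = {
    .name = "dummy",
    .socket_create = dummy_socket_create,
};

/* The single global pointer the core kernel calls through.  net/socket.c
 * never names selinux_socket_create(); it only dereferences this. */
static struct security_operations *security_ops = &dummy_security_ops;

/* Module registration swaps the table; a second primary module is
 * refused, mirroring the framework's behaviour. */
int register_security(struct security_operations *ops)
{
    if (security_ops != &dummy_security_ops)
        return -EAGAIN;
    security_ops = ops;
    return 0;
}

int unregister_security(struct security_operations *ops)
{
    if (security_ops != ops)
        return -EINVAL;
    security_ops = &dummy_security_ops;
    return 0;
}

/* Module side, the role selinux_socket_create() plays in hooks.c.  The
 * policy check is a constructed stand-in for avc_has_perm(): raw IPv4
 * sockets are denied, everything else is permitted. */
static int selinux_socket_create(int family, int type, int protocol)
{
    (void)protocol;
    if (family == AF_INET && type == SOCK_RAW)
        return -EACCES;   /* deny; the errno propagates to the syscall */
    return 0;             /* 0 means permission granted */
}

static struct security_operations selinux_ops = {
    .name = "selinux",
    .socket_create = selinux_socket_create,
};

/* Core-kernel side, as in net/socket.c: the hook runs before any socket
 * resources are allocated, and a non-zero result aborts the call. */
int sock_create(int family, int type, int protocol)
{
    int err = security_ops->socket_create(family, type, protocol);
    if (err)
        return err;
    /* the real function allocates and initialises the socket here */
    return 0;
}

const char *active_module(void) { return security_ops->name; }
```

With the dummy table active every sock_create() succeeds; after register_security(&selinux_ops) the same call for a raw IPv4 socket returns -EACCES, which is exactly the path by which a module's decision reaches the socket() caller.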


This archive was generated by hypermail 2.1.3 : Thu Jan 20 2005 - 06:36:03 PST