Re: Stacking LSM proof-of-concept

From: John Richard Moser (nigelenki@private)
Date: Sat Jan 29 2005 - 09:34:44 PST


You found a bug, wow.

Thanks, but I was more looking for comment on what I did in
security/grsecurity/grsecurity.c and security/grsecurity/grfunctions.c.

I think this may have outlived its usefulness, so I might abandon it
soon, since I think I've learned all I can about LSM and how it works
(and how to write my own) from it.

Greg KH wrote:
> On Thu, Jan 27, 2005 at 11:20:03PM -0500, John Richard Moser wrote:
> 
>>diff -urNp linux-2.6.10/drivers/pci/proc.c linux-2.6.10-grs/drivers/pci/proc.c
>>--- linux-2.6.10/drivers/pci/proc.c	2004-12-24 16:34:58.000000000 -0500
>>+++ linux-2.6.10-grs/drivers/pci/proc.c	2005-01-25 21:01:26.312458000 -0500
>>@@ -12,6 +12,9 @@
>> #include <linux/proc_fs.h>
>> #include <linux/seq_file.h>
>> #include <linux/smp_lock.h>
>>+#ifdef CONFIG_GRSECURITY
>>+# include <linux/grsecurity.h>
>>+#endif
> 
> 
> Don't put ifdefs in .c files.
> 
> 
>> #include <asm/uaccess.h>
>> #include <asm/byteorder.h>
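
Review bot: The include of <linux/grsecurity.h> at the top of
drivers/pci/proc.c is wrapped in #ifdef CONFIG_GRSECURITY, which pushes
the configuration test into every file that uses a hook. Include the
header unconditionally and let linux/grsecurity.h itself test
CONFIG_GRSECURITY, declaring the real hooks when it is set and empty
static inline stubs when it is not, so callers compile the same way in
both configurations.
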
>>@@ -565,7 +568,19 @@ static struct file_operations proc_pci_o
>> 
>> static void legacy_proc_init(void)
>> {
>>-	struct proc_dir_entry * entry = create_proc_entry("pci", 0, NULL);
>>+	struct proc_dir_entry * entry = NULL;
>>+#ifdef CONFIG_GRSECURITY
>>+	int error;
>>+	error = gr_proc_pci_legacy_init(&entry);
>>+	/*
>>+	 * If this returns 0, we generate the entry as normal.
>>+	 * If it returns non-zero, we assume entry was or will not be
>>+	 * generated
>>+	 */
>>+	if (!error)
>>+#else
>>+	entry = create_proc_entry("pci", 0, NULL);
>>+#endif
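
Review bot: In legacy_proc_init(), `if (!error)` is the last statement
of the #ifdef CONFIG_GRSECURITY branch while
`entry = create_proc_entry("pci", 0, NULL);` sits in the #else branch,
so with the option enabled the call is compiled out and the if binds to
whatever statement follows the final #endif; entry stays NULL unless the
hook filled it in. Close the conditional right after `if (!error)` so
the create_proc_entry() call is its body in both configurations, or give
gr_proc_pci_legacy_init() a stub that returns 0 when the option is off
and drop the #ifdef from this function. The comment "entry was or will
not be generated" also leaves the contract for &entry unclear: state
whether the hook may set entry and what the caller should expect on a
non-zero return.
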
> 
> 
> So, no pci proc entry if your option is enabled?  That's broken.
> 

Should be #endif instead of #else, and dump the other #endif.

> Again, no #ifdefs in .c files please.

Trying to dump the hooks when disabled.
> 
> thanks,
> 
> greg k-h
> 

--
All content of all messages exchanged herein is left in the
Public Domain, unless otherwise explicitly stated.



