Hi, This patch makes capabilities the default when no LSM is loaded, thus resulting in more consistent behaviour with the default behaviour being independent of CONFIG_SECURITY. Enjoy, -- Kurt Garloff, Director SUSE Labs, Novell Inc.
From: Kurt Garloff <[email protected]> Subject: Default to capability rather than dummy if no LSM is loaded References: SUSE40217, SUSE39439 If a kernel is compiled with CONFIG_SECURITY to enable LSM, the default behaviour changes unless a user load capability. This is undesirable. This patch makes capability the default. capability can still be compiled as module and be loaded as LSM. If loaded as primary LSM, it won't change anything. But it can also be loaded as secondary LSM. Note that we could think of getting rid of dummy; however, it's still used as fallback for stubs that are not implemented by an LSM. I did not want to change this with this patch set, though I'd like to see it done if everyone agrees it's a good idea. This is patch 1/5 of the LSM overhaul. Makefile | 8 +++----- capability.c | 38 ++++++++++++++------------------------ commoncap.c | 37 +++++++++++++++++++++++++++++++++++++ security.c | 21 ++++++++++++--------- 4 files changed, 66 insertions(+), 38 deletions(-) Signed-off-by: Kurt Garloff <[email protected]> Index: linux-2.6.10/security/security.c =================================================================== --- linux-2.6.10.orig/security/security.c +++ linux-2.6.10/security/security.c @@ -20,10 +20,11 @@ #define SECURITY_FRAMEWORK_VERSION "1.0.0" /* things that live in dummy.c */ -extern struct security_operations dummy_security_ops; -extern void security_fixup_ops(struct security_operations *ops); +extern void security_fixup_ops (struct security_operations *ops); +/* default security ops */ +extern struct security_operations capability_security_ops; struct security_operations *security_ops; /* Initialized to NULL */ static inline int verify(struct security_operations *ops) @@ -54,15 +55,17 @@ int __init security_init(void) { printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION " initialized\n"); - if (verify(&dummy_security_ops)) { + if (verify(&capability_security_ops)) { printk(KERN_ERR "%s could not verify " - "dummy_security_ops structure.\n", __FUNCTION__); + "capability_security_ops structure.\n", __FUNCTION__); return -EIO; } - security_ops = &dummy_security_ops; + security_ops = &capability_security_ops; + + /* Initialize compiled-in security modules */ do_security_initcalls(); return 0; } @@ -86,9 +89,9 @@ int register_security(struct security_op "security_operations structure.\n", __FUNCTION__); return -EINVAL; } - if (security_ops != &dummy_security_ops) + if (security_ops != &capability_security_ops) return -EAGAIN; security_ops = ops; @@ -103,20 +106,20 @@ int register_security(struct security_op * previously been registered with a successful call to register_security(). * * If @ops does not match the valued previously passed to register_security() * an error is returned. Otherwise the default security options is set to the - * the dummy_security_ops structure, and 0 is returned. + * the capability_security_ops structure, and 0 is returned. */ int unregister_security(struct security_operations *ops) { if (ops != security_ops) { printk(KERN_INFO "%s: trying to unregister " - "a security_opts structure that is not " + "a security_ops structure that is not " "registered, failing.\n", __FUNCTION__); return -EINVAL; } - security_ops = &dummy_security_ops; + security_ops = &capability_security_ops; return 0; } Index: linux-2.6.10/security/commoncap.c =================================================================== --- linux-2.6.10.orig/security/commoncap.c +++ linux-2.6.10/security/commoncap.c @@ -324,8 +324,45 @@ int cap_vm_enough_memory(long pages) cap_sys_admin = 1; return __vm_enough_memory(pages, cap_sys_admin); } +#ifdef CONFIG_SECURITY +struct security_operations capability_security_ops = { + .ptrace = cap_ptrace, + .capget = cap_capget, + .capset_check = cap_capset_check, + .capset_set = cap_capset_set, + .capable = cap_capable, + .settime = cap_settime, + .netlink_send = cap_netlink_send, + .netlink_recv = cap_netlink_recv, + + .bprm_apply_creds = cap_bprm_apply_creds, + .bprm_set_security = cap_bprm_set_security, + .bprm_secureexec = cap_bprm_secureexec, + + .inode_setxattr = cap_inode_setxattr, + .inode_removexattr = cap_inode_removexattr, + + .task_post_setuid = cap_task_post_setuid, + .task_reparent_to_init = cap_task_reparent_to_init, + + .syslog = cap_syslog, + + .vm_enough_memory = cap_vm_enough_memory, +}; + +EXPORT_SYMBOL(capability_security_ops); +/* Note: If the capability security module is loaded, we do NOT register + * the capability_security_ops but a second structure that has the + * identical entries. The reason is that this way, + * - we could stack on top of capability if it was stackable + * - a loaded capability module will prevent others to register, which + * is the previous behaviour; if capabilities are used as default (not + * because the module has been loaded), we allow the replacement. + */ +#endif + EXPORT_SYMBOL(cap_capable); EXPORT_SYMBOL(cap_settime); EXPORT_SYMBOL(cap_ptrace); EXPORT_SYMBOL(cap_capget); Index: linux-2.6.10/security/Makefile =================================================================== --- linux-2.6.10.orig/security/Makefile +++ linux-2.6.10/security/Makefile @@ -4,16 +4,14 @@ obj-$(CONFIG_KEYS) += keys/ subdir-$(CONFIG_SECURITY_SELINUX) += selinux -# if we don't select a security model, use the default capabilities -ifneq ($(CONFIG_SECURITY),y) +# We always need commoncap as it's default obj-y += commoncap.o -endif # Object file lists obj-$(CONFIG_SECURITY) += security.o dummy.o # Must precede capability.o in order to stack properly. obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o -obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o -obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o +obj-$(CONFIG_SECURITY_CAPABILITIES) += capability.o +obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o obj-$(CONFIG_SECURITY_SECLVL) += seclvl.o Index: linux-2.6.10/security/capability.c =================================================================== --- linux-2.6.10.orig/security/capability.c +++ linux-2.6.10/security/capability.c @@ -23,32 +23,21 @@ #include <linux/netlink.h> #include <linux/ptrace.h> #include <linux/moduleparam.h> -static struct security_operations capability_ops = { - .ptrace = cap_ptrace, - .capget = cap_capget, - .capset_check = cap_capset_check, - .capset_set = cap_capset_set, - .capable = cap_capable, - .settime = cap_settime, - .netlink_send = cap_netlink_send, - .netlink_recv = cap_netlink_recv, - - .bprm_apply_creds = cap_bprm_apply_creds, - .bprm_set_security = cap_bprm_set_security, - .bprm_secureexec = cap_bprm_secureexec, - - .inode_setxattr = cap_inode_setxattr, - .inode_removexattr = cap_inode_removexattr, - - .task_post_setuid = cap_task_post_setuid, - .task_reparent_to_init = cap_task_reparent_to_init, - - .syslog = cap_syslog, - - .vm_enough_memory = cap_vm_enough_memory, -}; +/* Note: If the capability security module is loaded, we do NOT register + * the capability_security_ops but a second structure capability_ops + * that has the identical entries. The reasons: + * - we could stack on top of capability if it was stackable + * - a loaded capability module will prevent others to register, which + * is the previous behaviour; if capabilities are used as default (not + * because the module has been loaded), we allow the replacement. + */ + +/* Struct from commoncaps */ +extern struct security_operations capability_security_ops; +/* Struct to hold the copy */ +static struct security_operations capability_ops; #define MY_NAME __stringify(KBUILD_MODNAME) /* flag to keep track of how we were registered */ @@ -59,8 +48,9 @@ module_param_named(disable, capability_d MODULE_PARM_DESC(disable, "To disable capabilities module set disable = 1"); static int __init capability_init (void) { + memcpy(&capability_ops, &capability_security_ops, sizeof(capability_ops)); if (capability_disable) { printk(KERN_INFO "Capabilities disabled at initialization\n"); return 0; }
Attachment:
pgpDNvCkx2hCB.pgp
Description: PGP signature
- Follow-Ups:
- Re: [PATCH 1/3] Make cap default
- From: Tony Jones <[email protected]>
- Re: [PATCH 1/3] Make cap default
- Prev by Date: [PATCH 0/3] LSM hooks consolidation
- Next by Date: [PATCH 2a/3] Reorder the security stubs
- Previous by thread: [PATCH 0/3] LSM hooks consolidation
- Next by thread: Re: [PATCH 1/3] Make cap default
- Index(es):