Quoting Stephen Smalley ([email protected]):
> These hooks pose a similar problem for stacking as with the
> [gs]etprocattr hooks, although [gs]etsecurity have the benefit of
> already taking a distinguishing name suffix (the part after the
> security. prefix). Note also that inode_getsecurity returns the number
> of bytes used/required on success.
The attached patch tries to handle the get,set, and listsecurity hooks.
> The proposed inode_init_security hook will likewise have an issue for
> stacking.
I guess I'll wait to patch that until the hook shows up in 2.6.13-rc?,
since my patches are generally against that tree.
thanks,
-serge
Signed-off-by: Serge Hallyn <[email protected]>
--
stacker.c | 79 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++---
1 files changed, 76 insertions(+), 3 deletions(-)
Index: linux-2.6.13-rc3/security/stacker.c
===================================================================
--- linux-2.6.13-rc3.orig/security/stacker.c 2005-07-13 15:21:01.000000000 -0500
+++ linux-2.6.13-rc3/security/stacker.c 2005-07-13 15:21:05.000000000 -0500
@@ -569,19 +569,92 @@ static int stacker_inode_removexattr (st
RETURN_ERROR_IF_ANY_ERROR(inode_removexattr,inode_removexattr(dentry,name));
}
+/*
+ * inode_getsecurity: We loop through all modules until one does not return
+ * -EOPNOTSUPP.
+ * Note that if some LSM returns -EPERM, stacker assumes the LSM knows what
+ * it's doing. If you don't want to control the name, then return
+ * -EOPNOTSUPP!
+ */
static int stacker_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size)
{
- RETURN_ERROR_IF_ANY_ERROR(inode_getsecurity,inode_getsecurity(inode,name,buffer,size));
+ struct module_entry *m;
+ int ret = -EOPNOTSUPP;
+
+ rcu_read_lock();
+ stack_for_each_entry(m, &stacked_modules, lsm_list) {
+ if (!m->module_operations.inode_getsecurity)
+ continue;
+ rcu_read_unlock();
+ ret = m->module_operations.inode_getsecurity(inode,name,buffer,size);
+ rcu_read_lock();
+ if (ret != -EOPNOTSUPP)
+ break;
+ }
+ rcu_read_unlock();
+
+ return ret;
}
+/*
+ * inode_setsecurity: We loop through all modules until one does not return
+ * -EOPNOTSUPP.
+ * Note that if some LSM returns -EPERM, stacker assumes the LSM knows what
+ * it's doing. If you don't want to control the name, then return
+ * -EOPNOTSUPP!
+ */
static int stacker_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
{
- RETURN_ERROR_IF_ANY_ERROR(inode_setsecurity,inode_setsecurity(inode,name,value,size,flags));
+ struct module_entry *m;
+ int ret = -EOPNOTSUPP;
+
+ rcu_read_lock();
+ stack_for_each_entry(m, &stacked_modules, lsm_list) {
+ if (!m->module_operations.inode_setsecurity)
+ continue;
+ rcu_read_unlock();
+ ret = m->module_operations.inode_setsecurity(inode, name,
+ value, size, flags);
+ rcu_read_lock();
+ if (ret != -EOPNOTSUPP)
+ break;
+ }
+ rcu_read_unlock();
+
+ return ret;
}
+/*
+ * inode_listsecurity: We loop through all modules appending to buffer, and return
+ * the newline-separated list of security names defined for this inode.
+ */
static int stacker_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
- RETURN_ERROR_IF_ANY_ERROR(inode_listsecurity,inode_listsecurity(inode,buffer, buffer_size));
+ int ret = 0;
+ struct module_entry *m;
+
+ rcu_read_lock();
+ stack_for_each_entry(m, &stacked_modules, lsm_list) {
+ int thislen;
+
+ if (!m->module_operations.inode_listsecurity)
+ continue;
+ rcu_read_unlock();
+ thislen = m->module_operations.inode_listsecurity(inode,
+ buffer+ret, buffer_size-ret);
+ rcu_read_lock();
+ if (thislen < 0)
+ continue;
+ ret += thislen;
+ if (ret >= buffer_size) {
+ ret = -ERANGE;
+ break;
+ }
+ buffer[ret++] = '\n';
+ }
+ rcu_read_unlock();
+
+ return ret;
}
static int stacker_file_permission (struct file *file, int mask)
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
|
|