LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Weekly Edition

Return to the Kernel page

Recent Features

LWN.net Weekly Edition for June 20, 2013

Pencil, Pencil, and Pencil

Dividing the Linux desktop

LWN.net Weekly Edition for June 13, 2013

A report from pgCon 2013

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

Discarding networking privilege via LSM

From:  Michael Stone <michael@laptop.org>
To:  Alan Cox <alan@lxorguk.ukuu.org.uk>
Subject:  [PATCH 0/3] Discarding networking privilege via LSM
Date:  Wed, 23 Dec 2009 20:42:58 -0500
Message-ID:  <20091224014258.GA24115@heat>
Cc:  Michael Stone <michael@laptop.org>, linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen <andi@firstfloor.org>, David Lang <david@lang.hm>, Oliver Hartkopp <socketcan@hartkopp.net>, Alan Cox <alan@lxorguk.ukuu.org.uk>, Herbert Xu <herbert@gondor.apana.org.au>, Valdis Kletnieks <Valdis.Kletnieks@vt.edu>, Bryan Donlan <bdonlan@gmail.com>, Evgeniy Polyakov <zbr@ioremap.net>, "C. Scott Ananian" <cscott@cscott.net>, James Morris <jmorris@namei.org>, "Eric W. Biederman" <ebiederm@xmission.com>, Bernie Innocenti <bernie@codewiz.org>, Mark Seaborn <mrs@mythic-beasts.com>, Randy Dunlap <randy.dunlap@oracle.com>, =?iso-8859-1?Q?Am=E9rico?= Wang <xiyou.wangcong@gmail.com>
Archive-link:  Article, Thread 

Alan,

As you requested, here's a (rough) draft of my patch series which uses the
security_* hooks instead of direct modification of the networking functions. 

Have you further suggestions for improvement?

Regards,

Michael

P.S. - The most notable behavioral difference between this patch and the
previous one is that abstract unix sockets are exempted from control in this
patch but are restricted by the previous one. We can revisit this detail in
subsequent patches if this approach seems viable.

Michael Stone (3):
   Security: Add prctl(PR_{GET,SET}_NETWORK) interface. (v3)
   Security: Implement prctl(PR_SET_NETWORK, PR_NETWORK_OFF) semantics. (v3)
   Security: Document prctl(PR_{GET,SET}_NETWORK). (v3)

  Documentation/prctl/network.txt |   74 ++++++++++++++++++++++++++
  include/linux/prctl.h           |    7 +++
  include/linux/prctl_network.h   |    7 +++
  include/linux/sched.h           |    2 +
  kernel/sys.c                    |   32 +++++++++++
  security/Kconfig                |   13 +++++
  security/Makefile               |    1 +
  security/prctl_network.c        |  110 +++++++++++++++++++++++++++++++++++++++
  8 files changed, 246 insertions(+), 0 deletions(-)
  create mode 100644 Documentation/prctl/network.txt
  create mode 100644 include/linux/prctl_network.h
  create mode 100644 security/prctl_network.c
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Copyright © 2009, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds