| From: |
| Huagang Xie <xie@www.lids.org> |
| To: |
| Chris Wright <chris@wirex.com> |
| Subject: |
| lids 2.0.1pre4 for kernel 2.5.31-lsm1 |
| Date: |
| Thu, 15 Aug 2002 15:48:26 -0700 (PDT) |
| Cc: |
| LIDS Mailing List <lids-user@lists.sourceforge.net>,
linux-security-module@wirex.com |
Hi,
This version:
1. Moves the ACL file-open permission checking from
file_permission() to inode_permission().
2. Fixes "major/minor" to "MAJOR/MINOR", which previously prevented LIDS
from compiling correctly.
3. This version only works with kernel 2.5.31.
Thanks,
Huagang
--
LIDS secure linux kernel
http://www.lids.org/
1024D/B6EFB028 4731 2BF7 7735 4DBD 3771 4E24 B53B B60A B6EF B028
diff -Nru security/lids_old/include/linux/lids.h security/lids/include/linux/lids.h
--- security/lids_old/include/linux/lids.h Fri May 3 10:54:55 2002
+++ security/lids/include/linux/lids.h Thu Aug 15 14:34:07 2002
@@ -18,7 +18,7 @@
#define KERNEL_VERSION(x,y,z) (((x)<<16)+((y)<<8)+(z))
#endif
-#define LIDS_VERSION "2.0.1pre3"
+#define LIDS_VERSION "2.0.1pre4"
/* FIXME: some more externals in kernel/signal.c and kernel/sysctl.c */
typedef struct
diff -Nru security/lids_old/lids_exec.c security/lids/lids_exec.c
--- security/lids_old/lids_exec.c Thu Aug 15 14:05:38 2002
+++ security/lids/lids_exec.c Thu Aug 15 14:34:07 2002
@@ -203,8 +203,8 @@
#ifdef CONFIG_LIDS_NO_EXEC_UP
lids_security_alert("Attempt to exec unprotected program %s (dev %d:%d inode %ld) before sealing LIDS",
bprm->filename,
- major(dentry->d_inode->i_dev),
- minor(dentry->d_inode->i_dev),
+ MAJOR(dentry->d_inode->i_dev),
+ MINOR(dentry->d_inode->i_dev),
dentry->d_inode->i_ino);
if (dentry)
dput(dentry);
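Review bot: The alert on the new MAJOR/MINOR lines dereferences `dentry->d_inode` unconditionally, yet the very next statement guards `dput()` with `if (dentry)`, so either that guard is dead or the alert can fault on a NULL dentry. Make the two agree: if dentry can be NULL at this point, move the lids_security_alert() call inside the `if (dentry)` block (or log without the dev/inode fields), otherwise drop the guard and call `dput(dentry);` directly. The enclosing function starts before this hunk and continues after it, so I cannot tell from here which of the two is the case.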
@@ -212,8 +212,8 @@
#else
lids_security_alert("Exec'ed unprotected program %s (dev %d:%d inode %ld) before sealing LIDS",
bprm->filename,
- major(dentry->d_inode->i_dev),
- minor(dentry->d_inode->i_dev),
+ MAJOR(dentry->d_inode->i_dev),
+ MINOR(dentry->d_inode->i_dev),
dentry->d_inode->i_ino);
#endif
}
diff -Nru security/lids_old/lids_lsm.c security/lids/lids_lsm.c
--- security/lids_old/lids_lsm.c Thu Aug 15 14:05:38 2002
+++ security/lids/lids_lsm.c Thu Aug 15 15:03:12 2002
@@ -463,18 +463,46 @@
static int lids_inode_permission (struct inode *inode, int mask)
{
- if(lids_load && lids_local_load ) {
- if(lids_check_hidden_inode(inode->i_ino, to_kdev_t(inode->i_dev))) {
- if(lids_check_acl_inode(inode,LIDS_READONLY,0)) {
- lids_security_alert("Attempt to read (dev %d:%d, ino %ld)",
- MAJOR(inode->i_dev),
- MINOR(inode->i_dev),
- inode->i_ino);
- return -EPERM;
+ struct list_head *head, *next, *tmp;
+ struct dentry *d;
+ int error = 0;
+
+ if(!(lids_load&&lids_local_load)) return 0;
+
+ spin_lock(&dcache_lock);
+ head = &inode->i_dentry;
+ next = inode->i_dentry.next;
+
+ while (next != head) {
+ tmp = next;
+ next = tmp->next;
+ d = list_entry(tmp, struct dentry, d_alias);
+
+ if( (mask&MAY_APPEND)) {
+ error = lids_check_base(d,LIDS_APPEND);
+ if(error) {
+ lids_security_alert("Attempt to open %.1024s appending",d->d_iname);
+ error=-EPERM;
+ }
+ }
+ else if( (mask&MAY_WRITE)){
+ error = lids_check_base(d,LIDS_WRITE);
+ if(error) {
+ lids_security_alert("Attempt to open %.1024s for writing",d->d_iname);
+ error=-EPERM;
}
}
+ else if( (mask&MAY_EXEC)){
+ error = lids_check_base(d,LIDS_READONLY);
+ if(error) {
+ lids_security_alert("Attempt to for reading %.1024s",d->d_iname);
+ error = -ENOENT;
+ }
+
+ }
}
- return 0;
+ spin_unlock(&dcache_lock);
+ return error;
}
static int lids_inode_permission_lite (struct inode *inode, int mask)
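Review bot: A denial found on one alias of the inode is discarded when the d_alias walk continues, because each later iteration reassigns `error = lids_check_base(...)` and lids_inode_permission() returns only the value produced by the last alias, so a hard link to a protected file that lives in an unprotected directory would be opened for writing; stop the walk at the first denial by adding `if (error) break;` as the last statement of the while body, after the three branches. lids_security_alert() is now called with dcache_lock held; if that routine can sleep or itself takes dcache_lock, record the decision in the loop and emit the alert after `spin_unlock(&dcache_lock)`. The removed lids_check_hidden_inode()/LIDS_READONLY path has no counterpart in the new loop, so plain MAY_READ requests are no longer checked in this hook at all; if that is intended, the commit message should say so. `d->d_iname` is only the inline short-name buffer, so longer names are printed truncated; `d->d_name.name` is the general field for the alerts.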
@@ -533,36 +561,7 @@
static int lids_file_permission (struct file *file, int mask)
{
- int error = 0;
-
- if(lids_load && lids_local_load ) {
-
- if( (mask&MAY_APPEND)) {
- if(mask & O_APPEND) {
- error = lids_check_base(file->f_dentry,LIDS_APPEND);
- }
- if(error) {
- lids_security_alert("Attempt to open %.1024s appending,mask=%d",file->f_dentry->d_iname, mask);
- error=-EPERM;
- }
- }
- else if( (mask&MAY_WRITE)){
- error = lids_check_base(file->f_dentry,LIDS_WRITE);
- if(error) {
- lids_security_alert("Attempt to open %.1024s for writing,mask=%d",file->f_dentry->d_iname,mask);
- error=-EPERM;
- }
- }
- else if( (mask&MAY_EXEC)){
- error = lids_check_base(file->f_dentry,LIDS_READONLY);
- if(error) {
- lids_security_alert("Attempt to for reading %.1024s ,mask=%d",file->f_dentry->d_iname, mask);
- error = -ENOENT;
- }
-
- }
- }
- return error;
+ return 0;
}
static int lids_file_alloc_security (struct file *file)
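Review bot: lids_file_permission() is reduced to a bare `return 0;` with nothing saying where the check went, so a reader will take it for an unimplemented hook. Add a one-line comment above the return, e.g. `/* ACL open checks now live in lids_inode_permission(); nothing to do here. */`, so the relationship between the two hooks survives the move.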