| From: |
| "Stephen D. Smalley" <sds@epoch.ncsc.mil> |
| To: |
| linux-security-module@wirex.com |
| Subject: |
| [patch] CONFIG_SECURITY_NETWORK |
| Date: |
| Mon, 27 Jan 2003 12:49:56 -0500 (EST) |
The attached patch for lsm-2.5 adds a CONFIG_SECURITY_NETWORK option
for the socket and networking security fields and hooks. At present,
it excludes the netlink hooks and the ip_decode_options hook, since
the capabilities module uses those hooks to implement capability tests
migrated from the base kernel. It rearranges the security_ops structure
to move the optional socket and networking hooks to the end of the structure.
The patch moves the 'security = NULL' initializations for the sock and
open request structures into the corresponding alloc_security hooks
since those initializations are colocated with the allocation. In the
sk_buff case, the patch simply #ifdef's the initialization, since other
similar #ifdef'd initializations exist in skb_headerinit. If desired,
we could define a static inline function for that purpose, but it
didn't seem to be necessary.
The patch updates SELinux appropriately so that its socket and
networking functionality (including the NetFilter-based hooks) is
omitted if the option is not enabled. The patch simply removes the
socket and networking hooks from DTE since it is not really using them
anyway.
Comments?
--
Stephen Smalley, NSA
sds@epoch.ncsc.mil
Index: lsm-2.5/include/linux/netdevice.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/include/linux/netdevice.h,v
retrieving revision 1.12
diff -u -r1.12 netdevice.h
--- lsm-2.5/include/linux/netdevice.h 17 Jan 2003 15:22:45 -0000 1.12
+++ lsm-2.5/include/linux/netdevice.h 27 Jan 2003 14:31:38 -0000
@@ -442,7 +442,9 @@
/* generic object representation */
struct kobject kobj;
+#ifdef CONFIG_SECURITY_NETWORK
void *security;
+#endif
};
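Review bot: The new `#endif` after `void *security;` carries no trailing comment, unlike the annotated `#endif /* CONFIG_SECURITY */` and `#endif /* CONFIG_SECURITY_NETWORK */` elsewhere in this patch; in a struct as large as net_device it should read `#endif /* CONFIG_SECURITY_NETWORK */`. The covering message says where the `security = NULL` initialisations move for sock, open_request and sk_buff but is silent about net_device, so it is worth confirming that whatever allocates a `struct net_device` still leaves this field NULL, or that the module's hook sets it, when the option is enabled.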
Index: lsm-2.5/include/linux/security.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/include/linux/security.h,v
retrieving revision 1.35
diff -u -r1.35 security.h
--- lsm-2.5/include/linux/security.h 24 Jan 2003 20:32:48 -0000 1.35
+++ lsm-2.5/include/linux/security.h 27 Jan 2003 15:59:14 -0000
@@ -1178,10 +1178,8 @@
int (*netlink_send) (struct sk_buff * skb);
int (*netlink_recv) (struct sk_buff * skb);
-
- int (*unix_stream_connect) (struct socket * sock,
- struct socket * other, struct sock * newsk);
- int (*unix_may_send) (struct socket * sock, struct socket * other);
+ int (*ip_decode_options) (struct sk_buff * skb,
+ const char *optptr, unsigned char **pp_ptr);
int (*bprm_alloc_security) (struct linux_binprm * bprm);
void (*bprm_free_security) (struct linux_binprm * bprm);
@@ -1294,6 +1292,49 @@
void (*task_kmod_set_label) (void);
void (*task_reparent_to_init) (struct task_struct * p);
+ int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
+
+ int (*msg_msg_alloc_security) (struct msg_msg * msg);
+ void (*msg_msg_free_security) (struct msg_msg * msg);
+
+ int (*msg_queue_alloc_security) (struct msg_queue * msq);
+ void (*msg_queue_free_security) (struct msg_queue * msq);
+ int (*msg_queue_associate) (struct msg_queue * msq, int msqflg);
+ int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd);
+ int (*msg_queue_msgsnd) (struct msg_queue * msq,
+ struct msg_msg * msg, int msqflg);
+ int (*msg_queue_msgrcv) (struct msg_queue * msq,
+ struct msg_msg * msg,
+ struct task_struct * target,
+ long type, int mode);
+
+ int (*shm_alloc_security) (struct shmid_kernel * shp);
+ void (*shm_free_security) (struct shmid_kernel * shp);
+ int (*shm_associate) (struct shmid_kernel * shp, int shmflg);
+ int (*shm_shmctl) (struct shmid_kernel * shp, int cmd);
+ int (*shm_shmat) (struct shmid_kernel * shp,
+ char *shmaddr, int shmflg);
+
+ int (*sem_alloc_security) (struct sem_array * sma);
+ void (*sem_free_security) (struct sem_array * sma);
+ int (*sem_associate) (struct sem_array * sma, int semflg);
+ int (*sem_semctl) (struct sem_array * sma, int cmd);
+ int (*sem_semop) (struct sem_array * sma,
+ struct sembuf * sops, unsigned nsops, int alter);
+
+ /* allow module stacking */
+ int (*register_security) (const char *name,
+ struct security_operations *ops);
+ int (*unregister_security) (const char *name,
+ struct security_operations *ops);
+
+ void (*d_instantiate) (struct dentry * dentry, struct inode * inode);
+
+#ifdef CONFIG_SECURITY_NETWORK
+ int (*unix_stream_connect) (struct socket * sock,
+ struct socket * other, struct sock * newsk);
+ int (*unix_may_send) (struct socket * sock, struct socket * other);
+
int (*socket_create) (int family, int type, int protocol);
void (*socket_post_create) (struct socket * sock, int family,
int type, int protocol);
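Review bot: The `#ifdef CONFIG_SECURITY_NETWORK` introduced inside `struct security_operations` has no comment explaining why the network hooks were moved to the tail of the structure, although the covering message gives the reason (optional hooks last, so the layout of the mandatory hooks is the same with or without the option). Recording that at the guard stops a later contributor from appending an unconditional hook after it: `/* Network hooks are optional (CONFIG_SECURITY_NETWORK) and must stay last so the layout of the hooks above does not depend on the option. */`. It may also help to note there that netlink_send/netlink_recv and ip_decode_options deliberately stay above the guard because the capabilities module implements them, as the description states.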
@@ -1342,48 +1383,9 @@
int (*ip_defragment) (struct sk_buff * skb);
void (*ip_encapsulate) (struct sk_buff * skb);
void (*ip_decapsulate) (struct sk_buff * skb);
- int (*ip_decode_options) (struct sk_buff * skb,
- const char *optptr, unsigned char **pp_ptr);
void (*netdev_unregister) (struct net_device * dev);
-
- int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
-
- int (*msg_msg_alloc_security) (struct msg_msg * msg);
- void (*msg_msg_free_security) (struct msg_msg * msg);
-
- int (*msg_queue_alloc_security) (struct msg_queue * msq);
- void (*msg_queue_free_security) (struct msg_queue * msq);
- int (*msg_queue_associate) (struct msg_queue * msq, int msqflg);
- int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd);
- int (*msg_queue_msgsnd) (struct msg_queue * msq,
- struct msg_msg * msg, int msqflg);
- int (*msg_queue_msgrcv) (struct msg_queue * msq,
- struct msg_msg * msg,
- struct task_struct * target,
- long type, int mode);
-
- int (*shm_alloc_security) (struct shmid_kernel * shp);
- void (*shm_free_security) (struct shmid_kernel * shp);
- int (*shm_associate) (struct shmid_kernel * shp, int shmflg);
- int (*shm_shmctl) (struct shmid_kernel * shp, int cmd);
- int (*shm_shmat) (struct shmid_kernel * shp,
- char *shmaddr, int shmflg);
-
- int (*sem_alloc_security) (struct sem_array * sma);
- void (*sem_free_security) (struct sem_array * sma);
- int (*sem_associate) (struct sem_array * sma, int semflg);
- int (*sem_semctl) (struct sem_array * sma, int cmd);
- int (*sem_semop) (struct sem_array * sma,
- struct sembuf * sops, unsigned nsops, int alter);
-
- /* allow module stacking */
- int (*register_security) (const char *name,
- struct security_operations *ops);
- int (*unregister_security) (const char *name,
- struct security_operations *ops);
-
- void (*d_instantiate) (struct dentry * dentry, struct inode * inode);
+#endif
};
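Review bot: The `#endif` that closes the network-hook section of `struct security_operations` has no trailing comment, even though its matching `#ifdef CONFIG_SECURITY_NETWORK` is well over a hundred lines earlier in the struct and the other new `#endif`s in this header are annotated; write it as `#endif /* CONFIG_SECURITY_NETWORK */`. It also seems worth confirming that `netdev_unregister` is inside the guard on purpose: the `net_device.security` field it presumably releases is itself made conditional by the netdevice.h hunk, so the two must stay in step.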
/* global variables */
@@ -1500,19 +1502,11 @@
return security_ops->netlink_recv(skb);
}
-
-static inline int security_unix_stream_connect(struct socket * sock,
- struct socket * other,
- struct sock * newsk)
-{
- return security_ops->unix_stream_connect(sock, other, newsk);
-}
-
-
-static inline int security_unix_may_send(struct socket * sock,
- struct socket * other)
+static inline int security_ip_decode_options(struct sk_buff * skb,
+ const char *optptr,
+ unsigned char **pp_ptr)
{
- return security_ops->unix_may_send(sock, other);
+ return security_ops->ip_decode_options(skb, optptr, pp_ptr);
}
static inline int security_bprm_alloc (struct linux_binprm *bprm)
@@ -1949,356 +1943,156 @@
security_ops->task_reparent_to_init (p);
}
-static inline int security_socket_create (int family, int type, int protocol)
+static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
+ short flag)
{
- return security_ops->socket_create(family, type, protocol);
+ return security_ops->ipc_permission (ipcp, flag);
}
-static inline void security_socket_post_create(struct socket * sock,
- int family,
- int type,
- int protocol)
+static inline int security_msg_msg_alloc (struct msg_msg * msg)
{
- security_ops->socket_post_create(sock, family, type, protocol);
+ return security_ops->msg_msg_alloc_security (msg);
}
-static inline int security_socket_bind(struct socket * sock,
- struct sockaddr * address,
- int addrlen)
+static inline void security_msg_msg_free (struct msg_msg * msg)
{
- return security_ops->socket_bind(sock, address, addrlen);
+ security_ops->msg_msg_free_security(msg);
}
-static inline int security_socket_connect(struct socket * sock,
- struct sockaddr * address,
- int addrlen)
+static inline int security_msg_queue_alloc (struct msg_queue *msq)
{
- return security_ops->socket_connect(sock, address, addrlen);
+ return security_ops->msg_queue_alloc_security (msq);
}
-static inline int security_socket_listen(struct socket * sock, int backlog)
+static inline void security_msg_queue_free (struct msg_queue *msq)
{
- return security_ops->socket_listen(sock, backlog);
+ security_ops->msg_queue_free_security (msq);
}
-static inline int security_socket_accept(struct socket * sock,
- struct socket * newsock)
+static inline int security_msg_queue_associate (struct msg_queue * msq,
+ int msqflg)
{
- return security_ops->socket_accept(sock, newsock);
+ return security_ops->msg_queue_associate (msq, msqflg);
}
-static inline void security_socket_post_accept(struct socket * sock,
- struct socket * newsock)
+static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
{
- security_ops->socket_post_accept(sock, newsock);
+ return security_ops->msg_queue_msgctl (msq, cmd);
}
-static inline int security_socket_sendmsg(struct socket * sock,
- struct msghdr * msg, int size)
+static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
+ struct msg_msg * msg, int msqflg)
{
- return security_ops->socket_sendmsg(sock, msg, size);
+ return security_ops->msg_queue_msgsnd (msq, msg, msqflg);
}
-static inline int security_socket_recvmsg(struct socket * sock,
- struct msghdr * msg, int size,
- int flags)
+static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
+ struct msg_msg * msg,
+ struct task_struct * target,
+ long type, int mode)
{
- return security_ops->socket_recvmsg(sock, msg, size, flags);
+ return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode);
}
-static inline int security_socket_getsockname(struct socket * sock)
+static inline int security_shm_alloc (struct shmid_kernel *shp)
{
- return security_ops->socket_getsockname(sock);
+ return security_ops->shm_alloc_security (shp);
}
-static inline int security_socket_getpeername(struct socket * sock)
+static inline void security_shm_free (struct shmid_kernel *shp)
{
- return security_ops->socket_getpeername(sock);
+ security_ops->shm_free_security (shp);
}
-static inline int security_socket_getsockopt(struct socket * sock,
- int level, int optname)
+static inline int security_shm_associate (struct shmid_kernel * shp,
+ int shmflg)
{
- return security_ops->socket_getsockopt(sock, level, optname);
+ return security_ops->shm_associate(shp, shmflg);
}
-static inline int security_socket_setsockopt(struct socket * sock,
- int level, int optname)
+static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
{
- return security_ops->socket_setsockopt(sock, level, optname);
+ return security_ops->shm_shmctl (shp, cmd);
}
-static inline int security_socket_shutdown(struct socket * sock, int how)
+static inline int security_shm_shmat (struct shmid_kernel * shp,
+ char *shmaddr, int shmflg)
{
- return security_ops->socket_shutdown(sock, how);
+ return security_ops->shm_shmat(shp, shmaddr, shmflg);
}
-static inline int security_sock_alloc(struct sock * sk,
- int gfp_mask)
+static inline int security_sem_alloc (struct sem_array *sma)
{
- return security_ops->socket_sock_alloc_security(sk, gfp_mask);
+ return security_ops->sem_alloc_security (sma);
}
-static inline void security_sock_free(struct sock * sk)
+static inline void security_sem_free (struct sem_array *sma)
{
- security_ops->socket_sock_free_security(sk);
+ security_ops->sem_free_security (sma);
}
-static inline int security_sock_rcv_skb (struct sock * sk,
- struct sk_buff * skb)
+static inline int security_sem_associate (struct sem_array * sma, int semflg)
{
- return security_ops->socket_sock_rcv_skb (sk, skb);
+ return security_ops->sem_associate (sma, semflg);
}
-static inline int security_open_request_alloc (struct open_request * req)
+static inline int security_sem_semctl (struct sem_array * sma, int cmd)
{
- return security_ops->open_request_alloc_security (req);
+ return security_ops->sem_semctl(sma, cmd);
}
-static inline void security_open_request_free (struct open_request * req)
+static inline int security_sem_semop (struct sem_array * sma,
+ struct sembuf * sops, unsigned nsops,
+ int alter)
{
- security_ops->open_request_free_security (req);
+ return security_ops->sem_semop(sma, sops, nsops, alter);
}
-static inline void security_tcp_connection_request(struct sock * sk,
- struct sk_buff * skb,
- struct open_request * req)
+static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
{
- security_ops->tcp_connection_request(sk, skb, req);
+ security_ops->d_instantiate (dentry, inode);
}
-static inline void security_tcp_synack(struct sock * sk,
- struct sk_buff * skb,
- struct open_request * req)
+/* prototypes */
+extern int security_scaffolding_startup (void);
+extern int register_security (struct security_operations *ops);
+extern int unregister_security (struct security_operations *ops);
+extern int mod_reg_security (const char *name, struct security_operations *ops);
+extern int mod_unreg_security (const char *name, struct security_operations *ops);
+
+#else /* CONFIG_SECURITY */
+
+/*
+ * This is the default capabilities functionality. Most of these functions
+ * are just stubbed out, but a few must call the proper capable code.
+ */
+
+static inline int security_scaffolding_startup (void)
{
- security_ops->tcp_synack(sk, skb, req);
+ return 0;
}
-static inline void security_tcp_create_openreq_child(struct sock * sk,
- struct sock * newsk,
- struct sk_buff * skb,
- struct open_request * req)
+static inline int security_sethostname (char *hostname)
{
- security_ops->tcp_create_openreq_child(sk, newsk, skb, req);
+ return 0;
}
-static inline int security_skb_alloc(struct sk_buff * skb, int gfp_mask)
+static inline int security_setdomainname (char *domainname)
{
- return security_ops->skb_alloc_security(skb, gfp_mask);
+ return 0;
}
-static inline int security_skb_clone(struct sk_buff * newskb,
- const struct sk_buff * oldskb)
+static inline int security_reboot (unsigned int cmd)
{
- return security_ops->skb_clone(newskb, oldskb);
+ return 0;
}
-static inline void security_skb_copy(struct sk_buff * newskb,
- const struct sk_buff * oldskb)
+static inline int security_ioperm (unsigned long from, unsigned long num, int turn_on)
{
- security_ops->skb_copy(newskb, oldskb);
+ return 0;
}
-static inline void security_skb_set_owner_w (struct sk_buff * skb,
- struct sock * sk)
-{
- security_ops->skb_set_owner_w (skb, sk);
-}
-
-static inline void security_skb_recv_datagram(struct sk_buff * skb,
- struct sock * sk, unsigned flags)
-{
- security_ops->skb_recv_datagram(skb, sk, flags);
-}
-
-static inline void security_skb_free(struct sk_buff * skb)
-{
- security_ops->skb_free_security(skb);
-}
-
-static inline void security_ip_fragment(struct sk_buff * newskb,
- const struct sk_buff * oldskb)
-{
- security_ops->ip_fragment(newskb, oldskb);
-}
-
-static inline int security_ip_defragment(struct sk_buff * skb)
-{
- return security_ops->ip_defragment(skb);
-}
-
-static inline void security_ip_encapsulate(struct sk_buff * skb)
-{
- security_ops->ip_encapsulate(skb);
-}
-
-static inline void security_ip_decapsulate(struct sk_buff * skb)
-{
- security_ops->ip_decapsulate(skb);
-}
-
-static inline int security_ip_decode_options(struct sk_buff * skb,
- const char *optptr,
- unsigned char **pp_ptr)
-{
- return security_ops->ip_decode_options(skb, optptr, pp_ptr);
-}
-
-static inline void security_netdev_unregister(struct net_device * dev)
-{
- security_ops->netdev_unregister(dev);
-}
-
-static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
- short flag)
-{
- return security_ops->ipc_permission (ipcp, flag);
-}
-
-static inline int security_msg_msg_alloc (struct msg_msg * msg)
-{
- return security_ops->msg_msg_alloc_security (msg);
-}
-
-static inline void security_msg_msg_free (struct msg_msg * msg)
-{
- security_ops->msg_msg_free_security(msg);
-}
-
-static inline int security_msg_queue_alloc (struct msg_queue *msq)
-{
- return security_ops->msg_queue_alloc_security (msq);
-}
-
-static inline void security_msg_queue_free (struct msg_queue *msq)
-{
- security_ops->msg_queue_free_security (msq);
-}
-
-static inline int security_msg_queue_associate (struct msg_queue * msq,
- int msqflg)
-{
- return security_ops->msg_queue_associate (msq, msqflg);
-}
-
-static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
-{
- return security_ops->msg_queue_msgctl (msq, cmd);
-}
-
-static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
- struct msg_msg * msg, int msqflg)
-{
- return security_ops->msg_queue_msgsnd (msq, msg, msqflg);
-}
-
-static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
- struct msg_msg * msg,
- struct task_struct * target,
- long type, int mode)
-{
- return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode);
-}
-
-static inline int security_shm_alloc (struct shmid_kernel *shp)
-{
- return security_ops->shm_alloc_security (shp);
-}
-
-static inline void security_shm_free (struct shmid_kernel *shp)
-{
- security_ops->shm_free_security (shp);
-}
-
-static inline int security_shm_associate (struct shmid_kernel * shp,
- int shmflg)
-{
- return security_ops->shm_associate(shp, shmflg);
-}
-
-static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
-{
- return security_ops->shm_shmctl (shp, cmd);
-}
-
-static inline int security_shm_shmat (struct shmid_kernel * shp,
- char *shmaddr, int shmflg)
-{
- return security_ops->shm_shmat(shp, shmaddr, shmflg);
-}
-
-static inline int security_sem_alloc (struct sem_array *sma)
-{
- return security_ops->sem_alloc_security (sma);
-}
-
-static inline void security_sem_free (struct sem_array *sma)
-{
- security_ops->sem_free_security (sma);
-}
-
-static inline int security_sem_associate (struct sem_array * sma, int semflg)
-{
- return security_ops->sem_associate (sma, semflg);
-}
-
-static inline int security_sem_semctl (struct sem_array * sma, int cmd)
-{
- return security_ops->sem_semctl(sma, cmd);
-}
-
-static inline int security_sem_semop (struct sem_array * sma,
- struct sembuf * sops, unsigned nsops,
- int alter)
-{
- return security_ops->sem_semop(sma, sops, nsops, alter);
-}
-
-static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
-{
- security_ops->d_instantiate (dentry, inode);
-}
-
-/* prototypes */
-extern int security_scaffolding_startup (void);
-extern int register_security (struct security_operations *ops);
-extern int unregister_security (struct security_operations *ops);
-extern int mod_reg_security (const char *name, struct security_operations *ops);
-extern int mod_unreg_security (const char *name, struct security_operations *ops);
-
-#else /* CONFIG_SECURITY */
-
-/*
- * This is the default capabilities functionality. Most of these functions
- * are just stubbed out, but a few must call the proper capable code.
- */
-
-static inline int security_scaffolding_startup (void)
-{
- return 0;
-}
-
-static inline int security_sethostname (char *hostname)
-{
- return 0;
-}
-
-static inline int security_setdomainname (char *domainname)
-{
- return 0;
-}
-
-static inline int security_reboot (unsigned int cmd)
-{
- return 0;
-}
-
-static inline int security_ioperm (unsigned long from, unsigned long num, int turn_on)
-{
- return 0;
-}
-
-static inline int security_iopl (unsigned int old, unsigned int level)
+static inline int security_iopl (unsigned int old, unsigned int level)
{
return 0;
}
@@ -2388,17 +2182,11 @@
return cap_netlink_recv(skb);
}
-static inline int security_unix_stream_connect(struct socket * sock,
- struct socket * other,
- struct sock * newsk)
-{
- return 0;
-}
-
-static inline int security_unix_may_send(struct socket * sock,
- struct socket * other)
+static inline int security_ip_decode_options(struct sk_buff * skb,
+ const char *optptr,
+ unsigned char **pp_ptr)
{
- return 0;
+ return cap_ip_decode_options(skb,optptr,pp_ptr);
}
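Review bot: `return cap_ip_decode_options(skb,optptr,pp_ptr);` is the only call in this header written without a space after each comma; the neighbouring wrappers (`cap_netlink_recv(skb)` just above, the IPC stubs below) follow the usual kernel spacing, so make it `return cap_ip_decode_options(skb, optptr, pp_ptr);`. Keeping this wrapper in the !CONFIG_SECURITY branch rather than under CONFIG_SECURITY_NETWORK is the right call, since per the description it carries a capability test migrated from the base kernel that must survive regardless of the new option.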
static inline int security_bprm_alloc (struct linux_binprm *bprm)
@@ -2801,123 +2589,247 @@
cap_task_reparent_to_init (p);
}
-static inline int security_socket_create (int family, int type, int protocol)
+static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
+ short flag)
{
return 0;
}
-static inline void security_socket_post_create(struct socket * sock,
- int family,
- int type,
- int protocol)
+static inline int security_msg_msg_alloc (struct msg_msg * msg)
{
+ return 0;
}
-static inline int security_socket_bind(struct socket * sock,
- struct sockaddr * address,
- int addrlen)
+static inline void security_msg_msg_free (struct msg_msg * msg)
+{ }
+
+static inline int security_msg_queue_alloc (struct msg_queue *msq)
{
return 0;
}
-static inline int security_socket_connect(struct socket * sock,
- struct sockaddr * address,
- int addrlen)
+static inline void security_msg_queue_free (struct msg_queue *msq)
+{ }
+
+static inline int security_msg_queue_associate (struct msg_queue * msq,
+ int msqflg)
{
return 0;
}
-static inline int security_socket_listen(struct socket * sock, int backlog)
+static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
{
return 0;
}
-static inline int security_socket_accept(struct socket * sock,
- struct socket * newsock)
+static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
+ struct msg_msg * msg, int msqflg)
{
return 0;
}
-static inline void security_socket_post_accept(struct socket * sock,
- struct socket * newsock)
+static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
+ struct msg_msg * msg,
+ struct task_struct * target,
+ long type, int mode)
{
+ return 0;
}
-static inline int security_socket_sendmsg(struct socket * sock,
- struct msghdr * msg, int size)
+static inline int security_shm_alloc (struct shmid_kernel *shp)
{
return 0;
}
-static inline int security_socket_recvmsg(struct socket * sock,
- struct msghdr * msg, int size,
- int flags)
-{
+static inline void security_shm_free (struct shmid_kernel *shp)
+{ }
+
+static inline int security_shm_associate (struct shmid_kernel * shp,
+ int shmflg)
+{
return 0;
}
-static inline int security_socket_getsockname(struct socket * sock)
+static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
{
return 0;
}
-static inline int security_socket_getpeername(struct socket * sock)
+static inline int security_shm_shmat (struct shmid_kernel * shp,
+ char *shmaddr, int shmflg)
+{
+ return 0;
+}
+
+static inline int security_sem_alloc (struct sem_array *sma)
+{
+ return 0;
+}
+
+static inline void security_sem_free (struct sem_array *sma)
+{ }
+
+static inline int security_sem_associate (struct sem_array * sma, int semflg)
+{
+ return 0;
+}
+
+static inline int security_sem_semctl (struct sem_array * sma, int cmd)
+{
+ return 0;
+}
+
+static inline int security_sem_semop (struct sem_array * sma,
+ struct sembuf * sops, unsigned nsops,
+ int alter)
{
return 0;
}
+static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
+{ }
+
+#endif /* CONFIG_SECURITY */
+
+#ifdef CONFIG_SECURITY_NETWORK
+
+static inline int security_unix_stream_connect(struct socket * sock,
+ struct socket * other,
+ struct sock * newsk)
+{
+ return security_ops->unix_stream_connect(sock, other, newsk);
+}
+
+
+static inline int security_unix_may_send(struct socket * sock,
+ struct socket * other)
+{
+ return security_ops->unix_may_send(sock, other);
+}
+
+static inline int security_socket_create (int family, int type, int protocol)
+{
+ return security_ops->socket_create(family, type, protocol);
+}
+
+static inline void security_socket_post_create(struct socket * sock,
+ int family,
+ int type,
+ int protocol)
+{
+ security_ops->socket_post_create(sock, family, type, protocol);
+}
+
+static inline int security_socket_bind(struct socket * sock,
+ struct sockaddr * address,
+ int addrlen)
+{
+ return security_ops->socket_bind(sock, address, addrlen);
+}
+
+static inline int security_socket_connect(struct socket * sock,
+ struct sockaddr * address,
+ int addrlen)
+{
+ return security_ops->socket_connect(sock, address, addrlen);
+}
+
+static inline int security_socket_listen(struct socket * sock, int backlog)
+{
+ return security_ops->socket_listen(sock, backlog);
+}
+
+static inline int security_socket_accept(struct socket * sock,
+ struct socket * newsock)
+{
+ return security_ops->socket_accept(sock, newsock);
+}
+
+static inline void security_socket_post_accept(struct socket * sock,
+ struct socket * newsock)
+{
+ security_ops->socket_post_accept(sock, newsock);
+}
+
+static inline int security_socket_sendmsg(struct socket * sock,
+ struct msghdr * msg, int size)
+{
+ return security_ops->socket_sendmsg(sock, msg, size);
+}
+
+static inline int security_socket_recvmsg(struct socket * sock,
+ struct msghdr * msg, int size,
+ int flags)
+{
+ return security_ops->socket_recvmsg(sock, msg, size, flags);
+}
+
+static inline int security_socket_getsockname(struct socket * sock)
+{
+ return security_ops->socket_getsockname(sock);
+}
+
+static inline int security_socket_getpeername(struct socket * sock)
+{
+ return security_ops->socket_getpeername(sock);
+}
+
static inline int security_socket_getsockopt(struct socket * sock,
int level, int optname)
{
- return 0;
+ return security_ops->socket_getsockopt(sock, level, optname);
}
static inline int security_socket_setsockopt(struct socket * sock,
int level, int optname)
{
- return 0;
+ return security_ops->socket_setsockopt(sock, level, optname);
}
static inline int security_socket_shutdown(struct socket * sock, int how)
{
- return 0;
+ return security_ops->socket_shutdown(sock, how);
}
static inline int security_sock_alloc(struct sock * sk,
int gfp_mask)
{
- return 0;
+ return security_ops->socket_sock_alloc_security(sk, gfp_mask);
}
static inline void security_sock_free(struct sock * sk)
{
+ security_ops->socket_sock_free_security(sk);
}
static inline int security_sock_rcv_skb (struct sock * sk,
struct sk_buff * skb)
{
- return 0;
+ return security_ops->socket_sock_rcv_skb (sk, skb);
}
static inline int security_open_request_alloc (struct open_request * req)
{
- return 0;
+ return security_ops->open_request_alloc_security (req);
}
static inline void security_open_request_free (struct open_request * req)
{
+ security_ops->open_request_free_security (req);
}
static inline void security_tcp_connection_request(struct sock * sk,
struct sk_buff * skb,
struct open_request * req)
{
+ security_ops->tcp_connection_request(sk, skb, req);
}
static inline void security_tcp_synack(struct sock * sk,
struct sk_buff * skb,
struct open_request * req)
{
+ security_ops->tcp_synack(sk, skb, req);
}
static inline void security_tcp_create_openreq_child(struct sock * sk,
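Review bot: The `#ifdef CONFIG_SECURITY_NETWORK` block opened immediately after `#endif /* CONFIG_SECURITY */` dereferences `security_ops` in every wrapper (`security_ops->unix_stream_connect`, `security_ops->socket_create`, and so on), yet `security_ops` and the hook members it reaches appear to be declared only in the CONFIG_SECURITY half of this header, judging by the `#else /* CONFIG_SECURITY */` branch above. That compiles only if the new Kconfig entry makes SECURITY_NETWORK depend on SECURITY, and the Kconfig hunk is not part of this excerpt. If that dependency cannot be guaranteed, open the block with `#if defined(CONFIG_SECURITY) && defined(CONFIG_SECURITY_NETWORK)` so an inconsistent .config falls through to the stub branch instead of failing on an undeclared `security_ops`. The hunk ends in the middle of `security_tcp_create_openreq_child`, whose body continues in the next hunk.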
@@ -2925,168 +2837,263 @@
struct sk_buff * skb,
struct open_request * req)
{
+ security_ops->tcp_create_openreq_child(sk, newsk, skb, req);
}
static inline int security_skb_alloc(struct sk_buff * skb, int gfp_mask)
{
- return 0;
+ return security_ops->skb_alloc_security(skb, gfp_mask);
}
static inline int security_skb_clone(struct sk_buff * newskb,
const struct sk_buff * oldskb)
{
- return 0;
+ return security_ops->skb_clone(newskb, oldskb);
}
static inline void security_skb_copy(struct sk_buff * newskb,
const struct sk_buff * oldskb)
{
+ security_ops->skb_copy(newskb, oldskb);
}
static inline void security_skb_set_owner_w (struct sk_buff * skb,
struct sock * sk)
{
+ security_ops->skb_set_owner_w (skb, sk);
}
static inline void security_skb_recv_datagram(struct sk_buff * skb,
struct sock * sk, unsigned flags)
{
+ security_ops->skb_recv_datagram(skb, sk, flags);
}
static inline void security_skb_free(struct sk_buff * skb)
{
+ security_ops->skb_free_security(skb);
}
static inline void security_ip_fragment(struct sk_buff * newskb,
const struct sk_buff * oldskb)
{
+ security_ops->ip_fragment(newskb, oldskb);
}
static inline int security_ip_defragment(struct sk_buff * skb)
{
- return 0;
+ return security_ops->ip_defragment(skb);
}
static inline void security_ip_encapsulate(struct sk_buff * skb)
{
+ security_ops->ip_encapsulate(skb);
}
static inline void security_ip_decapsulate(struct sk_buff * skb)
{
+ security_ops->ip_decapsulate(skb);
}
-static inline int security_ip_decode_options(struct sk_buff * skb,
- const char *optptr,
- unsigned char **pp_ptr)
+static inline void security_netdev_unregister(struct net_device * dev)
{
- return cap_ip_decode_options(skb,optptr,pp_ptr);
+ security_ops->netdev_unregister(dev);
}
-static inline void security_netdev_unregister(struct net_device * dev)
+#else /* CONFIG_SECURITY_NETWORK */
+
+static inline int security_unix_stream_connect(struct socket * sock,
+ struct socket * other,
+ struct sock * newsk)
{
+ return 0;
}
-static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
- short flag)
+static inline int security_unix_may_send(struct socket * sock,
+ struct socket * other)
{
return 0;
}
-static inline int security_msg_msg_alloc (struct msg_msg * msg)
+static inline int security_socket_create (int family, int type, int protocol)
{
return 0;
}
-static inline void security_msg_msg_free (struct msg_msg * msg)
-{ }
+static inline void security_socket_post_create(struct socket * sock,
+ int family,
+ int type,
+ int protocol)
+{
+}
-static inline int security_msg_queue_alloc (struct msg_queue *msq)
+static inline int security_socket_bind(struct socket * sock,
+ struct sockaddr * address,
+ int addrlen)
{
return 0;
}
-static inline void security_msg_queue_free (struct msg_queue *msq)
-{ }
+static inline int security_socket_connect(struct socket * sock,
+ struct sockaddr * address,
+ int addrlen)
+{
+ return 0;
+}
-static inline int security_msg_queue_associate (struct msg_queue * msq,
- int msqflg)
+static inline int security_socket_listen(struct socket * sock, int backlog)
{
return 0;
}
-static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
+static inline int security_socket_accept(struct socket * sock,
+ struct socket * newsock)
{
return 0;
}
-static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
- struct msg_msg * msg, int msqflg)
+static inline void security_socket_post_accept(struct socket * sock,
+ struct socket * newsock)
+{
+}
+
+static inline int security_socket_sendmsg(struct socket * sock,
+ struct msghdr * msg, int size)
{
return 0;
}
-static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
- struct msg_msg * msg,
- struct task_struct * target,
- long type, int mode)
+static inline int security_socket_recvmsg(struct socket * sock,
+ struct msghdr * msg, int size,
+ int flags)
{
return 0;
}
-static inline int security_shm_alloc (struct shmid_kernel *shp)
+static inline int security_socket_getsockname(struct socket * sock)
{
return 0;
}
-static inline void security_shm_free (struct shmid_kernel *shp)
-{ }
+static inline int security_socket_getpeername(struct socket * sock)
+{
+ return 0;
+}
-static inline int security_shm_associate (struct shmid_kernel * shp,
- int shmflg)
+static inline int security_socket_getsockopt(struct socket * sock,
+ int level, int optname)
{
return 0;
}
-static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
+static inline int security_socket_setsockopt(struct socket * sock,
+ int level, int optname)
{
return 0;
}
-static inline int security_shm_shmat (struct shmid_kernel * shp,
- char *shmaddr, int shmflg)
+static inline int security_socket_shutdown(struct socket * sock, int how)
{
return 0;
}
-static inline int security_sem_alloc (struct sem_array *sma)
+static inline int security_sock_alloc(struct sock * sk,
+ int gfp_mask)
{
return 0;
}
-static inline void security_sem_free (struct sem_array *sma)
-{ }
+static inline void security_sock_free(struct sock * sk)
+{
+}
-static inline int security_sem_associate (struct sem_array * sma, int semflg)
+static inline int security_sock_rcv_skb (struct sock * sk,
+ struct sk_buff * skb)
{
return 0;
}
-static inline int security_sem_semctl (struct sem_array * sma, int cmd)
+static inline int security_open_request_alloc (struct open_request * req)
{
return 0;
}
-static inline int security_sem_semop (struct sem_array * sma,
- struct sembuf * sops, unsigned nsops,
- int alter)
+static inline void security_open_request_free (struct open_request * req)
+{
+}
+
+static inline void security_tcp_connection_request(struct sock * sk,
+ struct sk_buff * skb,
+ struct open_request * req)
+{
+}
+
+static inline void security_tcp_synack(struct sock * sk,
+ struct sk_buff * skb,
+ struct open_request * req)
+{
+}
+
+static inline void security_tcp_create_openreq_child(struct sock * sk,
+ struct sock * newsk,
+ struct sk_buff * skb,
+ struct open_request * req)
+{
+}
+
+static inline int security_skb_alloc(struct sk_buff * skb, int gfp_mask)
{
return 0;
}
-static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
-{ }
+static inline int security_skb_clone(struct sk_buff * newskb,
+ const struct sk_buff * oldskb)
+{
+ return 0;
+}
-#endif /* CONFIG_SECURITY */
+static inline void security_skb_copy(struct sk_buff * newskb,
+ const struct sk_buff * oldskb)
+{
+}
+
+static inline void security_skb_set_owner_w (struct sk_buff * skb,
+ struct sock * sk)
+{
+}
+
+static inline void security_skb_recv_datagram(struct sk_buff * skb,
+ struct sock * sk, unsigned flags)
+{
+}
+
+static inline void security_skb_free(struct sk_buff * skb)
+{
+}
+
+static inline void security_ip_fragment(struct sk_buff * newskb,
+ const struct sk_buff * oldskb)
+{
+}
+
+static inline int security_ip_defragment(struct sk_buff * skb)
+{
+ return 0;
+}
+
+static inline void security_ip_encapsulate(struct sk_buff * skb)
+{
+}
+
+static inline void security_ip_decapsulate(struct sk_buff * skb)
+{
+}
+
+static inline void security_netdev_unregister(struct net_device * dev)
+{
+}
+
+#endif /* CONFIG_SECURITY_NETWORK */
#endif /* ! __LINUX_SECURITY_H */
Index: lsm-2.5/include/linux/skbuff.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/include/linux/skbuff.h,v
retrieving revision 1.10
diff -u -r1.10 skbuff.h
--- lsm-2.5/include/linux/skbuff.h 13 Jan 2003 20:48:00 -0000 1.10
+++ lsm-2.5/include/linux/skbuff.h 27 Jan 2003 14:32:22 -0000
@@ -261,8 +261,9 @@
#ifdef CONFIG_NET_SCHED
__u32 tc_index; /* traffic control index */
#endif
-
+#ifdef CONFIG_SECURITY_NETWORK
void *lsm_security; /* replaces the above security field */
+#endif
};
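Review bot: The comment kept on `lsm_security` still says it "replaces the above security field", but nothing above it in the hunk is a security field any more, so once the `#ifdef` is added the comment reads as stale. The sock and open_request hunks in this patch use `/* LSM security field */` for the equivalent member; `void *lsm_security; /* LSM security field */` would align this one with them. The enclosing struct definition starts outside the hunk.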
#define SK_WMEM_MAX 65535
Index: lsm-2.5/include/linux/tcp.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/include/linux/tcp.h,v
retrieving revision 1.6
diff -u -r1.6 tcp.h
--- lsm-2.5/include/linux/tcp.h 24 Jan 2003 15:20:00 -0000 1.6
+++ lsm-2.5/include/linux/tcp.h 27 Jan 2003 14:32:34 -0000
@@ -383,7 +383,7 @@
#define tcp_sk(__sk) (&((struct tcp_sock *)__sk)->tcp)
static inline void clone_tcp_sk(struct sock *newsk, struct sock *sk) {
-#ifdef CONFIG_SECURITY
+#ifdef CONFIG_SECURITY_NETWORK
/* Save/restore the LSM security pointer around the copy */
void *sptr = newsk->security;
memcpy(newsk, sk, sizeof(struct tcp_sock));
Index: lsm-2.5/include/net/sock.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/include/net/sock.h,v
retrieving revision 1.18
diff -u -r1.18 sock.h
--- lsm-2.5/include/net/sock.h 4 Dec 2002 21:58:29 -0000 1.18
+++ lsm-2.5/include/net/sock.h 27 Jan 2003 14:33:16 -0000
@@ -198,8 +198,10 @@
/* RPC layer private data */
void *user_data;
+#ifdef CONFIG_SECURITY_NETWORK
/* LSM security field */
void *security;
+#endif
/* Callbacks */
void (*state_change)(struct sock *sk);
Index: lsm-2.5/include/net/tcp.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/include/net/tcp.h,v
retrieving revision 1.8
diff -u -r1.8 tcp.h
--- lsm-2.5/include/net/tcp.h 24 Jan 2003 15:20:00 -0000 1.8
+++ lsm-2.5/include/net/tcp.h 27 Jan 2003 14:44:12 -0000
@@ -534,8 +534,10 @@
struct tcp_v6_open_req v6_req;
#endif
} af;
+#ifdef CONFIG_SECURITY_NETWORK
/* LSM security field */
void *security;
+#endif
};
/* SLAB cache for open requests. */
@@ -547,7 +549,6 @@
kmem_cache_alloc(tcp_openreq_cachep, SLAB_ATOMIC);
if (req != NULL) {
- req->security = NULL;
if (security_open_request_alloc(req)) {
kmem_cache_free(tcp_openreq_cachep, req);
return NULL;
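Review bot: Dropping `req->security = NULL;` here makes the initial state of a freshly `kmem_cache_alloc`'d open_request depend on every module's `open_request_alloc_security` hook, since the cache does not zero the object; the dummy and SELinux hooks in this patch do set it, but the contract is now implicit and a third module that returns 0 without touching the field leaves it uninitialized. A one-line comment at the call, `/* the alloc_security hook must initialize req->security (NULL if unused) */`, would record the obligation; the same applies to the removal of `sk->security = NULL;` in the net/core/sock.c hunk. The enclosing allocation function starts outside the hunk.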
Index: lsm-2.5/net/core/skbuff.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/net/core/skbuff.c,v
retrieving revision 1.14
diff -u -r1.14 skbuff.c
--- lsm-2.5/net/core/skbuff.c 13 Jan 2003 20:48:08 -0000 1.14
+++ lsm-2.5/net/core/skbuff.c 27 Jan 2003 15:05:56 -0000
@@ -263,7 +263,9 @@
#ifdef CONFIG_NET_SCHED
skb->tc_index = 0;
#endif
+#ifdef CONFIG_SECURITY_NETWORK
skb->lsm_security = NULL;
+#endif
}
static void skb_drop_fraglist(struct sk_buff *skb)
Index: lsm-2.5/net/core/sock.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/net/core/sock.c,v
retrieving revision 1.8
diff -u -r1.8 sock.c
--- lsm-2.5/net/core/sock.c 24 Jan 2003 15:20:01 -0000 1.8
+++ lsm-2.5/net/core/sock.c 27 Jan 2003 14:44:53 -0000
@@ -601,7 +601,6 @@
sk->family = family;
sock_lock_init(sk);
}
- sk->security = NULL;
if (security_sock_alloc(sk, priority)) {
kmem_cache_free(slab, sk);
return NULL;
Index: lsm-2.5/security/Kconfig
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/security/Kconfig,v
retrieving revision 1.6
diff -u -r1.6 Kconfig
--- lsm-2.5/security/Kconfig 27 Dec 2002 13:45:00 -0000 1.6
+++ lsm-2.5/security/Kconfig 27 Jan 2003 15:37:29 -0000
@@ -15,6 +15,15 @@
If you are unsure how to answer this question, answer N.
+config SECURITY_NETWORK
+ bool "Socket and Networking Security Hooks"
+ depends on SECURITY!=n
+ help
+ This enables the socket and networking security hooks.
+ If enabled, a security module can use these hooks to
+ implement socket and networking access controls.
+ If you are unsure how to answer this question, answer N.
+
config SECURITY_CAPABILITIES
tristate "Default Linux Capabilities"
depends on SECURITY!=n
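Review bot: The help text for SECURITY_NETWORK does not say which hooks stay available when it is N, so it can be read as an all-or-nothing switch; the dummy.c registration hunk shows the netlink and ip_decode_options hooks are set outside the `#ifdef`. Appending a sentence such as `The netlink and IP options hooks remain available independently of this option.` would make the scope of the option clear to someone configuring the kernel.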
Index: lsm-2.5/security/dummy.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/security/dummy.c,v
retrieving revision 1.35
diff -u -r1.35 dummy.c
--- lsm-2.5/security/dummy.c 24 Jan 2003 20:32:49 -0000 1.35
+++ lsm-2.5/security/dummy.c 27 Jan 2003 16:32:48 -0000
@@ -20,6 +20,8 @@
#include <linux/security.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
+#include <net/sock.h>
+#include <net/tcp.h>
static int dummy_sethostname (char *hostname)
{
@@ -664,6 +666,18 @@
return 0;
}
+static int dummy_ip_decode_options (struct sk_buff *skb, const char *optptr,
+ unsigned char **pp_ptr)
+{
+ if (!skb && !capable (CAP_NET_RAW)) {
+ (const unsigned char *) *pp_ptr = optptr;
+ return -EPERM;
+ }
+ return 0;
+}
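Review bot: The moved body of `dummy_ip_decode_options` uses a cast on the left-hand side of an assignment, `(const unsigned char *) *pp_ptr = optptr;`, which is a GCC-only "cast as lvalue" extension rather than standard C; since the line now appears on the new side it is worth fixing while it is being moved. Writing it as `*pp_ptr = (unsigned char *) optptr;` keeps the same effect (the interface forces the const to be discarded either way) and compiles as plain C. The same construct is deleted from the `#ifdef CONFIG_SECURITY_NETWORK` region in the following hunk, so only this copy needs the change.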
+
+#ifdef CONFIG_SECURITY_NETWORK
+
static void dummy_ip_fragment (struct sk_buff *newskb,
const struct sk_buff *oldskb)
{
@@ -685,16 +699,6 @@
return;
}
-static int dummy_ip_decode_options (struct sk_buff *skb, const char *optptr,
- unsigned char **pp_ptr)
-{
- if (!skb && !capable (CAP_NET_RAW)) {
- (const unsigned char *) *pp_ptr = optptr;
- return -EPERM;
- }
- return 0;
-}
-
static void dummy_netdev_unregister (struct net_device *dev)
{
return;
@@ -778,6 +782,7 @@
static int dummy_socket_sock_alloc_security(struct sock *sk, int gfp_mask)
{
+ sk->security = NULL;
return 0;
}
@@ -793,6 +798,7 @@
static int dummy_open_request_alloc_security(struct open_request * req)
{
+ req->security = NULL;
return 0;
}
@@ -866,6 +872,8 @@
return;
}
+#endif
+
static int dummy_register_security (const char *name, struct security_operations *ops)
{
return -EINVAL;
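Review bot: The bare `#endif` that closes the `#ifdef CONFIG_SECURITY_NETWORK` region spans well over a hundred lines of dummy.c, and the region it closes is not visible from here; the header in this same patch ends its block with `#endif /* CONFIG_SECURITY_NETWORK */`. Using `#endif /* CONFIG_SECURITY_NETWORK */` here, in the later dummy.c hunk that closes the `set_to_dummy_if_null` block, and at each of the `#endif` lines added to selinux/hooks.c would keep the .c files consistent with the header.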
@@ -1002,6 +1010,7 @@
set_to_dummy_if_null(ops, sem_semop);
set_to_dummy_if_null(ops, register_security);
set_to_dummy_if_null(ops, unregister_security);
+ set_to_dummy_if_null(ops, d_instantiate);
set_to_dummy_if_null(ops, sethostname);
set_to_dummy_if_null(ops, setdomainname);
set_to_dummy_if_null(ops, reboot);
@@ -1012,11 +1021,12 @@
set_to_dummy_if_null(ops, settime);
set_to_dummy_if_null(ops, netlink_send);
set_to_dummy_if_null(ops, netlink_recv);
+ set_to_dummy_if_null(ops, ip_decode_options);
+#ifdef CONFIG_SECURITY_NETWORK
set_to_dummy_if_null(ops, ip_fragment);
set_to_dummy_if_null(ops, ip_defragment);
set_to_dummy_if_null(ops, ip_decapsulate);
set_to_dummy_if_null(ops, ip_encapsulate);
- set_to_dummy_if_null(ops, ip_decode_options);
set_to_dummy_if_null(ops, netdev_unregister);
set_to_dummy_if_null(ops, socket_create);
set_to_dummy_if_null(ops, socket_post_create);
@@ -1048,6 +1058,6 @@
set_to_dummy_if_null(ops, skb_set_owner_w);
set_to_dummy_if_null(ops, skb_recv_datagram);
set_to_dummy_if_null(ops, skb_free_security);
- set_to_dummy_if_null(ops, d_instantiate);
+#endif
}
Index: lsm-2.5/security/dte/dte.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/security/dte/dte.c,v
retrieving revision 1.25
diff -u -r1.25 dte.c
--- lsm-2.5/security/dte/dte.c 24 Jan 2003 20:32:50 -0000 1.25
+++ lsm-2.5/security/dte/dte.c 27 Jan 2003 16:13:45 -0000
@@ -586,27 +586,6 @@
dte_secondary_ops->task_reparent_to_init(p);
}
-static void dte_ip_fragment (struct sk_buff *newskb,
- const struct sk_buff *oldskb)
-{
- return;
-}
-
-static int dte_ip_defragment (struct sk_buff *skb)
-{
- return 0;
-}
-
-static void dte_ip_encapsulate (struct sk_buff *skb)
-{
- return;
-}
-
-static void dte_ip_decapsulate (struct sk_buff *skb)
-{
- return;
-}
-
static int dte_ip_decode_options (struct sk_buff *skb, const char *optptr,
unsigned char **pp_ptr)
{
@@ -617,146 +596,6 @@
return 0;
}
-static void dte_netdev_unregister (struct net_device *dev)
-{
- return;
-}
-
-static int dte_socket_create (int family, int type, int protocol)
-{
- return 0;
-}
-
-static void dte_socket_post_create (struct socket *sock, int family, int type,
- int protocol)
-{
- return;
-}
-
-static int dte_socket_bind (struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int dte_socket_connect (struct socket *sock, struct sockaddr *address,
- int addrlen)
-{
- return 0;
-}
-
-static int dte_socket_listen (struct socket *sock, int backlog)
-{
- return 0;
-}
-
-static int dte_socket_accept (struct socket *sock, struct socket *newsock)
-{
- return 0;
-}
-
-static void dte_socket_post_accept (struct socket *sock,
- struct socket *newsock)
-{
- return;
-}
-
-static int dte_socket_sendmsg (struct socket *sock, struct msghdr *msg,
- int size)
-{
- return 0;
-}
-
-static int dte_socket_recvmsg (struct socket *sock, struct msghdr *msg,
- int size, int flags)
-{
- return 0;
-}
-
-static int dte_socket_getsockname (struct socket *sock)
-{
- return 0;
-}
-
-static int dte_socket_getpeername (struct socket *sock)
-{
- return 0;
-}
-
-static int dte_socket_setsockopt (struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int dte_socket_getsockopt (struct socket *sock, int level, int optname)
-{
- return 0;
-}
-
-static int dte_socket_shutdown (struct socket *sock, int how)
-{
- return 0;
-}
-
-static int dte_socket_sock_alloc_security (struct sock *sk, int gfp_mask)
-{
- return 0;
-}
-
-static void dte_socket_sock_free_security (struct sock *sk)
-{
- return;
-}
-
-static int dte_sock_rcv_skb (struct sock *sk, struct sk_buff *skb)
-{
- return 0;
-}
-
-static int dte_open_request_alloc_security (struct open_request *req)
-{
- return 0;
-}
-
-static void dte_open_request_free_security (struct open_request *req)
-{
- return;
-}
-
-static void dte_tcp_connection_request (struct sock *sk,
- struct sk_buff *skb,
- struct open_request *req)
-{
- return;
-}
-
-static void dte_tcp_synack (struct sock *sk, struct sk_buff *skb,
- struct open_request *req)
-{
- return;
-}
-
-
-static void dte_tcp_create_openreq_child (struct sock *sk,
- struct sock *newsk,
- struct sk_buff *skb,
- struct open_request *req)
-{
- return;
-}
-
-static int dte_socket_unix_stream_connect (struct socket *sock,
- struct socket *other,
- struct sock *newsk)
-{
- return 0;
-}
-
-static int dte_socket_unix_may_send (struct socket *sock, struct socket *other)
-{
- return 0;
-}
-
static int dte_ipc_permission (struct kern_ipc_perm *ipcp, short flag)
{
return 0;
@@ -852,37 +691,6 @@
return 0;
}
-static int dte_skb_alloc_security (struct sk_buff *skb, int gfp_mask)
-{
- return 0;
-}
-
-static int dte_skb_clone (struct sk_buff *newskb, const struct sk_buff *oldskb)
-{
- return 0;
-}
-
-static void dte_skb_copy (struct sk_buff *newskb, const struct sk_buff *oldskb)
-{
- return;
-}
-
-static void dte_skb_set_owner_w (struct sk_buff *skb, struct sock *sk)
-{
- return;
-}
-
-static void dte_skb_recv_datagram (struct sk_buff *skb, struct sock *sk,
- unsigned flags)
-{
- return;
-}
-
-static void dte_skb_free_security (struct sk_buff *skb)
-{
- return;
-}
-
static int dte_register (const char *name, struct security_operations *ops)
{
int rc;
@@ -940,8 +748,6 @@
netlink_send: dte_netlink_send,
netlink_recv: dte_netlink_recv,
- unix_stream_connect: dte_socket_unix_stream_connect,
- unix_may_send: dte_socket_unix_may_send,
bprm_alloc_security: dte_binprm_alloc_security,
bprm_free_security: dte_binprm_free_security,
@@ -1024,43 +830,7 @@
task_kmod_set_label: dte_task_kmod_set_label,
task_reparent_to_init: dte_task_reparent_to_init,
- socket_create: dte_socket_create,
- socket_post_create: dte_socket_post_create,
- socket_bind: dte_socket_bind,
- socket_connect: dte_socket_connect,
- socket_listen: dte_socket_listen,
- socket_accept: dte_socket_accept,
- socket_post_accept: dte_socket_post_accept,
- socket_sendmsg: dte_socket_sendmsg,
- socket_recvmsg: dte_socket_recvmsg,
- socket_getsockname: dte_socket_getsockname,
- socket_getpeername: dte_socket_getpeername,
- socket_getsockopt: dte_socket_getsockopt,
- socket_setsockopt: dte_socket_setsockopt,
- socket_shutdown: dte_socket_shutdown,
- socket_sock_alloc_security: dte_socket_sock_alloc_security,
- socket_sock_free_security: dte_socket_sock_free_security,
- socket_sock_rcv_skb: dte_sock_rcv_skb,
- open_request_alloc_security: dte_open_request_alloc_security,
- open_request_free_security: dte_open_request_free_security,
- tcp_connection_request: dte_tcp_connection_request,
- tcp_synack: dte_tcp_synack,
- tcp_create_openreq_child: dte_tcp_create_openreq_child,
-
- skb_alloc_security: dte_skb_alloc_security,
- skb_clone: dte_skb_clone,
- skb_copy: dte_skb_copy,
- skb_set_owner_w: dte_skb_set_owner_w,
- skb_recv_datagram: dte_skb_recv_datagram,
- skb_free_security: dte_skb_free_security,
-
- ip_fragment: dte_ip_fragment,
- ip_defragment: dte_ip_defragment,
- ip_encapsulate: dte_ip_encapsulate,
- ip_decapsulate: dte_ip_decapsulate,
ip_decode_options: dte_ip_decode_options,
-
- netdev_unregister: dte_netdev_unregister,
ipc_permission: dte_ipc_permission,
Index: lsm-2.5/security/selinux/Kconfig
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/security/selinux/Kconfig,v
retrieving revision 1.2
diff -u -r1.2 Kconfig
--- lsm-2.5/security/selinux/Kconfig 3 Dec 2002 14:11:28 -0000 1.2
+++ lsm-2.5/security/selinux/Kconfig 27 Jan 2003 15:38:16 -0000
@@ -33,7 +33,7 @@
config SECURITY_SELINUX_EXTSOCKET
bool "NSA SELinux extended socket call API (EXPERIMENTAL)"
- depends on SECURITY_SELINUX && EXPERIMENTAL
+ depends on SECURITY_SELINUX && SECURITY_NETWORK && EXPERIMENTAL
default n
help
This enables the NSA SELinux extended socket call API.
@@ -45,7 +45,7 @@
config SECURITY_SELINUX_NSID
bool "NSA SELinux network SID API (EXPERIMENTAL)"
- depends on SECURITY_SELINUX && NETFILTER && EXPERIMENTAL
+ depends on SECURITY_SELINUX && SECURITY_NETWORK && NETFILTER && EXPERIMENTAL
default n
help
This enables the NSA SELinux network SID API.
@@ -55,7 +55,7 @@
config SECURITY_SELINUX_SELOPT
tristate "NSA SELinux CIPSO/FIPS-188 (EXPERIMENTAL)"
- depends on SECURITY_SELINUX_NSID && NETFILTER && EXPERIMENTAL
+ depends on SECURITY_SELINUX_NSID && EXPERIMENTAL
default n
help
This enables the NSA SELinux CIPSO/FIPS-188 IP options for
Index: lsm-2.5/security/selinux/extsocket.h
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/security/selinux/extsocket.h,v
retrieving revision 1.9
diff -u -r1.9 extsocket.h
--- lsm-2.5/security/selinux/extsocket.h 21 Jan 2003 20:32:30 -0000 1.9
+++ lsm-2.5/security/selinux/extsocket.h 27 Jan 2003 16:05:21 -0000
@@ -33,7 +33,7 @@
static spinlock_t open_request_alloc_lock = SPIN_LOCK_UNLOCKED;
-static int extsocket_open_request_alloc_security(struct open_request *req)
+static inline int extsocket_open_request_alloc_security(struct open_request *req)
{
struct open_request_security_struct *orsec, *new_orsec;
unsigned long flags;
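Review bot: Changing `extsocket_open_request_alloc_security` and `extsocket_open_request_free_security` to `static inline` is not explained anywhere in the hunk; it looks like a way to avoid unused-function warnings when the only callers are compiled out under CONFIG_SECURITY_NETWORK, but that is an inference. A short comment above the first definition, `/* inline: callers are compiled out when CONFIG_SECURITY_NETWORK is off */`, would record the reason so the qualifier is not removed again later. The function body continues outside the hunk, and the same change is made in the `#else` branch further down the file.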
@@ -62,7 +62,7 @@
return 0;
}
-static void extsocket_open_request_free_security(struct open_request *req)
+static inline void extsocket_open_request_free_security(struct open_request *req)
{
struct open_request_security_struct *orsec;
unsigned long flags;
@@ -673,12 +673,12 @@
#else
-static int extsocket_open_request_alloc_security(struct open_request *req)
+static inline int extsocket_open_request_alloc_security(struct open_request *req)
{
return 0;
}
-static void extsocket_open_request_free_security(struct open_request *req)
+static inline void extsocket_open_request_free_security(struct open_request *req)
{
return;
}
Index: lsm-2.5/security/selinux/hooks.c
===================================================================
RCS file: /home/pal/CVS/lsm-2.5/security/selinux/hooks.c,v
retrieving revision 1.92
diff -u -r1.92 hooks.c
--- lsm-2.5/security/selinux/hooks.c 24 Jan 2003 20:32:51 -0000 1.92
+++ lsm-2.5/security/selinux/hooks.c 27 Jan 2003 16:42:58 -0000
@@ -148,6 +148,8 @@
kfree(tsec);
}
+#ifdef CONFIG_SECURITY_NETWORK
+
/*
* Functions used to allocate/free sock security structures.
*/
@@ -198,6 +200,8 @@
kfree(sksec);
}
+#endif
+
static spinlock_t inode_alloc_lock = SPIN_LOCK_UNLOCKED;
static int inode_alloc_security(struct inode *inode)
@@ -349,6 +353,8 @@
kfree(sbsec);
}
+#ifdef CONFIG_SECURITY_NETWORK
+
static spinlock_t skb_alloc_lock = SPIN_LOCK_UNLOCKED;
static int skb_alloc_security(struct sk_buff *skb, int gfp_mask)
@@ -445,6 +451,8 @@
kfree(nsec);
}
+#endif
+
/* The security server must be initialized before
any labeling or access decisions can be provided. */
extern int ss_initialized;
@@ -770,6 +778,8 @@
return 0;
}
+#ifdef CONFIG_SECURITY_NETWORK
+
/* The network interface security attributes must be initialized before
* first use. */
int netdev_precondition(struct net_device *dev)
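Review bot: `netdev_precondition` has external linkage and is now compiled only under CONFIG_SECURITY_NETWORK; if it is declared in a header or called from another translation unit (neither is visible here), that declaration or call needs the same guard, or the build will fail to link with the option off. If it is in fact used only within hooks.c, making it `static int netdev_precondition(struct net_device *dev)` removes the question. The function body continues outside the hunk.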
@@ -795,6 +805,8 @@
return 1;
}
+#endif
+
/* Convert a Linux signal to an access vector. */
static inline access_vector_t signal_to_av(int sig)
{
@@ -1312,36 +1324,6 @@
/* assorted security operations (mostly syscall interposition) */
-static int selinux_sethostname(char *hostname)
-{
- /* Controlled via the capable hook - CAP_SYS_ADMIN */
- return 0;
-}
-
-static int selinux_setdomainname(char *domainname)
-{
- /* Controlled via the capable hook - CAP_SYS_ADMIN */
- return 0;
-}
-
-static int selinux_reboot(unsigned int cmd)
-{
- /* Controlled via the capable hook - CAP_SYS_BOOT */
- return 0;
-}
-
-static int selinux_ioperm(unsigned long from, unsigned long num, int turn_on)
-{
- /* Controlled via the capable hook - CAP_SYS_RAWIO */
- return 0;
-}
-
-static int selinux_iopl(unsigned int old, unsigned int level)
-{
- /* Controlled via the capable hook - CAP_SYS_RAWIO */
- return 0;
-}
-
static int selinux_ptrace(struct task_struct *parent, struct task_struct *child)
{
int rc;
@@ -1386,12 +1368,6 @@
return secondary_ops->capset_set(target, effective, inheritable, permitted);
}
-static int selinux_acct(struct file *file)
-{
- /* Controlled via the capable hook - CAP_SYS_PACCT */
- return 0;
-}
-
static int selinux_capable(struct task_struct *tsk, int cap)
{
int rc;
@@ -1548,11 +1524,6 @@
return rc;
}
-static int selinux_settime (struct timeval *tv, struct timezone *tz)
-{
- return 0;
-}
-
static int selinux_netlink_send(struct sk_buff *skb)
{
if (capable(CAP_NET_ADMIN))
@@ -2482,6 +2453,8 @@
return;
}
+#ifdef CONFIG_SECURITY_NETWORK
+
static void skb_copy_security(struct skb_security_struct *new,
struct skb_security_struct *old)
{
@@ -3111,6 +3084,7 @@
static int selinux_socket_sock_alloc_security(struct sock *sk, int gfp_mask)
{
+ sk->security = NULL;
return sock_alloc_security(sk, gfp_mask);
}
@@ -3226,6 +3200,7 @@
static int selinux_open_request_alloc_security(struct open_request *req)
{
+ req->security = NULL;
return extsocket_open_request_alloc_security(req);
}
@@ -3334,6 +3309,8 @@
return extsocket_unix_may_send(isec, other_isec, &ad);
}
+#endif
+
static spinlock_t ipc_alloc_lock = SPIN_LOCK_UNLOCKED;
static int ipc_alloc_security(struct task_struct *task,
@@ -3889,6 +3866,8 @@
return ipc_has_perm(ipcp, sclass, av);
}
+#ifdef CONFIG_SECURITY_NETWORK
+
static int selinux_skb_alloc_security(struct sk_buff *skb, int gfp_mask)
{
return skb_alloc_security(skb, gfp_mask);
@@ -3977,6 +3956,8 @@
skb_free_security(skb);
}
+#endif
+
/* module stacking operations */
int selinux_register_security (const char *name, struct security_operations *ops)
{
@@ -4013,16 +3994,10 @@
}
struct security_operations selinux_ops = {
- sethostname: selinux_sethostname,
- setdomainname: selinux_setdomainname,
- reboot: selinux_reboot,
- ioperm: selinux_ioperm,
- iopl: selinux_iopl,
ptrace: selinux_ptrace,
capget: selinux_capget,
capset_check: selinux_capset_check,
capset_set: selinux_capset_set,
- acct: selinux_acct,
sysctl: selinux_sysctl,
capable: selinux_capable,
swapon: selinux_swapon,
@@ -4030,12 +4005,9 @@
quotactl: selinux_quotactl,
quota_on: selinux_quota_on,
syslog: selinux_syslog,
- settime: selinux_settime,
netlink_send: selinux_netlink_send,
netlink_recv: selinux_netlink_recv,
- unix_stream_connect: selinux_socket_unix_stream_connect,
- unix_may_send: selinux_socket_unix_may_send,
bprm_alloc_security: selinux_bprm_alloc_security,
bprm_free_security: selinux_bprm_free_security,
@@ -4118,6 +4090,39 @@
task_kmod_set_label: selinux_task_kmod_set_label,
task_reparent_to_init: selinux_task_reparent_to_init,
+ ipc_permission: selinux_ipc_permission,
+
+ msg_msg_alloc_security: selinux_msg_msg_alloc_security,
+ msg_msg_free_security: selinux_msg_msg_free_security,
+
+ msg_queue_alloc_security: selinux_msg_queue_alloc_security,
+ msg_queue_free_security: selinux_msg_queue_free_security,
+ msg_queue_associate: selinux_msg_queue_associate,
+ msg_queue_msgctl: selinux_msg_queue_msgctl,
+ msg_queue_msgsnd: selinux_msg_queue_msgsnd,
+ msg_queue_msgrcv: selinux_msg_queue_msgrcv,
+
+ shm_alloc_security: selinux_shm_alloc_security,
+ shm_free_security: selinux_shm_free_security,
+ shm_associate: selinux_shm_associate,
+ shm_shmctl: selinux_shm_shmctl,
+ shm_shmat: selinux_shm_shmat,
+
+ sem_alloc_security: selinux_sem_alloc_security,
+ sem_free_security: selinux_sem_free_security,
+ sem_associate: selinux_sem_associate,
+ sem_semctl: selinux_sem_semctl,
+ sem_semop: selinux_sem_semop,
+
+ register_security: &selinux_register_security,
+ unregister_security: &selinux_unregister_security,
+
+ d_instantiate: selinux_d_instantiate,
+
+#ifdef CONFIG_SECURITY_NETWORK
+ unix_stream_connect: selinux_socket_unix_stream_connect,
+ unix_may_send: selinux_socket_unix_may_send,
+
socket_create: selinux_socket_create,
socket_post_create: selinux_socket_post_create,
socket_bind: selinux_socket_bind,
@@ -4155,35 +4160,8 @@
ip_decode_options: selinux_ip_decode_options,
netdev_unregister: selinux_netdev_unregister,
-
- ipc_permission: selinux_ipc_permission,
-
- msg_msg_alloc_security: selinux_msg_msg_alloc_security,
- msg_msg_free_security: selinux_msg_msg_free_security,
-
- msg_queue_alloc_security: selinux_msg_queue_alloc_security,
- msg_queue_free_security: selinux_msg_queue_free_security,
- msg_queue_associate: selinux_msg_queue_associate,
- msg_queue_msgctl: selinux_msg_queue_msgctl,
- msg_queue_msgsnd: selinux_msg_queue_msgsnd,
- msg_queue_msgrcv: selinux_msg_queue_msgrcv,
-
- shm_alloc_security: selinux_shm_alloc_security,
- shm_free_security: selinux_shm_free_security,
- shm_associate: selinux_shm_associate,
- shm_shmctl: selinux_shm_shmctl,
- shm_shmat: selinux_shm_shmat,
-
- sem_alloc_security: selinux_sem_alloc_security,
- sem_free_security: selinux_sem_free_security,
- sem_associate: selinux_sem_associate,
- sem_semctl: selinux_sem_semctl,
- sem_semop: selinux_sem_semop,
-
- register_security: &selinux_register_security,
- unregister_security: &selinux_unregister_security,
- d_instantiate: selinux_d_instantiate,
+#endif
};
extern long sys_security_selinux(struct pt_regs regs);
@@ -4250,7 +4228,7 @@
__initcall(selinux_init);
#endif
-#ifdef CONFIG_NETFILTER
+#if defined(CONFIG_SECURITY_NETWORK) && defined(CONFIG_NETFILTER)
#define NF_IP_PRI_SELINUX_FIRST (NF_IP_PRI_CONNTRACK + 5)
#define NF_IP_PRI_SELINUX_LAST -NF_IP_PRI_SELINUX_FIRST