[RFC v2 02/10] Revert "lsm: Remove the socket_post_accept() hook"
Samir Bellabes
snet needs to reintroduce this hook, as it was designed to be: a hook for
updating security informations on objects.
Signed-off-by: Samir Bellabes <s...@synack.fr>
Acked-by: Serge Hallyn <se...@us.ibm.com>
---
include/linux/security.h | 13 +++++++++++++
net/socket.c | 2 ++
security/capability.c | 5 +++++
security/security.c | 5 +++++
4 files changed, 25 insertions(+), 0 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 74e564b..d8ad624 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -938,6 +938,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @sock contains the listening socket structure.
* @newsock contains the newly created server socket for connection.
* Return 0 if permission is granted.
+ * @socket_post_accept:
+ * This hook allows a security module to copy security
+ * information into the newly created socket's inode.
+ * @sock contains the listening socket structure.
+ * @newsock contains the newly created server socket for connection.
* @socket_sendmsg:
* Check permission before transmitting a message to another socket.
* @sock contains the socket structure.
@@ -1674,6 +1679,8 @@ struct security_operations {
struct sockaddr *address, int addrlen);
int (*socket_listen) (struct socket *sock, int backlog);
int (*socket_accept) (struct socket *sock, struct socket *newsock);
+ void (*socket_post_accept) (struct socket *sock,
+ struct socket *newsock);
int (*socket_sendmsg) (struct socket *sock,
struct msghdr *msg, int size);
int (*socket_recvmsg) (struct socket *sock,
@@ -2696,6 +2703,7 @@ int security_socket_bind(struct socket *sock, struct sockaddr *address, int addr
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
int security_socket_listen(struct socket *sock, int backlog);
int security_socket_accept(struct socket *sock, struct socket *newsock);
+void security_socket_post_accept(struct socket *sock, struct socket *newsock);
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
int size, int flags);
@@ -2778,6 +2786,11 @@ static inline int security_socket_accept(struct socket *sock,
return 0;
}
+static inline void security_socket_post_accept(struct socket *sock,
+ struct socket *newsock)
+{
+}
+
static inline int security_socket_sendmsg(struct socket *sock,
struct msghdr *msg, int size)
{
diff --git a/net/socket.c b/net/socket.c
index b4eb361..2e66a5a 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1538,6 +1538,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
+ security_socket_post_accept(sock, newsock);
+
out_put:
fput_light(sock->file, fput_needed);
out:
diff --git a/security/capability.c b/security/capability.c
index a9810dc..61eae40 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -641,6 +641,10 @@ static int cap_socket_accept(struct socket *sock, struct socket *newsock)
return 0;
}
+static void cap_socket_post_accept(struct socket *sock, struct socket *newsock)
+{
+}
+
static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
return 0;
@@ -1081,6 +1085,7 @@ void security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, socket_connect);
set_to_cap_if_null(ops, socket_listen);
set_to_cap_if_null(ops, socket_accept);
+ set_to_cap_if_null(ops, socket_post_accept);
set_to_cap_if_null(ops, socket_sendmsg);
set_to_cap_if_null(ops, socket_recvmsg);
set_to_cap_if_null(ops, socket_getsockname);
diff --git a/security/security.c b/security/security.c
index 288c3a8..673979f 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1082,6 +1082,11 @@ int security_socket_accept(struct socket *sock, struct socket *newsock)
return security_ops->socket_accept(sock, newsock);
}
+void security_socket_post_accept(struct socket *sock, struct socket *newsock)
+{
+ security_ops->socket_post_accept(sock, newsock);
+}
+
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
return security_ops->socket_sendmsg(sock, msg, size);
--
1.6.3.3
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Samir Bellabes
Signed-off-by: Samir Bellabes <s...@synack.fr>
---
security/snet/snet_utils.c | 38 ++++++++++++++++++++++++++++++++++++++
security/snet/snet_utils.h | 10 ++++++++++
2 files changed, 48 insertions(+), 0 deletions(-)
create mode 100644 security/snet/snet_utils.c
create mode 100644 security/snet/snet_utils.h
diff --git a/security/snet/snet_utils.c b/security/snet/snet_utils.c
new file mode 100644
index 0000000..e9178d7
--- /dev/null
+++ b/security/snet/snet_utils.c
@@ -0,0 +1,38 @@
+#include <linux/types.h>
+#include <linux/snet.h>
+
+const char *snet_verdict_name(const enum snet_verdict cmd)
+{
+ static const char *const verdict_name[] = {
+ [SNET_VERDICT_GRANT] = "Grant",
+ [SNET_VERDICT_DENY] = "Deny",
+ [SNET_VERDICT_PENDING] = "Pending",
+ [SNET_VERDICT_NONE] = "None",
+ };
+
+ if (cmd >= SNET_NR_VERDICT_TYPES)
+ return "INVALID";
+ else
+ return verdict_name[cmd];
+}
+
+const char *snet_syscall_name(const enum snet_syscall sys)
+{
+ static const char *const syscall_name[] = {
+ [SNET_SOCKET_CREATE] = "Create",
+ [SNET_SOCKET_BIND] = "Bind",
+ [SNET_SOCKET_CONNECT] = "Connect",
+ [SNET_SOCKET_LISTEN] = "Listen",
+ [SNET_SOCKET_ACCEPT] = "Accept",
+ [SNET_SOCKET_POST_ACCEPT] = "Post Accept",
+ [SNET_SOCKET_SENDMSG] = "Sendmsg",
+ [SNET_SOCKET_RECVMSG] = "Recvmsg",
+ [SNET_SOCKET_SOCK_RCV_SKB] = "Sock Rcv Skb",
+ [SNET_SOCKET_CLOSE] = "Close",
+ };
+
+ if (sys >= SNET_NR_SOCKET_TYPES)
+ return "INVALID";
+ else
+ return syscall_name[sys];
+}
diff --git a/security/snet/snet_utils.h b/security/snet/snet_utils.h
new file mode 100644
index 0000000..4dad18b
--- /dev/null
+++ b/security/snet/snet_utils.h
@@ -0,0 +1,10 @@
+#ifndef _SNET_UTILS_H
+#define _SNET_UTILS_H
+
+#include <linux/skbuff.h>
+
+int snet_data_fill(struct sk_buff *skb_rsp, struct snet_info *info);
+const char *snet_verdict_name(const enum snet_verdict cmd);
+const char *snet_syscall_name(const enum snet_syscall sys);
+
+#endif /* _SNET_UTILS_H */
Samir Bellabes
snet is using the word 'event' for a couple of values [syscall, protocol].
For example, [listen, tcp] or [sendmsg, dccp] are events.
This patch introduces a hastable 'event_hash' and operations (add/remove/search..)
in order to manage which events have to be protected.
With the help of the communication's subsystem, managing orders are coming from
userspace.
Signed-off-by: Samir Bellabes <s...@synack.fr>
---
security/snet/snet_event.c | 189 ++++++++++++++++++++++++++++++++++++++++++++
security/snet/snet_event.h | 21 +++++
2 files changed, 210 insertions(+), 0 deletions(-)
create mode 100644 security/snet/snet_event.c
create mode 100644 security/snet/snet_event.h
diff --git a/security/snet/snet_event.c b/security/snet/snet_event.c
new file mode 100644
index 0000000..9e3f7d2
--- /dev/null
+++ b/security/snet/snet_event.c
@@ -0,0 +1,189 @@
+#include <linux/spinlock.h>
+#include <linux/list.h>
+#include <linux/jhash.h>
+#include <linux/slab.h>
+#include <linux/netlink.h>
+#include <linux/snet.h>
+#include "snet_event.h"
+#include "snet_netlink.h"
+#include "snet_utils.h"
+
+static struct list_head *snet_evh;
+static rwlock_t snet_evh_lock = __RW_LOCK_UNLOCKED();
+
+struct snet_event_entry {
+ struct list_head list;
+ struct snet_event se;
+};
+
+/* lookup for a snet_evh - before using this function, lock snet_evh_lock */
+static struct snet_event_entry *__snet_event_lookup(const enum snet_syscall syscall,
+ const u8 protocol)
+{
+ unsigned int h = 0;
+ struct list_head *l;
+ struct snet_event_entry *s;
+
+ /* computing its hash value */
+ h = jhash_2words(syscall, protocol, 0) % snet_evh_size;
+ l = &snet_evh[h];
+
+ list_for_each_entry(s, l, list) {
+ if ((s->se.protocol == protocol) &&
+ (s->se.syscall == syscall)) {
+ return s;
+ }
+ }
+ return NULL;
+}
+
+int snet_event_fill_info(struct sk_buff *skb, struct netlink_callback *cb)
+{
+ unsigned int i = 0, n = 0;
+ int ret = -1;
+ unsigned hashs_to_skip = cb->args[0];
+ unsigned events_to_skip = cb->args[1];
+ struct list_head *l;
+ struct snet_event_entry *s;
+
+ read_lock_bh(&snet_evh_lock);
+
+ for (i = 0; i < snet_evh_size; i++) {
+ if (i < hashs_to_skip)
+ continue;
+ l = &snet_evh[i];
+ n = 0;
+ list_for_each_entry(s, l, list) {
+ if (++n < events_to_skip)
+ continue;
+ ret = snet_nl_list_fill_info(skb,
+ NETLINK_CB(cb->skb).pid,
+ cb->nlh->nlmsg_seq,
+ NLM_F_MULTI,
+ s->se.protocol,
+ s->se.syscall);
+ if (ret < 0)
+ goto errout;
+ }
+ }
+
+errout:
+ read_unlock_bh(&snet_evh_lock);
+
+ cb->args[0] = i;
+ cb->args[1] = n;
+ return skb->len;
+}
+
+/*
+ * check if a event is registered or not
+ * return 1 if event is registered, 0 if not
+ */
+int snet_event_is_registered(const enum snet_syscall syscall, const u8 protocol)
+{
+ int ret = 0;
+
+ read_lock_bh(&snet_evh_lock);
+ if (__snet_event_lookup(syscall, protocol) != NULL)
+ ret = 1;
+ read_unlock_bh(&snet_evh_lock);
+ return ret;
+}
+
+/* adding a event */
+int snet_event_insert(const enum snet_syscall syscall, const u8 protocol)
+{
+ struct snet_event_entry *data = NULL;
+ unsigned int h = 0;
+ int err = 0;
+
+ data = kzalloc(sizeof(struct snet_event_entry), GFP_KERNEL);
+ if (!data) {
+ err = -ENOMEM;
+ goto out;
+ }
+
+ write_lock_bh(&snet_evh_lock);
+ /* check if event is already registered */
+ if (__snet_event_lookup(syscall, protocol) != NULL) {
+ write_unlock_bh(&snet_evh_lock);
+ kfree(data);
+ err = -EINVAL;
+ goto out;
+ }
+
+ data->se.syscall = syscall;
+ data->se.protocol = protocol;
+ INIT_LIST_HEAD(&(data->list));
+ h = jhash_2words(data->se.syscall, data->se.protocol, 0) % snet_evh_size;
+ list_add_tail(&data->list, &snet_evh[h]);
+ write_unlock_bh(&snet_evh_lock);
+ pr_debug("[%u]=(syscall=%s, protocol=%u)\n",
+ h, snet_syscall_name(syscall), protocol);
+out:
+ return err;
+}
+
+/* removing a event */
+int snet_event_remove(const enum snet_syscall syscall, const u8 protocol)
+{
+ struct snet_event_entry *data = NULL;
+
+ write_lock_bh(&snet_evh_lock);
+ data = __snet_event_lookup(syscall, protocol);
+ if (data == NULL) {
+ write_unlock_bh(&snet_evh_lock);
+ return -EINVAL;
+ }
+ pr_debug("(syscall=%s, protocol=%u)\n",
+ snet_syscall_name(syscall), protocol);
+ list_del(&data->list);
+ write_unlock_bh(&snet_evh_lock);
+ kfree(data);
+ return 0;
+}
+
+/* flushing all events */
+void snet_event_flush(void)
+{
+ unsigned int i = 0;
+
+ write_lock_bh(&snet_evh_lock);
+ for (i = 0; i < snet_evh_size; i++) {
+ struct snet_event_entry *data, *tmp;
+ list_for_each_entry_safe(data, tmp, &snet_evh[i], list) {
+ list_del(&data->list);
+ kfree(data);
+ }
+ }
+ write_unlock_bh(&snet_evh_lock);
+ return;
+}
+
+/* init function */
+int snet_event_init(void)
+{
+ int err = 0, i = 0;
+
+ snet_evh = kzalloc(sizeof(struct list_head) * snet_evh_size,
+ GFP_KERNEL);
+ if (!snet_evh) {
+ printk(KERN_WARNING
+ "snet: can't alloc memory for snet_evh\n");
+ err = -ENOMEM;
+ goto out;
+ }
+
+ for (i = 0; i < snet_evh_size; i++)
+ INIT_LIST_HEAD(&snet_evh[i]);
+
+out:
+ return err;
+}
+
+/* exit function */
+void snet_event_exit(void)
+{
+ kfree(snet_evh);
+ snet_evh = NULL;
+}
diff --git a/security/snet/snet_event.h b/security/snet/snet_event.h
new file mode 100644
index 0000000..fa991c7
--- /dev/null
+++ b/security/snet/snet_event.h
@@ -0,0 +1,21 @@
+#ifndef _SNET_EVENT_H
+#define _SNET_EVENT_H
+
+#include <linux/skbuff.h>
+
+extern unsigned int snet_evh_size;
+
+/* manipulate the events hash table */
+int snet_event_fill_info(struct sk_buff *skb, struct netlink_callback *cb);
+int snet_event_is_registered(const enum snet_syscall syscall, const u8 protocol);
+int snet_event_insert(const enum snet_syscall syscall, const u8 protocol);
+int snet_event_remove(const enum snet_syscall syscall, const u8 protocol);
+void snet_event_flush(void);
+void snet_event_dumpall(void);
+
+/* init function */
+int snet_event_init(void);
+/* exit funtion */
+void snet_event_exit(void);
+
+#endif /* _SNET_EVENT_H */
Samir Bellabes
Signed-off-by: Samir Bellabes <s...@synack.fr>
---
security/Kconfig | 6 ++++++
security/Makefile | 2 ++
security/snet/Kconfig | 11 +++++++++++
security/snet/Makefile | 14 ++++++++++++++
4 files changed, 33 insertions(+), 0 deletions(-)
create mode 100644 security/snet/Kconfig
create mode 100644 security/snet/Makefile
diff --git a/security/Kconfig b/security/Kconfig
index 226b955..eb37e9a 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -140,6 +140,7 @@ config LSM_MMAP_MIN_ADDR
source security/selinux/Kconfig
source security/smack/Kconfig
source security/tomoyo/Kconfig
+source security/snet/Kconfig
source security/integrity/ima/Kconfig
@@ -148,6 +149,7 @@ choice
default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
+ default DEFAULT_SECURITY_SNET if SECURITY_SNET
default DEFAULT_SECURITY_DAC
help
@@ -163,6 +165,9 @@ choice
config DEFAULT_SECURITY_TOMOYO
bool "TOMOYO" if SECURITY_TOMOYO=y
+ config DEFAULT_SECURITY_SNET
+ bool "snet" if SECURITY_SNET=y
+
config DEFAULT_SECURITY_DAC
bool "Unix Discretionary Access Controls"
@@ -173,6 +178,7 @@ config DEFAULT_SECURITY
default "selinux" if DEFAULT_SECURITY_SELINUX
default "smack" if DEFAULT_SECURITY_SMACK
default "tomoyo" if DEFAULT_SECURITY_TOMOYO
+ default "snet" if DEFAULT_SECURITY_SNET
default "" if DEFAULT_SECURITY_DAC
endmenu
diff --git a/security/Makefile b/security/Makefile
index da20a19..9374523 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -6,6 +6,7 @@ obj-$(CONFIG_KEYS) += keys/
subdir-$(CONFIG_SECURITY_SELINUX) += selinux
subdir-$(CONFIG_SECURITY_SMACK) += smack
subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
+subdir-$(CONFIG_SECURITY_SNET) += snet
# always enable default capabilities
obj-y += commoncap.o
@@ -19,6 +20,7 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
obj-$(CONFIG_AUDIT) += lsm_audit.o
obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
+obj-$(CONFIG_SECURITY_SNET) += snet/built-in.o
obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
# Object integrity file lists
diff --git a/security/snet/Kconfig b/security/snet/Kconfig
new file mode 100644
index 0000000..6dabd7d
--- /dev/null
+++ b/security/snet/Kconfig
@@ -0,0 +1,11 @@
+#
+# snet
+#
+
+config SECURITY_SNET
+ bool "snet - Security for NETwork syscalls"
+ depends on SECURITY_NETWORK
+ default n
+ ---help---
+ If this option is enabled, the kernel will include support for reporting
+ networking's syscalls to userspace and wait for a verdict
diff --git a/security/snet/Makefile b/security/snet/Makefile
new file mode 100644
index 0000000..e8f52f1
--- /dev/null
+++ b/security/snet/Makefile
@@ -0,0 +1,14 @@
+#
+# Makefile for building the Security Network Events module.
+#
+obj-$(CONFIG_SECURITY_SNET) := snet.o
+
+snet-y := snet_event.o \
+ snet_netlink_helper.o \
+ snet_netlink.o \
+ snet_verdict.o \
+ snet_ticket_helper.o \
+ snet_ticket.o \
+ snet_hooks.o \
+ snet_core.o \
+ snet_utils.o
Samir Bellabes
snet's subsystems, and include/linux/snet.h, which provides interface with
userspace
subsytems are:
- snet_hooks : LSM hooks
- snet_netlink : kernel-user communication (genetlink)
- snet_event : manages the list of protected syscalls
- snet_verdict : provides a waitqueue for syscalls and manage verdicts
from userspace
- snet_ticket : provides a granted-access ticket mecanism
Signed-off-by: Samir Bellabes <s...@synack.fr>
---
include/linux/snet.h | 120 +++++++++++++++++++++++++++++++++++++++++++++
security/snet/snet_core.c | 76 ++++++++++++++++++++++++++++
2 files changed, 196 insertions(+), 0 deletions(-)
create mode 100644 include/linux/snet.h
create mode 100644 security/snet/snet_core.c
diff --git a/include/linux/snet.h b/include/linux/snet.h
new file mode 100644
index 0000000..739601d
--- /dev/null
+++ b/include/linux/snet.h
@@ -0,0 +1,120 @@
+#ifndef _LINUX_SNET_H
+#define _LINUX_SNET_H
+
+#include <linux/in6.h>
+
+#define SNET_VERSION 0x1
+#define SNET_NAME "snet"
+
+enum snet_syscall {
+ SNET_SOCKET_CREATE = 0,
+ SNET_SOCKET_BIND,
+ SNET_SOCKET_CONNECT,
+ SNET_SOCKET_LISTEN,
+ SNET_SOCKET_ACCEPT,
+ SNET_SOCKET_POST_ACCEPT,
+ SNET_SOCKET_SENDMSG,
+ SNET_SOCKET_RECVMSG,
+ SNET_SOCKET_SOCK_RCV_SKB,
+ SNET_SOCKET_CLOSE,
+ SNET_SOCKET_INVALID,
+};
+
+#define SNET_NR_SOCKET_TYPES SNET_SOCKET_INVALID
+
+struct snet_event {
+ enum snet_syscall syscall;
+ u8 protocol;
+};
+
+enum snet_verdict {
+ SNET_VERDICT_GRANT = 0, /* grant the syscall */
+ SNET_VERDICT_DENY, /* deny the syscall */
+ SNET_VERDICT_PENDING, /* waiting for a decision */
+ SNET_VERDICT_NONE, /* no decision can be set */
+ SNET_VERDICT_INVALID,
+};
+
+#define SNET_NR_VERDICT_TYPES SNET_VERDICT_INVALID
+
+enum snet_ticket_mode {
+ SNET_TICKET_OFF = 0,
+ SNET_TICKET_FIX,
+ SNET_TICKET_EXTEND,
+};
+
+/* genetlink commands */
+enum {
+ SNET_C_UNSPEC,
+ SNET_C_VERSION,
+ SNET_C_REGISTER,
+ SNET_C_UNREGISTER,
+ SNET_C_INSERT,
+ SNET_C_REMOVE,
+ SNET_C_FLUSH,
+ SNET_C_LIST,
+ SNET_C_VERDICT,
+ SNET_C_CONFIG,
+ __SNET_C_MAX,
+};
+
+#define SNET_C_MAX (__SNET_C_MAX - 1)
+
+/* genetlink attributes */
+enum {
+ SNET_A_UNSPEC,
+ SNET_A_VERSION, /* (NLA_U32) the snet protocol version */
+ SNET_A_VERDICT_ID,
+ SNET_A_FAMILY,
+ SNET_A_SYSCALL, /* (NLA_U8) a syscall identifier */
+ SNET_A_PROTOCOL, /* (NLA_U8) a protocol identifier */
+ SNET_A_UID,
+ SNET_A_PID,
+ SNET_A_TYPE,
+ SNET_A_IPV4SADDR,
+ SNET_A_IPV6SADDR,
+ SNET_A_IPV4DADDR,
+ SNET_A_IPV6DADDR,
+ SNET_A_SPORT,
+ SNET_A_DPORT,
+ SNET_A_BUFFER,
+ SNET_A_BUFFER_LEN,
+ SNET_A_VERDICT,
+ SNET_A_VERDICT_DELAY,
+ SNET_A_TICKET_DELAY,
+ SNET_A_TICKET_MODE,
+ __SNET_A_MAX,
+};
+
+#define SNET_A_MAX (__SNET_A_MAX - 1)
+
+#define SNET_GENL_NAME "SNET"
+#define SNET_GENL_VERSION SNET_VERSION
+
+struct snet_sock_half {
+ struct {
+ union {
+ __be32 ip;
+ struct in6_addr ip6;
+ };
+ } u3;
+ struct {
+ __be16 port;
+ } u;
+};
+
+struct snet_info {
+ u32 verdict_id;
+
+ enum snet_syscall syscall;
+ u8 protocol;
+ u8 family;
+
+ int type;
+ struct snet_sock_half src;
+ struct snet_sock_half dst;
+ void *buffer;
+ int len;
+};
+
+#endif /* _LINUX_SNET_H */
diff --git a/security/snet/snet_core.c b/security/snet/snet_core.c
new file mode 100644
index 0000000..9f2eb2e
--- /dev/null
+++ b/security/snet/snet_core.c
@@ -0,0 +1,76 @@
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <net/genetlink.h>
+#include <linux/snet.h>
+#include "snet_hooks.h"
+#include "snet_event.h"
+#include "snet_verdict.h"
+#include "snet_ticket.h"
+#include "snet_utils.h"
+
+unsigned int snet_evh_size = 16;
+module_param(snet_evh_size, uint, 0400);
+MODULE_PARM_DESC(snet_evh_size, "Set the size of the event hash table");
+
+unsigned int snet_vdh_size = 16;
+module_param(snet_vdh_size, uint, 0400);
+MODULE_PARM_DESC(snet_vdh_size, "Set the size of the verdict hash table");
+
+unsigned int snet_verdict_delay = 5;
+module_param(snet_verdict_delay, uint, 0600);
+MODULE_PARM_DESC(snet_verdict_delay, "Set the timeout for verdicts in secs");
+
+unsigned int snet_verdict_policy = SNET_VERDICT_GRANT; /* permissive by default */
+module_param(snet_verdict_policy, uint, 0400);
+MODULE_PARM_DESC(snet_verdict_policy, "Set the default verdict");
+
+unsigned int snet_ticket_delay = 15;
+module_param(snet_ticket_delay, uint, 0600);
+MODULE_PARM_DESC(snet_ticket_delay, "Set the timeout for tickets in secs");
+
+unsigned int snet_ticket_mode = SNET_TICKET_FIX;
+module_param(snet_ticket_mode, uint, 0600);
+MODULE_PARM_DESC(snet_ticket_mode, "Set the mode for tickets");
+
+static __init int snet_init(void)
+{
+ int ret;
+
+ pr_debug("initializing: event_hash_size=%u "
+ "verdict_hash_size=%u verdict_delay=%usecs "
+ "default_policy=%s\n",
+ snet_evh_size, snet_vdh_size, snet_verdict_delay,
+ snet_verdict_name(snet_verdict_policy));
+
+ ret = snet_event_init();
+ if (ret < 0)
+ goto event_failed;
+
+ ret = snet_verdict_init();
+ if (ret < 0)
+ goto verdict_failed;
+
+ ret = snet_ticket_init();
+ if (ret < 0)
+ goto ticket_failed;
+
+ /* snet_hooks_init() returns 0 or execute panic() */
+ snet_hooks_init();
+
+ pr_debug("started\n");
+ return 0;
+
+ticket_failed:
+ snet_verdict_exit();
+verdict_failed:
+ snet_event_exit();
+event_failed:
+ pr_debug("stopped\n");
+ return ret;
+}
+
+security_initcall(snet_init);
+
+MODULE_DESCRIPTION("snet - Security for NETwork syscalls");
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Samir Bellabes <s...@synack.fr>");
Samir Bellabes
Signed-off-by: Samir Bellabes <s...@synack.fr>
---
include/linux/security.h | 10 ++++++++++
net/socket.c | 1 +
security/capability.c | 5 +++++
security/security.c | 5 +++++
4 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 2c627d3..74e564b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -981,6 +981,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @sock contains the socket structure.
* @how contains the flag indicating how future sends and receives are handled.
* Return 0 if permission is granted.
+ * @socket_close:
+ * Allow a module to update security informations when a socket is closed
+ * @sock is closed.
* @socket_sock_rcv_skb:
* Check permissions on incoming network packets. This hook is distinct
* from Netfilter's IP input hooks since it is the first time that the
@@ -1680,6 +1683,7 @@ struct security_operations {
int (*socket_getsockopt) (struct socket *sock, int level, int optname);
int (*socket_setsockopt) (struct socket *sock, int level, int optname);
int (*socket_shutdown) (struct socket *sock, int how);
+ void (*socket_close) (struct socket *sock);
int (*socket_sock_rcv_skb) (struct sock *sk, struct sk_buff *skb);
int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid);
@@ -2700,6 +2704,7 @@ int security_socket_getpeername(struct socket *sock);
int security_socket_getsockopt(struct socket *sock, int level, int optname);
int security_socket_setsockopt(struct socket *sock, int level, int optname);
int security_socket_shutdown(struct socket *sock, int how);
+void security_socket_close(struct socket *sock);
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len);
@@ -2812,6 +2817,11 @@ static inline int security_socket_shutdown(struct socket *sock, int how)
{
return 0;
}
+
+static inline void security_socket_close(struct socket *sock)
+{
+}
+
static inline int security_sock_rcv_skb(struct sock *sk,
struct sk_buff *skb)
{
diff --git a/net/socket.c b/net/socket.c
index 769c386..b4eb361 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1055,6 +1055,7 @@ static int sock_close(struct inode *inode, struct file *filp)
printk(KERN_DEBUG "sock_close: NULL inode\n");
return 0;
}
+ security_socket_close(SOCKET_I(inode));
sock_release(SOCKET_I(inode));
return 0;
}
diff --git a/security/capability.c b/security/capability.c
index 5c700e1..a9810dc 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -677,6 +677,10 @@ static int cap_socket_shutdown(struct socket *sock, int how)
return 0;
}
+static void cap_socket_close(struct socket *sock)
+{
+}
+
static int cap_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
return 0;
@@ -1084,6 +1088,7 @@ void security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, socket_setsockopt);
set_to_cap_if_null(ops, socket_getsockopt);
set_to_cap_if_null(ops, socket_shutdown);
+ set_to_cap_if_null(ops, socket_close);
set_to_cap_if_null(ops, socket_sock_rcv_skb);
set_to_cap_if_null(ops, socket_getpeersec_stream);
set_to_cap_if_null(ops, socket_getpeersec_dgram);
diff --git a/security/security.c b/security/security.c
index 122b748..288c3a8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1118,6 +1118,11 @@ int security_socket_shutdown(struct socket *sock, int how)
return security_ops->socket_shutdown(sock, how);
}
+void security_socket_close(struct socket *sock)
+{
+ return security_ops->socket_close(sock);
+}
+
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
return security_ops->socket_sock_rcv_skb(sk, skb);
Greg KH
> this patch creates folder security/snet and adds changes for Kconfig and Makefile
But it breaks the build, as you are referring to files here that are not
present yet. Please put this at the end of your patch series to make
the tree always build for every individual patch.
thanks,
greg k-h
Samir Bellabes
> On Tue, Mar 02, 2010 at 09:23:07PM +0100, Samir Bellabes wrote:
>> this patch creates folder security/snet and adds changes for Kconfig and Makefile
>
> But it breaks the build, as you are referring to files here that are not
> present yet. Please put this at the end of your patch series to make
> the tree always build for every individual patch.
yes, sure.
thank you Greg
sam
Jan Engelhardt
On Tuesday 2010-03-02 21:23, Samir Bellabes wrote:
>This patch provides helper functions for other subsystems
What subsystems would that be? (Just trying to prevent premature code
bloat.)
Samir Bellabes
> On Tuesday 2010-03-02 21:23, Samir Bellabes wrote:
>
>>This patch provides helper functions for other subsystems
>
> What subsystems would that be? (Just trying to prevent premature code
> bloat.)
snet_verdict_name() is used in :
- security/snet/snet_core.c
- security/snet/snet_ticket_helper.c
snet_syscall_name() is used in :
- security/snet/snet_event.c
- security/snet/snet_netlink.c
- security/snet/snet_ticket_helper.c
this functions are used for debug.
in the same time, I found an unused function declaration in security/snet/snet_utils.h:
int snet_data_fill(struct sk_buff *skb_rsp, struct snet_info *info);
I deleted it.
Thanks Jan,
sam