* [BK PATCH] LSM changes for 2.5.52
From: Greg KH @ 2002-12-18 23:19 UTC (permalink / raw)
To: torvalds; +Cc: linux-kernel, linux-security-module
Here are some minor cleanups for the existing LSM code, and a
capabilities patch from Bill Irwin.
Please pull from:
bk://lsm.bkbits.net/linus-2.5
thanks,
greg k-h
kernel/capability.c | 14 +++---
security/Kconfig | 7 ++-
security/dummy.c | 108 ---------------------------------------------------
security/root_plug.c | 3 +
security/security.c | 8 +++
5 files changed, 25 insertions(+), 115 deletions(-)
-----
ChangeSet@1.901, 2002-12-18 15:10:25-08:00, greg@kroah.com
LSM: update the copyright dates for my entry.
security/dummy.c | 2 +-
security/security.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
------
ChangeSet@1.900, 2002-12-18 15:09:33-08:00, greg@kroah.com
LSM: Fix up the description of the root_plug code to try to make it clearer.
security/Kconfig | 7 +++++--
security/root_plug.c | 3 +++
2 files changed, 8 insertions(+), 2 deletions(-)
------
ChangeSet@1.899, 2002-12-18 14:58:27-08:00, wli@holomorphy.com
[PATCH] converting cap_set_pg() to for_each_task_pid()
cap_set_pg() wants to find all processes in a given process group. This
converts it to use for_each_task_pid().
kernel/capability.c | 14 ++++++++------
1 files changed, 8 insertions(+), 6 deletions(-)
------
ChangeSet@1.898, 2002-12-18 14:57:38-08:00, greg@kroah.com
LSM: changed the dummy code to use the default operations logic.
security/dummy.c | 106 ----------------------------------------------------
security/security.c | 6 ++
2 files changed, 7 insertions(+), 105 deletions(-)
------
* [BK PATCH] LSM changes for 2.5.52
From: Greg KH @ 2002-12-18 23:21 UTC (permalink / raw)
To: linux-kernel, linux-security-module
ChangeSet 1.898, 2002/12/18 14:57:38-08:00, greg@kroah.com
LSM: changed the dummy code to use the default operations logic.
diff -Nru a/security/dummy.c b/security/dummy.c
--- a/security/dummy.c Wed Dec 18 15:13:41 2002
+++ b/security/dummy.c Wed Dec 18 15:13:41 2002
@@ -542,111 +542,7 @@
return -EINVAL;
}
-struct security_operations dummy_security_ops = {
- .ptrace = dummy_ptrace,
- .capget = dummy_capget,
- .capset_check = dummy_capset_check,
- .capset_set = dummy_capset_set,
- .acct = dummy_acct,
- .capable = dummy_capable,
- .quotactl = dummy_quotactl,
- .quota_on = dummy_quota_on,
-
- .bprm_alloc_security = dummy_bprm_alloc_security,
- .bprm_free_security = dummy_bprm_free_security,
- .bprm_compute_creds = dummy_bprm_compute_creds,
- .bprm_set_security = dummy_bprm_set_security,
- .bprm_check_security = dummy_bprm_check_security,
-
- .sb_alloc_security = dummy_sb_alloc_security,
- .sb_free_security = dummy_sb_free_security,
- .sb_statfs = dummy_sb_statfs,
- .sb_mount = dummy_sb_mount,
- .sb_check_sb = dummy_sb_check_sb,
- .sb_umount = dummy_sb_umount,
- .sb_umount_close = dummy_sb_umount_close,
- .sb_umount_busy = dummy_sb_umount_busy,
- .sb_post_remount = dummy_sb_post_remount,
- .sb_post_mountroot = dummy_sb_post_mountroot,
- .sb_post_addmount = dummy_sb_post_addmount,
- .sb_pivotroot = dummy_sb_pivotroot,
- .sb_post_pivotroot = dummy_sb_post_pivotroot,
-
- .inode_alloc_security = dummy_inode_alloc_security,
- .inode_free_security = dummy_inode_free_security,
- .inode_create = dummy_inode_create,
- .inode_post_create = dummy_inode_post_create,
- .inode_link = dummy_inode_link,
- .inode_post_link = dummy_inode_post_link,
- .inode_unlink = dummy_inode_unlink,
- .inode_symlink = dummy_inode_symlink,
- .inode_post_symlink = dummy_inode_post_symlink,
- .inode_mkdir = dummy_inode_mkdir,
- .inode_post_mkdir = dummy_inode_post_mkdir,
- .inode_rmdir = dummy_inode_rmdir,
- .inode_mknod = dummy_inode_mknod,
- .inode_post_mknod = dummy_inode_post_mknod,
- .inode_rename = dummy_inode_rename,
- .inode_post_rename = dummy_inode_post_rename,
- .inode_readlink = dummy_inode_readlink,
- .inode_follow_link = dummy_inode_follow_link,
- .inode_permission = dummy_inode_permission,
- .inode_permission_lite = dummy_inode_permission_lite,
- .inode_setattr = dummy_inode_setattr,
- .inode_getattr = dummy_inode_getattr,
- .inode_post_lookup = dummy_inode_post_lookup,
- .inode_delete = dummy_inode_delete,
- .inode_setxattr = dummy_inode_setxattr,
- .inode_getxattr = dummy_inode_getxattr,
- .inode_listxattr = dummy_inode_listxattr,
- .inode_removexattr = dummy_inode_removexattr,
-
- .file_permission = dummy_file_permission,
- .file_alloc_security = dummy_file_alloc_security,
- .file_free_security = dummy_file_free_security,
- .file_ioctl = dummy_file_ioctl,
- .file_mmap = dummy_file_mmap,
- .file_mprotect = dummy_file_mprotect,
- .file_lock = dummy_file_lock,
- .file_fcntl = dummy_file_fcntl,
- .file_set_fowner = dummy_file_set_fowner,
- .file_send_sigiotask = dummy_file_send_sigiotask,
- .file_receive = dummy_file_receive,
-
- .task_create = dummy_task_create,
- .task_alloc_security = dummy_task_alloc_security,
- .task_free_security = dummy_task_free_security,
- .task_setuid = dummy_task_setuid,
- .task_post_setuid = dummy_task_post_setuid,
- .task_setgid = dummy_task_setgid,
- .task_setpgid = dummy_task_setpgid,
- .task_getpgid = dummy_task_getpgid,
- .task_getsid = dummy_task_getsid,
- .task_setgroups = dummy_task_setgroups,
- .task_setnice = dummy_task_setnice,
- .task_setrlimit = dummy_task_setrlimit,
- .task_setscheduler = dummy_task_setscheduler,
- .task_getscheduler = dummy_task_getscheduler,
- .task_wait = dummy_task_wait,
- .task_kill = dummy_task_kill,
- .task_prctl = dummy_task_prctl,
- .task_kmod_set_label = dummy_task_kmod_set_label,
- .task_reparent_to_init = dummy_task_reparent_to_init,
-
- .ipc_permission = dummy_ipc_permission,
-
- .msg_queue_alloc_security = dummy_msg_queue_alloc_security,
- .msg_queue_free_security = dummy_msg_queue_free_security,
-
- .shm_alloc_security = dummy_shm_alloc_security,
- .shm_free_security = dummy_shm_free_security,
-
- .sem_alloc_security = dummy_sem_alloc_security,
- .sem_free_security = dummy_sem_free_security,
-
- .register_security = dummy_register_security,
- .unregister_security = dummy_unregister_security,
-};
+struct security_operations dummy_security_ops;
#define set_to_dummy_if_null(ops, function) \
do { \
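Review bot: the bare "struct security_operations dummy_security_ops;" that replaces the initializer has no comment saying who fills it in, and as a zero-initialized object every hook in it is NULL until that happens. Add a comment above the declaration stating that the table is populated at init time through set_to_dummy_if_null() and must not be installed as security_ops before then, and that any hook added to struct security_operations needs a matching entry in that fixup, since a missed one ends up as a call through a NULL function pointer.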
diff -Nru a/security/security.c b/security/security.c
--- a/security/security.c Wed Dec 18 15:13:41 2002
+++ b/security/security.c Wed Dec 18 15:13:41 2002
@@ -48,6 +48,12 @@
printk (KERN_INFO "Security Scaffold v" SECURITY_SCAFFOLD_VERSION
" initialized\n");
+ if (verify (&dummy_security_ops)) {
+ printk (KERN_ERR "%s could not verify "
+ "dummy_security_ops structure.\n", __FUNCTION__);
+ return -EIO;
+ }
+
security_ops = &dummy_security_ops;
return 0;
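Review bot: the new verify() check sits after the "Security Scaffold ... initialized" printk, so on failure the log shows the initialized banner followed by the KERN_ERR line, and the -EIO return happens before "security_ops = &dummy_security_ops;". Move the check above the banner, and make sure the caller of this init function acts on the -EIO, otherwise security_ops is left at whatever it held before this function ran.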
* [PATCH] LSM changes for 2.5.52
From: Greg KH @ 2002-12-18 23:27 UTC (permalink / raw)
To: linux-kernel, linux-security-module
ChangeSet 1.899, 2002/12/18 14:58:27-08:00, wli@holomorphy.com
[PATCH] converting cap_set_pg() to for_each_task_pid()
cap_set_pg() wants to find all processes in a given process group. This
converts it to use for_each_task_pid().
diff -Nru a/kernel/capability.c b/kernel/capability.c
--- a/kernel/capability.c Wed Dec 18 15:13:37 2002
+++ b/kernel/capability.c Wed Dec 18 15:13:37 2002
@@ -84,13 +84,15 @@
kernel_cap_t *inheritable,
kernel_cap_t *permitted)
{
- task_t *g, *target;
+ task_t *g, *target;
+ struct list_head *l;
+ struct pid *pid;
- do_each_thread(g, target) {
- if (target->pgrp != pgrp)
- continue;
- security_capset_set(target, effective, inheritable, permitted);
- } while_each_thread(g, target);
+ for_each_task_pid(pgrp, PIDTYPE_PGID, g, l, pid) {
+ target = g;
+ while_each_thread(g, target)
+ security_capset_set(target, effective, inheritable, permitted);
+ }
}
/*
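Review bot: in the added loop, while_each_thread(g, target) is used as a loop head, whereas the removed code used it as the closing half of do_each_thread() { ... } while_each_thread(). As a head, its condition is evaluated before the first security_capset_set() call, so if the macro steps target to the next thread before comparing it with g, the task returned by for_each_task_pid() never gets its capabilities set and only its other threads do. Writing the inner loop as "do { security_capset_set(target, ...); } while_each_thread(g, target);" keeps g itself covered. The "task_t *g, *target;" line also appears as a remove/add pair with no visible change, which looks like whitespace churn that could be dropped from the patch.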
* Re: [PATCH] LSM changes for 2.5.52
From: Greg KH @ 2002-12-18 23:28 UTC (permalink / raw)
To: linux-kernel, linux-security-module
ChangeSet 1.900, 2002/12/18 15:09:33-08:00, greg@kroah.com
LSM: Fix up the description of the root_plug code to try to make it clearer.
diff -Nru a/security/Kconfig b/security/Kconfig
--- a/security/Kconfig Wed Dec 18 15:13:33 2002
+++ b/security/Kconfig Wed Dec 18 15:13:33 2002
@@ -27,8 +27,11 @@
depends on SECURITY!=n
help
This is a sample LSM module that should only be used as such.
- It enables control over processes being created by root users
- if a specific USB device is not present in the system.
+ It prevents any programs running with egid == 0 if a specific
+ USB device is not present in the system.
+
+ See <http://www.linuxjournal.com/article.php?sid=6279> for
+ more information about this module.
If you are unsure how to answer this question, answer N.
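Review bot: the new help sentence "It prevents any programs running with egid == 0" reads awkwardly and is easy to misread as a check on root users, which is what the removed text described. Spell it out, for example "It prevents any program from running with an effective group ID of 0 if a specific USB device is not present in the system." The help also omits the caveat that the root_plug.c header comment carries (the task_* functions need hooking as well for "a semblance of security"); repeating it here would tell someone reading only the config help that the module is not a complete control.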
diff -Nru a/security/root_plug.c b/security/root_plug.c
--- a/security/root_plug.c Wed Dec 18 15:13:33 2002
+++ b/security/root_plug.c Wed Dec 18 15:13:33 2002
@@ -13,6 +13,9 @@
* If you want to turn this into something with a semblance of security,
* you need to hook the task_* functions also.
*
+ * See http://www.linuxjournal.com/article.php?sid=6279 for more information
+ * about this code.
+ *
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* Re: [PATCH] LSM changes for 2.5.52
From: Greg KH @ 2002-12-18 23:29 UTC (permalink / raw)
To: linux-kernel, linux-security-module
ChangeSet 1.901, 2002/12/18 15:10:25-08:00, greg@kroah.com
LSM: update the copyright dates for my entry.
diff -Nru a/security/dummy.c b/security/dummy.c
--- a/security/dummy.c Wed Dec 18 15:13:29 2002
+++ b/security/dummy.c Wed Dec 18 15:13:29 2002
@@ -3,7 +3,7 @@
* security model is loaded.
*
* Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
- * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
+ * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
* Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
*
* This program is free software; you can redistribute it and/or modify
diff -Nru a/security/security.c b/security/security.c
--- a/security/security.c Wed Dec 18 15:13:29 2002
+++ b/security/security.c Wed Dec 18 15:13:29 2002
@@ -2,7 +2,7 @@
* Security plug functions
*
* Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
- * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
+ * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
* Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
*
* This program is free software; you can redistribute it and/or modify