From: Joshua Brindle <jbrindle@snu.edu>
To: SELinux <SELinux@tycho.nsa.gov>
Subject: [Patch] avc ipaddr patches
Date: Mon, 23 Feb 2004 00:15:27 -0600 [thread overview]
Message-ID: <40399A7F.5080909@snu.edu> (raw)
Attached are 2 patches, the first adds curr_ip to the task_struct and
sets it in socket.c, and makes the info available in /proc/pid/ipaddr,
and the second is selinux specific to add ipaddr= to avc messages.
These patches record the IPv4 address of the TCP peer whose connection a process accepted, and expose it both in /proc (for the process) and in the AVC message when that process gets a denial.
Since these modify task_struct and socket.c I doubt there is a way for
them to go upstream but they might be of interest to people here.
Here is the expected output:
# cat /proc/1632/ipaddr
192.168.1.100
and
avc: denied { add_name } for pid=1638 exe=/bin/mv
name=linux-2.6.3-proc_pid_ipaddr.diff ipaddr=192.168.1.100
scontext=root:staff_r:staff_t tcontext=system_u:object_r:src_t tclass=dir
Let me know if you are interested in these..
Joshua Brindle
[-- Attachment #2: linux-2.6.3-selinux-ipaddr.patch --]
[-- Type: text/plain, Size: 563 bytes --]
diff -u linux-2.6.3/security/selinux/avc.c linux-2.6.3-openpax/security/selinux/avc.c
--- linux-2.6.3/security/selinux/avc.c 2004-02-10 11:28:19.000000000 -0600
+++ linux-2.6.3-openpax/security/selinux/avc.c 2004-02-10 13:05:07.000000000 -0600
@@ -143,6 +143,11 @@
char *scontext;
u32 scontext_len;
+#ifdef CONFIG_PROC_PID_IPADDR
+ if (current->curr_ip)
+ printk("ipaddr=%u.%u.%u.%u ", NIPQUAD(current->curr_ip));
+#endif /* CONFIG_PROC_PID_IPADDR */
+
rc = security_sid_to_context(ssid, &scontext, &scontext_len);
if (rc)
printk("ssid=%d", ssid);
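Review bot: The new print reads `current->curr_ip` for whatever task happens to be running, but avc_dump_query is handed an `ssid` that need not belong to `current`; the SELinux socket hooks that run from softirq context (the sock_rcv_skb path, as far as I recall for this kernel) would attach the interrupted task's peer address to a packet denial. The gate also tests the address itself rather than the `used_accept` flag the socket side sets alongside it, so 0.0.0.0 and "never accepted" are indistinguishable. I would guard with `if (!in_interrupt() && current->used_accept)` (in_interrupt() via linux/interrupt.h) and add `/* peer of the last TCP accept() by this task or an ancestor; informational, not authenticated */` above it so readers of the audit line do not treat ipaddr= as a verified source. The enclosing function starts before the hunk.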
[-- Attachment #3: linux-2.6.3-proc_pid_ipaddr.diff --]
[-- Type: text/x-patch, Size: 4875 bytes --]
diff -ur linux-2.6.2/fs/proc/array.c linux-2.6.2-pax/fs/proc/array.c
--- linux-2.6.2/fs/proc/array.c 2004-01-09 00:59:44.000000000 -0600
+++ linux-2.6.2-pax/fs/proc/array.c 2004-02-10 11:04:25.000000000 -0600
@@ -414,3 +414,13 @@
return sprintf(buffer,"%d %d %d %d %d %d %d\n",
size, resident, shared, text, lib, data, 0);
}
+
+#ifdef CONFIG_PROC_PID_IPADDR
+int proc_pid_ipaddr(struct task_struct *task, char * buffer)
+{
+ int len;
+
+ len = sprintf(buffer, "%u.%u.%u.%u\n", NIPQUAD(task->curr_ip));
+ return len;
+}
+#endif /* CONFIG_PROC_PID_IPADDR */
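Review bot: proc_pid_ipaddr never consults `task->used_accept`, the flag the socket.c and af_unix.c hunks set together with `curr_ip`, so a process that has never accepted a connection reads as `0.0.0.0`, which a log consumer cannot tell from a genuinely recorded address. Returning an empty file in that case keeps the flag meaningful: `if (!task->used_accept) return 0;` before the sprintf. A header comment would also help, e.g. `/* /proc/<pid>/ipaddr: IPv4 peer of the last TCP accept() recorded for this task (set by op_attach_curr_ip in net/socket.c) */`.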
diff -ur linux-2.6.2/fs/proc/base.c linux-2.6.2-pax/fs/proc/base.c
--- linux-2.6.2/fs/proc/base.c 2004-02-08 02:41:47.000000000 -0600
+++ linux-2.6.2-pax/fs/proc/base.c 2004-02-10 11:09:41.000000000 -0600
@@ -57,6 +57,9 @@
PROC_TGID_CMDLINE,
PROC_TGID_STAT,
PROC_TGID_STATM,
+#ifdef CONFIG_PROC_PID_IPADDR
+ PROC_TGID_IPADDR,
+#endif /* CONFIG_PROC_PID_IPADDR */
PROC_TGID_MAPS,
PROC_TGID_MOUNTS,
PROC_TGID_WCHAN,
@@ -80,6 +83,9 @@
PROC_TID_CMDLINE,
PROC_TID_STAT,
PROC_TID_STATM,
+#ifdef CONFIG_PROC_PID_IPADDR
+ PROC_TID_IPADDR,
+#endif /* CONFIG_PROC_PID_IPADDR */
PROC_TID_MAPS,
PROC_TID_MOUNTS,
PROC_TID_WCHAN,
@@ -111,6 +117,9 @@
E(PROC_TGID_CMDLINE, "cmdline", S_IFREG|S_IRUGO),
E(PROC_TGID_STAT, "stat", S_IFREG|S_IRUGO),
E(PROC_TGID_STATM, "statm", S_IFREG|S_IRUGO),
+#ifdef CONFIG_PROC_PID_IPADDR
+ E(PROC_TGID_IPADDR, "ipaddr", S_IFREG|S_IRUSR),
+#endif /* CONFIG_PROC_PID_IPADDR */
E(PROC_TGID_MAPS, "maps", S_IFREG|S_IRUGO),
E(PROC_TGID_MEM, "mem", S_IFREG|S_IRUSR|S_IWUSR),
E(PROC_TGID_CWD, "cwd", S_IFLNK|S_IRWXUGO),
@@ -181,6 +190,9 @@
int proc_pid_status(struct task_struct*,char*);
int proc_pid_statm(struct task_struct*,char*);
int proc_pid_cpu(struct task_struct*,char*);
+#ifdef CONFIG_PROC_PID_IPADDR
+int proc_pid_ipaddr(struct task_struct*,char*);
+#endif /* CONFIG_PROC_PID_IPADDR */
static int proc_fd_link(struct inode *inode, struct dentry **dentry, struct vfsmount **mnt)
{
@@ -1350,6 +1362,13 @@
inode->i_fop = &proc_info_file_operations;
ei->op.proc_read = proc_pid_statm;
break;
+#ifdef CONFIG_PROC_PID_IPADDR
+ case PROC_TID_IPADDR:
+ case PROC_TGID_IPADDR:
+ inode->i_fop = &proc_info_file_operations;
+ ei->op.proc_read = proc_pid_ipaddr;
+ break;
+#endif /* CONFIG_PROC_PID_IPADDR */
case PROC_TID_MAPS:
case PROC_TGID_MAPS:
inode->i_fop = &proc_maps_operations;
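Review bot: The switch handles PROC_TID_IPADDR, but no hunk in this diff adds a matching `E(PROC_TID_IPADDR, "ipaddr", S_IFREG|S_IRUSR)` to the per-thread entry table the way the earlier base.c hunk does for the TGID table, so unless that is done elsewhere the TID case is unreachable and /proc/<pid>/task/<tid>/ipaddr never appears. Either add the tid table entry or drop PROC_TID_IPADDR and the `case PROC_TID_IPADDR:` line so the enum and the lookup table stay in step. Since curr_ip lives in task_struct, threads of one process can report different addresses; if that is intended it deserves a one-line comment on the case. The enclosing function starts and ends outside the hunk.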
diff -ur linux-2.6.2/include/linux/sched.h linux-2.6.2-pax/include/linux/sched.h
--- linux-2.6.2/include/linux/sched.h 2004-02-08 02:48:07.000000000 -0600
+++ linux-2.6.2-pax/include/linux/sched.h 2004-02-10 10:43:41.000000000 -0600
@@ -373,6 +373,11 @@
struct mm_struct *mm, *active_mm;
+#ifdef CONFIG_PROC_PID_IPADDR
+ u32 curr_ip;
+ u8 used_accept:1;
+#endif /* CONFIG_PROC_PID_IPADDR */
+
/* task state */
struct linux_binfmt *binfmt;
int exit_code, exit_signal;
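Review bot: The two new task_struct fields carry no comment and nothing in this diff ever clears them, so a reader cannot tell how long a recorded address stays valid; if fork copies task_struct wholesale, as I believe it does, every descendant of an accepting process, including unrelated daemons it spawns later, inherits the last peer address until it performs an accept() of its own. Please document that: `u32 curr_ip;	/* IPv4 peer of the last TCP accept() by this task or an ancestor; never cleared */` and `u8 used_accept:1;	/* curr_ip has been set at least once */`. Note also that the af_unix change writes this bitfield from another task's context, so it should stay the only bitfield in its byte to avoid read-modify-write races with any flag packed next to it later.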
diff -ur linux-2.6.2/net/socket.c linux-2.6.2-pax/net/socket.c
--- linux-2.6.2/net/socket.c 2004-02-10 10:50:22.000000000 -0600
+++ linux-2.6.2-pax/net/socket.c 2004-02-10 10:43:21.000000000 -0600
@@ -80,6 +80,8 @@
#include <linux/security.h>
#include <linux/compat.h>
#include <linux/kmod.h>
+#include <linux/in.h>
+#include <linux/ip.h>
#ifdef CONFIG_NET_RADIO
#include <linux/wireless.h> /* Note : will define WIRELESS_EXT */
@@ -267,6 +268,17 @@
return __put_user(klen, ulen);
}
+#ifdef CONFIG_PROC_PID_IPADDR
+void op_attach_curr_ip(const struct sock *sk)
+{
+ if (unlikely(sk->sk_protocol != IPPROTO_TCP))
+ return;
+ current->curr_ip = inet_sk(sk)->daddr;
+ current->used_accept = 1;
+ return;
+}
+#endif /* CONFIG_PROC_PID_IPADDR */
+
#define SOCKFS_MAGIC 0x534F434B
static kmem_cache_t * sock_inode_cachep;
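Review bot: op_attach_curr_ip checks only `sk_protocol`, not the address family, before reading `inet_sk(sk)->daddr`; an AF_INET6 TCP socket also reports IPPROTO_TCP, and for a non-mapped IPv6 peer the inet daddr field is not the peer address as far as I recall of the v6 code, so an IPv6 server would record a meaningless quad (and any other accept()-capable family that happens to use protocol number 6 would read garbage). Tighten the guard to `if (sk->sk_family != AF_INET || sk->sk_protocol != IPPROTO_TCP) return;`. The function is used only in this file, so it should be `static void op_attach_curr_ip(const struct sock *sk)`, the trailing `return;` is dead, and a one-line comment saying that curr_ip is overwritten on every successful TCP accept() would fix the intended semantics in the code rather than in the mail.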
@@ -1293,8 +1307,12 @@
if ((err = sock_map_fd(newsock)) < 0)
goto out_release;
security_socket_post_accept(sock, newsock);
+#ifdef CONFIG_PROC_PID_IPADDR
+ op_attach_curr_ip(newsock->sk);
+#endif /* CONFIG_PROC_PID_IPADDR */
+
out_put:
sockfd_put(sock);
out:
diff -ur linux-2.6.2/net/unix/af_unix.c linux-2.6.2-pax/net/unix/af_unix.c
--- linux-2.6.2/net/unix/af_unix.c 2004-02-08 02:41:59.000000000 -0600
+++ linux-2.6.2-pax/net/unix/af_unix.c 2004-02-10 10:43:30.000000000 -0600
@@ -1003,6 +1005,16 @@
/* Set credentials */
sk->sk_peercred = other->sk_peercred;
+#ifdef CONFIG_PROC_PID_IPADDR
+ //I'm not even sure if this is required, but grsec had it --Method
+ struct pid *pid = find_pid(PIDTYPE_PID, other->sk_peercred.pid);
+
+ if (pid) {
+ pid->task->curr_ip = current->curr_ip;
+ pid->task->used_accept = 1;
+ }
+#endif /* CONFIG_PROC_PID_IPADDR */
+
sock_hold(newsk);
unix_peer(sk) = newsk;
sock->state = SS_CONNECTED;
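Review bot: This block lets any local process that can connect() to a listening AF_UNIX socket overwrite another task's `curr_ip`/`used_accept`: `other->sk_peercred.pid` is the pid recorded when the listener called listen(), not the task that will accept(), it may already have exited and been reused, and `pid->task` is dereferenced without the locking find_pid's other callers use (tasklist_lock, as far as I can see) or any reference, so it can also point at a freed task. Because the value written is the connector's own address (often 0) with `used_accept = 1`, an unprivileged user can blank or forge the ipaddr= that later appears in the daemon's AVC denials and /proc/<pid>/ipaddr, which defeats the audit purpose of the series; the comment itself says the hunk is of unknown necessity, so I would drop it, and if propagation to the server is really wanted do it from the accept() side on `current`. If it stays, the `//` comment with the personal attribution should go, the declaration after `sk->sk_peercred = ...` should move to the top of a block, and the lookup needs the tasklist lock plus a NULL check on `pid->task`. unix_stream_connect starts before and ends after the hunk.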