* [PATCH 1/2] Security: hooks for seccomp as extended attribute
@ 2012-12-19 21:30 Michael Cassaniti
From: Michael Cassaniti @ 2012-12-19 21:30 UTC (permalink / raw)
To: Linux Security Module mailing list, linux-kernel
From Michael Cassaniti <m.cassaniti@gmail.com>
Superficial patch showing hooks for seccomp extended attribute filter code
Written against Linux 3.5
Signed-off-by: Michael Cassaniti <m.cassaniti@gmail.com>
---
diff -uprN -X linux-3.5-rp1/Documentation/dontdiff linux-3.5/fs/exec.c
linux-3.5-rp1/fs/exec.c
--- linux-3.5/fs/exec.c 2012-07-22 06:58:29.000000000 +1000
+++ linux-3.5-rp1/fs/exec.c 2012-09-13 12:27:14.966076904 +1000
@@ -1537,6 +1537,10 @@ static int do_execve_common(const char *
if (retval < 0)
goto out;
+ retval = security_seccomp_from_vfs(bprm);
+ if (retval < 0)
+ goto out;
+
retval = copy_strings_kernel(1, &bprm->filename, bprm);
if (retval < 0)
goto out;
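Review bot: The added call to `security_seccomp_from_vfs(bprm)` carries no comment saying what it reads or why a negative return aborts the exec, and the `security_` prefix suggests an LSM hook even though the later hunks wire it straight to a seccomp function rather than through security_ops. A one-line comment at the call site would settle both: `/* Apply the seccomp filter carried in the binary's security.seccomp xattr; a negative return fails the exec (fail closed). */`. Whether bprm->file is already open and prepare_binprm has run at this point cannot be confirmed from the hunk; do_execve_common starts and ends outside it.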
diff -uprN -X linux-3.5-rp1/Documentation/dontdiff
linux-3.5/include/linux/seccomp.h linux-3.5-rp1/include/linux/seccomp.h
--- linux-3.5/include/linux/seccomp.h 2012-07-22 06:58:29.000000000
+1000
+++ linux-3.5-rp1/include/linux/seccomp.h 2012-09-21
12:43:28.215772113 +1000
@@ -119,6 +119,14 @@ static inline int seccomp_mode(struct se
extern void put_seccomp_filter(struct task_struct *tsk);
extern void get_seccomp_filter(struct task_struct *tsk);
extern u32 seccomp_bpf_load(int off);
+
+#define SECCOMP_XATTR_NAME "security.seccomp"
+#define SECCOMP_XATTR_LEN 128
+#define SECCOMP_XATTR_BIT_EN 0
+#define SECCOMP_XATTR_BIT_DEF_ACTION 1
+#define SECCOMP_XATTR_BIT_DEF_RETURN 2
+#define SECCOMP_XATTR_BITMAP_START 3
+
#else /* CONFIG_SECCOMP_FILTER */
static inline void put_seccomp_filter(struct task_struct *tsk)
{
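Review bot: The new SECCOMP_XATTR_* defines describe an on-disk layout but carry no comment, so a reader cannot tell whether `SECCOMP_XATTR_LEN 128` counts bytes or bits, what values the DEF_ACTION and DEF_RETURN bits encode, or what the bitmap starting at `SECCOMP_XATTR_BITMAP_START` indexes (presumably syscall numbers, to be confirmed by the consumer in patch 2/2). A block comment above the defines should spell out the layout and the valid range of each field, since the consumer will need to validate the xattr length and bit positions against these limits. The comment should also note that the attribute is input controlled by whoever can set `security.*` xattrs on the file (typically CAP_SYS_ADMIN), so the reader must treat it as untrusted data rather than a kernel-owned structure.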
diff -uprN -X linux-3.5-rp1/Documentation/dontdiff
linux-3.5/include/linux/security.h linux-3.5-rp1/include/linux/security.h
--- linux-3.5/include/linux/security.h 2012-07-22 06:58:29.000000000
+1000
+++ linux-3.5-rp1/include/linux/security.h 2012-09-21
12:00:24.026007169 +1000
@@ -3023,5 +3023,23 @@ static inline void free_secdata(void *se
{ }
#endif /* CONFIG_SECURITY */
+#ifdef CONFIG_SECCOMP_FILTER
+
+extern int append_seccomp_from_vfs(struct linux_binprm *bprm);
+
+static inline int security_seccomp_from_vfs(struct linux_binprm *bprm)
+{
+ return append_seccomp_from_vfs(bprm);
+}
+
+#else
+
+static inline int security_seccomp_from_vfs(struct linux_binprm *bprm)
+{
+ return 0;
+}
+
+#endif /* CONFIG_SECCOMP_FILTER */
+
#endif /* ! __LINUX_SECURITY_H */
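Review bot: `security_seccomp_from_vfs` is added to security.h under the `security_` prefix but calls `append_seccomp_from_vfs` directly instead of dispatching through security_ops, so it is not an LSM hook and cannot be stacked or overridden by a loaded LSM; either route it through a real hook or give it a name that does not suggest one, e.g. `seccomp_from_vfs`. Both inline variants also lack the kerneldoc the other helpers in this header carry; a comment such as `/* Returns 0, or a negative errno that aborts the exec, after loading the seccomp filter stored on bprm->file. */` above the CONFIG_SECCOMP_FILTER version would be enough. The block is placed after `#endif /* CONFIG_SECURITY */`, which looks intentional since seccomp does not depend on CONFIG_SECURITY, but a short comment saying so would prevent it being "fixed" later.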
diff -uprN -X linux-3.5-rp1/Documentation/dontdiff
linux-3.5/kernel/seccomp.c linux-3.5-rp1/kernel/seccomp.c
--- linux-3.5/kernel/seccomp.c 2012-07-22 06:58:29.000000000 +1000
+++ linux-3.5-rp1/kernel/seccomp.c 2012-09-21 13:23:52.254969072 +1000
@@ -502,3 +502,9 @@ long prctl_set_seccomp(unsigned long sec
out:
return ret;
}
+
+int append_seccomp_from_vfs(struct linux_binprm *bprm)
+{
+ pr_debug("Entered stub %s\n", __func__);
+ return 0;
+}
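Review bot: `append_seccomp_from_vfs` is defined after `prctl_set_seccomp`, which in this file appears to sit outside the `#ifdef CONFIG_SECCOMP_FILTER` region (inferred from the surrounding file, not visible in the hunk), while its only declaration in the security.h hunk is inside that guard; with CONFIG_SECCOMP=y and CONFIG_SECCOMP_FILTER=n this would be a non-static function without a prototype, producing a missing-prototype warning. Wrap the definition in `#ifdef CONFIG_SECCOMP_FILTER` or move it into the filter section so the two guards match. The stub also needs a kerneldoc header describing @bprm as the binary being executed and stating that the return value is 0 or a negative errno that aborts the exec; the `pr_debug("Entered stub %s\n", __func__)` line should be dropped once the stub is filled in, as it adds a debug message on every exec.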