[BK PATCH] LSM changes for 2.5.59

[BK PATCH] LSM changes for 2.5.59

[Greg KH]

Hi,

These changesets include some new LSM hooks, all of which have been sent
to lkml with no dissenting comments.  Some of these hooks are the same
ones I sent for 2.5.58, but were not picked up.  These include hooks for
syslog and sysctl, restores some previously lost hooks, and reworked the
hooks for the security structures for private files.

Please pull from:  bk://lsm.bkbits.net/linus-2.5

thanks,

greg k-h


 fs/dcache.c              |    6 +++
 fs/exportfs/expfs.c      |    5 +--
 fs/file_table.c          |   35 +++++++++++++++++------
 fs/namei.c               |   18 +++--------
 fs/nfsd/vfs.c            |    9 +----
 fs/super.c               |   16 ++++++++++
 include/linux/fs.h       |   10 +++++-
 include/linux/security.h |   71 +++++++++++++++++++++++++++++++++++++----------
 kernel/ksyms.c           |    6 ++-
 kernel/printk.c          |    7 +++-
 kernel/sys.c             |   21 ++++++++++---
 kernel/sysctl.c          |    5 +++
 security/capability.c    |   10 ++++++
 security/dummy.c         |   33 +++++++++++++++++----
 14 files changed, 191 insertions(+), 61 deletions(-)
-----

ChangeSet@1.984, 2003-02-05 14:37:12+11:00, sds@epoch.ncsc.mil
  [PATCH] LSM: Add LSM syslog hook to 2.5.59
  
  This patch adds the LSM security_syslog hook for controlling the
  syslog(2) interface relative to 2.5.59 plus the previously posted
  security_sysctl patch.  In response to earlier comments by Christoph,
  the existing capability check for syslog(2) is moved into the
  capability security module hook function, and a corresponding dummy
  security module hook function is defined that provides traditional
  superuser behavior.  The LSM hook is placed in do_syslog rather than
  sys_syslog so that it is called when either the system call interface
  or the /proc/kmsg interface is used.  SELinux uses this hook to
  control access to the kernel message ring and to the console log
  level.

 include/linux/security.h |   18 ++++++++++++++++++
 kernel/printk.c          |    7 +++++--
 security/capability.c    |   10 ++++++++++
 security/dummy.c         |    8 ++++++++
 4 files changed, 41 insertions(+), 2 deletions(-)
------

ChangeSet@1.983, 2003-02-05 14:32:08+11:00, sds@epoch.ncsc.mil
  [PATCH] LSM: Add LSM sysctl hook to 2.5.59
  
  This patch adds a LSM sysctl hook for controlling access to
  sysctl variables to 2.5.59, split out from the lsm-2.5 BitKeeper tree.
  SELinux uses this hook to control such accesses in accordance with the
  security policy configuration.

 include/linux/security.h |   17 +++++++++++++++++
 kernel/sysctl.c          |    5 +++++
 security/dummy.c         |    6 ++++++
 3 files changed, 28 insertions(+)
------

ChangeSet@1.982, 2003-02-04 15:07:23-08:00, gregkh@kernel.bkbits.net
  Merge bk://lsm.bkbits.net/linus-2.5
  into kernel.bkbits.net:/home/gregkh/linux/lsm-2.5

 fs/dcache.c        |    3 +++
 fs/namei.c         |    9 +++------
 fs/super.c         |    8 ++++++++
 include/linux/fs.h |    5 ++++-
 kernel/ksyms.c     |    3 ++-
 5 files changed, 20 insertions(+), 8 deletions(-)
------

ChangeSet@1.952.1.4, 2003-01-16 14:54:42-08:00, sds@epoch.ncsc.mil
  [PATCH] Restore LSM hook calls to setpriority and setpgid
  
  This patch restores the LSM hook calls in setpriority and setpgid to
  2.5.58.  These hooks were previously added as of 2.5.27, but the hook
  calls were subsequently lost as a result of other changes to the code
  as of 2.5.37.
  
  Ingo has signed off on this patch, and no one else has objected.

 kernel/sys.c |   21 ++++++++++++++++-----
 1 files changed, 16 insertions(+), 5 deletions(-)
------

ChangeSet@1.952.1.3, 2003-01-16 14:35:24-08:00, sds@epoch.ncsc.mil
  [PATCH] allocate and free security structures for private files
  
  This patch adds a security_file_alloc call to init_private_file and
  creates a close_private_file function to encapsulate the release of
  private file structures.  These changes ensure that security
  structures for private files will be allocated and freed
  appropriately.  Per Andi Kleen's comments, the patch also renames
  init_private_file to open_private_file to force updating of all
  callers, since they will also need to be updated to use
  close_private_file to avoid a leak of the security structure.  Per
  Christoph Hellwig's comments, the patch also replaces the 'mode'
  argument with a 'flags' argument, computing the f_mode from the flags,
  and it explicitly tests f_op prior to dereferencing, as in
  dentry_open().

 fs/exportfs/expfs.c |    5 ++---
 fs/file_table.c     |   35 +++++++++++++++++++++++++++--------
 fs/nfsd/vfs.c       |    9 +++------
 include/linux/fs.h  |    5 ++++-
 kernel/ksyms.c      |    3 ++-
 5 files changed, 38 insertions(+), 19 deletions(-)
------

ChangeSet@1.952.1.2, 2003-01-16 14:23:59-08:00, sds@epoch.ncsc.mil
  [PATCH] Replace inode_post_lookup hook with d_instantiate hook
  
  This patch removes the security_inode_post_lookup hook entirely and
  adds a security_d_instantiate hook call to the d_instantiate function
  and the d_splice_alias function.  The inode_post_lookup hook was
  subject to races since the inode is already accessible through the
  dcache before it is called, didn't handle filesystems that directly
  populate the dcache, and wasn't always called in the desired context
  (e.g. for pipe, shmem, and devpts inodes).  The d_instantiate hook
  enables initialization of the inode security information.  This hook
  is used by SELinux and by DTE to setup the inode security state, and
  eliminated the need for the inode_precondition function in SELinux.

 fs/dcache.c              |    3 +++
 fs/namei.c               |    9 +++------
 include/linux/security.h |   25 ++++++++++---------------
 security/dummy.c         |   13 +++++++------
 4 files changed, 23 insertions(+), 27 deletions(-)
------

ChangeSet@1.952.1.1, 2003-01-16 14:18:05-08:00, sds@epoch.ncsc.mil
  [PATCH] Add LSM hook to do_kern_mount
  
  This patch adds a security_sb_kern_mount hook call to the do_kern_mount
  function.  This hook enables initialization of the superblock security
  information of all superblock objects.  Placing a hook in do_kern_mount
  was originally suggested by Al Viro.  This hook is used by SELinux to
  setup the superblock security state and eliminated the need for the
  superblock_precondition function.

 fs/super.c               |    8 ++++++++
 include/linux/security.h |   11 +++++++++++
 security/dummy.c         |    6 ++++++
 3 files changed, 25 insertions(+)
------

[PATCH] LSM changes for 2.5.59

[Greg KH]

ChangeSet 1.952.1.1, 2003/01/16 14:18:05-08:00, sds@epoch.ncsc.mil

[PATCH] Add LSM hook to do_kern_mount

This patch adds a security_sb_kern_mount hook call to the do_kern_mount
function.  This hook enables initialization of the superblock security
information of all superblock objects.  Placing a hook in do_kern_mount
was originally suggested by Al Viro.  This hook is used by SELinux to
setup the superblock security state and eliminated the need for the
superblock_precondition function.


diff -Nru a/fs/super.c b/fs/super.c
--- a/fs/super.c	Wed Feb  5 14:58:37 2003
+++ b/fs/super.c	Wed Feb  5 14:58:37 2003
@@ -610,6 +610,7 @@
 	struct file_system_type *type = get_fs_type(fstype);
 	struct super_block *sb = ERR_PTR(-ENOMEM);
 	struct vfsmount *mnt;
+	int error;
 
 	if (!type)
 		return ERR_PTR(-ENODEV);
@@ -620,6 +621,13 @@
 	sb = type->get_sb(type, flags, name, data);
 	if (IS_ERR(sb))
 		goto out_mnt;
+ 	error = security_sb_kern_mount(sb);
+ 	if (error) {
+ 		up_write(&sb->s_umount);
+ 		deactivate_super(sb);
+ 		sb = ERR_PTR(error);
+ 		goto out_mnt;
+ 	}
 	mnt->mnt_sb = sb;
 	mnt->mnt_root = dget(sb->s_root);
 	mnt->mnt_mountpoint = sb->s_root;
diff -Nru a/include/linux/security.h b/include/linux/security.h
--- a/include/linux/security.h	Wed Feb  5 14:58:37 2003
+++ b/include/linux/security.h	Wed Feb  5 14:58:37 2003
@@ -814,6 +814,7 @@
 
 	int (*sb_alloc_security) (struct super_block * sb);
 	void (*sb_free_security) (struct super_block * sb);
+	int (*sb_kern_mount) (struct super_block *sb);
 	int (*sb_statfs) (struct super_block * sb);
 	int (*sb_mount) (char *dev_name, struct nameidata * nd,
 			 char *type, unsigned long flags, void *data);
@@ -1034,6 +1035,11 @@
 	security_ops->sb_free_security (sb);
 }
 
+static inline int security_sb_kern_mount (struct super_block *sb)
+{
+	return security_ops->sb_kern_mount (sb);
+}
+
 static inline int security_sb_statfs (struct super_block *sb)
 {
 	return security_ops->sb_statfs (sb);
@@ -1638,6 +1644,11 @@
 
 static inline void security_sb_free (struct super_block *sb)
 { }
+
+static inline int security_sb_kern_mount (struct super_block *sb)
+{
+	return 0;
+}
 
 static inline int security_sb_statfs (struct super_block *sb)
 {
diff -Nru a/security/dummy.c b/security/dummy.c
--- a/security/dummy.c	Wed Feb  5 14:58:37 2003
+++ b/security/dummy.c	Wed Feb  5 14:58:37 2003
@@ -120,6 +120,11 @@
 	return;
 }
 
+static int dummy_sb_kern_mount (struct super_block *sb)
+{
+	return 0;
+}
+
 static int dummy_sb_statfs (struct super_block *sb)
 {
 	return 0;
@@ -635,6 +640,7 @@
 	set_to_dummy_if_null(ops, bprm_check_security);
 	set_to_dummy_if_null(ops, sb_alloc_security);
 	set_to_dummy_if_null(ops, sb_free_security);
+	set_to_dummy_if_null(ops, sb_kern_mount);
 	set_to_dummy_if_null(ops, sb_statfs);
 	set_to_dummy_if_null(ops, sb_mount);
 	set_to_dummy_if_null(ops, sb_check_sb);

Re: [PATCH] LSM changes for 2.5.59

[Greg KH]

ChangeSet 1.952.1.2, 2003/01/16 14:23:59-08:00, sds@epoch.ncsc.mil

[PATCH] Replace inode_post_lookup hook with d_instantiate hook

This patch removes the security_inode_post_lookup hook entirely and
adds a security_d_instantiate hook call to the d_instantiate function
and the d_splice_alias function.  The inode_post_lookup hook was
subject to races since the inode is already accessible through the
dcache before it is called, didn't handle filesystems that directly
populate the dcache, and wasn't always called in the desired context
(e.g. for pipe, shmem, and devpts inodes).  The d_instantiate hook
enables initialization of the inode security information.  This hook
is used by SELinux and by DTE to setup the inode security state, and
eliminated the need for the inode_precondition function in SELinux.


diff -Nru a/fs/dcache.c b/fs/dcache.c
--- a/fs/dcache.c	Wed Feb  5 14:58:34 2003
+++ b/fs/dcache.c	Wed Feb  5 14:58:34 2003
@@ -25,6 +25,7 @@
 #include <linux/module.h>
 #include <linux/mount.h>
 #include <asm/uaccess.h>
+#include <linux/security.h>
 
 #define DCACHE_PARANOIA 1
 /* #define DCACHE_DEBUG 1 */
@@ -699,6 +700,7 @@
 void d_instantiate(struct dentry *entry, struct inode * inode)
 {
 	if (!list_empty(&entry->d_alias)) BUG();
+	security_d_instantiate(entry, inode);
 	spin_lock(&dcache_lock);
 	if (inode)
 		list_add(&entry->d_alias, &inode->i_dentry);
@@ -825,6 +827,7 @@
 	struct dentry *new = NULL;
 
 	if (inode && S_ISDIR(inode->i_mode)) {
+		security_d_instantiate(dentry, inode);
 		spin_lock(&dcache_lock);
 		if (!list_empty(&inode->i_dentry)) {
 			new = list_entry(inode->i_dentry.next, struct dentry, d_alias);
diff -Nru a/fs/namei.c b/fs/namei.c
--- a/fs/namei.c	Wed Feb  5 14:58:34 2003
+++ b/fs/namei.c	Wed Feb  5 14:58:34 2003
@@ -372,10 +372,8 @@
 			result = dir->i_op->lookup(dir, dentry);
 			if (result)
 				dput(dentry);
-			else {
+			else
 				result = dentry;
-				security_inode_post_lookup(dir, result);
-			}
 		}
 		up(&dir->i_sem);
 		return result;
@@ -916,10 +914,9 @@
 		if (!new)
 			goto out;
 		dentry = inode->i_op->lookup(inode, new);
-		if (!dentry) {
+		if (!dentry)
 			dentry = new;
-			security_inode_post_lookup(inode, dentry);
-		} else
+		else
 			dput(new);
 	}
 out:
diff -Nru a/include/linux/security.h b/include/linux/security.h
--- a/include/linux/security.h	Wed Feb  5 14:58:34 2003
+++ b/include/linux/security.h	Wed Feb  5 14:58:34 2003
@@ -339,10 +339,6 @@
  *	@mnt is the vfsmount where the dentry was looked up
  *	@dentry contains the dentry structure for the file.
  *	Return 0 if permission is granted.
- * @inode_post_lookup:
- *	Set the security attributes for a file after it has been looked up.
- *	@inode contains the inode structure for parent directory.
- *	@d contains the dentry structure for the file.
  * @inode_delete:
  *	@inode contains the inode structure for deleted inode.
  *	This hook is called when a deleted inode is released (i.e. an inode
@@ -868,7 +864,6 @@
 	int (*inode_permission_lite) (struct inode *inode, int mask);
 	int (*inode_setattr)	(struct dentry *dentry, struct iattr *attr);
 	int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
-	void (*inode_post_lookup) (struct inode *inode, struct dentry *d);
         void (*inode_delete) (struct inode *inode);
 	int (*inode_setxattr) (struct dentry *dentry, char *name, void *value,
 			       size_t size, int flags);
@@ -953,6 +948,8 @@
 	                          struct security_operations *ops);
 	int (*unregister_security) (const char *name,
 	                            struct security_operations *ops);
+
+	void (*d_instantiate) (struct dentry * dentry, struct inode * inode);
 };
 
 /* global variables */
@@ -1246,12 +1243,6 @@
 	return security_ops->inode_getattr (mnt, dentry);
 }
 
-static inline void security_inode_post_lookup (struct inode *inode,
-					       struct dentry *dentry)
-{
-	security_ops->inode_post_lookup (inode, dentry);
-}
-
 static inline void security_inode_delete (struct inode *inode)
 {
 	security_ops->inode_delete (inode);
@@ -1549,6 +1540,11 @@
 	return security_ops->sem_semop(sma, sops, nsops, alter);
 }
 
+static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
+{
+	security_ops->d_instantiate (dentry, inode);
+}
+
 /* prototypes */
 extern int security_scaffolding_startup	(void);
 extern int register_security	(struct security_operations *ops);
@@ -1828,10 +1824,6 @@
 	return 0;
 }
 
-static inline void security_inode_post_lookup (struct inode *inode,
-					       struct dentry *dentry)
-{ }
-
 static inline void security_inode_delete (struct inode *inode)
 { }
 
@@ -2114,6 +2106,9 @@
 {
 	return 0;
 }
+
+static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
+{ }
 
 #endif	/* CONFIG_SECURITY */
 
diff -Nru a/security/dummy.c b/security/dummy.c
--- a/security/dummy.c	Wed Feb  5 14:58:34 2003
+++ b/security/dummy.c	Wed Feb  5 14:58:34 2003
@@ -311,11 +311,6 @@
 	return 0;
 }
 
-static void dummy_inode_post_lookup (struct inode *ino, struct dentry *d)
-{
-	return;
-}
-
 static void dummy_inode_delete (struct inode *ino)
 {
 	return;
@@ -612,6 +607,12 @@
 	return -EINVAL;
 }
 
+static void dummy_d_instantiate (struct dentry *dentry, struct inode *inode)
+{
+	return;
+}
+
+
 struct security_operations dummy_security_ops;
 
 #define set_to_dummy_if_null(ops, function)				\
@@ -674,7 +675,6 @@
 	set_to_dummy_if_null(ops, inode_permission_lite);
 	set_to_dummy_if_null(ops, inode_setattr);
 	set_to_dummy_if_null(ops, inode_getattr);
-	set_to_dummy_if_null(ops, inode_post_lookup);
 	set_to_dummy_if_null(ops, inode_delete);
 	set_to_dummy_if_null(ops, inode_setxattr);
 	set_to_dummy_if_null(ops, inode_getxattr);
@@ -731,5 +731,6 @@
 	set_to_dummy_if_null(ops, sem_semop);
 	set_to_dummy_if_null(ops, register_security);
 	set_to_dummy_if_null(ops, unregister_security);
+	set_to_dummy_if_null(ops, d_instantiate);
 }
 

Re: [PATCH] LSM changes for 2.5.59

[Greg KH]

ChangeSet 1.952.1.3, 2003/01/16 14:35:24-08:00, sds@epoch.ncsc.mil

[PATCH] allocate and free security structures for private files

This patch adds a security_file_alloc call to init_private_file and
creates a close_private_file function to encapsulate the release of
private file structures.  These changes ensure that security
structures for private files will be allocated and freed
appropriately.  Per Andi Kleen's comments, the patch also renames
init_private_file to open_private_file to force updating of all
callers, since they will also need to be updated to use
close_private_file to avoid a leak of the security structure.  Per
Christoph Hellwig's comments, the patch also replaces the 'mode'
argument with a 'flags' argument, computing the f_mode from the flags,
and it explicitly tests f_op prior to dereferencing, as in
dentry_open().


diff -Nru a/fs/exportfs/expfs.c b/fs/exportfs/expfs.c
--- a/fs/exportfs/expfs.c	Wed Feb  5 14:58:30 2003
+++ b/fs/exportfs/expfs.c	Wed Feb  5 14:58:30 2003
@@ -353,7 +353,7 @@
 	/*
 	 * Open the directory ...
 	 */
-	error = init_private_file(&file, dentry, FMODE_READ);
+	error = open_private_file(&file, dentry, O_RDONLY);
 	if (error)
 		goto out;
 	error = -EINVAL;
@@ -381,8 +381,7 @@
 	}
 
 out_close:
-	if (file.f_op->release)
-		file.f_op->release(dir, &file);
+	close_private_file(&file);
 out:
 	return error;
 }
diff -Nru a/fs/file_table.c b/fs/file_table.c
--- a/fs/file_table.c	Wed Feb  5 14:58:30 2003
+++ b/fs/file_table.c	Wed Feb  5 14:58:30 2003
@@ -93,23 +93,42 @@
 
 /*
  * Clear and initialize a (private) struct file for the given dentry,
- * and call the open function (if any).  The caller must verify that
- * inode->i_fop is not NULL.
+ * allocate the security structure, and call the open function (if any).  
+ * The file should be released using close_private_file.
  */
-int init_private_file(struct file *filp, struct dentry *dentry, int mode)
+int open_private_file(struct file *filp, struct dentry *dentry, int flags)
 {
+	int error;
 	memset(filp, 0, sizeof(*filp));
 	eventpoll_init_file(filp);
-	filp->f_mode   = mode;
+	filp->f_flags  = flags;
+	filp->f_mode   = (flags+1) & O_ACCMODE;
 	atomic_set(&filp->f_count, 1);
 	filp->f_dentry = dentry;
 	filp->f_uid    = current->fsuid;
 	filp->f_gid    = current->fsgid;
 	filp->f_op     = dentry->d_inode->i_fop;
-	if (filp->f_op->open)
-		return filp->f_op->open(dentry->d_inode, filp);
-	else
-		return 0;
+	error = security_file_alloc(filp);
+	if (!error)
+		if (filp->f_op && filp->f_op->open) {
+			error = filp->f_op->open(dentry->d_inode, filp);
+			if (error)
+				security_file_free(filp);
+		}
+	return error;
+}
+
+/*
+ * Release a private file by calling the release function (if any) and
+ * freeing the security structure.
+ */
+void close_private_file(struct file *file)
+{
+	struct inode * inode = file->f_dentry->d_inode;
+
+	if (file->f_op && file->f_op->release)
+		file->f_op->release(inode, file);
+	security_file_free(file);
 }
 
 void fput(struct file * file)
diff -Nru a/fs/nfsd/vfs.c b/fs/nfsd/vfs.c
--- a/fs/nfsd/vfs.c	Wed Feb  5 14:58:30 2003
+++ b/fs/nfsd/vfs.c	Wed Feb  5 14:58:30 2003
@@ -426,7 +426,7 @@
 {
 	struct dentry	*dentry;
 	struct inode	*inode;
-	int		flags = O_RDONLY|O_LARGEFILE, mode = FMODE_READ, err;
+	int		flags = O_RDONLY|O_LARGEFILE, err;
 
 	/*
 	 * If we get here, then the client has already done an "open",
@@ -463,14 +463,12 @@
 			goto out_nfserr;
 
 		flags = O_WRONLY|O_LARGEFILE;
-		mode  = FMODE_WRITE;
 
 		DQUOT_INIT(inode);
 	}
 
-	err = init_private_file(filp, dentry, mode);
+	err = open_private_file(filp, dentry, flags);
 	if (!err) {
-		filp->f_flags = flags;
 		filp->f_vfsmnt = fhp->fh_export->ex_mnt;
 	} else if (access & MAY_WRITE)
 		put_write_access(inode);
@@ -491,8 +489,7 @@
 	struct dentry	*dentry = filp->f_dentry;
 	struct inode	*inode = dentry->d_inode;
 
-	if (filp->f_op->release)
-		filp->f_op->release(inode, filp);
+	close_private_file(filp);
 	if (filp->f_mode & FMODE_WRITE)
 		put_write_access(inode);
 }
diff -Nru a/include/linux/fs.h b/include/linux/fs.h
--- a/include/linux/fs.h	Wed Feb  5 14:58:30 2003
+++ b/include/linux/fs.h	Wed Feb  5 14:58:30 2003
@@ -489,7 +489,10 @@
 #define get_file(x)	atomic_inc(&(x)->f_count)
 #define file_count(x)	atomic_read(&(x)->f_count)
 
-extern int init_private_file(struct file *, struct dentry *, int);
+/* Initialize and open a private file and allocate its security structure. */
+extern int open_private_file(struct file *, struct dentry *, int);
+/* Release a private file and free its security structure. */
+extern void close_private_file(struct file *file);
 
 #define	MAX_NON_LFS	((1UL<<31) - 1)
 
diff -Nru a/kernel/ksyms.c b/kernel/ksyms.c
--- a/kernel/ksyms.c	Wed Feb  5 14:58:30 2003
+++ b/kernel/ksyms.c	Wed Feb  5 14:58:30 2003
@@ -179,7 +179,8 @@
 EXPORT_SYMBOL(end_buffer_io_sync);
 EXPORT_SYMBOL(__mark_inode_dirty);
 EXPORT_SYMBOL(get_empty_filp);
-EXPORT_SYMBOL(init_private_file);
+EXPORT_SYMBOL(open_private_file);
+EXPORT_SYMBOL(close_private_file);
 EXPORT_SYMBOL(filp_open);
 EXPORT_SYMBOL(filp_close);
 EXPORT_SYMBOL(put_filp);

Re: [PATCH] LSM changes for 2.5.59

[Greg KH]

ChangeSet 1.952.1.4, 2003/01/16 14:54:42-08:00, sds@epoch.ncsc.mil

[PATCH] Restore LSM hook calls to setpriority and setpgid

This patch restores the LSM hook calls in setpriority and setpgid to
2.5.58.  These hooks were previously added as of 2.5.27, but the hook
calls were subsequently lost as a result of other changes to the code
as of 2.5.37.

Ingo has signed off on this patch, and no one else has objected.


diff -Nru a/kernel/sys.c b/kernel/sys.c
--- a/kernel/sys.c	Wed Feb  5 14:58:27 2003
+++ b/kernel/sys.c	Wed Feb  5 14:58:27 2003
@@ -212,18 +212,25 @@
 
 static int set_one_prio(struct task_struct *p, int niceval, int error)
 {
+	int no_nice;
+
 	if (p->uid != current->euid &&
 		p->uid != current->uid && !capable(CAP_SYS_NICE)) {
 		error = -EPERM;
 		goto out;
 	}
-
+	if (niceval < task_nice(p) && !capable(CAP_SYS_NICE)) {
+		error = -EACCES;
+		goto out;
+	}
+	no_nice = security_task_setnice(p, niceval);
+	if (no_nice) {
+		error = no_nice;
+		goto out;
+	}
 	if (error == -ESRCH)
 		error = 0;
-	if (niceval < task_nice(p) && !capable(CAP_SYS_NICE))
-		error = -EACCES;
-	else
-		set_user_nice(p, niceval);
+	set_user_nice(p, niceval);
 out:
 	return error;
 }
@@ -944,6 +951,10 @@
 	}
 
 ok_pgid:
+	err = security_task_setpgid(p, pgid);
+	if (err)
+		goto out;
+
 	if (p->pgrp != pgid) {
 		detach_pid(p, PIDTYPE_PGID);
 		p->pgrp = pgid;

Re: [PATCH] LSM changes for 2.5.59

[Greg KH]

ChangeSet 1.983, 2003/02/05 14:32:08+11:00, sds@epoch.ncsc.mil

[PATCH] LSM: Add LSM sysctl hook to 2.5.59

This patch adds a LSM sysctl hook for controlling access to
sysctl variables to 2.5.59, split out from the lsm-2.5 BitKeeper tree.
SELinux uses this hook to control such accesses in accordance with the
security policy configuration.


diff -Nru a/include/linux/security.h b/include/linux/security.h
--- a/include/linux/security.h	Wed Feb  5 14:58:19 2003
+++ b/include/linux/security.h	Wed Feb  5 14:58:19 2003
@@ -767,6 +767,12 @@
  *	is NULL.
  *	@file contains the file structure for the accounting file (may be NULL).
  *	Return 0 if permission is granted.
+ * @sysctl:
+ *	Check permission before accessing the @table sysctl variable in the
+ *	manner specified by @op.
+ *	@table contains the ctl_table structure for the sysctl variable.
+ *	@op contains the operation (001 = search, 002 = write, 004 = read).
+ *	Return 0 if permission is granted.
  * @capable:
  *	Check whether the @tsk process has the @cap capability.
  *	@tsk contains the task_struct for the process.
@@ -798,6 +804,7 @@
 			    kernel_cap_t * inheritable,
 			    kernel_cap_t * permitted);
 	int (*acct) (struct file * file);
+	int (*sysctl) (ctl_table * table, int op);
 	int (*capable) (struct task_struct * tsk, int cap);
 	int (*quotactl) (int cmds, int type, int id, struct super_block * sb);
 	int (*quota_on) (struct file * f);
@@ -990,6 +997,11 @@
 	return security_ops->acct (file);
 }
 
+static inline int security_sysctl(ctl_table * table, int op)
+{
+	return security_ops->sysctl(table, op);
+}
+
 static inline int security_quotactl (int cmds, int type, int id,
 				     struct super_block *sb)
 {
@@ -1595,6 +1607,11 @@
 }
 
 static inline int security_acct (struct file *file)
+{
+	return 0;
+}
+
+static inline int security_sysctl(ctl_table * table, int op)
 {
 	return 0;
 }
diff -Nru a/kernel/sysctl.c b/kernel/sysctl.c
--- a/kernel/sysctl.c	Wed Feb  5 14:58:19 2003
+++ b/kernel/sysctl.c	Wed Feb  5 14:58:19 2003
@@ -33,6 +33,7 @@
 #include <linux/highuid.h>
 #include <linux/writeback.h>
 #include <linux/hugetlb.h>
+#include <linux/security.h>
 #include <asm/uaccess.h>
 
 #ifdef CONFIG_ROOT_NFS
@@ -432,6 +433,10 @@
 
 static inline int ctl_perm(ctl_table *table, int op)
 {
+	int error;
+	error = security_sysctl(table, op);
+	if (error)
+		return error;
 	return test_perm(table->mode, op);
 }
 
diff -Nru a/security/dummy.c b/security/dummy.c
--- a/security/dummy.c	Wed Feb  5 14:58:19 2003
+++ b/security/dummy.c	Wed Feb  5 14:58:19 2003
@@ -75,6 +75,11 @@
 	return -EPERM;
 }
 
+static int dummy_sysctl (ctl_table * table, int op)
+{
+	return 0;
+}
+
 static int dummy_quotactl (int cmds, int type, int id, struct super_block *sb)
 {
 	return 0;
@@ -634,6 +639,7 @@
 	set_to_dummy_if_null(ops, capable);
 	set_to_dummy_if_null(ops, quotactl);
 	set_to_dummy_if_null(ops, quota_on);
+	set_to_dummy_if_null(ops, sysctl);
 	set_to_dummy_if_null(ops, bprm_alloc_security);
 	set_to_dummy_if_null(ops, bprm_free_security);
 	set_to_dummy_if_null(ops, bprm_compute_creds);

Re: [PATCH] LSM changes for 2.5.59

[Greg KH]

ChangeSet 1.984, 2003/02/05 14:37:12+11:00, sds@epoch.ncsc.mil

[PATCH] LSM: Add LSM syslog hook to 2.5.59

This patch adds the LSM security_syslog hook for controlling the
syslog(2) interface relative to 2.5.59 plus the previously posted
security_sysctl patch.  In response to earlier comments by Christoph,
the existing capability check for syslog(2) is moved into the
capability security module hook function, and a corresponding dummy
security module hook function is defined that provides traditional
superuser behavior.  The LSM hook is placed in do_syslog rather than
sys_syslog so that it is called when either the system call interface
or the /proc/kmsg interface is used.  SELinux uses this hook to
control access to the kernel message ring and to the console log
level.


diff -Nru a/include/linux/security.h b/include/linux/security.h
--- a/include/linux/security.h	Wed Feb  5 14:58:15 2003
+++ b/include/linux/security.h	Wed Feb  5 14:58:15 2003
@@ -47,6 +47,7 @@
 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
 extern void cap_task_kmod_set_label (void);
 extern void cap_task_reparent_to_init (struct task_struct *p);
+extern int cap_syslog (int type);
 
 /*
  * Values used in the task_security_ops calls
@@ -778,6 +779,12 @@
  *	@tsk contains the task_struct for the process.
  *	@cap contains the capability <include/linux/capability.h>.
  *	Return 0 if the capability is granted for @tsk.
+ * @syslog:
+ *	Check permission before accessing the kernel message ring or changing
+ *	logging to the console.
+ *	See the syslog(2) manual page for an explanation of the @type values.  
+ *	@type contains the type of action.
+ *	Return 0 if permission is granted.
  *
  * @register_security:
  * 	allow module stacking.
@@ -808,6 +815,7 @@
 	int (*capable) (struct task_struct * tsk, int cap);
 	int (*quotactl) (int cmds, int type, int id, struct super_block * sb);
 	int (*quota_on) (struct file * f);
+	int (*syslog) (int type);
 
 	int (*bprm_alloc_security) (struct linux_binprm * bprm);
 	void (*bprm_free_security) (struct linux_binprm * bprm);
@@ -1013,6 +1021,11 @@
 	return security_ops->quota_on (file);
 }
 
+static inline int security_syslog(int type)
+{
+	return security_ops->syslog(type);
+}
+
 static inline int security_bprm_alloc (struct linux_binprm *bprm)
 {
 	return security_ops->bprm_alloc_security (bprm);
@@ -1625,6 +1638,11 @@
 static inline int security_quota_on (struct file * file)
 {
 	return 0;
+}
+
+static inline int security_syslog(int type)
+{
+	return cap_syslog(type);
 }
 
 static inline int security_bprm_alloc (struct linux_binprm *bprm)
diff -Nru a/kernel/printk.c b/kernel/printk.c
--- a/kernel/printk.c	Wed Feb  5 14:58:15 2003
+++ b/kernel/printk.c	Wed Feb  5 14:58:15 2003
@@ -28,6 +28,7 @@
 #include <linux/config.h>
 #include <linux/delay.h>
 #include <linux/smp.h>
+#include <linux/security.h>
 
 #include <asm/uaccess.h>
 
@@ -161,6 +162,10 @@
 	char c;
 	int error = 0;
 
+	error = security_syslog(type);
+	if (error)
+		return error;
+
 	switch (type) {
 	case 0:		/* Close log */
 		break;
@@ -273,8 +278,6 @@
 
 asmlinkage long sys_syslog(int type, char * buf, int len)
 {
-	if ((type != 3) && !capable(CAP_SYS_ADMIN))
-		return -EPERM;
 	return do_syslog(type, buf, len);
 }
 
diff -Nru a/security/capability.c b/security/capability.c
--- a/security/capability.c	Wed Feb  5 14:58:15 2003
+++ b/security/capability.c	Wed Feb  5 14:58:15 2003
@@ -262,6 +262,13 @@
 	return;
 }
 
+int cap_syslog (int type)
+{
+	if ((type != 3) && !capable(CAP_SYS_ADMIN))
+		return -EPERM;
+	return 0;
+}
+
 EXPORT_SYMBOL(cap_capable);
 EXPORT_SYMBOL(cap_ptrace);
 EXPORT_SYMBOL(cap_capget);
@@ -272,6 +279,7 @@
 EXPORT_SYMBOL(cap_task_post_setuid);
 EXPORT_SYMBOL(cap_task_kmod_set_label);
 EXPORT_SYMBOL(cap_task_reparent_to_init);
+EXPORT_SYMBOL(cap_syslog);
 
 #ifdef CONFIG_SECURITY
 
@@ -289,6 +297,8 @@
 	.task_post_setuid =		cap_task_post_setuid,
 	.task_kmod_set_label =		cap_task_kmod_set_label,
 	.task_reparent_to_init =	cap_task_reparent_to_init,
+
+	.syslog =                       cap_syslog,
 };
 
 #if defined(CONFIG_SECURITY_CAPABILITIES_MODULE)
diff -Nru a/security/dummy.c b/security/dummy.c
--- a/security/dummy.c	Wed Feb  5 14:58:15 2003
+++ b/security/dummy.c	Wed Feb  5 14:58:15 2003
@@ -90,6 +90,13 @@
 	return 0;
 }
 
+static int dummy_syslog (int type)
+{
+	if ((type != 3) && current->euid)
+		return -EPERM;
+	return 0;
+}
+
 static int dummy_bprm_alloc_security (struct linux_binprm *bprm)
 {
 	return 0;
@@ -640,6 +647,7 @@
 	set_to_dummy_if_null(ops, quotactl);
 	set_to_dummy_if_null(ops, quota_on);
 	set_to_dummy_if_null(ops, sysctl);
+	set_to_dummy_if_null(ops, syslog);
 	set_to_dummy_if_null(ops, bprm_alloc_security);
 	set_to_dummy_if_null(ops, bprm_free_security);
 	set_to_dummy_if_null(ops, bprm_compute_creds);

Re: [PATCH] LSM changes for 2.5.59

[Christoph Hellwig]

On Tue, Feb 04, 2003 at 08:16:11PM -0800, Greg KH wrote:
> diff -Nru a/fs/super.c b/fs/super.c
> --- a/fs/super.c	Wed Feb  5 14:58:37 2003
> +++ b/fs/super.c	Wed Feb  5 14:58:37 2003
> @@ -610,6 +610,7 @@
>  	struct file_system_type *type = get_fs_type(fstype);
>  	struct super_block *sb = ERR_PTR(-ENOMEM);
>  	struct vfsmount *mnt;
> +	int error;
>  
>  	if (!type)
>  		return ERR_PTR(-ENODEV);
> @@ -620,6 +621,13 @@
>  	sb = type->get_sb(type, flags, name, data);
>  	if (IS_ERR(sb))
>  		goto out_mnt;
> + 	error = security_sb_kern_mount(sb);
> + 	if (error) {
> + 		up_write(&sb->s_umount);
> + 		deactivate_super(sb);
> + 		sb = ERR_PTR(error);
> + 		goto out_mnt;
> + 	}

it would be nice if you could follow the syle in this function/file
and put the error handling code out of line.  This is a general
complaint, btw - the LSM hooks seldomly follow the style of the
code around :(

Re: [BK PATCH] LSM changes for 2.5.59

[Christoph Hellwig]

On Tue, Feb 04, 2003 at 08:15:38PM -0800, Greg KH wrote:
> Hi,
> 
> These changesets include some new LSM hooks, all of which have been sent
> to lkml with no dissenting comments.  Some of these hooks are the same
> ones I sent for 2.5.58, but were not picked up.  These include hooks for
> syslog and sysctl, restores some previously lost hooks, and reworked the
> hooks for the security structures for private files.

I still don't see the issue of each LSM module having to duplicate the list
of sysctls beeing addressed.  Coul you please work something out for that
before sending it for inclusion?