Re: [PATCH 11/12] AppArmor hooks to interface with the LSM, module parameters and initialization.

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Serge E. Hallyn" <serue@us.ibm.com>
To: john.johansen@canonical.com
Cc: linux-kernel@vger.kernel.org, linux-security-module@vger.kernel.org
Subject: Re: [PATCH 11/12] AppArmor hooks to interface with the LSM, module parameters and initialization.
Date: Mon, 22 Feb 2010 16:14:12 -0600	[thread overview]
Message-ID: <20100222221412.GA22194@us.ibm.com> (raw)
In-Reply-To: <1266572188-26529-12-git-send-email-john.johansen@canonical.com>

Quoting john.johansen@canonical.com (john.johansen@canonical.com):
> From: John Johansen <john.johansen@canonical.com>
> 
> Signed-off-by: John Johansen <john.johansen@canonical.com>
> ---
>  security/apparmor/lsm.c | 1091 +++++++++++++++++++++++++++++++++++++++++++++++
>  1 files changed, 1091 insertions(+), 0 deletions(-)
>  create mode 100644 security/apparmor/lsm.c
> 
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> new file mode 100644
> index 0000000..8d58905
> --- /dev/null
> +++ b/security/apparmor/lsm.c
> @@ -0,0 +1,1091 @@
> +/*
> + * AppArmor security module
> + *
> + * This file contains AppArmor LSM hooks.
> + *
> + * Copyright (C) 1998-2008 Novell/SUSE
> + * Copyright 2009-2010 Canonical Ltd.
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License as
> + * published by the Free Software Foundation, version 2 of the
> + * License.
> + */
> +
> +#include <linux/security.h>
> +#include <linux/moduleparam.h>
> +#include <linux/mm.h>
> +#include <linux/mman.h>
> +#include <linux/mount.h>
> +#include <linux/namei.h>
> +#include <linux/ptrace.h>
> +#include <linux/ctype.h>
> +#include <linux/sysctl.h>
> +#include <linux/audit.h>
> +#include <net/sock.h>
> +
> +#include "include/apparmor.h"
> +#include "include/apparmorfs.h"
> +#include "include/audit.h"
> +#include "include/capability.h"
> +#include "include/context.h"
> +#include "include/file.h"
> +#include "include/ipc.h"
> +#include "include/net.h"
> +#include "include/path.h"
> +#include "include/policy.h"
> +#include "include/procattr.h"
> +
> +/* Flag indicating whether initialization completed */
> +int apparmor_initialized;
> +
> +/*
> + * LSM hook functions
> + */
> +
> +/*
> + * free the associated aa_task_cxt and put its profiles
> + */
> +static void apparmor_cred_free(struct cred *cred)
> +{
> +	aa_free_task_context(cred->security);
> +	cred->security = NULL;
> +}
> +
> +/*
> + * allocate the apparmor part of blank credentials
> + */
> +static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
> +{
> +	/* freed by apparmor_cred_free */
> +	struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
> +	if (cxt)
> +		return -ENOMEM;

if (!cxt)?  :)

> +
> +	cred->security = cxt;
> +	return 0;
> +}
> +
> +/*
> + * prepare new aa_task_cxt for modification by prepare_cred block
> + */
> +static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
> +				 gfp_t gfp)
> +{
> +	/* freed by apparmor_cred_free */
> +	struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
> +	if (!cxt)
> +		return -ENOMEM;
> +
> +	aa_dup_task_context(cxt, old->security);
> +	new->security = cxt;
> +	return 0;
> +}

Don't see any other problems on my first readthrough of this one, but
I'm trying walking backward through the set so will likely have to
come back to it...

thanks,
-serge

next prev parent reply	other threads:[~2010-02-22 22:14 UTC|newest]

Thread overview: 29+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2010-02-19  9:36 [AppArmor #4 0/12] AppArmor security module john.johansen
2010-02-19  9:36 ` [PATCH 01/12] Miscellaneous functions and defines needed by AppArmor, including the base path resolution routines john.johansen
2010-02-19 11:03   ` Al Viro
2010-02-20 12:17     ` John Johansen
2010-02-20 17:25       ` John Johansen
2010-02-20 19:10         ` John Johansen
2010-02-20 12:24     ` John Johansen
2010-02-19  9:36 ` [PATCH 02/12] Update kenel audit range comments to show AppArmor's registered range of 1500-1599. This range used to be reserved for LSPP but LSPP uses the SELinux range and the range was given to AppArmor. Patch is not in mainline -- pending AppArmor code submission to lkml john.johansen
2010-02-19  9:36 ` [PATCH 03/12] AppArmor contexts attach profiles and state to tasks, files, etc. when a direct profile reference is not sufficient john.johansen
2010-02-19  9:36 ` [PATCH 04/12] The basic routines and defines for AppArmor policy. AppArmor policy is defined by a few basic components. profiles - the basic unit of confinement contain all the information to enforce policy on a task john.johansen
2010-02-19  9:36 ` [PATCH 05/12] A basic dfa matching engine based off the dfa engine in the Dragon Book. It uses simple row comb compression with a check field john.johansen
2010-02-19  9:36 ` [PATCH 06/12] AppArmor policy is loaded in a platform independent flattened binary stream. Verify and unpack the data converting it to the internal format needed for enforcement john.johansen
2010-02-19  9:36 ` [PATCH 07/12] AppArmor /proc/<pid>/attr/* and apparmorfs interfaces to userspace john.johansen
2010-02-19  9:36 ` [PATCH 08/12] AppArmor: file enforcement routines john.johansen
2010-02-19  9:36 ` [PATCH 09/12] AppArmor ipc, rlimit, network and capability routines john.johansen
2010-02-19  9:36 ` [PATCH 10/12] AppArmor routines for controlling domain transitions john.johansen
2010-02-19  9:36 ` [PATCH 11/12] AppArmor hooks to interface with the LSM, module parameters and initialization john.johansen
2010-02-22 22:14   ` Serge E. Hallyn [this message]
2010-02-23  7:58     ` John Johansen
2010-02-19  9:36 ` [PATCH 12/12] Kconfig and Makefiles to enable configuration and building of AppArmor john.johansen
2010-02-22 22:16   ` Serge E. Hallyn
2010-02-23  7:45     ` John Johansen
2010-03-03  7:50       ` Kees Cook
2010-02-23  1:59 ` [AppArmor #4 0/12] AppArmor security module Tetsuo Handa
2010-02-23  8:38   ` John Johansen
2010-02-23  8:31 ` Tetsuo Handa
2010-02-23  9:17   ` John Johansen
2010-02-26  3:22 ` Tetsuo Handa
2010-02-26  6:31 ` Tetsuo Handa

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20100222221412.GA22194@us.ibm.com \
    --to=serue@us.ibm.com \
    --cc=john.johansen@canonical.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-security-module@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox