From: Michael Cassaniti <m.cassaniti@gmail.com>
To: Linux Security Module mailing list
<linux-security-module@vger.kernel.org>,
linux-kernel@vger.kernel.org
Subject: [PATCH 1/2] Security: hooks for seccomp as extended attribute
Date: Thu, 20 Dec 2012 08:30:20 +1100 [thread overview]
Message-ID: <50D231EC.2000804@gmail.com> (raw)
From Michael Cassaniti <m.cassaniti@gmail.com>
Superficial patch showing hooks for seccomp extended attribute filter code
Written against Linux 3.5
Signed-off-by: Michael Cassaniti <m.cassaniti@gmail.com>
---
diff -uprN -X linux-3.5-rp1/Documentation/dontdiff linux-3.5/fs/exec.c
linux-3.5-rp1/fs/exec.c
--- linux-3.5/fs/exec.c 2012-07-22 06:58:29.000000000 +1000
+++ linux-3.5-rp1/fs/exec.c 2012-09-13 12:27:14.966076904 +1000
@@ -1537,6 +1537,10 @@ static int do_execve_common(const char *
if (retval < 0)
goto out;
+ retval = security_seccomp_from_vfs(bprm);
+ if (retval < 0)
+ goto out;
+
retval = copy_strings_kernel(1, &bprm->filename, bprm);
if (retval < 0)
goto out;
diff -uprN -X linux-3.5-rp1/Documentation/dontdiff
linux-3.5/include/linux/seccomp.h linux-3.5-rp1/include/linux/seccomp.h
--- linux-3.5/include/linux/seccomp.h 2012-07-22 06:58:29.000000000
+1000
+++ linux-3.5-rp1/include/linux/seccomp.h 2012-09-21
12:43:28.215772113 +1000
@@ -119,6 +119,14 @@ static inline int seccomp_mode(struct se
extern void put_seccomp_filter(struct task_struct *tsk);
extern void get_seccomp_filter(struct task_struct *tsk);
extern u32 seccomp_bpf_load(int off);
+
+#define SECCOMP_XATTR_NAME "security.seccomp"
+#define SECCOMP_XATTR_LEN 128
+#define SECCOMP_XATTR_BIT_EN 0
+#define SECCOMP_XATTR_BIT_DEF_ACTION 1
+#define SECCOMP_XATTR_BIT_DEF_RETURN 2
+#define SECCOMP_XATTR_BITMAP_START 3
+
#else /* CONFIG_SECCOMP_FILTER */
static inline void put_seccomp_filter(struct task_struct *tsk)
{
diff -uprN -X linux-3.5-rp1/Documentation/dontdiff
linux-3.5/include/linux/security.h linux-3.5-rp1/include/linux/security.h
--- linux-3.5/include/linux/security.h 2012-07-22 06:58:29.000000000
+1000
+++ linux-3.5-rp1/include/linux/security.h 2012-09-21
12:00:24.026007169 +1000
@@ -3023,5 +3023,23 @@ static inline void free_secdata(void *se
{ }
#endif /* CONFIG_SECURITY */
+#ifdef CONFIG_SECCOMP_FILTER
+
+extern int append_seccomp_from_vfs(struct linux_binprm *bprm);
+
+static inline int security_seccomp_from_vfs(struct linux_binprm *bprm)
+{
+ return append_seccomp_from_vfs(bprm);
+}
+
+#else
+
+static inline int security_seccomp_from_vfs(struct linux_binprm *bprm)
+{
+ return 0;
+}
+
+#endif /* CONFIG_SECCOMP_FILTER */
+
#endif /* ! __LINUX_SECURITY_H */
diff -uprN -X linux-3.5-rp1/Documentation/dontdiff
linux-3.5/kernel/seccomp.c linux-3.5-rp1/kernel/seccomp.c
--- linux-3.5/kernel/seccomp.c 2012-07-22 06:58:29.000000000 +1000
+++ linux-3.5-rp1/kernel/seccomp.c 2012-09-21 13:23:52.254969072 +1000
@@ -502,3 +502,9 @@ long prctl_set_seccomp(unsigned long sec
out:
return ret;
}
+
+int append_seccomp_from_vfs(struct linux_binprm *bprm)
+{
+ pr_debug("Entered stub %s\n", __func__);
+ return 0;
+}
reply other threads:[~2012-12-19 21:30 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=50D231EC.2000804@gmail.com \
--to=m.cassaniti@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).