From: "Serge E. Hallyn" <serue@us.ibm.com>
To: Michael Stone <michael@laptop.org>
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
linux-security-module@vger.kernel.org,
"Andi Kleen" <andi@firstfloor.org>, "David Lang" <david@lang.hm>,
"Oliver Hartkopp" <socketcan@hartkopp.net>,
"Alan Cox" <alan@lxorguk.ukuu.org.uk>,
"Herbert Xu" <herbert@gondor.apana.org.au>,
"Valdis Kletnieks" <Valdis.Kletnieks@vt.edu>,
"Bryan Donlan" <bdonlan@gmail.com>,
"Evgeniy Polyakov" <zbr@ioremap.net>,
"C. Scott Ananian" <cscott@cscott.net>,
"James Morris" <jmorris@namei.org>,
"Eric W. Biederman" <ebiederm@xmission.com>,
"Bernie Innocenti" <bernie@codewiz.org>,
"Mark Seaborn" <mrs@mythic-beasts.com>,
"Randy Dunlap" <randy.dunlap@oracle.com>,
"Américo Wang" <xiyou.wangcong@gmail.com>,
"Tetsuo Handa" <penguin-kernel@i-love.sakura.ne.jp>,
"Samir Bellabes" <sam@synack.fr>,
"Casey Schaufler" <casey@schaufler-ca.com>,
"Pavel Machek" <pavel@ucw.cz>
Subject: Re: [PATCH 2/3] Security: Implement disablenetwork semantics. (v4)
Date: Wed, 30 Dec 2009 12:50:53 -0600 [thread overview]
Message-ID: <20091230185053.GB18712@us.ibm.com> (raw)
In-Reply-To: <20091227010650.GA12190@heat>
Quoting Michael Stone (michael@laptop.org):
> Implement security_* hooks for socket_create, socket_bind, socket_connect,
> socket_sendmsg, and ptrace_access_check which return -EPERM when called from a
> process with networking restrictions. Exempt AF_UNIX sockets.
>
> Signed-off-by: Michael Stone <michael@laptop.org>
Acked-by: Serge Hallyn <serue@us.ibm.com>
> ---
> include/linux/disablenetwork.h | 22 +++++++++++
> security/Makefile | 1 +
> security/disablenetwork.c | 73 ++++++++++++++++++++++++++++++++++++++
> security/security.c | 76 +++++++++++++++++++++++++++++++++++++---
> 4 files changed, 167 insertions(+), 5 deletions(-)
> create mode 100644 include/linux/disablenetwork.h
> create mode 100644 security/disablenetwork.c
>
> diff --git a/include/linux/disablenetwork.h b/include/linux/disablenetwork.h
> new file mode 100644
> index 0000000..8a7bcc2
> --- /dev/null
> +++ b/include/linux/disablenetwork.h
> @@ -0,0 +1,22 @@
> +#ifndef __LINUX_DISABLENETWORK_H
> +#define __LINUX_DISABLENETWORK_H
> +
> +#ifdef CONFIG_SECURITY_DISABLENETWORK
> +
> +int disablenetwork_security_socket_create(int family, int type,
> + int protocol, int kern);
Bleh, I think disablenetwork_socket_create() is long enough :)
> +int disablenetwork_security_socket_bind(struct socket *sock,
> + struct sockaddr *address,
> + int addrlen);
> +int disablenetwork_security_socket_connect(struct socket *sock,
> + struct sockaddr *address,
> + int addrlen);
> +int disablenetwork_security_socket_sendmsg(struct socket *sock,
> + struct msghdr *msg,
> + int size);
> +int disablenetwork_security_ptrace_access_check(struct task_struct *child,
> + unsigned int mode);
> +
> +#endif /* CONFIG_SECURITY_DISABLENETWORK */
> +
> +#endif /* ! __LINUX_DISABLENETWORK_H */
> diff --git a/security/Makefile b/security/Makefile
> index da20a19..2f23b60 100644
> --- a/security/Makefile
> +++ b/security/Makefile
> @@ -20,6 +20,7 @@ obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
> obj-$(CONFIG_AUDIT) += lsm_audit.o
> obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
> obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
> +obj-$(CONFIG_SECURITY_DISABLENETWORK) += disablenetwork.o
>
> # Object integrity file lists
> subdir-$(CONFIG_IMA) += integrity/ima
> diff --git a/security/disablenetwork.c b/security/disablenetwork.c
> new file mode 100644
> index 0000000..f45ddfc
> --- /dev/null
> +++ b/security/disablenetwork.c
> @@ -0,0 +1,73 @@
> +/*
> + * disablenetwork security hooks.
> + *
> + * Copyright (C) 2008-2009 Michael Stone <michael@laptop.org>
> + *
> + * Implements the disablenetwork discretionary access control logic underlying
> + * the prctl(PRCTL_SET_NETWORK, PR_NETWORK_OFF) interface.
> + *
> + * See Documentation/disablenetwork.txt for more information.
> + *
> + * This program is free software; you can redistribute it and/or
> + * modify it under the terms of the GNU General Public License as
> + * published by the Free Software Foundation, version 2 of the
> + * License.
> + */
> +
> +#include <linux/errno.h>
> +#include <linux/sched.h>
> +#include <net/sock.h>
> +#include <linux/socket.h>
> +#include <linux/disablenetwork.h>
> +
> +static inline int maybe_allow(void)
> +{
> + if (current->network)
> + return -EPERM;
> + return 0;
> +}
> +
> +int disablenetwork_security_socket_create(int family, int type,
> + int protocol, int kern)
> +{
> + if (family == AF_UNIX)
> + return 0;
> + return maybe_allow();
> +}
> +
> +int disablenetwork_security_socket_bind(struct socket * sock,
> + struct sockaddr * address,
> + int addrlen)
> +{
> + if (address->sa_family == AF_UNIX)
> + return 0;
> + return maybe_allow();
> +}
> +
> +int disablenetwork_security_socket_connect(struct socket * sock,
> + struct sockaddr * address,
> + int addrlen)
> +{
> + if (address->sa_family == AF_UNIX)
> + return 0;
> + return maybe_allow();
> +}
> +
> +int disablenetwork_security_socket_sendmsg(struct socket * sock,
> + struct msghdr * msg, int size)
> +{
> + if (sock->sk->sk_family != PF_UNIX &&
> + current->network &&
> + (msg->msg_name != NULL || msg->msg_namelen != 0))
> + return -EPERM;
> + return 0;
> +}
> +
> +int disablenetwork_security_ptrace_access_check(struct task_struct *child,
> + unsigned int mode)
> +{
> + /* does current have networking restrictions not shared by child? */
> + if (current->network & ~child->network)
> + return -EPERM;
> + return 0;
> +}
> diff --git a/security/security.c b/security/security.c
> index 24e060b..40ac615 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -17,6 +17,7 @@
> #include <linux/kernel.h>
> #include <linux/security.h>
> #include <linux/ima.h>
> +#include <linux/disablenetwork.h>
>
> /* Boot-time LSM user choice */
> static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
> @@ -130,7 +131,20 @@ int register_security(struct security_operations *ops)
>
> int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
> {
> - return security_ops->ptrace_access_check(child, mode);
> + int ret = 0;
> +
> + ret = security_ops->ptrace_access_check(child, mode);
> + if (ret)
> + goto out;
> +
> +#ifdef CONFIG_SECURITY_DISABLENETWORK
> + ret = disablenetwork_security_ptrace_access_check(child, mode);
> + if (ret)
> + goto out;
> +#endif
> +
> +out:
> + return ret;
> }
>
> int security_ptrace_traceme(struct task_struct *parent)
> @@ -1054,7 +1068,20 @@ EXPORT_SYMBOL(security_unix_may_send);
>
> int security_socket_create(int family, int type, int protocol, int kern)
> {
> - return security_ops->socket_create(family, type, protocol, kern);
> + int ret = 0;
> +
> + ret = security_ops->socket_create(family, type, protocol, kern);
> + if (ret)
> + goto out;
> +
> +#ifdef CONFIG_SECURITY_DISABLENETWORK
> + ret = disablenetwork_security_socket_create(family, type, protocol, kern);
> + if (ret)
> + goto out;
> +#endif
> +
> +out:
> + return ret;
> }
>
> int security_socket_post_create(struct socket *sock, int family,
> @@ -1066,12 +1093,38 @@ int security_socket_post_create(struct socket *sock, int family,
>
> int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
> {
> - return security_ops->socket_bind(sock, address, addrlen);
> + int ret = 0;
> +
> + ret = security_ops->socket_bind(sock, address, addrlen);
> + if (ret)
> + goto out;
> +
> +#ifdef CONFIG_SECURITY_DISABLENETWORK
> + ret = disablenetwork_security_socket_bind(sock, address, addrlen);
> + if (ret)
> + goto out;
> +#endif
> +
> +out:
> + return ret;
> }
>
> int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
> {
> - return security_ops->socket_connect(sock, address, addrlen);
> + int ret = 0;
> +
> + ret = security_ops->socket_connect(sock, address, addrlen);
> + if (ret)
> + goto out;
> +
> +#ifdef CONFIG_SECURITY_DISABLENETWORK
> + ret = disablenetwork_security_socket_connect(sock, address, addrlen);
> + if (ret)
> + goto out;
> +#endif
> +
> +out:
> + return ret;
> }
>
> int security_socket_listen(struct socket *sock, int backlog)
> @@ -1086,7 +1139,20 @@ int security_socket_accept(struct socket *sock, struct socket *newsock)
>
> int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
> {
> - return security_ops->socket_sendmsg(sock, msg, size);
> + int ret = 0;
> +
> + ret = security_ops->socket_sendmsg(sock, msg, size);
> + if (ret)
> + goto out;
> +
> +#ifdef CONFIG_SECURITY_DISABLENETWORK
> + ret = disablenetwork_security_socket_sendmsg(sock, msg, size);
> + if (ret)
> + goto out;
> +#endif
> +
> +out:
> + return ret;
> }
>
> int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
> --
> 1.6.6.rc2
next prev parent reply other threads:[~2009-12-30 18:50 UTC|newest]
Thread overview: 157+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-12-27 1:04 RFC: disablenetwork facility. (v4) Michael Stone
2009-12-27 1:06 ` [PATCH 1/3] Security: Add disablenetwork interface. (v4) Michael Stone
2009-12-27 3:26 ` Serge E. Hallyn
2009-12-28 18:13 ` Serge E. Hallyn
2009-12-29 1:21 ` Michael Stone
2009-12-29 5:26 ` Serge E. Hallyn
2009-12-27 7:53 ` Pavel Machek
2009-12-29 1:25 ` Michael Stone
2009-12-30 10:09 ` Pavel Machek
2009-12-30 18:47 ` Serge E. Hallyn
2009-12-27 1:06 ` [PATCH 2/3] Security: Implement disablenetwork semantics. (v4) Michael Stone
2009-12-27 1:20 ` Tetsuo Handa
2009-12-30 18:50 ` Serge E. Hallyn [this message]
2010-01-01 14:31 ` Pavel Machek
2010-01-10 21:11 ` James Morris
2010-01-10 21:16 ` Pavel Machek
2010-01-10 21:44 ` James Morris
2010-01-10 21:54 ` Michael Stone
2010-01-10 21:58 ` Pavel Machek
2010-01-10 22:40 ` Michael Stone
2010-01-11 1:07 ` Tetsuo Handa
2010-01-11 1:45 ` Michael Stone
2010-01-11 17:49 ` Serge E. Hallyn
2010-01-12 6:10 ` Michael Stone
2010-01-12 15:52 ` Serge E. Hallyn
2010-01-14 9:23 ` Pavel Machek
2010-01-14 15:00 ` Serge E. Hallyn
2010-01-14 16:36 ` Michael Stone
2010-01-14 16:47 ` Serge E. Hallyn
[not found] ` <20100114171309.GA6372@heat>
2010-01-14 17:36 ` Serge E. Hallyn
2010-01-15 8:10 ` disablenetwork (v5) patches Michael Stone
2010-01-15 8:12 ` disablenetwork (v5): Remove a TOCTTOU race by passing flags by value Michael Stone
2010-01-15 8:12 ` disablenetwork (v5): Simplify the disablenetwork sendmsg hook Michael Stone
2010-01-15 8:13 ` disablenetwork (v5): Require CAP_SETPCAP to enable disablenetwork Michael Stone
2010-01-17 2:58 ` Andrew G. Morgan
[not found] ` <20100117044825.GA2712@heat>
2010-01-17 4:58 ` disablenetwork (v5): Require CAP_SETPCAP to enable Andrew G. Morgan
2010-01-18 19:30 ` Serge E. Hallyn
2010-01-15 8:13 ` disablenetwork (v5): Update documentation for PR_NETWORK_ENABLE_DN Michael Stone
2010-01-17 6:01 ` disablenetwork (v5) patches Kyle Moffett
[not found] ` <20100117180728.GA2848@heat>
2010-01-17 21:17 ` Kyle Moffett
2010-01-11 1:46 ` [PATCH 2/3] Security: Implement disablenetwork semantics. (v4) Casey Schaufler
2010-01-12 3:19 ` Valdis.Kletnieks
2010-01-12 4:01 ` Casey Schaufler
2010-01-11 12:01 ` Pavel Machek
2010-01-12 2:54 ` Valdis.Kletnieks
2010-01-12 7:59 ` Pavel Machek
2010-01-12 14:28 ` Valdis.Kletnieks
2010-01-14 9:22 ` Pavel Machek
2010-01-18 12:54 ` Valdis.Kletnieks
2010-01-18 15:56 ` Andrew G. Morgan
2010-01-10 22:18 ` Kyle Moffett
2010-01-10 23:08 ` Michael Stone
2010-01-10 23:41 ` Bryan Donlan
2010-01-11 1:50 ` Casey Schaufler
2010-01-11 2:15 ` Bryan Donlan
2010-01-11 11:53 ` Pavel Machek
2010-01-10 22:58 ` James Morris
2009-12-27 1:07 ` [PATCH 3/3] Security: Document disablenetwork. (v4) Michael Stone
2009-12-27 1:39 ` Tetsuo Handa
2009-12-27 16:25 ` Michael Stone
2009-12-27 8:36 ` RFC: disablenetwork facility. (v4) Tetsuo Handa
2009-12-27 8:38 ` Pavel Machek
2009-12-27 11:49 ` Tetsuo Handa
2009-12-27 12:18 ` Al Viro
2009-12-27 15:03 ` Serge E. Hallyn
2009-12-27 15:47 ` Michael Stone
2009-12-27 16:12 ` Serge E. Hallyn
2009-12-27 16:36 ` Michael Stone
2009-12-27 18:06 ` Pavel Machek
2009-12-27 19:08 ` Pavel Machek
2009-12-28 6:07 ` Michael Stone
2009-12-28 10:10 ` Pavel Machek
2009-12-28 14:37 ` Valdis.Kletnieks
2009-12-28 20:55 ` Pavel Machek
2009-12-28 21:28 ` Valdis.Kletnieks
2009-12-28 21:33 ` Bryan Donlan
2009-12-29 6:08 ` Serge E. Hallyn
2010-01-01 15:06 ` Pavel Machek
2009-12-28 16:31 ` Michael Stone
2009-12-28 21:08 ` Pavel Machek
2009-12-28 21:24 ` Valdis.Kletnieks
2009-12-28 18:13 ` Serge E. Hallyn
2009-12-29 5:01 ` Michael Stone
2009-12-29 5:56 ` Serge E. Hallyn
2009-12-29 16:31 ` Michael Stone
2009-12-29 11:06 ` Eric W. Biederman
2009-12-29 15:11 ` Serge E. Hallyn
2009-12-29 16:05 ` Bryan Donlan
2009-12-29 16:39 ` Serge E. Hallyn
2009-12-29 17:01 ` Bryan Donlan
2009-12-29 18:36 ` Eric W. Biederman
2009-12-29 19:08 ` Bryan Donlan
2009-12-29 20:56 ` Eric W. Biederman
2009-12-29 21:27 ` Serge E. Hallyn
2009-12-29 21:46 ` Valdis.Kletnieks
2009-12-29 22:16 ` Serge E. Hallyn
2009-12-29 20:10 ` Benny Amorsen
2009-12-29 20:40 ` Eric W. Biederman
2009-12-29 20:43 ` Bryan Donlan
2009-12-29 21:11 ` Alan Cox
2009-12-29 21:14 ` Bryan Donlan
2009-12-29 21:35 ` Alan Cox
2009-12-29 21:29 ` Eric W. Biederman
2009-12-29 22:36 ` Serge E. Hallyn
2009-12-30 3:26 ` Eric W. Biederman
2009-12-30 3:50 ` Serge E. Hallyn
2009-12-30 4:29 ` Eric W. Biederman
2009-12-30 18:00 ` Serge E. Hallyn
2009-12-30 21:12 ` Eric W. Biederman
2009-12-30 3:35 ` [RFC][PATCH] Unprivileged: Disable acquisition of privileges Eric W. Biederman
2009-12-30 3:54 ` Bryan Donlan
2009-12-30 4:33 ` Eric W. Biederman
2009-12-30 4:57 ` Bryan Donlan
2009-12-30 12:47 ` Eric W. Biederman
2009-12-30 12:49 ` [RFC][PATCH v2] Unprivileged: Disable raising " Eric W. Biederman
2009-12-30 14:52 ` Andrew G. Morgan
2009-12-30 18:35 ` Serge E. Hallyn
2009-12-30 20:07 ` Eric W. Biederman
2009-12-30 20:17 ` Serge E. Hallyn
2009-12-30 21:15 ` [RFC][PATCH v3] " Eric W. Biederman
2009-12-30 21:29 ` Alan Cox
2009-12-30 21:36 ` Eric W. Biederman
2009-12-30 23:00 ` Alan Cox
2009-12-31 2:44 ` Bryan Donlan
2009-12-31 17:33 ` Alan Cox
2009-12-31 17:52 ` Serge E. Hallyn
2009-12-31 18:20 ` Andrew G. Morgan
2009-12-31 18:32 ` Eric W. Biederman
2010-01-01 14:43 ` Alan Cox
2010-01-01 14:53 ` Pavel Machek
2010-01-01 16:26 ` Eric W. Biederman
2010-01-01 21:35 ` Casey Schaufler
2010-01-01 22:39 ` Alan Cox
2010-01-01 23:18 ` Casey Schaufler
2010-01-02 0:42 ` Peter Dolding
[not found] ` <4B3FB0FC.3030809@schaufler-ca.com>
2010-01-03 1:43 ` Peter Dolding
2009-12-31 18:41 ` Eric W. Biederman
2009-12-31 21:46 ` Serge E. Hallyn
2010-01-01 21:17 ` Andrew G. Morgan
2010-01-01 14:57 ` Alan Cox
2009-12-31 8:57 ` Eric W. Biederman
2009-12-31 13:00 ` Samir Bellabes
2009-12-31 14:08 ` Peter Dolding
2009-12-31 17:06 ` Alan Cox
2010-01-01 0:12 ` Peter Dolding
2010-01-01 10:28 ` Pavel Machek
2009-12-31 15:25 ` Serge E. Hallyn
2009-12-31 16:48 ` Eric W. Biederman
2009-12-30 18:29 ` [RFC][PATCH v2] " Serge E. Hallyn
2009-12-30 20:45 ` Eric W. Biederman
2009-12-29 18:03 ` RFC: disablenetwork facility. (v4) Eric W. Biederman
2009-12-29 16:06 ` Michael Stone
2010-01-01 15:11 ` Pavel Machek
2009-12-27 8:51 ` Al Viro
2009-12-27 11:23 ` Valdis.Kletnieks
2009-12-27 12:45 ` Andi Kleen
2009-12-27 15:55 ` Michael Stone
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091230185053.GB18712@us.ibm.com \
--to=serue@us.ibm.com \
--cc=Valdis.Kletnieks@vt.edu \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=andi@firstfloor.org \
--cc=bdonlan@gmail.com \
--cc=bernie@codewiz.org \
--cc=casey@schaufler-ca.com \
--cc=cscott@cscott.net \
--cc=david@lang.hm \
--cc=ebiederm@xmission.com \
--cc=herbert@gondor.apana.org.au \
--cc=jmorris@namei.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=michael@laptop.org \
--cc=mrs@mythic-beasts.com \
--cc=netdev@vger.kernel.org \
--cc=pavel@ucw.cz \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=randy.dunlap@oracle.com \
--cc=sam@synack.fr \
--cc=socketcan@hartkopp.net \
--cc=xiyou.wangcong@gmail.com \
--cc=zbr@ioremap.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).