From: Samir Bellabes <sam@synack.fr>
To: linux-security-module@vger.kernel.org
Cc: Patrick McHardy <kaber@trash.net>, jamal <hadi@cyberus.ca>,
Evgeniy Polyakov <zbr@ioremap.net>,
Neil Horman <nhorman@tuxdriver.com>,
netdev@vger.kernel.org, netfilter-devel@vger.kernel.org,
Samir Bellabes <sam@synack.fr>
Subject: [RFC 2/9] Revert "lsm: Remove the socket_post_accept() hook"
Date: Sat, 2 Jan 2010 14:04:09 +0100 [thread overview]
Message-ID: <1262437456-24476-3-git-send-email-sam@synack.fr> (raw)
In-Reply-To: <1262437456-24476-1-git-send-email-sam@synack.fr>
This reverts commit 8651d5c0b1f874c5b8307ae2b858bc40f9f02482.
snet needs to reintroduce this hook, as it was designed to be: a hook for
updating security informations on objects.
Signed-off-by: Samir Bellabes <sam@synack.fr>
---
include/linux/security.h | 13 +++++++++++++
net/socket.c | 2 ++
security/capability.c | 5 +++++
security/security.c | 5 +++++
4 files changed, 25 insertions(+), 0 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 275dd04..c12a286 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -931,6 +931,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @sock contains the listening socket structure.
* @newsock contains the newly created server socket for connection.
* Return 0 if permission is granted.
+ * @socket_post_accept:
+ * This hook allows a security module to copy security
+ * information into the newly created socket's inode.
+ * @sock contains the listening socket structure.
+ * @newsock contains the newly created server socket for connection.
* @socket_sendmsg:
* Check permission before transmitting a message to another socket.
* @sock contains the socket structure.
@@ -1667,6 +1672,8 @@ struct security_operations {
struct sockaddr *address, int addrlen);
int (*socket_listen) (struct socket *sock, int backlog);
int (*socket_accept) (struct socket *sock, struct socket *newsock);
+ void (*socket_post_accept) (struct socket *sock,
+ struct socket *newsock);
int (*socket_sendmsg) (struct socket *sock,
struct msghdr *msg, int size);
int (*socket_recvmsg) (struct socket *sock,
@@ -2689,6 +2696,7 @@ int security_socket_bind(struct socket *sock, struct sockaddr *address, int addr
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
int security_socket_listen(struct socket *sock, int backlog);
int security_socket_accept(struct socket *sock, struct socket *newsock);
+void security_socket_post_accept(struct socket *sock, struct socket *newsock);
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
int size, int flags);
@@ -2771,6 +2779,11 @@ static inline int security_socket_accept(struct socket *sock,
return 0;
}
+static inline void security_socket_post_accept(struct socket *sock,
+ struct socket *newsock)
+{
+}
+
static inline int security_socket_sendmsg(struct socket *sock,
struct msghdr *msg, int size)
{
diff --git a/net/socket.c b/net/socket.c
index 8984973..fcd4f2b 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1557,6 +1557,8 @@ SYSCALL_DEFINE4(accept4, int, fd, struct sockaddr __user *, upeer_sockaddr,
fd_install(newfd, newfile);
err = newfd;
+ security_socket_post_accept(sock, newsock);
+
out_put:
fput_light(sock->file, fput_needed);
out:
diff --git a/security/capability.c b/security/capability.c
index a9810dc..61eae40 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -641,6 +641,10 @@ static int cap_socket_accept(struct socket *sock, struct socket *newsock)
return 0;
}
+static void cap_socket_post_accept(struct socket *sock, struct socket *newsock)
+{
+}
+
static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
return 0;
@@ -1081,6 +1085,7 @@ void security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, socket_connect);
set_to_cap_if_null(ops, socket_listen);
set_to_cap_if_null(ops, socket_accept);
+ set_to_cap_if_null(ops, socket_post_accept);
set_to_cap_if_null(ops, socket_sendmsg);
set_to_cap_if_null(ops, socket_recvmsg);
set_to_cap_if_null(ops, socket_getsockname);
diff --git a/security/security.c b/security/security.c
index 7457ed5..20ae0b8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1084,6 +1084,11 @@ int security_socket_accept(struct socket *sock, struct socket *newsock)
return security_ops->socket_accept(sock, newsock);
}
+void security_socket_post_accept(struct socket *sock, struct socket *newsock)
+{
+ security_ops->socket_post_accept(sock, newsock);
+}
+
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
return security_ops->socket_sendmsg(sock, msg, size);
--
1.6.3.3
next prev parent reply other threads:[~2010-01-02 13:04 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-01-02 13:04 [RFC 0/9] snet: Security for NETwork syscalls Samir Bellabes
2010-01-02 13:04 ` [RFC 1/9] lsm: add security_socket_closed() Samir Bellabes
2010-01-04 18:33 ` Serge E. Hallyn
2010-01-02 13:04 ` Samir Bellabes [this message]
2010-01-04 18:36 ` [RFC 2/9] Revert "lsm: Remove the socket_post_accept() hook" Serge E. Hallyn
2010-01-05 0:31 ` Tetsuo Handa
2010-01-05 0:38 ` Serge E. Hallyn
2010-01-02 13:04 ` [RFC 3/9] snet: introduce security/snet, Makefile and Kconfig changes Samir Bellabes
2010-01-04 18:39 ` Serge E. Hallyn
2010-01-06 6:04 ` Samir Bellabes
2010-01-02 13:04 ` [RFC 4/9] snet: introduce snet_core.c and snet.h Samir Bellabes
2010-01-04 14:43 ` Patrick McHardy
2010-01-06 18:23 ` Samir Bellabes
2010-01-06 19:46 ` Samir Bellabes
2010-01-06 19:58 ` Evgeniy Polyakov
2010-01-23 2:07 ` Samir Bellabes
2010-01-23 2:18 ` Evgeniy Polyakov
2010-01-07 14:34 ` Samir Bellabes
2010-01-07 14:53 ` Samir Bellabes
2010-01-07 14:58 ` Samir Bellabes
2010-01-08 4:32 ` Samir Bellabes
2010-01-04 18:42 ` Serge E. Hallyn
2010-01-06 6:12 ` Samir Bellabes
2010-01-02 13:04 ` [RFC 5/9] snet: introduce snet_event.c and snet_event.h Samir Bellabes
2010-01-02 20:09 ` Evgeniy Polyakov
2010-01-02 23:38 ` Samir Bellabes
2010-01-04 19:08 ` Serge E. Hallyn
2010-01-08 7:21 ` Samir Bellabes
2010-01-08 15:34 ` Serge E. Hallyn
2010-01-08 17:44 ` Samir Bellabes
2010-01-08 17:51 ` Samir Bellabes
2010-01-08 18:10 ` Serge E. Hallyn
2010-01-02 13:04 ` [RFC 6/9] snet: introduce snet_hooks.c and snet_hook.h Samir Bellabes
2010-01-02 20:13 ` Evgeniy Polyakov
2010-01-03 11:10 ` Samir Bellabes
2010-01-03 19:16 ` Stephen Hemminger
2010-01-03 22:26 ` Samir Bellabes
2010-01-02 13:04 ` [RFC 7/9] snet: introduce snet_netlink.c and snet_netlink.h Samir Bellabes
2010-01-04 15:08 ` Patrick McHardy
2010-01-13 4:19 ` Samir Bellabes
2010-01-13 4:28 ` Samir Bellabes
2010-01-13 5:36 ` Patrick McHardy
2010-01-13 4:36 ` Samir Bellabes
2010-01-13 4:41 ` Samir Bellabes
2010-01-13 6:03 ` Samir Bellabes
2010-01-13 6:20 ` Samir Bellabes
2010-01-15 7:02 ` Samir Bellabes
2010-01-15 9:15 ` Samir Bellabes
2010-01-16 1:59 ` Samir Bellabes
2010-01-17 5:42 ` Samir Bellabes
2010-01-23 19:33 ` Samir Bellabes
2010-01-02 13:04 ` [RFC 8/9] snet: introduce snet_verdict.c and snet_verdict.h Samir Bellabes
2010-01-02 13:04 ` [RFC 9/9] snet: introduce snet_utils.c and snet_utils.h Samir Bellabes
2010-01-03 16:57 ` [RFC 0/9] snet: Security for NETwork syscalls jamal
2010-01-05 7:26 ` Samir Bellabes
2010-01-05 8:20 ` Tetsuo Handa
2010-01-05 14:09 ` Serge E. Hallyn
2010-01-06 0:23 ` [PATCH] LSM: Update comment on security_sock_rcv_skb Tetsuo Handa
2010-01-06 3:27 ` Serge E. Hallyn
2010-01-10 21:53 ` James Morris
2010-01-10 16:20 ` [RFC 0/9] snet: Security for NETwork syscalls jamal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1262437456-24476-3-git-send-email-sam@synack.fr \
--to=sam@synack.fr \
--cc=hadi@cyberus.ca \
--cc=kaber@trash.net \
--cc=linux-security-module@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
--cc=zbr@ioremap.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).