From: Samir Bellabes <sam@synack.fr>
To: linux-security-module@vger.kernel.org
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
netfilter-devel@vger.kernel.org, jamal <hadi@cyberus.ca>,
Patrick McHardy <kaber@trash.net>,
Evgeniy Polyakov <zbr@ioremap.net>,
Neil Horman <nhorman@tuxdriver.com>,
Grzegorz Nosek <root@localdomain.pl>,
Samir Bellabes <sam@synack.fr>
Subject: [RFC v2 01/10] lsm: add security_socket_closed()
Date: Tue, 2 Mar 2010 21:23:05 +0100 [thread overview]
Message-ID: <1267561394-13626-2-git-send-email-sam@synack.fr> (raw)
In-Reply-To: <1267561394-13626-1-git-send-email-sam@synack.fr>
Allow a security module to update its security information when a socket is closed.
Signed-off-by: Samir Bellabes <sam@synack.fr>
---
include/linux/security.h | 10 ++++++++++
net/socket.c | 1 +
security/capability.c | 5 +++++
security/security.c | 5 +++++
4 files changed, 21 insertions(+), 0 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 2c627d3..74e564b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -981,6 +981,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @sock contains the socket structure.
* @how contains the flag indicating how future sends and receives are handled.
* Return 0 if permission is granted.
+ * @socket_close:
+ * Allow a module to update security informations when a socket is closed
+ * @sock is closed.
* @socket_sock_rcv_skb:
* Check permissions on incoming network packets. This hook is distinct
* from Netfilter's IP input hooks since it is the first time that the
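Review bot: The new `@socket_close` entry describes @sock as "is closed" rather than documenting the parameter, and it does not say what distinguishes this hook from its neighbours, namely that it is a void notification that cannot veto anything. I would follow the format of the surrounding entries: `* @socket_close:` / `* Notify a module that a socket is being closed; the hook returns nothing` / `* and cannot deny the operation.` / `* @sock contains the socket structure being closed.` The "security informations" wording in the hook text should also become "security information", matching the rest of this comment block.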
@@ -1680,6 +1683,7 @@ struct security_operations {
int (*socket_getsockopt) (struct socket *sock, int level, int optname);
int (*socket_setsockopt) (struct socket *sock, int level, int optname);
int (*socket_shutdown) (struct socket *sock, int how);
+ void (*socket_close) (struct socket *sock);
int (*socket_sock_rcv_skb) (struct sock *sk, struct sk_buff *skb);
int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid);
@@ -2700,6 +2704,7 @@ int security_socket_getpeername(struct socket *sock);
int security_socket_getsockopt(struct socket *sock, int level, int optname);
int security_socket_setsockopt(struct socket *sock, int level, int optname);
int security_socket_shutdown(struct socket *sock, int how);
+void security_socket_close(struct socket *sock);
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
int __user *optlen, unsigned len);
@@ -2812,6 +2817,11 @@ static inline int security_socket_shutdown(struct socket *sock, int how)
{
return 0;
}
+
+static inline void security_socket_close(struct socket *sock)
+{
+}
+
static inline int security_sock_rcv_skb(struct sock *sk,
struct sk_buff *skb)
{
diff --git a/net/socket.c b/net/socket.c
index 769c386..b4eb361 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -1055,6 +1055,7 @@ static int sock_close(struct inode *inode, struct file *filp)
printk(KERN_DEBUG "sock_close: NULL inode\n");
return 0;
}
+ security_socket_close(SOCKET_I(inode));
sock_release(SOCKET_I(inode));
return 0;
}
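Review bot: The hook is invoked only from sock_close(), i.e. on the final fput() of the socket's file, so a module that pairs it with per-socket state created in an earlier hook will not see a close for sockets that go through sock_release() without ever reaching sock_close() — kernel-internal sockets and the error paths that release a freshly created socket before it is mapped to a file descriptor are the cases I would expect, though which ones matter depends on what the consuming module tracks. Placing the call at the start of sock_release() instead would cover every release path with the same single line. Either way, the placement before sock_release() is what guarantees that sock->sk is still valid when the hook runs, and that ordering is worth a one-line comment: `/* LSM hook must run before sock_release() tears down sock->sk */`. sock_close()'s body begins outside this hunk.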
diff --git a/security/capability.c b/security/capability.c
index 5c700e1..a9810dc 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -677,6 +677,10 @@ static int cap_socket_shutdown(struct socket *sock, int how)
return 0;
}
+static void cap_socket_close(struct socket *sock)
+{
+}
+
static int cap_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
return 0;
@@ -1084,6 +1088,7 @@ void security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, socket_setsockopt);
set_to_cap_if_null(ops, socket_getsockopt);
set_to_cap_if_null(ops, socket_shutdown);
+ set_to_cap_if_null(ops, socket_close);
set_to_cap_if_null(ops, socket_sock_rcv_skb);
set_to_cap_if_null(ops, socket_getpeersec_stream);
set_to_cap_if_null(ops, socket_getpeersec_dgram);
diff --git a/security/security.c b/security/security.c
index 122b748..288c3a8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1118,6 +1118,11 @@ int security_socket_shutdown(struct socket *sock, int how)
return security_ops->socket_shutdown(sock, how);
}
+void security_socket_close(struct socket *sock)
+{
+ return security_ops->socket_close(sock);
+}
+
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
return security_ops->socket_sock_rcv_skb(sk, skb);
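Review bot: `return security_ops->socket_close(sock);` returns an expression from a function declared void; ISO C forbids a return statement with an expression in a void function, and gcc diagnoses it under -pedantic even though it compiles by default. The line should be `security_ops->socket_close(sock);` with no return, matching the inline stub added to security.h for the !CONFIG_SECURITY build. The trailing `return security_ops->socket_sock_rcv_skb(sk, skb);` context line is fine, as that function returns int.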
--
1.6.3.3