lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Wed, 27 Apr 2011 14:34:14 +0200
From:	Roberto Sassu <roberto.sassu@...ito.it>
To:	linux-security-module@...r.kernel.org
Cc:	linux-fsdevel@...r.kernel.org, linux-kernel@...r.kernel.org,
	dhowells@...hat.com, jmorris@...ei.org, zohar@...ux.vnet.ibm.com,
	safford@...son.ibm.com, tyhicks@...ux.vnet.ibm.com,
	kirkland@...onical.com, ecryptfs-devel@...ts.launchpad.net,
	casey@...aufler-ca.com, eparis@...hat.com, sds@...ho.nsa.gov,
	selinux@...ho.nsa.gov, viro@...iv.linux.org.uk,
	Roberto Sassu <roberto.sassu@...ito.it>
Subject: [RFC][PATCH 6/7] security: new LSM hook security_file_getsecid()

The new LSM hook security_file_getsecid() and its implementation in the
capability module, SELinux and SMACK allows to obtain the security
identifier associated to a file descriptor.

Signed-off-by: Roberto Sassu <roberto.sassu@...ito.it>
---
 include/linux/security.h   |   12 ++++++++++++
 security/capability.c      |    6 ++++++
 security/security.c        |    6 ++++++
 security/selinux/hooks.c   |    7 +++++++
 security/smack/smack_lsm.c |   11 +++++++++++
 5 files changed, 42 insertions(+), 0 deletions(-)

diff --git a/include/linux/security.h b/include/linux/security.h
index ca02f17..6e73a1a 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -630,6 +630,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *	to receive an open file descriptor via socket IPC.
  *	@file contains the file structure being received.
  *	Return 0 if permission is granted.
+ * @file_getsecid:
+ *	Get the secid associated with the file descriptor.
+ *	@file contains a pointer to the file descriptor.
+ *	@secid contains a pointer to the location where result will be saved.
+ *	In case of failure, @secid will be set to zero.
  *
  * Security hook for dentry
  *
@@ -1492,6 +1497,7 @@ struct security_operations {
 	int (*file_send_sigiotask) (struct task_struct *tsk,
 				    struct fown_struct *fown, int sig);
 	int (*file_receive) (struct file *file);
+	void (*file_getsecid)(const struct file *file, u32 *secid);
 	int (*dentry_open) (struct file *file, const struct cred *cred);
 
 	int (*task_create) (unsigned long clone_flags);
@@ -1751,6 +1757,7 @@ int security_file_set_fowner(struct file *file);
 int security_file_send_sigiotask(struct task_struct *tsk,
 				 struct fown_struct *fown, int sig);
 int security_file_receive(struct file *file);
+void security_file_getsecid(const struct file *file, u32 *secid);
 int security_dentry_open(struct file *file, const struct cred *cred);
 int security_task_create(unsigned long clone_flags);
 int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
@@ -2251,6 +2258,11 @@ static inline int security_file_receive(struct file *file)
 	return 0;
 }
 
+static inline void security_file_getsecid(const struct file *file, u32 *secid)
+{
+	*secid = 0;
+}
+
 static inline int security_dentry_open(struct file *file,
 				       const struct cred *cred)
 {
diff --git a/security/capability.c b/security/capability.c
index 2984ea4..fcb569d 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -349,6 +349,11 @@ static int cap_file_receive(struct file *file)
 	return 0;
 }
 
+static void cap_file_getsecid(const struct file *file, u32 *secid)
+{
+	*secid = 0;
+}
+
 static int cap_dentry_open(struct file *file, const struct cred *cred)
 {
 	return 0;
@@ -953,6 +958,7 @@ void __init security_fixup_ops(struct security_operations *ops)
 	set_to_cap_if_null(ops, file_set_fowner);
 	set_to_cap_if_null(ops, file_send_sigiotask);
 	set_to_cap_if_null(ops, file_receive);
+	set_to_cap_if_null(ops, file_getsecid);
 	set_to_cap_if_null(ops, dentry_open);
 	set_to_cap_if_null(ops, task_create);
 	set_to_cap_if_null(ops, cred_alloc_blank);
diff --git a/security/security.c b/security/security.c
index 1011423..9973dab 100644
--- a/security/security.c
+++ b/security/security.c
@@ -688,6 +688,12 @@ int security_file_receive(struct file *file)
 	return security_ops->file_receive(file);
 }
 
+void security_file_getsecid(const struct file *file, u32 *secid)
+{
+	security_ops->file_getsecid(file, secid);
+}
+EXPORT_SYMBOL(security_file_getsecid);
+
 int security_dentry_open(struct file *file, const struct cred *cred)
 {
 	int ret;
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6772687..e1e787c 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3179,6 +3179,12 @@ static int selinux_file_receive(struct file *file)
 	return file_has_perm(cred, file, file_to_av(file));
 }
 
+static void selinux_file_getsecid(const struct file *file, u32 *secid)
+{
+	struct file_security_struct *fsec = file->f_security;
+	*secid = fsec->sid;
+}
+
 static int selinux_dentry_open(struct file *file, const struct cred *cred)
 {
 	struct file_security_struct *fsec;
@@ -5498,6 +5504,7 @@ static struct security_operations selinux_ops = {
 	.file_set_fowner =		selinux_file_set_fowner,
 	.file_send_sigiotask =		selinux_file_send_sigiotask,
 	.file_receive =			selinux_file_receive,
+	.file_getsecid =		selinux_file_getsecid,
 
 	.dentry_open =			selinux_dentry_open,
 
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 6612ba1..a583736 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1304,6 +1304,16 @@ static int smack_file_receive(struct file *file)
 	return smk_curacc(file->f_security, may, &ad);
 }
 
+/**
+ * smack_file_getsecid - Extract file descriptor's security id
+ * @file: file descriptor to extract the info from
+ * @secid: where result will be saved
+ */
+static void smack_file_getsecid(const struct file *file, u32 *secid)
+{
+	*secid = smack_to_secid(file->f_security);
+}
+
 /*
  * Task hooks
  */
@@ -3434,6 +3444,7 @@ struct security_operations smack_ops = {
 	.file_set_fowner = 		smack_file_set_fowner,
 	.file_send_sigiotask = 		smack_file_send_sigiotask,
 	.file_receive = 		smack_file_receive,
+	.file_getsecid =		smack_file_getsecid,
 
 	.cred_alloc_blank =		smack_cred_alloc_blank,
 	.cred_free =			smack_cred_free,
-- 
1.7.4.4


Download attachment "smime.p7s" of type "application/x-pkcs7-signature" (2061 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ