* [PATCH] automatic type transitions for pts in devfs
From: Debian User @ 2002-07-10 15:14 UTC
To: selinux
This patch only works properly with a devfsd-less system. Devfsd needs
to be patched for this to work on systems using it.
[-- Attachment #2: automatic_transition_in_devfs.diff --]
--- /root/tmp/lsm-2.4/security/selinux/hooks.c Wed Jul 10 01:11:11 2002
+++ security/selinux/hooks.c Wed Jul 10 03:45:14 2002
@@ -689,7 +689,7 @@
{
struct superblock_security_struct *sbsec = NULL;
struct inode_security_struct *isec = inode->i_security;
- security_id_t sid;
+ security_id_t sid, devfs_pts_sid;
char *buffer, *path;
struct dentry *dentry;
int rc;
@@ -779,10 +779,21 @@
path = avc_d_path(dentry, buffer,
PAGE_SIZE);
if (path) {
+
+ if ( (!memcmp(inode->i_sb->s_type->name, "devfs", 5)) && (!memcmp(path, "/pts/", 5)) ) {
+ security_genfs_sid("devfs", "/pts", SECCLASS_DIR, &devfs_pts_sid);
+ /* Try to obtain a transition SID. */
+ rc = security_transition_sid(isec->task_sid,
+ devfs_pts_sid,
+ isec->sclass,
+ &sid);
+
+ } else {
rc = security_genfs_sid(inode->i_sb->s_type->name,
path,
isec->sclass,
&sid);
+ }
if (!rc)
isec->sid = sid;
}
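Review bot: the return value of the security_genfs_sid("devfs", "/pts", ...) call in the new devfs branch is discarded, so if policy has no genfs_contexts entry for devfs /pts the lookup fails and devfs_pts_sid is passed to security_transition_sid() uninitialized; check it and let the error propagate, e.g. `rc = security_genfs_sid("devfs", "/pts", SECCLASS_DIR, &devfs_pts_sid); if (!rc) rc = security_transition_sid(...);`. Also, memcmp(inode->i_sb->s_type->name, "devfs", 5) matches any filesystem whose name begins with "devfs" and compares past the terminator of a shorter name; strcmp() against "devfs" is the intended test, and strncmp(path, "/pts/", 5) would likewise stop at the NUL for a path shorter than five bytes. Minor: the empty `+` line at the top of the branch adds trailing whitespace.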
* Re: [PATCH] automatic type transitions for pts in devfs
From: Stephen Smalley @ 2002-07-10 16:38 UTC
To: Debian User; +Cc: selinux
On Wed, 10 Jul 2002, Debian User wrote:
> This patch only works properly with a devfsd-less system. Devfsd needs
> to be patched for this to work on systems using it.
Just to further clarify, when devfsd is used, the allocating task SID is
the SID of devfsd rather than the SID of the requesting process, so the
kernel cannot automatically determine an appropriate type transition
for the requesting process. To support such functionality while using
devfsd, you would need to patch devfsd to permit passing the SID of the
requesting process to an action (much like the current support for passing
the uid). A devfsd module for nodes within pts could then call
security_transition_sid based on the requesting process SID and the base
devpts SID to obtain a transition SID for the pty.
As a separate issue (previously mentioned on the list), fully supporting
labeling by devfsd would also require patches to the kernel devfs code to
preserve and restore SIDs on devfs entries labeled by devfsd, as the
entries may be evicted from the dcache.
Hence, at present, devfs labeling support is only reliable without devfsd
through the use of genfs_contexts and this patch.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
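The decision the patched inode hook makes, and the reason the task SID matters when devfsd is absent, can be followed in a user-space model. The following is an added example written for this page, not code from the thread or from the SELinux tree: the `model_genfs_sid()` and `model_transition_sid()` functions, the class numbers, the SID values and the two policy tables are constructed stand-ins for the kernel's genfs_contexts lookup and type_transition rules (with the kernel's default of inheriting the parent's label when no rule applies), and `label_devfs_inode()` mirrors the control flow of the patch including the return-value check that the revised version adds.

```c
/* Constructed user-space model of the devfs pts labelling decision; not the
 * kernel code. SIDs, class numbers and tables are made-up policy stand-ins. */
#include <errno.h>
#include <stdio.h>
#include <string.h>

typedef unsigned int security_id_t;          /* stand-in for the kernel type */
#define SECCLASS_DIR      1                  /* constructed class numbers   */
#define SECCLASS_CHR_FILE 2

/* Constructed genfs_contexts: longest matching path prefix wins; an entry
 * with sclass 0 applies to every class. */
struct genfs_entry { const char *fs, *path; int sclass; security_id_t sid; };
static const struct genfs_entry genfs_table[] = {
    { "devfs", "/pts", SECCLASS_DIR, 100 },  /* base label of the pts dir   */
    { "devfs", "/",    0,            101 },  /* catch-all for other nodes   */
};

/* Constructed type_transition rules: (creating task, parent, class) -> SID. */
struct trans_entry { security_id_t task, parent; int sclass; security_id_t sid; };
static const struct trans_entry trans_table[] = {
    { 200, 100, SECCLASS_CHR_FILE, 300 },    /* task 200's ptys get SID 300 */
};

/* Model of security_genfs_sid(): 0 on success, -ENOENT if nothing matches. */
int model_genfs_sid(const char *fs, const char *path, int sclass,
                    security_id_t *out)
{
    const struct genfs_entry *best = NULL;
    size_t best_len = 0, i;

    for (i = 0; i < sizeof genfs_table / sizeof genfs_table[0]; i++) {
        const struct genfs_entry *e = &genfs_table[i];
        size_t len = strlen(e->path);

        if (strcmp(e->fs, fs) != 0 || strncmp(e->path, path, len) != 0)
            continue;
        if (e->sclass != 0 && e->sclass != sclass)
            continue;
        if (best == NULL || len > best_len) {
            best = e;
            best_len = len;
        }
    }
    if (best == NULL)
        return -ENOENT;
    *out = best->sid;
    return 0;
}

/* Model of security_transition_sid(): apply a matching rule, otherwise the
 * new object takes the parent's SID. */
int model_transition_sid(security_id_t task, security_id_t parent, int sclass,
                         security_id_t *out)
{
    size_t i;

    for (i = 0; i < sizeof trans_table / sizeof trans_table[0]; i++) {
        const struct trans_entry *t = &trans_table[i];
        if (t->task == task && t->parent == parent && t->sclass == sclass) {
            *out = t->sid;
            return 0;
        }
    }
    *out = parent;
    return 0;
}

/* The patched hook's decision, with the check the revised patch adds: a
 * failed /pts lookup is returned, never used as a base SID. */
int label_devfs_inode(const char *fs, const char *path, security_id_t task_sid,
                      int sclass, security_id_t *out)
{
    security_id_t pts_sid;
    int rc;

    /* strncmp stops at the terminator, so a short path is safe to test. */
    if (strcmp(fs, "devfs") == 0 && strncmp(path, "/pts/", 5) == 0) {
        rc = model_genfs_sid("devfs", "/pts", SECCLASS_DIR, &pts_sid);
        if (rc)
            return rc;
        return model_transition_sid(task_sid, pts_sid, sclass, out);
    }
    return model_genfs_sid(fs, path, sclass, out);
}

/* Convenience wrapper: the chosen SID, or a negative errno on failure. */
long label_result(const char *fs, const char *path, security_id_t task_sid,
                  int sclass)
{
    security_id_t sid = 0;
    int rc = label_devfs_inode(fs, path, task_sid, sclass, &sid);
    return rc ? (long)rc : (long)sid;
}

int main(void)
{
    printf("task 200 opens /pts/0 -> %ld\n", label_result("devfs", "/pts/0", 200, SECCLASS_CHR_FILE));
    printf("task 999 opens /pts/0 -> %ld\n", label_result("devfs", "/pts/0", 999, SECCLASS_CHR_FILE));
    printf("/null under devfs     -> %ld\n", label_result("devfs", "/null", 200, SECCLASS_CHR_FILE));
    printf("/pts/0 on another fs  -> %ld\n", label_result("proc", "/pts/0", 200, SECCLASS_CHR_FILE));
    return 0;
}
```

The first two calls show why the allocating task's SID has to be the requesting process rather than devfsd: only task 200 has a transition rule, so a pty created on its behalf by a different task would simply inherit the base /pts label.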
* Re: [PATCH] automatic type transitions for pts in devfs
From: Stephen Smalley @ 2002-07-12 16:24 UTC
To: Debian User; +Cc: selinux
The attached patch is a slightly revised version of your patch that has
been merged into our tree for future releases. It has also been committed
to the sourceforge CVS tree. Thanks for contributing.
--
Stephen D. Smalley, NAI Labs
ssmalley@nai.com
Index: security/selinux/hooks.c
===================================================================
RCS file: /cvsroot/selinux/nsa/lsm-2.4/security/selinux/hooks.c,v
retrieving revision 1.13
diff -u -r1.13 hooks.c
--- security/selinux/hooks.c 5 Jul 2002 11:06:37 -0000 1.13
+++ security/selinux/hooks.c 12 Jul 2002 15:13:15 -0000
@@ -13,6 +13,8 @@
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
+ *
+ * [Jul 2002, Rogelio M. Serrano Jr.] Added type transitions for pts in devfs.
*/
#include <linux/config.h>
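Review bot: the dated "[Jul 2002, ...] Added type transitions for pts in devfs." line is placed inside the GPL notice comment; the attribution is welcome, but a changelog entry within the license block is unusual for this file, so consider a separate comment below the license text or leaving the history to the CVS log.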
@@ -689,7 +691,7 @@
{
struct superblock_security_struct *sbsec = NULL;
struct inode_security_struct *isec = inode->i_security;
- security_id_t sid;
+ security_id_t sid, devfs_pts_sid;
char *buffer, *path;
struct dentry *dentry;
int rc;
@@ -779,10 +781,22 @@
path = avc_d_path(dentry, buffer,
PAGE_SIZE);
if (path) {
- rc = security_genfs_sid(inode->i_sb->s_type->name,
- path,
- isec->sclass,
- &sid);
+ if (!strcmp(inode->i_sb->s_type->name,
+ "devfs") &&
+ !memcmp(path, "/pts/", 5)) {
+ rc = security_genfs_sid("devfs", "/pts", SECCLASS_DIR, &devfs_pts_sid);
+ if (!rc)
+ rc = security_transition_sid(
+ isec->task_sid,
+ devfs_pts_sid,
+ isec->sclass,
+ &sid);
+ } else {
+ rc = security_genfs_sid(inode->i_sb->s_type->name,
+ path,
+ isec->sclass,
+ &sid);
+ }
if (!rc)
isec->sid = sid;
}
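Review bot: memcmp(path, "/pts/", 5) compares five bytes regardless of the path length, so for a devfs path shorter than that it may read beyond the terminator written by avc_d_path(); strncmp(path, "/pts/", 5) gives the same match and stops at the NUL. Separately, with this hunk a missing genfs_contexts entry for devfs /pts (class dir) now makes the node fail with the lookup error instead of falling through to the generic security_genfs_sid() path; if that is the intended behaviour, a one-line comment saying so would save the next reader a trip through the policy.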