linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* LSM hook addition?
@ 2005-01-24  5:58 John Richard Moser
  2005-01-24  6:28 ` Chris Wright
  2005-01-24  8:42 ` Valdis.Kletnieks
  0 siblings, 2 replies; 3+ messages in thread
From: John Richard Moser @ 2005-01-24  5:58 UTC (permalink / raw)
  To: linux-kernel

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Can someone point me to documentation or give me a small patch to add an
LSM hook to kernel 2.6.10 in fs/namei.c at line 1986:

        new_dentry = lookup_create(&nd, 0);
        error = PTR_ERR(new_dentry);
        if (!IS_ERR(new_dentry)) {
                error = security_inode_make_hardlink(old_nd); // ADD
                error = vfs_link(old_nd.dentry, nd.dentry->d_inode,
new_dentry);

I believe this would be sufficient to finish an LSM module to implement
linking restrictions from GrSecurity.  I did Symlinks in an LSM module,
but haven't tested it out; it's purely academic.  I guess adding an LSM
hook would be an interesting academic experience; I'd enjoy examining a
patch that adds this hook, and then trying to add another hook myself.

The hook here would be used (in my academic exploration) to prevent hard
links from being created to files you don't own, unless you're root.

- --
All content of all messages exchanged herein are left in the
Public Domain, unless otherwise explicitly stated.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFB9I5vhDd4aOud5P8RAmNNAJ44riGGJ6CP1sCC/CHfIJiD0u6augCeNFEI
PjjmHxipSD2wRyv4z+JElig=
=VDIo
-----END PGP SIGNATURE-----

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: LSM hook addition?
  2005-01-24  5:58 LSM hook addition? John Richard Moser
@ 2005-01-24  6:28 ` Chris Wright
  2005-01-24  8:42 ` Valdis.Kletnieks
  1 sibling, 0 replies; 3+ messages in thread
From: Chris Wright @ 2005-01-24  6:28 UTC (permalink / raw)
  To: John Richard Moser; +Cc: linux-kernel

* John Richard Moser (nigelenki@comcast.net) wrote:
> Can someone point me to documentation or give me a small patch to add an
> LSM hook to kernel 2.6.10 in fs/namei.c at line 1986:
> 
>         new_dentry = lookup_create(&nd, 0);
>         error = PTR_ERR(new_dentry);
>         if (!IS_ERR(new_dentry)) {
>                 error = security_inode_make_hardlink(old_nd); // ADD
>                 error = vfs_link(old_nd.dentry, nd.dentry->d_inode,
> new_dentry);

It's already there.  Look at the code in vfs_link.  The security_inode_link
hook is documented in include/linux/security.h.  And the restrictive policy
you're referring to is already codified in the owlsm module.  See the
do_owlsm_link() function here (code's a bit old, but basic idea is still
relevant):

http://lsm.bkbits.net:8080/lsm-2.6/anno/security/owlsm.h@1.9?nav=index.html|src/|src/security

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: LSM hook addition?
  2005-01-24  5:58 LSM hook addition? John Richard Moser
  2005-01-24  6:28 ` Chris Wright
@ 2005-01-24  8:42 ` Valdis.Kletnieks
  1 sibling, 0 replies; 3+ messages in thread
From: Valdis.Kletnieks @ 2005-01-24  8:42 UTC (permalink / raw)
  To: John Richard Moser; +Cc: linux-kernel

[-- Attachment #1: Type: text/plain, Size: 2000 bytes --]

On Mon, 24 Jan 2005 00:58:08 EST, John Richard Moser said:

> I believe this would be sufficient to finish an LSM module to implement
> linking restrictions from GrSecurity.  I did Symlinks in an LSM module,
> but haven't tested it out; it's purely academic. 
> The hook here would be used (in my academic exploration) to prevent hard
> links from being created to files you don't own, unless you're root.

You don't need a hook there to do that.  The inode_link hook should be sufficient,
using code something like this:

+int vtkit_link (struct dentry *old_entry, struct inode *dir, struct dentry *new_entry)
+{
+       struct inode *i_target = old_entry->d_inode;
+       struct inode *i_new = new_entry->d_inode;
+       int perm_check = 0;
+
+       /* We check as follows - if the target of the link isn't owned by us,
+        * and we're not a privileged user, then we complain if any of the
+        * following are true:
+        * 1) It's not a special file
+        * 2) the target is set-uid or set-gid
+        * 3) user doesn't have permission to the target
+        *
+        * Yes, a "current->uid" check is pig-headed and wrong in the context of a
+        * system that uses priv separation...
+        */
+       perm_check = generic_permission(i_target, MAY_READ | MAY_WRITE, NULL);
+       if (security_safe_hardlink && (current->fsuid != i_target->i_uid) &&
+               !capable(CAP_FOWNER) && current->uid &&
+               (!S_ISREG(i_target->i_mode) || (i_target->i_mode & S_ISUID) ||
+               ((i_target->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
+               perm_check)) {
+                       printk(KERN_NOTICE "vtkit - rejecting hard link (target UID %d) by PID %d (uid=%d, comm=%s)\n",
+                               i_target->i_uid, current->pid, current->uid, current->comm);
+                       return (perm_check ? perm_check:-EPERM);
+       }
+       return 0;
+}

If I'm missing something here, please let me know... ;)


[-- Attachment #2: Type: application/pgp-signature, Size: 226 bytes --]

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2005-01-24  8:42 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2005-01-24  5:58 LSM hook addition? John Richard Moser
2005-01-24  6:28 ` Chris Wright
2005-01-24  8:42 ` Valdis.Kletnieks

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).