From: serue@us.ibm.com
To: lkml <linux-kernel@vger.kernel.org>
Cc: Chris Wright <chrisw@osdl.org>,
Stephen Smalley <sds@epoch.ncsc.mil>,
James Morris <jmorris@redhat.com>, Andrew Morton <akpm@osdl.org>,
Michael Halcrow <mhalcrow@us.ibm.com>,
David Safford <safford@watson.ibm.com>,
Reiner Sailer <sailer@us.ibm.com>,
Gerrit Huizenga <gerrit@us.ibm.com>
Subject: [patch 10/12] lsm stacking v0.2: hook completeness verification
Date: Thu, 30 Jun 2005 14:54:28 -0500 [thread overview]
Message-ID: <20050630195428.GJ23538@serge.austin.ibm.com> (raw)
In-Reply-To: <20050630194458.GA23439@serge.austin.ibm.com>
Add a script to check whether all security_operations hooks are defined
in both dummy_security_ops (through security_fixup_ops) and in stacker_ops.
Also adds a note in security.h to remind developers that all hooks must
be defined in these two modules, and to verify this using the
lsm_verify_hooks.sh script.
Signed-off-by: Serge Hallyn <serue@us.ibm.com>
---
include/linux/security.h | 4 ++++
scripts/lsm_verify_hooks.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
Index: linux-2.6.13-rc1/include/linux/security.h
===================================================================
--- linux-2.6.13-rc1.orig/include/linux/security.h 2005-06-30 14:15:01.000000000 -0500
+++ linux-2.6.13-rc1/include/linux/security.h 2005-06-30 15:40:16.000000000 -0500
@@ -121,6 +121,10 @@ struct swap_info_struct;
/**
* struct security_operations - main security structure
*
+ * When adding functions to this structure, please add them to
+ * dummy.c and stacker.c, and run linux/scripts/lsm_verify_hooks.sh
+ * to verify their inclusion in these modules.
+ *
* Security hooks for program execution operations.
*
* @bprm_alloc_security:
Index: linux-2.6.13-rc1/scripts/lsm_verify_hooks.sh
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.13-rc1/scripts/lsm_verify_hooks.sh 2005-06-30 15:40:16.000000000 -0500
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Author: Serge E. Hallyn <serue@us.ibm.com>
+
+# Checks that both the dummy and stacker modules define all the
+# security hooks.
+
+# This probably should be done in perl
+
+# Copyright (C) 2002,2003,2004,2005 Serge E. Hallyn <serue@us.ibm.com>
+# Copyright (C) 2002 David A. Wheeler <dwheeler@dwheeler.com>.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# Grab the relevant pieces of text
+sed -n '/^void security_fixup_ops /,/}/p' dummy.c > dummy.out
+sed -n '/^static struct security_operations/,/}/p' stacker.c > stack.out
+../scripts/Lindent -o tmpsec.h ../include/linux/security.h
+sed -n '/^struct security_operations {/,/}/p' tmpsec.h > sech.out
+rm tmpsec.h
+
+# Get a list of functions in security.h
+cat sech.out | sed -n '/\t[a-z]/p' | sed -e 's/^\t[a-z]* (\*\([^)]*\).*$/\1/' > sech.out
+
+# check dummy.c
+for line in `cat sech.out`; do
+ grep $line dummy.out > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ echo "WARNING: $line missing from dummy module!"
+ fi
+done
+
+# check stacker.c
+for line in `cat sech.out`; do
+ grep $line stack.out > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ echo "WARNING: $line missing from stacker module!"
+ fi
+done
+
+rm sech.out stack.out dummy.out
+echo "LSM hook verification done."
next prev parent reply other threads:[~2005-06-30 20:02 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-06-30 19:44 [patch 0/12] lsm stacking v0.2: intro serue
2005-06-30 19:48 ` [patch 1/12] lsm stacking v0.2: don't default to dummy_##hook serue
2005-06-30 19:48 ` [patch 2/12] lsm stacking v0.2: replace void* security with hlist serue
2005-06-30 19:49 ` [patch 3/12] lsm stacking v0.2: introduce security_*_value API serue
2005-06-30 19:49 ` [patch 4/12] lsm stacking v0.2: stacker documentation serue
2005-06-30 19:50 ` [patch 5/12] lsm stacking v0.2: actual stacker module serue
2005-07-01 2:32 ` James Morris
2005-07-01 19:24 ` serge
2005-07-01 20:35 ` Greg KH
2005-07-03 0:24 ` serge
2005-07-03 18:25 ` Tony Jones
2005-07-03 18:53 ` James Morris
2005-07-03 19:09 ` Tony Jones
2005-07-03 20:44 ` [PATCH] securityfs Greg KH
2005-07-04 12:39 ` serge
2005-07-04 15:53 ` serge
2005-07-05 6:07 ` Greg KH
2005-07-06 12:25 ` serge
2005-07-06 6:52 ` James Morris
2005-07-06 7:04 ` Greg KH
2005-07-06 12:29 ` Stephen Smalley
2005-07-06 15:35 ` James Morris
2005-07-06 16:06 ` Stephen Smalley
2005-07-06 16:16 ` Greg KH
2005-07-06 18:01 ` Chris Wright
2005-07-06 22:08 ` serue
2005-07-06 22:22 ` Greg KH
2005-07-06 23:32 ` serge
2005-07-07 17:30 ` serge
2005-07-07 17:48 ` Greg KH
2005-07-07 18:27 ` serue
2005-07-07 22:46 ` serge
2005-07-07 23:06 ` Greg KH
2005-07-07 23:12 ` serue
2005-07-08 20:44 ` serue
2005-07-08 20:49 ` Greg KH
2005-07-08 21:03 ` Chris Wright
2005-07-04 3:18 ` [patch 5/12] lsm stacking v0.2: actual stacker module Tony Jones
2005-07-04 11:51 ` serge
2005-07-04 19:37 ` Tony Jones
2005-07-04 20:06 ` serge
2005-07-04 20:41 ` Tony Jones
2005-07-05 18:17 ` serge
2005-07-08 21:43 ` serue
2005-07-08 22:12 ` serue
2005-07-11 14:40 ` Stephen Smalley
2005-07-11 17:51 ` serue
2005-07-11 19:03 ` Stephen Smalley
2005-07-13 16:39 ` serue
2005-07-13 18:27 ` serue
2005-06-30 19:51 ` [patch 6/12] lsm stacking v0.2: stackable capability lsm serue
2005-06-30 19:52 ` [patch 7/12] lsm stacking v0.2: selinux: update security structs serue
2005-06-30 19:53 ` [patch 8/12] lsm stacking v0.2: selinux: use security_*_value API serue
2005-06-30 19:53 ` [patch 9/12] lsm stacking v0.2: selinux: remove secondary support serue
2005-06-30 19:54 ` serue [this message]
2005-06-30 19:55 ` [patch 11/12] lsm stacking v0.2: /proc/$$/attr/ sharing serue
2005-06-30 19:55 ` [patch 12/12] lsm stacking v0.2: update seclvl for stacking serue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050630195428.GJ23538@serge.austin.ibm.com \
--to=serue@us.ibm.com \
--cc=akpm@osdl.org \
--cc=chrisw@osdl.org \
--cc=gerrit@us.ibm.com \
--cc=jmorris@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=mhalcrow@us.ibm.com \
--cc=safford@watson.ibm.com \
--cc=sailer@us.ibm.com \
--cc=sds@epoch.ncsc.mil \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).