Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S261564AbVBHQR5 (ORCPT ); Tue, 8 Feb 2005 11:17:57 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id S261555AbVBHQQA (ORCPT ); Tue, 8 Feb 2005 11:16:00 -0500 Received: from vds-320151.amen-pro.com ([62.193.204.86]:49099 "EHLO vds-320151.amen-pro.com") by vger.kernel.org with ESMTP id S261573AbVBHQPD (ORCPT ); Tue, 8 Feb 2005 11:15:03 -0500 Subject: [PATCH] New sys_chmod() hook for the LSM framework From: Lorenzo =?ISO-8859-1?Q?Hern=E1ndez_?= =?ISO-8859-1?Q?Garc=EDa-Hierro?= To: "linux-kernel@vger.kernel.org" Cc: "linux-security-module@wirex.com" Content-Type: multipart/signed; micalg=pgp-sha1; protocol="application/pgp-signature"; boundary="=-+YdP7z6PBrYZghRwHwKV" Date: Tue, 08 Feb 2005 17:14:35 +0100 Message-Id: <1107879275.3754.279.camel@localhost.localdomain> Mime-Version: 1.0 X-Mailer: Evolution 2.0.2 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 6137 Lines: 119 --=-+YdP7z6PBrYZghRwHwKV Content-Type: multipart/mixed; boundary="=-oFF48iPDxCwcLZTBfb3U" --=-oFF48iPDxCwcLZTBfb3U Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Hi, As commented yesterday, I was going to release a few more hooks for some *critical* syscalls, this one adds a hook to sys_chmod(), and makes us able to apply checks and logics before releasing the operation to sys_chmod(). The main goal is to provide a simple way to handle chmod() calls and apply security restrictions & checks to them, and also add add auditing capabilities (ie.: log chmod() calls in chroot()'ed environments, etc). Patch attached and available at: http://pearls.tuxedo-es.org/patches/sys_chmod_lsm-hook-2.6.11-rc3.patch I would like to see this merged, Chris should decide :) An user of this will be, as commented in my past emails, vSecurity 0.2 release, and any other LSM module that wants to have control over chmod()'ing. I will make available another hook for sys_fchmod() ASAP. Cheers and thanks in advance, --=20 Lorenzo Hern=E1ndez Garc=EDa-Hierro =20 [1024D/6F2B2DEC] & [2048g/9AE91A22][http://tuxedo-es.org] --=-oFF48iPDxCwcLZTBfb3U Content-Disposition: attachment; filename=sys_chmod_lsm-hook-2.6.11-rc3.patch Content-Transfer-Encoding: base64 Content-Type: text/x-patch; name=sys_chmod_lsm-hook-2.6.11-rc3.patch; charset=ISO-8859-1 ZGlmZiAtTnVyIGxpbnV4LTIuNi4xMS1yYzMvZnMvb3Blbi5jIGxpbnV4LTIuNi4xMS1yYzMuY2ht L2ZzL29wZW4uYw0KLS0tIGxpbnV4LTIuNi4xMS1yYzMvZnMvb3Blbi5jCTIwMDUtMDItMDYgMjE6 NDA6NDAuMDAwMDAwMDAwICswMTAwDQorKysgbGludXgtMi42LjExLXJjMy5jaG0vZnMvb3Blbi5j CTIwMDUtMDItMDggMTY6MTA6MDkuOTAxMjkzNTYwICswMTAwDQpAQCAtNjUwLDYgKzY1MCwxMSBA QA0KIAlkb3duKCZpbm9kZS0+aV9zZW0pOw0KIAlpZiAobW9kZSA9PSAobW9kZV90KSAtMSkNCiAJ CW1vZGUgPSBpbm9kZS0+aV9tb2RlOw0KKwkJDQorCWVycm9yID0gc2VjdXJpdHlfY2htb2QoJm5k LCBpbm9kZSwgbW9kZSk7DQorCWlmIChlcnJvcikNCisJCWdvdG8gZHB1dF9hbmRfb3V0OwkNCisJ DQogCW5ld2F0dHJzLmlhX21vZGUgPSAobW9kZSAmIFNfSUFMTFVHTykgfCAoaW5vZGUtPmlfbW9k ZSAmIH5TX0lBTExVR08pOw0KIAluZXdhdHRycy5pYV92YWxpZCA9IEFUVFJfTU9ERSB8IEFUVFJf Q1RJTUU7DQogCWVycm9yID0gbm90aWZ5X2NoYW5nZShuZC5kZW50cnksICZuZXdhdHRycyk7DQpk aWZmIC1OdXIgbGludXgtMi42LjExLXJjMy9pbmNsdWRlL2xpbnV4L3NlY3VyaXR5LmggbGludXgt Mi42LjExLXJjMy5jaG0vaW5jbHVkZS9saW51eC9zZWN1cml0eS5oDQotLS0gbGludXgtMi42LjEx LXJjMy9pbmNsdWRlL2xpbnV4L3NlY3VyaXR5LmgJMjAwNS0wMi0wNiAyMTo0MDoyNy4wMDAwMDAw MDAgKzAxMDANCisrKyBsaW51eC0yLjYuMTEtcmMzLmNobS9pbmNsdWRlL2xpbnV4L3NlY3VyaXR5 LmgJMjAwNS0wMi0wOCAxNjoxMDozNy42NzAwNzIwNjQgKzAxMDANCkBAIC0xMDA4LDYgKzEwMDgs MTIgQEANCiAgKglAdHMgY29udGFpbnMgbmV3IHRpbWUNCiAgKglAdHogY29udGFpbnMgbmV3IHRp bWV6b25lDQogICoJUmV0dXJuIDAgaWYgcGVybWlzc2lvbiBpcyBncmFudGVkLg0KKyAqIEBjaG1v ZDoNCisgKglDaGVjayBwZXJtaXNzaW9uIGJlZm9yZSBjaGFuZ2luZyBmaWxlIG1vZGVzIGJ5IHN5 c19jaG1vZCgpLg0KKyAqCUBuZCBjb250YWlucyB0aGUgbmFtZWlkYXRhIHN0cnVjdC4NCisgKglA aW5vZGUgY29udGFpbnMgdGhlIGlub2RlIHN0cnVjdC4NCisgKglAbW9kZSBjb250YWlucyB0aGUg bW9kZSB2YWx1ZS4NCisgKglSZXR1cm4gMCBpZiBwZXJtaXNzaW9uIGlzIGdyYW50ZWQuDQogICog QHZtX2Vub3VnaF9tZW1vcnk6DQogICoJQ2hlY2sgcGVybWlzc2lvbnMgZm9yIGFsbG9jYXRpbmcg YSBuZXcgdmlydHVhbCBtYXBwaW5nLg0KICAqICAgICAgQHBhZ2VzIGNvbnRhaW5zIHRoZSBudW1i ZXIgb2YgcGFnZXMuDQpAQCAtMTA0NCw2ICsxMDUwLDcgQEANCiAJaW50ICgqcXVvdGFfb24pIChz dHJ1Y3QgZGVudHJ5ICogZGVudHJ5KTsNCiAJaW50ICgqc3lzbG9nKSAoaW50IHR5cGUpOw0KIAlp bnQgKCpzZXR0aW1lKSAoc3RydWN0IHRpbWVzcGVjICp0cywgc3RydWN0IHRpbWV6b25lICp0eik7 DQorCWludCAoKmNobW9kKSAoc3RydWN0IG5hbWVpZGF0YSAqbmQsIHN0cnVjdCBpbm9kZSAqaW5v ZGUsIG1vZGVfdCBtb2RlKTsNCiAJaW50ICgqdm1fZW5vdWdoX21lbW9yeSkgKGxvbmcgcGFnZXMp Ow0KIA0KIAlpbnQgKCpicHJtX2FsbG9jX3NlY3VyaXR5KSAoc3RydWN0IGxpbnV4X2JpbnBybSAq IGJwcm0pOw0KQEAgLTEzMDQsNiArMTMxMSwxMCBAQA0KIAlyZXR1cm4gc2VjdXJpdHlfb3BzLT5z ZXR0aW1lKHRzLCB0eik7DQogfQ0KIA0KK3N0YXRpYyBpbmxpbmUgaW50IHNlY3VyaXR5X2NobW9k KHN0cnVjdCBuYW1laWRhdGEgKm5kLCBzdHJ1Y3QgaW5vZGUgKmlub2RlLCBtb2RlX3QgbW9kZSkN Cit7DQorCXJldHVybiBzZWN1cml0eV9vcHMtPmNobW9kKG5kLCBpbm9kZSwgbW9kZSk7DQorfQ0K IA0KIHN0YXRpYyBpbmxpbmUgaW50IHNlY3VyaXR5X3ZtX2Vub3VnaF9tZW1vcnkobG9uZyBwYWdl cykNCiB7DQpAQCAtMTk4Niw2ICsxOTk3LDExIEBADQogCXJldHVybiBjYXBfc2V0dGltZSh0cywg dHopOw0KIH0NCiANCitzdGF0aWMgaW5saW5lIGludCBzZWN1cml0eV9jaG1vZChzdHJ1Y3QgbmFt ZWlkYXRhICpuZCwgc3RydWN0IGlub2RlICppbm9kZSwgbW9kZV90IG1vZGUpDQorew0KKwlyZXR1 cm4gMDsNCit9DQorDQogc3RhdGljIGlubGluZSBpbnQgc2VjdXJpdHlfdm1fZW5vdWdoX21lbW9y eShsb25nIHBhZ2VzKQ0KIHsNCiAJcmV0dXJuIGNhcF92bV9lbm91Z2hfbWVtb3J5KHBhZ2VzKTsN CmRpZmYgLU51ciBsaW51eC0yLjYuMTEtcmMzL3NlY3VyaXR5L2R1bW15LmMgbGludXgtMi42LjEx LXJjMy5jaG0vc2VjdXJpdHkvZHVtbXkuYw0KLS0tIGxpbnV4LTIuNi4xMS1yYzMvc2VjdXJpdHkv ZHVtbXkuYwkyMDA1LTAyLTA2IDIxOjQwOjU3LjAwMDAwMDAwMCArMDEwMA0KKysrIGxpbnV4LTIu Ni4xMS1yYzMuY2htL3NlY3VyaXR5L2R1bW15LmMJMjAwNS0wMi0wOCAxNTo1ODoyNi4wMDAwMDAw MDAgKzAxMDANCkBAIC0xMDgsNiArMTA4LDExIEBADQogCXJldHVybiAwOw0KIH0NCiANCitzdGF0 aWMgaW50IGR1bW15X2NobW9kKHN0cnVjdCBuYW1laWRhdGEgKm5kLCBzdHJ1Y3QgaW5vZGUgKmlu b2RlLCBtb2RlX3QgbW9kZSkNCit7DQorCXJldHVybiAwOw0KK30NCisNCiBzdGF0aWMgaW50IGR1 bW15X3ZtX2Vub3VnaF9tZW1vcnkobG9uZyBwYWdlcykNCiB7DQogCWludCBjYXBfc3lzX2FkbWlu ID0gMDsNCkBAIC04NTgsNiArODYzLDcgQEANCiAJc2V0X3RvX2R1bW15X2lmX251bGwob3BzLCBz eXNjdGwpOw0KIAlzZXRfdG9fZHVtbXlfaWZfbnVsbChvcHMsIHN5c2xvZyk7DQogCXNldF90b19k dW1teV9pZl9udWxsKG9wcywgc2V0dGltZSk7DQorCXNldF90b19kdW1teV9pZl9udWxsKG9wcywg Y2htb2QpOw0KIAlzZXRfdG9fZHVtbXlfaWZfbnVsbChvcHMsIHZtX2Vub3VnaF9tZW1vcnkpOw0K IAlzZXRfdG9fZHVtbXlfaWZfbnVsbChvcHMsIGJwcm1fYWxsb2Nfc2VjdXJpdHkpOw0KIAlzZXRf dG9fZHVtbXlfaWZfbnVsbChvcHMsIGJwcm1fZnJlZV9zZWN1cml0eSk7DQo= --=-oFF48iPDxCwcLZTBfb3U-- --=-+YdP7z6PBrYZghRwHwKV Content-Type: application/pgp-signature; name=signature.asc Content-Description: Esta parte del mensaje =?ISO-8859-1?Q?est=E1?= firmada digitalmente -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (GNU/Linux) iD8DBQBCCOVrDcEopW8rLewRArzwAKDiHiuVAgGBP1XZ/xgZxmq9w076QgCg4bQO TKRvzkwpJdcYqG4xIJVNECw= =5e2Q -----END PGP SIGNATURE----- --=-+YdP7z6PBrYZghRwHwKV-- - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/