Date: Fri, 15 Jan 2010 03:12:46 -0500
From: Michael Stone
To: linux-kernel@vger.kernel.org
Cc: netdev@vger.kernel.org, linux-security-module@vger.kernel.org, Andi Kleen, David Lang, Oliver Hartkopp, Alan Cox, Herbert Xu, Valdis Kletnieks, Bryan Donlan, Evgeniy Polyakov, "C. Scott Ananian", James Morris, "Eric W. Biederman", Bernie Innocenti, Mark Seaborn, Randy Dunlap, Américo Wang, Tetsuo Handa, Samir Bellabes, Casey Schaufler, "Serge E. Hallyn", Pavel Machek, Al Viro, Kyle Moffett, Andrew Morgan, Michael Stone
Subject: disablenetwork (v5): Simplify the disablenetwork sendmsg hook.
Message-ID: <20100115081246.GA14426@heat>
References: <20100115081028.GA14004@heat>
In-Reply-To: <20100115081028.GA14004@heat>

The idea is that calls like

    sendto(fd, buffer, len, 0, NULL, 0);
    send(fd, buffer, len, 0);
    write(fd, buffer, len);

are all to be permitted but that calls like

    sendto(fd, buffer, len, 0, (struct sockaddr *) &addr, sizeof(addr));

are to be rejected when the current task's network is disabled, on the grounds that the former calls must use previously connected sockets but that the latter socket need not have been previously connected.

Signed-off-by: Michael Stone
---
 security/disablenetwork.c |    9 ++++-----
 1 files changed, 4 insertions(+), 5 deletions(-)
diff --git a/security/disablenetwork.c b/security/disablenetwork.c index f45ddfc..27b88d7 100644 --- a/security/disablenetwork.c +++ b/security/disablenetwork.c @@ -56,11 +56,10 @@ int disablenetwork_security_socket_connect(struct socket * sock, int disablenetwork_security_socket_sendmsg(struct socket * sock, struct msghdr * msg, int size) { - if (sock->sk->sk_family != PF_UNIX && - current->network && - (msg->msg_name != NULL || msg->msg_namelen != 0)) - return -EPERM; - return 0; + /* permit sockets which are PF_UNIX or connected; check others. */ + if (sock->sk->sk_family == PF_UNIX || msg->msg_name == NULL) + return 0; + return maybe_allow(); } int disablenetwork_security_ptrace_access_check(struct task_struct *child, -- 1.6.6.rc2
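Review bot: the new condition drops the `msg->msg_namelen != 0` test that the removed lines had, so a message with `msg_name == NULL` but a nonzero `msg_namelen` now takes the early `return 0;` instead of being checked; either keep the length test next to the `msg_name` test or say in the commit message why the length can be ignored here. The comment on the added line says "connected", but what the code actually tests is `msg->msg_name == NULL`, i.e. no explicit destination was supplied; wording the comment that way would match the behaviour, since a connected stream socket can still be handed an address that the transport ignores, and that call now falls through to `maybe_allow()`. Also, `maybe_allow()` is not visible in this hunk and the old `current->network` test disappears with the removed lines, so the commit message should state where `maybe_allow()` is defined and that it is the place where the task's network-disabled state is now consulted.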