Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
d1e13e50
Commit
d1e13e50
authored
Feb 06, 2003
by
James Morris
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
[LSM]: Networking top-level socket operation hooks.
parent
3518172a
Changes
3
Expand all
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
447 additions
and
2 deletions
+447
-2
include/linux/security.h
include/linux/security.h
+285
-0
net/socket.c
net/socket.c
+71
-1
security/dummy.c
security/dummy.c
+91
-1
No files found.
include/linux/security.h
View file @
d1e13e50
This diff is collapsed.
Click to expand it.
net/socket.c
View file @
d1e13e50
...
@@ -77,6 +77,7 @@
...
@@ -77,6 +77,7 @@
#include <linux/highmem.h>
#include <linux/highmem.h>
#include <linux/divert.h>
#include <linux/divert.h>
#include <linux/mount.h>
#include <linux/mount.h>
#include <linux/security.h>
#if defined(CONFIG_KMOD) && defined(CONFIG_NET)
#if defined(CONFIG_KMOD) && defined(CONFIG_NET)
#include <linux/kmod.h>
#include <linux/kmod.h>
...
@@ -527,6 +528,10 @@ static int __sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
...
@@ -527,6 +528,10 @@ static int __sock_sendmsg(struct kiocb *iocb, struct socket *sock, struct msghdr
si
->
msg
=
msg
;
si
->
msg
=
msg
;
si
->
size
=
size
;
si
->
size
=
size
;
err
=
security_socket_sendmsg
(
sock
,
msg
,
size
);
if
(
err
)
return
err
;
err
=
scm_send
(
sock
,
msg
,
si
->
scm
);
err
=
scm_send
(
sock
,
msg
,
si
->
scm
);
if
(
err
>=
0
)
{
if
(
err
>=
0
)
{
err
=
sock
->
ops
->
sendmsg
(
iocb
,
sock
,
msg
,
size
,
si
->
scm
);
err
=
sock
->
ops
->
sendmsg
(
iocb
,
sock
,
msg
,
size
,
si
->
scm
);
...
@@ -551,6 +556,7 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg, int size)
...
@@ -551,6 +556,7 @@ int sock_sendmsg(struct socket *sock, struct msghdr *msg, int size)
int
__sock_recvmsg
(
struct
kiocb
*
iocb
,
struct
socket
*
sock
,
struct
msghdr
*
msg
,
int
size
,
int
flags
)
int
__sock_recvmsg
(
struct
kiocb
*
iocb
,
struct
socket
*
sock
,
struct
msghdr
*
msg
,
int
size
,
int
flags
)
{
{
int
err
;
struct
sock_iocb
*
si
=
kiocb_to_siocb
(
iocb
);
struct
sock_iocb
*
si
=
kiocb_to_siocb
(
iocb
);
si
->
sock
=
sock
;
si
->
sock
=
sock
;
...
@@ -560,6 +566,10 @@ int __sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
...
@@ -560,6 +566,10 @@ int __sock_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
si
->
size
=
size
;
si
->
size
=
size
;
si
->
flags
=
flags
;
si
->
flags
=
flags
;
err
=
security_socket_recvmsg
(
sock
,
msg
,
size
,
flags
);
if
(
err
)
return
err
;
memset
(
si
->
scm
,
0
,
sizeof
(
*
si
->
scm
));
memset
(
si
->
scm
,
0
,
sizeof
(
*
si
->
scm
));
size
=
sock
->
ops
->
recvmsg
(
iocb
,
sock
,
msg
,
size
,
flags
,
si
->
scm
);
size
=
sock
->
ops
->
recvmsg
(
iocb
,
sock
,
msg
,
size
,
flags
,
si
->
scm
);
...
@@ -963,6 +973,7 @@ int sock_wake_async(struct socket *sock, int how, int band)
...
@@ -963,6 +973,7 @@ int sock_wake_async(struct socket *sock, int how, int band)
int
sock_create
(
int
family
,
int
type
,
int
protocol
,
struct
socket
**
res
)
int
sock_create
(
int
family
,
int
type
,
int
protocol
,
struct
socket
**
res
)
{
{
int
i
;
int
i
;
int
err
;
struct
socket
*
sock
;
struct
socket
*
sock
;
/*
/*
...
@@ -986,6 +997,10 @@ int sock_create(int family, int type, int protocol, struct socket **res)
...
@@ -986,6 +997,10 @@ int sock_create(int family, int type, int protocol, struct socket **res)
}
}
family
=
PF_PACKET
;
family
=
PF_PACKET
;
}
}
err
=
security_socket_create
(
family
,
type
,
protocol
);
if
(
err
)
return
err
;
#if defined(CONFIG_KMOD) && defined(CONFIG_NET)
#if defined(CONFIG_KMOD) && defined(CONFIG_NET)
/* Attempt to load a protocol module if the find failed.
/* Attempt to load a protocol module if the find failed.
...
@@ -1031,6 +1046,7 @@ int sock_create(int family, int type, int protocol, struct socket **res)
...
@@ -1031,6 +1046,7 @@ int sock_create(int family, int type, int protocol, struct socket **res)
}
}
*
res
=
sock
;
*
res
=
sock
;
security_socket_post_create
(
sock
,
family
,
type
,
protocol
);
out:
out:
net_family_read_unlock
();
net_family_read_unlock
();
...
@@ -1141,8 +1157,14 @@ asmlinkage long sys_bind(int fd, struct sockaddr *umyaddr, int addrlen)
...
@@ -1141,8 +1157,14 @@ asmlinkage long sys_bind(int fd, struct sockaddr *umyaddr, int addrlen)
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
{
{
if
((
err
=
move_addr_to_kernel
(
umyaddr
,
addrlen
,
address
))
>=
0
)
if
((
err
=
move_addr_to_kernel
(
umyaddr
,
addrlen
,
address
))
>=
0
)
{
err
=
security_socket_bind
(
sock
,
(
struct
sockaddr
*
)
address
,
addrlen
);
if
(
err
)
{
sockfd_put
(
sock
);
return
err
;
}
err
=
sock
->
ops
->
bind
(
sock
,
(
struct
sockaddr
*
)
address
,
addrlen
);
err
=
sock
->
ops
->
bind
(
sock
,
(
struct
sockaddr
*
)
address
,
addrlen
);
}
sockfd_put
(
sock
);
sockfd_put
(
sock
);
}
}
return
err
;
return
err
;
...
@@ -1163,6 +1185,13 @@ asmlinkage long sys_listen(int fd, int backlog)
...
@@ -1163,6 +1185,13 @@ asmlinkage long sys_listen(int fd, int backlog)
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
{
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
{
if
((
unsigned
)
backlog
>
SOMAXCONN
)
if
((
unsigned
)
backlog
>
SOMAXCONN
)
backlog
=
SOMAXCONN
;
backlog
=
SOMAXCONN
;
err
=
security_socket_listen
(
sock
,
backlog
);
if
(
err
)
{
sockfd_put
(
sock
);
return
err
;
}
err
=
sock
->
ops
->
listen
(
sock
,
backlog
);
err
=
sock
->
ops
->
listen
(
sock
,
backlog
);
sockfd_put
(
sock
);
sockfd_put
(
sock
);
}
}
...
@@ -1199,6 +1228,10 @@ asmlinkage long sys_accept(int fd, struct sockaddr *upeer_sockaddr, int *upeer_a
...
@@ -1199,6 +1228,10 @@ asmlinkage long sys_accept(int fd, struct sockaddr *upeer_sockaddr, int *upeer_a
newsock
->
type
=
sock
->
type
;
newsock
->
type
=
sock
->
type
;
newsock
->
ops
=
sock
->
ops
;
newsock
->
ops
=
sock
->
ops
;
err
=
security_socket_accept
(
sock
,
newsock
);
if
(
err
)
goto
out_release
;
err
=
sock
->
ops
->
accept
(
sock
,
newsock
,
sock
->
file
->
f_flags
);
err
=
sock
->
ops
->
accept
(
sock
,
newsock
,
sock
->
file
->
f_flags
);
if
(
err
<
0
)
if
(
err
<
0
)
goto
out_release
;
goto
out_release
;
...
@@ -1218,6 +1251,8 @@ asmlinkage long sys_accept(int fd, struct sockaddr *upeer_sockaddr, int *upeer_a
...
@@ -1218,6 +1251,8 @@ asmlinkage long sys_accept(int fd, struct sockaddr *upeer_sockaddr, int *upeer_a
if
((
err
=
sock_map_fd
(
newsock
))
<
0
)
if
((
err
=
sock_map_fd
(
newsock
))
<
0
)
goto
out_release
;
goto
out_release
;
security_socket_post_accept
(
sock
,
newsock
);
out_put:
out_put:
sockfd_put
(
sock
);
sockfd_put
(
sock
);
out:
out:
...
@@ -1253,6 +1288,11 @@ asmlinkage long sys_connect(int fd, struct sockaddr *uservaddr, int addrlen)
...
@@ -1253,6 +1288,11 @@ asmlinkage long sys_connect(int fd, struct sockaddr *uservaddr, int addrlen)
err
=
move_addr_to_kernel
(
uservaddr
,
addrlen
,
address
);
err
=
move_addr_to_kernel
(
uservaddr
,
addrlen
,
address
);
if
(
err
<
0
)
if
(
err
<
0
)
goto
out_put
;
goto
out_put
;
err
=
security_socket_connect
(
sock
,
(
struct
sockaddr
*
)
address
,
addrlen
);
if
(
err
)
goto
out_put
;
err
=
sock
->
ops
->
connect
(
sock
,
(
struct
sockaddr
*
)
address
,
addrlen
,
err
=
sock
->
ops
->
connect
(
sock
,
(
struct
sockaddr
*
)
address
,
addrlen
,
sock
->
file
->
f_flags
);
sock
->
file
->
f_flags
);
out_put:
out_put:
...
@@ -1275,6 +1315,11 @@ asmlinkage long sys_getsockname(int fd, struct sockaddr *usockaddr, int *usockad
...
@@ -1275,6 +1315,11 @@ asmlinkage long sys_getsockname(int fd, struct sockaddr *usockaddr, int *usockad
sock
=
sockfd_lookup
(
fd
,
&
err
);
sock
=
sockfd_lookup
(
fd
,
&
err
);
if
(
!
sock
)
if
(
!
sock
)
goto
out
;
goto
out
;
err
=
security_socket_getsockname
(
sock
);
if
(
err
)
goto
out_put
;
err
=
sock
->
ops
->
getname
(
sock
,
(
struct
sockaddr
*
)
address
,
&
len
,
0
);
err
=
sock
->
ops
->
getname
(
sock
,
(
struct
sockaddr
*
)
address
,
&
len
,
0
);
if
(
err
)
if
(
err
)
goto
out_put
;
goto
out_put
;
...
@@ -1299,6 +1344,12 @@ asmlinkage long sys_getpeername(int fd, struct sockaddr *usockaddr, int *usockad
...
@@ -1299,6 +1344,12 @@ asmlinkage long sys_getpeername(int fd, struct sockaddr *usockaddr, int *usockad
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
{
{
err
=
security_socket_getpeername
(
sock
);
if
(
err
)
{
sockfd_put
(
sock
);
return
err
;
}
err
=
sock
->
ops
->
getname
(
sock
,
(
struct
sockaddr
*
)
address
,
&
len
,
1
);
err
=
sock
->
ops
->
getname
(
sock
,
(
struct
sockaddr
*
)
address
,
&
len
,
1
);
if
(
!
err
)
if
(
!
err
)
err
=
move_addr_to_user
(
address
,
len
,
usockaddr
,
usockaddr_len
);
err
=
move_addr_to_user
(
address
,
len
,
usockaddr
,
usockaddr_len
);
...
@@ -1427,6 +1478,12 @@ asmlinkage long sys_setsockopt(int fd, int level, int optname, char *optval, int
...
@@ -1427,6 +1478,12 @@ asmlinkage long sys_setsockopt(int fd, int level, int optname, char *optval, int
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
{
{
err
=
security_socket_setsockopt
(
sock
,
level
,
optname
);
if
(
err
)
{
sockfd_put
(
sock
);
return
err
;
}
if
(
level
==
SOL_SOCKET
)
if
(
level
==
SOL_SOCKET
)
err
=
sock_setsockopt
(
sock
,
level
,
optname
,
optval
,
optlen
);
err
=
sock_setsockopt
(
sock
,
level
,
optname
,
optval
,
optlen
);
else
else
...
@@ -1448,6 +1505,13 @@ asmlinkage long sys_getsockopt(int fd, int level, int optname, char *optval, int
...
@@ -1448,6 +1505,13 @@ asmlinkage long sys_getsockopt(int fd, int level, int optname, char *optval, int
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
{
{
err
=
security_socket_getsockopt
(
sock
,
level
,
optname
);
if
(
err
)
{
sockfd_put
(
sock
);
return
err
;
}
if
(
level
==
SOL_SOCKET
)
if
(
level
==
SOL_SOCKET
)
err
=
sock_getsockopt
(
sock
,
level
,
optname
,
optval
,
optlen
);
err
=
sock_getsockopt
(
sock
,
level
,
optname
,
optval
,
optlen
);
else
else
...
@@ -1469,6 +1533,12 @@ asmlinkage long sys_shutdown(int fd, int how)
...
@@ -1469,6 +1533,12 @@ asmlinkage long sys_shutdown(int fd, int how)
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
if
((
sock
=
sockfd_lookup
(
fd
,
&
err
))
!=
NULL
)
{
{
err
=
security_socket_shutdown
(
sock
,
how
);
if
(
err
)
{
sockfd_put
(
sock
);
return
err
;
}
err
=
sock
->
ops
->
shutdown
(
sock
,
how
);
err
=
sock
->
ops
->
shutdown
(
sock
,
how
);
sockfd_put
(
sock
);
sockfd_put
(
sock
);
}
}
...
...
security/dummy.c
View file @
d1e13e50
...
@@ -20,7 +20,7 @@
...
@@ -20,7 +20,7 @@
#include <linux/security.h>
#include <linux/security.h>
#include <linux/skbuff.h>
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/netlink.h>
#include <net/sock.h>
static
int
dummy_ptrace
(
struct
task_struct
*
parent
,
struct
task_struct
*
child
)
static
int
dummy_ptrace
(
struct
task_struct
*
parent
,
struct
task_struct
*
child
)
{
{
...
@@ -598,6 +598,82 @@ static int dummy_sem_semop (struct sem_array *sma,
...
@@ -598,6 +598,82 @@ static int dummy_sem_semop (struct sem_array *sma,
}
}
#ifdef CONFIG_SECURITY_NETWORK
#ifdef CONFIG_SECURITY_NETWORK
static
int
dummy_socket_create
(
int
family
,
int
type
,
int
protocol
)
{
return
0
;
}
static
void
dummy_socket_post_create
(
struct
socket
*
sock
,
int
family
,
int
type
,
int
protocol
)
{
return
;
}
static
int
dummy_socket_bind
(
struct
socket
*
sock
,
struct
sockaddr
*
address
,
int
addrlen
)
{
return
0
;
}
static
int
dummy_socket_connect
(
struct
socket
*
sock
,
struct
sockaddr
*
address
,
int
addrlen
)
{
return
0
;
}
static
int
dummy_socket_listen
(
struct
socket
*
sock
,
int
backlog
)
{
return
0
;
}
static
int
dummy_socket_accept
(
struct
socket
*
sock
,
struct
socket
*
newsock
)
{
return
0
;
}
static
void
dummy_socket_post_accept
(
struct
socket
*
sock
,
struct
socket
*
newsock
)
{
return
;
}
static
int
dummy_socket_sendmsg
(
struct
socket
*
sock
,
struct
msghdr
*
msg
,
int
size
)
{
return
0
;
}
static
int
dummy_socket_recvmsg
(
struct
socket
*
sock
,
struct
msghdr
*
msg
,
int
size
,
int
flags
)
{
return
0
;
}
static
int
dummy_socket_getsockname
(
struct
socket
*
sock
)
{
return
0
;
}
static
int
dummy_socket_getpeername
(
struct
socket
*
sock
)
{
return
0
;
}
static
int
dummy_socket_setsockopt
(
struct
socket
*
sock
,
int
level
,
int
optname
)
{
return
0
;
}
static
int
dummy_socket_getsockopt
(
struct
socket
*
sock
,
int
level
,
int
optname
)
{
return
0
;
}
static
int
dummy_socket_shutdown
(
struct
socket
*
sock
,
int
how
)
{
return
0
;
}
#endif
/* CONFIG_SECURITY_NETWORK */
#endif
/* CONFIG_SECURITY_NETWORK */
static
int
dummy_register_security
(
const
char
*
name
,
struct
security_operations
*
ops
)
static
int
dummy_register_security
(
const
char
*
name
,
struct
security_operations
*
ops
)
...
@@ -729,6 +805,20 @@ void security_fixup_ops (struct security_operations *ops)
...
@@ -729,6 +805,20 @@ void security_fixup_ops (struct security_operations *ops)
set_to_dummy_if_null
(
ops
,
register_security
);
set_to_dummy_if_null
(
ops
,
register_security
);
set_to_dummy_if_null
(
ops
,
unregister_security
);
set_to_dummy_if_null
(
ops
,
unregister_security
);
#ifdef CONFIG_SECURITY_NETWORK
#ifdef CONFIG_SECURITY_NETWORK
set_to_dummy_if_null
(
ops
,
socket_create
);
set_to_dummy_if_null
(
ops
,
socket_post_create
);
set_to_dummy_if_null
(
ops
,
socket_bind
);
set_to_dummy_if_null
(
ops
,
socket_connect
);
set_to_dummy_if_null
(
ops
,
socket_listen
);
set_to_dummy_if_null
(
ops
,
socket_accept
);
set_to_dummy_if_null
(
ops
,
socket_post_accept
);
set_to_dummy_if_null
(
ops
,
socket_sendmsg
);
set_to_dummy_if_null
(
ops
,
socket_recvmsg
);
set_to_dummy_if_null
(
ops
,
socket_getsockname
);
set_to_dummy_if_null
(
ops
,
socket_getpeername
);
set_to_dummy_if_null
(
ops
,
socket_setsockopt
);
set_to_dummy_if_null
(
ops
,
socket_getsockopt
);
set_to_dummy_if_null
(
ops
,
socket_shutdown
);
#endif
/* CONFIG_SECURITY_NETWORK */
#endif
/* CONFIG_SECURITY_NETWORK */
}
}
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment