[PATCH 4/4] MultiAdmin 1.0.7

From: Jan Engelhardt
Date: Saturday, October 20, 2007 - 4:51 pm

As per James's request, I am reposting the MultiAdmin LSM in its 
current form (2.6.23.1, still with the modular LSM interface). 

From: Jan Engelhardt
Date: Saturday, October 20, 2007 - 4:52 pm

[PATCH 3/4] task_post_setgid()

    -   Implement the task_post_setgid() LSM hook which is required by
        MultiAdmin to switch between classes.
        (task_post_setuid also switches between classes -- and already exists)


Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, May 01 2006
Modified July 11 2006

---
 include/linux/security.h |   13 +++++++++++++
 kernel/sys.c             |   15 ++++++++++++---
 security/dummy.c         |    7 +++++++
 3 files changed, 32 insertions(+), 3 deletions(-)

Index: linux-2.6.23.1/include/linux/security.h
===================================================================
--- linux-2.6.23.1.orig/include/linux/security.h
+++ linux-2.6.23.1/include/linux/security.h
@@ -1400,6 +1400,7 @@ struct security_operations {
 #endif	/* CONFIG_KEYS */
 
 	int (*cap_extra)(struct task_struct *, unsigned int);
+	int (*task_post_setgid)(gid_t, gid_t, gid_t, unsigned int);
 };
 
 /* global variables */
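Review bot: the new task_post_setgid member has no entry in the hook documentation block at the top of security.h, where every other struct security_operations member (task_post_setuid included) is described. Add a @task_post_setgid entry stating what the three gid_t arguments carry (the old values, as for task_post_setuid, or the new ones?) and which values the unsigned int accepts, presumably the same LSM_SETID_* flags the setuid variant takes.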
@@ -2139,6 +2140,12 @@ static inline int security_cap_extra(str
 	return security_ops->cap_extra(task, cap);
 }
 
+static inline int security_task_post_setgid(gid_t real, gid_t effective,
+    gid_t saved, unsigned int type)
+{
+	return security_ops->task_post_setgid(real, effective, saved, type);
+}
+
 /* prototypes */
 extern int security_init	(void);
 extern int register_security	(struct security_operations *ops);
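Review bot: security_task_post_setgid() returns an int, but it is a post hook: by the time it runs the gid change is already committed (the visible kernel/sys.c context shows current->gid = new_rgid being written before the cut-off), so a non-zero return cannot veto anything and the caller has nothing sensible to do with it. Either make the hook void, or document what a caller is expected to do with an error from it.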
@@ -2799,6 +2806,12 @@ static inline int security_cap_extra(str
 	return 0;
 }
 
+static inline int security_task_post_setgid(gid_t real, gid_t effective,
+    gid_t saved, unsigned int type)
+{
+	return 0;
+}
+
 static inline struct dentry *securityfs_create_dir(const char *name,
 					struct dentry *parent)
 {
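Review bot: this stub and the previous hunk use security_cap_extra() as their context, which only exists once [PATCH 1/4] is applied, so this patch does not apply to a plain 2.6.23.1 tree on its own. The cover letter should say that the series must be applied in numeric order, especially since the messages show up out of order in the archive.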
Index: linux-2.6.23.1/kernel/sys.c
===================================================================
--- linux-2.6.23.1.orig/kernel/sys.c
+++ linux-2.6.23.1/kernel/sys.c
@@ -1052,7 +1052,8 @@ asmlinkage long sys_setregid(gid_t rgid,
 	current->gid = new_rgid;
 	key_fsgid_changed(current);
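Review bot: the hunk is cut off after key_fsgid_changed(current), so the actual call site is not visible here; the diffstat (15 insertions, 3 deletions in kernel/sys.c) suggests more than one syscall is touched. Please make sure sys_setgid(), sys_setresgid() and sys_setfsgid() all get the same post-hook call as sys_setregid(), and in the same position (after the gid fields are written), otherwise a module that relies on this hook to switch classes will miss some transitions.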
 ...
From: Jan Engelhardt
Date: Saturday, October 20, 2007 - 4:52 pm

[PATCH 1/4] security_cap_extra() and more

    -   Renames capable() to capable_light().
        This function is used if only a capability is to be checked.

    -   Implement a new capable that calls security_cap_extra().
        Since a subadmin has almost the same capabilities as a
        superadmin, an extra helper is needed to decide whether an
        action is allowed, based on the philosophy of the LSM.

    -   implement the .cap_extra LSM hook


Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, May 01 2006
July 11 2006

---
 include/linux/capability.h |    2 ++
 include/linux/security.h   |   13 +++++++++++++
 kernel/capability.c        |   19 ++++++++++++++++++-
 security/dummy.c           |    6 ++++++
 4 files changed, 39 insertions(+), 1 deletion(-)

Index: linux-2.6.23.1/include/linux/capability.h
===================================================================
--- linux-2.6.23.1.orig/include/linux/capability.h
+++ linux-2.6.23.1/include/linux/capability.h
@@ -358,6 +358,8 @@ static inline kernel_cap_t cap_invert(ke
 
 #define cap_is_fs_cap(c)     (CAP_TO_MASK(c) & CAP_FS_MASK)
 
+bool capable_light(unsigned int);
+bool __capable_light(struct task_struct *, unsigned int);
 int capable(int cap);
 int __capable(struct task_struct *t, int cap);
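Review bot: the new prototypes are `bool capable_light(unsigned int)` while the existing pair right below is `int capable(int cap)`; two functions that patch 2/4 treats as drop-in replacements for each other should not differ in both return and parameter type, as that invites sign-conversion warnings and inconsistent call sites. Use the same types for both pairs, and name the parameters the way the existing declarations do.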
 
Index: linux-2.6.23.1/include/linux/security.h
===================================================================
--- linux-2.6.23.1.orig/include/linux/security.h
+++ linux-2.6.23.1/include/linux/security.h
@@ -1399,6 +1399,7 @@ struct security_operations {
 
 #endif	/* CONFIG_KEYS */
 
+	int (*cap_extra)(struct task_struct *, unsigned int);
 };
 
 /* global variables */
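Review bot: the cap_extra member is added without stating its return convention. The commit message says it decides "whether an action is allowed", but it is not clear whether 0 means permit, as for the other permission hooks in this struct, or the reverse; since capable() will combine this result with capable_light(), the convention needs to be documented in the hook description block along with the member itself.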
@@ -2132,6 +2133,12 @@ static inline void security_release_secc
 	return security_ops->release_secctx(secdata, seclen);
 }
 
+static inline int security_cap_extra(struct task_struct *task,
+    unsigned int cap)
+{
+	return security_ops->cap_extra(task, cap);
+}
+
 /* prototypes */
 extern int security_init	(void);
 extern ...
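Review bot: security_cap_extra() dereferences security_ops->cap_extra unconditionally, so every registered LSM must provide the callback. The diffstat lists 6 lines in security/dummy.c; those need to cover both a dummy default (a dummy_cap_extra(), to guess at the name) and the matching set_to_dummy_if_null() line in security_fixup_ops(), otherwise any LSM that does not know about the new hook will NULL-dereference on its first capable() call. The !CONFIG_SECURITY stub for this wrapper is not visible in this excerpt, though it does appear as context in patch 3/4.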
From: Jan Engelhardt
Date: Saturday, October 20, 2007 - 4:52 pm

[PATCH 2/4] Use of capable_light()

capable() now behaves like (capable_light() && is_superadm). Since some
operations are allowed by subadmins too, it suffices to use
capable_light().


Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, May 01 2006
Modified July 11 2006

---
 arch/alpha/kernel/pci-noop.c |    2 +-
 drivers/char/lp.c            |    2 +-
 drivers/firmware/efivars.c   |    2 +-
 drivers/pci/pci-sysfs.c      |    2 +-
 drivers/pci/proc.c           |    2 +-
 drivers/pci/syscall.c        |    2 +-
 fs/quota.c                   |    8 ++++----
 ipc/msg.c                    |    2 +-
 ipc/sem.c                    |    2 +-
 ipc/shm.c                    |    4 ++--
 10 files changed, 14 insertions(+), 14 deletions(-)

Index: linux-2.6.23.1/arch/alpha/kernel/pci-noop.c
===================================================================
--- linux-2.6.23.1.orig/arch/alpha/kernel/pci-noop.c
+++ linux-2.6.23.1/arch/alpha/kernel/pci-noop.c
@@ -89,7 +89,7 @@ asmlinkage long
 sys_pciconfig_read(unsigned long bus, unsigned long dfn,
 		   unsigned long off, unsigned long len, void *buf)
 {
-	if (!capable(CAP_SYS_ADMIN))
+	if (!capable_light(CAP_SYS_ADMIN))
 		return -EPERM;
 	else
 		return -ENODEV;
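Review bot: on this alpha no-op stub the change is harmless, since the function returns -ENODEV to anyone holding the capability, but sys_pciconfig_read() then has to be relaxed identically in drivers/pci/syscall.c (also in the diffstat) or the two implementations of the same syscall will disagree on whether a sub-admin may call it. It would also help to say in the commit message why raw PCI config-space reads are acceptable for the sub-admin class, given that the series describes that class as read-only for most subsystems.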
Index: linux-2.6.23.1/drivers/char/lp.c
===================================================================
--- linux-2.6.23.1.orig/drivers/char/lp.c
+++ linux-2.6.23.1/drivers/char/lp.c
@@ -627,7 +627,7 @@ static int lp_ioctl(struct inode *inode,
 			if (copy_to_user(argp, &LP_STAT(minor),
 					sizeof(struct lp_stats)))
 				return -EFAULT;
-			if (capable(CAP_SYS_ADMIN))
+			if (capable_light(CAP_SYS_ADMIN))
 				memset(&LP_STAT(minor), 0,
 						sizeof(struct lp_stats));
 			break;
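Review bot: this site is not a read-only operation: the capable_light() check guards the memset() that clears the printer statistics, so a sub-admin can now reset them. Patch 4/4's Kconfig text describes the sub-admin as having write rights only to a limited subset; if clearing lp stats is meant to be in that subset, say so in the commit message, otherwise this one should stay capable().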
Index: linux-2.6.23.1/drivers/firmware/efivars.c
===================================================================
--- linux-2.6.23.1.orig/drivers/firmware/efivars.c
+++ linux-2.6.23.1/drivers/firmware/efivars.c
@@ -351,7 +351,7 @@ static ssize_t efivar_attr_show(struct k
 ...
From: Jan Engelhardt
Date: Saturday, October 20, 2007 - 4:53 pm

[PATCH 4/4] MultiAdmin module

    -   Add the MultiAdmin to the mainline tree.
        I hope the rest is self-explanatory :)

Signed-off-by: Jan Engelhardt <jengelh@gmx.de>, May 01 2006
Modified July 11 2006

---
 security/Kconfig    |   17 +
 security/Makefile   |    3 
 security/multiadm.c |  628 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 648 insertions(+)

Index: linux-2.6.23.1/security/Kconfig
===================================================================
--- linux-2.6.23.1.orig/security/Kconfig
+++ linux-2.6.23.1/security/Kconfig
@@ -81,6 +81,23 @@ config SECURITY_NETWORK_XFRM
 	  IPSec.
 	  If you are unsure how to answer this question, answer N.
 
+config SECURITY_MULTIADM
+	tristate "MultiAdmin security module"
+	depends on SECURITY
+	select SECURITY_CAPABILITIES
+	---help---
+        The MultiAdmin security kernel module provides means to have multiple
+        "root" users with unique UIDs. This fixes collation order problems
+        which for example appear with NSCD, allows to have files with
+        determinable owner and allows to track the quota usage for every
+        user, since they now have a unique uid.
+
+        It also implements a "sub-admin", a partially restricted root user
+        (or enhanced normal user, depending on the way you see it), who has
+        full read-only access to most subsystems, and additional write rights
+        only to a limited subset, e.g. writing to files or killing processes
+        only of certain users.
+
 config SECURITY_CAPABILITIES
 	tristate "Default Linux Capabilities"
 	depends on SECURITY
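Review bot: the help text is indented with eight spaces while the surrounding entries use a tab followed by two spaces (compare the `IPSec.` context line above), so it should be re-indented to match. Content-wise, the text says there are multiple root users with unique UIDs but not how the module decides which UIDs count as "root" and which as "sub-admin", which is the first thing someone enabling the option needs to know; a sentence on that, and on where it is configured, would also answer the "what is it?" question further down the thread.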
Index: linux-2.6.23.1/security/Makefile
===================================================================
--- linux-2.6.23.1.orig/security/Makefile
+++ linux-2.6.23.1/security/Makefile
@@ -2,6 +2,9 @@
 # Makefile for the kernel security code
 #
 
+obj-$(CONFIG_SECURITY_MULTIADM)		+= multiadm.o
+CFLAGS_multiadm.o += $(if $(wildcard security/apparmor),-DAPPARMOR,)
+
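Review bot: deriving a compile-time define from `$(wildcard security/apparmor)` is fragile: it fires whenever an apparmor directory happens to be present in the tree even if AppArmor is not enabled, and the wildcard is evaluated relative to the current directory, which in an O= build is the object tree, so the same source can give different results. Key -DAPPARMOR on a Kconfig symbol instead (AppArmor is not in 2.6.23 mainline, so this means depending on whatever symbol the out-of-tree AppArmor patch adds), and say in Kconfig what multiadm.c does differently when it is set.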
 ...
From: Rik van Riel
Date: Saturday, October 20, 2007 - 8:48 pm

On Sun, 21 Oct 2007 01:51:50 +0200 (CEST)

That's very nice, but ... what is it?

It would be really helpful if each patch series came with some
kind of description of what problem the patches try to solve
and how it solves it :)

-- 
"Debugging is twice as hard as writing the code in the first place.
Therefore, if you write the code as cleverly as possible, you are,
by definition, not smart enough to debug it." - Brian W. Kernighan