Core of the functionality is to insert hooking points at appropriate
places and pass events for vetting.

Vetting works via three chains of filters. First an interception is
passed to an evaluation chain whose purpose is to decide whether the
access should be allowed or denied. Depending on the outcome either the
allow or the deny filter chain is run next.

Signed-off-by: Eric Paris <eparis@redhat.com>
---
 Documentation/talpa/design.txt          | 266 +++++++++++++++++++++++++++++++
 fs/open.c                               |  10 ++
 include/linux/talpa.h                   |  88 ++++++++++
 security/Kconfig                        |   1 +
 security/Makefile                       |   2 +
 security/talpa/Kconfig                  |   9 +
 security/talpa/Makefile                 |   7 +
 security/talpa/talpa.h                  |  64 ++++++++
 security/talpa/talpa_allow_calls.h      |   5 +
 security/talpa/talpa_deny_calls.h       |   5 +
 security/talpa/talpa_evaluation_calls.h |   6 +
 security/talpa/talpa_interceptor.c      | 116 ++++++++++++++
 12 files changed, 579 insertions(+), 0 deletions(-)

diff --git a/Documentation/talpa/design.txt b/Documentation/talpa/design.txt
new file mode 100644
index 0000000..5df07bf
--- /dev/null
+++ b/Documentation/talpa/design.txt
@@ -0,0 +1,266 @@
+
And while we're at it please stop cross-posting to a restricted
mailing list.
--
Each filter can choose to export a set of configuration options,
which are implemented through securityfs at the low level.

Signed-off-by: Eric Paris <eparis@redhat.com>
---
 security/talpa/Makefile              |   4 +-
 security/talpa/talpa.h               |  41 +++++++++
 security/talpa/talpa_common.c        |  54 ++++++++++++
 security/talpa/talpa_configuration.c | 155 ++++++++++++++++++++++++++++++++++
 4 files changed, 253 insertions(+), 1 deletions(-)
 create mode 100644 security/talpa/talpa_common.c
 create mode 100644 security/talpa/talpa_configuration.c

diff --git a/security/talpa/Makefile b/security/talpa/Makefile
index 676fc90..41045d7 100644
--- a/security/talpa/Makefile
+++ b/security/talpa/Makefile
@@ -4,4 +4,6 @@obj-$(CONFIG_TALPA) := talpa.o
-talpa-y := talpa_interceptor.o
+talpa-y := talpa_interceptor.o \
+ talpa_common.o \
+ talpa_configuration.o
diff --git a/security/talpa/talpa.h b/security/talpa/talpa.h
index 2c4fb6f..871b6d4 100644
--- a/security/talpa/talpa.h
+++ b/security/talpa/talpa.h
@@ -1,5 +1,6 @@
/*
* Copyright 2008 Sophos Plc
+ * Copyright (C) 2008 Red Hat, Inc., Eric Paris <eparis@redhat.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
@@ -61,4 +62,44 @@ struct talpa_file_vetting {
int code;
};+/**
+ * struct talpa_configuration - configuration description for filters
+ * @name: name of the configuration
+ * @mode: access mode
+ * @data: private data to pass to get and set callbacks
+ * @get: callback to read out configuration value
+ * @set: callback to write in configuration value
+ *
+ * Filter wanting to have configurable items passes in an array of these
+ * structures at registration time. Last item should have name set to
+ * NULL.
+ * Get and set callbacks will be called with a pointer to a single
+ * configuration item.
+ * Set callback is guaranteed to provide a null-terminated ...
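Review bot: the kerneldoc leaves the security-relevant part of @mode undocumented; "access mode" says nothing about what the bits are or who should be able to write. Since a filter's configuration items change whether accesses are allowed or denied, state here that @mode is the securityfs file permission handed to the created file and what filters are expected to use for writable items (owner-only write), so that an unprivileged task cannot flip a filter's configuration. The same comment should also say what serialises concurrent get/set calls on one item and its @data, or that the filter has to do that itself.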
Cache both positive and negative access results. All inode access starts
allowed in the cache for performance reasons. Descriptions of the cache operation
can be found in Documentation/talpa/cache and in security/talpa/talpa_cache.c

Signed-off-by: Eric Paris <eparis@redhat.com>
---
 Documentation/talpa/cache               |  17 +++
 fs/inode.c                              |   6 +
 fs/namei.c                              |   2 +
 include/linux/fs.h                      |   5 +
 include/linux/talpa.h                   |  17 +++
 security/talpa/Kconfig                  |  13 ++
 security/talpa/Makefile                 |   2 +
 security/talpa/talpa.h                  |  10 ++
 security/talpa/talpa_allow_calls.h      |   7 +
 security/talpa/talpa_cache.c            | 207 +++++++++++++++++++++++++++++++
 security/talpa/talpa_cache.h            |  22 ++++
 security/talpa/talpa_common.c           |   2 +
 security/talpa/talpa_deny_calls.h       |   6 +
 security/talpa/talpa_evaluation_calls.h |  26 ++++-
 14 files changed, 341 insertions(+), 1 deletions(-)
 create mode 100644 Documentation/talpa/cache
 create mode 100644 security/talpa/talpa_cache.c
 create mode 100644 security/talpa/talpa_cache.h

diff --git a/Documentation/talpa/cache b/Documentation/talpa/cache
new file mode 100644
index 0000000..8010b53
--- /dev/null
+++ b/Documentation/talpa/cache
@@ -0,0 +1,17 @@
+The cache mechanism of talpa is incredibly simple.
+
+Talpa maintains a global long called talpa_cache_seqno which is initially zero and monotomically increases either when there is a talpa configuration change or when userspace signals it should be increased. Caching of inodes is done by adding a field to each inode, i_talpa_cache_seqno. If talpa determines authoritatively that access to an inode should be allowed or denied the value of the global sequence number will be assigned to the inode. When allowed the inode is assigned the same value as the global and when denied the inode is assigned th...
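Review bot: "monotomically" should be "monotonically", and the text should spell out two consequences of "initially zero": an inode whose i_talpa_cache_seqno is still zero compares equal to the global and is treated as allowed without ever being vetted, so the userspace scanner has to bump the sequence number before it is willing to vet anything, and the document should name who is permitted to trigger that bump from userspace, since whoever can bump it can also force a full rescan. It should also say what happens when the global long wraps, because the check as described is exact equality.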
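The three filter chains described in the first patch message above (evaluation chain decides, then either the allow chain or the deny chain runs) and the sequence-number cache described in this one, modelled together in userspace C. This is an added illustration, not code from the Talpa patches or from Sophos or Red Hat. The verdict encoding, the filter callback signature, the default verdict when no evaluation filter decides, and the way a cached denial is stored in i_talpa_cache_seqno (here -(seqno + 1); the real encoding is cut off on this page) are all assumptions; the inodes and their contents are constructed.

```c
#include <stdbool.h>
#include <string.h>

enum verdict { TALPA_UNDECIDED = 0, TALPA_ALLOW = 1, TALPA_DENY = 2 };

/* Stand-in for the kernel inode: the field the cache patch adds, plus the
 * (constructed) file content the scanning filter looks at. */
struct inode_model { long i_talpa_cache_seqno; const char *content; };

/* One intercepted access: the inode touched and whether the accessing task
 * carries the exclusion flag from the thread_exclude patch. */
struct talpa_event { struct inode_model *inode; bool task_excluded; };

typedef enum verdict (*eval_filter)(struct talpa_event *);
typedef void (*side_filter)(struct talpa_event *);

/* Global sequence number: starts at zero, bumped on configuration change or
 * on request from userspace. A fresh inode's field is also zero, so until
 * the first bump every inode compares equal and is allowed unscanned. */
long talpa_cache_seqno = 0;
unsigned scan_count = 0;

/* --- evaluation chain: the first filter that is not UNDECIDED wins --- */

/* Cache lookup. ASSUMPTION: an allow is recorded as the current sequence
 * number and a denial as -(seqno + 1); the real denial encoding is cut off
 * on this page. The two cannot collide because seqno is never negative. */
static enum verdict eval_cache(struct talpa_event *ev)
{
    long s = ev->inode->i_talpa_cache_seqno;
    if (s == talpa_cache_seqno)
        return TALPA_ALLOW;
    if (s == -(talpa_cache_seqno + 1))
        return TALPA_DENY;
    return TALPA_UNDECIDED;
}

/* Content scan using the allow_most.c rule: deny if it starts with "bad". */
static enum verdict eval_scan(struct talpa_event *ev)
{
    scan_count++;
    return strncmp(ev->inode->content, "bad", 3) == 0 ? TALPA_DENY : TALPA_ALLOW;
}

static const eval_filter evaluation_chain[] = { eval_cache, eval_scan, NULL };

/* --- allow chain and deny chain: record the authoritative result --- */
static void allow_cache(struct talpa_event *ev) { ev->inode->i_talpa_cache_seqno = talpa_cache_seqno; }
static void deny_cache(struct talpa_event *ev) { ev->inode->i_talpa_cache_seqno = -(talpa_cache_seqno + 1); }
static const side_filter allow_chain[] = { allow_cache, NULL };
static const side_filter deny_chain[] = { deny_cache, NULL };

/* The hooking point. Excluded tasks bypass vetting before any chain runs,
 * so their accesses never populate the cache. ASSUMPTION: when no
 * evaluation filter reaches a decision the access is allowed. */
enum verdict talpa_intercept(struct talpa_event *ev)
{
    enum verdict v = TALPA_UNDECIDED;
    const side_filter *chain;

    if (ev->task_excluded)
        return TALPA_ALLOW;
    for (const eval_filter *f = evaluation_chain; *f && v == TALPA_UNDECIDED; f++)
        v = (*f)(ev);
    if (v == TALPA_UNDECIDED)
        v = TALPA_ALLOW;
    chain = (v == TALPA_ALLOW) ? allow_chain : deny_chain;
    for (const side_filter *f = chain; *f; f++)
        (*f)(ev);
    return v;
}

/* What userspace does at scanner start-up and on a configuration change. */
void talpa_cache_invalidate(void) { talpa_cache_seqno++; }

/* Walks the cache through its states with constructed inodes; returns the
 * number of expectations met (9 when everything behaves as described). */
int run_scenario(void)
{
    struct inode_model bad = { 0, "bad payload" }, good = { 0, "hello" }, bad2 = { 0, "bad too" };
    struct talpa_event e_bad = { &bad, false }, e_good = { &good, false };
    struct talpa_event e_excl = { &bad2, true }, e_bad2 = { &bad2, false };
    int ok = 0;

    talpa_cache_seqno = 0;
    scan_count = 0;
    ok += talpa_intercept(&e_bad) == TALPA_ALLOW && scan_count == 0;  /* fresh inode at seqno 0: allowed unscanned */
    talpa_cache_invalidate();                                         /* scanner start-up: from now on things are vetted */
    ok += talpa_intercept(&e_bad) == TALPA_DENY && scan_count == 1;
    ok += talpa_intercept(&e_bad) == TALPA_DENY && scan_count == 1;   /* cached denial, no rescan */
    talpa_cache_invalidate();                                         /* configuration change invalidates it */
    ok += talpa_intercept(&e_bad) == TALPA_DENY && scan_count == 2;
    ok += talpa_intercept(&e_good) == TALPA_ALLOW && scan_count == 3;
    ok += talpa_intercept(&e_good) == TALPA_ALLOW && scan_count == 3; /* cached allow */
    ok += talpa_intercept(&e_excl) == TALPA_ALLOW && scan_count == 3; /* excluded task: no scan... */
    ok += bad2.i_talpa_cache_seqno == 0;                              /* ...and no cached allow left behind */
    ok += talpa_intercept(&e_bad2) == TALPA_DENY && scan_count == 4;
    return ok;
}
```

The first step is the point the cache document makes implicitly: with the global at its initial zero, a never-vetted inode is a cache hit for "allowed", so the bump in talpa_cache_invalidate() is what actually switches vetting on. Exclusion is checked before the chains run, so an excluded scanner reading a malicious file does not leave a cached allow behind for everyone else.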
Sometimes it is necessary for certain processes to bypass the interception
by Talpa. For example, that may be a purely userspace on-demand scanner which wouldn't
work if unable to access malicious files.

This is implemented as a process flag in the task_struct.

Signed-off-by: Eric Paris <eparis@redhat.com>
---
 Documentation/talpa/tecat.c           | 50 +++++++++++++++++++++++++
 Documentation/talpa/thread_exclude    |  6 +++
 include/linux/sched.h                 |  1 +
 security/talpa/Kconfig                | 18 +++++++++
 security/talpa/Makefile               |  2 +
 security/talpa/talpa_interceptor.c    |  5 ++
 security/talpa/talpa_thread_exclude.c | 66 +++++++++++++++++++++++++++++++++
 7 files changed, 148 insertions(+), 0 deletions(-)
 create mode 100644 Documentation/talpa/tecat.c
 create mode 100644 Documentation/talpa/thread_exclude
 create mode 100644 security/talpa/talpa_thread_exclude.c

diff --git a/Documentation/talpa/tecat.c b/Documentation/talpa/tecat.c
new file mode 100644
index 0000000..8c66d73
--- /dev/null
+++ b/Documentation/talpa/tecat.c
@@ -0,0 +1,50 @@
+#include <unistd.h>
+#include <stdio.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <string.h>
+
+int main(int argc, char *argv[])
+{
+ int talpa;
+ int fd;
+ ssize_t size;
+ char buffer[4096];
+ int args = argc - 1;
+
+ /* Register as an excluded client. */
+ talpa = open("/security/talpa/exclude/talpa-exclude", O_WRONLY);
+ if (!talpa) {
+ fprintf(stderr, "Cannot connect to Talpa - errno %d!\n", errno);
+ return 1;
+ }
+
+ /* Signal Talpa that we want to be excluded. */
+ if (write(talpa, "1", 1) != 1) {
+ fprintf(stderr, "Failed to exclude - errno %d!\n", errno);
+ return 1;
+ }
+
+ /* Cat files given as arguments. */
+ while (args > 0) {
+ fd = open(argv[args], O_RDONLY);
+ if (fd > 0) {
+ while ((size = read(fd, buffer, sizeof(buffer))) > 0)
+ write(STDOUT_FILENO, buffer, size);
+ close(fd);
+ }...
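Review bot: the error check after the first open() is wrong: open() returns -1 on failure and 0 is a valid descriptor, so `if (!talpa)` never catches a failed open and would misfire if fd 0 happened to be free; use `if (talpa < 0)`, and for the same reason `if (fd > 0)` in the loop should be `fd >= 0`. Two more points for a documentation example that shows how to exempt a process from vetting: the path hard-codes securityfs at /security, so say that it assumes that mount point (it is commonly mounted at /sys/kernel/security), and say what privilege the write of "1" requires, since any task able to write that file exempts itself from all interception.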
Userspace vetting is an evaluation filter which passes vetting requests
to a userspace daemon.

An example vetting client which allows access to everything except one very
specific file can be found in Documentation/talpa/allow_most.c.

Many vetting clients can register simultaneously but only one gets
a particular request. In other words userspace vetting clients do not
operate as a chain but as a set of consumers.

To facilitate access to the actual file a file descriptor is duplicated
into the vetting client process. In this way there is no reliance on
paths and different permission issues are bypassed.

Signed-off-by: Eric Paris <eparis@redhat.com>
---
 Documentation/talpa/allow_most.c        | 138 ++++++++
 Documentation/talpa/client              |  85 +++++
 Documentation/talpa/test_deny.c         | 356 ++++++++++++++++++++
 include/linux/talpa.h                   |  83 +++++
 security/talpa/Kconfig                  |  11 +
 security/talpa/Makefile                 |   2 +-
 security/talpa/talpa_client.c           | 543 +++++++++++++++++++++++++++++++
 security/talpa/talpa_evaluation_calls.h |   8 +
 8 files changed, 1225 insertions(+), 1 deletions(-)
 create mode 100644 Documentation/talpa/allow_most.c
 create mode 100644 Documentation/talpa/client
 create mode 100644 Documentation/talpa/test_deny.c
 create mode 100644 security/talpa/talpa_client.c

diff --git a/Documentation/talpa/allow_most.c b/Documentation/talpa/allow_most.c
new file mode 100644
index 0000000..e563ed4
--- /dev/null
+++ b/Documentation/talpa/allow_most.c
@@ -0,0 +1,138 @@
+/* This is a userspace talpa client. It looks for a file /root/denyme and
+ * will deny access to that file if it starts with the string "bad" */
+
+#include <unistd.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <sys/param.h>
+#include <unistd.h>
+#include <fcntl.h>
+#include <errno.h>
+#include <str...
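Review bot: <unistd.h> is included twice in the header block; drop one. The file comment also identifies the target by the path /root/denyme, while the commit message's argument for handing the client a duplicated descriptor is precisely that it need not rely on paths; the comment should say where the path the example compares against comes from and why matching on it is safe here.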
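Why the duplicated descriptor, rather than a path, is what a vetting client should look at. This is an added example, not part of the patch series or of its Documentation files: it applies the allow_most.c rule (deny when the content starts with "bad") once to a descriptor and once to a path, then renames a clean file over the vetted name. The kernel-side handover of the descriptor is not modelled (the "client" is just a function that receives an fd); the scratch files under /tmp are constructed; pread() is used on the assumption that the descriptor handed to the client may share its file offset with the vetted process.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

enum verdict { VET_ERROR = -1, VET_ALLOW = 0, VET_DENY = 1 };

/* Vet the object behind an already-open descriptor. pread() leaves the
 * file offset alone, which matters if the descriptor handed to the client
 * shares its open file description (ASSUMPTION) with the vetted process. */
enum verdict vet_fd(int fd)
{
    char head[3];
    ssize_t n = pread(fd, head, sizeof head, 0);

    if (n < 0)
        return VET_ERROR;
    if (n == (ssize_t)sizeof head && memcmp(head, "bad", 3) == 0)
        return VET_DENY;
    return VET_ALLOW;
}

/* Path-based variant: resolves the name again at vetting time, so it can
 * end up looking at a different object than the one the caller opened. */
enum verdict vet_path(const char *path)
{
    int fd = open(path, O_RDONLY);
    enum verdict v;

    if (fd < 0)
        return VET_ERROR;
    v = vet_fd(fd);
    close(fd);
    return v;
}

static int write_file(const char *path, const char *content)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    ssize_t len = (ssize_t)strlen(content);
    int ok;

    if (fd < 0)
        return -1;
    ok = write(fd, content, len) == len;
    close(fd);
    return ok ? 0 : -1;
}

/* Constructed scenario: the vetted process opens a file whose content
 * begins with "bad"; while vetting is pending, a clean file is renamed
 * over that name. Returns 1 if the descriptor-based verdict stays DENY
 * (and the caller's offset is untouched) while the path-based verdict
 * flips to ALLOW; 0 if not; -1 if the scratch files could not be set up. */
int demo_rename_race(void)
{
    char dir[] = "/tmp/talpa-demo-XXXXXX";
    char bad[64], good[64];
    int fd, result;
    enum verdict fd_before, fd_after, path_after;
    off_t offset_after_vet;

    if (!mkdtemp(dir))
        return -1;
    snprintf(bad, sizeof bad, "%s/bad.txt", dir);
    snprintf(good, sizeof good, "%s/good.txt", dir);
    if (write_file(bad, "bad payload\n") || write_file(good, "hello\n"))
        return -1;

    /* This is the descriptor the kernel would duplicate into the client. */
    fd = open(bad, O_RDONLY);
    if (fd < 0)
        return -1;
    fd_before = vet_fd(fd);
    offset_after_vet = lseek(fd, 0, SEEK_CUR);

    /* Attacker swaps a clean file into the name that was just vetted. */
    if (rename(good, bad) < 0)
        return -1;

    path_after = vet_path(bad);   /* re-resolves the name: sees "hello" */
    fd_after = vet_fd(fd);        /* still bound to the original object */

    result = fd_before == VET_DENY && fd_after == VET_DENY &&
             path_after == VET_ALLOW && offset_after_vet == 0;

    close(fd);
    unlink(bad);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("descriptor-based vetting survives the rename race: %s\n",
           demo_rename_race() == 1 ? "yes" : "NO");
    return 0;
}
```

The descriptor pins the object the accessing process actually opened, so a rename or symlink swap between interception and verdict cannot redirect the check; it also sidesteps the "different permission issues" the message mentions, because the client never has to be able to resolve or open the path itself.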
