SOURCES: linux-2.6-security-opt.patch (NEW) - backport security= option
arekm
arekm at pld-linux.org
Wed Jun 25 12:57:06 CEST 2008
Author: arekm Date: Wed Jun 25 10:57:06 2008 GMT
Module: SOURCES Tag: HEAD
---- Log message:
- backport security= option
---- Files affected:
SOURCES:
linux-2.6-security-opt.patch (NONE -> 1.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/linux-2.6-security-opt.patch
diff -u /dev/null SOURCES/linux-2.6-security-opt.patch:1.1
--- /dev/null Wed Jun 25 12:57:07 2008
+++ SOURCES/linux-2.6-security-opt.patch Wed Jun 25 12:57:01 2008
@@ -0,0 +1,260 @@
+commit 076c54c5bcaed2081c0cba94a6f77c4d470236ad
+Author: Ahmed S. Darwish <darwish.07 at gmail.com>
+Date: Thu Mar 6 18:09:10 2008 +0200
+
+ Security: Introduce security= boot parameter
+
+ Add the security= boot parameter. This is done to avoid LSM
+ registration clashes in case of more than one bult-in module.
+
+ User can choose a security module to enable at boot. If no
+ security= boot parameter is specified, only the first LSM
+ asking for registration will be loaded. An invalid security
+ module name will be treated as if no module has been chosen.
+
+ LSM modules must check now if they are allowed to register
+ by calling security_module_enable(ops) first. Modify SELinux
+ and SMACK to do so.
+
+ Do not let SMACK register smackfs if it was not chosen on
+ boot. Smackfs assumes that smack hooks are registered and
+ the initial task security setup (swapper->security) is done.
+
+ Signed-off-by: Ahmed S. Darwish <darwish.07 at gmail.com>
+ Acked-by: James Morris <jmorris at namei.org>
+
+diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
+index 256a216..4b0f1ae 100644
+--- a/Documentation/kernel-parameters.txt
++++ b/Documentation/kernel-parameters.txt
+@@ -366,6 +366,12 @@ and is between 256 and 4096 characters. It is defined in the file
+ possible to determine what the correct size should be.
+ This option provides an override for these situations.
+
++ security= [SECURITY] Choose a security module to enable at boot.
++ If this boot parameter is not specified, only the first
++ security module asking for security registration will be
++ loaded. An invalid security module name will be treated
++ as if no module has been chosen.
++
+ capability.disable=
+ [SECURITY] Disable capabilities. This would normally
+ be used only if an alternative security model is to be
+diff --git a/include/linux/security.h b/include/linux/security.h
+index 697f228..f4116d6 100644
+--- a/include/linux/security.h
++++ b/include/linux/security.h
+@@ -36,6 +36,9 @@
+
+ extern unsigned securebits;
+
++/* Maximum number of letters for an LSM name string */
++#define SECURITY_NAME_MAX 10
++
+ struct ctl_table;
+ struct audit_krule;
+
+@@ -137,6 +140,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
+ /**
+ * struct security_operations - main security structure
+ *
++ * Security module identifier.
++ *
++ * @name:
++ * A string that acts as a unique identifeir for the LSM with max number
++ * of characters = SECURITY_NAME_MAX.
++ *
+ * Security hooks for program execution operations.
+ *
+ * @bprm_alloc_security:
+@@ -1270,6 +1279,8 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
+ * This is the main security structure.
+ */
+ struct security_operations {
++ char name[SECURITY_NAME_MAX + 1];
++
+ int (*ptrace) (struct task_struct * parent, struct task_struct * child);
+ int (*capget) (struct task_struct * target,
+ kernel_cap_t * effective,
+@@ -1537,6 +1548,7 @@ struct security_operations {
+
+ /* prototypes */
+ extern int security_init (void);
++extern int security_module_enable(struct security_operations *ops);
+ extern int register_security (struct security_operations *ops);
+ extern int mod_reg_security (const char *name, struct security_operations *ops);
+ extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
+diff --git a/security/dummy.c b/security/dummy.c
+index 1ac9f8e..d797a41 100644
+--- a/security/dummy.c
++++ b/security/dummy.c
+@@ -1017,7 +1017,9 @@ static inline void dummy_audit_rule_free(void *lsmrule)
+
+ #endif /* CONFIG_AUDIT */
+
+-struct security_operations dummy_security_ops;
++struct security_operations dummy_security_ops = {
++ .name = "dummy",
++};
+
+ #define set_to_dummy_if_null(ops, function) \
+ do { \
+diff --git a/security/security.c b/security/security.c
+index 2ef593e..dd0c6ba 100644
+--- a/security/security.c
++++ b/security/security.c
+@@ -17,6 +17,8 @@
+ #include <linux/kernel.h>
+ #include <linux/security.h>
+
++/* Boot-time LSM user choice */
++static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
+
+ /* things that live in dummy.c */
+ extern struct security_operations dummy_security_ops;
+@@ -67,13 +69,47 @@ int __init security_init(void)
+ return 0;
+ }
+
++/* Save user chosen LSM */
++static int __init choose_lsm(char *str)
++{
++ strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
++ return 1;
++}
++__setup("security=", choose_lsm);
++
++/**
++ * security_module_enable - Load given security module on boot ?
++ * @ops: a pointer to the struct security_operations that is to be checked.
++ *
++ * Each LSM must pass this method before registering its own operations
++ * to avoid security registration races. This method may also be used
++ * to check if your LSM is currently loaded.
++ *
++ * Return true if:
++ * -The passed LSM is the one chosen by user at boot time,
++ * -or user didsn't specify a specific LSM and we're the first to ask
++ * for registeration permissoin,
++ * -or the passed LSM is currently loaded.
++ * Otherwise, return false.
++ */
++int __init security_module_enable(struct security_operations *ops)
++{
++ if (!*chosen_lsm)
++ strncpy(chosen_lsm, ops->name, SECURITY_NAME_MAX);
++ else if (strncmp(ops->name, chosen_lsm, SECURITY_NAME_MAX))
++ return 0;
++
++ return 1;
++}
++
+ /**
+ * register_security - registers a security framework with the kernel
+ * @ops: a pointer to the struct security_options that is to be registered
+ *
+ * This function is to allow a security module to register itself with the
+ * kernel security subsystem. Some rudimentary checking is done on the @ops
+- * value passed to this function.
++ * value passed to this function. You'll need to check first if your LSM
++ * is allowed to register its @ops by calling security_module_enable(@ops).
+ *
+ * If there is already a security module registered with the kernel,
+ * an error will be returned. Otherwise 0 is returned on success.
+diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
+index a2f7e9c..f9927f0 100644
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -5295,6 +5295,8 @@ static int selinux_key_permission(key_ref_t key_ref,
+ #endif
+
+ static struct security_operations selinux_ops = {
++ .name = "selinux",
++
+ .ptrace = selinux_ptrace,
+ .capget = selinux_capget,
+ .capset_check = selinux_capset_check,
+@@ -5492,6 +5494,11 @@ static __init int selinux_init(void)
+ {
+ struct task_security_struct *tsec;
+
++ if (!security_module_enable(&selinux_ops)) {
++ selinux_enabled = 0;
++ return 0;
++ }
++
+ if (!selinux_enabled) {
+ printk(KERN_INFO "SELinux: Disabled at boot.\n");
+ return 0;
+diff --git a/security/smack/smack.h b/security/smack/smack.h
+index 62c1e98..4a4477f 100644
+--- a/security/smack/smack.h
++++ b/security/smack/smack.h
+@@ -15,6 +15,7 @@
+
+ #include <linux/capability.h>
+ #include <linux/spinlock.h>
++#include <linux/security.h>
+ #include <net/netlabel.h>
+
+ /*
+@@ -187,6 +188,7 @@ extern struct smack_known smack_known_star;
+ extern struct smack_known smack_known_unset;
+
+ extern struct smk_list_entry *smack_list;
++extern struct security_operations smack_ops;
+
+ /*
+ * Stricly for CIPSO level manipulation.
+diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
+index 732ba27..904bdc0 100644
+--- a/security/smack/smack_lsm.c
++++ b/security/smack/smack_lsm.c
+@@ -2424,7 +2424,9 @@ static void smack_release_secctx(char *secdata, u32 seclen)
+ {
+ }
+
+-static struct security_operations smack_ops = {
++struct security_operations smack_ops = {
++ .name = "smack",
++
+ .ptrace = smack_ptrace,
+ .capget = cap_capget,
+ .capset_check = cap_capset_check,
+@@ -2557,6 +2559,9 @@ static struct security_operations smack_ops = {
+ */
+ static __init int smack_init(void)
+ {
++ if (!security_module_enable(&smack_ops))
++ return 0;
++
+ printk(KERN_INFO "Smack: Initializing.\n");
+
+ /*
+diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
+index cfae8af..6ba2837 100644
+--- a/security/smack/smackfs.c
++++ b/security/smack/smackfs.c
+@@ -965,12 +965,21 @@ static struct vfsmount *smackfs_mount;
+ *
+ * register the smackfs
+ *
+- * Returns 0 unless the registration fails.
++ * Do not register smackfs if Smack wasn't enabled
++ * on boot. We can not put this method normally under the
++ * smack_init() code path since the security subsystem get
++ * initialized before the vfs caches.
++ *
++ * Returns true if we were not chosen on boot or if
++ * we were chosen and filesystem registration succeeded.
+ */
+ static int __init init_smk_fs(void)
+ {
+ int err;
+
++ if (!security_module_enable(&smack_ops))
++ return 0;
++
+ err = register_filesystem(&smk_fs_type);
+ if (!err) {
+ smackfs_mount = kern_mount(&smk_fs_type);
================================================================
More information about the pld-cvs-commit
mailing list