[TOMOYO 14/15](repost) LSM expansion for TOMOYO Linux.

2007-10-02 Thread Kentaro Takeda
LSM expansion for TOMOYO Linux.

LSM hooks for sending signal:
   * task_kill_unlocked is added in sys_kill
   * task_tkill_unlocked is added in sys_tkill
   * task_tgkill_unlocked is added in sys_tgkill
LSM hooks for network accept and recv:
   * socket_post_accept is modified to return int.
   * post_recv_datagram is added in skb_recv_datagram.

You can try TOMOYO Linux without this patch, but in that case, you
can't use access control functionality for restricting signal
transmission and incoming network data.

Signed-off-by: Kentaro Takeda [EMAIL PROTECTED]
Signed-off-by: Tetsuo Handa [EMAIL PROTECTED]
---
 include/linux/security.h |   91 +++
 kernel/signal.c  |   17 
 net/core/datagram.c  |   22 +++
 net/socket.c |7 ++-
 security/dummy.c |   32 ++--
 5 files changed, 157 insertions(+), 12 deletions(-)

--- linux-2.6.orig/include/linux/security.h 2007-10-02 11:11:51.0 
+0900
+++ linux-2.6/include/linux/security.h  2007-10-02 11:26:23.0 +0900
@@ -628,6 +628,22 @@ struct request_sock;
  * @sig contains the signal value.
  * @secid contains the sid of the process where the signal originated
  * Return 0 if permission is granted.
+ * @task_kill_unlocked:
+ * Check permission before sending signal @sig to the process of @pid
+ * with sys_kill.
+ * @pid contains the pid of target process.
+ * @sig contains the signal value.
+ * @task_tkill_unlocked:
+ * Check permission before sending signal @sig to the process of @pid
+ * with sys_tkill.
+ * @pid contains the pid of target process.
+ * @sig contains the signal value.
+ * @task_tgkill_unlocked:
+ * Check permission before sending signal @sig to the process of @pid
+ * with sys_tgkill.
+ * @tgid contains the thread group id.
+ * @pid contains the pid of target process.
+ * @sig contains the signal value.
  * @task_wait:
  * Check permission before allowing a process to reap a child process @p
  * and collect its status information.
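Review bot: the three new @task_kill_unlocked, @task_tkill_unlocked and @task_tgkill_unlocked entries are missing the "Return 0 if permission is granted." line that @task_kill just above and the rest of this block carry; add it so module authors know the return contract. The descriptions are also inaccurate for the thread variants: sys_tkill and sys_tgkill take a thread id, not "the pid of target process", so @pid should be documented as a thread id for those two. Finally, the text should say that, unlike @task_kill (which receives a task_struct, a siginfo and a secid), these hooks get only a bare number and are called before the target task has been looked up, so the number can refer to a task that exits and is reused between this check and the actual delivery; that is the property a module must design around and it belongs in the header comment.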
@@ -749,8 +765,12 @@ struct request_sock;
  * @socket_post_accept:
  * This hook allows a security module to copy security
  * information into the newly created socket's inode.
+ * This hook also allows a security module to filter connections
+ * from unwanted peers.
+ * The connection will be aborted if this hook returns nonzero.
  * @sock contains the listening socket structure.
  * @newsock contains the newly created server socket for connection.
+ * Return 0 if permission is granted.
  * @socket_sendmsg:
  * Check permission before transmitting a message to another socket.
  * @sock contains the socket structure.
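Review bot: the new sentence "The connection will be aborted if this hook returns nonzero" does not say how: by the time @socket_post_accept runs the connection is already established and has been dequeued from the listen backlog, so "aborted" means the kernel closes an already accepted @newsock and the peer sees a close or reset rather than a refused connect, and the calling process presumably gets an error from accept(). State what the net/socket.c side of this series (7 lines in the diffstat, not shown in this hunk) does with the return value and which errno reaches userspace. Changing a void hook to int also changes the prototype every module implementing this hook must use; that should be called out in the commit message.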
@@ -764,6 +784,11 @@ struct request_sock;
  * @size contains the size of message structure.
  * @flags contains the operational flags.
  * Return 0 if permission is granted.  
+ * @post_recv_datagram:
+ * Check permission after receiving a datagram.
+ * @sk contains the socket.
+ * @skb contains the socket buffer (may be NULL).
+ * @flags contains the operational flags.
  * @socket_getsockname:
  * Check permission before the local address (name) of the socket object
  * @sock is retrieved.
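Review bot: @post_recv_datagram lacks a "Return 0 if permission is granted." line and does not say what a nonzero return does to the datagram (is it dropped, and does recv fail with that error?), nor what the hook is expected to do when @skb is NULL, which the text explicitly allows. The name also breaks the convention of its neighbours (@socket_recvmsg, @socket_getsockname); since it takes a struct sock rather than a struct socket, a sock_-prefixed name alongside sock_rcv_skb would fit the existing scheme. Worth a sentence too: per the commit message this runs inside skb_recv_datagram, i.e. after the packet has already been queued to the socket, so a denial here discards data that was already accepted into the receive queue.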
@@ -1279,6 +1304,9 @@ struct security_operations {
int (*task_movememory) (struct task_struct * p);
int (*task_kill) (struct task_struct * p,
  struct siginfo * info, int sig, u32 secid);
+   int (*task_kill_unlocked) (int pid, int sig);
+   int (*task_tkill_unlocked) (int pid, int sig);
+   int (*task_tgkill_unlocked) (int tgid, int pid, int sig);
int (*task_wait) (struct task_struct * p);
int (*task_prctl) (int option, unsigned long arg2,
   unsigned long arg3, unsigned long arg4,
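Review bot: the new task_*_unlocked members take plain int for pid and tgid; the syscalls they are called from use pid_t, and the type should match. More importantly, passing only a number means the module cannot resolve the target reliably: task_kill two lines above hands the module a task_struct, whereas these give it nothing to pin the target down with (and under pid namespaces a bare number is ambiguous). For task_tgkill_unlocked the last pid argument is a thread id, so naming it pid is misleading.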
@@ -1346,12 +1374,16 @@ struct security_operations {
   struct sockaddr * address, int addrlen);
int (*socket_listen) (struct socket * sock, int backlog);
int (*socket_accept) (struct socket * sock, struct socket * newsock);
-   void (*socket_post_accept) (struct socket * sock,
-   struct socket * newsock);
+#define TMY_LSM_EXPANSION
+   int (*socket_post_accept) (struct socket *sock,
+  struct socket *newsock);
int (*socket_sendmsg) (struct socket * sock,
   struct msghdr * msg, int size);
int (*socket_recvmsg) (struct socket * sock,
   struct msghdr * msg, int size, int flags);
+   int (*post_recv_datagram) (struct sock *sk,
+  struct sk_buff *skb,
+  unsigned int flags);
int (*socket_getsockname) (struct socket * sock);
int (*socket_getpeername) (struct socket * sock);
int (*socket_getsockopt) (struct socket * 
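Review bot: #define TMY_LSM_EXPANSION is a project-specific feature-test macro placed in the middle of struct security_operations; it does not belong in include/linux/security.h at all, and certainly not between struct members. If out-of-tree code needs to detect the int-returning socket_post_accept, a Kconfig symbol or a kernel version check is the usual route; drop the define. The socket_post_accept prototype change also breaks every module that implements the old void version, yet the diffstat only lists security/dummy.c, so any other implementer needs to be updated in the same series. The hunk is cut off after socket_getsockopt here, so the kernel/signal.c, net/core/datagram.c, net/socket.c and security/dummy.c changes listed in the diffstat could not be reviewed.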

Re: [TOMOYO 14/15](repost) LSM expansion for TOMOYO Linux.

2007-10-02 Thread James Morris
On Tue, 2 Oct 2007, Kentaro Takeda wrote:

 LSM expansion for TOMOYO Linux.
 
 LSM hooks for sending signal:
* task_kill_unlocked is added in sys_kill
* task_tkill_unlocked is added in sys_tkill
* task_tgkill_unlocked is added in sys_tgkill

Why do you need racy unlocked versions, in addition to the existing 
security_task_kill() hook which is called safely via 
check_kill_permission()?


- James
-- 
James Morris
[EMAIL PROTECTED]
-
To unsubscribe from this list: send the line unsubscribe 
linux-security-module in
the body of a message to [EMAIL PROTECTED]
More majordomo info at  http://vger.kernel.org/majordomo-info.html


Re: [TOMOYO 14/15](repost) LSM expansion for TOMOYO Linux.

2007-10-02 Thread Tetsuo Handa
Hello.

James Morris wrote:
 Why do you need racy unlocked versions, in addition to the existing 
 security_task_kill() hook which is called safely via 
 check_kill_permission() ?

TOMOYO Linux provides a delayed enforcing mode which allows the administrator
to judge interactively requests that violated policy.

Sometimes, especially after updating software packages, irregular behavior
arises.
So, the administrator prepares for such irregular behavior
by invoking the ccs-queryd userland program.
ccs-queryd prints the contents of the policy violation and
asks the administrator whether to grant the request that violated policy.
This can reduce the possibility of a restarting process failing with
permission denied.

Thus, security_task_kill(), which is called with tasklist_lock held,
is not what TOMOYO Linux wants.

I know this approach is racy, but TOMOYO Linux wants these unlocked versions
to avoid failures due to permission denial caused by the MAC policy.

Regards.



Re: [TOMOYO 14/15](repost) LSM expansion for TOMOYO Linux.

2007-10-02 Thread Tetsuo Handa
Hello.

Thank you for your comment.

James Morris wrote:
 I'm guessing you need this to determine the receiving process, rather than 
 the socket (which is available via security_sock_rcv_skb()).
Use of security_sock_rcv_skb() was discussed at
http://lkml.org/lkml/2007/8/28/74,
and the answer is at http://lkml.org/lkml/2007/10/2/56.

 If so, is this to interactively determine from the user or admin whether 
 the packet should be accepted/denied for the receiving process?
Yes, it is to determine whether the packet should be accepted/denied
based on the receiving process (like what anti-virus software's firewall does).

Regards.
