Re: [PATCH] Realtime LSM

[Chris Wright]

* Jack O'Quin (joq@xxxxxx) wrote:
> Chris Wright <chrisw@xxxxxxxx> writes:
> > The egid makes a setgid-audio program be meaningful as well.
> 
> That works already, because we test the e_gid from the bprm structure,
> right?  Is that redundant?

You're right.  It's not quite redundant, because current->egid test is
before current->egid would be reset on setgid (happens in apply_creds).
Using apply_creds actually makes a bit more sense here, and simplifies
things a touch.

- use apply_creds and update gid_ok accordingly
- only upgrade cap_effective
- less generic variable names
  - s/any/rt_any/
  - s/gid/rt_gid/
  - s/mlock/rt_mlock/

thanks,
-chris
-- 
Linux Security Modules     http://lsm.immunix.org     http://lsm.bkbits.net

--- security/realtime.c~in_egroup	2004-10-08 22:17:23.499153832 -0700
+++ security/realtime.c	2004-10-09 15:49:38.048243488 -0700
@@ -45,34 +45,37 @@
  *  each is referenced only once in each function call.  Nothing
  *  depends on parameters having the same value every time.
  */
-static int any;			/* if TRUE, any process is realtime */
-module_param(any, int, 0644);
+
+/* if TRUE, any process is realtime */
+static int rt_any;
+module_param_named(any, rt_any, int, 0644);
 MODULE_PARM_DESC(any, " grant realtime privileges to any process.");
 
-static int gid = -1;			/* realtime group id, or NO_GROUP */
-module_param(gid, int, 0644);
+/* realtime group id, or NO_GROUP */
+static int rt_gid = -1;
+module_param_named(gid, rt_gid, int, 0644);
 MODULE_PARM_DESC(gid, " the group ID with access to realtime privileges.");
 
-static int mlock = 1;			/* enable mlock() privileges */
-module_param(mlock, int, 0644);
+/* enable mlock() privileges */
+static int rt_mlock = 1;
+module_param_named(mlock, rt_mlock, int, 0644);
 MODULE_PARM_DESC(mlock, " enable memory locking privileges.");
 
 /* helper function for testing group membership */
-static inline int gid_ok(int gid, int e_gid)
+static inline int gid_ok(int gid)
 {
 	if (gid == -1)
 		return 0;
 
-	if ((gid == e_gid) || (gid == current->gid))
+	if (gid == current->gid)
 		return 1;
 
 	return in_egroup_p(gid);
 }
 
-static int realtime_bprm_set_security(struct linux_binprm *bprm)
+static void realtime_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
 {
-
-	cap_bprm_set_security(bprm);
+	cap_bprm_apply_creds(bprm, unsafe);
 
 	/*  If a non-zero `any' parameter was specified, we grant
 	 *  realtime privileges to every process.  If the `gid'
@@ -81,17 +84,13 @@
 	 *  groups, we grant realtime capabilites.
 	 */
 
-	if (any || gid_ok(gid, bprm->e_gid)) {
-		cap_raise(bprm->cap_effective, CAP_SYS_NICE);
-		cap_raise(bprm->cap_permitted, CAP_SYS_NICE);
-		if (mlock) {
-			cap_raise(bprm->cap_effective, CAP_IPC_LOCK);
-			cap_raise(bprm->cap_permitted, CAP_IPC_LOCK);
-			cap_raise(bprm->cap_effective, CAP_SYS_RESOURCE);
-			cap_raise(bprm->cap_permitted, CAP_SYS_RESOURCE);
+	if (rt_any || gid_ok(rt_gid)) {
+		cap_raise(current->cap_effective, CAP_SYS_NICE);
+		if (rt_mlock) {
+			cap_raise(current->cap_effective, CAP_IPC_LOCK);
+			cap_raise(current->cap_effective, CAP_SYS_RESOURCE);
 		}
 	}
-	return 0;
 }
 
 static struct security_operations capability_ops = {
@@ -102,8 +101,8 @@
 	.capable =			cap_capable,
 	.netlink_send =			cap_netlink_send,
 	.netlink_recv =			cap_netlink_recv,
-	.bprm_apply_creds =		cap_bprm_apply_creds,
-	.bprm_set_security =		realtime_bprm_set_security,
+	.bprm_apply_creds =		realtime_bprm_apply_creds,
+	.bprm_set_security =		cap_bprm_set_security,
 	.bprm_secureexec =		cap_bprm_secureexec,
 	.task_post_setuid =		cap_task_post_setuid,
 	.task_reparent_to_init =	cap_task_reparent_to_init,
@@ -117,14 +116,14 @@
 {
 	{ .ctl_name	= 1,
 	  .procname	= "any",
-	  .data		= &any,
+	  .data		= &rt_any,
 	  .maxlen	= sizeof(int),
 	  .mode		= 0644,
 	  .proc_handler	= &proc_dointvec,
 	},
 	{ .ctl_name	= 2,
 	  .procname	= "gid",
-	  .data		= &gid,
+	  .data		= &rt_gid,
 	  .maxlen	= sizeof(int),
 	  .mode		= 0644,
 	  .proc_handler	= &proc_dointvec_minmax,
@@ -133,7 +132,7 @@
 	},
 	{ .ctl_name	= 3,
 	  .procname	= "mlock",
-	  .data		= &mlock,
+	  .data		= &rt_mlock,
 	  .maxlen	= sizeof(int),
 	  .mode		= 0644,
 	  .proc_handler	= &proc_dointvec,
@@ -205,15 +204,15 @@
 		return -ENOMEM;
 	}
 
-	if (any)
+	if (rt_any)
 		printk(KERN_INFO RT_LSM
-		       "initialized (all groups, mlock=%d)\n", mlock);
-	else if (gid == -1)
+		       "initialized (all groups, mlock=%d)\n", rt_mlock);
+	else if (rt_gid == -1)
 		printk(KERN_INFO RT_LSM
-		       "initialized (no groups, mlock=%d)\n", mlock);
+		       "initialized (no groups, mlock=%d)\n", rt_mlock);
 	else
 		printk(KERN_INFO RT_LSM
-		       "initialized (group %d, mlock=%d)\n", gid, mlock);
+		       "initialized (group %d, mlock=%d)\n", rt_gid, rt_mlock);
 		
 	return 0;
 }
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/