Re: [RFC] [PATCH] [1/3] LSM Stacking: stackable bsdjail(tasklookup)

[Serge Hallyn]

The next three patches add bsdjail as another example of stacking
LSMs.  This patch adds the security_task_lookup hook required for
bsdjail.

Signed-off-by: Serge E. Hallyn <serue@xxxxxxxxxx>

Index: linux-2.6.10-rc1-bk14/fs/proc/base.c
===================================================================
--- linux-2.6.10-rc1-bk14.orig/fs/proc/base.c	2004-11-04
12:28:00.402094432 -0600
+++ linux-2.6.10-rc1-bk14/fs/proc/base.c	2004-11-04 12:31:28.974386624
-0600
@@ -1687,6 +1687,8 @@
 		int tgid = p->pid;
 		if (!pid_alive(p))
 			continue;
+		if (security_task_lookup(p))
+			continue;
 		if (--index >= 0)
 			continue;
 		tgids[nr_tgids] = tgid;
Index: linux-2.6.10-rc1-bk14/include/linux/security.h
===================================================================
--- linux-2.6.10-rc1-bk14.orig/include/linux/security.h	2004-11-04
12:28:12.736219360 -0600
+++ linux-2.6.10-rc1-bk14/include/linux/security.h	2004-11-04
12:31:28.977386168 -0600
@@ -623,6 +623,11 @@
  * 	Set the security attributes in @p->security for a kernel thread
that
  * 	is being reparented to the init task.
  *	@p contains the task_struct for the kernel thread.
+ * @task_lookup:
+ *	Check permission to see the /proc/<pid> entry for process @p.
+ *	@p contains the task_struct for task <pid> which is being looked
+ *	up under /proc
+ *	return 0 if permission is granted.
  * @task_to_inode:
  * 	Set the security attributes for an inode based on an associated
task's
  * 	security attributes, e.g. for /proc/pid inodes.
@@ -1154,6 +1159,7 @@
 			   unsigned long arg3, unsigned long arg4,
 			   unsigned long arg5);
 	void (*task_reparent_to_init) (struct task_struct * p);
+	int (*task_lookup)(struct task_struct *p);
 	void (*task_to_inode)(struct task_struct *p, struct inode *inode);
 
 	int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
@@ -1759,6 +1765,11 @@
 	security_ops->task_reparent_to_init (p);
 }
 
+static inline int security_task_lookup(struct task_struct *p)
+{
+	return security_ops->task_lookup(p);
+}
+
 static inline void security_task_to_inode(struct task_struct *p, struct
inode *inode)
 {
 	security_ops->task_to_inode(p, inode);
@@ -2399,6 +2410,11 @@
 	cap_task_reparent_to_init (p);
 }
 
+static inline int security_task_lookup(struct task_struct *p)
+{
+	return 0;
+}
+
 static inline void security_task_to_inode(struct task_struct *p, struct
inode *inode)
 { }
 
Index: linux-2.6.10-rc1-bk14/security/dummy.c
===================================================================
--- linux-2.6.10-rc1-bk14.orig/security/dummy.c	2004-11-04
12:28:13.741066600 -0600
+++ linux-2.6.10-rc1-bk14/security/dummy.c	2004-11-04 12:31:28.979385864
-0600
@@ -622,6 +622,11 @@
 	return;
 }
 
+static int dummy_task_lookup(struct task_struct *p)
+{
+	return 0;
+}
+
 static void dummy_task_to_inode(struct task_struct *p, struct inode
*inode)
 { }
 
@@ -985,6 +990,7 @@
 	set_to_dummy_if_null(ops, task_kill);
 	set_to_dummy_if_null(ops, task_prctl);
 	set_to_dummy_if_null(ops, task_reparent_to_init);
+ 	set_to_dummy_if_null(ops, task_lookup);
  	set_to_dummy_if_null(ops, task_to_inode);
 	set_to_dummy_if_null(ops, ipc_permission);
 	set_to_dummy_if_null(ops, msg_msg_alloc_security);
Index: linux-2.6.10-rc1-bk14/security/stacker.c
===================================================================
--- linux-2.6.10-rc1-bk14.orig/security/stacker.c	2004-11-04
12:31:12.248929280 -0600
+++ linux-2.6.10-rc1-bk14/security/stacker.c	2004-11-04
12:31:28.998382976 -0600
@@ -756,6 +756,11 @@
 	CALL_ALL(task_reparent_to_init,task_reparent_to_init(p));
 }
 
+static int stacker_task_lookup(struct task_struct *p)
+{
+	RETURN_ERROR_IF_ANY_ERROR(task_lookup,task_lookup(p));
+}
+
 static void stacker_task_to_inode(struct task_struct *p, struct inode
*inode)
 {
 	CALL_ALL(task_to_inode,task_to_inode(p, inode));
@@ -1264,6 +1269,7 @@
 	.task_wait =			stacker_task_wait,
 	.task_prctl =			stacker_task_prctl,
 	.task_reparent_to_init =	stacker_task_reparent_to_init,
+	.task_lookup =			stacker_task_lookup,
 	.task_to_inode =		stacker_task_to_inode,
 
 	.ipc_permission 		= stacker_ipc_permission,


-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/