[patch 10/11] lsm stacking: hook completeness verification
From: serue
Date: Wed Jun 08 2005 - 19:44:11 EST
Add a script to check whether all security_operations hooks are defined
in both dummy_security_ops (through security_fixup_ops) and in stacker_ops.
Also adds a note in security.h to remind developers that all hooks must
be defined in these two modules, and to verify this using the
lsm_verify_hooks.sh script.
Signed-off-by: Serge Hallyn <serue@xxxxxxxxxx>
---
include/linux/security.h | 4 ++++
scripts/lsm_verify_hooks.sh | 44 ++++++++++++++++++++++++++++++++++++++++++++
2 files changed, 48 insertions(+)
Index: linux-2.6.12-rc2/include/linux/security.h
===================================================================
--- linux-2.6.12-rc2.orig/include/linux/security.h 2005-05-23 15:01:00.000000000 -0500
+++ linux-2.6.12-rc2/include/linux/security.h 2005-05-23 15:01:43.000000000 -0500
@@ -121,6 +121,10 @@
/**
* struct security_operations - main security structure
*
+ * When adding functions to this structure, please add them to
+ * dummy.c and stacker.c, and run linux/scripts/lsm_verify_hooks.sh
+ * to verify their inclusion in these modules.
+ *
* Security hooks for program execution operations.
*
* @bprm_alloc_security:
Index: linux-2.6.12-rc2/scripts/lsm_verify_hooks.sh
===================================================================
--- /dev/null 1970-01-01 00:00:00.000000000 +0000
+++ linux-2.6.12-rc2/scripts/lsm_verify_hooks.sh 2005-05-23 15:01:43.000000000 -0500
@@ -0,0 +1,44 @@
+#!/bin/sh
+
+# Author: Serge E. Hallyn <serue@xxxxxxxxxx>
+
+# Checks that both the dummy and stacker modules define all the
+# security hooks.
+
+# This probably should be done in perl
+
+# Copyright (C) 2002,2003,2004,2005 Serge E. Hallyn <serue@xxxxxxxxxx>
+# Copyright (C) 2002 David A. Wheeler <dwheeler@xxxxxxxxxxxx>.
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# Grab the relevant pieces of text
+sed -n '/^void security_fixup_ops /,/}/p' dummy.c > dummy.out
+sed -n '/^static struct security_operations/,/}/p' stacker.c > stack.out
+../scripts/Lindent -o tmpsec.h ../include/linux/security.h
+sed -n '/^struct security_operations {/,/}/p' tmpsec.h > sech.out
+rm tmpsec.h
+
+# Get a list of functions in security.h
+cat sech.out | sed -n '/\t[a-z]/p' | sed -e 's/^\t[a-z]* (\*\([^)]*\).*$/\1/' > sech.out
+
+# check dummy.c
+for line in `cat sech.out`; do
+ grep $line dummy.out > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ echo "WARNING: $line missing from dummy module!"
+ fi
+done
+
+# check stacker.c
+for line in `cat sech.out`; do
+ grep $line stack.out > /dev/null 2>&1
+ if [ $? -ne 0 ]; then
+ echo "WARNING: $line missing from stacker module!"
+ fi
+done
+
+rm sech.out stack.out dummy.out
+echo "LSM hook verification done."
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/