ldvldvl

1. #include <linux/xattr.h>
2. #include <linux/init.h>
3. #include <linux/kd.h>
4. #include <linux/kernel.h>
5. #include <linux/tracehook.h>
6. #include <linux/errno.h>
7. #include <linux/ext2_fs.h>
8. #include <linux/sched.h>
9. #include <linux/security.h>
10. #include <linux/xattr.h>
11. #include <linux/capability.h>
12. #include <linux/unistd.h>
13. #include <linux/mm.h>
14. #include <linux/mman.h>
15. #include <linux/slab.h>
16. #include <linux/pagemap.h>
17. #include <linux/proc_fs.h>
18. #include <linux/swap.h>
19. #include <linux/spinlock.h>
20. #include <linux/syscalls.h>
21. #include <linux/dcache.h>
22. #include <linux/file.h>
23. #include <linux/fdtable.h>
24. #include <linux/namei.h>
25. #include <linux/mount.h>
26. #include <linux/netfilter_ipv4.h>
27. #include <linux/netfilter_ipv6.h>
28. #include <linux/tty.h>
29. #include <net/icmp.h>
30. #include <net/ip.h> /* for local_port_range[] */
31. #include <net/tcp.h> /* struct or_callable used in sock_rcv_skb */
32. #include <net/inet_connection_sock.h>
33. #include <net/net_namespace.h>
34. #include <net/netlabel.h>
35. #include <linux/uaccess.h>
36. #include <asm/ioctls.h>
37. #include <linux/atomic.h>
38. #include <linux/bitops.h>
39. #include <linux/interrupt.h>
40. #include <linux/netdevice.h> /* for network interface checks */
41. #include <linux/netlink.h>
42. #include <linux/tcp.h>
43. #include <linux/udp.h>
44. #include <linux/dccp.h>
45. #include <linux/quota.h>
46. #include <linux/un.h> /* for Unix socket types */
47. #include <net/af_unix.h> /* for Unix socket types */
48. #include <linux/parser.h>
49. #include <linux/nfs_mount.h>
50. #include <net/ipv6.h>
51. #include <linux/hugetlb.h>
52. #include <linux/personality.h>
53. #include <linux/audit.h>
54. #include <linux/string.h>
55. #include <linux/selinux.h>
56. #include <linux/mutex.h>
57. #include <linux/posix-timers.h>
58. #include <linux/syslog.h>
59. #include <linux/user_namespace.h>
60. #include <linux/export.h>
61. #include <linux/list.h>
62. #include <linux/binfmts.h>
63.  
64. #ifdef CONFIG_SECURITY_COMPSEC
65.  
66. struct file_accesses {
67. unsigned int read;
68. unsigned int write;
69. };
70.  
71. extern struct security_operations *security_ops;
72.  
73.  
74. static int compsec_file_permission(struct file *file, int mask)
75. {
76. unsigned int fclass = 0; //file security class
77. unsigned int pclass = 0; // current process class
78. struct inode *inode = NULL;
79. char* fname = NULL;
80. char* pname = NULL;
81. if (!current)
82. return 0;
83. if (current->pid == 1 || current->pid == 0 )
84. return 0;
85. if (!file)
86. return 0;
87. if (!(file->f_path.dentry))
88. return 0;
89. if (!(file->f_path.dentry->d_inode))
90. return 0;
91. if (!(file->f_path.dentry->d_name.name))
92. return 0;
93. inode = file->f_path.dentry->d_inode; //file inode struct
94. fname = file->f_path.dentry->d_name.name; //file basename
95. if (!current_cred())
96. return 0;
97. if (!(current_cred()->security))
98. return 0;
99. pclass = (unsigned int) current_cred()->security;
100. if (!(file->f_dentry))
101. return 0;
102. if (!(file->f_dentry->d_iname))
103. return 0;
104. if (inode->i_rdev || strlen(file->f_dentry->d_iname) == 0)
105. return 0;
106. if (current->mm)
107. pname = current->mm->exe_file->f_path.dentry->d_name.name; // Getting the file assocoated to the executing process
108. else
109. return 0;
110.  
111. int error = vfs_getxattr(file->f_path.dentry,"security.classification",&fclass,sizeof(unsigned int));//TODO: Get EA of "security.class" from the requested file - use vfs_getxattr**
112. if (error == -34) {
113.  
114. }
115. else {
116. if (error == -61) {
117. fclass = 0;
118. }
119. else {
120. return -EACCES;
121. }
122. }
123. if (!(inode->i_sb))
124. return 0;
125. if (!(inode->i_sb->s_xattr))
126. return 0;
127. const struct xattr_handler** curr_s_xattr = inode->i_sb->s_xattr; // Helper variable to varify filesystem of inode supports EA
128. if ( mask == MAY_READ ) {
129. // Can read by DAC access...
130. if (pclass < fclass)
131. {
132. if (curr_s_xattr == 0 || error == -EOPNOTSUPP)
133. return 0; // The filesystem of the process doesnt support EA, skip that...
134. printk("compsec: Read Access Denied for Process %s security.class=%u to file %s with security.class=%u\n", pname, pclass, fname, fclass);
135. // return 0; //uncomment for debug
136. return -1;
137. }
138. else {
139. printk("compsec: Read Access for Process %s security.class=%u to file %s with security.class=%u\n", pname, pclass, fname, fclass);
140. return 1;
141. }
142. }
143.  
144. if ( mask == MAY_WRITE ) {
145. // Can write by DAC access...
146. if (pclass > fclass){
147. char test_buffer[PATH_MAX];
148. int test_buffer_len = PATH_MAX;
149. char* test_path=dentry_path_raw(file->f_path.dentry,test_buffer,test_buffer_len); // Helper function for debug printing path of the executable file, and validating it is not the login record...
150. if (curr_s_xattr == 0 || error == -EOPNOTSUPP || strcmp(test_path,"/utmp") == 0)
151. return 0; // The filesystem of the process doesnt support EA or it is the login record (utmp), skip that
152. printk("compsec: Write Access Denied for Process %s security.class=%u to file %s with security.class=%u\n", pname, pclass, fname, fclass);
153. // return 0; //uncomment for debug
154. return -1;
155. }
156. else {
157. printk("compsec: Write Access for Process %s security.class=%u to file %s with security.class=%u\n", pname, pclass, fname, fclass);
158. return 1;
159. }
160. }
161. return 0;
162. }
163.  
164.  
165. static int compsec_cred_prepare(struct cred *new, const struct cred *old,
166. gfp_t gfp)
167. {
168. new->security = old->security;
169. //TODO: handle security credentials for new process by fork, call stack: fork->copy_creds->prepare_creds...
170. return 0;
171. }
172.  
173.  
174.  
175. static int compsec_task_create(unsigned long clone_flags) {
176. return 0;
177. }
178.  
179. static int compsec_bprm_set_creds(struct linux_binprm *bprm) {
180. unsigned int fclass = 0;
181. //unsigned int bclass = 0;
182. //char* pname = NULL;
183.  
184. //bclass = (unsigned int) bprm->cred->security;
185. //pname = current->mm->exe_file->f_path.dentry->d_name.name;
186. int error = vfs_getxattr(bprm->file->f_path.dentry,"security.classification",&fclass,sizeof(unsigned int));//TODO: Get EA of "security.class" from designated executable file - use vfs_getxattr
187. bprm->cred->security=fclass;
188. //current->security->cred=bprm->cred;
189. //TODO: add handler for init
190. return cap_bprm_set_creds(bprm);
191. }
192.  
193.  
194. static struct security_operations compsec_ops = {
195. .name = "compsec",
196. .file_permission = compsec_file_permission,
197. .bprm_set_creds = compsec_bprm_set_creds,
198. .task_create = compsec_task_create,
199. .cred_prepare = compsec_cred_prepare,
200. };
201.  
202. static __init int compsec_init(void)
203. {
204. if (!security_module_enable(&compsec_ops)) {
205. printk("compsec: disabled at boot. \n");
206. return 0;
207. }
208.  
209. if (register_security(&compsec_ops))
210. panic("compsec: Unable to register compsec with kernel.\n");
211. else
212. printk("compsec: registered with the kernel\n");
213.  
214. return 0;
215. }
216. static void __exit compsec_exit (void)
217. {
218. return;
219. }
220.  
221.  
222.  
223. module_init (compsec_init);
224. module_exit (compsec_exit);
225.  
226. #endif