1 |
Index: trunk/1.7.x/ccs-patch/include/linux/ccsecurity.h |
2 |
=================================================================== |
3 |
--- trunk/1.7.x/ccs-patch/include/linux/ccsecurity.h (revision 3827) |
4 |
+++ trunk/1.7.x/ccs-patch/include/linux/ccsecurity.h (working copy) |
5 |
@@ -138,12 +138,12 @@ |
6 |
struct sockaddr *addr, int addr_len); |
7 |
int (*socket_bind_permission) (struct socket *sock, |
8 |
struct sockaddr *addr, int addr_len); |
9 |
- int (*socket_accept_permission) (struct socket *sock, |
10 |
- struct sockaddr *addr); |
11 |
+ int (*socket_post_accept_permission) (struct socket *sock, |
12 |
+ struct socket *newsock); |
13 |
int (*socket_sendmsg_permission) (struct socket *sock, |
14 |
struct msghdr *msg, int size); |
15 |
- int (*socket_recvmsg_permission) (struct sock *sk, struct sk_buff *skb, |
16 |
- const unsigned int flags); |
17 |
+ int (*socket_post_recvmsg_permission) (struct sock *sk, |
18 |
+ struct sk_buff *skb); |
19 |
int (*chown_permission) (struct dentry *dentry, struct vfsmount *mnt, |
20 |
uid_t user, gid_t group); |
21 |
int (*chmod_permission) (struct dentry *dentry, struct vfsmount *mnt, |
22 |
@@ -162,135 +162,145 @@ |
23 |
|
24 |
static inline int ccs_chroot_permission(struct path *path) |
25 |
{ |
26 |
- return ccsecurity_ops.chroot_permission ? |
27 |
- ccsecurity_ops.chroot_permission(path) : 0; |
28 |
+ int (*func) (struct path *) = ccsecurity_ops.chroot_permission; |
29 |
+ return func ? func(path) : 0; |
30 |
} |
31 |
|
32 |
static inline int ccs_pivot_root_permission(struct path *old_path, |
33 |
struct path *new_path) |
34 |
{ |
35 |
- return ccsecurity_ops.pivot_root_permission ? |
36 |
- ccsecurity_ops.pivot_root_permission(old_path, new_path) : 0; |
37 |
+ int (*func) (struct path *, struct path *) |
38 |
+ = ccsecurity_ops.pivot_root_permission; |
39 |
+ return func ? func(old_path, new_path) : 0; |
40 |
} |
41 |
|
42 |
static inline int ccs_may_mount(struct path *path) |
43 |
{ |
44 |
- return ccsecurity_ops.may_mount ? |
45 |
- ccsecurity_ops.may_mount(path) : 0; |
46 |
+ int (*func) (struct path *) = ccsecurity_ops.may_mount; |
47 |
+ return func ? func(path) : 0; |
48 |
} |
49 |
|
50 |
static inline int ccs_mount_permission(char *dev_name, struct path *path, |
51 |
char *type, unsigned long flags, |
52 |
void *data_page) |
53 |
{ |
54 |
- return ccsecurity_ops.mount_permission ? |
55 |
- ccsecurity_ops.mount_permission(dev_name, path, type, flags, |
56 |
- data_page) : 0; |
57 |
+ int (*func) (char *, struct path *, char *, unsigned long, void *) |
58 |
+ = ccsecurity_ops.mount_permission; |
59 |
+ return func ? func(dev_name, path, type, flags, data_page) : 0; |
60 |
} |
61 |
|
62 |
#else |
63 |
|
64 |
static inline int ccs_chroot_permission(struct nameidata *nd) |
65 |
{ |
66 |
- return ccsecurity_ops.chroot_permission ? |
67 |
- ccsecurity_ops.chroot_permission(nd) : 0; |
68 |
+ int (*func) (struct nameidata *) = ccsecurity_ops.chroot_permission; |
69 |
+ return func ? func(nd) : 0; |
70 |
} |
71 |
|
72 |
static inline int ccs_pivot_root_permission(struct nameidata *old_nd, |
73 |
struct nameidata *new_nd) |
74 |
{ |
75 |
- return ccsecurity_ops.pivot_root_permission ? |
76 |
- ccsecurity_ops.pivot_root_permission(old_nd, new_nd) : 0; |
77 |
+ int (*func) (struct nameidata *, struct nameidata *) |
78 |
+ = ccsecurity_ops.pivot_root_permission; |
79 |
+ return func ? func(old_nd, new_nd) : 0; |
80 |
} |
81 |
|
82 |
static inline int ccs_may_mount(struct nameidata *nd) |
83 |
{ |
84 |
- return ccsecurity_ops.may_mount ? ccsecurity_ops.may_mount(nd) : 0; |
85 |
+ int (*func) (struct nameidata *) = ccsecurity_ops.may_mount; |
86 |
+ return func ? func(nd) : 0; |
87 |
} |
88 |
|
89 |
static inline int ccs_mount_permission(char *dev_name, struct nameidata *nd, |
90 |
char *type, unsigned long flags, |
91 |
void *data_page) |
92 |
{ |
93 |
- return ccsecurity_ops.mount_permission ? |
94 |
- ccsecurity_ops.mount_permission(dev_name, nd, type, flags, |
95 |
- data_page) : 0; |
96 |
+ int (*func) (char *, struct nameidata *, char *, unsigned long, void *) |
97 |
+ = ccsecurity_ops.mount_permission; |
98 |
+ return func ? func(dev_name, nd, type, flags, data_page) : 0; |
99 |
} |
100 |
#endif |
101 |
|
102 |
static inline int ccs_umount_permission(struct vfsmount *mnt, int flags) |
103 |
{ |
104 |
- return ccsecurity_ops.umount_permission ? |
105 |
- ccsecurity_ops.umount_permission(mnt, flags) : 0; |
106 |
+ int (*func) (struct vfsmount *, int) |
107 |
+ = ccsecurity_ops.umount_permission; |
108 |
+ return func ? func(mnt, flags) : 0; |
109 |
} |
110 |
|
111 |
static inline _Bool ccs_lport_reserved(const u16 port) |
112 |
{ |
113 |
- return ccsecurity_ops.lport_reserved ? |
114 |
- ccsecurity_ops.lport_reserved(port) : 0; |
115 |
+ _Bool (*func) (const u16) = ccsecurity_ops.lport_reserved; |
116 |
+ return func ? func(port) : 0; |
117 |
} |
118 |
|
119 |
static inline int ccs_ptrace_permission(long request, long pid) |
120 |
{ |
121 |
- return ccsecurity_ops.ptrace_permission ? |
122 |
- ccsecurity_ops.ptrace_permission(request, pid) : 0; |
123 |
+ int (*func) (long, long) = ccsecurity_ops.ptrace_permission; |
124 |
+ return func ? func(request, pid) : 0; |
125 |
} |
126 |
|
127 |
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 34) |
128 |
static inline void ccs_save_open_mode(int mode) |
129 |
{ |
130 |
- if (ccsecurity_ops.save_open_mode) |
131 |
- ccsecurity_ops.save_open_mode(mode); |
132 |
+ void (*func) (int) = ccsecurity_ops.save_open_mode; |
133 |
+ if (func) |
134 |
+ func(mode); |
135 |
} |
136 |
|
137 |
static inline void ccs_clear_open_mode(void) |
138 |
{ |
139 |
- if (ccsecurity_ops.clear_open_mode) |
140 |
- ccsecurity_ops.clear_open_mode(); |
141 |
+ void (*func) (void) = ccsecurity_ops.clear_open_mode; |
142 |
+ if (func) |
143 |
+ func(); |
144 |
} |
145 |
#endif |
146 |
|
147 |
static inline int ccs_open_permission(struct dentry *dentry, |
148 |
struct vfsmount *mnt, const int flag) |
149 |
{ |
150 |
- return ccsecurity_ops.open_permission ? |
151 |
- ccsecurity_ops.open_permission(dentry, mnt, flag) : 0; |
152 |
+ int (*func) (struct dentry *, struct vfsmount *, const int) |
153 |
+ = ccsecurity_ops.open_permission; |
154 |
+ return func ? func(dentry, mnt, flag) : 0; |
155 |
} |
156 |
|
157 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33) |
158 |
static inline int ccs_fcntl_permission(struct file *file, unsigned int cmd, |
159 |
unsigned long arg) |
160 |
{ |
161 |
- return ccsecurity_ops.fcntl_permission ? |
162 |
- ccsecurity_ops.fcntl_permission(file, cmd, arg) : 0; |
163 |
+ int (*func) (struct file *, unsigned int, unsigned long) |
164 |
+ = ccsecurity_ops.fcntl_permission; |
165 |
+ return func ? func(file, cmd, arg) : 0; |
166 |
} |
167 |
#else |
168 |
static inline int ccs_rewrite_permission(struct file *filp) |
169 |
{ |
170 |
- return ccsecurity_ops.rewrite_permission ? |
171 |
- ccsecurity_ops.rewrite_permission(filp) : 0; |
172 |
+ int (*func) (struct file *) = ccsecurity_ops.rewrite_permission; |
173 |
+ return func ? func(filp) : 0; |
174 |
} |
175 |
#endif |
176 |
|
177 |
static inline int ccs_ioctl_permission(struct file *filp, unsigned int cmd, |
178 |
unsigned long arg) |
179 |
{ |
180 |
- return ccsecurity_ops.ioctl_permission ? |
181 |
- ccsecurity_ops.ioctl_permission(filp, cmd, arg) : 0; |
182 |
+ int (*func) (struct file *, unsigned int, unsigned long) |
183 |
+ = ccsecurity_ops.ioctl_permission; |
184 |
+ return func ? func(filp, cmd, arg) : 0; |
185 |
} |
186 |
|
187 |
static inline int ccs_parse_table(int __user *name, int nlen, |
188 |
void __user *oldval, void __user *newval, |
189 |
struct ctl_table *table) |
190 |
{ |
191 |
- return ccsecurity_ops.parse_table ? |
192 |
- ccsecurity_ops.parse_table(name, nlen, oldval, newval, table) : |
193 |
- 0; |
194 |
+ int (*func) (int __user *, int, void __user *, void __user *, |
195 |
+ struct ctl_table *) = ccsecurity_ops.parse_table; |
196 |
+ return func ? func(name, nlen, oldval, newval, table) : 0; |
197 |
} |
198 |
|
199 |
static inline _Bool ccs_capable(const u8 operation) |
200 |
{ |
201 |
- return ccsecurity_ops.capable ? ccsecurity_ops.capable(operation) : 1; |
202 |
+ _Bool (*func) (const u8) = ccsecurity_ops.capable; |
203 |
+ return func ? func(operation) : 1; |
204 |
} |
205 |
|
206 |
static inline int ccs_mknod_permission(struct inode *dir, |
207 |
@@ -298,33 +308,37 @@ |
208 |
struct vfsmount *mnt, unsigned int mode, |
209 |
unsigned int dev) |
210 |
{ |
211 |
- return ccsecurity_ops.mknod_permission ? |
212 |
- ccsecurity_ops.mknod_permission(dir, dentry, mnt, mode, dev) : |
213 |
- 0; |
214 |
+ int (*func) (struct inode *, struct dentry *, struct vfsmount *, |
215 |
+ unsigned int, unsigned int) |
216 |
+ = ccsecurity_ops.mknod_permission; |
217 |
+ return func ? func(dir, dentry, mnt, mode, dev) : 0; |
218 |
} |
219 |
|
220 |
static inline int ccs_mkdir_permission(struct inode *dir, |
221 |
struct dentry *dentry, |
222 |
struct vfsmount *mnt, unsigned int mode) |
223 |
{ |
224 |
- return ccsecurity_ops.mkdir_permission ? |
225 |
- ccsecurity_ops.mkdir_permission(dir, dentry, mnt, mode) : 0; |
226 |
+ int (*func) (struct inode *, struct dentry *, struct vfsmount *, |
227 |
+ unsigned int) = ccsecurity_ops.mkdir_permission; |
228 |
+ return func ? func(dir, dentry, mnt, mode) : 0; |
229 |
} |
230 |
|
231 |
static inline int ccs_rmdir_permission(struct inode *dir, |
232 |
struct dentry *dentry, |
233 |
struct vfsmount *mnt) |
234 |
{ |
235 |
- return ccsecurity_ops.rmdir_permission ? |
236 |
- ccsecurity_ops.rmdir_permission(dir, dentry, mnt) : 0; |
237 |
+ int (*func) (struct inode *, struct dentry *, struct vfsmount *) |
238 |
+ = ccsecurity_ops.rmdir_permission; |
239 |
+ return func ? func(dir, dentry, mnt) : 0; |
240 |
} |
241 |
|
242 |
static inline int ccs_unlink_permission(struct inode *dir, |
243 |
struct dentry *dentry, |
244 |
struct vfsmount *mnt) |
245 |
{ |
246 |
- return ccsecurity_ops.unlink_permission ? |
247 |
- ccsecurity_ops.unlink_permission(dir, dentry, mnt) : 0; |
248 |
+ int (*func) (struct inode *, struct dentry *, struct vfsmount *) |
249 |
+ = ccsecurity_ops.unlink_permission; |
250 |
+ return func ? func(dir, dentry, mnt) : 0; |
251 |
} |
252 |
|
253 |
static inline int ccs_symlink_permission(struct inode *dir, |
254 |
@@ -332,16 +346,18 @@ |
255 |
struct vfsmount *mnt, |
256 |
const char *from) |
257 |
{ |
258 |
- return ccsecurity_ops.symlink_permission ? |
259 |
- ccsecurity_ops.symlink_permission(dir, dentry, mnt, from) : 0; |
260 |
+ int (*func) (struct inode *, struct dentry *, struct vfsmount *, |
261 |
+ const char *) = ccsecurity_ops.symlink_permission; |
262 |
+ return func ? func(dir, dentry, mnt, from) : 0; |
263 |
} |
264 |
|
265 |
static inline int ccs_truncate_permission(struct dentry *dentry, |
266 |
struct vfsmount *mnt, loff_t length, |
267 |
unsigned int time_attrs) |
268 |
{ |
269 |
- return ccsecurity_ops.truncate_permission ? |
270 |
- ccsecurity_ops.truncate_permission(dentry, mnt) : 0; |
271 |
+ int (*func) (struct dentry *, struct vfsmount *) |
272 |
+ = ccsecurity_ops.truncate_permission; |
273 |
+ return func ? func(dentry, mnt) : 0; |
274 |
} |
275 |
|
276 |
static inline int ccs_rename_permission(struct inode *old_dir, |
277 |
@@ -350,9 +366,10 @@ |
278 |
struct dentry *new_dentry, |
279 |
struct vfsmount *mnt) |
280 |
{ |
281 |
- return ccsecurity_ops.rename_permission ? |
282 |
- ccsecurity_ops.rename_permission(old_dir, old_dentry, new_dir, |
283 |
- new_dentry, mnt) : 0; |
284 |
+ int (*func) (struct inode *, struct dentry *, struct inode *, |
285 |
+ struct dentry *, struct vfsmount *) |
286 |
+ = ccsecurity_ops.rename_permission; |
287 |
+ return func ? func(old_dir, old_dentry, new_dir, new_dentry, mnt) : 0; |
288 |
} |
289 |
|
290 |
static inline int ccs_link_permission(struct dentry *old_dentry, |
291 |
@@ -360,125 +377,131 @@ |
292 |
struct dentry *new_dentry, |
293 |
struct vfsmount *mnt) |
294 |
{ |
295 |
- return ccsecurity_ops.link_permission ? |
296 |
- ccsecurity_ops.link_permission(old_dentry, new_dir, new_dentry, |
297 |
- mnt) : 0; |
298 |
+ int (*func) (struct dentry *, struct inode *, struct dentry *, |
299 |
+ struct vfsmount *) = ccsecurity_ops.link_permission; |
300 |
+ return func ? func(old_dentry, new_dir, new_dentry, mnt) : 0; |
301 |
} |
302 |
|
303 |
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 30) |
304 |
static inline int ccs_open_exec_permission(struct dentry *dentry, |
305 |
struct vfsmount *mnt) |
306 |
{ |
307 |
- return ccsecurity_ops.open_exec_permission ? |
308 |
- ccsecurity_ops.open_exec_permission(dentry, mnt) : 0; |
309 |
+ int (*func) (struct dentry *, struct vfsmount *) |
310 |
+ = ccsecurity_ops.open_exec_permission; |
311 |
+ return func ? func(dentry, mnt) : 0; |
312 |
} |
313 |
|
314 |
static inline int ccs_uselib_permission(struct dentry *dentry, |
315 |
struct vfsmount *mnt) |
316 |
{ |
317 |
- return ccsecurity_ops.uselib_permission ? |
318 |
- ccsecurity_ops.uselib_permission(dentry, mnt) : 0; |
319 |
+ int (*func) (struct dentry *, struct vfsmount *) |
320 |
+ = ccsecurity_ops.uselib_permission; |
321 |
+ return func ? func(dentry, mnt) : 0; |
322 |
} |
323 |
#endif |
324 |
|
325 |
static inline int ccs_kill_permission(pid_t pid, int sig) |
326 |
{ |
327 |
- return ccsecurity_ops.kill_permission ? |
328 |
- ccsecurity_ops.kill_permission(pid, sig) : 0; |
329 |
+ int (*func) (pid_t, int) = ccsecurity_ops.kill_permission; |
330 |
+ return func ? func(pid, sig) : 0; |
331 |
} |
332 |
|
333 |
static inline int ccs_tgkill_permission(pid_t tgid, pid_t pid, int sig) |
334 |
{ |
335 |
- return ccsecurity_ops.tgkill_permission ? |
336 |
- ccsecurity_ops.tgkill_permission(tgid, pid, sig) : 0; |
337 |
+ int (*func) (pid_t, pid_t, int) = ccsecurity_ops.tgkill_permission; |
338 |
+ return func ? func(tgid, pid, sig) : 0; |
339 |
} |
340 |
|
341 |
static inline int ccs_tkill_permission(pid_t pid, int sig) |
342 |
{ |
343 |
- return ccsecurity_ops.tkill_permission ? |
344 |
- ccsecurity_ops.tkill_permission(pid, sig) : 0; |
345 |
+ int (*func) (pid_t, int) = ccsecurity_ops.tkill_permission; |
346 |
+ return func ? func(pid, sig) : 0; |
347 |
} |
348 |
|
349 |
static inline int ccs_socket_create_permission(int family, int type, |
350 |
int protocol) |
351 |
{ |
352 |
- return ccsecurity_ops.socket_create_permission ? |
353 |
- ccsecurity_ops.socket_create_permission(family, type, protocol) |
354 |
- : 0; |
355 |
+ int (*func) (int, int, int) = ccsecurity_ops.socket_create_permission; |
356 |
+ return func ? func(family, type, protocol) : 0; |
357 |
} |
358 |
|
359 |
static inline int ccs_socket_listen_permission(struct socket *sock) |
360 |
{ |
361 |
- return ccsecurity_ops.socket_listen_permission ? |
362 |
- ccsecurity_ops.socket_listen_permission(sock) : 0; |
363 |
+ int (*func) (struct socket *) |
364 |
+ = ccsecurity_ops.socket_listen_permission; |
365 |
+ return func ? func(sock) : 0; |
366 |
} |
367 |
|
368 |
static inline int ccs_socket_connect_permission(struct socket *sock, |
369 |
struct sockaddr *addr, |
370 |
int addr_len) |
371 |
{ |
372 |
- return ccsecurity_ops.socket_connect_permission ? |
373 |
- ccsecurity_ops.socket_connect_permission(sock, addr, addr_len) |
374 |
- : 0; |
375 |
+ int (*func) (struct socket *, struct sockaddr *, int) |
376 |
+ = ccsecurity_ops.socket_connect_permission; |
377 |
+ return func ? func(sock, addr, addr_len) : 0; |
378 |
} |
379 |
|
380 |
static inline int ccs_socket_bind_permission(struct socket *sock, |
381 |
struct sockaddr *addr, |
382 |
int addr_len) |
383 |
{ |
384 |
- return ccsecurity_ops.socket_bind_permission ? |
385 |
- ccsecurity_ops.socket_bind_permission(sock, addr, addr_len) : |
386 |
- 0; |
387 |
+ int (*func) (struct socket *, struct sockaddr *, int) |
388 |
+ = ccsecurity_ops.socket_bind_permission; |
389 |
+ return func ? func(sock, addr, addr_len) : 0; |
390 |
} |
391 |
|
392 |
-static inline int ccs_socket_accept_permission(struct socket *sock, |
393 |
- struct sockaddr *addr) |
394 |
+static inline int ccs_socket_post_accept_permission(struct socket *sock, |
395 |
+ struct socket *newsock) |
396 |
{ |
397 |
- return ccsecurity_ops.socket_accept_permission ? |
398 |
- ccsecurity_ops.socket_accept_permission(sock, addr) : 0; |
399 |
+ int (*func) (struct socket *, struct socket *) |
400 |
+ = ccsecurity_ops.socket_post_accept_permission; |
401 |
+ return func ? func(sock, newsock) : 0; |
402 |
} |
403 |
|
404 |
static inline int ccs_socket_sendmsg_permission(struct socket *sock, |
405 |
struct msghdr *msg, |
406 |
int size) |
407 |
{ |
408 |
- return ccsecurity_ops.socket_sendmsg_permission ? |
409 |
- ccsecurity_ops.socket_sendmsg_permission(sock, msg, size) : 0; |
410 |
+ int (*func) (struct socket *, struct msghdr *, int) |
411 |
+ = ccsecurity_ops.socket_sendmsg_permission; |
412 |
+ return func ? func(sock, msg, size) : 0; |
413 |
} |
414 |
|
415 |
-static inline int ccs_socket_recvmsg_permission(struct sock *sk, |
416 |
- struct sk_buff *skb, |
417 |
- const unsigned int flags) |
418 |
+static inline int ccs_socket_post_recvmsg_permission(struct sock *sk, |
419 |
+ struct sk_buff *skb) |
420 |
{ |
421 |
- return ccsecurity_ops.socket_recvmsg_permission ? |
422 |
- ccsecurity_ops.socket_recvmsg_permission(sk, skb, flags) : 0; |
423 |
+ int (*func) (struct sock *, struct sk_buff *) |
424 |
+ = ccsecurity_ops.socket_post_recvmsg_permission; |
425 |
+ return func ? func(sk, skb) : 0; |
426 |
} |
427 |
|
428 |
static inline int ccs_chown_permission(struct dentry *dentry, |
429 |
struct vfsmount *mnt, uid_t user, |
430 |
gid_t group) |
431 |
{ |
432 |
- return ccsecurity_ops.chown_permission ? |
433 |
- ccsecurity_ops.chown_permission(dentry, mnt, user, group) : 0; |
434 |
+ int (*func) (struct dentry *, struct vfsmount *, uid_t, gid_t) |
435 |
+ = ccsecurity_ops.chown_permission; |
436 |
+ return func ? func(dentry, mnt, user, group) : 0; |
437 |
} |
438 |
|
439 |
static inline int ccs_chmod_permission(struct dentry *dentry, |
440 |
struct vfsmount *mnt, mode_t mode) |
441 |
{ |
442 |
- return ccsecurity_ops.chmod_permission ? |
443 |
- ccsecurity_ops.chmod_permission(dentry, mnt, mode) : 0; |
444 |
+ int (*func) (struct dentry *, struct vfsmount *, mode_t) |
445 |
+ = ccsecurity_ops.chmod_permission; |
446 |
+ return func ? func(dentry, mnt, mode) : 0; |
447 |
} |
448 |
|
449 |
static inline int ccs_sigqueue_permission(pid_t pid, int sig) |
450 |
{ |
451 |
- return ccsecurity_ops.sigqueue_permission ? |
452 |
- ccsecurity_ops.sigqueue_permission(pid, sig) : 0; |
453 |
+ int (*func) (pid_t, int) = ccsecurity_ops.sigqueue_permission; |
454 |
+ return func ? func(pid, sig) : 0; |
455 |
} |
456 |
|
457 |
static inline int ccs_tgsigqueue_permission(pid_t tgid, pid_t pid, int sig) |
458 |
{ |
459 |
- return ccsecurity_ops.tgsigqueue_permission ? |
460 |
- ccsecurity_ops.tgsigqueue_permission(tgid, pid, sig) : 0; |
461 |
+ int (*func) (pid_t, pid_t, int) = ccsecurity_ops.tgsigqueue_permission; |
462 |
+ return func ? func(tgid, pid, sig) : 0; |
463 |
} |
464 |
|
465 |
static inline int ccs_search_binary_handler(struct linux_binprm *bprm, |
466 |
@@ -487,6 +510,65 @@ |
467 |
return ccsecurity_ops.search_binary_handler(bprm, regs); |
468 |
} |
469 |
|
470 |
+/* for net/ipv4/raw.c and net/ipv6/raw.c */ |
471 |
+#if defined(_RAW_H) || defined(_NET_RAWV6_H) |
472 |
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) |
473 |
+static inline void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, |
474 |
+ unsigned int flags) |
475 |
+{ |
476 |
+ /* Clear queue. */ |
477 |
+ if (flags & MSG_PEEK) { |
478 |
+ int clear = 0; |
479 |
+ spin_lock_irq(&sk->receive_queue.lock); |
480 |
+ if (skb == skb_peek(&sk->receive_queue)) { |
481 |
+ __skb_unlink(skb, &sk->receive_queue); |
482 |
+ clear = 1; |
483 |
+ } |
484 |
+ spin_unlock_irq(&sk->receive_queue.lock); |
485 |
+ if (clear) |
486 |
+ kfree_skb(skb); |
487 |
+ } |
488 |
+ skb_free_datagram(sk, skb); |
489 |
+} |
490 |
+#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 12) |
491 |
+static inline void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, |
492 |
+ unsigned int flags) |
493 |
+{ |
494 |
+ /* Clear queue. */ |
495 |
+ if (flags & MSG_PEEK) { |
496 |
+ int clear = 0; |
497 |
+ spin_lock_irq(&sk->sk_receive_queue.lock); |
498 |
+ if (skb == skb_peek(&sk->sk_receive_queue)) { |
499 |
+ __skb_unlink(skb, &sk->sk_receive_queue); |
500 |
+ clear = 1; |
501 |
+ } |
502 |
+ spin_unlock_irq(&sk->sk_receive_queue.lock); |
503 |
+ if (clear) |
504 |
+ kfree_skb(skb); |
505 |
+ } |
506 |
+ skb_free_datagram(sk, skb); |
507 |
+} |
508 |
+#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16) |
509 |
+static inline void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, |
510 |
+ unsigned int flags) |
511 |
+{ |
512 |
+ /* Clear queue. */ |
513 |
+ if (flags & MSG_PEEK) { |
514 |
+ int clear = 0; |
515 |
+ spin_lock_bh(&sk->sk_receive_queue.lock); |
516 |
+ if (skb == skb_peek(&sk->sk_receive_queue)) { |
517 |
+ __skb_unlink(skb, &sk->sk_receive_queue); |
518 |
+ clear = 1; |
519 |
+ } |
520 |
+ spin_unlock_bh(&sk->sk_receive_queue.lock); |
521 |
+ if (clear) |
522 |
+ kfree_skb(skb); |
523 |
+ } |
524 |
+ skb_free_datagram(sk, skb); |
525 |
+} |
526 |
+#endif |
527 |
+#endif |
528 |
+ |
529 |
#else |
530 |
|
531 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) |
532 |
@@ -712,8 +794,8 @@ |
533 |
return 0; |
534 |
} |
535 |
|
536 |
-static inline int ccs_socket_accept_permission(struct socket *sock, |
537 |
- struct sockaddr *addr) |
538 |
+static inline int ccs_socket_post_accept_permission(struct socket *sock, |
539 |
+ struct socket *newsock) |
540 |
{ |
541 |
return 0; |
542 |
} |
543 |
@@ -724,9 +806,8 @@ |
544 |
return 0; |
545 |
} |
546 |
|
547 |
-static inline int ccs_socket_recvmsg_permission(struct sock *sk, |
548 |
- struct sk_buff *skb, |
549 |
- const unsigned int flags) |
550 |
+static inline int ccs_socket_post_recvmsg_permission(struct sock *sk, |
551 |
+ struct sk_buff *skb) |
552 |
{ |
553 |
return 0; |
554 |
} |
555 |
@@ -760,8 +841,14 @@ |
556 |
return search_binary_handler(bprm, regs); |
557 |
} |
558 |
|
559 |
+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16) |
560 |
+static inline void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, |
561 |
+ unsigned int flags) { |
562 |
+} |
563 |
#endif |
564 |
|
565 |
+#endif |
566 |
+ |
567 |
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 5, 0) |
568 |
int ccs_may_create(struct inode *dir, struct dentry *dentry); |
569 |
#else |
570 |
Index: trunk/1.7.x/ccs-patch/security/ccsecurity/compat.h |
571 |
=================================================================== |
572 |
--- trunk/1.7.x/ccs-patch/security/ccsecurity/compat.h (revision 3827) |
573 |
+++ trunk/1.7.x/ccs-patch/security/ccsecurity/compat.h (working copy) |
574 |
@@ -180,7 +180,6 @@ |
575 |
#define sk_family family |
576 |
#define sk_protocol protocol |
577 |
#define sk_type type |
578 |
-#define sk_receive_queue receive_queue |
579 |
static inline struct socket *SOCKET_I(struct inode *inode) |
580 |
{ |
581 |
return inode->i_sock ? &inode->u.socket_i : NULL; |
582 |
Index: trunk/1.7.x/ccs-patch/security/ccsecurity/network.c |
583 |
=================================================================== |
584 |
--- trunk/1.7.x/ccs-patch/security/ccsecurity/network.c (revision 3827) |
585 |
+++ trunk/1.7.x/ccs-patch/security/ccsecurity/network.c (working copy) |
586 |
@@ -531,8 +531,6 @@ |
587 |
|
588 |
#else |
589 |
|
590 |
-#define MAX_SOCK_ADDR 128 /* net/socket.c */ |
591 |
- |
592 |
/* Check permission for creating a socket. */ |
593 |
static int __ccs_socket_create_permission(int family, int type, int protocol) |
594 |
{ |
595 |
@@ -566,8 +564,8 @@ |
596 |
/* Check permission for listening a TCP socket. */ |
597 |
static int __ccs_socket_listen_permission(struct socket *sock) |
598 |
{ |
599 |
+ struct sockaddr_storage addr; |
600 |
int error = 0; |
601 |
- char addr[MAX_SOCK_ADDR]; |
602 |
int addr_len; |
603 |
/* Nothing to do if I am a kernel service. */ |
604 |
if (segment_eq(get_fs(), KERNEL_DS)) |
605 |
@@ -583,19 +581,19 @@ |
606 |
} |
607 |
if (!ccs_capable(CCS_INET_STREAM_SOCKET_LISTEN)) |
608 |
return -EPERM; |
609 |
- if (sock->ops->getname(sock, (struct sockaddr *) addr, &addr_len, 0)) |
610 |
+ if (sock->ops->getname(sock, (struct sockaddr *) &addr, &addr_len, 0)) |
611 |
return -EPERM; |
612 |
- switch (((struct sockaddr *) addr)->sa_family) { |
613 |
+ switch (((struct sockaddr *) &addr)->sa_family) { |
614 |
struct sockaddr_in6 *addr6; |
615 |
struct sockaddr_in *addr4; |
616 |
case AF_INET6: |
617 |
- addr6 = (struct sockaddr_in6 *) addr; |
618 |
+ addr6 = (struct sockaddr_in6 *) &addr; |
619 |
error = ccs_network_listen_acl(true, |
620 |
addr6->sin6_addr.s6_addr, |
621 |
addr6->sin6_port); |
622 |
break; |
623 |
case AF_INET: |
624 |
- addr4 = (struct sockaddr_in *) addr; |
625 |
+ addr4 = (struct sockaddr_in *) &addr; |
626 |
error = ccs_network_listen_acl(false, |
627 |
(u8 *) &addr4->sin_addr, |
628 |
addr4->sin_port); |
629 |
@@ -711,40 +709,38 @@ |
630 |
return error; |
631 |
} |
632 |
|
633 |
-/* |
634 |
- * Check permission for accepting a TCP socket. |
635 |
- * |
636 |
- * Currently, the LSM hook for this purpose is not provided. |
637 |
- */ |
638 |
-static int __ccs_socket_accept_permission(struct socket *sock, |
639 |
- struct sockaddr *addr) |
640 |
+/* Check permission for accepting a TCP socket. */ |
641 |
+static int __ccs_socket_post_accept_permission(struct socket *sock, |
642 |
+ struct socket *newsock) |
643 |
{ |
644 |
+ struct sockaddr_storage addr; |
645 |
int error = 0; |
646 |
int addr_len; |
647 |
/* Nothing to do if I am a kernel service. */ |
648 |
if (segment_eq(get_fs(), KERNEL_DS)) |
649 |
return 0; |
650 |
- switch (sock->sk->sk_family) { |
651 |
+ switch (newsock->sk->sk_family) { |
652 |
case PF_INET: |
653 |
case PF_INET6: |
654 |
break; |
655 |
default: |
656 |
return 0; |
657 |
} |
658 |
- error = sock->ops->getname(sock, addr, &addr_len, 2); |
659 |
+ error = newsock->ops->getname(newsock, (struct sockaddr *) &addr, |
660 |
+ &addr_len, 2); |
661 |
if (error) |
662 |
return error; |
663 |
- switch (addr->sa_family) { |
664 |
+ switch (((struct sockaddr *) &addr)->sa_family) { |
665 |
struct sockaddr_in6 *addr6; |
666 |
struct sockaddr_in *addr4; |
667 |
case AF_INET6: |
668 |
- addr6 = (struct sockaddr_in6 *) addr; |
669 |
+ addr6 = (struct sockaddr_in6 *) &addr; |
670 |
error = ccs_network_accept_acl(true, |
671 |
addr6->sin6_addr.s6_addr, |
672 |
addr6->sin6_port); |
673 |
break; |
674 |
case AF_INET: |
675 |
- addr4 = (struct sockaddr_in *) addr; |
676 |
+ addr4 = (struct sockaddr_in *) &addr; |
677 |
error = ccs_network_accept_acl(false, |
678 |
(u8 *) &addr4->sin_addr, |
679 |
addr4->sin_port); |
680 |
@@ -820,53 +816,10 @@ |
681 |
#endif |
682 |
#endif |
683 |
|
684 |
-#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 12) |
685 |
-static void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, |
686 |
- unsigned int flags) |
687 |
+/* Check permission for receiving a datagram via a UDP or RAW socket. */ |
688 |
+static int __ccs_socket_post_recvmsg_permission(struct sock *sk, |
689 |
+ struct sk_buff *skb) |
690 |
{ |
691 |
- /* Clear queue. */ |
692 |
- if (flags & MSG_PEEK) { |
693 |
- int clear = 0; |
694 |
- spin_lock_irq(&sk->sk_receive_queue.lock); |
695 |
- if (skb == skb_peek(&sk->sk_receive_queue)) { |
696 |
- __skb_unlink(skb, &sk->sk_receive_queue); |
697 |
- clear = 1; |
698 |
- } |
699 |
- spin_unlock_irq(&sk->sk_receive_queue.lock); |
700 |
- if (clear) |
701 |
- kfree_skb(skb); |
702 |
- } |
703 |
- skb_free_datagram(sk, skb); |
704 |
-} |
705 |
-#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 16) |
706 |
-static void skb_kill_datagram(struct sock *sk, struct sk_buff *skb, |
707 |
- unsigned int flags) |
708 |
-{ |
709 |
- /* Clear queue. */ |
710 |
- if (flags & MSG_PEEK) { |
711 |
- int clear = 0; |
712 |
- spin_lock_bh(&sk->sk_receive_queue.lock); |
713 |
- if (skb == skb_peek(&sk->sk_receive_queue)) { |
714 |
- __skb_unlink(skb, &sk->sk_receive_queue); |
715 |
- clear = 1; |
716 |
- } |
717 |
- spin_unlock_bh(&sk->sk_receive_queue.lock); |
718 |
- if (clear) |
719 |
- kfree_skb(skb); |
720 |
- } |
721 |
- skb_free_datagram(sk, skb); |
722 |
-} |
723 |
-#endif |
724 |
- |
725 |
-/* |
726 |
- * Check permission for receiving a datagram via a UDP or RAW socket. |
727 |
- * |
728 |
- * Currently, the LSM hook for this purpose is not provided. |
729 |
- */ |
730 |
-static int __ccs_socket_recvmsg_permission(struct sock *sk, |
731 |
- struct sk_buff *skb, |
732 |
- const unsigned int flags) |
733 |
-{ |
734 |
int error = 0; |
735 |
const unsigned int type = sk->sk_type; |
736 |
if (type != SOCK_DGRAM && type != SOCK_RAW) |
737 |
@@ -907,34 +860,7 @@ |
738 |
(u8 *) &sin4, port); |
739 |
break; |
740 |
} |
741 |
- if (!error) |
742 |
- return 0; |
743 |
- /* |
744 |
- * Remove from queue if MSG_PEEK is used so that |
745 |
- * the head message from unwanted source in receive queue will not |
746 |
- * prevent the caller from picking up next message from wanted source |
747 |
- * when the caller is using MSG_PEEK flag for picking up. |
748 |
- */ |
749 |
- { |
750 |
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35) |
751 |
- bool slow = false; |
752 |
- if (type == SOCK_DGRAM) |
753 |
- slow = lock_sock_fast(sk); |
754 |
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) |
755 |
- if (type == SOCK_DGRAM) |
756 |
- lock_sock(sk); |
757 |
-#endif |
758 |
- skb_kill_datagram(sk, skb, flags); |
759 |
-#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 35) |
760 |
- if (type == SOCK_DGRAM) |
761 |
- unlock_sock_fast(sk, slow); |
762 |
-#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25) |
763 |
- if (type == SOCK_DGRAM) |
764 |
- release_sock(sk); |
765 |
-#endif |
766 |
- } |
767 |
- /* Hope less harmful than -EPERM. */ |
768 |
- return -ENOMEM; |
769 |
+ return error; |
770 |
} |
771 |
|
772 |
void __init ccs_network_init(void) |
773 |
@@ -946,12 +872,12 @@ |
774 |
ccsecurity_ops.socket_connect_permission = |
775 |
__ccs_socket_connect_permission; |
776 |
ccsecurity_ops.socket_bind_permission = __ccs_socket_bind_permission; |
777 |
- ccsecurity_ops.socket_accept_permission = |
778 |
- __ccs_socket_accept_permission; |
779 |
+ ccsecurity_ops.socket_post_accept_permission = |
780 |
+ __ccs_socket_post_accept_permission; |
781 |
ccsecurity_ops.socket_sendmsg_permission = |
782 |
__ccs_socket_sendmsg_permission; |
783 |
- ccsecurity_ops.socket_recvmsg_permission = |
784 |
- __ccs_socket_recvmsg_permission; |
785 |
+ ccsecurity_ops.socket_post_recvmsg_permission = |
786 |
+ __ccs_socket_post_recvmsg_permission; |
787 |
} |
788 |
|
789 |
#endif |