Add default hooks for both the dummy and capability code to protect the XATTR_SECURITY_PREFIX namespace. These EAs were fully accessible to unauthorized users, so a user that rebooted from an SELinux kernel to a default kernel would leave those critical EAs unprotected. ===== include/linux/security.h 1.26 vs edited ===== --- 25-akpm/include/linux/security.h | 6 ++++-- 25-akpm/security/capability.c | 3 +++ 25-akpm/security/commoncap.c | 22 ++++++++++++++++++++++ 25-akpm/security/dummy.c | 9 +++++++++ 4 files changed, 38 insertions(+), 2 deletions(-) diff -puN include/linux/security.h~XATTR_SECURITY_PREFIX-default-hooks include/linux/security.h --- 25/include/linux/security.h~XATTR_SECURITY_PREFIX-default-hooks Fri Jan 16 13:31:06 2004 +++ 25-akpm/include/linux/security.h Fri Jan 16 13:31:06 2004 @@ -46,6 +46,8 @@ extern void cap_capset_set (struct task_ extern int cap_bprm_set_security (struct linux_binprm *bprm); extern void cap_bprm_compute_creds (struct linux_binprm *bprm); extern int cap_bprm_secureexec(struct linux_binprm *bprm); +extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags); +extern int cap_inode_removexattr(struct dentry *dentry, char *name); extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); extern void cap_task_reparent_to_init (struct task_struct *p); extern int cap_syslog (int type); @@ -2155,7 +2157,7 @@ static inline void security_inode_delete static inline int security_inode_setxattr (struct dentry *dentry, char *name, void *value, size_t size, int flags) { - return 0; + return cap_inode_setxattr(dentry, name, value, size, flags); } static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, @@ -2174,7 +2176,7 @@ static inline int security_inode_listxat static inline int security_inode_removexattr (struct dentry *dentry, char *name) { - return 0; + return cap_inode_removexattr(dentry, name); } static inline int security_inode_getsecurity(struct dentry *dentry, const char *name, void *buffer, size_t size) diff -puN security/capability.c~XATTR_SECURITY_PREFIX-default-hooks security/capability.c --- 25/security/capability.c~XATTR_SECURITY_PREFIX-default-hooks Fri Jan 16 13:31:06 2004 +++ 25-akpm/security/capability.c Fri Jan 16 13:31:06 2004 @@ -39,6 +39,9 @@ static struct security_operations capabi .bprm_set_security = cap_bprm_set_security, .bprm_secureexec = cap_bprm_secureexec, + .inode_setxattr = cap_inode_setxattr, + .inode_removexattr = cap_inode_removexattr, + .task_post_setuid = cap_task_post_setuid, .task_reparent_to_init = cap_task_reparent_to_init, diff -puN security/commoncap.c~XATTR_SECURITY_PREFIX-default-hooks security/commoncap.c --- 25/security/commoncap.c~XATTR_SECURITY_PREFIX-default-hooks Fri Jan 16 13:31:06 2004 +++ 25-akpm/security/commoncap.c Fri Jan 16 13:31:06 2004 @@ -21,6 +21,7 @@ #include #include #include +#include int cap_capable (struct task_struct *tsk, int cap) { @@ -171,6 +172,25 @@ int cap_bprm_secureexec (struct linux_bi current->egid != current->gid); } +int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, + size_t size, int flags) +{ + if (!strncmp(name, XATTR_SECURITY_PREFIX, + sizeof(XATTR_SECURITY_PREFIX) - 1) && + !capable(CAP_SYS_ADMIN)) + return -EPERM; + return 0; +} + +int cap_inode_removexattr(struct dentry *dentry, char *name) +{ + if (!strncmp(name, XATTR_SECURITY_PREFIX, + sizeof(XATTR_SECURITY_PREFIX) - 1) && + !capable(CAP_SYS_ADMIN)) + return -EPERM; + return 0; +} + /* moved from kernel/sys.c. */ /* * cap_emulate_setxuid() fixes the effective / permitted capabilities of @@ -344,6 +364,8 @@ EXPORT_SYMBOL(cap_capset_set); EXPORT_SYMBOL(cap_bprm_set_security); EXPORT_SYMBOL(cap_bprm_compute_creds); EXPORT_SYMBOL(cap_bprm_secureexec); +EXPORT_SYMBOL(cap_inode_setxattr); +EXPORT_SYMBOL(cap_inode_removexattr); EXPORT_SYMBOL(cap_task_post_setuid); EXPORT_SYMBOL(cap_task_reparent_to_init); EXPORT_SYMBOL(cap_syslog); diff -puN security/dummy.c~XATTR_SECURITY_PREFIX-default-hooks security/dummy.c --- 25/security/dummy.c~XATTR_SECURITY_PREFIX-default-hooks Fri Jan 16 13:31:06 2004 +++ 25-akpm/security/dummy.c Fri Jan 16 13:31:06 2004 @@ -24,6 +24,7 @@ #include #include #include +#include static int dummy_ptrace (struct task_struct *parent, struct task_struct *child) { @@ -387,6 +388,10 @@ static void dummy_inode_delete (struct i static int dummy_inode_setxattr (struct dentry *dentry, char *name, void *value, size_t size, int flags) { + if (!strncmp(name, XATTR_SECURITY_PREFIX, + sizeof(XATTR_SECURITY_PREFIX) - 1) && + !capable(CAP_SYS_ADMIN)) + return -EPERM; return 0; } @@ -407,6 +412,10 @@ static int dummy_inode_listxattr (struct static int dummy_inode_removexattr (struct dentry *dentry, char *name) { + if (!strncmp(name, XATTR_SECURITY_PREFIX, + sizeof(XATTR_SECURITY_PREFIX) - 1) && + !capable(CAP_SYS_ADMIN)) + return -EPERM; return 0; } _