author | Andrew Morton <akpm@digeo.com> | 2003-06-25 04:19:59 -0700 |
committer | Greg Kroah-Hartman <greg@kroah.com> | 2003-06-25 04:19:59 -0700 |
commit | 177be0a448f4eff7fe847e8515d29e4620d2093d (patch) | |
tree | 0d788110202b2871547ade6285ffe08678d74abf /security | |
parent | b10b09beca1040b7cdeedff5c2f0e42d43163fef (diff) | |
[PATCH] AT_SECURE auxv entry
From: Stephen Smalley <sds@epoch.ncsc.mil>
This patch adds an AT_SECURE auxv entry to pass a boolean flag indicating
whether "secure mode" should be enabled (i.e. sanitize the environment,
initial descriptors, etc) and allows each security module to specify the
flag value via a new hook.
New userland can then simply obey this flag when present rather than
applying other methods of deciding (sample patch for glibc-2.3.2 can be
found at http://www.cs.utah.edu/~sds/glibc-secureexec.patch).
This change enables security modules like SELinux to request secure mode
upon changes to other security attributes (e.g. capabilities,
roles/domains, etc) in addition to uid/gid changes or even to completely
override the legacy logic.
The legacy decision algorithm is preserved in the default hook functions
for the dummy and capability security modules.
Credit for the idea of adding an AT_SECURE auxv entry goes to Roland
McGrath.
Diffstat (limited to 'security')
-rw-r--r-- | security/capability.c | 13 | ||||
-rw-r--r-- | security/dummy.c | 11 |
2 files changed, 24 insertions, 0 deletions
diff --git a/security/capability.c b/security/capability.c
index e2496a3f39abf2..e01bc5271c369e 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -158,6 +158,17 @@ void cap_bprm_compute_creds (struct linux_binprm *bprm)
 current->keep_capabilities = 0;
 }
+int cap_bprm_secureexec (struct linux_binprm *bprm)
+{
+ /* If/when this module is enhanced to incorporate capability
+ bits on files, the test below should be extended to also perform a
+ test between the old and new capability sets. For now,
+ it simply preserves the legacy decision algorithm used by
+ the old userland. */
+ return (current->euid != current->uid ||
+ current->egid != current->gid);
+}
+
 /* moved from kernel/sys.c. */
 /*
 * cap_emulate_setxuid() fixes the effective / permitted capabilities of
@@ -271,6 +282,7 @@ EXPORT_SYMBOL(cap_capset_check);
 EXPORT_SYMBOL(cap_capset_set);
 EXPORT_SYMBOL(cap_bprm_set_security);
 EXPORT_SYMBOL(cap_bprm_compute_creds);
+EXPORT_SYMBOL(cap_bprm_secureexec);
 EXPORT_SYMBOL(cap_task_post_setuid);
 EXPORT_SYMBOL(cap_task_reparent_to_init);
 EXPORT_SYMBOL(cap_syslog);
@@ -289,6 +301,7 @@ static struct security_operations capability_ops = {
 .bprm_compute_creds = cap_bprm_compute_creds,
 .bprm_set_security = cap_bprm_set_security,
+ .bprm_secureexec = cap_bprm_secureexec,
 .task_post_setuid = cap_task_post_setuid,
 .task_reparent_to_init = cap_task_reparent_to_init,
diff --git a/security/dummy.c b/security/dummy.c
index 18de8edb32c84a..a4307e78a16838 100644
--- a/security/dummy.c
+++ b/security/dummy.c
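Review bot: `cap_bprm_secureexec` never reads its `bprm` argument and decides solely from `current->euid`/`uid` and `current->egid`/`gid`, so its answer is only meaningful once the exec's new ids have already been committed to `current` — presumably after `cap_bprm_compute_creds` (the function that ends just above the new one) has run, but nothing in this hunk states that ordering, and a caller invoking the hook earlier would presumably see 0 even for a setuid exec. Recommend making the contract explicit with a comment above the function: `/* Must be called after bprm_compute_creds has installed the new euid/egid in current; returns non-zero when AT_SECURE should be set. */`. The comparison also ignores the saved and filesystem ids, which matches the legacy glibc test the commit describes but is worth stating so nobody later assumes a broader check. The capability-set gap is already acknowledged in the in-code comment, so no further change is proposed there.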
@@ -122,6 +122,16 @@ static int dummy_bprm_check_security (struct linux_binprm *bprm)
 return 0;
 }
+static int dummy_bprm_secureexec (struct linux_binprm *bprm)
+{
+ /* The new userland will simply use the value provided
+ in the AT_SECURE field to decide whether secure mode
+ is required. Hence, this logic is required to preserve
+ the legacy decision algorithm used by the old userland. */
+ return (current->euid != current->uid ||
+ current->egid != current->gid);
+}
+
 static int dummy_sb_alloc_security (struct super_block *sb)
 {
 return 0;
@@ -788,6 +798,7 @@ void security_fixup_ops (struct security_operations *ops)
 set_to_dummy_if_null(ops, bprm_compute_creds);
 set_to_dummy_if_null(ops, bprm_set_security);
 set_to_dummy_if_null(ops, bprm_check_security);
+ set_to_dummy_if_null(ops, bprm_secureexec);
 set_to_dummy_if_null(ops, sb_alloc_security);
 set_to_dummy_if_null(ops, sb_free_security);
 set_to_dummy_if_null(ops, sb_kern_mount); |
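Review bot: The comment on `dummy_bprm_secureexec` explains why the legacy uid/gid test is kept but not what the return value means to its caller, and the unused `bprm` parameter leaves a reader guessing whether the hook is expected to inspect the binary's own ids; since this is the fallback every LSM inherits through `set_to_dummy_if_null`, that contract deserves to be spelled out here. Suggest extending the comment with one line: `Returns non-zero to request secure mode (AT_SECURE); relies on current already holding the post-exec euid/egid.` The claim that the value is passed to userland verbatim comes from the commit description rather than this hunk, so word it as a dependency on the caller rather than a guarantee made here.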