Re: LSM hook addition?
From: Valdis . Kletnieks
Date: Mon Jan 24 2005 - 03:43:45 EST
On Mon, 24 Jan 2005 00:58:08 EST, John Richard Moser said:
> I believe this would be sufficient to finish an LSM module to implement
> linking restrictions from GrSecurity. I did Symlinks in an LSM module,
> but haven't tested it out; it's purely academic.
> The hook here would be used (in my academic exploration) to prevent hard
> links from being created to files you don't own, unless you're root.
You don't need a hook there to do that. The inode_link hook should be sufficient,
using code something like this:
+int vtkit_link (struct dentry *old_entry, struct inode *dir, struct dentry *new_entry)
+{
+ struct inode *i_target = old_entry->d_inode;
+ struct inode *i_new = new_entry->d_inode;
+ int perm_check = 0;
+
+ /* We check as follows - if the target of the link isn't owned by us,
+ * and we're not a privileged user, then we complain if any of the
+ * following are true:
+ * 1) It's not a special file
+ * 2) the target is set-uid or set-gid
+ * 3) user doesn't have permission to the target
+ *
+ * Yes, a "current->uid" check is pig-headed and wrong in the context of a
+ * system that uses priv separation...
+ */
+ perm_check = generic_permission(i_target, MAY_READ | MAY_WRITE, NULL);
+ if (security_safe_hardlink && (current->fsuid != i_target->i_uid) &&
+ !capable(CAP_FOWNER) && current->uid &&
+ (!S_ISREG(i_target->i_mode) || (i_target->i_mode & S_ISUID) ||
+ ((i_target->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID | S_IXGRP)) ||
+ perm_check)) {
+ printk(KERN_NOTICE "vtkit - rejecting hard link (target UID %d) by PID %d (uid=%d, comm=%s)\n",
+ i_target->i_uid, current->pid, current->uid, current->comm);
+ return (perm_check ? perm_check:-EPERM);
+ }
+ return 0;
+}
If I'm missing something here, please let me know... ;)
Attachment:
pgp00000.pgp
Description: PGP signature