RC redirection


From: Stanislav Ievlev <inger@altlinux.ru>
Subject: RC redirection
Date: Mon, 07 May 2001 19:59:15 +0400



This is a multi-part message in MIME format.
--------------050909060906040703030406
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Hello All!
Some time ago there was discussion about redirection for RSBAC.
This is an idea from SCO (or another *nix?). There were special directories 
in that system with the strange name "hidden".

Brief instructions.
1. Apply the patch and build the kernel;
2. Boot the new kernel, create a new directory (e.g. "dirofile");
3. Create in this directory files 0,1,2 with some content in each file. 
(e.g. "Role0" in file 0, "Role1" in file 1 etc. )
4. Set "rc_initial_role" attribute of this directory  to value 99.
....
5. Then the directory turns into a file :))
6. Look at the content of this "file" under different roles - you will see 
different results (you really open the "dirofile/<role_num>" file)

Under Role 0 :
   $cat dirofile
       Role0

Under Role 1 :
    $cat dirofile
        Role1

etc.

enjoy
--------------------
With best regards
Stanislav Ievlev
<inger@linux.ru.net>



--------------050909060906040703030406
Content-Type: text/plain;
 name="dirofile-0.2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
 filename="dirofile-0.2.patch"

diff -Naur linux.orig/fs/namei.c linux/fs/namei.c
--- linux.orig/fs/namei.c	Mon May  7 18:29:02 2001
+++ linux/fs/namei.c	Mon May  7 18:00:04 2001
@@ -35,6 +35,7 @@
 #ifdef CONFIG_RSBAC
 #include <rsbac/adf.h>
 #include <rsbac/fs.h>
+#include <rsbac/aci.h>
 #endif
 
 #define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
@@ -1189,6 +1190,21 @@
         union rsbac_target_id_t       rsbac_target_id;
         union rsbac_target_id_t       rsbac_new_target_id;
         union rsbac_attribute_value_t rsbac_attribute_value;
+
+        union rsbac_target_id_t       redir_rsbac_target_id;
+        union rsbac_attribute_value_t redir_rsbac_attribute_value;
+	
+//read after redirection
+redir_again:	
+//	printk(KERN_EMERG "f:%s\n",pathname);
+	acc_mode=0;
+	error=0;
+	inode=NULL;
+	dentry=NULL;
+	dir=NULL;
+	count=0;
+
+	
         #endif
 
 	acc_mode = ACC_MODE(flag);
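Review bot: The restart label re-zeroes `inode`, `dentry` and `dir` but nothing here drops whatever the first pass stored in them; if those come from the path lookup (which lies outside this hunk, as does the start of open_namei), every redirection leaks those references. A bound on the number of restarts belongs in this declaration block, before the label, e.g. `int redir_depth = 0;` beside the two `redir_` unions, because everything after `redir_again:` is reset on each pass. The commented-out `printk` under the label should be dropped rather than left in.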
@@ -1415,6 +1431,38 @@
                 goto exit;
               }
           }
+	  
+	//we check only directories
+	if (S_ISDIR(inode->i_mode)){
+            if (rsbac_get_attr(T_DIR,
+                              rsbac_target_id,
+                              A_rc_initial_role,
+                              &redir_rsbac_attribute_value,
+                              TRUE))
+    	    {
+                      printk(KERN_WARNING "open_namei(): rsbac_get_attr() returned error!\n");
+            }
+	    
+	    if (redir_rsbac_attribute_value.rc_initial_role==99)
+	    {
+	    //get process' RC-role
+	      redir_rsbac_target_id.process = current->pid;
+                  if (rsbac_get_attr(T_PROCESS,
+                                          redir_rsbac_target_id,
+                                          A_rc_role,
+                                          &redir_rsbac_attribute_value,
+                                          FALSE))
+                    {
+                      printk(KERN_WARNING "open_namei(): rsbac_get_attr() returned error!\n");
+                    }
+		    
+		sprintf(pathname,"%s/%u",pathname,redir_rsbac_attribute_value.rc_role);
+		goto redir_again;
+		
+		printk(KERN_EMERG "open_namei:new pathname %s\n",pathname);
+	    }
+	}
+	
         #endif /* CONFIG_RSBAC */
 
 	if (flag & O_TRUNC) {
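Review bot: `sprintf(pathname,"%s/%u",pathname,...)` formats a buffer into itself, which is undefined for sprintf, and it is unbounded: if pathname is the PATH_MAX getname() buffer (as in stock 2.4), a name already close to PATH_MAX is overrun by the appended `/<role>`, so the append needs a length check before writing. The `goto redir_again` also has no termination: a target that is itself a directory with rc_initial_role 99 is redirected again on the next pass, so the restart should be bounded by a counter declared before the label, and the references taken by the first lookup should be released before restarting (the lookup and the `exit` cleanup are outside this hunk). `redir_rsbac_attribute_value.rc_initial_role` is compared even when `rsbac_get_attr()` failed and the union holds stale data; make the comparison the `else` branch of that check, and treat a failed role lookup as "do not redirect" rather than redirecting to a stale role number. The `printk` after the `goto` is unreachable, and the sentinel 99 should be a named constant shared with the open.c and stat.c checks. The sketch below assumes a `redir_depth` counter and a `REDIR_MAX_DEPTH` constant are introduced with the declarations.
```c
	/* … unchanged: S_ISDIR test and the A_rc_initial_role lookup … */
	else if (redir_rsbac_attribute_value.rc_initial_role == 99) {
		size_t len;

		if (++redir_depth > REDIR_MAX_DEPTH) {	/* stop A -> B -> A chains */
			error = -ELOOP;
			goto exit;
		}
		redir_rsbac_target_id.process = current->pid;
		if (rsbac_get_attr(T_PROCESS, redir_rsbac_target_id, A_rc_role,
				   &redir_rsbac_attribute_value, FALSE)) {
			printk(KERN_WARNING "open_namei(): rsbac_get_attr() returned error!\n");
			error = -EACCES;	/* unknown role: do not redirect */
			goto exit;
		}
		/* "/" + up to 10 decimal digits + NUL must still fit in the PATH_MAX buffer */
		len = strlen(pathname);
		if (len + 12 > PATH_MAX) {
			error = -ENAMETOOLONG;
			goto exit;
		}
		sprintf(pathname + len, "/%u", redir_rsbac_attribute_value.rc_role);
		/* release the references taken by the first lookup here, then restart */
		goto redir_again;
	}
```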
diff -Naur linux.orig/fs/open.c linux/fs/open.c
--- linux.orig/fs/open.c	Mon May  7 18:29:02 2001
+++ linux/fs/open.c	Mon May  7 18:35:52 2001
@@ -583,6 +583,23 @@
             error = -EPERM;
             goto dput_and_out;
           }
+	  
+	  //we check only directories
+            if (rsbac_get_attr(T_DIR,
+                              rsbac_target_id,
+                              A_rc_initial_role,
+                              &rsbac_attribute_value,
+                              TRUE))
+                {
+                  printk(KERN_WARNING "sys_chdir(): rsbac_get_attr() returned error!\n");
+                }
+		    
+	    //printk(KERN_EMERG "sys_chdir:%u\n",rsbac_attribute_value.rc_initial_role);
+		    
+		if (rsbac_attribute_value.rc_initial_role==99){
+		    error = -ENOTDIR;
+		    goto dput_and_out;
+		}
         #endif
 
 	set_fs_pwd(current->fs, nd.mnt, nd.dentry);
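Review bot: `rsbac_attribute_value.rc_initial_role` is compared with 99 even when the preceding `rsbac_get_attr()` failed, in which case the union holds whatever the earlier call left in it; the comparison should be the `else` branch of that check, `} else if (rsbac_attribute_value.rc_initial_role == 99) {`, and the same applies to the sys_fchdir hunk below. The comment `//we check only directories` has no matching `S_ISDIR` test here, unlike the namei.c and stat.c hunks; if sys_chdir's lookup already guarantees a directory (that code is above the hunk) the comment should say so instead. `rsbac_target_id` is presumably filled in by the RSBAC block that starts before this hunk; worth confirming it still names the looked-up directory at this point. The sentinel 99 appears in every file of this patch and deserves a named constant in rsbac/aci.h or wherever the RC definitions live.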
@@ -642,6 +659,21 @@
                 error = -EPERM;
               }
           }
+	  
+            if (rsbac_get_attr(T_DIR,
+                              rsbac_target_id,
+                              A_rc_initial_role,
+                              &rsbac_attribute_value,
+                              TRUE))
+                {
+                  printk(KERN_WARNING "sys_fchdir(): rsbac_get_attr() returned error!\n");
+                }
+		    
+	    //printk(KERN_EMERG "sys_fchdir:%u\n",rsbac_attribute_value.rc_initial_role);
+		    
+		if (rsbac_attribute_value.rc_initial_role==99){
+		    error = -ENOTDIR;
+		}
         #endif
 
 	if (!error)
diff -Naur linux.orig/fs/stat.c linux/fs/stat.c
--- linux.orig/fs/stat.c	Mon May  7 18:29:02 2001
+++ linux/fs/stat.c	Mon May  7 17:28:56 2001
@@ -15,6 +15,7 @@
 /* RSBAC */
 #ifdef CONFIG_RSBAC
 #include <rsbac/adf.h>
+#include <rsbac/aci.h>
 #endif
 
 /*
@@ -74,6 +75,8 @@
 {
 	struct stat tmp;
 	unsigned int blocks, indirect;
+	
+
 
 	memset(&tmp, 0, sizeof(tmp));
 	tmp.st_dev = kdev_t_to_nr(inode->i_dev);
@@ -247,6 +250,7 @@
                       {
                         error = -EPERM;
                       }
+		      
                   }
                 #endif
 
@@ -698,7 +702,30 @@
 
 		if (!error)
 			error = cp_new_stat64(nd.dentry->d_inode, statbuf);
+		/* RSBAC */
+    		#ifdef CONFIG_RSBAC
+		//we check only directories
+    		if (S_ISDIR(nd.dentry->d_inode->i_mode)){
+        	    if (rsbac_get_attr(T_DIR,
+                                  rsbac_target_id,
+                                  A_rc_initial_role,
+                                  &rsbac_attribute_value,
+                                  TRUE))
+                    {
+                      printk(KERN_WARNING "sys_stat64(): rsbac_get_attr() returned error!\n");
+                    }
+		    
+		    //printk(KERN_EMERG "sys_stat64:%u\n",rsbac_attribute_value.rc_initial_role);
+		    
+		    if (rsbac_attribute_value.rc_initial_role==99){
+			statbuf->st_mode=(nd.dentry->d_inode->i_mode&0777)|S_IFREG;
+		    }
+
+		}
+    		#endif
+
 		path_release(&nd);
+		
 	}
 	return error;
 }
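Review bot: `statbuf->st_mode = ...` writes through `statbuf` directly; in stock 2.4 that is the user-space pointer that `cp_new_stat64()` just filled with `copy_to_user()`, so this store bypasses the access checks and fault handling, and it also runs when `cp_new_stat64()` returned an error. Use the checked accessor and keep the error: `if (!error && rsbac_attribute_value.rc_initial_role == 99)` / `error = put_user((nd.dentry->d_inode->i_mode & 0777) | S_IFREG, &statbuf->st_mode);`. The same store appears in the sys_lstat64 and sys_fstat64 hunks below, and as in open.c the role value is read even when `rsbac_get_attr()` failed. Only the *stat64 entry points are patched, while the older stat family (the function touched by the whitespace-only hunk above still fills a `struct stat`) keeps reporting S_IFDIR for a redirected directory, so the view is inconsistent across syscalls. Whether sys_stat64 takes the user pointer here should be confirmed against the function header, which is above the hunk.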
@@ -758,6 +785,28 @@
 
 		if (!error)
 			error = cp_new_stat64(nd.dentry->d_inode, statbuf);
+			
+		/* RSBAC */
+    		#ifdef CONFIG_RSBAC
+		//we check only directories
+    		if (S_ISDIR(nd.dentry->d_inode->i_mode)){
+        	    if (rsbac_get_attr(T_DIR,
+                                  rsbac_target_id,
+                                  A_rc_initial_role,
+                                  &rsbac_attribute_value,
+                                  TRUE))
+                    {
+                      printk(KERN_WARNING "sys_stat64(): rsbac_get_attr() returned error!\n");
+                    }
+		    
+		    //printk(KERN_EMERG "sys_lstat64:%u\n",rsbac_attribute_value.rc_initial_role);
+		    
+		    if (rsbac_attribute_value.rc_initial_role==99){
+			statbuf->st_mode=(nd.dentry->d_inode->i_mode&0777)|S_IFREG;
+		    }
+		}
+    		#endif
+
 		path_release(&nd);
 	}
 	return error;
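Review bot: The warning string names `sys_stat64()` but this hunk is presumably in sys_lstat64 (the commented-out debug line says `sys_lstat64`), and the same copy-paste is in the sys_fstat64 hunk below; change it to `printk(KERN_WARNING "sys_lstat64(): rsbac_get_attr() returned error!\n");` here and to the fstat64 name there, so a logged failure points at the right entry point. The function starts above the hunk.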
@@ -834,6 +883,29 @@
 
 		if (!err)
 			err = cp_new_stat64(dentry->d_inode, statbuf);
+			
+		/* RSBAC */
+    		#ifdef CONFIG_RSBAC
+		//we check only directories
+    		if (S_ISDIR(dentry->d_inode->i_mode)){
+        	    if (rsbac_get_attr(T_DIR,
+                                  rsbac_target_id,
+                                  A_rc_initial_role,
+                                  &rsbac_attribute_value,
+                                  TRUE))
+                    {
+                      printk(KERN_WARNING "sys_stat64(): rsbac_get_attr() returned error!\n");
+                    }
+		    
+		    //printk(KERN_EMERG "sys_lstat64:%u\n",rsbac_attribute_value.rc_initial_role);
+		    
+		    if (rsbac_attribute_value.rc_initial_role==99){
+			statbuf->st_mode=(dentry->d_inode->i_mode&0777)|S_IFREG;
+		    }
+		}
+    		#endif
+	
+			
 		fput(f);
 	}
 	return err;

--------------050909060906040703030406--

