From: Stanislav Ievlev <inger@altlinux.ru>
Subject: RC redirection
Date: Mon, 07 May 2001 19:59:15 +0400
This is a multi-part message in MIME format.
--------------050909060906040703030406
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Hello All!
Some time ago there was discussion about redirection for RSBAC.
This is an idea from SCO (or another *nix?). There were special directories
in that system with the strange name "hidden".
Brief instructions.
1. Apply patch and create kernel;
2. Boot the new kernel, create a new directory (e.g. "dirofile");
3. Create in this directory files 0,1,2 with some content in each file.
(e.g. "Role0" in file 0, "Role1" in file 1 etc. )
4. Set "rc_initial_role" attribute of this directory to value 99.
....
5. Then the directory converts into a file :))
6. See the content of this "file" under different roles - you will see
different results (you really open the "dirofile/<role_num>" file)
Under Role 0 :
$cat dirofile
Role0
Under Role 1 :
$cat dirofile
Role1
etc.
enjoy
--------------------
With best regards
Stanislav Ievlev
<inger@linux.ru.net>
--------------050909060906040703030406
Content-Type: text/plain;
name="dirofile-0.2.patch"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;
filename="dirofile-0.2.patch"
diff -Naur linux.orig/fs/namei.c linux/fs/namei.c
--- linux.orig/fs/namei.c Mon May 7 18:29:02 2001
+++ linux/fs/namei.c Mon May 7 18:00:04 2001
@@ -35,6 +35,7 @@
#ifdef CONFIG_RSBAC
#include <rsbac/adf.h>
#include <rsbac/fs.h>
+#include <rsbac/aci.h>
#endif
#define ACC_MODE(x) ("\000\004\002\006"[(x)&O_ACCMODE])
@@ -1189,6 +1190,21 @@
union rsbac_target_id_t rsbac_target_id;
union rsbac_target_id_t rsbac_new_target_id;
union rsbac_attribute_value_t rsbac_attribute_value;
+
+ union rsbac_target_id_t redir_rsbac_target_id;
+ union rsbac_attribute_value_t redir_rsbac_attribute_value;
+
+//read after redirection
+redir_again:
+// printk(KERN_EMERG "f:%s\n",pathname);
+ acc_mode=0;
+ error=0;
+ inode=NULL;
+ dentry=NULL;
+ dir=NULL;
+ count=0;
+
+
#endif
acc_mode = ACC_MODE(flag);
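Review bot: The restart label resets `inode`, `dentry` and `dir` to NULL, which discards whatever the previous lookup pass had pinned without releasing it; when `goto redir_again` is taken after a successful lookup later in this file, the dentry reference from the first pass appears to leak on every redirect. Release those references before jumping, or resolve the redirect before the lookup rather than after it. `redir_rsbac_attribute_value` is also declared without an initializer, so a failing `rsbac_get_attr()` later leaves the `== 99` comparison reading an indeterminate union; `union rsbac_attribute_value_t redir_rsbac_attribute_value = {0};` would at least make a failed lookup deterministic. open_namei() starts and ends outside this hunk.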
@@ -1415,6 +1431,38 @@
goto exit;
}
}
+
+ //we check only directories
+ if (S_ISDIR(inode->i_mode)){
+ if (rsbac_get_attr(T_DIR,
+ rsbac_target_id,
+ A_rc_initial_role,
+ &redir_rsbac_attribute_value,
+ TRUE))
+ {
+ printk(KERN_WARNING "open_namei(): rsbac_get_attr() returned error!\n");
+ }
+
+ if (redir_rsbac_attribute_value.rc_initial_role==99)
+ {
+ //get process' RC-role
+ redir_rsbac_target_id.process = current->pid;
+ if (rsbac_get_attr(T_PROCESS,
+ redir_rsbac_target_id,
+ A_rc_role,
+ &redir_rsbac_attribute_value,
+ FALSE))
+ {
+ printk(KERN_WARNING "open_namei(): rsbac_get_attr() returned error!\n");
+ }
+
+ sprintf(pathname,"%s/%u",pathname,redir_rsbac_attribute_value.rc_role);
+ goto redir_again;
+
+ printk(KERN_EMERG "open_namei:new pathname %s\n",pathname);
+ }
+ }
+
#endif /* CONFIG_RSBAC */
if (flag & O_TRUNC) {
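Review bot: `sprintf(pathname,"%s/%u",pathname,...)` passes the destination as its own `%s` source, which is undefined behaviour, and it writes with no bound into a buffer whose capacity is not visible in this hunk; because a redirect target that is itself a role-99 directory makes the loop append again on every pass, the path grows until it overruns that buffer. Append with an explicit length check and fail with `-ENAMETOOLONG` when the result does not fit, which also bounds the redirect loop; the `printk` after `goto redir_again` is unreachable and should be dropped or moved above the jump. A failed `rsbac_get_attr(T_PROCESS, ...)` still proceeds with whatever `rc_role` happens to hold, so treating that failure as an error would avoid redirecting to an unintended role file. open_namei() begins and ends outside this hunk.
```c
		/* … unchanged: rsbac_get_attr(T_PROCESS, …) and its warning printk … */
		len = strlen(pathname);
		/* PATHNAME_CAP: capacity of the caller's pathname buffer — placeholder, confirm for this tree */
		if (snprintf(pathname + len, PATHNAME_CAP - len, "/%u",
			     redir_rsbac_attribute_value.rc_role) >= PATHNAME_CAP - len) {
			error = -ENAMETOOLONG;
			goto exit;
		}
		goto redir_again;
```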
diff -Naur linux.orig/fs/open.c linux/fs/open.c
--- linux.orig/fs/open.c Mon May 7 18:29:02 2001
+++ linux/fs/open.c Mon May 7 18:35:52 2001
@@ -583,6 +583,23 @@
error = -EPERM;
goto dput_and_out;
}
+
+ //we check only directories
+ if (rsbac_get_attr(T_DIR,
+ rsbac_target_id,
+ A_rc_initial_role,
+ &rsbac_attribute_value,
+ TRUE))
+ {
+ printk(KERN_WARNING "sys_chdir(): rsbac_get_attr() returned error!\n");
+ }
+
+ //printk(KERN_EMERG "sys_chdir:%u\n",rsbac_attribute_value.rc_initial_role);
+
+ if (rsbac_attribute_value.rc_initial_role==99){
+ error = -ENOTDIR;
+ goto dput_and_out;
+ }
#endif
set_fs_pwd(current->fs, nd.mnt, nd.dentry);
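Review bot: When `rsbac_get_attr()` fails, the code only logs and then still compares `rsbac_attribute_value.rc_initial_role` against 99, although nothing in the hunk shows that a failed call writes the union, so the chdir decision depends on whatever the value held before. Treat the failure as a denial, `error = -EPERM; goto dput_and_out;`, matching the `-EPERM` handling just above the hunk. The same unchecked use recurs in the sys_fchdir hunk of this file and in the three fs/stat.c hunks. The magic value 99 is repeated in every hunk; a single named constant next to the other RC definitions (for example `RSBAC_RC_ROLE_DIROFILE`, name constructed) would document what the role number means. sys_chdir() starts and ends outside this hunk.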
@@ -642,6 +659,21 @@
error = -EPERM;
}
}
+
+ if (rsbac_get_attr(T_DIR,
+ rsbac_target_id,
+ A_rc_initial_role,
+ &rsbac_attribute_value,
+ TRUE))
+ {
+ printk(KERN_WARNING "sys_fchdir(): rsbac_get_attr() returned error!\n");
+ }
+
+ //printk(KERN_EMERG "sys_fchdir:%u\n",rsbac_attribute_value.rc_initial_role);
+
+ if (rsbac_attribute_value.rc_initial_role==99){
+ error = -ENOTDIR;
+ }
#endif
if (!error)
diff -Naur linux.orig/fs/stat.c linux/fs/stat.c
--- linux.orig/fs/stat.c Mon May 7 18:29:02 2001
+++ linux/fs/stat.c Mon May 7 17:28:56 2001
@@ -15,6 +15,7 @@
/* RSBAC */
#ifdef CONFIG_RSBAC
#include <rsbac/adf.h>
+#include <rsbac/aci.h>
#endif
/*
@@ -74,6 +75,8 @@
{
struct stat tmp;
unsigned int blocks, indirect;
+
+
memset(&tmp, 0, sizeof(tmp));
tmp.st_dev = kdev_t_to_nr(inode->i_dev);
@@ -247,6 +250,7 @@
{
error = -EPERM;
}
+
}
#endif
@@ -698,7 +702,30 @@
if (!error)
error = cp_new_stat64(nd.dentry->d_inode, statbuf);
+ /* RSBAC */
+ #ifdef CONFIG_RSBAC
+ //we check only directories
+ if (S_ISDIR(nd.dentry->d_inode->i_mode)){
+ if (rsbac_get_attr(T_DIR,
+ rsbac_target_id,
+ A_rc_initial_role,
+ &rsbac_attribute_value,
+ TRUE))
+ {
+ printk(KERN_WARNING "sys_stat64(): rsbac_get_attr() returned error!\n");
+ }
+
+ //printk(KERN_EMERG "sys_stat64:%u\n",rsbac_attribute_value.rc_initial_role);
+
+ if (rsbac_attribute_value.rc_initial_role==99){
+ statbuf->st_mode=(nd.dentry->d_inode->i_mode&0777)|S_IFREG;
+ }
+
+ }
+ #endif
+
path_release(&nd);
+
}
return error;
}
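Review bot: `statbuf->st_mode = ...` stores straight through the pointer that `cp_new_stat64()` appears to fill for user space; a direct store to a user address has no fault handling (a bad address oopses instead of returning `-EFAULT`), and it runs even when `cp_new_stat64()` has already returned an error. Compute the adjusted mode in kernel memory and store it with `put_user()`, guarded on `error`, e.g. `if (!error && rsbac_attribute_value.rc_initial_role == 99) error = put_user((nd.dentry->d_inode->i_mode & 0777) | S_IFREG, &statbuf->st_mode);`. The same direct store appears in the two following fs/stat.c hunks. The enclosing function starts outside this hunk.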
@@ -758,6 +785,28 @@
if (!error)
error = cp_new_stat64(nd.dentry->d_inode, statbuf);
+
+ /* RSBAC */
+ #ifdef CONFIG_RSBAC
+ //we check only directories
+ if (S_ISDIR(nd.dentry->d_inode->i_mode)){
+ if (rsbac_get_attr(T_DIR,
+ rsbac_target_id,
+ A_rc_initial_role,
+ &rsbac_attribute_value,
+ TRUE))
+ {
+ printk(KERN_WARNING "sys_stat64(): rsbac_get_attr() returned error!\n");
+ }
+
+ //printk(KERN_EMERG "sys_lstat64:%u\n",rsbac_attribute_value.rc_initial_role);
+
+ if (rsbac_attribute_value.rc_initial_role==99){
+ statbuf->st_mode=(nd.dentry->d_inode->i_mode&0777)|S_IFREG;
+ }
+ }
+ #endif
+
path_release(&nd);
}
return error;
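Review bot: The warning emitted on the `rsbac_get_attr()` failure names `sys_stat64()` although this hunk is in a different syscall (the commented-out debug line beneath it says `sys_lstat64`); the same mismatch is in the next hunk, whose debug line also says lstat64 while the surrounding code uses `fput(f)`. Use the actual function name in each message so a log line can be traced to its source, e.g. `printk(KERN_WARNING "sys_lstat64(): rsbac_get_attr() returned error!\n");` here. The enclosing function starts outside this hunk.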
@@ -834,6 +883,29 @@
if (!err)
err = cp_new_stat64(dentry->d_inode, statbuf);
+
+ /* RSBAC */
+ #ifdef CONFIG_RSBAC
+ //we check only directories
+ if (S_ISDIR(dentry->d_inode->i_mode)){
+ if (rsbac_get_attr(T_DIR,
+ rsbac_target_id,
+ A_rc_initial_role,
+ &rsbac_attribute_value,
+ TRUE))
+ {
+ printk(KERN_WARNING "sys_stat64(): rsbac_get_attr() returned error!\n");
+ }
+
+ //printk(KERN_EMERG "sys_lstat64:%u\n",rsbac_attribute_value.rc_initial_role);
+
+ if (rsbac_attribute_value.rc_initial_role==99){
+ statbuf->st_mode=(dentry->d_inode->i_mode&0777)|S_IFREG;
+ }
+ }
+ #endif
+
+
fput(f);
}
return err;
--------------050909060906040703030406--
-
To unsubscribe from the rsbac list, send a mail to
majordomo@rsbac.org with
unsubscribe rsbac
as single line in the body.