Merge bk://lsm.bkbits.net/linus-2.5

into home.transmeta.com:/home/torvalds/v2.5/linux

Merge bk://lsm.bkbits.net/linus-2.5
into home.transmeta.com:/home/torvalds/v2.5/linux
f803e090 · Linus Torvalds · cbfe51cb · 712adcb4 · f803e090 · f803e090
Commit f803e090 authored Dec 20, 2002 by Linus Torvalds
5 changed files
--- a/kernel/capability.c
+++ b/kernel/capability.c
@@ -84,13 +84,15 @@ static inline void cap_set_pg(int pgrp, kernel_cap_t *effective,
 			      kernel_cap_t *inheritable,
 			      kernel_cap_t *permitted)
 {
-     task_t *g, *target;
-
-     do_each_thread(g, target) {
-             if (target->pgrp != pgrp)
-                     continue;
-	     security_capset_set(target, effective, inheritable, permitted);
-     } while_each_thread(g, target);
+	task_t *g, *target;
+	struct list_head *l;
+	struct pid *pid;
+
+	for_each_task_pid(pgrp, PIDTYPE_PGID, g, l, pid) {
+		target = g;
+		while_each_thread(g, target)
+			security_capset_set(target, effective, inheritable, permitted);
+	}
 }

 /*

--- a/security/Kconfig
+++ b/security/Kconfig
@@ -27,8 +27,11 @@ config SECURITY_ROOTPLUG
 	depends on SECURITY!=n
 	help
 	  This is a sample LSM module that should only be used as such.
-	  It enables control over processes being created by root users
-	  if a specific USB device is not present in the system.
+	  It prevents any programs running with egid == 0 if a specific
+	  USB device is not present in the system.
+
+	  See <http://www.linuxjournal.com/article.php?sid=6279> for
+	  more information about this module.
 	  
 	  If you are unsure how to answer this question, answer N.


--- a/security/dummy.c
+++ b/security/dummy.c
@@ -3,7 +3,7 @@
 * security model is loaded.
 *
 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
- * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
+ * Copyright (C) 2001-2002  Greg Kroah-Hartman <greg@kroah.com>
 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
 *
 *	This program is free software; you can redistribute it and/or modify
@@ -542,111 +542,7 @@ static int dummy_unregister_security (const char *name, struct security_operatio
 	return -EINVAL;
 }

-struct security_operations dummy_security_ops = {
-	.ptrace =			dummy_ptrace,
-	.capget =			dummy_capget,
-	.capset_check =			dummy_capset_check,
-	.capset_set =			dummy_capset_set,
-	.acct =				dummy_acct,
-	.capable =			dummy_capable,
-	.quotactl =			dummy_quotactl,
-	.quota_on =			dummy_quota_on,
-
-	.bprm_alloc_security =		dummy_bprm_alloc_security,
-	.bprm_free_security =		dummy_bprm_free_security,
-	.bprm_compute_creds =		dummy_bprm_compute_creds,
-	.bprm_set_security =		dummy_bprm_set_security,
-	.bprm_check_security =		dummy_bprm_check_security,
-
-	.sb_alloc_security =		dummy_sb_alloc_security,
-	.sb_free_security =		dummy_sb_free_security,
-	.sb_statfs =			dummy_sb_statfs,
-	.sb_mount =			dummy_sb_mount,
-	.sb_check_sb =			dummy_sb_check_sb,
-	.sb_umount =			dummy_sb_umount,
-	.sb_umount_close =		dummy_sb_umount_close,
-	.sb_umount_busy =		dummy_sb_umount_busy,
-	.sb_post_remount =		dummy_sb_post_remount,
-	.sb_post_mountroot =		dummy_sb_post_mountroot,
-	.sb_post_addmount =		dummy_sb_post_addmount,
-	.sb_pivotroot =			dummy_sb_pivotroot,
-	.sb_post_pivotroot =		dummy_sb_post_pivotroot,
-	
-	.inode_alloc_security =		dummy_inode_alloc_security,
-	.inode_free_security =		dummy_inode_free_security,
-	.inode_create =			dummy_inode_create,
-	.inode_post_create =		dummy_inode_post_create,
-	.inode_link =			dummy_inode_link,
-	.inode_post_link =		dummy_inode_post_link,
-	.inode_unlink =			dummy_inode_unlink,
-	.inode_symlink =		dummy_inode_symlink,
-	.inode_post_symlink =		dummy_inode_post_symlink,
-	.inode_mkdir =			dummy_inode_mkdir,
-	.inode_post_mkdir =		dummy_inode_post_mkdir,
-	.inode_rmdir =			dummy_inode_rmdir,
-	.inode_mknod =			dummy_inode_mknod,
-	.inode_post_mknod =		dummy_inode_post_mknod,
-	.inode_rename =			dummy_inode_rename,
-	.inode_post_rename =		dummy_inode_post_rename,
-	.inode_readlink =		dummy_inode_readlink,
-	.inode_follow_link =		dummy_inode_follow_link,
-	.inode_permission =		dummy_inode_permission,
-	.inode_permission_lite =	dummy_inode_permission_lite,
-	.inode_setattr =		dummy_inode_setattr,
-	.inode_getattr =		dummy_inode_getattr,
-	.inode_post_lookup =		dummy_inode_post_lookup,
-	.inode_delete =			dummy_inode_delete,
-	.inode_setxattr =		dummy_inode_setxattr,
-	.inode_getxattr =		dummy_inode_getxattr,
-	.inode_listxattr =		dummy_inode_listxattr,
-	.inode_removexattr =		dummy_inode_removexattr,
-
-	.file_permission =		dummy_file_permission,
-	.file_alloc_security =		dummy_file_alloc_security,
-	.file_free_security =		dummy_file_free_security,
-	.file_ioctl =			dummy_file_ioctl,
-	.file_mmap =			dummy_file_mmap,
-	.file_mprotect =		dummy_file_mprotect,
-	.file_lock =			dummy_file_lock,
-	.file_fcntl =			dummy_file_fcntl,
-	.file_set_fowner =		dummy_file_set_fowner,
-	.file_send_sigiotask =		dummy_file_send_sigiotask,
-	.file_receive =			dummy_file_receive,
-
-	.task_create =			dummy_task_create,
-	.task_alloc_security =		dummy_task_alloc_security,
-	.task_free_security =		dummy_task_free_security,
-	.task_setuid =			dummy_task_setuid,
-	.task_post_setuid =		dummy_task_post_setuid,
-	.task_setgid =			dummy_task_setgid,
-	.task_setpgid =			dummy_task_setpgid,
-	.task_getpgid =			dummy_task_getpgid,
-	.task_getsid =			dummy_task_getsid,
-	.task_setgroups =		dummy_task_setgroups,
-	.task_setnice =			dummy_task_setnice,
-	.task_setrlimit =		dummy_task_setrlimit,
-	.task_setscheduler =		dummy_task_setscheduler,
-	.task_getscheduler =		dummy_task_getscheduler,
-	.task_wait =			dummy_task_wait,
-	.task_kill =			dummy_task_kill,
-	.task_prctl =			dummy_task_prctl,
-	.task_kmod_set_label =		dummy_task_kmod_set_label,
-	.task_reparent_to_init =	dummy_task_reparent_to_init,
-
-	.ipc_permission =		dummy_ipc_permission,
-	
-	.msg_queue_alloc_security =	dummy_msg_queue_alloc_security,
-	.msg_queue_free_security =	dummy_msg_queue_free_security,
-	
-	.shm_alloc_security =		dummy_shm_alloc_security,
-	.shm_free_security =		dummy_shm_free_security,
-	
-	.sem_alloc_security =		dummy_sem_alloc_security,
-	.sem_free_security =		dummy_sem_free_security,
-
-	.register_security =		dummy_register_security,
-	.unregister_security =		dummy_unregister_security,
-};
+struct security_operations dummy_security_ops;

 #define set_to_dummy_if_null(ops, function)				\
 	do {								\

--- a/security/root_plug.c
+++ b/security/root_plug.c
@@ -13,6 +13,9 @@
 * If you want to turn this into something with a semblance of security,
 * you need to hook the task_* functions also.
 *
+ * See http://www.linuxjournal.com/article.php?sid=6279 for more information
+ * about this code.
+ *
 *	This program is free software; you can redistribute it and/or
 *	modify it under the terms of the GNU General Public License as
 *	published by the Free Software Foundation, version 2 of the

--- a/security/security.c
+++ b/security/security.c
@@ -2,7 +2,7 @@
 * Security plug functions
 *
 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
- * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
+ * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
 *
 *	This program is free software; you can redistribute it and/or modify
@@ -48,6 +48,12 @@ int security_scaffolding_startup (void)
 	printk (KERN_INFO "Security Scaffold v" SECURITY_SCAFFOLD_VERSION
 		" initialized\n");

+	if (verify (&dummy_security_ops)) {
+		printk (KERN_ERR "%s could not verify "
+			"dummy_security_ops structure.\n", __FUNCTION__);
+		return -EIO;
+	}
+
 	security_ops = &dummy_security_ops;

 	return 0;