lsm: Add hooks to the TUN driver

The TUN driver lacks any LSM hooks which makes it difficult for LSM modules, such as SELinux, to enforce access controls on network traffic generated by TUN users; this is particularly problematic for virtualization apps such as QEMU and KVM. This patch adds three new LSM hooks designed to control the creation and attachment of TUN devices, the hooks are: * security_tun_dev_create() Provides access control for the creation of new TUN devices * security_tun_dev_post_create() Provides the ability to create the necessary socket LSM state for newly created TUN devices * security_tun_dev_attach() Provides access control for attaching to existing, persistent TUN devices and the ability to update the TUN device's socket LSM state as necessary Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: Eric Paris <eparis@parisplace.org> Acked-by: Serge Hallyn <serue@us.ibm.com> Acked-by: David S. Miller <davem@davemloft.net> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2009-08-28 18:12:43 -0400
committer: James Morris <jmorris@namei.org> 2009-08-31 18:29:48 -0400
commit: 2b980dbd77d229eb60588802162c9659726b11f4 (patch)
tree: 78a7f734d0721029e4b4c961ca61d35abe9e6dbc /security
parent: d8e180dcd5bbbab9cd3ff2e779efcf70692ef541 (diff)
2 files changed, 37 insertions, 0 deletions
diff --git a/security/capability.c b/security/capability.c
index 1b943f54b2ea..06400cf07757 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -706,10 +706,26 @@ static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb)
 {
 }
 static void cap_req_classify_flow(const struct request_sock *req,
                                  struct flowi *fl)
 {
 }
+static int cap_tun_dev_create(void)
+{
+        return 0;
+}
+static void cap_tun_dev_post_create(struct sock *sk)
+{
+}
+static int cap_tun_dev_attach(struct sock *sk)
+{
+        return 0;
+}
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1026,6 +1042,9 @@ void security_fixup_ops(struct security_operations *ops)
        set_to_cap_if_null(ops, inet_csk_clone);
        set_to_cap_if_null(ops, inet_conn_established);
        set_to_cap_if_null(ops, req_classify_flow);
+        set_to_cap_if_null(ops, tun_dev_create);
+        set_to_cap_if_null(ops, tun_dev_post_create);
+        set_to_cap_if_null(ops, tun_dev_attach);
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
        set_to_cap_if_null(ops, xfrm_policy_alloc_security);
diff --git a/security/security.c b/security/security.c
index 0e993f42ce3d..f88eaf6b14cc 100644
--- a/security/security.c
+++ b/security/security.c
@@ -1117,6 +1117,24 @@ void security_inet_conn_established(struct sock *sk,
        security_ops->inet_conn_established(sk, skb);
 }
+int security_tun_dev_create(void)
+{
+        return security_ops->tun_dev_create();
+}
+EXPORT_SYMBOL(security_tun_dev_create);
+void security_tun_dev_post_create(struct sock *sk)
+{
+        return security_ops->tun_dev_post_create(sk);
+}
+EXPORT_SYMBOL(security_tun_dev_post_create);
+int security_tun_dev_attach(struct sock *sk)
+{
+        return security_ops->tun_dev_attach(sk);
+}
+EXPORT_SYMBOL(security_tun_dev_attach);
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
author	Paul Moore <paul.moore@hp.com>	2009-08-28 18:12:43 -0400
committer	James Morris <jmorris@namei.org>	2009-08-31 18:29:48 -0400
commit	2b980dbd77d229eb60588802162c9659726b11f4 (patch)
tree	78a7f734d0721029e4b4c961ca61d35abe9e6dbc /security
parent	d8e180dcd5bbbab9cd3ff2e779efcf70692ef541 (diff)

diff --git a/security/capability.c b/security/capability.c index 1b943f54b2ea..06400cf07757 100644 --- a/security/capability.c +++ b/security/capability.c
@@ -706,10 +706,26 @@ static void cap_inet_conn_established(struct sock sk, struct sk_buff skb)
706	{	706	{
707	}	707	}
708		708
		709
		710
709	static void cap_req_classify_flow(const struct request_sock *req,	711	static void cap_req_classify_flow(const struct request_sock *req,
710	struct flowi *fl)	712	struct flowi *fl)
711	{	713	{
712	}	714	}
		715
		716	static int cap_tun_dev_create(void)
		717	{
		718	return 0;
		719	}
		720
		721	static void cap_tun_dev_post_create(struct sock *sk)
		722	{
		723	}
		724
		725	static int cap_tun_dev_attach(struct sock *sk)
		726	{
		727	return 0;
		728	}
713	#endif /* CONFIG_SECURITY_NETWORK */	729	#endif /* CONFIG_SECURITY_NETWORK */
714		730
715	#ifdef CONFIG_SECURITY_NETWORK_XFRM	731	#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -1026,6 +1042,9 @@ void security_fixup_ops(struct security_operations *ops)
1026	set_to_cap_if_null(ops, inet_csk_clone);	1042	set_to_cap_if_null(ops, inet_csk_clone);
1027	set_to_cap_if_null(ops, inet_conn_established);	1043	set_to_cap_if_null(ops, inet_conn_established);
1028	set_to_cap_if_null(ops, req_classify_flow);	1044	set_to_cap_if_null(ops, req_classify_flow);
		1045	set_to_cap_if_null(ops, tun_dev_create);
		1046	set_to_cap_if_null(ops, tun_dev_post_create);
		1047	set_to_cap_if_null(ops, tun_dev_attach);
1029	#endif /* CONFIG_SECURITY_NETWORK */	1048	#endif /* CONFIG_SECURITY_NETWORK */
1030	#ifdef CONFIG_SECURITY_NETWORK_XFRM	1049	#ifdef CONFIG_SECURITY_NETWORK_XFRM
1031	set_to_cap_if_null(ops, xfrm_policy_alloc_security);	1050	set_to_cap_if_null(ops, xfrm_policy_alloc_security);


diff --git a/security/security.c b/security/security.c index 0e993f42ce3d..f88eaf6b14cc 100644 --- a/security/security.c +++ b/security/security.c
@@ -1117,6 +1117,24 @@ void security_inet_conn_established(struct sock *sk,
1117	security_ops->inet_conn_established(sk, skb);	1117	security_ops->inet_conn_established(sk, skb);
1118	}	1118	}
1119		1119
		1120	int security_tun_dev_create(void)
		1121	{
		1122	return security_ops->tun_dev_create();
		1123	}
		1124	EXPORT_SYMBOL(security_tun_dev_create);
		1125
		1126	void security_tun_dev_post_create(struct sock *sk)
		1127	{
		1128	return security_ops->tun_dev_post_create(sk);
		1129	}
		1130	EXPORT_SYMBOL(security_tun_dev_post_create);
		1131
		1132	int security_tun_dev_attach(struct sock *sk)
		1133	{
		1134	return security_ops->tun_dev_attach(sk);
		1135	}
		1136	EXPORT_SYMBOL(security_tun_dev_attach);
		1137
1120	#endif /* CONFIG_SECURITY_NETWORK */	1138	#endif /* CONFIG_SECURITY_NETWORK */
1121		1139
1122	#ifdef CONFIG_SECURITY_NETWORK_XFRM	1140	#ifdef CONFIG_SECURITY_NETWORK_XFRM