From patchwork Sat Jan 2 13:04:11 2010
X-Patchwork-Submitter: Samir Bellabes
X-Patchwork-Id: 42015
X-Patchwork-Delegate: davem@davemloft.net
From: Samir Bellabes
To: linux-security-module@vger.kernel.org
Cc: Patrick McHardy, jamal, Evgeniy Polyakov, Neil Horman, netdev@vger.kernel.org, netfilter-devel@vger.kernel.org, Samir Bellabes
Subject: [RFC 4/9] snet: introduce snet_core.c and snet.h
Date: Sat, 2 Jan 2010 14:04:11 +0100
Message-Id: <1262437456-24476-5-git-send-email-sam@synack.fr>
In-Reply-To: <1262437456-24476-1-git-send-email-sam@synack.fr>
References: <1262437456-24476-1-git-send-email-sam@synack.fr>
X-Mailing-List: netdev@vger.kernel.org

This patch introduces snet_core.c, which provides the main functions to start and stop snet's subsystems:
- snet_hooks : LSM hooks
- snet_netlink : kernel-user communication (genetlink)
- snet_event : manages the table of protected syscalls
- snet_verdict : provides a wait queue for syscalls and manages verdicts from userspace

Signed-off-by: Samir Bellabes
---
 security/snet/include/snet.h | 29 ++++++++++++++++
 security/snet/snet_core.c | 77 ++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 106 insertions(+), 0 deletions(-)
 create mode 100644 security/snet/include/snet.h
 create mode 100644 security/snet/snet_core.c

diff --git a/security/snet/include/snet.h b/security/snet/include/snet.h
new file mode 100644
index 0000000..b664a47
--- /dev/null
+++ b/security/snet/include/snet.h
@@ -0,0 +1,29 @@ +#ifndef _SNET_H +#define _SNET_H + +#include "snet_hooks.h" + +#define SNET_VERSION 0x1 +#define SNET_NAME "snet" + +#define SNET_PRINTK(enable, fmt, arg...) \ + do { \ + if (enable) \ + printk(KERN_INFO "%s: %s: " fmt , \ + SNET_NAME , __func__ , \ + ## arg); \ + } while (0) + +#ifdef CONFIG_SECURITY_SNET_DEBUG +extern unsigned int snet_debug; +#define snet_dbg(fmt, arg...) SNET_PRINTK(snet_debug, fmt, ##arg) +#else +#define snet_dbg(fmt, arg...) +#endif + +struct snet_event { + enum snet_syscall syscall; + u8 protocol; +} __attribute__ ((packed)); + +#endif /* _SNET_H */ diff --git a/security/snet/snet_core.c b/security/snet/snet_core.c new file mode 100644 index 0000000..34b61e9 --- /dev/null +++ b/security/snet/snet_core.c 
@@ -0,0 +1,77 @@ +#include +#include +#include + +#include "snet.h" +#include "snet_hooks.h" +#include "snet_netlink.h" +#include "snet_event.h" +#include "snet_verdict.h" +#include "snet_utils.h" + +unsigned int event_hash_size = 16; +module_param(event_hash_size, uint, 0600); +MODULE_PARM_DESC(event_hash_size, "Set the size of the event hash table"); + +unsigned int verdict_hash_size = 16; +module_param(verdict_hash_size, uint, 0600); +MODULE_PARM_DESC(verdict_hash_size, "Set the size of the verdict hash table"); + +unsigned int snet_verdict_delay = 5; +module_param(snet_verdict_delay, uint, 0600); +MODULE_PARM_DESC(snet_verdict_delay, "Set the timeout for verdicts in secs"); + +unsigned int snet_verdict_policy = SNET_VERDICT_GRANT; /* permissive by default */ +module_param(snet_verdict_policy, uint, 0600); +MODULE_PARM_DESC(snet_verdict_policy, "Set the default verdict"); + +#ifdef CONFIG_SECURITY_SNET_DEBUG +unsigned int snet_debug; +EXPORT_SYMBOL_GPL(snet_debug); +module_param(snet_debug, bool, 0644); +MODULE_PARM_DESC(snet_debug, "Enable debug messages"); +#endif + +void snet_core_exit(void) +{ + snet_netlink_exit(); + snet_event_exit(); + snet_hooks_exit(); + snet_verdict_exit(); + snet_dbg("stopped\n"); +} + +static __init int snet_init(void) +{ + int ret; + + snet_dbg("initializing: event_hash_size=%u " + "verdict_hash_size=%u verdict_delay=%usecs " + "default_policy=%s\n", + event_hash_size, verdict_hash_size, snet_verdict_delay, + snet_verdict_name(snet_verdict_policy)); + + ret = snet_event_init(); + if (ret < 0) + goto exit; + + ret = snet_verdict_init(); + if (ret < 0) + goto exit; + + ret = snet_hooks_init(); + if (ret < 0) + goto exit; + + snet_dbg("started\n"); + return 0; +exit: + snet_core_exit(); + return ret; +} + +security_initcall(snet_init); + +MODULE_DESCRIPTION("snet - Security for NETwork syscalls"); +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Samir Bellabes ");
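Review bot: In the snet.h hunk, the header does not stand alone: SNET_PRINTK uses printk and KERN_INFO and struct snet_event uses u8, yet the only include is "snet_hooks.h", so compilation depends on whatever the including .c file happened to pull in first. Add `#include <linux/kernel.h>` and `#include <linux/types.h>` next to the existing include (and confirm snet_hooks.h really defines enum snet_syscall, since the struct relies on it). A second point on the same hunk: when CONFIG_SECURITY_SNET_DEBUG is off, `snet_dbg(fmt, arg...)` expands to nothing, so its arguments are neither evaluated nor type-checked and a mismatch between the format string and its arguments only surfaces in debug builds; a `do { if (0) printk(...); } while (0)` body keeps the check in both configurations. Finally, struct snet_event has no comment saying what the packed (syscall, protocol) pair is used for, which matters if it is the key of the event hash table described in the commit message.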
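Review bot: In the snet_core.c hunk, snet_init and snet_core_exit are not symmetric: the commit message lists snet_netlink as a subsystem and snet_core_exit calls snet_netlink_exit(), but snet_init never calls a matching snet_netlink_init(), so either the init is missing or the exit tears down something that was never set up. The error path has the same shape of problem: on any failure it jumps to `exit:` and runs all four *_exit() routines, including those whose init never ran, so each exit must tolerate uninitialised state; the usual pattern is one unwind label per successful init, e.g. `err_hooks: snet_hooks_exit(); err_verdict: snet_verdict_exit(); err_event: snet_event_exit();`, run in reverse order of initialisation. Teardown order also matters for safety here: snet_core_exit frees the event table (snet_event_exit) before unregistering the LSM hooks (snet_hooks_exit), leaving a window in which a hook can still fire and consult a table that no longer exists; unregister the hooks first. Separately, snet_verdict_policy is exposed with mode 0600 as a plain uint and passed to snet_verdict_name() without any range check, so a value that is not a valid verdict can be set at load time or later through sysfs; a custom param set callback that rejects anything other than the defined verdicts, plus a comment in the MODULE_PARM_DESC naming the accepted values, would close that. Worth documenting as well that the default policy is SNET_VERDICT_GRANT with a 5-second verdict timeout, i.e. the module fails open when no userspace verdict arrives, which the commit message does not mention.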