Prev: [RFC v2 04/10] snet: introduce snet_core
Next: [RFC v2 02/10] Revert "lsm: Remove the socket_post_accept() hook"
From: Samir Bellabes on 2 Mar 2010 15:40 Allow a security module to update security informations when a socket is closed. Signed-off-by: Samir Bellabes <sam(a)synack.fr> --- include/linux/security.h | 10 ++++++++++ net/socket.c | 1 + security/capability.c | 5 +++++ security/security.c | 5 +++++ 4 files changed, 21 insertions(+), 0 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 2c627d3..74e564b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -981,6 +981,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * @sock contains the socket structure. * @how contains the flag indicating how future sends and receives are handled. * Return 0 if permission is granted. + * @socket_close: + * Allow a module to update security informations when a socket is closed + * @sock is closed. * @socket_sock_rcv_skb: * Check permissions on incoming network packets. This hook is distinct * from Netfilter's IP input hooks since it is the first time that the @@ -1680,6 +1683,7 @@ struct security_operations { int (*socket_getsockopt) (struct socket *sock, int level, int optname); int (*socket_setsockopt) (struct socket *sock, int level, int optname); int (*socket_shutdown) (struct socket *sock, int how); + void (*socket_close) (struct socket *sock); int (*socket_sock_rcv_skb) (struct sock *sk, struct sk_buff *skb); int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid); @@ -2700,6 +2704,7 @@ int security_socket_getpeername(struct socket *sock); int security_socket_getsockopt(struct socket *sock, int level, int optname); int security_socket_setsockopt(struct socket *sock, int level, int optname); int security_socket_shutdown(struct socket *sock, int how); +void security_socket_close(struct socket *sock); int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb); int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, int __user *optlen, unsigned len); @@ -2812,6 +2817,11 @@ static inline int security_socket_shutdown(struct socket *sock, int how) { return 0; } + +static inline void security_socket_close(struct socket *sock) +{ +} + static inline int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { diff --git a/net/socket.c b/net/socket.c index 769c386..b4eb361 100644 --- a/net/socket.c +++ b/net/socket.c @@ -1055,6 +1055,7 @@ static int sock_close(struct inode *inode, struct file *filp) printk(KERN_DEBUG "sock_close: NULL inode\n"); return 0; } + security_socket_close(SOCKET_I(inode)); sock_release(SOCKET_I(inode)); return 0; } diff --git a/security/capability.c b/security/capability.c index 5c700e1..a9810dc 100644 --- a/security/capability.c +++ b/security/capability.c @@ -677,6 +677,10 @@ static int cap_socket_shutdown(struct socket *sock, int how) return 0; } +static void cap_socket_close(struct socket *sock) +{ +} + static int cap_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { return 0; @@ -1084,6 +1088,7 @@ void security_fixup_ops(struct security_operations *ops) set_to_cap_if_null(ops, socket_setsockopt); set_to_cap_if_null(ops, socket_getsockopt); set_to_cap_if_null(ops, socket_shutdown); + set_to_cap_if_null(ops, socket_close); set_to_cap_if_null(ops, socket_sock_rcv_skb); set_to_cap_if_null(ops, socket_getpeersec_stream); set_to_cap_if_null(ops, socket_getpeersec_dgram); diff --git a/security/security.c b/security/security.c index 122b748..288c3a8 100644 --- a/security/security.c +++ b/security/security.c @@ -1118,6 +1118,11 @@ int security_socket_shutdown(struct socket *sock, int how) return security_ops->socket_shutdown(sock, how); } +void security_socket_close(struct socket *sock) +{ + return security_ops->socket_close(sock); +} + int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) { return security_ops->socket_sock_rcv_skb(sk, skb); -- 1.6.3.3 -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |