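/*
 * Root Plug sample LSM module
 *
 * Originally written for a Linux Journal.
 *
 * Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
 *
 * Refuses to exec any program that would run with egid == 0 unless a
 * specific USB device (matched by USB vendor/product ID only) is present
 * in the system.  Yes, it can be gotten around, but is a nice starting
 * point for people to play with, and learn the LSM interface.
 *
 * Known limitations -- this is a teaching module, not a security control:
 *
 *  - Only the bprm_check_security hook is implemented below, so the test
 *    runs at exec time only.  Processes that are already running with
 *    egid 0, or that change their gid after exec, are never examined.
 *    If you want to turn this into something with a semblance of
 *    security, you need to hook the task_* functions also.
 *  - Only the effective gid is tested.  A program that would run with
 *    euid 0 but a non-zero egid is allowed through.
 *  - Unplugging the device after a successful exec has no effect on
 *    programs that are already running.
 *  - The device is recognised purely by its vendor/product ID, and any
 *    USB device can be made to advertise those values.
 *
 * See http://www.linuxjournal.com/article.php?sid=6279 for more information
 * about this code.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include <linux/config.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/security.h>
#include <linux/usb.h>

/*
 * Flag to keep track of how we were registered: 0 when we are the
 * primary security module, 1 when we were stacked on top of another
 * module via mod_reg_security().  rootplug_exit() uses it to pick the
 * matching unregister call.
 */
static int secondary;

/*
 * USB IDs of the "key" device.  Default is a generic type of usb to
 * serial converter.  Declared unsigned so the variables agree with the
 * "uint" type handed to module_param() below.
 */
static unsigned int vendor_id = 0x0557;
static unsigned int product_id = 0x2008;

/* 0400: readable by root only, never writable through sysfs */
module_param(vendor_id, uint, 0400);
MODULE_PARM_DESC(vendor_id, "USB Vendor ID of device to look for");

module_param(product_id, uint, 0400);
MODULE_PARM_DESC(product_id, "USB Product ID of device to look for");

/* should we print out debug messages (root may toggle this at runtime) */
static int debug = 0;

module_param(debug, bool, 0600);
MODULE_PARM_DESC(debug, "Debug enabled or not");

#if defined(CONFIG_SECURITY_ROOTPLUG_MODULE)
#define MY_NAME THIS_MODULE->name
#else
#define MY_NAME "root_plug"
#endif

/* Debug printk that is compiled in but only emits when "debug" is set. */
#define root_dbg(fmt, arg...)					\
	do {							\
		if (debug)					\
			printk(KERN_DEBUG "%s: %s: " fmt ,	\
				MY_NAME , __FUNCTION__ ,	\
				## arg);			\
	} while (0)

/*
 * rootplug_bprm_check_security - exec-time gate on egid 0
 * @bprm: the binary about to be executed; e_uid/e_gid are the
 *        credentials it would run with
 *
 * Returns 0 to allow the exec, or -EPERM when the program would run with
 * egid == 0 and the configured USB device cannot be found.
 *
 * This is the only hook root_plug implements itself (see the
 * security_operations table below), so this is the only point at which
 * the device is ever looked up.  Anything that already runs, or that
 * acquires egid 0 without going through exec, is not covered.
 */
static int rootplug_bprm_check_security(struct linux_binprm *bprm)
{
	struct usb_device *dev;

	/* uid_t/gid_t are unsigned in the kernel, hence %u */
	root_dbg("file %s, e_uid = %u, e_gid = %u\n",
		 bprm->filename, bprm->e_uid, bprm->e_gid);

	/*
	 * Only the effective gid is policed.  euid 0 on its own does not
	 * trigger the device lookup.
	 */
	if (bprm->e_gid != 0)
		return 0;

	dev = usb_find_device(vendor_id, product_id);
	if (!dev) {
		root_dbg("e_gid = 0, and device not found, "
			 "task not allowed to run...\n");
		return -EPERM;
	}

	/* we only needed to know it exists; drop the reference we were handed */
	usb_put_dev(dev);
	return 0;
}

/*
 * Everything except bprm_check_security is delegated to the capability
 * module's implementations, so root_plug behaves like "capability" plus
 * the one extra exec check.
 */
static struct security_operations rootplug_security_ops = {
	/* Use the capability functions for some of the hooks */
	.ptrace =			cap_ptrace,
	.capget =			cap_capget,
	.capset_check =			cap_capset_check,
	.capset_set =			cap_capset_set,
	.capable =			cap_capable,

	.bprm_apply_creds =		cap_bprm_apply_creds,
	.bprm_set_security =		cap_bprm_set_security,

	.task_post_setuid =		cap_task_post_setuid,
	.task_reparent_to_init =	cap_task_reparent_to_init,

	.bprm_check_security =		rootplug_bprm_check_security,
};

/*
 * rootplug_init - register with the security framework
 *
 * Tries to become the primary security module first; if another module
 * already holds that slot, falls back to registering as a secondary
 * module with it and records that choice in "secondary".
 *
 * Returns 0 on success, -EINVAL if neither registration succeeded.
 */
static int __init rootplug_init(void)
{
	/* register ourselves with the security framework */
	if (register_security(&rootplug_security_ops)) {
		printk(KERN_INFO
			"Failure registering Root Plug module with the kernel\n");
		/* try registering with primary module */
		if (mod_reg_security(MY_NAME, &rootplug_security_ops)) {
			printk(KERN_INFO "Failure registering Root Plug "
				" module with primary security module.\n");
			return -EINVAL;
		}
		secondary = 1;
	}
	printk(KERN_INFO "Root Plug module initialized, "
		"vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
	return 0;
}

/*
 * rootplug_exit - undo whichever registration rootplug_init() performed
 *
 * Failures are only logged; there is nothing more a module exit path
 * can do about them.
 */
static void __exit rootplug_exit(void)
{
	/* remove ourselves from the security framework */
	if (secondary) {
		if (mod_unreg_security(MY_NAME, &rootplug_security_ops))
			printk(KERN_INFO "Failure unregistering Root Plug "
				" module with primary module.\n");
	} else {
		if (unregister_security(&rootplug_security_ops)) {
			printk(KERN_INFO "Failure unregistering Root Plug "
				"module with the kernel\n");
		}
	}
	printk(KERN_INFO "Root Plug module removed\n");
}

security_initcall(rootplug_init);
module_exit(rootplug_exit);

MODULE_DESCRIPTION("Root Plug sample LSM module, written for Linux Journal article");
MODULE_LICENSE("GPL");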