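/*
 * Root Plug sample LSM module
 *
 * Originally written for a Linux Journal.
 *
 * Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
 *
 * Prevents any programs running with egid == 0 if a specific USB device
 * is not present in the system.  Yes, it can be gotten around, but is a
 * nice starting point for people to play with, and learn the LSM
 * interface.
 *
 * If you want to turn this into something with a semblance of security,
 * you need to hook the task_* functions also.
 *
 * See http://www.linuxjournal.com/article.php?sid=6279 for more information
 * about this code.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/security.h>
#include <linux/usb.h>
#include <linux/moduleparam.h>

/*
 * USB vendor/product id of the "key" device; default is a generic type of
 * usb to serial converter.  Declared unsigned so the variables match the
 * "uint" type that module_param() checks them against (the former "int"
 * declarations tripped the param type check).  Values are handed to
 * usb_find_device(), which takes 16-bit ids, so anything wider is truncated.
 * Mode 0400: only root can read the ids via sysfs and nobody can change them
 * after module load.
 */
static unsigned int vendor_id = 0x0557;
static unsigned int product_id = 0x2008;

module_param(vendor_id, uint, 0400);
module_param(product_id, uint, 0400);

/* should we print out debug messages (0600: root may toggle at runtime) */
static int debug = 0;

module_param(debug, bool, 0600);

#define MY_NAME "root_plug"

/*
 * Debug printk, emitted only while "debug" is set.  Note that with debug on,
 * the filename and effective ids of every exec end up in the kernel log.
 */
#define root_dbg(fmt, arg...)					\
	do {							\
		if (debug)					\
			printk(KERN_DEBUG "%s: %s: " fmt ,	\
				MY_NAME , __func__ ,		\
				## arg);			\
	} while (0)

/*
 * bprm_check_security hook: runs once per exec, before the new image starts.
 *
 * Returns 0 to allow the exec, or -EPERM when the new image would run with
 * egid == 0 and the key device is not plugged in.
 *
 * This is a point-in-time check: a task that was allowed to start is never
 * re-evaluated if the device is unplugged afterwards, and only the egid is
 * consulted (not euid or capabilities).  That is why the file header says the
 * task_* hooks must also be implemented for anything resembling enforcement.
 */
static int rootplug_bprm_check_security(struct linux_binprm *bprm)
{
	struct usb_device *dev;

	/* uid_t/gid_t are unsigned in the kernel, hence %u */
	root_dbg("file %s, e_uid = %u, e_gid = %u\n",
		bprm->filename, bprm->cred->euid, bprm->cred->egid);

	if (bprm->cred->egid != 0)
		return 0;

	/* usb_find_device() returns a referenced device; drop it once checked */
	dev = usb_find_device(vendor_id, product_id);
	if (!dev) {
		root_dbg("e_gid = 0, and device not found, "
			"task not allowed to run...\n");
		return -EPERM;
	}
	usb_put_dev(dev);

	return 0;
}

/*
 * Hook table.  Everything except bprm_check_security is delegated to the
 * stock capability implementation so that the usual capability semantics
 * keep working with this module loaded.
 */
static struct security_operations rootplug_security_ops = {
	/* Use the capability functions for some of the hooks */
	.ptrace_may_access =		cap_ptrace_may_access,
	.ptrace_traceme =		cap_ptrace_traceme,
	.capget =			cap_capget,
	.capset =			cap_capset,
	.capable =			cap_capable,

	.bprm_set_creds =		cap_bprm_set_creds,

	.task_fix_setuid =		cap_task_fix_setuid,
	.task_prctl =			cap_task_prctl,

	.bprm_check_security =		rootplug_bprm_check_security,
};

/*
 * Module init: register the hook table with the security framework.
 *
 * Returns 0 on success; on failure the error from register_security() is
 * propagated rather than collapsed to -EINVAL, so the real cause (e.g.
 * another LSM already registered) is visible to the caller.
 */
static int __init rootplug_init(void)
{
	int rc;

	/* register ourselves with the security framework */
	rc = register_security(&rootplug_security_ops);
	if (rc) {
		printk(KERN_INFO
			"Failure registering Root Plug module with the kernel\n");
		return rc;
	}
	printk(KERN_INFO "Root Plug module initialized, "
		"vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
	return 0;
}

security_initcall(rootplug_init);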