linux/security/root_plug.c
<<
>>
Prefs
   1/*
   2 * Root Plug sample LSM module
   3 *
   4 * Originally written for a Linux Journal.
   5 *
   6 * Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
   7 *
   8 * Prevents any programs running with egid == 0 if a specific USB device
   9 * is not present in the system.  Yes, it can be gotten around, but is a
  10 * nice starting point for people to play with, and learn the LSM
  11 * interface.
  12 *
  13 * If you want to turn this into something with a semblance of security,
  14 * you need to hook the task_* functions also.
  15 *
  16 * See http://www.linuxjournal.com/article.php?sid=6279 for more information
  17 * about this code.
  18 *
  19 *      This program is free software; you can redistribute it and/or
  20 *      modify it under the terms of the GNU General Public License as
  21 *      published by the Free Software Foundation, version 2 of the
  22 *      License.
  23 */
  24
  25#include <linux/kernel.h>
  26#include <linux/init.h>
  27#include <linux/security.h>
  28#include <linux/usb.h>
  29#include <linux/moduleparam.h>
  30
  31/* flag to keep track of how we were registered */
  32static int secondary;
  33
  34/* default is a generic type of usb to serial converter */
  35static int vendor_id = 0x0557;
  36static int product_id = 0x2008;
  37
  38module_param(vendor_id, uint, 0400);
  39module_param(product_id, uint, 0400);
  40
  41/* should we print out debug messages */
  42static int debug = 0;
  43
  44module_param(debug, bool, 0600);
  45
  46#define MY_NAME "root_plug"
  47
  48#define root_dbg(fmt, arg...)                                   \
  49        do {                                                    \
  50                if (debug)                                      \
  51                        printk(KERN_DEBUG "%s: %s: " fmt ,      \
  52                                MY_NAME , __FUNCTION__ ,        \
  53                                ## arg);                        \
  54        } while (0)
  55
  56static int rootplug_bprm_check_security (struct linux_binprm *bprm)
  57{
  58        struct usb_device *dev;
  59
  60        root_dbg("file %s, e_uid = %d, e_gid = %d\n",
  61                 bprm->filename, bprm->e_uid, bprm->e_gid);
  62
  63        if (bprm->e_gid == 0) {
  64                dev = usb_find_device(vendor_id, product_id);
  65                if (!dev) {
  66                        root_dbg("e_gid = 0, and device not found, "
  67                                 "task not allowed to run...\n");
  68                        return -EPERM;
  69                }
  70                usb_put_dev(dev);
  71        }
  72
  73        return 0;
  74}
  75
  76static struct security_operations rootplug_security_ops = {
  77        /* Use the capability functions for some of the hooks */
  78        .ptrace =                       cap_ptrace,
  79        .capget =                       cap_capget,
  80        .capset_check =                 cap_capset_check,
  81        .capset_set =                   cap_capset_set,
  82        .capable =                      cap_capable,
  83
  84        .bprm_apply_creds =             cap_bprm_apply_creds,
  85        .bprm_set_security =            cap_bprm_set_security,
  86
  87        .task_post_setuid =             cap_task_post_setuid,
  88        .task_reparent_to_init =        cap_task_reparent_to_init,
  89
  90        .bprm_check_security =          rootplug_bprm_check_security,
  91};
  92
  93static int __init rootplug_init (void)
  94{
  95        /* register ourselves with the security framework */
  96        if (register_security (&rootplug_security_ops)) {
  97                printk (KERN_INFO 
  98                        "Failure registering Root Plug module with the kernel\n");
  99                /* try registering with primary module */
 100                if (mod_reg_security (MY_NAME, &rootplug_security_ops)) {
 101                        printk (KERN_INFO "Failure registering Root Plug "
 102                                " module with primary security module.\n");
 103                        return -EINVAL;
 104                }
 105                secondary = 1;
 106        }
 107        printk (KERN_INFO "Root Plug module initialized, "
 108                "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
 109        return 0;
 110}
 111
 112security_initcall (rootplug_init);
 113