lids-1.1.1r2-2.4.18.patch

关于LINUX安全内核的源代码

+        }
+#endif
 	error = vfs_readdir(file, filldir64, &buf);
 	if (error < 0)
 		goto out_putf;
diff -Nru linux-2.4.18-ori/fs/super.c linux-2.4.18-lids-1.1.1r2/fs/super.c
--- linux-2.4.18-ori/fs/super.c	Mon Feb 25 20:38:09 2002
+++ linux-2.4.18-lids-1.1.1r2/fs/super.c	Thu Apr 11 18:02:44 2002
@@ -54,6 +54,10 @@
 LIST_HEAD(super_blocks);
 spinlock_t sb_lock = SPIN_LOCK_UNLOCKED;
 
+#ifdef CONFIG_LIDS
+#include <linux/lidsext.h>
+#endif
+
 /*
  * Handling of filesystem drivers list.
  * Rules:
@@ -857,8 +861,12 @@
 		return ERR_PTR(-EINVAL);
 
 	/* we need capabilities... */
-	if (!capable(CAP_SYS_ADMIN))
+	if (!capable(CAP_SYS_ADMIN)) {
+#ifdef CONFIG_LIDS
+		lids_security_alert("CAP_SYS_ADMIN violation: try to mount %s",name);
+#endif
 		return ERR_PTR(-EPERM);
+	}
 
 	/* ... filesystem driver... */
 	fstype = get_fs_type(type);
diff -Nru linux-2.4.18-ori/include/linux/capability.h linux-2.4.18-lids-1.1.1r2/include/linux/capability.h
--- linux-2.4.18-ori/include/linux/capability.h	Thu Nov 22 20:46:19 2001
+++ linux-2.4.18-lids-1.1.1r2/include/linux/capability.h	Wed Apr 17 13:46:09 2002
@@ -279,6 +279,18 @@
 
 #define CAP_LEASE            28
 
+#ifdef CONFIG_LIDS
+/* hide the process from the system */
+#define CAP_HIDDEN      29
+
+/* Allow the process to KILL protected programms */
+#define CAP_KILL_PROTECTED  30 
+
+/* Protect the process from signals */
+#define CAP_PROTECTED  31
+#endif
+
+
 #ifdef __KERNEL__
 /* 
  * Bounding set
diff -Nru linux-2.4.18-ori/include/linux/lids.h linux-2.4.18-lids-1.1.1r2/include/linux/lids.h
--- linux-2.4.18-ori/include/linux/lids.h	Thu Jan  1 01:00:00 1970
+++ linux-2.4.18-lids-1.1.1r2/include/linux/lids.h	Tue Apr 30 14:58:52 2002
@@ -0,0 +1,59 @@
+#ifndef LIDS_H
+#define LIDS_H
+
+/*
+ * This file include everything needed for LIDS internals.
+ * The biggest part is included from in lidsif.h
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/sysctl.h>
+#include <linux/slab.h>
+#include <linux/tty.h>
+
+#include <linux/lidsext.h>
+#include <linux/lidsif.h>
+
+#define LIDS_VERSION	"1.1.1r2"
+
+
+/* FIXME: some more externals in kernel/signal.c and kernel/sysctl.c */
+
+extern int lids_load;		/* 1 = load ids protection , 0 = don't load */
+extern lids_flags_t lids_flags;	/* 1 = load ids protection , 0 = don't load */
+extern int lids_local_on;
+extern unsigned long lids_current;
+extern lids_flags_t lids_flags;
+
+int _open_namei(const char * pathname, int flag, int mode, struct nameidata *nd);
+struct file *_filp_open(const char * filename, int flags, int mode);
+
+extern int lids_proc_locks_sysctl(ctl_table *table, int write, struct file *filp, void *buffer, size_t *lenp, int conv, int op);
+extern int lids_init(void);
+extern void exit_lids(struct task_struct *tsk);
+
+extern int lids_init_task_acl(struct lids_task_acl *acl);
+extern int lids_compute_acls(struct lids_task_acl *current_acl,struct lids_sys_acl *new_sys_acl,struct lids_task_acl *computed_acl);
+extern void lids_get_task_acl(struct lids_task_acl *acl,struct task_struct *task);
+extern void lids_set_task_acl(struct lids_task_acl *acl,struct task_struct *task);
+extern int lids_task_acl_deep_copy(struct lids_task_acl *dst,struct lids_task_acl *src);
+extern void lids_free_lids_task_acl(struct lids_task_acl *acl);
+
+extern struct lids_sys_acl * lids_search_acl(unsigned long int ino,kdev_t dev,unsigned long lids_curr);
+extern int lids_check_base(struct dentry *base, int flag);
+extern int lids_set_flags(struct lids_sys_acl *);
+extern int lids_check_hidden_inode(unsigned long int ino,kdev_t dev);
+extern int lids_bind_checker(const int);
+extern int lids_local_off(void);
+
+#ifdef CONFIG_LIDS_SA_THROUGH_NET
+extern int lids_klids_init(void);
+extern void lids_send_message(char *msg,int len);
+#endif
+#ifdef CONFIG_LIDS_PORT_SCAN_DETECTOR
+extern void lids_port_scanner_detector_init(void);
+extern int lids_check_scan(__u32 addr,__u16 port); 
+#endif
+
+#endif /* LIDS_H */
diff -Nru linux-2.4.18-ori/include/linux/lidsext.h linux-2.4.18-lids-1.1.1r2/include/linux/lidsext.h
--- linux-2.4.18-ori/include/linux/lidsext.h	Thu Jan  1 01:00:00 1970
+++ linux-2.4.18-lids-1.1.1r2/include/linux/lidsext.h	Wed Apr 17 13:46:07 2002
@@ -0,0 +1,101 @@
+#ifndef LIDSEXT_H
+#define LIDSEXT_H
+
+/*
+ * This file contains LIDS macros needed for logging and debugging,
+ * used about everywhere in the kernel.
+ *
+ */
+
+/* needed extern declarations */
+
+#include <linux/config.h>
+
+extern void lids_cap_log(int);
+extern int lids_cap_time_checker(const int);
+extern int lids_local_off(void);
+extern int lids_reload_conf;
+extern int lids_load;
+extern int lids_local_on;
+extern int lids_local_pid;
+extern int lids_first_time;
+
+
+#ifdef CONFIG_LIDS_DEBUG
+#define LIDS_DEBUG
+#endif
+
+#define LIDS_STR2(x) #x
+#define LIDS_STR(X) LIDS_STR2(X)
+
+#ifdef LIDS_DEBUG
+#define LIDS_DBG(msg...)  printk(KERN_DEBUG "LIDS." __FUNCTION__ ".l" LIDS_STR(__LINE__) ": " ##msg)
+#else
+#define LIDS_DBG(msg...)
+#endif
+
+
+#ifdef CONFIG_LIDS_HANGUP
+extern void lids_hangup_console(void);
+#else
+#define lids_hangup_console() do {} while (0)
+#endif
+
+
+extern void lids_log(int flood, char *message, ...);
+
+
+#ifdef CONFIG_LIDS_NO_FLOOD_LOG
+
+#define lids_security_alert(message, args...)                                       \
+do {                                                                       	    \
+	if (lids_load && lids_local_load) {					    \
+		static unsigned long warning_time = 0, no_flood_yet = 0;            \
+		static spinlock_t lids_security_alert_lock = SPIN_LOCK_UNLOCKED;    \
+									   	    \
+		spin_lock(&lids_security_alert_lock);                               \
+										    \
+/* Make sure at least CONFIG_LIDS_TIMEOUT_AFTER_FLOOD 			   	    \
+ * passed since the last warning logged 				   	    \
+ */ 									   	    \
+		if ((!warning_time) || 					            \
+		    (jiffies-warning_time > CONFIG_LIDS_TIMEOUT_AFTER_FLOOD*HZ)) {  \
+			warning_time = jiffies; no_flood_yet = 1;                   \
+			lids_log(0, message , ## args);                             \
+		} else if (no_flood_yet) {                                          \
+			warning_time = jiffies; no_flood_yet = 0;                   \
+			lids_log(1, message , ## args);                             \
+		}                                                           	    \
+		spin_unlock(&lids_security_alert_lock);                             \
+		lids_hangup_console();                                              \
+	}									    \
+} while(0)
+
+#else /* CONFIG_LIDS_NO_FLOOD_LOG */
+
+#define lids_security_alert(message, args...)                                      \
+do {                                                                       	   \
+	if (lids_load && lids_local_load) {					   \
+		static spinlock_t lids_security_alert_lock = SPIN_LOCK_UNLOCKED;   \
+										   \
+		spin_lock(&lids_security_alert_lock);                              \
+		lids_log(0, message , ## args);                                    \
+		spin_unlock(&lids_security_alert_lock);                            \
+		lids_hangup_console();    					   \
+	}				   					   \
+} while(0)
+
+#endif /* CONFIG_LIDS_NO_FLOOD_LOG */
+
+
+
+#ifdef CONFIG_LIDS_ALLOW_SWITCH
+#define lids_local_load ( lids_local_on || (!lids_local_off()) )
+#else
+#define lids_local_load 1
+#endif /* CONFIG_LIDS_ALLOW_SWITCH */
+
+
+
+
+#endif /* LIDSEXT_H */
diff -Nru linux-2.4.18-ori/include/linux/lidsif.h linux-2.4.18-lids-1.1.1r2/include/linux/lidsif.h
--- linux-2.4.18-ori/include/linux/lidsif.h	Thu Jan  1 01:00:00 1970
+++ linux-2.4.18-lids-1.1.1r2/include/linux/lidsif.h	Wed Apr 17 13:46:09 2002
@@ -0,0 +1,157 @@
+#ifndef LIDSIF_H
+#define LIDSIF_H
+
+
+/*
+ * This file contains every definitions needed for interfacing
+ * kernel part and user space part of LIDS
+ *
+ */
+
+
+/* 
+ * If the file is not compiled for the kernel,
+ * it must include  replacement file which contains
+ * a copy of every internal structure needed 
+ *
+ */
+
+#ifdef __KERNEL__
+#include <linux/kdev_t.h>
+#include <linux/capability.h>
+#else
+#include <kernel_inc.h>
+#endif
+
+
+/* 
+ * Here begin the common structures, shared by LIDS and 
+ * lidstools
+ *
+ */
+
+
+#define LIDS_FLAGS_LIDS_ON              0
+#define LIDS_FLAGS_RELOAD_CONF          1      
+#define LIDS_FLAGS_LIDS_LOCAL_ON        2
+
+#define LIDS_MAX_DOMAIN         64
+/*
+ *      ACL target.
+ */
+
+#define LIDS_DENY       0       /* DENY ACCESS*/
+#define LIDS_READONLY   1       /* Read Only File */
+#define LIDS_APPEND     2       /* APPEND ONLY FILE */
+#define LIDS_WRITE      4       /* Protect Writing to device */
+#define LIDS_IGNORE     8       /* Ignore the protection */
+#define LIDS_CAP        16      /* acl type is capability */
+
+/* 
+ * Me ? Paranoiac !?
+ *
+ * The magic numbers are all around the encrypted password.
+ * They have a null byte to bother ASCIIZ functions.
+ */
+
+#define LIDS_MAGIC_1 0x004e6741
+#define LIDS_MAGIC_2 0x68002d62
+#define LIDS_MAGIC_3 0xe68400c3
+#define LIDS_MAGIC_4 0xd94aa400
+
+#define LIDS_FLAG_FULL_SET            (~0)
+#define LIDS_FLAG_TO_MASK(flag)       (1 << (flag))
+#define lids_flag_raise(flag, bit)    ((flag) |= LIDS_FLAG_TO_MASK(bit))
+#define lids_flag_lower(flag, bit)    ((flag) &= ~LIDS_FLAG_TO_MASK(bit))
+#define lids_flag_raised(flag, bit)   ((flag) & LIDS_FLAG_TO_MASK(bit) & LIDS_FLAG_FULL_SET)
+
+
+
+#define LIDS_TIME_ITEM  2       
+#define LIDS_PORT_ITEM  16 
+
+
+typedef __u32 lids_flags_t;
+
+typedef char passwd_t[64];
+
+typedef struct lids_locks_s {
+        int magic1;
+        kernel_cap_t cap_bset;
+        int magic2;
+        lids_flags_t flags;
+        int magic3;
+        passwd_t passwd;
+        int magic4;
+} lids_locks_t;
+
+struct secure_ino {
+        unsigned long int ino;          /* the inode number */
+        kdev_t  dev;                    /* the dev number */
+        int     type;                   /* the file type */
+        time_t  from_time;
+        time_t  to_time;
+};
+
+struct allowed_ino {
+        unsigned long int ino;
+        kdev_t  dev;
+};
+
+/* use in task struct to represent the acl */
+struct lids_acl {
+        struct lids_acl *next;
+        unsigned long int ino;
+        kdev_t  dev;
+        int     type;                   /* READ WRITE APPEND DENY  */
+        int     inherit;                /* the inherit level */
+        time_t  time[LIDS_TIME_ITEM][2];                /* time restrition */
+};
+
+/* lids_domain define the process's execute domain */
+/*
+struct lids_domain {
+        int     counter;
+        struct dentry dentry[LIDS_MAX_DOMAIN];
+};
+*/
+
+struct lids_cap {
+        int inherit;                    /* this capabilities inherit level */
+        time_t time[LIDS_TIME_ITEM][2];         /* time ristrtiion */
+};
+/* save all the system defined acl here */
+struct lids_sys_acl {
+        unsigned long int ino;          /* the subject node number */
+        unsigned long flags;            /* capability flags */
+        struct lids_cap cap[32];        /* inheritable array*/
+        int forked;                     /* fork tags */
+        int port[LIDS_PORT_ITEM][2];
+        struct lids_acl *lids_acl;      /* object acl */
+        struct lids_acl *lids_domain;
+        kdev_t  dev;                    /* the subject dev number */
+};
+
+
+#ifdef __KERNEL__
+/* lids_domain define the process's execute domain */
+struct lids_domain {
+	int 	counter;
+	struct dentry dentry[LIDS_MAX_DOMAIN];
+};
+#endif
+
+struct lids_task_acl {
+	/* LIDS refrence box */
+	struct lids_sys_acl *lids_sys_acl;
+	unsigned long lids_cap;
+#ifdef CONFIG_LIDS_RELOAD_CONF
+	unsigned long lids_current;
+	unsigned long lids_ino;
+	kdev_t lids_dev;
+#endif
+};	
+
+
+
+#endif /* LIDSIF_H */
diff -Nru linux-2.4.18-ori/include/linux/rmd160.h linux-2.4.18-lids-1.1.1r2/include/linux/rmd160.h
--- linux-2.4.18-ori/include/linux/rmd160.h	Thu Jan  1 01:00:00 1970
+++ linux-2.4.18-lids-1.1.1r2/include/linux/rmd160.h	Thu Apr 11 18:02:44 2002
@@ -0,0 +1,138 @@
+/********************************************************************\
+ *
+ *      FILE:     rmd160.h
+ *
+ *      CONTENTS: Header file for a sample C-implementation of the
+ *                RIPEMD-160 hash-function. 
+ *      TARGET:   any computer with an ANSI C compiler
+ *
+ *      AUTHOR:   Antoon Bosselaers, ESAT-COSIC
+ *      DATE:     1 March 1996
+ *      VERSION:  1.0
+ *
+ *      Copyright (c) Katholieke Universiteit Leuven
+ *      1996, All Rights Reserved
+ *
+\********************************************************************/
+
+#ifndef  RMD160H           /* make sure this file is read only once */
+#define  RMD160H
+
+#define RMDsize 160
+
+/********************************************************************/
+
+/* typedef 8 and 32 bit types, resp.  */
+/* adapt these, if necessary, 
+   for your operating system and compiler */
+typedef    u8        byte;
+typedef    u32        dword;
+
+
+/********************************************************************/
+
+/* macro definitions */
+
+/* collect four bytes into one word: */
+#define BYTES_TO_DWORD(strptr)