On Mon, 24 Jan 2005 00:58:08 EST, John Richard Moser said: > I believe this would be sufficient to finish an LSM module to implement > linking restrictions from GrSecurity. I did Symlinks in an LSM module, > but haven't tested it out; it's purely academic. > The hook here would be used (in my academic exploration) to prevent hard > links from being created to files you don't own, unless you're root.
You don't need a hook there to do that. The inode_link hook should be
sufficient,
using code something like this:
+int vtkit_link (struct dentry *old_entry, struct inode *dir, struct dentry
*new_entry)
+{
+ struct inode *i_target = old_entry->d_inode;
+ struct inode *i_new = new_entry->d_inode;
+ int perm_check = 0;
+
+ /* We check as follows - if the target of the link isn't owned by us,
+ * and we're not a privileged user, then we complain if any of the
+ * following are true:
+ * 1) It's not a special file
+ * 2) the target is set-uid or set-gid
+ * 3) user doesn't have permission to the target
+ *
+ * Yes, a "current->uid" check is pig-headed and wrong in the context
of a
+ * system that uses priv separation...
+ */
+ perm_check = generic_permission(i_target, MAY_READ | MAY_WRITE, NULL);
+ if (security_safe_hardlink && (current->fsuid != i_target->i_uid) &&
+ !capable(CAP_FOWNER) && current->uid &&
+ (!S_ISREG(i_target->i_mode) || (i_target->i_mode & S_ISUID) ||
+ ((i_target->i_mode & (S_ISGID | S_IXGRP)) == (S_ISGID |
S_IXGRP)) ||
+ perm_check)) {
+ printk(KERN_NOTICE "vtkit - rejecting hard link (target
UID %d) by PID %d (uid=%d, comm=%s)\n",
+ i_target->i_uid, current->pid, current->uid,
current->comm);
+ return (perm_check ? perm_check:-EPERM);
+ }
+ return 0;
+}
If I'm missing something here, please let me know... ;)
pgpfildz233W5.pgp
Description: PGP signature
