
realtime-lsm for default Debian kernel



Hi,

with the attached patch, you can use realtime-lsm (realtime capabilities
for ordinary users for e.g. JACK applications).

Note: This change is only useful for CONFIG_SECURITY_CAPABILITIES=y
configurations like the current Debian kernels. As soon as the kernel
really supports general stackable LSM, all this should become obsolete.

Background: What realtime-lsm currently does is replace the
capability_ops of the default security capabilities. This is done by
unloading the capability module and loading realtime.ko instead (the two
can't be used together). This approach is unusable on Debian kernels
built with CONFIG_SECURITY_CAPABILITIES=y. The attached patch instead
unregisters the current capabilities (only if really necessary, the old
approach of trying to register "realtime" as a secondary module on
problems is kept). On realtime.ko unload, the old state is restored.

The only potential problem I see is loading realtime.ko, unloading
capability.ko and then unloading realtime.ko (which restores
capabilities of a module that doesn't exist anymore: capability.ko).
Maybe we can guard against that, somehow? But this would be the
CONFIG_SECURITY_CAPABILITIES=m case, where we need to get rid of
capability.ko before loading realtime.ko anyway. Kind of academical
question...

So what do you think?

Thanks,

Roland
--- realtime-lsm/Makefile	2006-07-10 02:26:22.000000000 +0200
+++ realtime-lsm-new/Makefile	2007-04-04 15:14:37.000000000 +0200
@@ -1,7 +1,6 @@
 PACKAGE := realtime-lsm
 VERSION := 0.8.7
 SOURCES := Makefile realtime.c
-COMMONCAP := commoncap.c
 DIST_EXTRA := AUTHORS ChangeLog COPYING INSTALL README
 DISTFILES := $(SOURCES) $(DIST_EXTRA)
 
@@ -11,28 +10,17 @@
 
 obj-m := realtime.o
 
-realtime-objs:= realtime.o commoncap.o
-
 
 ifndef KERNELRELEASE
 
-all:	$(SOURCES) config
+all:	$(SOURCES)
 	$(MAKE) modules -C $(KERNEL_DIR) SUBDIRS=$(shell pwd)
 
-config:
-	@if grep CONFIG_SECURITY_CAPABILITIES=m $(KERNEL_DIR)/.config; \
-	then ln -sf $(KERNEL_DIR)/security/$(COMMONCAP) .; \
-	else echo "Failed: Security Capabilities not configured as module"; \
-	     echo "Realtime LSM will not work with $(KERNEL_DIR)"; \
-	     echo "Please rerun \`make config' on the kernel and try again."; \
-	     false; \
-	fi
-
 install:
 	$(MAKE) modules_install -C $(KERNEL_DIR) SUBDIRS=$(shell pwd)
 
 clean:
-	-rm -f *.ko *.o $(COMMONCAP)
+	-rm -f *.ko *.o
 	-rm -f *.mod.* .*.cmd
 	-rm -rf .tmp_versions
 
--- realtime-lsm/realtime.c	2006-05-22 20:11:02.000000000 +0200
+++ realtime-lsm-new/realtime.c	2007-04-04 15:16:51.000000000 +0200
@@ -94,6 +94,8 @@
 #define MY_NAME __stringify(KBUILD_MODNAME)
 
 static int secondary;	/* flag to keep track of how we were registered */
+static int substitute;  /* we substituted current / default security ops */
+static struct security_operations *old_ops;
 
 static int __init realtime_init(void)
 {
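Review bot: `old_ops` is declared without a comment, while both flags beside it have one, and it is the one piece of state that has to stay valid for as long as the module is loaded. A line such as `/* primary ops displaced in realtime_init(); only meaningful when substitute is set */` would make that explicit. It would also help to note that `secondary` and `substitute` are mutually exclusive, which the new `else` branch in the next hunk implies but nothing states.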
@@ -102,13 +104,30 @@
 
 		/* try registering with primary module */
 		if (mod_reg_security(MY_NAME, &capability_ops)) {
-			printk(KERN_INFO RT_ERR "Failure registering "
-			       "capabilities with primary security module.\n");
-			printk(KERN_INFO RT_ERR "Is kernel configured "
-			       "with CONFIG_SECURITY_CAPABILITIES=m?\n");
-			return -EINVAL;
+
+			/* try to unregister current (default) capabilities */
+			old_ops = security_ops;
+			if (unregister_security(security_ops)) {
+				printk(KERN_INFO RT_ERR "Failure on "
+					"unregistering old capabilities.\n");
+				return -EINVAL;
+			}
+
+			/* substitute with realtime capabilities */
+			if (register_security(&capability_ops)) {
+				printk(KERN_INFO RT_ERR "Failure registering "
+					"substitute security capabilities.\n");
+				if (register_security(old_ops)) {
+					printk(KERN_ERR "FATAL: Couldn't "
+						"re-register old security "
+						"capabilities. Lost them!\n");
+				}
+				return -EINVAL;
+			}
+			substitute = 1;
+		} else {
+			secondary = 1;
 		}
-		secondary = 1;
 	}
 
 	if (rt_any)
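Review bot: `unregister_security(security_ops)` in the new fallback branch removes whatever primary security module is installed at that moment, and nothing here confirms that it is the built-in capability module the comment refers to. If a different LSM is primary and declines the `mod_reg_security()` request, loading realtime.ko would silently displace it, so the branch should at least log the replacement at warning level, e.g. `printk(KERN_WARNING RT_ERR "Replacing the primary security module.\n");`, and preferably be opt-in. Between the unregister and the following `register_security(&capability_ops)` the kernel presumably runs on its fallback ops, and no locking is visible around the swap, so hooks that fire in that window are decided by neither policy; a why-comment naming that window would help the next maintainer. The `FATAL` path returns with the old ops lost and the module not loaded, which also deserves a comment. realtime_init's body starts and ends outside this hunk.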
@@ -136,6 +155,12 @@
 		printk(KERN_INFO RT_ERR
 		       "Failure unregistering capabilities with the kernel\n");
 	}
+	if (substitute) {
+		if (register_security(old_ops)) {
+			printk(KERN_INFO RT_ERR "Failure re-registering "
+				"default capabilities with the kernel\n");
+		}
+	}
 	printk(KERN_INFO "Realtime Capability LSM exiting\n");
 }
 
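Review bot: The re-registration failure added at the end of the exit path is logged at `KERN_INFO`, although it means the module is unloading without the original security ops restored; the equivalent failure in realtime_init is logged at `KERN_ERR`. I would use `printk(KERN_ERR RT_ERR "Failure re-registering "` here as well. The new block also runs when the preceding unregister has just reported failure (the context lines above it), in which case `register_security(old_ops)` is likely to fail too, so it would be cleaner to attempt the restore only after a successful unregister. The exit function starts outside this hunk.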
