Re: PATCH: "Kernel Insider" (security optimization)

David Wagner (daw@mozart.cs.berkeley.edu)
25 May 2001 04:59:47 GMT


>It's a linux kernel modification that allows one to decide which uid, pid or
>file can open a tcp socket in listening state.

- Putting access control on listen() [rather than socket()/bind()]
seems like a really bad idea. In particular, in some cases one can
bind to a port and receive messages on it without ever calling listen(),
if I am not mistaken.

- The use of sock_i_uid(sock) seems poorly chosen; if sock->socket==NULL,
then your module will mistakenly think that the action was requested by
uid 0. In general, the return value from sock_i_uid() cannot be trusted
for permission checks for several reasons. Why don't you simply use
current->euid for your permission checks?

- Checking pids doesn't seem like a good idea. If a process listed in
allowed_pids dies, then some other malicious process can wrap the pid
space and take over that trusted pid, thereby subverting your access
control policy.

- Are you aware of previous work on this subject? In particular, you
might enjoy checking out the Janus project, which is a much more general
implementation of this idea: http://www.cs.berkeley.edu/~daw/janus/

- You should really join the mailing list hosted by Crispin Cowan working
to develop kernel hooks for this sort of kernel security modification.
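Added example, not part of the original thread or the patch under discussion: a user-space C program illustrating the first point above, that a bound UDP socket receives datagrams without any listen() call, so a policy enforced only in a listen() hook never sees it. The loopback address, port 0 (kernel-chosen) and the payload are constructed for this demonstration.

```c
/* Added demonstration: a UDP socket bound on loopback receives a datagram
 * without listen() ever being called, so a listen()-only access check
 * cannot cover it. Addresses and payload are constructed for the demo. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 if a datagram sent to a bound-but-never-listened UDP socket
 * arrives intact, 0 on any failure (including a 2 s receive timeout). */
int udp_receives_without_listen(void)
{
    const char msg[] = "hello without listen";   /* constructed payload */
    char buf[64];
    struct sockaddr_in addr;
    socklen_t alen = sizeof(addr);
    struct timeval tv = { 2, 0 };                /* bound the recv() wait */
    ssize_t n;
    int ok = 0;

    int rx = socket(AF_INET, SOCK_DGRAM, 0);
    int tx = socket(AF_INET, SOCK_DGRAM, 0);
    if (rx < 0 || tx < 0)
        goto out;
    setsockopt(rx, SOL_SOCKET, SO_RCVTIMEO, &tv, sizeof(tv));

    memset(&addr, 0, sizeof(addr));
    addr.sin_family = AF_INET;
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    addr.sin_port = 0;                           /* kernel picks the port */
    if (bind(rx, (struct sockaddr *)&addr, sizeof(addr)) < 0)
        goto out;
    /* Learn the port the kernel assigned. Note: no listen() anywhere. */
    if (getsockname(rx, (struct sockaddr *)&addr, &alen) < 0)
        goto out;

    if (sendto(tx, msg, sizeof(msg), 0, (struct sockaddr *)&addr,
               sizeof(addr)) != (ssize_t)sizeof(msg))
        goto out;

    n = recv(rx, buf, sizeof(buf), 0);
    ok = (n == (ssize_t)sizeof(msg)) && memcmp(buf, msg, sizeof(msg)) == 0;
out:
    if (rx >= 0) close(rx);
    if (tx >= 0) close(tx);
    return ok;
}

int main(void) { return udp_receives_without_listen() ? 0 : 1; }
```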