Next: Devpts Up: Procfs Previous: Procfs Labeling Design   Contents

Procfs Labeling Implementation

The base.c:proc_pid_fill_inode function and the inode.c:proc_read_inode function in fs/proc were changed to copy the SID of the associated process into the inode for the process-specific files. The inode.c:proc_read_super function was changed to initialize the SID of the procfs root directory inode and of the procfs superblock to the proc initial SID. The initial SID was declared in flask/initial_sids and defined in the security policy configuration.

A sid field was added to the struct proc_dir_entry structure in include/linux/proc_fs.h. The field was added at the end of the structure to ensure that the statically declared structures could be left unchanged. The proc_root_kcore, proc_root_kmsg, and proc_sys_root definitions in fs/proc/root.c were changed to set the SID explicitly to a distinct initial SID value. The initial SIDs were declared in flask/initial_sids and defined in the security policy configuration.

The inode.c:proc_get_inode function was changed to copy the SID from the struct proc_dir_entry structure into the inode if the SID is non-null. This change permits entries to be individually labeled by setting the SID in the structure. If the SID is null, then the inode is left unlabeled by proc_get_inode.

The fs/proc/root.c:proc_lookup and fs/proc/fd.c:proc_lookupfd functions were changed to copy the SID from the parent directory inode if the inode is unlabeled after the call to proc_get_inode. These changes cause unlabeled entries to be automatically labeled with the SID of their parent directory.

A sid field was added to the struct ctl_table structure in include/linux/sysctl.h. The field was added at the end of the structure to ensure that the statically declared structures could be left unchanged. The kernel, vm, net, fs, and dev entries in the kernel/sysctl.c:root_table definition were changed to set the SID of each entry to a corresponding initial SID. The modprobe entry in the kern_table definition was changed to set the SID of the entry to a corresponding initial SID. The initial SIDs were declared in flask/initial_sids and defined in the security policy configuration.

The ctl_table_inherit_sid function was added to kernel/sysctl.c. This function traverses a sysctl table and ensures that all entries are labeled, using inheritance from the parent entry as necessary. The sysctl_init function was changed to call this function on the root_table.

The ctl_table_root_sid function was also added to kernel/sysctl.c. This function is used to copy the SIDs from the root sysctl table into the dummy entries in a dynamically registered sysctl table. The ctl_table_inherit_sid function may then be used to ensure that all of the entries in the dynamically registered sysctl table are labeled properly. The register_sysctl_table function was changed to call the two functions.

The register_proc_table function was changed to copy the SID of the ctl_table structure into the proc_dir_entry structure returned by create_proc_entry. This change ensures that the /proc/sys entries are labeled with the same SID as the corresponding sysctl entry.

The ctl_perm function was changed to check the Flask directory search permission when a table entry is being traversed. This function was also changed to check the Flask file read and/or write permissions when a table entry is being accessed. These changes ensure that the Flask controls are enforced when the sysctl system call is used. Since the ctl_perm function is also called by do_rw_proc, these checks are also performed, in addition to the checks on the /proc/sys inodes themselves, when a sysctl parameter is accessed through /proc/sys.
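The table labeling (ctl_table_inherit_sid, ctl_table_root_sid) and the ctl_perm checks described above, reduced to a user-space model as an added example. This is not code from the Flask kernel patch: the initial SID values, the subject SIDs SID_ADMIN and SID_USER, the table contents, the avc_allowed policy rules and the sysctl_access path walker are all constructed here. The parent-inheritance rule is the same one proc_lookup applies to unlabeled procfs inodes.

```c
/* Added example: user-space model of Flask sysctl labeling and ctl_perm checks.
 * Not the Flask kernel code; all SIDs, rules and tables are constructed. */
#include <errno.h>
#include <stddef.h>
#include <string.h>

typedef unsigned int security_id_t;

/* Constructed initial SIDs; the real ones are declared in flask/initial_sids. */
enum { SECSID_NULL = 0, SECINITSID_SYSCTL = 1, SECINITSID_SYSCTL_KERNEL = 2,
       SECINITSID_SYSCTL_MODPROBE = 3, SECINITSID_SYSCTL_VM = 4 };
enum { SID_ADMIN = 10, SID_USER = 11 };                 /* constructed process SIDs */
enum { DIR__SEARCH = 1u << 0, FILE__READ = 1u << 1, FILE__WRITE = 1u << 2 };

/* Cut-down struct ctl_table.  sid is the last field, as in the kernel change, so
 * static initializers that omit it leave it SECSID_NULL, meaning "inherit". */
struct ctl_table {
    const char *procname;      /* NULL terminates a table */
    struct ctl_table *child;   /* non-NULL for a directory entry */
    security_id_t sid;
};

static struct ctl_table kern_table[] = {
    { "ostype",   NULL, SECSID_NULL },                /* inherits from "kernel" */
    { "modprobe", NULL, SECINITSID_SYSCTL_MODPROBE }, /* explicitly labeled */
    { NULL, NULL, SECSID_NULL }
};
static struct ctl_table vm_table[] = {
    { "overcommit_memory", NULL, SECSID_NULL }, { NULL, NULL, SECSID_NULL }
};
static struct ctl_table root_table[] = {
    { "kernel", kern_table, SECINITSID_SYSCTL_KERNEL },
    { "vm",     vm_table,   SECINITSID_SYSCTL_VM },
    { NULL, NULL, SECSID_NULL }
};
/* A module's dynamically registered table; its "kernel" entry is a dummy that
 * only places mod_kern_table under /proc/sys/kernel. */
static struct ctl_table mod_kern_table[] = {
    { "my_param", NULL, SECSID_NULL }, { NULL, NULL, SECSID_NULL }
};
static struct ctl_table mod_table[] = {
    { "kernel", mod_kern_table, SECSID_NULL }, { NULL, NULL, SECSID_NULL }
};

/* Model of ctl_table_inherit_sid: unlabeled entries take the parent's SID. */
static void ctl_table_inherit_sid(struct ctl_table *table, security_id_t parent_sid)
{
    for (; table->procname; table++) {
        if (table->sid == SECSID_NULL)
            table->sid = parent_sid;
        if (table->child)
            ctl_table_inherit_sid(table->child, table->sid);
    }
}

/* Model of ctl_table_root_sid: copy root-table SIDs into matching dummy entries. */
static void ctl_table_root_sid(struct ctl_table *table, const struct ctl_table *root)
{
    for (; table->procname; table++)
        for (const struct ctl_table *r = root; r->procname; r++)
            if (table->sid == SECSID_NULL && strcmp(r->procname, table->procname) == 0)
                table->sid = r->sid;
}

/* What sysctl_init and register_sysctl_table do in the changed kernel. */
static void label_all_tables(void)
{
    ctl_table_inherit_sid(root_table, SECINITSID_SYSCTL);
    ctl_table_root_sid(mod_table, root_table);
    ctl_table_inherit_sid(mod_table, SECINITSID_SYSCTL);
}

/* Constructed stand-in for the security server's access-vector lookup. */
static unsigned int avc_allowed(security_id_t ssid, security_id_t tsid)
{
    static const struct { security_id_t ssid, tsid; unsigned int perms; } rules[] = {
        { SID_ADMIN, SECINITSID_SYSCTL,          DIR__SEARCH },
        { SID_ADMIN, SECINITSID_SYSCTL_KERNEL,   DIR__SEARCH | FILE__READ | FILE__WRITE },
        { SID_ADMIN, SECINITSID_SYSCTL_MODPROBE, FILE__READ | FILE__WRITE },
        { SID_USER,  SECINITSID_SYSCTL,          DIR__SEARCH },
        { SID_USER,  SECINITSID_SYSCTL_KERNEL,   DIR__SEARCH | FILE__READ },
        { SID_USER,  SECINITSID_SYSCTL_VM,       DIR__SEARCH | FILE__READ },
    };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        if (rules[i].ssid == ssid && rules[i].tsid == tsid)
            return rules[i].perms;
    return 0;
}

/* Model of the changed ctl_perm: 0 if ssid holds every bit of want on tsid. */
static int ctl_perm(security_id_t ssid, security_id_t tsid, unsigned int want)
{
    return (avc_allowed(ssid, tsid) & want) == want ? 0 : -EACCES;
}

/* Walk "dir/.../leaf" as sysctl(2) or /proc/sys would: DIR__SEARCH on the table
 * root and on each directory traversed, then the file permission on the leaf. */
static int sysctl_access(security_id_t ssid, struct ctl_table *table,
                         security_id_t table_sid, const char *path, unsigned int want)
{
    int rc = ctl_perm(ssid, table_sid, DIR__SEARCH);
    if (rc)
        return rc;
    for (const char *p = path; *p; ) {
        const char *end = strchr(p, '/');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        struct ctl_table *e;
        for (e = table; e->procname; e++)
            if (strlen(e->procname) == len && strncmp(e->procname, p, len) == 0)
                break;
        if (!e->procname)
            return -ENOENT;
        if (!end)                                  /* leaf: the actual access */
            return e->child ? -EISDIR : ctl_perm(ssid, e->sid, want);
        if (!e->child)
            return -ENOTDIR;
        rc = ctl_perm(ssid, e->sid, DIR__SEARCH);  /* traversal: search check */
        if (rc)
            return rc;
        table = e->child;
        p = end + 1;
    }
    return -ENOENT;
}
```

After label_all_tables, kernel/ostype carries the sysctl_kernel SID by inheritance while kernel/modprobe keeps its own SID, so a policy can let SID_USER read ostype but not modprobe, and SID_ADMIN is stopped at the vm directory by the missing search permission before the leaf is ever consulted.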

