1 /*
2 * Root Plug sample LSM module
3 *
4 * Originally written for a Linux Journal.
5 *
6 * Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
7 *
8 * Prevents any programs running with egid == 0 if a specific USB device
9 * is not present in the system. Yes, it can be gotten around, but is a
10 * nice starting point for people to play with, and learn the LSM
11 * interface.
12 *
13 * If you want to turn this into something with a semblance of security,
14 * you need to hook the task_* functions also.
15 *
16 * See http://www.linuxjournal.com/article.php?sid=6279 for more information
17 * about this code.
18 *
19 * This program is free software; you can redistribute it and/or
20 * modify it under the terms of the GNU General Public License as
21 * published by the Free Software Foundation, version 2 of the
22 * License.
23 */
24
25 #include <linux/kernel.h>
26 #include <linux/init.h>
27 #include <linux/security.h>
28 #include <linux/usb.h>
29 #include <linux/moduleparam.h>
30
31 /* default is a generic type of usb to serial converter */
32 static int vendor_id = 0x0557;
33 static int product_id = 0x2008;
34
35 module_param(vendor_id, uint, 0400);
36 module_param(product_id, uint, 0400);
37
38 /* should we print out debug messages */
39 static int debug = 0;
40
41 module_param(debug, bool, 0600);
42
43 #define MY_NAME "root_plug"
44
45 #define root_dbg(fmt, arg...) \
46 do { \
47 if (debug) \
48 printk(KERN_DEBUG "%s: %s: " fmt , \
49 MY_NAME , __func__ , \
50 ## arg); \
51 } while (0)
52
rootplug_bprm_check_security(struct linux_binprm * bprm)53 static int rootplug_bprm_check_security (struct linux_binprm *bprm)
54 {
55 struct usb_device *dev;
56
57 root_dbg("file %s, e_uid = %d, e_gid = %d\n",
58 bprm->filename, bprm->cred->euid, bprm->cred->egid);
59
60 if (bprm->cred->egid == 0) {
61 dev = usb_find_device(vendor_id, product_id);
62 if (!dev) {
63 root_dbg("e_gid = 0, and device not found, "
64 "task not allowed to run...\n");
65 return -EPERM;
66 }
67 usb_put_dev(dev);
68 }
69
70 return 0;
71 }
72
73 static struct security_operations rootplug_security_ops = {
74 /* Use the capability functions for some of the hooks */
75 .ptrace_may_access = cap_ptrace_may_access,
76 .ptrace_traceme = cap_ptrace_traceme,
77 .capget = cap_capget,
78 .capset = cap_capset,
79 .capable = cap_capable,
80
81 .bprm_set_creds = cap_bprm_set_creds,
82
83 .task_fix_setuid = cap_task_fix_setuid,
84 .task_prctl = cap_task_prctl,
85
86 .bprm_check_security = rootplug_bprm_check_security,
87 };
88
rootplug_init(void)89 static int __init rootplug_init (void)
90 {
91 /* register ourselves with the security framework */
92 if (register_security (&rootplug_security_ops)) {
93 printk (KERN_INFO
94 "Failure registering Root Plug module with the kernel\n");
95 return -EINVAL;
96 }
97 printk (KERN_INFO "Root Plug module initialized, "
98 "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
99 return 0;
100 }
101
102 security_initcall (rootplug_init);
103