TOMOYO Linux(undone)
目录
1. TOMOYO Introduction
2. TOMOYO Sourcecode Analysis
1. Introduction
TOMOYO是一款基于LSM Framework实现的安全模块(LSM)
Relevant Link:
http://lxr.free-electrons.com/source/Documentation/security/tomoyo.txt
2. TOMOYO Sourcecode Analysis
以对网络连接函数(sys_connect)进行监控的钩子(tomoyo_socket_connect)及其监控log为例
/source/security/tomoyo/tomoyo.c
/**
 * tomoyo_socket_connect - LSM hook for connect().
 * @sock: Pointer to "struct socket".
 * @addr: Pointer to "struct sockaddr".
 * @addr_len: Size of @addr.
 *
 * Thin adapter: every policy decision is made by
 * tomoyo_socket_connect_permission(); nothing is evaluated here.
 *
 * Returns 0 on success, negative value otherwise.
 */
static int tomoyo_socket_connect(struct socket *sock, struct sockaddr *addr,
				 int addr_len)
{
	int rc;

	rc = tomoyo_socket_connect_permission(sock, addr, addr_len);
	return rc;
}
/source/security/tomoyo/network.c
/* Socket address being checked, as seen by the TOMOYO network hooks. */
struct tomoyo_addr_info {
	/* Socket type (SOCK_STREAM, SOCK_DGRAM, ...) copied from sock->type. */
	u8 protocol;
	/* TOMOYO_NETWORK_SEND or TOMOYO_NETWORK_CONNECT on the connect() path. */
	u8 operation;
	/* Filled by tomoyo_check_inet_address() for AF_INET / AF_INET6. */
	struct tomoyo_inet_addr_info inet;
	/* Presumably filled by tomoyo_check_unix_address() (not shown here). */
	struct tomoyo_unix_addr_info unix0;
};

/**
 * tomoyo_sock_family - Get socket's family.
 * @sk: Pointer to "struct sock".
 *
 * Returns one of PF_INET, PF_INET6, PF_UNIX or 0.
 *
 * 0 means "not subject to TOMOYO network checks": either the request comes
 * from a kernel service (tomoyo_kernel_service()) or the family is one
 * this code does not handle.
 */
static u8 tomoyo_sock_family(struct sock *sk)
{
	u8 family = 0;

	if (tomoyo_kernel_service())
		return 0;
	family = sk->sk_family;
	if (family != PF_INET && family != PF_INET6 && family != PF_UNIX)
		family = 0;
	return family;
}

/**
 * tomoyo_check_inet_address - Validate and record an AF_INET/AF_INET6 address.
 * @addr: Pointer to "struct sockaddr" supplied by the caller.
 * @addr_len: Size of @addr in bytes.
 * @port: Socket protocol number (sk->sk_protocol); only used for SOCK_RAW.
 * @address: Pointer to "struct tomoyo_addr_info" to fill in.
 *
 * Returns the result of tomoyo_inet_entry(), or 0 (no policy lookup at
 * all) when @addr_len is smaller than the minimal sockaddr size for the
 * claimed family, or when the family is neither AF_INET nor AF_INET6.
 *
 * The length check happens before @addr is reinterpreted, so a truncated
 * address is never read past @addr_len.
 */
static int tomoyo_check_inet_address(const struct sockaddr *addr,
				     const unsigned int addr_len,
				     const u16 port,
				     struct tomoyo_addr_info *address)
{
	struct tomoyo_inet_addr_info *i = &address->inet;

	if (addr->sa_family == AF_INET6) {
		struct sockaddr_in6 *in6 = (struct sockaddr_in6 *) addr;

		if (addr_len < SIN6_LEN_RFC2133)
			return 0;
		i->is_ipv6 = true;
		i->address = (__be32 *) in6->sin6_addr.s6_addr;
		i->port = in6->sin6_port;
	} else if (addr->sa_family == AF_INET) {
		struct sockaddr_in *in4 = (struct sockaddr_in *) addr;

		if (addr_len < sizeof(*in4))
			return 0;
		i->is_ipv6 = false;
		i->address = (__be32 *) &in4->sin_addr;
		i->port = in4->sin_port;
	} else {
		return 0;
	}
	/* For SOCK_RAW the port field is replaced by the protocol number. */
	if (address->protocol == SOCK_RAW)
		i->port = htons(port);
	return tomoyo_inet_entry(address);
}

/**
 * tomoyo_socket_connect_permission - Check permission for setting the remote
 * address of a socket.
 * @sock: Pointer to "struct socket".
 * @addr: Pointer to "struct sockaddr".
 * @addr_len: Size of @addr.
 *
 * Returns 0 on success, negative value otherwise.
 *
 * Sockets whose family is not PF_INET/PF_INET6/PF_UNIX, requests from
 * kernel services, and socket types other than the four listed below are
 * not checked at all (0 is returned before any address is inspected).
 */
int tomoyo_socket_connect_permission(struct socket *sock, struct sockaddr *addr,
				     int addr_len)
{
	struct tomoyo_addr_info address;
	/* Protocol family: PF_INET, PF_INET6, PF_UNIX, or 0 if unhandled. */
	const u8 family = tomoyo_sock_family(sock->sk);
	/* Socket type: SOCK_STREAM, SOCK_DGRAM, SOCK_RAW, SOCK_SEQPACKET, ... */
	const unsigned int type = sock->type;

	if (!family)
		return 0;
	address.protocol = type;
	if (type == SOCK_DGRAM || type == SOCK_RAW)
		address.operation = TOMOYO_NETWORK_SEND;
	else if (type == SOCK_STREAM || type == SOCK_SEQPACKET)
		address.operation = TOMOYO_NETWORK_CONNECT;
	else
		return 0;
	if (family == PF_UNIX)
		return tomoyo_check_unix_address(addr, addr_len, &address);
	return tomoyo_check_inet_address(addr, addr_len, sock->sk->sk_protocol,
					 &address);
}
Relevant Link:
Copyright (c) 2014 LittleHann All rights reserved