目录

. TOMOYO Introduction

. TOMOYO Sourcecode Analysis

1. Introduction

TOMOYO是一款基于LSM Framework实现的LSMs(安全模块)

Relevant Link:

http://lxr.free-electrons.com/source/Documentation/security/tomoyo.txt

2. TOMOYO Sourcecode Analysis

以网络连接状态函数(sys_connect)的监控(tomoyo_socket_connect)的监控log作为例子

/source/security/tomoyo/tomoyo.c

/**

* tomoyo_socket_connect - Check permission for connect().

*

* @sock:     Pointer to "struct socket".

* @addr:     Pointer to "struct sockaddr".

* @addr_len: Size of @addr.

*

* Returns 0 on success, negative value otherwise.

*/

static int tomoyo_socket_connect(struct socket *sock, struct sockaddr *addr, int addr_len)

{

    return tomoyo_socket_connect_permission(sock, addr, addr_len);

}

/source/security/tomoyo/network.c

/**

* tomoyo_sock_family - Get socket's family.

*

* @sk: Pointer to "struct sock".

*

* Returns one of PF_INET, PF_INET6, PF_UNIX or 0.

*/

static u8 tomoyo_sock_family(struct sock *sk)

{

     u8 family;

    if (tomoyo_kernel_service())

        return 0;

    family = sk->sk_family;

    switch (family)

    {

        case PF_INET:

        case PF_INET6:

        case PF_UNIX:

            return family;

        default:

            return 0;

    }

}

/**

* tomoyo_socket_connect_permission - Check permission for setting the remote address of a socket.

*

* @sock:     Pointer to "struct socket".

* @addr:     Pointer to "struct sockaddr".

* @addr_len: Size of @addr.

*

* Returns 0 on success, negative value otherwise.

*/

int tomoyo_socket_connect_permission(struct socket *sock, struct sockaddr *addr, int addr_len)

{

    struct tomoyo_addr_info address;

    //Get socket's family.(family是链路层的概念)

    const u8 family = tomoyo_sock_family(sock->sk);

    //socket的类型(TCP、UDP...)(type是传输层的概念)

    const unsigned int type = sock->type;

    if (!family)

        return 0;

    address.protocol = type;

    switch (type)

    {

        case SOCK_DGRAM:

        case SOCK_RAW:

            address.operation = TOMOYO_NETWORK_SEND;

            break;

        case SOCK_STREAM:

        case SOCK_SEQPACKET:

            address.operation = TOMOYO_NETWORK_CONNECT;

            break;

        default:

            return 0;

    }

    if (family == PF_UNIX)

        return tomoyo_check_unix_address(addr, addr_len, &address);

    return tomoyo_check_inet_address(addr, addr_len, sock->sk->sk_protocol, &address);

}

/* Structure for holding socket address. */

struct tomoyo_addr_info

{

    u8 protocol;

    u8 operation;

    struct tomoyo_inet_addr_info inet;

    struct tomoyo_unix_addr_info unix0;

};

static int tomoyo_check_inet_address(const struct sockaddr *addr, const unsigned int addr_len, const u16 port, struct tomoyo_addr_info *address)

{

    struct tomoyo_inet_addr_info *i = &address->inet;

    switch (addr->sa_family)

    {

        case AF_INET6:

            if (addr_len < SIN6_LEN_RFC2133)

                goto skip;

            i->is_ipv6 = true;

            i->address = (__be32 *)((struct sockaddr_in6 *) addr)->sin6_addr.s6_addr;

            i->port = ((struct sockaddr_in6 *) addr)->sin6_port;

            break;

        case AF_INET:

            if (addr_len < sizeof(struct sockaddr_in))

                goto skip;

            i->is_ipv6 = false;

            i->address = (__be32 *) &((struct sockaddr_in *) addr)->sin_addr;

            i->port = ((struct sockaddr_in *) addr)->sin_port;

            break;

        default:

            goto skip;

    }

    if (address->protocol == SOCK_RAW)

        i->port = htons(port);

    return tomoyo_inet_entry(address);

    skip:

        return 0;

}

Relevant Link:

Copyright (c) 2014 LittleHann All rights reserved

TOMOYO Linux(undone)的更多相关文章

  1. Linux LSM(Linux Security Modules) Hook Technology

    目录 . 引言 . Linux Security Module Framework Introduction . LSM Sourcecode Analysis . LSMs Hook Engine: ...

  2. Linux Security模块

    一.Linux Security Modules Linux Security Modules (LSM) 是一种 Linux 内核子系统,旨在将内核以模块形式集成到各种安全模块中.在 2001 年的 ...

  3. Logical Volume Manager (Linux)

    http://en.wikipedia.org/wiki/Logical_Volume_Manager_(Linux) Logical Volume Manager (Linux) From Wiki ...

  4. Linux 驱动开发

    linux驱动开发总结(一) 基础性总结 1, linux驱动一般分为3大类: * 字符设备 * 块设备 * 网络设备 2, 开发环境构建: * 交叉工具链构建 * NFS和tftp服务器安装 3, ...

  5. Linaro/Yocto/Openwrt

    http://en.wikipedia.org/wiki/Linaro Linaro From Wikipedia, the free encyclopedia     This article ap ...

  6. Linux inode && Fast Directory Travel Method(undone)

    目录 . Linux inode简介 . Fast Directory Travel Method 1. Linux inode简介 0x1: 磁盘分割原理 字节 -> 扇区(sector)(每 ...

  7. Linux Kernel File IO Syscall Kernel-Source-Code Analysis(undone)

    目录 . 引言 . open() syscall . close() syscall 0. 引言 在linux的哲学中,所有的磁盘文件.目录.外设设备.驱动设备全部被抽象为了"文件" ...

  8. Linux Kernel中获取当前目录方法(undone)

    目录 . 引言 . 基于进程内存镜像信息struct mm_struct获取struct path调用d_path()获取当前进程的"绝对路径" . 基于文件描述符(fd).tas ...

  9. Linux Cache Mechanism Summary(undone)

    目录 . 缓存机制简介 . 内核缓存机制 . 内存缓存机制 . 文件缓存机制 . 数据库缓存机制 1. 缓存机制简介 0x1: 什么是缓存cache 在计算机整个领域中,缓存(cache)这个词是一个 ...

随机推荐

  1. Windows环境中Openfire与Spark安装与配置指南

    安装软件: openfire3.9.3 spark2.6.3 安装环境: WindowsXP JDK1.6.0_21 Oracle 一.openfire安装 1.安装openfire3.9.3,下载地 ...

  2. java 20 - 6 加入了异常处理的字节输出流的操作

    昨天坐了十几个钟的车回家,累弊了.... ————————————割掉疲劳————————————— 前面的字节输出流都是抛出了异常不管,这次的加入了异常处理: 首先还是创建一个字节输出流对象,先给它 ...

  3. request模块提交数据

    http://ctf8.shiyanbar.com/jia/ #coding:utf-8import re,requestsurl = r"http://ctf8.shiyanbar.com ...

  4. 对访问修饰关键字public, protected, internal and private的说明

    对访问修饰关键字public, protected, internal and private的说明1.msdn: Internal types or members are accessible o ...

  5. drbd初探及Heartbeat+DRBD+MySQL

    1,drbd快速入门 http://www.mingxiao.info/article/?id=39#__RefHeading___Toc1114_501652171 2.Heartbeat+DRBD ...

  6. [tomcat7源码学习]初始化之catalina.home和catalina.base(转)

    我们在代码中为了获取某个配置文件路径下的文件经常会这么写 String tomcatPath = System.getProperty("catalina.home") + &qu ...

  7. Objective-c归档的概念和用法

  8. 浩瀚先森(guohao1206.com)

    博客搬家啦,新博客地址:浩瀚先森 http://www.guohao1206.com

  9. 整合 Bing translator 到自己的系统中

    整合这个功能, 是因为 aliexpress 的买家来自不同国家, 我的 "小卖家" 同步到买家的留言, 很多西班牙,俄罗斯等小语种的文字, 看不懂. Google 被墙, 基本很 ...

  10. android之文件权限问题

    当我们在手机上安装一个应用的时候,linux会为每个APP创建一个用户名和用户组 xidian.dy.com.chujia是系统为每个应用创建的一个独立的文件夹,我们可以看到这个文件的所有者为app_ ...