X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=procprotect.c;h=2672ef817da335d933e03f907530a421538c4e9c;hb=c48fc2de287117f7d339fe085dd582c8f301f51f;hp=c59d42e4b78173023ff94a9c1750323b0ea46bc1;hpb=71ef859a01e467cf31e1ce4fe9203721f7e1e57a;p=procprotect.git

diff --git a/procprotect.c b/procprotect.c
index c59d42e..2672ef8 100644
--- a/procprotect.c
+++ b/procprotect.c
@@ -2,6 +2,7 @@
 #include <linux/moduleparam.h>
 #include <linux/types.h>
 #include <linux/kernel.h>
+#include <linux/version.h>
 #include <linux/fs_struct.h>
 #include <linux/fs.h>
 #include <linux/mm.h>
@@ -33,7 +34,8 @@
 #error "This code does not support your architecture"
 #endif
 
-static char *aclpath __devinitdata = "procprotect";
+static char *aclpath = "procprotect";
+
 static struct qstr aclqpath;
 
 module_param(aclpath, charp, 0);
@@ -63,11 +65,10 @@ struct hlist_head procprotect_hash[HASH_SIZE];
 struct proc_dir_entry *proc_entry;
 
 static int run_acl(unsigned long ino) {
-    struct hlist_node *n;
     struct acl_entry *entry;
     hlist_for_each_entry_rcu(entry, 
-            n, &procprotect_hash[ino & (HASH_SIZE-1)],
-            hlist) {
+			     &procprotect_hash[ino & (HASH_SIZE-1)],
+			     hlist) {
         if (entry->ino==ino) {
             return 0;
         }
@@ -84,14 +85,13 @@ static int lookup_fast_entry(struct kretprobe_instance *ri, struct pt_regs *regs
     int ret = -1;
     struct procprotect_ctx *ctx;
     struct nameidata *nd = (struct nameidata *) regs->di;
-    struct qstr *q = (struct qstr *) regs->si;
     struct dentry *parent = nd->path.dentry;
     struct inode *pinode = parent->d_inode;
 
     if (pinode->i_sb->s_magic == PROC_SUPER_MAGIC
             && current->nsproxy->mnt_ns!=init_task.nsproxy->mnt_ns) {	
         ctx = (struct procprotect_ctx *) ri->data;
-        ctx->inode = regs->cx;
+        ctx->inode = regs->dx;
         ctx->flags = nd->flags;
         ret = 0;
     }
@@ -113,9 +113,7 @@ static int lookup_fast_ret(struct kretprobe_instance *ri, struct pt_regs *regs)
         /* The kernel is going to honor the request. Here's where we step in */
         struct inode *inode = *(ctx->inode);
         if (!run_acl(inode->i_ino)) {
-            if (current->nsproxy->mnt_ns!=init_task.nsproxy->mnt_ns) {
-                regs->ax = -EPERM;
-            }
+            regs->ax = -EPERM;
         }
     }
 
@@ -127,8 +125,7 @@ static int lookup_slow_entry(struct kretprobe_instance *ri, struct pt_regs *regs
     int ret = -1;
     struct procprotect_ctx *ctx;
     struct nameidata *nd = (struct nameidata *) regs->di;
-    struct qstr *q = (struct qstr *) regs->si;
-    struct path *p = (struct path *) regs->dx;
+    struct path *p = (struct path *) regs->si;
 
     struct dentry *parent = nd->path.dentry;
     struct inode *pinode = parent->d_inode;
@@ -139,7 +136,7 @@ static int lookup_slow_entry(struct kretprobe_instance *ri, struct pt_regs *regs
             && current->nsproxy->mnt_ns!=init_task.nsproxy->mnt_ns) {	
         
         ctx = (struct procprotect_ctx *) ri->data;
-        ctx->q = q;
+        ctx->q = &nd->last;
         ctx->flags = nd->flags;
         ctx->path = p;
         ret = 0;
@@ -151,19 +148,26 @@ static int lookup_slow_entry(struct kretprobe_instance *ri, struct pt_regs *regs
 /* The entry hook ensures that the return hook is only called for
    accesses to /proc */
 
+static int print_once = 0;
+
 static int lookup_slow_ret(struct kretprobe_instance *ri, struct pt_regs *regs)
 {
-    struct procprotect_ctx *ctx = (struct procprotect_ctx *) ri->data;
-    int ret = regs->ax;
+    struct procprotect_ctx *ctx;
+    int ret;
+
+    if (!ri || !ri->data) {return 0;}
+    ctx = (struct procprotect_ctx *) ri->data;
+
+    ret = regs->ax;
 
     if (ret==0) {
-        /* The kernel is going to honor the request. Here's where we step in */
         struct path *p = ctx->path;
+        if (!p || !p->dentry || !p->dentry->d_inode /* This last check was responsible for the f18 bug*/) {
+            return 0;
+        }
         struct inode *inode = p->dentry->d_inode;
         if (!run_acl(inode->i_ino)) {
-            if (current->nsproxy->mnt_ns!=init_task.nsproxy->mnt_ns) {
-                regs->ax = -EPERM;
-            }
+            regs->ax = -EPERM;
         }
     }
 
@@ -177,12 +181,17 @@ struct open_flags {
   int intent;
 };
 
-static struct file *do_last_probe(struct nameidata *nd, struct path *path,
+static struct file *do_last_probe(struct nameidata *nd, struct path *path, struct file *file,
                          struct open_flags *op, const char *pathname) {
     struct dentry *parent = nd->path.dentry;
     struct inode *pinode = parent->d_inode;
+    struct qstr *q = &nd->last;
 
+    
     if (pinode->i_sb->s_magic == PROC_SUPER_MAGIC && current->nsproxy->mnt_ns!=init_task.nsproxy->mnt_ns) {
+        /*if (!strncmp(q->name,"sysrq-trigger",13)) {
+            printk(KERN_CRIT "do_last sysrqtrigger: %d",op->open_flag);
+        }*/
         op->open_flag &= ~O_CREAT;
     }
     jprobe_return();
@@ -238,14 +247,13 @@ static void __exit procprotect_exit(void)
     unregister_kretprobe(&fast_probe);
     unregister_kretprobe(&slow_probe);
 	unregister_jprobe(&dolast_probe);
-    struct hlist_node *n;
     struct acl_entry *entry;
     int i;
 
     for (i=0;i<HASH_SIZE;i++) {
         hlist_for_each_entry_rcu(entry, 
-                n, &procprotect_hash[i],
-                hlist) {
+				 &procprotect_hash[i],
+				 hlist) {
             kfree(entry);
         }
     }
@@ -278,11 +286,12 @@ int procfile_write(struct file *file, const char *buffer, unsigned long count, v
 
 static int __init procprotect_init(void)
 {
-    printk("Procprotect: starting procprotect version %s with ACLs at path %s.\n",
-            VERSION_STR, aclpath);
     int ret;
     int i;
 
+    printk("Procprotect: starting procprotect version %s with ACLs at path %s.\n",
+            VERSION_STR, aclpath);
+
     for(i=0;i<HASH_SIZE;i++) {
         INIT_HLIST_HEAD(&procprotect_hash[i]);
     }
@@ -290,6 +299,18 @@ static int __init procprotect_init(void)
     aclqpath.name = aclpath;
     aclqpath.len = strnlen(aclpath, PATH_MAX);
 
+    dolast_probe.kp.addr = 
+        (kprobe_opcode_t *) kallsyms_lookup_name("do_last");
+
+    if (!dolast_probe.kp.addr) {
+        printk("Couldn't find %s to plant kretprobe\n", "do_last");
+        return -1;
+    }
+
+    if ((ret = register_jprobe(&dolast_probe)) <0) {
+                  printk("register_jprobe failed, returned %u\n", ret);
+                  return -1;
+    }
     fast_probe.kp.addr = 
         (kprobe_opcode_t *) kallsyms_lookup_name("lookup_fast");
     if (!fast_probe.kp.addr) {
@@ -304,18 +325,7 @@ static int __init procprotect_init(void)
         return -1;
     }
 
-    dolast_probe.kp.addr = 
-        (kprobe_opcode_t *) kallsyms_lookup_name("do_last");
-
-    if (!dolast_probe.kp.addr) {
-        printk("Couldn't find %s to plant kretprobe\n", "do_last");
-        return -1;
-    }
-
-    if ((ret = register_jprobe(&dolast_probe)) <0) {
-                  printk("register_jprobe failed, returned %u\n", ret);
-                  return -1;
-    }
+    
 
     if ((ret = register_kretprobe(&fast_probe)) <0) {
         printk("register_kretprobe failed, returned %d\n", ret);