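Building a system hook with LSM was the core of my undergraduate thesis. The actual code is gone, but this LSM demo can help with the initial setup. The rest of the implementation relies mainly on the hooks that LSM provides, and requires some understanding of task_struct and inode_struct.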
/*
 * Test Linux Security Module
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2, as
 * published by the Free Software Foundation.
 *
 */
#include <linux/security.h>
#include <linux/sysctl.h>
#include <linux/ptrace.h>
#include <linux/prctl.h>
#include <linux/ratelimit.h>
#include <linux/workqueue.h>
#include <linux/file.h>
#include <linux/fs.h>
#include <linux/dcache.h>
#include <linux/path.h>
#include <linux/string.h>

/* Called on every read/write permission check for an open file. */
static int test_file_permission(struct file *file, int mask)
{
	/* d_name.name is const unsigned char *, so cast it for strcmp(). */
	const char *name = (const char *)file->f_path.dentry->d_name.name;

	if (!strcmp(name, "test.txt")) {
		/*
		 * O_RDONLY is 0, so this OR leaves f_flags unchanged.
		 * A hook denies access by returning a negative errno
		 * such as -EACCES instead of 0.
		 */
		file->f_flags |= O_RDONLY;
		printk(KERN_INFO "you can have your control code here!\n");
	}
	return 0;	/* 0 means "allow" */
}

/* Only the hooks set here are overridden; the rest keep the defaults. */
static struct security_operations test_security_ops = {
	.name = "test",
	.file_permission = test_file_permission,
};

static __init int test_init(void)
{
	printk(KERN_INFO "enter test init!\n");
	printk(KERN_INFO "Test: becoming......\n");
	if (register_security(&test_security_ops))
		panic("Test: kernel registration failed.\n");
	return 0;
}
security_initcall(test_init);
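- In the kernel source tree, create a folder named test under the security folder and put three files in it: Makefile, Kconfig and the source file test.c. test.c is the code above. The Makefile contains:
obj-$(CONFIG_SECURITY_TEST) := test.o
The Kconfig contains: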
config SECURITY_TEST
	bool " TEST Kernel Support"
	depends on NETLABEL && SECURITY_NETWORK
	default n
	help
	  This selects the Simplified Mandatory Access Control Kernel.
	  Smack is useful for sensitivity, integrity, and a variety
	  of other mandatory security schemes.
	  If you are unsure how to answer this question, answer N.
- Modify the Kconfig and Makefile in the security folder
In the Makefile, add at the appropriate place:
subdir-$(CONFIG_SECURITY_TEST) += test
# Must precede capability.o in order to stack properly.
obj-$(CONFIG_SECURITY_TEST) += test/test.o
obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
In the Kconfig, add at the appropriate place:
source security/test/Kconfig
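The demo hook in test.c always returns 0, so it never blocks anything. As an added example (not the original author's code), the block below shows the same file_permission hook denying writes to test.txt through its return value. `test_policy` is a hypothetical helper, the kernel branch assumes the same `security_operations` interface as test.c, and the user-space branch exists only so the decision logic can be compiled and checked outside the kernel.

```c
#ifdef __KERNEL__
#include <linux/errno.h>
#include <linux/fs.h>
#include <linux/kernel.h>
#include <linux/string.h>
#else
#include <errno.h>
#include <stdio.h>
#include <string.h>
/* Same values as the MAY_* flags in <linux/fs.h>. */
#define MAY_EXEC   0x1
#define MAY_WRITE  0x2
#define MAY_READ   0x4
#define MAY_APPEND 0x8
#endif

/* Hypothetical helper: returns 0 to allow, -EACCES to deny.
 * Matching on the final name component alone covers every file called
 * "test.txt" in any directory and stops applying after a rename; it is
 * kept only because the page's demo matches the same way. */
static int test_policy(const char *name, int mask)
{
	if (strcmp(name, "test.txt") != 0)
		return 0;
	if (mask & (MAY_WRITE | MAY_APPEND))
		return -EACCES;
	return 0;
}

#ifdef __KERNEL__
/* Drop-in body for the file_permission hook in test.c. */
static int test_file_permission(struct file *file, int mask)
{
	const char *name = (const char *)file->f_path.dentry->d_name.name;
	int rc = test_policy(name, mask);

	if (rc)
		printk(KERN_INFO "Test: denied write to %s\n", name);
	return rc;
}
#else
int main(void)
{
	printf("read  test.txt -> %d\n", test_policy("test.txt", MAY_READ));
	printf("write test.txt -> %d\n", test_policy("test.txt", MAY_WRITE));
	return 0;
}
#endif
```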
References
http://blog.csdn.net/dog250/article/details/5303645