From: <no...@ro...> - 2006-04-21 01:06:43
|
Author: omok Date: Fri Apr 21 03:06:36 2006 New Revision: 22 Log: changed lidsadm.c strncpy() to memcpy() because sometime SHA256(password) d= igest contains any NULL characters Modified: lidstools/trunk/src/lidsadm.c Modified: lidstools/trunk/src/lidsadm.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/trunk/src/lidsadm.c (original) +++ lidstools/trunk/src/lidsadm.c Fri Apr 21 03:06:36 2006 @@ -181,7 +181,7 @@ exit_error(2,"read password error"); } =20 - strncpy(wanted.passwd, passwd, 32); + memcpy(wanted.passwd, passwd, 32); if (write(lk, &wanted, sizeof (lids_locks_t)) =3D=3D -1) { perror("write"); exit_error(2, "cannot write " LIDS_LOCKS); |
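Review bot: The new `memcpy(wanted.passwd, passwd, 32);` copies exactly 32 bytes from `passwd` unconditionally, so the caller must now guarantee that the buffer behind `passwd` holds at least 32 initialized bytes — the `strncpy` it replaces stopped at the first NUL and zero-padded, so a shorter input was harmless, whereas here any stale bytes after a short read would be copied into `wanted` and handed to the kernel by the `write()` two lines below. The literal `32` also silently duplicates the size of the `passwd_t` field; `memcpy(wanted.passwd, passwd, sizeof wanted.passwd);` keeps the copy tied to the struct definition, and the read into `passwd` (just above the hunk, outside view) should be checked to produce that many bytes. The enclosing function starts before and continues after this hunk; since `wanted` carries a password digest, clearing it after the `write()` would be worth adding there.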
Author: roedie Date: Thu Apr 20 21:46:19 2006 New Revision: 21 Log: Ran Lindent all over the place to remove whitespace and comply to the Codin= gstyle document. Modified: lids/trunk/security/lids/include/linux/lids.h lids/trunk/security/lids/include/linux/lids_sysctl.h lids/trunk/security/lids/include/linux/lidsext.h lids/trunk/security/lids/include/linux/lidsif.h lids/trunk/security/lids/lids_acl.c lids/trunk/security/lids/lids_cap.c lids/trunk/security/lids/lids_init.c lids/trunk/security/lids/lids_logs.c lids/trunk/security/lids/lids_lsm.c lids/trunk/security/lids/lids_sysctl.c Modified: lids/trunk/security/lids/include/linux/lids.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/include/linux/lids.h (original) +++ lids/trunk/security/lids/include/linux/lids.h Thu Apr 20 21:46:19 2006 @@ -63,8 +63,7 @@ int lids_get_inode_security(struct dentry *o_dentry, struct inode *inode); */ -extern struct lids_inode_acl * lids_do_get_acl(struct inode *inode);=20 - +extern struct lids_inode_acl *lids_do_get_acl(struct inode *inode); =20 extern struct lids_sys_acl *lids_search_acl(unsigned long int ino, dev_t d= ev, unsigned long lids_curr); 
@@ -95,6 +94,7 @@ =20 extern void lids_alert(int type, long dst, long dst2, char *name, char *ac= tion); extern int lids_read_pw(void); -extern int do_lids_setup(void); -extern int lids_check_capset(struct task_struct *tsk, kernel_cap_t a,kerne= l_cap_t set); +extern int do_lids_setup(void); +extern int lids_check_capset(struct task_struct *tsk, kernel_cap_t a, + kernel_cap_t set); #endif /* LIDS_H */ Modified: lids/trunk/security/lids/include/linux/lids_sysctl.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/include/linux/lids_sysctl.h (original) +++ lids/trunk/security/lids/include/linux/lids_sysctl.h Thu Apr 20 21:46:1= 9 2006 @@ -118,7 +118,7 @@ #endif =20 #ifdef CONFIG_LIDS_ALLOW_SWITCH -char lids_pw[LIDS_PW_LEN+16]; +char lids_pw[LIDS_PW_LEN + 16]; int lids_read_pw() { struct file *filp; @@ -150,11 +150,12 @@ set_fs(oldfs); =20 if (bytes < LIDS_PW_LEN) { - printk("LIDS: The file " LIDS_PW_FILE " is too short, need %d, got %d\n"= , LIDS_PW_LEN, bytes); + printk("LIDS: The file " LIDS_PW_FILE + " is too short, need %d, got %d\n", LIDS_PW_LEN, bytes); return -1; } =20 - memset(lids_pw,'\0',LIDS_PW_LEN); + memset(lids_pw, '\0', LIDS_PW_LEN); memcpy(lids_pw, buffer, LIDS_PW_LEN); /* Close the file */ fput(filp); Modified: lids/trunk/security/lids/include/linux/lidsext.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/include/linux/lidsext.h (original) +++ lids/trunk/security/lids/include/linux/lidsext.h Thu Apr 20 21:46:19 20= 06 
@@ -38,8 +38,7 @@ =20 #ifdef CONFIG_LIDS_RESTRICT_MODE_SWITCH =20 -static inline int -lids_check_tty(struct tty_struct *tty) +static inline int lids_check_tty(struct tty_struct *tty) { return (tty && !(0 #ifdef CONFIG_LIDS_MODE_SWITCH_CONSOLE @@ -54,8 +53,7 @@ )); } #else -static inline int -lids_check_tty(struct tty_struct *tty) +static inline int lids_check_tty(struct tty_struct *tty) { return 0; } Modified: lids/trunk/security/lids/include/linux/lidsif.h =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/include/linux/lidsif.h (original) +++ lids/trunk/security/lids/include/linux/lidsif.h Thu Apr 20 21:46:19 2006 @@ -135,7 +135,7 @@ __u32 magic3; passwd_t passwd; __u32 magic4; -} __attribute__ ((__packed__)) lids_locks_t ; +} __attribute__ ((__packed__)) lids_locks_t; =20 struct lids_s_dev { __u32 major; 
@@ -151,28 +151,28 @@ } __attribute__ ((__packed__)); =20 struct lids_object_acl { - __u32 sid; /* subject id*/ - __u32 oid; /* object id*/ - struct lids_s_inode inode; /* point the the original inode */ - __u32 type; /* READ WRITE APPEND DENY */ - __u32 inherit; /* the inherit level */ - struct lids_object_acl *next; -#ifdef __KERNEL__ - char name[64]; /* filename of the inode */ + __u32 sid; /* subject id */ + __u32 oid; /* object id */ + struct lids_s_inode inode; /* point the the original inode */ + __u32 type; /* READ WRITE APPEND DENY */ + __u32 inherit; /* the inherit level */ + struct lids_object_acl *next; +#ifdef __KERNEL__ + char name[64]; /* filename of the inode */ #else - char name[PATH_MAX]; /* filename of the inode */ -#endif -} __attribute__ ((__packed__)) ; + char name[PATH_MAX]; /* filename of the inode */ +#endif +} __attribute__ ((__packed__)); =20 struct lids_subject_acl { - __u32 sid; /* sid */ - __u32 ext_cap; /* socket */ - __u32 sys_cap; /* Move from tsk */ - __u32 o_acl_num; /* the object number */ - __u32 port[16][2]; /* bind port */ + __u32 sid; /* sid */ + __u32 ext_cap; /* socket */ + __u32 sys_cap; /* Move from tsk */ + __u32 o_acl_num; /* the object number */ + __u32 port[16][2]; /* bind port */ struct lids_cap cap_inherit[32]; /* inheritable array */ - struct lids_object_acl *o_acl; /* object acl */ -} __attribute__ ((__packed__)) ; + struct lids_object_acl *o_acl; /* object acl */ +} __attribute__ ((__packed__)); =20 #ifdef __KERNEL__ struct lids_task_acl { 
@@ -191,28 +191,28 @@ } __attribute__ ((__packed__)); =20 struct lids_inode_acl { - __u32 magic; - __u32 type; /* READ WRITE APPEND DENY */ - __u32 version; /* current vesion of acl*/ - __u32 flags; /* inode flags */ + __u32 magic; + __u32 type; /* READ WRITE APPEND DENY */ + __u32 version; /* current vesion of acl */ + __u32 flags; /* inode flags */ struct lids_s_inode inode; /* point the the original inode */ struct lids_perm perm[64]; /* the sid/oid that have perm on this file */ struct lids_subject_acl *s_acl; #ifdef __KERNEL__ - char name[64]; /* filename of the inode */ + char name[64]; /* filename of the inode */ #else - char name[PATH_MAX]; /* filename of the inode */ -#endif -} __attribute__ ((__packed__)) ; -struct lids_acl_header{ + char name[PATH_MAX]; /* filename of the inode */ +#endif +} __attribute__ ((__packed__)); +struct lids_acl_header { __u32 magic; /* MAGIC */ __u32 version; /* ACL Version */ __u32 sys_cap; /* Overall Cap */ __u32 ext_cap; /* Overall Ext Cap */ - __u32 discovery; /* Discovery Mode*/ - __u32 search; /* Search Matrix*/ + __u32 discovery; /* Discovery Mode */ + __u32 search; /* Search Matrix */ __u32 u_size; /* user size */ - struct lids_s_inode lidsadm; /* lidsadm's inode value*/ -} __attribute__ ((__packed__)); - -#endif + struct lids_s_inode lidsadm; /* lidsadm's inode value */ +} __attribute__ ((__packed__)); + +#endif Modified: lids/trunk/security/lids/lids_acl.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/lids_acl.c (original) +++ lids/trunk/security/lids/lids_acl.c Thu Apr 20 21:46:19 2006 
@@ -57,14 +57,13 @@ =20 void *b11; static int lids_get_inode_security(struct dentry *o_dentry, - struct inode *inode); + struct inode *inode); =20 /* * Free routine=20 * */ -static void -lids_free_object_acl(struct lids_object_acl *o_acl) +static void lids_free_object_acl(struct lids_object_acl *o_acl) { struct lids_object_acl *p; =20 @@ -78,8 +77,7 @@ } } =20 -void -lids_free_subject_acl(struct lids_subject_acl *s_acl) +void lids_free_subject_acl(struct lids_subject_acl *s_acl) { struct lids_object_acl *o_acl; =20 @@ -91,8 +89,7 @@ kfree(s_acl); } =20 -void -lids_free_inode_acl(struct lids_inode_acl *i_acl) +void lids_free_inode_acl(struct lids_inode_acl *i_acl) { if (!i_acl) return; @@ -106,8 +103,7 @@ /* * free the lids acl structure here */ -void -lids_free_task_acl(struct lids_task_acl *task_acl) +void lids_free_task_acl(struct lids_task_acl *task_acl) { struct lids_subject_acl *s_acl; =20 @@ -123,12 +119,11 @@ /*=20 * lids allocation routine */ -static struct lids_task_acl * -lids_alloc_task_acl(struct task_struct *task) +static struct lids_task_acl *lids_alloc_task_acl(struct task_struct *task) { struct lids_task_acl *task_acl; =20 - task_acl =3D kmalloc(sizeof (struct lids_task_acl), GFP_ATOMIC); + task_acl =3D kmalloc(sizeof(struct lids_task_acl), GFP_ATOMIC); if (!task_acl) { printk(KERN_INFO "LIDS: kmalloc error for task_acl\n"); return NULL; @@ -154,8 +149,7 @@ *********************************************************************** ***********************************************************************/ =20 -int -lids_local_off(void) +int lids_local_off(void) { struct task_struct *t; =20 
@@ -177,28 +171,26 @@ * LIDS ACL Function=20 * */ -static int -lids_check_acl_inode(struct inode *inode, int type) +static int lids_check_acl_inode(struct inode *inode, int type) { =20 struct lids_task_acl *task_acl =3D current->security; - struct lids_object_acl *o_acl;=20 - struct lids_inode_acl *i_acl=3D inode->i_security; + struct lids_object_acl *o_acl; + struct lids_inode_acl *i_acl =3D inode->i_security; //time_t currenttime; - int i=3D0; - + int i =3D 0; =20 if (!(task_acl && task_acl->s_acl)) return -EPERM; -=09 - while (i_acl->perm[i].sid !=3D 0 && i< 64) { + + while (i_acl->perm[i].sid !=3D 0 && i < 64) { =20 o_acl =3D task_acl->s_acl->o_acl; - while(o_acl) { - if ( i_acl->perm[i].sid =3D=3D o_acl->sid && - i_acl->perm[i].oid =3D=3D o_acl->oid ) { - - return type & i_acl->perm[i].type ? 0 : -EPERM; + while (o_acl) { + if (i_acl->perm[i].sid =3D=3D o_acl->sid && + i_acl->perm[i].oid =3D=3D o_acl->oid) { + + return type & i_acl->perm[i].type ? 0 : -EPERM; } o_acl =3D o_acl->next; } @@ -206,22 +198,27 @@ } return -EPERM; } + #if 0 void show_lids_sec(struct lids_inode_acl *i_acl) { struct lids_subject_acl *s_acl; struct lids_object_acl *o_acl; -=09 - if(!i_acl) return; - printk("\tshow: inode: %s, %d\n",i_acl->name, i_acl->type); + + if (!i_acl) + return; + printk("\tshow: inode: %s, %d\n", i_acl->name, i_acl->type); s_acl =3D i_acl->s_acl; - if(!s_acl) return; - printk("\t -- cap %x \n",s_acl->sys_cap); + if (!s_acl) + return; + printk("\t -- cap %x \n", s_acl->sys_cap); o_acl =3D s_acl->o_acl; - if(!o_acl) return; - while(o_acl) { - printk("\t -- obj [%s] type %d inherit %d\n",o_acl->name,o_acl->type,o_ac= l->inherit); - o_acl =3D o_acl->next; + if (!o_acl) + return; + while (o_acl) { + printk("\t -- obj [%s] type %d inherit %d\n", o_acl->name, + o_acl->type, o_acl->inherit); + o_acl =3D o_acl->next; } } #endif 
@@ -236,23 +233,22 @@ =20 computed_s_acl->o_acl =3D NULL; src_acl =3D current_s_acl->o_acl; -=09 + while (src_acl) { if (src_acl->inherit !=3D 0) { dst_acl =3D - kmalloc(sizeof (struct lids_object_acl), - GFP_KERNEL); + kmalloc(sizeof(struct lids_object_acl), GFP_KERNEL); if (!dst_acl) { LIDS_DBG("kmalloc failed\n"); lids_free_subject_acl(computed_s_acl); return -ENOMEM; } memcpy(dst_acl, src_acl, - sizeof (struct lids_object_acl)); + sizeof(struct lids_object_acl)); if (dst_acl->inherit > 0) dst_acl->inherit--; =20 - LIDS_DBG=09 + LIDS_DBG (" +++ pid %i: 1 ACL inherited. remaining TTL : %i\n", current->pid, dst_acl->inherit); =20 @@ -260,14 +256,14 @@ computed_s_acl->o_acl =3D dst_acl; =20 } else { - LIDS_DBG=09 + LIDS_DBG (" + pid %i: 1 ACL not inherited: TTL elapsed.\n", current->pid); } src_acl =3D src_acl->next; } - LIDS_DBG("%s: =3D pid %i: %s inherit acls\n", __FUNCTION__, current->= pid, - computed_s_acl->o_acl ? "does" : "does not"); + LIDS_DBG("%s: =3D pid %i: %s inherit acls\n", __FUNCTION__, + current->pid, computed_s_acl->o_acl ? "does" : "does not"); return 0; } =20 @@ -289,12 +285,13 @@ set_bit(i, (void *)&computed_s_acl->sys_cap); memcpy(&computed_s_acl->cap_inherit[i], ¤t_s_acl->cap_inherit[i], - sizeof (struct lids_cap)); + sizeof(struct lids_cap)); if (current_s_acl->cap_inherit[i].inherit > 0) computed_s_acl->cap_inherit[i].inherit--; } } - LIDS_DBG("%s: %d current %x computed %x\n",__FUNCTION__, current->pid, cu= rrent_s_acl->sys_cap, computed_s_acl->sys_cap); + LIDS_DBG("%s: %d current %x computed %x\n", __FUNCTION__, current->pid, + current_s_acl->sys_cap, computed_s_acl->sys_cap); =20 } =20 
@@ -307,13 +304,16 @@ src_acl =3D new_s_acl->o_acl; computed_s_acl->o_acl =3D NULL; while (src_acl) { - LIDS_DBG(" + pid %i: getting a new fs ACL, %s type %d inherit %d\n",= current->pid,src_acl->name, src_acl->type, src_acl->inherit); - dst_acl =3D kmalloc(sizeof (struct lids_object_acl), GFP_KERNEL); + LIDS_DBG + (" + pid %i: getting a new fs ACL, %s type %d inherit %d\n", + current->pid, src_acl->name, src_acl->type, + src_acl->inherit); + dst_acl =3D kmalloc(sizeof(struct lids_object_acl), GFP_KERNEL); if (!dst_acl) { LIDS_DBG("kmalloc failed\n"); return -3; } - memcpy(dst_acl, src_acl, sizeof (struct lids_object_acl)); + memcpy(dst_acl, src_acl, sizeof(struct lids_object_acl)); dst_acl->next =3D computed_s_acl->o_acl; computed_s_acl->o_acl =3D dst_acl; src_acl =3D src_acl->next; @@ -332,7 +332,8 @@ /* 0. SOCKET inherit FIXME later */ computed_s_acl->ext_cap |=3D new_s_acl->ext_cap; /* if its parent do not has mark, use its own */ - memcpy(computed_s_acl->port, new_s_acl->port, sizeof(computed_s_acl->port= )); + memcpy(computed_s_acl->port, new_s_acl->port, + sizeof(computed_s_acl->port)); =20 for (i =3D 0; i < 32; i++) { /* Here we do an unsigned comparison for -1 to be the biggest number */ @@ -356,14 +357,15 @@ struct lids_subject_acl *computed_s_acl, int protect) { =20 - memset(computed_s_acl, 0, sizeof (struct lids_subject_acl)); + memset(computed_s_acl, 0, sizeof(struct lids_subject_acl)); =20 if (current_s_acl) { =20 - LIDS_DBG("%s: + pid %i: inherit ACLs: %lx ext %lx port %d oacl %p\n",__F= UNCTION__, - current->pid, current_s_acl->sys_cap, - current_s_acl->ext_cap,current_s_acl->port[0][0], - current_s_acl->o_acl); + LIDS_DBG + ("%s: + pid %i: inherit ACLs: %lx ext %lx port %d oacl %p\n", + __FUNCTION__, current->pid, current_s_acl->sys_cap, + current_s_acl->ext_cap, current_s_acl->port[0][0], + current_s_acl->o_acl); =20 lids_compute_inherit_cap(current_s_acl, computed_s_acl); =20 
@@ -376,11 +378,11 @@ =20 if (new_s_acl && protect) { =20 - LIDS_DBG=09 - ("%s: + pid %i: getting new ACLs: cap %lx, ext_cap %lx computed %lx,= ext %lx port %d oacl %p\n",__FUNCTION__, - current->pid, new_s_acl->sys_cap, new_s_acl->ext_cap, - new_s_acl->ext_cap, computed_s_acl->ext_cap, - new_s_acl->port[0][0], + LIDS_DBG + ("%s: + pid %i: getting new ACLs: cap %lx, ext_cap %lx computed %lx,= ext %lx port %d oacl %p\n", + __FUNCTION__, current->pid, new_s_acl->sys_cap, + new_s_acl->ext_cap, new_s_acl->ext_cap, + computed_s_acl->ext_cap, new_s_acl->port[0][0], new_s_acl->o_acl); =20 lids_compute_new_cap(new_s_acl, computed_s_acl); @@ -391,10 +393,11 @@ =20 } =20 - LIDS_DBG("%s: =3D pid %i: final caps : %#lx ext_cap =3D %lx port %d o_acl= =3D %p\n", - __FUNCTION__, current->pid, computed_s_acl->sys_cap, - computed_s_acl->ext_cap, computed_s_acl->port[0][0], computed_s_acl->o_= acl); - + LIDS_DBG + ("%s: =3D pid %i: final caps : %#lx ext_cap =3D %lx port %d o_acl =3D= %p\n", + __FUNCTION__, current->pid, computed_s_acl->sys_cap, + computed_s_acl->ext_cap, computed_s_acl->port[0][0], + computed_s_acl->o_acl); =20 return 0; } @@ -402,8 +405,7 @@ /* * apply the acl to task->security */ -void -lids_set_task_acl(struct lids_subject_acl *s_acl, struct task_struct *task) +void lids_set_task_acl(struct lids_subject_acl *s_acl, struct task_struct = *task) { struct lids_task_acl *acl =3D task->security; =20 
@@ -432,32 +434,32 @@ return; } =20 -static struct lids_subject_acl * -lids_copy_subject_acl(struct lids_subject_acl *src) +static struct lids_subject_acl *lids_copy_subject_acl(struct lids_subject_= acl + *src) { =20 struct lids_object_acl *s, *d; struct lids_subject_acl *dst; =20 dst =3D (struct lids_subject_acl *) - kmalloc(sizeof (struct lids_subject_acl), GFP_KERNEL); + kmalloc(sizeof(struct lids_subject_acl), GFP_KERNEL); if (!dst) { LIDS_DBG("kmalloc error\n"); return NULL; } - memcpy(dst, src, sizeof (struct lids_subject_acl)); + memcpy(dst, src, sizeof(struct lids_subject_acl)); =20 /* 1 . copy lids_acl */ dst->o_acl =3D NULL; s =3D src->o_acl; while (s) { - d =3D kmalloc(sizeof (struct lids_object_acl), GFP_KERNEL); + d =3D kmalloc(sizeof(struct lids_object_acl), GFP_KERNEL); if (!d) { LIDS_DBG("kmalloc error\n"); lids_free_subject_acl(dst); return NULL; } - memcpy(d, s, sizeof (struct lids_object_acl)); + memcpy(d, s, sizeof(struct lids_object_acl)); d->next =3D dst->o_acl; dst->o_acl =3D d; s =3D s->next; @@ -475,8 +477,7 @@ * check if the requried access can be permitted */ =20 -int -lids_check_base(struct dentry *dentry, int flag) +int lids_check_base(struct dentry *dentry, int flag) { struct inode *inode =3D dentry->d_inode; struct lids_inode_acl *i_acl; @@ -487,11 +488,12 @@ =20 error =3D lids_get_inode_security(dentry, inode); if (error) { - printk("%s: yeee. [%s] error ??\n",__FUNCTION__, dentry->d_iname); + printk("%s: yeee. [%s] error ??\n", __FUNCTION__, + dentry->d_iname); return -EPERM; } =20 - i_acl =3D (struct lids_inode_acl *) inode->i_security; + i_acl =3D (struct lids_inode_acl *)inode->i_security; =20 LIDS_DBG("%s: LIDS ACL: i_acl=3D %p, name=3D[%s], inode =3D %d\n", __FUNCTION__, i_acl, dentry->d_iname, inode->i_ino); @@ -500,7 +502,7 @@ return 0; } /* do not have any acl */ - if(i_acl->type =3D=3D 0xffffffff) { + if (i_acl->type =3D=3D 0xffffffff) { return 0; } =20 
@@ -556,7 +558,7 @@ if (i_acl && (i_acl->type & LIDS_APPEND) =3D=3D 0) { /* task and its parent do not have acl */ computed_s_acl =3D - kmalloc(sizeof (struct lids_subject_acl), GFP_KERNEL); + kmalloc(sizeof(struct lids_subject_acl), GFP_KERNEL); if (computed_s_acl =3D=3D NULL) { printk(KERN_INFO "LIDS: kmalloc error for computed acl\n"); @@ -584,7 +586,7 @@ if (task_s_acl) { =20 computed_s_acl =3D - kmalloc(sizeof (struct lids_subject_acl), + kmalloc(sizeof(struct lids_subject_acl), GFP_KERNEL); if (computed_s_acl =3D=3D NULL) { printk @@ -611,7 +613,7 @@ computed_s_acl->o_acl =3D NULL; computed_s_acl->sys_cap =3D 0; memset(computed_s_acl->cap_inherit, 0, - 32 * sizeof (struct lids_cap)); + 32 * sizeof(struct lids_cap)); spin_lock(¤t_task_acl->t_lock); current_task_acl->s_acl =3D computed_s_acl; spin_unlock(¤t_task_acl->t_lock); @@ -644,8 +646,7 @@ static LIST_HEAD(lids_init_head); static spinlock_t lids_init_lock =3D SPIN_LOCK_UNLOCKED; =20 -static int -lids_push_task_acl(struct task_struct *task) +static int lids_push_task_acl(struct task_struct *task) { struct lids_task_acl *task_acl; =20 @@ -675,8 +676,7 @@ /* * */ -struct dentry * -lids_get_task_dentry(struct task_struct *task) +struct dentry *lids_get_task_dentry(struct task_struct *task) { struct dentry *dentry =3D NULL; struct vm_area_struct *vma; @@ -694,8 +694,7 @@ return dentry; } =20 -static int -lids_attach_task_acl(struct task_struct *task) +static int lids_attach_task_acl(struct task_struct *task) { struct lids_task_acl *task_acl; struct dentry *dentry =3D NULL; @@ -726,8 +725,7 @@ return retval; } =20 -int -lids_setup_task_acl(int state) +int lids_setup_task_acl(int state) { struct task_struct *p; =20 
@@ -760,36 +758,43 @@ =20 /* inode acl */ =20 -static int=20 -lids_copy_inode_acl(struct lids_inode_acl *d_i_acl, struct lids_inode_acl = *s_i_acl) +static int +lids_copy_inode_acl(struct lids_inode_acl *d_i_acl, + struct lids_inode_acl *s_i_acl) { struct lids_subject_acl *d_s_acl; - struct lids_object_acl *d_o_acl,*s_o_acl; + struct lids_object_acl *d_o_acl, *s_o_acl; =20 memcpy(d_i_acl, s_i_acl, sizeof(struct lids_inode_acl)); =20 - LIDS_DBG("%s: inode name =3D %s, perm sid %d oid %d\n",__FUNCTION__,s_i_a= cl->name,s_i_acl->perm[0].sid, s_i_acl->perm[0].oid); - - if(s_i_acl->s_acl) { - d_s_acl =3D kmalloc(sizeof(struct lids_subject_acl),GFP_KERNEL); - if(!d_s_acl) { - printk("%s: LIDS: kmalloc subject acl error\n",__FUNCTION__); + LIDS_DBG("%s: inode name =3D %s, perm sid %d oid %d\n", __FUNCTION__, + s_i_acl->name, s_i_acl->perm[0].sid, s_i_acl->perm[0].oid); + + if (s_i_acl->s_acl) { + d_s_acl =3D kmalloc(sizeof(struct lids_subject_acl), GFP_KERNEL); + if (!d_s_acl) { + printk("%s: LIDS: kmalloc subject acl error\n", + __FUNCTION__); return -ENOMEM; - }=09 - memcpy(d_s_acl, s_i_acl->s_acl,sizeof(struct lids_subject_acl)); - - d_i_acl->s_acl =3D d_s_acl;=09 + } + memcpy(d_s_acl, s_i_acl->s_acl, + sizeof(struct lids_subject_acl)); + + d_i_acl->s_acl =3D d_s_acl; d_s_acl->o_acl =3D NULL; =20 - s_o_acl =3D s_i_acl->s_acl->o_acl;=20 - - while(s_o_acl) { - d_o_acl =3D kmalloc(sizeof(struct lids_object_acl),GFP_KERNEL); - if(!d_o_acl) { - printk("%s: LIDS: kmalloc object acl error\n",__FUNCTION__); + s_o_acl =3D s_i_acl->s_acl->o_acl; + + while (s_o_acl) { + d_o_acl =3D + kmalloc(sizeof(struct lids_object_acl), GFP_KERNEL); + if (!d_o_acl) { + printk("%s: LIDS: kmalloc object acl error\n", + __FUNCTION__); return -ENOMEM; - }=09 - memcpy(d_o_acl, s_o_acl,sizeof(struct lids_object_acl)); + } + memcpy(d_o_acl, s_o_acl, + sizeof(struct lids_object_acl)); d_o_acl->next =3D d_s_acl->o_acl; d_s_acl->o_acl =3D d_o_acl; =20 
@@ -800,30 +805,30 @@ return 0; } =20 -static struct lids_inode_acl * -lids_set_inode_acl(struct inode *inode, struct lids_inode_acl *c_i_acl) +static struct lids_inode_acl *lids_set_inode_acl(struct inode *inode, + struct lids_inode_acl *c_i_acl) { struct lids_inode_acl *i_acl; =20 - i_acl =3D kmalloc(sizeof (struct lids_inode_acl), GFP_KERNEL); + i_acl =3D kmalloc(sizeof(struct lids_inode_acl), GFP_KERNEL); if (!i_acl) { printk(KERN_INFO "LIDS: kmalloc failed for inode_acl\n"); return NULL; } - if(!c_i_acl) { - c_i_acl =3D kmalloc(sizeof(struct lids_inode_acl),GFP_KERNEL);=09 - if(!c_i_acl) { + if (!c_i_acl) { + c_i_acl =3D kmalloc(sizeof(struct lids_inode_acl), GFP_KERNEL); + if (!c_i_acl) { printk("LIDS: fatal error c_i_acl kmalloc failed\n"); return NULL; } memset(c_i_acl, 0, sizeof(struct lids_inode_acl)); - c_i_acl->version =3D lids_update_version;=20 + c_i_acl->version =3D lids_update_version; c_i_acl->type =3D 0xffffffff; c_i_acl->magic =3D LIDS_MAGIC; } lids_copy_inode_acl(i_acl, c_i_acl); /* FIXME, if inode has security */ -=09 + spin_lock(&inode->i_lock); lids_free_inode_acl(inode->i_security); inode->i_security =3D i_acl; @@ -832,8 +837,7 @@ return c_i_acl; } =20 -static int -lids_get_inode_security(struct dentry *dentry, struct inode *inode) +static int lids_get_inode_security(struct dentry *dentry, struct inode *in= ode) { struct lids_inode_acl *i_acl, *c_i_acl; struct dentry *i_dentry =3D NULL; 
@@ -852,45 +856,45 @@ MINOR(inode->i_sb->s_dev), inode->i_ino); =20 i_acl =3D inode->i_security; - if(i_acl && i_acl->version =3D=3D lids_update_version) {=20 + if (i_acl && i_acl->version =3D=3D lids_update_version) { return 0; } =20 if (!dentry) { - printk("%s: dentry is NULL, Bug?\n",__FUNCTION__); + printk("%s: dentry is NULL, Bug?\n", __FUNCTION__); return 0; } i_dentry =3D dentry; - while(1) { + while (1) { c_i_acl =3D lids_do_get_acl(i_dentry->d_inode); - if(c_i_acl !=3D NULL || i_dentry =3D=3D i_dentry->d_parent ) { - c_i_acl =3D lids_set_inode_acl(i_dentry->d_inode, c_i_acl); + if (c_i_acl !=3D NULL || i_dentry =3D=3D i_dentry->d_parent) { + c_i_acl =3D + lids_set_inode_acl(i_dentry->d_inode, c_i_acl); break; } i_dentry =3D i_dentry->d_parent; =20 i_acl =3D i_dentry->d_inode->i_security; - if(i_acl && i_acl->version =3D=3D lids_update_version) { + if (i_acl && i_acl->version =3D=3D lids_update_version) { c_i_acl =3D i_acl; break; } } - if(!c_i_acl) { + if (!c_i_acl) { return -ENOMEM; } - while(dentry !=3D i_dentry) { + while (dentry !=3D i_dentry) { c_i_acl =3D lids_set_inode_acl(dentry->d_inode, c_i_acl); - if(!c_i_acl)=20 + if (!c_i_acl) return -ENOMEM; dentry =3D dentry->d_parent; - /* it is root now */=09 - } - return 0;=09 + /* it is root now */ + } + return 0; } =20 #if 0 -static int -lids_check_shellcode(struct linux_binprm *bprm) +static int lids_check_shellcode(struct linux_binprm *bprm) { struct page *page; int i, offset, err =3D 0; @@ -944,8 +948,7 @@ } #endif =20 -static int -lids_check_envp(struct linux_binprm *bprm) +static int lids_check_envp(struct linux_binprm *bprm) { struct page *page; int err =3D 0; 
@@ -957,7 +960,7 @@ * copy the userspace charctor into a buffer to hold all the=20 * envp here.. and check it. */ - LIDS_DBG("%s: enter file %s\n",__FUNCTION__, bprm->filename); + LIDS_DBG("%s: enter file %s\n", __FUNCTION__, bprm->filename); offset =3D (bprm->p) % PAGE_SIZE; i =3D (bprm->p) / PAGE_SIZE; kaddr =3D p =3D kmalloc(MAX_ARG_PAGES * PAGE_SIZE - bprm->p, GFP_KERNEL); @@ -965,15 +968,15 @@ if (!p) return -1; =20 - end_p =3D p + MAX_ARG_PAGES * PAGE_SIZE - bprm->p;=20 + end_p =3D p + MAX_ARG_PAGES * PAGE_SIZE - bprm->p; while (i < MAX_ARG_PAGES) { page =3D bprm->page[i]; paddr =3D kmap(page); /* make sure each time, the kaddr is not out of bound */ - if( kaddr + PAGE_SIZE - offset > end_p ) { + if (kaddr + PAGE_SIZE - offset > end_p) { kfree(p); return -1; - }=20 + } memcpy(kaddr, paddr + offset, PAGE_SIZE - offset); kaddr +=3D PAGE_SIZE - offset; kunmap(page); @@ -995,10 +998,10 @@ kaddr =3D strchr(kaddr, '\0'); kaddr =3D kaddr + 1; /* overflow checking */ - if(kaddr > end_p) { + if (kaddr > end_p) { kfree(p); return -1; - }=20 + } i++; } =20 @@ -1013,16 +1016,16 @@ kfree(p); return err; } + /* * checking the envp=20 */ -int -lids_execve_check_envp(struct linux_binprm *bprm) +int lids_execve_check_envp(struct linux_binprm *bprm) { struct lids_task_acl *current_task_acl =3D current->security; - struct lids_subject_acl *current_s_acl=3DNULL; - - LIDS_DBG("%s: enter file %s\n",__FUNCTION__, bprm->filename); + struct lids_subject_acl *current_s_acl =3D NULL; + + LIDS_DBG("%s: enter file %s\n", __FUNCTION__, bprm->filename); if (current_task_acl && current_task_acl->s_acl) { current_s_acl =3D current_task_acl->s_acl; =20 
@@ -1044,11 +1047,10 @@ /* * the current->security struct lids_sys_acl */ -int -lids_execve(struct linux_binprm *bprm) +int lids_execve(struct linux_binprm *bprm) { struct lids_task_acl *current_task_acl =3D current->security; - struct dentry *dentry,*t_dentry; + struct dentry *dentry, *t_dentry; struct lids_inode_acl *i_acl =3D NULL; int error; =20 @@ -1068,12 +1070,11 @@ =20 t_dentry =3D lids_get_task_dentry(current); =20 - if (t_dentry && lids_load && lids_local_load=20 - && lids_ext_capable(current, 15) < 0) { + if (t_dentry && lids_load && lids_local_load + && lids_ext_capable(current, 15) < 0) { if (dentry->d_inode->i_ino !=3D t_dentry->d_inode->i_ino || dentry->d_inode->i_sb->s_dev !=3D - t_dentry->d_inode->i_sb->s_dev=20 - ) { + t_dentry->d_inode->i_sb->s_dev) { lids_security_alert ("pid %i ppid %i, exec [%s] denied\n", current->pid, current->parent->pid, @@ -1099,8 +1100,7 @@ /* copy the fork=20 */ =20 -int -lids_fork_task(struct task_struct *tsk) +int lids_fork_task(struct task_struct *tsk) { struct lids_subject_acl *src =3D NULL; struct lids_subject_acl *dst =3D NULL; @@ -1142,8 +1142,7 @@ return 0; } =20 -int -lids_check_task_kill(struct task_struct *p, struct siginfo *info, int sig) +int lids_check_task_kill(struct task_struct *p, struct siginfo *info, int = sig) { struct lids_task_acl *task_acl =3D p->security; struct lids_subject_acl *s_acl =3D task_acl->s_acl; Modified: lids/trunk/security/lids/lids_cap.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/lids_cap.c (original) +++ lids/trunk/security/lids/lids_cap.c Thu Apr 20 21:46:19 2006 
@@ -76,22 +76,21 @@ /* * check the CAP_NET_BIND_SERVICE to bind to specify port */ -int -lids_bind_checker(const int port) +int lids_bind_checker(const int port) { int i =3D 0; struct lids_task_acl *task_acl =3D current->security; struct lids_subject_acl *s_acl; =20 /* if CAP_NET_BIND_SERVICE is enable global, return success */ -// if (capable(CAP_NET_BIND_SERVICE)) - if (cap_raised(cap_bset, CAP_NET_BIND_SERVICE))=20 +// if (capable(CAP_NET_BIND_SERVICE)) + if (cap_raised(cap_bset, CAP_NET_BIND_SERVICE)) return 1; /* if the LIDS is disable , return success */ /* check only port < 1024) */ - if (!(lids_load && lids_local_load) || port > 1023 ) + if (!(lids_load && lids_local_load) || port > 1023) return 1; - if (!( task_acl && task_acl->s_acl)) + if (!(task_acl && task_acl->s_acl)) return 1; s_acl =3D task_acl->s_acl; =20 
@@ -102,29 +101,29 @@ } return -1; } -static void -lids_capset_log(kernel_cap_t dest) +static void lids_capset_log(kernel_cap_t dest) { - int i=3D0,len=3D0; + int i =3D 0, len =3D 0; char action[640]; //kernel_cap_t dest; //cap_t(dest) =3D cap_t(a) & ~cap_t(set); -=09 - memset(action,'\0',640); =20 - for(i=3D0;i<32;i++) { - if(cap_raised(dest,i) && (len+strlen(lids_caps_desc[i])+1) < 640) { - memcpy(action+len,lids_caps_desc[i],strlen(lids_caps_desc[i])); - len =3D len+strlen(lids_caps_desc[i])+1; - action[len-1] =3D 0x20;=20 + memset(action, '\0', 640); + + for (i =3D 0; i < 32; i++) { + if (cap_raised(dest, i) + && (len + strlen(lids_caps_desc[i]) + 1) < 640) { + memcpy(action + len, lids_caps_desc[i], + strlen(lids_caps_desc[i])); + len =3D len + strlen(lids_caps_desc[i]) + 1; + action[len - 1] =3D 0x20; //printk("%d: %s action=3D%s\n", i, lids_caps_desc[i], action); } - } =09 - lids_alert(LIDS_CAP, -1, i, "cap" , action); + } + lids_alert(LIDS_CAP, -1, i, "cap", action); } =20 -int -lids_check_capset(struct task_struct *tsk, kernel_cap_t a,kernel_cap_t set= )=20 +int lids_check_capset(struct task_struct *tsk, kernel_cap_t a, kernel_cap_= t set) { struct lids_task_acl *tsk_acl =3D tsk->security; kernel_cap_t dest; 
@@ -132,19 +131,18 @@ =20 //printk("lids_check_capset: dest %x **\n",cap_t(dest)); if (tsk_acl && tsk_acl->s_acl) { - if (!(cap_t(dest)& ~(tsk_acl->s_acl->sys_cap))) { - //printk("lids_check_capset: dest %x, tsk %x\n",cap_t(dest), tsk_acl->s_a= cl->sys_cap); + if (!(cap_t(dest) & ~(tsk_acl->s_acl->sys_cap))) { + //printk("lids_check_capset: dest %x, tsk %x\n",cap_t(dest), tsk_acl->s= _acl->sys_cap); =20 return 0; } } - lids_capset_log(to_cap_t(cap_t(dest)& ~(tsk_acl->s_acl->sys_cap))); + lids_capset_log(to_cap_t(cap_t(dest) & ~(tsk_acl->s_acl->sys_cap))); return LIDS_ERROR(-EPERM); - =09 + } =20 -int -lids_check_capable(struct task_struct *tsk, int cap, int log) +int lids_check_capable(struct task_struct *tsk, int cap, int log) { struct lids_task_acl *tsk_acl =3D tsk->security; =20 @@ -159,8 +157,7 @@ return LIDS_ERROR(-EPERM); } =20 -void -lids_cap_log(int cap) +void lids_cap_log(int cap) { if (!cap_raised(lids_cap_val, cap)) { lids_alert(LIDS_CAP, -1, cap, lids_caps_desc[cap], @@ -168,8 +165,7 @@ } } =20 -int -lids_ext_capable(struct task_struct *tsk, int type) +int lids_ext_capable(struct task_struct *tsk, int type) { struct lids_task_acl *task_acl =3D tsk->security; struct lids_subject_acl *s_acl; @@ -183,4 +179,3 @@ } return 0; } - Modified: lids/trunk/security/lids/lids_init.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/lids_init.c (original) +++ lids/trunk/security/lids/lids_init.c Thu Apr 20 21:46:19 2006 @@ -34,7 +34,7 @@ =20 static int lids_lock_init =3D 0; static spinlock_t lids_lock; -int lids_init_setup; +int lids_init_setup; static int lids_u_size =3D 0; =20 static char lids_binary_acl_file[3][PATH_MAX] =3D 
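Review bot: In `lids_check_capset`, `lids_capset_log(to_cap_t(cap_t(dest) & ~(tsk_acl->s_acl->sys_cap)));` dereferences `tsk_acl->s_acl` on the path where the only guard, `if (tsk_acl && tsk_acl->s_acl)`, was false, so a task with no LIDS ACL attached (either pointer NULL) hits a NULL dereference in kernel context instead of reaching the `LIDS_ERROR(-EPERM)` return. The guard should decide the outcome before the log call, e.g. `if (!(tsk_acl && tsk_acl->s_acl)) return LIDS_ERROR(-EPERM);` (or whichever result the module intends for un-ACLed tasks) ahead of it, or the log call moved inside the guarded block. `lids_check_capable` below appears to take the same `tsk->security` pointer; its body lies outside the hunk and should be checked for the same shape. `lids_check_capset` itself begins in the previous hunk.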
@@ -45,7 +45,7 @@ #define LIDS_MAX_ACL_NUM 1024 static struct lids_inode_acl lids_acl[2][LIDS_MAX_ACL_NUM]; static int lids_last_acl[2]; -static int lids_eft_set;=20 +static int lids_eft_set; int lids_update_version; =20 /* fast guessing table*/ @@ -69,8 +69,8 @@ */ static int lids_search_inode(unsigned long ino, int major, int minor) { - dev_t s_dev; - dev_t dev =3D MKDEV(major,minor);=20 + dev_t s_dev; + dev_t dev =3D MKDEV(major, minor); long j; long i =3D (ino ^ dev) & 0xffff; =20 @@ -84,8 +84,8 @@ to 8 comparisons (table is sorted!) */ =20 for (j =3D i =3D lids_search_value[lids_eft_set];; j >>=3D 1) { - s_dev =3D MKDEV(lids_acl[lids_eft_set][i].inode.dev.major,=20 - lids_acl[lids_eft_set][i].inode.dev.minor); + s_dev =3D MKDEV(lids_acl[lids_eft_set][i].inode.dev.major, + lids_acl[lids_eft_set][i].inode.dev.minor); =20 if (i >=3D lids_last_acl[lids_eft_set]) i -=3D j; 
@@ -98,37 +98,40 @@ else if (lids_acl[lids_eft_set][i].inode.ino > ino) i -=3D j; else { - return i; // return type?? + return i; // return type?? } if (!j || i < 0) return -1; } } -#endif=20 - -struct lids_inode_acl * -lids_do_get_acl(struct inode *inode) +#endif + +struct lids_inode_acl *lids_do_get_acl(struct inode *inode) { #if 0 int retval; =20 - retval =3D lids_search_inode(inode->i_ino, MAJOR(inode->i_sb->s_dev), MI= NOR(inode->i_sb->s_dev)); - if(retval >=3D0 )=20 + retval =3D + lids_search_inode(inode->i_ino, MAJOR(inode->i_sb->s_dev), + MINOR(inode->i_sb->s_dev)); + if (retval >=3D 0) return &lids_acl[lids_eft_set][retval]; return NULL; #else int i; =20 - for(i=3D0;i<lids_last_acl[lids_eft_set];i++) { - if(inode->i_ino =3D=3D lids_acl[lids_eft_set][i].inode.ino && - MAJOR(inode->i_sb->s_dev) =3D=3D lids_acl[lids_eft_set][i].inode.dev.ma= jor &&=20 - MINOR(inode->i_sb->s_dev) =3D=3D lids_acl[lids_eft_set][i].inode.dev.mi= nor ) {=20 + for (i =3D 0; i < lids_last_acl[lids_eft_set]; i++) { + if (inode->i_ino =3D=3D lids_acl[lids_eft_set][i].inode.ino && + MAJOR(inode->i_sb->s_dev) =3D=3D + lids_acl[lids_eft_set][i].inode.dev.major + && MINOR(inode->i_sb->s_dev) =3D=3D + lids_acl[lids_eft_set][i].inode.dev.minor) { return &lids_acl[lids_eft_set][i]; } - }=09 + } return NULL; #endif -=09 + } =20 static int 
@@ -141,18 +144,18 @@ u32 eft_set =3D (lids_eft_set & 1) ^ 1; int i; =20 - - if (len < sizeof (struct lids_inode_acl) - sizeof(char*) + lids_u_size ) { + if (len < sizeof(struct lids_inode_acl) - sizeof(char *) + lids_u_size) { printk(KERN_INFO "LIDS: Inode ACL incorrect, len =3D %d\n", len); return -1; } /* we do not have the psinLock_t in the xattr */ - memcpy(i_acl, p, sizeof (struct lids_inode_acl) - sizeof(char *) -64 ); - memcpy(i_acl->name, p+sizeof (struct lids_inode_acl)-sizeof(char*)+lids_u= _size-64, 64); + memcpy(i_acl, p, sizeof(struct lids_inode_acl) - sizeof(char *) - 64); + memcpy(i_acl->name, + p + sizeof(struct lids_inode_acl) - sizeof(char *) + + lids_u_size - 64, 64); =20 i_acl->version =3D lids_update_version; /* current version */ i_acl->s_acl =3D NULL; - =20 if (i_acl->magic !=3D LIDS_MAGIC) { /* LIDS magic */ printk(KERN_INFO "LIDS: magic code mismatch %x\n", 
@@ -160,56 +163,71 @@ return -1; } /* fastguesing */ - i =3D ((MKDEV(i_acl->inode.dev.major,i_acl->inode.dev.minor)) ^ (i_acl->i= node.ino)) & 0xffff; + i =3D ((MKDEV(i_acl->inode.dev.major, i_acl->inode.dev.minor)) ^ + (i_acl->inode.ino)) & 0xffff; fastguess[eft_set][i >> 5] |=3D lids_bittab[i & 31]; =20 - if (len =3D=3D (sizeof (struct lids_inode_acl) ) - sizeof(char *)+lids_u_= size ) { + if (len =3D=3D + (sizeof(struct lids_inode_acl)) - sizeof(char *) + lids_u_size) { return 0; } - len -=3D (sizeof (struct lids_inode_acl) - sizeof(char *)+lids_u_size ); - - s_acl =3D kmalloc(sizeof (struct lids_subject_acl), GFP_KERNEL); + len -=3D (sizeof(struct lids_inode_acl) - sizeof(char *) + lids_u_size); + + s_acl =3D kmalloc(sizeof(struct lids_subject_acl), GFP_KERNEL); if (!s_acl) { return -ENOMEM; } =20 - p +=3D (sizeof (struct lids_inode_acl) -sizeof(char *) + lids_u_size ); - memcpy(s_acl, p, sizeof (struct lids_subject_acl) - sizeof(char *) + lids= _u_size); + p +=3D (sizeof(struct lids_inode_acl) - sizeof(char *) + lids_u_size); + memcpy(s_acl, p, + sizeof(struct lids_subject_acl) - sizeof(char *) + lids_u_size); =20 /* set it */ i_acl->s_acl =3D s_acl; s_acl->o_acl =3D NULL; =20 - if (len =3D=3D sizeof (struct lids_subject_acl) - sizeof(char *) + lids_u= _size) { + if (len =3D=3D + sizeof(struct lids_subject_acl) - sizeof(char *) + lids_u_size) { return 0; } - len -=3D sizeof (struct lids_subject_acl) - sizeof(char *) + lids_u_size; + len -=3D sizeof(struct lids_subject_acl) - sizeof(char *) + lids_u_size; =20 if (len < 0) { printk(KERN_INFO "LIDS: Subject ACL incorrect, len =3D %d\n", len); return -1; } - num =3D (unsigned int) (len % ( sizeof (struct lids_object_acl) - sizeof(= char*) + lids_u_size)); + num =3D + (unsigned int)(len % + (sizeof(struct lids_object_acl) - sizeof(char *) + + lids_u_size)); if (num > 0) { printk(KERN_INFO "LIDS: Object ACLs incorrect, len =3D %d\n", len); return -1; } - num =3D (unsigned int) (len / (sizeof (struct lids_object_acl) 
- sizeof(c= har*) + lids_u_size )); - - p +=3D sizeof (struct lids_subject_acl) - sizeof(char *) + lids_u_size;; + num =3D + (unsigned int)(len / + (sizeof(struct lids_object_acl) - sizeof(char *) + + lids_u_size)); + + p +=3D sizeof(struct lids_subject_acl) - sizeof(char *) + lids_u_size;; o_acl =3D pre_acl =3D NULL; for (i =3D 0; i < num; i++) { - o_acl =3D kmalloc(sizeof (struct lids_object_acl), GFP_KERNEL); + o_acl =3D kmalloc(sizeof(struct lids_object_acl), GFP_KERNEL); if (!o_acl) { return -ENOMEM; } - memcpy(o_acl, p, sizeof (struct lids_object_acl) - sizeof(char*) + lids_= u_size -64 ); + memcpy(o_acl, p, + sizeof(struct lids_object_acl) - sizeof(char *) + + lids_u_size - 64); o_acl->next =3D pre_acl; - memcpy(o_acl->name, p+sizeof (struct lids_object_acl) - sizeof(char*) + = lids_u_size-64, 64); - - p +=3D sizeof (struct lids_object_acl) - sizeof(char*) + lids_u_size; + memcpy(o_acl->name, + p + sizeof(struct lids_object_acl) - sizeof(char *) + + lids_u_size - 64, 64); + + p +=3D sizeof(struct lids_object_acl) - sizeof(char *) + + lids_u_size; pre_acl =3D o_acl; } /* the last one */ 
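Review bot: In lids_buffer_to_inode_acl the `return -ENOMEM;` inside the `for (i = 0; i < num; i++)` loop abandons the object ACLs already allocated and chained through `pre_acl`, because they are presumably only attached to `s_acl->o_acl` after the loop (the code following `/* the last one */` is outside the hunk). `s_acl` itself is already stored in `i_acl->s_acl`, but the caller in lids_buffer_to_acl returns on `err` before `lids_last_acl[eft_set]++`, so lids_free_lids_set never reaches that entry either; assigning `s_acl->o_acl = pre_acl;` before the early return, and freeing the partially filled slot in the caller, would let lids_free_subject_acl reclaim it. `num` is also derived from the caller-supplied `len` with no upper bound, so a corrupt ACL file can drive an unbounded number of kmalloc calls; a sanity cap on `num` would contain that. The function begins in an earlier hunk.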
@@ -217,96 +235,107 @@ return 0; =20 } + /*=20 * translate buffer into acl=20 */ -static int -lids_buffer_to_acl(char *buffer, int len) -{ - int err=3D0; - char *p , *q; +static int lids_buffer_to_acl(char *buffer, int len) +{ + int err =3D 0; + char *p, *q; u32 num; - u32 plen=3D0; + u32 plen =3D 0; u32 hlen; u32 eft_set =3D (lids_eft_set & 1) ^ 1; -=09 - hlen =3D sizeof (struct lids_inode_acl) - sizeof(char*) + lids_u_size;=20 + + hlen =3D sizeof(struct lids_inode_acl) - sizeof(char *) + lids_u_size; p =3D q =3D buffer; =20 - while(len >=3D hlen ) { - hlen =3D sizeof (struct lids_inode_acl) - sizeof(char*) - 64;=20 - num =3D *(u32 *)(p+12); - - plen =3D sizeof (struct lids_inode_acl) - sizeof(char*) + lids_u_size;=20 - - if(num !=3D 0) { - hlen =3D plen + sizeof (struct lids_subject_acl) - sizeof(char*) + lids= _u_size; - if(hlen > len) { + while (len >=3D hlen) { + hlen =3D sizeof(struct lids_inode_acl) - sizeof(char *) - 64; + num =3D *(u32 *) (p + 12); + + plen =3D + sizeof(struct lids_inode_acl) - sizeof(char *) + + lids_u_size; + + if (num !=3D 0) { + hlen =3D + plen + sizeof(struct lids_subject_acl) - + sizeof(char *) + lids_u_size; + if (hlen > len) { return len; } - num =3D *(u32 *)(p+plen+12);=20 + num =3D *(u32 *) (p + plen + 12); plen =3D hlen; =20 - if(num !=3D 0) { - plen+=3Dnum*( sizeof (struct lids_object_acl) - sizeof(char *) + lids_= u_size); - if(plen > len) { + if (num !=3D 0) { + plen +=3D + num * (sizeof(struct lids_object_acl) - + sizeof(char *) + lids_u_size); + if (plen > len) { return len; } } } - err =3D lids_buffer_to_inode_acl(p, plen, &lids_acl[eft_set][lids_last_a= cl[eft_set]]); - - if(err) return err; + err =3D + lids_buffer_to_inode_acl(p, plen, + &lids_acl[eft_set][lids_last_acl + [eft_set]]); + + if (err) + return err; lids_last_acl[eft_set]++; =20 len -=3D plen; - hlen =3D sizeof (struct lids_inode_acl) - sizeof(char*) + lids_u_size;=20 + hlen =3D + sizeof(struct lids_inode_acl) - sizeof(char *) + + lids_u_size; p +=3D plen; } 
=20 return len; } -void -lids_free_lids_set(int eft_set) +void lids_free_lids_set(int eft_set) { int i; =20 - for(i=3D0;i<lids_last_acl[eft_set];i++) { + for (i =3D 0; i < lids_last_acl[eft_set]; i++) { lids_free_subject_acl((lids_acl[eft_set][i].s_acl)); } - memset(lids_acl[eft_set],0,sizeof(lids_acl[eft_set])); -} + memset(lids_acl[eft_set], 0, sizeof(lids_acl[eft_set])); +} + /* * lids read capability from /etc/lids/lids.cap=20 */ =20 -static int -lids_read_acl(int state) +static int lids_read_acl(int state) { struct file *filp =3D NULL; char *buffer; mm_segment_t oldfs; - int bytes,rlen =3D 1024; + int bytes, rlen =3D 1024; int error =3D 0; u32 start =3D 0, finished =3D 0; struct lids_acl_header hdr; - u32 eft_set =3D (lids_eft_set & 1) ^ 1; + u32 eft_set =3D (lids_eft_set & 1) ^ 1; =20 lids_update_version++; lids_last_acl[eft_set] =3D 0; -=09 - /* using MUTEX to protect lids_acl[] */ =09 - /* FIXME, need to free the subject+acl if any*/ + + /* using MUTEX to protect lids_acl[] */ + /* FIXME, need to free the subject+acl if any */ =20 lids_free_lids_set(eft_set); -=09 - filp =3D filp_open(lids_binary_acl_file[state-1], O_RDONLY, 0); + + filp =3D filp_open(lids_binary_acl_file[state - 1], O_RDONLY, 0); =20 if (IS_ERR(filp) || (filp =3D=3D NULL)) { error =3D -1; printk ("LIDS: Error opening ACLs file %s in state %d, Does it exist?\n", - lids_binary_acl_file[state-1], state); + lids_binary_acl_file[state - 1], state); /* FIXME: if (lids_load) goto err_panic; */ return error; } @@ -327,7 +356,7 @@ set_fs(KERNEL_DS); bytes =3D filp->f_op->read(filp, (char *)&hdr, sizeof(hdr), &filp->f_pos); set_fs(oldfs); -=09 + if (bytes !=3D sizeof(hdr)) { printk("LIDS: %s format error\n", lids_binary_acl_file[state]); fput(filp); 
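Review bot: In lids_read_acl the error report `printk("LIDS: %s format error\n", lids_binary_acl_file[state]);` indexes with `state`, whereas the filp_open a few lines earlier uses `lids_binary_acl_file[state - 1]` and the array is declared `lids_binary_acl_file[3][PATH_MAX]` in an earlier hunk; for the third state this reads one row past the end of the array and prints whatever follows it. It should be `lids_binary_acl_file[state - 1]` like the other uses. Separately, in lids_buffer_to_acl the first assignment in the loop, `hlen = sizeof(struct lids_inode_acl) - sizeof(char *) - 64;`, is overwritten before it is ever read and can be deleted.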
@@ -336,20 +365,21 @@ lids_cap_val =3D hdr.sys_cap; lids_search_value[eft_set] =3D hdr.search; lids_u_size =3D hdr.u_size; - printk("LIDS: user space is %d bit\n",lids_u_size*8); + printk("LIDS: user space is %d bit\n", lids_u_size * 8); =20 if (lids_state =3D=3D LIDS_STATE_BOOT) { lids_acl_discovery =3D hdr.discovery; memcpy(&lidsadm, &(hdr.lidsadm), sizeof(struct lids_s_inode)); - printk("LIDS: lidsadm inode 0x%x dev 0x%x:%x\n", lidsadm.ino, lidsadm.de= v=2Emajor, lidsadm.dev.minor); - } - - start =3D sizeof(hdr) ;=20 + printk("LIDS: lidsadm inode 0x%x dev 0x%x:%x\n", lidsadm.ino, + lidsadm.dev.major, lidsadm.dev.minor); + } + + start =3D sizeof(hdr); =20 while (!finished) { =20 - buffer =3D kmalloc(rlen,GFP_KERNEL);=20 - memset(buffer,0,rlen); + buffer =3D kmalloc(rlen, GFP_KERNEL); + memset(buffer, 0, rlen); =20 filp->f_pos =3D start; oldfs =3D get_fs(); @@ -360,28 +390,28 @@ if (bytes < rlen) { finished =3D 1; } - error =3D lids_buffer_to_acl(buffer,bytes); + error =3D lids_buffer_to_acl(buffer, bytes); =20 kfree(buffer); =20 - if (error<0) + if (error < 0) break; /* we do not have enough room for the whole buffer */ - if(bytes =3D=3D error) { - if(!bytes && finished && start =3D=3D sizeof(hdr)) + if (bytes =3D=3D error) { + if (!bytes && finished && start =3D=3D sizeof(hdr)) break; - if(finished) { + if (finished) { printk("LIDS: Format error\n"); - error =3D -10;=09 + error =3D -10; break; - }else { - rlen +=3Drlen; /* enlarge the buffer*/ + } else { + rlen +=3D rlen; /* enlarge the buffer */ } - }else{ + } else { rlen =3D 1024; } =20 - start +=3D bytes-error; + start +=3D bytes - error; } /* Close the file */ fput(filp); 
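Review bot: `lids_u_size = hdr.u_size;` takes the user-space word size straight from the ACL file header and every later offset (`sizeof(...) - sizeof(char *) + lids_u_size` in lids_buffer_to_acl and lids_buffer_to_inode_acl) trusts it, so a malformed or wrong-architecture file silently shifts all the memcpy boundaries; since the value is printed as `lids_u_size * 8` bits, restricting it to the sizes actually supported, e.g. `if (hdr.u_size != 4 && hdr.u_size != 8) { fput(filp); return -1; }`, keeps the parser honest. In the read loop of the following hunk, `buffer = kmalloc(rlen, GFP_KERNEL);` is not checked before `memset(buffer, 0, rlen);`, and `rlen += rlen;` doubles the request with no ceiling, so an allocation failure becomes a NULL dereference rather than an error; add `if (!buffer) { error = -ENOMEM; break; }` and cap `rlen`. The function's start is in an earlier hunk.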
@@ -389,9 +419,9 @@ /* switch it */ lids_eft_set =3D eft_set; //printk("LIDS: Using eft_set %d , ",lids_eft_set); - printk("LIDS: ACL Discovery: %s, ",lids_acl_discovery?"ON":"OFF"); - printk("Effective Capability: %x, ",lids_cap_val); - printk("Total ACLs Count: %d\n",lids_last_acl[eft_set]); + printk("LIDS: ACL Discovery: %s, ", lids_acl_discovery ? "ON" : "OFF"); + printk("Effective Capability: %x, ", lids_cap_val); + printk("Total ACLs Count: %d\n", lids_last_acl[eft_set]); =20 return error; } @@ -405,8 +435,7 @@ * */ =20 -int -lids_init(void) +int lids_init(void) { int error =3D 0; /* Get lidsadm dev/inode */ @@ -432,8 +461,7 @@ printk(KERN_INFO "LIDS: Initializing LIDS ACLs\n"); =20 if (lids_read_acl(lids_state)) { - printk("LIDS: Read ACL file error, state %d\n", - lids_state); + printk("LIDS: Read ACL file error, state %d\n", lids_state); error =3D -9; goto lids_panic; } @@ -447,19 +475,19 @@ lids_state_name[lids_state - 1]); } lids_local_on =3D 1; - if (!error) return 0; -lids_panic: + if (!error) + return 0; + lids_panic: printk - ("LIDS_ERR: Cannot initialize the lids system, return code %d\n", - error); + ("LIDS_ERR: Cannot initialize the lids system, return code %d\n", + error); return error; } =20 /* do_lids_setup=20 */ -int -do_lids_setup(void) +int do_lids_setup(void) { int err =3D 0; =20 @@ -471,7 +499,7 @@ if (IS_ERR(filp) || (filp =3D=3D NULL)) { return -1; } -=09 + lids_init_setup =3D 1; lids_local_on =3D 1; lids_flags =3D 0; 
@@ -484,18 +512,16 @@ =20 lids_update_version =3D (int)get_seconds(); lids_eft_set =3D 0; - memset(lids_last_acl,0,sizeof(lids_last_acl)); - memset(lids_acl,0,sizeof(lids_acl)); - + memset(lids_last_acl, 0, sizeof(lids_last_acl)); + memset(lids_acl, 0, sizeof(lids_acl)); =20 lids_sysctl_init(); /* load BOOT acl */ /* make it read the configure file easier. */ err =3D lids_init(); =20 - printk(KERN_NOTICE "LIDS: Linux Intrusion Detection System %s %s\n", LIDS= _VERSION, - lids_load =3D=3D 1 ? "started" : "not started"); - + printk(KERN_NOTICE "LIDS: Linux Intrusion Detection System %s %s\n", + LIDS_VERSION, lids_load =3D=3D 1 ? "started" : "not started"); =20 return err; } Modified: lids/trunk/security/lids/lids_logs.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/lids_logs.c (original) +++ lids/trunk/security/lids/lids_logs.c Thu Apr 20 21:46:19 2006 @@ -29,27 +29,25 @@ * * This routine returns the name of tty. */ -static char * -_lids_tty_make_name(struct tty_struct *tty, const char *name, char *buf) +static char *_lids_tty_make_name(struct tty_struct *tty, const char *name, + char *buf) { =20 if (!tty) /* Hmm. NULL pointer. That's fun. */ - strncpy(buf, "NULL tty",64); + strncpy(buf, "NULL tty", 64); else snprintf(buf, 64, name, tty->name); =20 return buf; } =20 -char * -lids_tty_name(struct tty_struct *tty, char *buf) +char *lids_tty_name(struct tty_struct *tty, char *buf) { return _lids_tty_make_name(tty, (tty) ? tty->name : NULL, buf); } =20 /* return current dentry */ -static struct dentry * -lids_current_dentry(void) +static struct dentry *lids_current_dentry(void) { struct dentry *f_dentry =3D NULL; struct vm_area_struct *vma; 
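Review bot: In lids_logs.c, `snprintf(buf, 64, name, tty->name);` in _lids_tty_make_name uses `name` as the format string, and the only caller shown, lids_tty_name, passes `tty->name` for it — so the tty's own name is interpreted as a format, and any `%` in it would be expanded (this is the pattern -Wformat-security warns about). tty names come from the driver rather than from a user, so the exposure is small, but the fix is trivial: `snprintf(buf, 64, "%s", tty->name);`, after which the `name` parameter is redundant and can be dropped from both functions.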
@@ -67,8 +65,7 @@ return f_dentry; } =20 -void -lids_log(int flood, const char *message, ...) +void lids_log(int flood, const char *message, ...) { va_list args; char ttyname[64]; @@ -125,8 +122,7 @@ } =20 /* sent out message */ -void -lids_alert(int type, long dst, long dst2, char *name, char *action) +void lids_alert(int type, long dst, long dst2, char *name, char *action) { struct dentry *f_dentry; =20 Modified: lids/trunk/security/lids/lids_lsm.c =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/lids_lsm.c (original) +++ lids/trunk/security/lids/lids_lsm.c Thu Apr 20 21:46:19 2006 @@ -31,8 +31,7 @@ =20 struct security_operations *lids_secondary_ops; =20 -static int -lids_ptrace(struct task_struct *parent, struct task_struct *child) +static int lids_ptrace(struct task_struct *parent, struct task_struct *chi= ld) { if (lids_load && lids_local_load) { if (lids_check_capable(parent, CAP_SYS_PTRACE, 1)) { 
@@ -45,19 +44,19 @@ } =20 /* from security/commoncap.c */ -int lids_capget (struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) +int lids_capget(struct task_struct *target, kernel_cap_t * effective, + kernel_cap_t * inheritable, kernel_cap_t * permitted) { /* Derived from kernel/capability.c:sys_capget. */ - *effective =3D cap_t (target->cap_effective); - *inheritable =3D cap_t (target->cap_inheritable); - *permitted =3D cap_t (target->cap_permitted); + *effective =3D cap_t(target->cap_effective); + *inheritable =3D cap_t(target->cap_inheritable); + *permitted =3D cap_t(target->cap_permitted); return 0; } =20 /* from security/commoncap.c */ -void lids_capset_set (struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) +void lids_capset_set(struct task_struct *target, kernel_cap_t * effective, + kernel_cap_t * inheritable, kernel_cap_t * permitted) { target->cap_effective =3D *effective; target->cap_inheritable =3D *inheritable; @@ -65,8 +64,8 @@ } =20 /* derived from security/commoncap.c */ -int lids_capset_check (struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) +int lids_capset_check(struct task_struct *target, kernel_cap_t * effective, + kernel_cap_t * inheritable, kernel_cap_t * permitted) { if (lids_load && lids_local_load) { if (lids_check_capable(target, CAP_SETPCAP, 1)) { 
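Review bot: Lindent rewrote the prototypes of lids_capget, lids_capset_set and lids_capset_check as `kernel_cap_t * effective, kernel_cap_t * inheritable, kernel_cap_t * permitted`, with a space on both sides of the `*`, because indent does not know `kernel_cap_t` is a typedef and treats the declarator as a multiplication. Kernel style binds the star to the identifier, `kernel_cap_t *effective`; either fix these by hand or run the tool with the typedef declared (indent's `-T kernel_cap_t`) so the next reformat does not reintroduce it.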
@@ -77,51 +76,53 @@ } /* Derived from kernel/capability.c:sys_capset. */ /* verify restrictions on target's new Inheritable set */ - if (!cap_issubset (*inheritable, - cap_combine (target->cap_inheritable, - current->cap_permitted))) { - if(lids_check_capset(target, *inheritable,=20 - cap_combine (target->cap_inheritable, - current->cap_permitted))) { - lids_security_alert("capset_check inheritable error, 0x%x, 0x%x", - *inheritable, cap_combine(target->cap_inheritable,=20 - current->cap_permitted)) ; + if (!cap_issubset(*inheritable, + cap_combine(target->cap_inheritable, + current->cap_permitted))) { + if (lids_check_capset(target, *inheritable, + cap_combine(target->cap_inheritable, + current->cap_permitted))) { + lids_security_alert + ("capset_check inheritable error, 0x%x, 0x%x", + *inheritable, cap_combine(target->cap_inheritable, + current->cap_permitted)); return -EPERM; } } =20 /* verify restrictions on target's new Permitted set */ - if (!cap_issubset (*permitted, - cap_combine (target->cap_permitted, - current->cap_permitted))) { - if(lids_check_capset(target, *permitted,=20 - cap_combine (target->cap_permitted, - current->cap_permitted))) { - lids_security_alert("capset_check permitted error, 0x%x, 0x%x", - *permitted, cap_combine(target->cap_permitted,=20 - current->cap_permitted)) ; + if (!cap_issubset(*permitted, + cap_combine(target->cap_permitted, + current->cap_permitted))) { + if (lids_check_capset(target, *permitted, + cap_combine(target->cap_permitted, + current->cap_permitted))) { + lids_security_alert + ("capset_check permitted error, 0x%x, 0x%x", + *permitted, cap_combine(target->cap_permitted, + current->cap_permitted)); return -EPERM; } } =20 /* verify the _new_Effective_ is a subset of the _new_Permitted_ */ - if (!cap_issubset (*effective, *permitted)) { - if(lids_check_capset(target, *effective,=20 - cap_combine (target->cap_effective, - current->cap_permitted))) { - lids_security_alert("capset_check effective error, 0x%x, 0x%x", - 
*effective, *permitted); - return -EPERM; - } - } - - return 0; -} - -static int -lids_capable(struct task_struct *tsk, int cap) -{ - if (cap_raised (tsk->cap_effective, cap))=20 + if (!cap_issubset(*effective, *permitted)) { + if (lids_check_capset(target, *effective, + cap_combine(target->cap_effective, + current->cap_permitted))) { + lids_security_alert + ("capset_check effective error, 0x%x, 0x%x", + *effective, *permitted); + return -EPERM; + } + } + + return 0; +} + +static int lids_capable(struct task_struct *tsk, int cap) +{ + if (cap_raised(tsk->cap_effective, cap)) return 0; =20 if (cap_is_fs_cap(cap) ? tsk->fsuid =3D=3D 0 : tsk->euid =3D=3D 0) { @@ -135,24 +136,24 @@ =20 } =20 -static inline void lids_emulate_setxuid (int old_ruid, int old_euid, +static inline void lids_emulate_setxuid(int old_ruid, int old_euid, int old_suid) { if ((old_ruid =3D=3D 0 || old_euid =3D=3D 0 || old_suid =3D=3D 0) && (current->uid !=3D 0 && current->euid !=3D 0 && current->suid !=3D 0)= && !current->keep_capabilities) { - cap_clear (current->cap_permitted); - cap_clear (current->cap_effective); + cap_clear(current->cap_permitted); + cap_clear(current->cap_effective); } if (old_euid =3D=3D 0 && current->euid !=3D 0) { - cap_clear (current->cap_effective); + cap_clear(current->cap_effective); } if (old_euid !=3D 0 && current->euid =3D=3D 0) { current->cap_effective =3D current->cap_permitted; } } =20 -int lids_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, +int lids_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags) { switch (flags) { @@ -160,8 +161,8 @@ case LSM_SETID_ID: case LSM_SETID_RES: /* Copied from kernel/sys.c:setreuid/setuid/setresuid. */ - if (!issecure (SECURE_NO_SETUID_FIXUP)) { - lids_emulate_setxuid (old_ruid, old_euid, old_suid); + if (!issecure(SECURE_NO_SETUID_FIXUP)) { + lids_emulate_setxuid(old_ruid, old_euid, old_suid); } break; case LSM_SETID_FS: 
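Review bot: In the third block of lids_capset_check the override `lids_check_capset(target, *effective, cap_combine(target->cap_effective, current->cap_permitted))` does not test the bound that just failed: the condition is `cap_issubset(*effective, *permitted)`, yet the set handed to lids_check_capset is built from the old effective and permitted sets, and the alert then prints `*effective, *permitted`, so the logged pair is not what was evaluated. If lids_check_capset compares `a & ~set` against the ACL's sys_cap (as the commented-out line in lids_capset_log suggests), the ACL here only has to cover the excess over the old sets rather than over the new permitted set, which is a looser check than the one being bypassed; using `*permitted` as the set (`lids_check_capset(target, *effective, *permitted)`) would align the override with the rule, or a comment should explain why the old effective set is the reference. The function's opening lines are in the previous hunk.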
@@ -175,14 +176,14 @@ * if not, we might be a bit too harsh here. */ =20 - if (!issecure (SECURE_NO_SETUID_FIXUP)) { + if (!issecure(SECURE_NO_SETUID_FIXUP)) { if (old_fsuid =3D=3D 0 && current->fsuid !=3D 0) { - cap_t (current->cap_effective) &=3D + cap_t(current->cap_effective) &=3D ~CAP_FS_MASK; } if (old_fsuid !=3D 0 && current->fsuid =3D=3D 0) { - cap_t (current->cap_effective) |=3D - (cap_t (current->cap_permitted) & + cap_t(current->cap_effective) |=3D + (cap_t(current->cap_permitted) & CAP_FS_MASK); } } @@ -195,9 +196,7 @@ return 0; } =20 - -static int -lids_bprm_alloc_security(struct linux_binprm *bprm) +static int lids_bprm_alloc_security(struct linux_binprm *bprm) { int rc =3D 0; if (lids_execve(bprm)) @@ -209,26 +208,24 @@ return rc; } =20 -static void -lids_bprm_free_security(struct linux_binprm *bprm) +static void lids_bprm_free_security(struct linux_binprm *bprm) { if (lids_secondary_ops) lids_secondary_ops->bprm_free_security(bprm); return; } =20 -static void -lids_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) +static void lids_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) { kernel_cap_t new_permitted, working; =20 - new_permitted =3D cap_intersect (bprm->cap_permitted, cap_bset); - working =3D cap_intersect (bprm->cap_inheritable, - current->cap_inheritable); - new_permitted =3D cap_combine (new_permitted, working); + new_permitted =3D cap_intersect(bprm->cap_permitted, cap_bset); + working =3D cap_intersect(bprm->cap_inheritable, + current->cap_inheritable); + new_permitted =3D cap_combine(new_permitted, working); =20 if (bprm->e_uid !=3D current->uid || bprm->e_gid !=3D current->gid || - !cap_issubset (new_permitted, current->cap_permitted)) { + !cap_issubset(new_permitted, current->cap_permitted)) { current->mm->dumpable =3D 0; =20 if (unsafe & ~LSM_UNSAFE_PTRACE_CAP) { 
@@ -236,9 +233,10 @@ bprm->e_uid =3D current->uid; bprm->e_gid =3D current->gid; } - if (!capable (CAP_SETPCAP)) { - new_permitted =3D cap_intersect (new_permitted, - current->cap_permitted); + if (!capable(CAP_SETPCAP)) { + new_permitted =3D cap_intersect(new_permitted, + current-> + cap_permitted); } } /* @@ -255,101 +253,95 @@ if (current->pid !=3D 1) { current->cap_permitted =3D new_permitted; current->cap_effective =3D - cap_intersect (new_permitted, bprm->cap_effective); - } - -// current->keep_capabilities =3D 0; + cap_intersect(new_permitted, bprm->cap_effective); + } +// current->keep_capabilities =3D 0; =20 if (lids_secondary_ops) - lids_secondary_ops->bprm_apply_creds(bprm,unsafe); + lids_secondary_ops->bprm_apply_creds(bprm, unsafe); return; } =20 -static int -lids_bprm_set_security(struct linux_binprm *bprm) +static int lids_bprm_set_security(struct linux_binprm *bprm) { int rc =3D 0; =20 - cap_clear (bprm->cap_inheritable); - cap_clear (bprm->cap_permitted); - cap_clear (bprm->cap_effective); - - if (!issecure (SECURE_NOROOT)) { + cap_clear(bprm->cap_inheritable); + cap_clear(bprm->cap_permitted); + cap_clear(bprm->cap_effective); + + if (!issecure(SECURE_NOROOT)) { if (bprm->e_uid =3D=3D 0 || current->uid =3D=3D 0) { - cap_set_full (bprm->cap_inheritable); - cap_set_full (bprm->cap_permitted); + cap_set_full(bprm->cap_inheritable); + cap_set_full(bprm->cap_permitted); } if (bprm->e_uid =3D=3D 0) - cap_set_full (bprm->cap_effective); + cap_set_full(bprm->cap_effective); } if (lids_secondary_ops) rc =3D lids_secondary_ops->bprm_set_security(bprm); =20 return rc; } -static int -lids_bprm_check_security(struct linux_binprm *bprm) +static int lids_bprm_check_security(struct linux_binprm *bprm) { lids_execve_check_envp(bprm); return 0; } =20 #ifndef MODULE -static int __init -lids_load_setup(char *str) +static int __init lids_load_setup(char *str) ... [truncated message content] |
From: <no...@ro...> - 2006-04-20 19:18:54
Author: roedie Date: Thu Apr 20 21:18:45 2006 New Revision: 20 Log: Typos.... Modified: lids/trunk/security/lids/Kconfig Modified: lids/trunk/security/lids/Kconfig =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/Kconfig (original) +++ lids/trunk/security/lids/Kconfig Thu Apr 20 21:18:45 2006 @@ -48,13 +48,13 @@ Note: You must set a password with 'lidsadm -P' =20 config LIDS_ALLOW_LFS - bool "Allow switch to a Linux Free Session" + bool "Allow switch to a LIDS Free Session" depends on LIDS_ALLOW_SWITCH default y help This option adds the ability to create a LIDS Free Session (LFS).= When - inside an LFS the ACL's you have created won't affect you. You can use - an LFS to do administrative work. You cannot create more than one LFS + inside a LFS, the ACL's you have created won't affect you. You can use + the LFS to do administrative work. You cannot create more than one LFS at a time. =20 Saying no increases security but disables the ability to do system @@ -65,7 +65,7 @@ depends on LIDS && LIDS_ALLOW_SWITCH default n help - If you enable this option, creating an LFS and switching states will + If you enable this option, creating a LFS and switching states will only be allowed from specified terminal types. =20 config LIDS_MODE_SWITCH_CONSOLE |
From: <no...@ro...> - 2006-04-20 19:13:14
Author: roedie Date: Thu Apr 20 21:12:59 2006 New Revision: 19 Log: Kernel help updates. Modified: lids/trunk/security/lids/Kconfig Modified: lids/trunk/security/lids/Kconfig =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lids/trunk/security/lids/Kconfig (original) +++ lids/trunk/security/lids/Kconfig Thu Apr 20 21:12:59 2006 
@@ -8,30 +8,21 @@ config LIDS tristate "Linux Intrusion Detection System support (EXPERIMENTAL)" help - LIDS - Linux Intrusion Detection System can let you protect - your linux kernel. + This enables the Linux Intrusion Detection System. + =20 + LIDS enhances the kernel's security by implementing Mandatory + Access Control (MAC). + =20 + You will also need the lidstools utilities to be able to edit your + LIDS ACL's. The lidstools can obtained from <http://www.lids.org/>. =20 - In order to use LIDS, you need to download the lidstools first - from http://www.lids.org/ + Help with LIDS can be found at: + <http://www.lids.org/maillist.html> + <http://wiki.lids.org/> + <http://forum.lids.org/> =20 - Please read help provided with each option carefully. At the end - of each option we indicate what answer will increase security. - Be aware that security always has side effects, and some - programs could break. - - If you have any questions about LIDS, mail to the authors : - Huagang Xie ( xi...@ww...) - Philippe.biondi (phi...@we...) - - or visit lids home , - http://www.lids.org/ - =20 - And you can get help from the LIDS Mailing list at - http://www.lids.org/maillist.html - - If your want to make LIDS as module, say "M" here , or if you - want to build it into the kernel, say "Y" here. otherwise, - say "N". + To compile LIDS as a module, choose M here: the module will be c= alled + lids.ko. To compile LIDS into the kernel say Y here. Otherwise say N. =20 comment "LIDS Options" depends on LIDS 
@@ -44,55 +35,57 @@ If you say Yes here, LIDS will try not to flood logs with the same message repeated a lot of times. =20 - Saying yes will increase security. + Saying Yes will increase security. =20 config LIDS_ALLOW_SWITCH - bool "Allow switching the LFS and States" + bool "Allow state switching" depends on LIDS && PROC_FS && CRYPTO_SHA256 default y help - If you say Yes here, you will enable the switch the LIDS between states + If you say Yes here you will be able to switch LIDS to the=20 + BOOT, POSTBOOT and SHUTDOWN states. + =20 Note: You must set a password with 'lidsadm -P' =20 config LIDS_ALLOW_LFS - bool "Allow switch the Linux Free Session" + bool "Allow switch to a Linux Free Session" depends on LIDS_ALLOW_SWITCH default y help - If you say Yes here, you will enable the possibility to switch LIDS on a= nd off. =20 - - You can turn LIDS off only on current console by=20 - lidsadm -S -- -LIDS=20 - or globally off by=20 - lidsadm -S -- -LIDS_GLOBAL=20 - by enable this option. =20 + This option adds the ability to create a LIDS Free Session (LFS).= When + inside an LFS the ACL's you have created won't affect you. You can use + an LFS to do administrative work. You cannot create more than one LFS + at a time. =20 - Saying no increases security. + Saying no increases security but disables the ability to do system + administration on a system running a kernel with LIDS active. =20 config LIDS_RESTRICT_MODE_SWITCH bool "Restrict mode switching to specified terminals" depends on LIDS && LIDS_ALLOW_SWITCH default n help - If you enable this option, mode switching will be only allowed - from specified terminal types. + If you enable this option, creating an LFS and switching states will + only be allowed from specified terminal types. =20 config LIDS_MODE_SWITCH_CONSOLE bool "Allow mode switching from a Linux Console" depends on LIDS && LIDS_RESTRICT_MODE_SWITCH default y help - Allow mode switching from a Linux Console. 
+ Allow LFS creation and state switching from a Linux Console. =20 config LIDS_MODE_SWITCH_SERIAL bool "Allow mode switching from a serial Console" depends on LIDS && LIDS_RESTRICT_MODE_SWITCH + default y help - Allow mode switching from a serial Console. + Allow LFS creation and state switching from a serial Console. =20 config LIDS_MODE_SWITCH_PTY bool "Allow mode switching from a PTY" depends on LIDS && LIDS_RESTRICT_MODE_SWITCH + default y help - Allow mode switching from a PTY.=20 + Allow LFS creation and state switching from a PTY.=20 endmenu |
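Review bot: The two `default y` lines added to LIDS_MODE_SWITCH_SERIAL and LIDS_MODE_SWITCH_PTY are a policy change that the log message ("Kernel help updates.") does not mention; with LIDS_MODE_SWITCH_CONSOLE already `default y`, a builder who enables LIDS_RESTRICT_MODE_SWITCH now gets switching permitted from every terminal type unless they turn options off, which makes the restriction a no-op on a default configuration. Keeping LIDS_MODE_SWITCH_PTY at `default n` would preserve the point of the restriction — a PTY is the terminal a remote or scripted session holds — and a default change like this deserves its own commit with a message that says so.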
From: <no...@ro...> - 2006-03-14 21:43:36
Author: roedie Date: Tue Mar 14 22:43:27 2006 New Revision: 18 Log: Not much time for large updates, but we'll get there. Modified: lidstools/branches/roedie-doc/src/lidsconf.8 lidstools/branches/roedie-doc/src/lidsconf.8.xml Modified: lidstools/branches/roedie-doc/src/lidsconf.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsconf.8 (original) +++ lidstools/branches/roedie-doc/src/lidsconf.8 Tue Mar 14 22:43:27 2006 
@@ -39,13 +39,12 @@ ACL is short for "Access Control List". The ACL's in LIDS define how a sub= ject can access an object. The subject can be any program or file on the sy= stem. The object can be a file, directory, or a special option (capability,= MEM devices, RAW IO, a HIDDEN process, etc). The target defines the access= type that the subject has on the object. =2ETP=20 The synopsis of an ACL is -\fI[\-s subject] [\-i inheritance] \-o object \-j TARGET\fR +\fI[STATE] [\-s subject] [\-i inheritance] \-o object \-j TARGET\fR =2ETP=20 -When a subject is not specified, the ACL defines the object's default acce= ss. -state can be "BOOT","POSTBOOT", "SHUTDOWN" or blank which refers to the di= fferent ACL states LIDS supports. If you do not provide a state the default= value is "GLOBAL" which will apply to all states. The rules which are defi= ned in BOOT, POSTBOOT or SHUTDOWN states take precedense over rules defined= in the GLOBAL state. +The 'STATE' can be "BOOT","POSTBOOT", "SHUTDOWN" or blank which refers to = the different ACL states LIDS supports. If you do not provide a state the d= efault value is "GLOBAL" which will apply to all states. The rules which ar= e defined in BOOT, POSTBOOT or SHUTDOWN states take precedense over rules d= efined in the GLOBAL state. =2ETP=20 \fB\-s subject\fR=20 -A subject can be any program on the system, such as "/bin/login". +A subject can be any program on the system, such as "/bin/login". When a s= ubject is not specified, the ACL defines the object's default access. =2ETP=20 \fB\-o object [ports]\fR=20 An object can be a file, directory, or a capability (CAP_SYS_RAWIO, CAP_MO= DULE etc). If the object is CAP_NET_BIND_SERVICE, you must specify the port= range. For example, "20\-299,400\-1002". 
@@ -64,29 +63,29 @@ These options specify the action to perform. Only one command can be given= on the commandline unless otherwise specified. =2ETP=20 -\fB\-A, \-\-add [state]\fR=20 +\fB\-A, \-\-add [STATE]\fR=20 Add one or more rules to the end of the selected state chain. =2ETP=20 \fB\-C, \-\-check\fR=20 Check your LIDS rules and have them compiled. The output of this command c= an help in making tighter rules or showing problems with your current ruleb= ase. =2ETP=20 -\fB\-D, \-\-delete [acl_type]\fR=20 -Delete one or more rules from the selected acl_type. +\fB\-D, \-\-delete [STATE]\fR=20 +Delete one or more rules from the selected state. =2ETP=20 -\fB\-Z, \-\-zero [acl_type]\fR=20 -Delete all acl's from the selected acl_type. If no acl_type is given then = the rules from the GLOBAL acl_type are deleted. +\fB\-Z, \-\-zero [STATE]\fR=20 +Delete all acl's from the selected state. If no state is given then the ru= les from the GLOBAL state are deleted. =2ETP=20 \fB\-U, \-\-update\fR=20 -Update your acl's. If you change or move a file or directory, it's inode w= ill change. You the need to update your lids config with this command +Update your acl's. If you change or move a file or directory, it's inode w= ill change. You the need to update your lids config with this command. Afte= r updating you most likely also want to reload your configuration with the = lidsadm tool. =2ETP=20 -\fB\-L, \-\-list [acl_type]\fR=20 -List the acl's in the selected acl_type. +\fB\-L, \-\-list [STATE]\fR=20 +List the acl's in the selected state. =2ETP=20 \fB\-P, \-\-passwd\fR=20 -Set a new LIDS password. +Set a new LIDS password. You need the password for lots of administrative = tasks. =2ETP=20 -\fB\-S, \-\-script\fR=20 -Write out a script to set your acl's. +\fB\-S, \-\-script [STATE]\fR=20 +Write out a script to set your acl's for the given state. =2ETP=20 \fB\-v, \-\-version\fR=20 Show the lidsconf version. 
@@ -97,103 +96,9 @@ \fB\-H, \-\-morehelp\fR=20 Show more help options. =2ESH "AVAILABLE CAPABILITIES" -The capabilities used in LIDS are shown below. You can use the name to ena= ble or disable the capability when sealing and switching. You can also gran= t the capability to a program even if the capability is disabled globally o= n the system. -=2ETP=20 -\fICAP_CHOWN\fR=20 -chown(2)/chgrp(2) -=2ETP=20 -\fICAP_DAC_OVERRIDE\fR=20 -DAC access. -=2ETP=20 -\fICAP_DAC_READ_SEARCH\fR=20 -DAC read. -=2ETP=20 -\fICAP_FOWNER\fR=20 -Owner ID not equal user ID. -=2ETP=20 -\fICAP_FSETID\fR=20 -Effective user ID not equal owner ID. -=2ETP=20 -\fICAP_KILL\fR=20 -Real/effective ID not equal process ID. -=2ETP=20 -\fICAP_SETGID\fR=20 -setgid(2) -=2ETP=20 -\fICAP_SETUID\fR=20 -set*uid(2) -=2ETP=20 -\fICAP_SETPCAP\fR=20 -Transfer capability. -=2ETP=20 -\fICAP_LINUX_IMMUTABLE\fR=20 -Immutable and append file attributes. -=2ETP=20 -\fICAP_NET_BIND_SERVICE\fR=20 -Binding to ports below 1024. -=2ETP=20 -\fICAP_NET_BROADCAST\fR=20 -Broadcasting/listening to multicast. -=2ETP=20 -\fICAP_NET_ADMIN\fR=20 -Interface/firewall/routing changes. -=2ETP=20 -\fICAP_NET_RAW\fR=20 -Raw sockets (ping). -=2ETP=20 -\fICAP_IPC_LOCK\fR=20 -Locking of shared memory segments. -=2ETP=20 -\fICAP_IPC_OWNER\fR=20 -IPC ownership checks. -=2ETP=20 -\fICAP_SYS_MODULE\fR=20 -Insertion and removal of kernel modules. -=2ETP=20 -\fICAP_SYS_RAWIO\fR=20 -ioperm(2)/iopl(2) access -=2ETP=20 -\fICAP_SYS_CHROOT\fR=20 -chroot(2) -=2ETP=20 -\fICAP_SYS_PTRACE\fR=20 -ptrace(2) -=2ETP=20 -\fICAP_SYS_PACCT\fR=20 -Configuration of process accounting. -=2ETP=20 -\fICAP_SYS_ADMIN\fR=20 -Tons of admin stuff. -=2ETP=20 -\fICAP_SYS_BOOT\fR=20 -reboot(2) -=2ETP=20 -\fICAP_SYS_NICE\fR=20 -nice(2) -=2ETP=20 -\fICAP_SYS_RESOURCE\fR=20 -Setting resource limits. -=2ETP=20 -\fICAP_SYS_TIME\fR=20 -Setting system time. -=2ETP=20 -\fICAP_SYS_TTY_CONFIG\fR=20 -TTY configuration. 
-=2ETP=20 -\fICAP_MKNOD\fR=20 -Allow the privileged aspects of mknod(). -=2ETP=20 -\fICAP_LEASE\fR=20 -Allow taking of leases on files. -=2ETP=20 -\fICAP_HIDDEN\fR=20 -Make a program hidden from the entire system. -=2ETP=20 -\fICAP_KILL_PROTECTED\fR=20 -Allow/disallow a process to kill protected processes. -=2ETP=20 -\fICAP_PROTECTED\fR=20 -Protect the process from signals. +There are a lot of capabilities. You can use the capability name to enable= or disable the capability when sealing and switching. You can also grant t= he capability to a program even if the capability is disabled globally on t= he system. This way you can deny a capability and only make it available to= a program that really needs it. +=2EPP +A list of available capabilities with their descriptions can be fount in t= he /etc/lids/lids.cap file. =2ESH EXAMPLES Here are some examples of using lidsconf. They range from simple/normal to= a little more complex/esoteric. Note that actual file names are used to ma= ke things more concrete. In their place you should substitute file/director= ies from \fIyour own system.\fR Modified: lidstools/branches/roedie-doc/src/lidsconf.8.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsconf.8.xml (original) +++ lidstools/branches/roedie-doc/src/lidsconf.8.xml Tue Mar 14 22:43:27 20= 06 
@@ -85,14 +85,13 @@ <term>The synopsis of an ACL is</term> <listitem> <para> - <emphasis remap=3D"B">[-s subject] [-i inheritance] -o object -j TAR= GET</emphasis> + <emphasis remap=3D"B">[STATE] [-s subject] [-i inheritance] -o objec= t -j TARGET</emphasis> </para> </listitem> </varlistentry> <varlistentry> - <term>When a subject is not specified, the ACL defines the object's de= fault access.</term> - <listitem> - <para>state can be "BOOT","POSTBOOT", "SHUTDOWN" or blank which refer= s to the different ACL states LIDS supports. If you do not provide a state = the default value is "GLOBAL" which will apply to all states. The rules whi= ch are defined in BOOT, POSTBOOT or SHUTDOWN states take precedense over ru= les defined in the GLOBAL state.</para> + <listitem> + <para>The 'STATE' can be "BOOT","POSTBOOT", "SHUTDOWN" or blank which= refers to the different ACL states LIDS supports. If you do not provide a = state the default value is "GLOBAL" which will apply to all states. The rul= es which are defined in BOOT, POSTBOOT or SHUTDOWN states take precedense o= ver rules defined in the GLOBAL state.</para> </listitem> </varlistentry> <varlistentry> @@ -100,7 +99,7 @@ <option>-s subject</option> </term> <listitem> - <para>A subject can be any program on the system, such as "/bin/login= "=2E</para> + <para>A subject can be any program on the system, such as "/bin/login= "=2E When a subject is not specified, the ACL defines the object's default = access.</para> </listitem> </varlistentry> <varlistentry> @@ -141,7 +140,7 @@ <variablelist remap=3D"TP"> <varlistentry> <term> - <option>-A, --add [state]</option> + <option>-A, --add [STATE]</option> </term> <listitem> <para>Add one or more rules to the end of the selected state chain.</= para> 
@@ -157,18 +156,18 @@ </varlistentry> <varlistentry> <term> - <option>-D, --delete [acl_type]</option> - </term> - <listitem> - <para>Delete one or more rules from the selected acl_type.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>-Z, --zero [acl_type]</option> - </term> - <listitem> - <para>Delete all acl's from the selected acl_type. If no acl_type is = given then the rules from the GLOBAL acl_type are deleted.</para> + <option>-D, --delete [STATE]</option> + </term> + <listitem> + <para>Delete one or more rules from the selected state.</para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-Z, --zero [STATE]</option> + </term> + <listitem> + <para>Delete all acl's from the selected state. If no state is given = then the rules from the GLOBAL state are deleted.</para> </listitem> </varlistentry> <varlistentry> @@ -176,15 +175,15 @@ <option>-U, --update</option> </term> <listitem> - <para>Update your acl's. If you change or move a file or directory, i= t's inode will change. You the need to update your lids config with this co= mmand</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>-L, --list [acl_type]</option> - </term> - <listitem> - <para>List the acl's in the selected acl_type.</para> + <para>Update your acl's. If you change or move a file or directory, i= t's inode will change. You the need to update your lids config with this co= mmand. After updating you most likely also want to reload your configuratio= n with the lidsadm tool.</para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-L, --list [STATE]</option> + </term> + <listitem> + <para>List the acl's in the selected state.</para> </listitem> </varlistentry> <varlistentry> 
@@ -192,15 +191,15 @@ <option>-P, --passwd</option> </term> <listitem> - <para>Set a new LIDS password.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>-S, --script</option> - </term> - <listitem> - <para>Write out a script to set your acl's.</para> + <para>Set a new LIDS password. You need the password for lots of admi= nistrative tasks.</para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-S, --script [STATE]</option> + </term> + <listitem> + <para>Write out a script to set your acl's for the given state.</para> </listitem> </varlistentry> <varlistentry> 
@@ -231,265 +230,8 @@ </refsect1> <refsect1 id=3D"available_capabilities"> <title>Available capabilities</title> - <para>The capabilities used in LIDS are shown below. You can use the nam= e to enable or disable the capability when sealing and switching. You can a= lso grant the capability to a program even if the capability is disabled gl= obally on the system.</para> - <variablelist remap=3D"TP"> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_CHOWN</emphasis> - </term> - <listitem> - <para>chown(2)/chgrp(2)</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_DAC_OVERRIDE</emphasis> - </term> - <listitem> - <para>DAC access.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_DAC_READ_SEARCH</emphasis> - </term> - <listitem> - <para>DAC read.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_FOWNER</emphasis> - </term> - <listitem> - <para>Owner ID not equal user ID.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_FSETID</emphasis> - </term> - <listitem> - <para>Effective user ID not equal owner ID.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_KILL</emphasis> - </term> - <listitem> - <para>Real/effective ID not equal process ID.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SETGID</emphasis> - </term> - <listitem> - <para>setgid(2)</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SETUID</emphasis> - </term> - <listitem> - <para>set*uid(2)</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SETPCAP</emphasis> - </term> - <listitem> - <para>Transfer capability.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_LINUX_IMMUTABLE</emphasis> - </term> - <listitem> - 
<para>Immutable and append file attributes.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_NET_BIND_SERVICE</emphasis> - </term> - <listitem> - <para>Binding to ports below 1024.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_NET_BROADCAST</emphasis> - </term> - <listitem> - <para>Broadcasting/listening to multicast.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_NET_ADMIN</emphasis> - </term> - <listitem> - <para>Interface/firewall/routing changes.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_NET_RAW</emphasis> - </term> - <listitem> - <para>Raw sockets (ping).</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_IPC_LOCK</emphasis> - </term> - <listitem> - <para>Locking of shared memory segments.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_IPC_OWNER</emphasis> - </term> - <listitem> - <para>IPC ownership checks.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_MODULE</emphasis> - </term> - <listitem> - <para>Insertion and removal of kernel modules.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_RAWIO</emphasis> - </term> - <listitem> - <para>ioperm(2)/iopl(2) access</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_CHROOT</emphasis> - </term> - <listitem> - <para>chroot(2)</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_PTRACE</emphasis> - </term> - <listitem> - <para>ptrace(2)</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_PACCT</emphasis> - </term> - <listitem> - <para>Configuration of process accounting.</para> - </listitem> - </varlistentry> - 
<varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_ADMIN</emphasis> - </term> - <listitem> - <para>Tons of admin stuff.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_BOOT</emphasis> - </term> - <listitem> - <para>reboot(2)</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_NICE</emphasis> - </term> - <listitem> - <para>nice(2)</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_RESOURCE</emphasis> - </term> - <listitem> - <para>Setting resource limits.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_TIME</emphasis> - </term> - <listitem> - <para>Setting system time.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_SYS_TTY_CONFIG</emphasis> - </term> - <listitem> - <para>TTY configuration.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_MKNOD</emphasis> - </term> - <listitem> - <para>Allow the privileged aspects of mknod().</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_LEASE</emphasis> - </term> - <listitem> - <para>Allow taking of leases on files.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_HIDDEN</emphasis> - </term> - <listitem> - <para>Make a program hidden from the entire system.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_KILL_PROTECTED</emphasis> - </term> - <listitem> - <para>Allow/disallow a process to kill protected processes.</para> - </listitem> - </varlistentry> - <varlistentry> - <term> - <emphasis remap=3D"B">CAP_PROTECTED</emphasis> - </term> - <listitem> - <para>Protect the process from signals.</para> - </listitem> - </varlistentry> - </variablelist> + <para>There are a lot of capabilities. 
You can use the capability name t= o enable or disable the capability when sealing and switching. You can also= grant the capability to a program even if the capability is disabled globa= lly on the system. This way you can deny a capability and only make it avai= lable to a program that really needs it.</para> + <para>A list of available capabilities with their descriptions can be fo= unt in the /etc/lids/lids.cap file.</para> </refsect1> <refsect1 id=3D"examples"> <title>EXAMPLES</title> |
From: <no...@ro...> - 2006-03-14 00:10:52
Author: roedie Date: Tue Mar 14 01:10:45 2006 New Revision: 17 Log: More documentation updates. Modified: lidstools/branches/roedie-doc/src/lidsconf.8 lidstools/branches/roedie-doc/src/lidsconf.8.xml Modified: lidstools/branches/roedie-doc/src/lidsconf.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsconf.8 (original) +++ lidstools/branches/roedie-doc/src/lidsconf.8 Tue Mar 14 01:10:45 2006 @@ -3,19 +3,19 @@ lidsconf \- A configuration tool for the Linux Intrusion Detection System =2ESH SYNOPSIS \fBlidsconf\fR [\-A | D] [ -\fBacl_type\fR +\fBSTATE\fR ] [\-s \fBsubject\fR] \-o \fBobject\fR [\-i \fBlevel\fR] \-j \fBACTION\fR=20 =2EPP \fBlidsconf\fR \-C=20 =2EPP \fBlidsconf\fR \-Z|S [ -\fBacl_type\fR +\fBSTATE\fR ] =2EPP \fBlidsconf\fR \-U=20 =2EPP \fBlidsconf\fR \-L [ -\fBacl_type\fR +\fBSTATE\fR ] [\-e ] =2EPP \fBlidsconf\fR \-P=20 
@@ -36,36 +36,36 @@ lidsconf is used to configure the access restriction information for LIDS. All info= rmation is stored in "/etc/lids/lids.conf","/etc/lids/lids.boot.conf","/etc= /lids/lids.postboot.conf","/etc/lids/lids.shutdown.conf" based on the ACL t= ype. When you are done configuring you need to compile you rules to make .a= cl files which are read by LIDS. =2ESH "OPTIONS (ACL'S)" -ACL is short for "Access Control List". The ACL in LIDS defines how a subj= ect can access an object. The subject can be any program file on the system= . The object can be a file, directory, or a special option (MEM devices, RA= W IO, a HIDDEN process, etc). The target defines the access type that the s= ubject has on the object. -=2ETP=20 -The synopsis of the ACL is -\fI[\-s subject] [\-i TTL] \-o object \-j TARGET\fR -=2ETP=20 -When a subject is not specified, the ACL defines the object's default acce= ss., \fIacl_type\fR=20 -acl_type can be "BOOT","POSTBOOT", "SHUTDOWN" or blank which refers to dif= ferent acl states, if you do not provide an acl_type the default value is "= GLOBAL" which will apply for all states. For more information on the LIDS S= TATEFUL ACL, please check the FAQ under the doc directory. +ACL is short for "Access Control List". The ACL's in LIDS define how a sub= ject can access an object. The subject can be any program or file on the sy= stem. The object can be a file, directory, or a special option (capability,= MEM devices, RAW IO, a HIDDEN process, etc). The target defines the access= type that the subject has on the object. +=2ETP=20 +The synopsis of an ACL is +\fI[\-s subject] [\-i inheritance] \-o object \-j TARGET\fR +=2ETP=20 +When a subject is not specified, the ACL defines the object's default acce= ss. +state can be "BOOT","POSTBOOT", "SHUTDOWN" or blank which refers to the di= fferent ACL states LIDS supports. If you do not provide a state the default= value is "GLOBAL" which will apply to all states. 
The rules which are defi= ned in BOOT, POSTBOOT or SHUTDOWN states take precedense over rules defined= in the GLOBAL state. =2ETP=20 \fB\-s subject\fR=20 A subject can be any program on the system, such as "/bin/login". =2ETP=20 -\fB\-o object [portscale]\fR=20 -An object can be a file, directory, or a special option (CAP_SYS_RAWIO, CA= P_HIDDEN, CAP_INIT_KILL, etc). If the object is CAP_NET_BIND_SERVICE, you m= ust specify the port range. For example, "20\-299,400\-1002". -=2ETP=20 -\fB\-i <inheritance level>\fR=20 +\fB\-o object [ports]\fR=20 +An object can be a file, directory, or a capability (CAP_SYS_RAWIO, CAP_MO= DULE etc). If the object is CAP_NET_BIND_SERVICE, you must specify the port= range. For example, "20\-299,400\-1002". +=2ETP=20 +\fB\-i [inheritance level]\fR=20 This specifies that the ACL is inheritable by the subject's children. The=20 \fIinheritance level\fR -affects how far the ACL is inherited. An inheritance level of "\-1" means=20 +affects how deep the ACL is inherited. An inheritance level of "\-1" means=20 \fIunlimited\fR -inheritance. An inheritance level of 1 means that a child process spawned = by the parent which is not the same program as the parent will inherit the = ACL, but a child process spawned from the child (i.e. a grandchild of the o= rignal process) won't. -The Inheritance level will only affect the children which are not the same= program as its parent. If the child is the same program as the parent, it = will gain all the permission from its parent. +inheritance. An inheritance level of 1 means that a child process spawned = by the parent which is not the same program as the parent will inherit the = ACL, but a child process spawned from the child (i.e. a grandchild of the o= rignal process) will not inherit anything. +The Inheritance level will only affect the children which are not the same= program as its parent. If the child is the same program as the parent, it = will get all the permission from its parent. 
=2ETP=20 \fB\-j target\fR=20 -The target can be DENY, READ, APPEND, WRITE, or IGNORE for normal file acc= ess ACLs. For a special object, the target can only be GRANT. +The target can be DENY, READONLY, APPEND, WRITE, or IGNORE for normal file= access ACLs. For a special object (CAP_SYS_RAWIO etc), the target can only= be GRANT. =2ESH COMMANDS These options specify the action to perform. Only one command can be given= on the commandline unless otherwise specified. =2ETP=20 -\fB\-A, \-\-add [acl_type]\fR=20 -Add one or more rules to the end of the selected acl_type chain. +\fB\-A, \-\-add [state]\fR=20 +Add one or more rules to the end of the selected state chain. =2ETP=20 \fB\-C, \-\-check\fR=20 Check your LIDS rules and have them compiled. The output of this command c= an help in making tighter rules or showing problems with your current ruleb= ase. Modified: lidstools/branches/roedie-doc/src/lidsconf.8.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsconf.8.xml (original) +++ lidstools/branches/roedie-doc/src/lidsconf.8.xml Tue Mar 14 01:10:45 20= 06 @@ -19,7 +19,7 @@ <arg choide=3D"plain">D</arg> </group> <arg choice=3D"opt"> - <replaceable>acl_type</replaceable> + <replaceable>STATE</replaceable> </arg> <arg choice=3D"opt">-s <replaceable>subject</replaceable></arg> <arg choice=3D"plain">-o <replaceable>object</replaceable></arg> @@ -34,7 +34,7 @@ <command>lidsconf</command> <arg choice=3D"plain">-Z|S </arg> <arg choice=3D"opt"> - <replaceable>acl_type</replaceable> + <replaceable>STATE</replaceable> </arg> </cmdsynopsis> <cmdsynopsis> 
@@ -45,7 +45,7 @@ <command>lidsconf</command> <arg choice=3D"plain">-L </arg> <arg choice=3D"opt"> - <replaceable>acl_type</replaceable> + <replaceable>STATE</replaceable> </arg> <arg choice=3D"opt">-e </arg> </cmdsynopsis> 
@@ -79,23 +79,20 @@ </refsect1> <refsect1 id=3D"options"> <title>Options (ACL's)</title> - <para>ACL is short for "Access Control List". The ACL in LIDS defines ho= w a subject can access an object. The subject can be any program file on th= e system. The object can be a file, directory, or a special option (MEM dev= ices, RAW IO, a HIDDEN process, etc). The target defines the access type th= at the subject has on the object.</para> + <para>ACL is short for "Access Control List". The ACL's in LIDS define h= ow a subject can access an object. The subject can be any program or file o= n the system. The object can be a file, directory, or a special option (cap= ability, MEM devices, RAW IO, a HIDDEN process, etc). The target defines th= e access type that the subject has on the object.</para> <variablelist remap=3D"TP"> <varlistentry> - <term>The synopsis of the ACL is</term> + <term>The synopsis of an ACL is</term> <listitem> <para> - <emphasis remap=3D"B">[-s subject] [-i TTL] -o object -j TARGET</emp= hasis> + <emphasis remap=3D"B">[-s subject] [-i inheritance] -o object -j TAR= GET</emphasis> </para> </listitem> </varlistentry> <varlistentry> <term>When a subject is not specified, the ACL defines the object's de= fault access.</term> - <term> - <emphasis remap=3D"B">acl_type</emphasis> - </term> - <listitem> - <para>acl_type can be "BOOT","POSTBOOT", "SHUTDOWN" or blank which re= fers to different acl states, if you do not provide an acl_type the default= value is "GLOBAL" which will apply for all states. For more information on= the LIDS STATEFUL ACL, please check the FAQ under the doc directory.</para> + <listitem> + <para>state can be "BOOT","POSTBOOT", "SHUTDOWN" or blank which refer= s to the different ACL states LIDS supports. If you do not provide a state = the default value is "GLOBAL" which will apply to all states. 
The rules whi= ch are defined in BOOT, POSTBOOT or SHUTDOWN states take precedense over ru= les defined in the GLOBAL state.</para> </listitem> </varlistentry> <varlistentry> 
@@ -108,23 +105,23 @@ </varlistentry> <varlistentry> <term> - <option>-o object [portscale]</option> - </term> - <listitem> - <para>An object can be a file, directory, or a special option (CAP_SY= S_RAWIO, CAP_HIDDEN, CAP_INIT_KILL, etc). If the object is CAP_NET_BIND_SE= RVICE, you must specify the port range. For example, "20-299,400-1002".</pa= ra> - </listitem> - </varlistentry> - <varlistentry> - <term> - <option>-i <inheritance level></option> + <option>-o object [ports]</option> + </term> + <listitem> + <para>An object can be a file, directory, or a capability (CAP_SYS_RA= WIO, CAP_MODULE etc). If the object is CAP_NET_BIND_SERVICE, you must spec= ify the port range. For example, "20-299,400-1002".</para> + </listitem> + </varlistentry> + <varlistentry> + <term> + <option>-i [inheritance level]</option> </term> <listitem> <para>This specifies that the ACL is inheritable by the subject's chi= ldren. The=20 <emphasis remap=3D"B">inheritance level</emphasis> -affects how far the ACL is inherited. An inheritance level of "-1" means=20 +affects how deep the ACL is inherited. An inheritance level of "-1" means=20 <emphasis remap=3D"B">unlimited</emphasis> -inheritance. An inheritance level of 1 means that a child process spawned= by the parent which is not the same program as the parent will inherit the= ACL, but a child process spawned from the child (i.e. a grandchild of the = orignal process) won't. -The Inheritance level will only affect the children which are not the same= program as its parent. If the child is the same program as the parent, it = will gain all the permission from its parent.</para> +inheritance. An inheritance level of 1 means that a child process spawned= by the parent which is not the same program as the parent will inherit the= ACL, but a child process spawned from the child (i.e. a grandchild of the = orignal process) will not inherit anything. 
+The Inheritance level will only affect the children which are not the same= program as its parent. If the child is the same program as the parent, it = will get all the permission from its parent.</para> </listitem> </varlistentry> <varlistentry> @@ -132,7 +129,7 @@ <option>-j target</option> </term> <listitem> - <para>The target can be DENY, READ, APPEND, WRITE, or IGNORE for norm= al file access ACLs. For a special object, the target can only be GRANT.</p= ara> + <para>The target can be DENY, READONLY, APPEND, WRITE, or IGNORE for = normal file access ACLs. For a special object (CAP_SYS_RAWIO etc), the targ= et can only be GRANT.</para> </listitem> </varlistentry> </variablelist> @@ -144,10 +141,10 @@ <variablelist remap=3D"TP"> <varlistentry> <term> - <option>-A, --add [acl_type]</option> - </term> - <listitem> - <para>Add one or more rules to the end of the selected acl_type chain= .</para> + <option>-A, --add [state]</option> + </term> + <listitem> + <para>Add one or more rules to the end of the selected state chain.</= para> </listitem> </varlistentry> <varlistentry> |
From: <no...@ro...> - 2006-03-13 21:22:27
Author: roedie Date: Mon Mar 13 22:22:19 2006 New Revision: 16 Log: Small update. Modified: lidstools/branches/roedie-doc/src/lidsadm.8 lidstools/branches/roedie-doc/src/lidsadm.8.xml lidstools/branches/roedie-doc/src/lidsconf.8 lidstools/branches/roedie-doc/src/lidsconf.8.xml Modified: lidstools/branches/roedie-doc/src/lidsadm.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsadm.8 (original) +++ lidstools/branches/roedie-doc/src/lidsadm.8 Mon Mar 13 22:22:19 2006 
@@ -1,265 +1,223 @@ -=2ETH LIDSADM 8 -=2E\" -=2E\" Man page written by Sander Klein <ro...@ro...> (May 2003) -=2E\" It is based on the original lidsadm page by Steve Bremer. -=2E\" TODO: I will think of something in the end... -=2E\" -=2E\" This program is free software; you can redistribute it and/or modify -=2E\" it under the terms of the GNU General Public License as publishe= d by -=2E\" the Free Software Foundation; either version 2 of the License, or -=2E\" (at your option) any later version. -=2E\" -=2E\" This program is distributed in the hope that it will be useful, -=2E\" but WITHOUT ANY WARRANTY; without even the implied warranty of -=2E\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -=2E\" GNU General Public License for more details. -=2E\" -=2E\" You should have received a copy of the GNU General Public License -=2E\" along with this program; if not, write to the Free Software -=2E\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -=2E\" -=2E\" - +=2ETH lidsadm 8 =20 =2ESH NAME lidsadm \- administration tool for the Linux Intrusion Detection System - =2ESH SYNOPSIS -=2EB "lidsadm -[S|I] -- [+|-][LIDS_FLAG] [...]" -=2Ebr -=2EB "lidsadm -V" -=2Ebr -=2EB "lidsadm -h" - +\fBlidsadm\fR \- [ +\fBS\fR +|=20 +\fBI\fR +] \-\- [ +\fBLIDS_FLAG\fR +]=20 +\fB\&.[..]\fR +=2EPP +\fBlidsadm\fR \-V=20 +=2EPP +\fBlidsadm\fR \-h=20 +=2Esp 1 =2ESH DESCRIPTION -=2EB lidsadm +lidsadm is an adminstration tool for the -=2EI Linux Intrusion Detection System (LIDS). - +\fILinux Intrusion Detection System (LIDS).\fR +=2EPP LIDS is a kernel patch to enhance the current Linux kernel. With LIDS, you= can protect important files, directories, and devices. You can also define= ACLs that restrict the access control on the entire system. For more infor= mation about LIDS, please go to -=2EI http://www.lids.org. - -=2EB lidsadm +\fIhttp://www.lids.org.\fR +=2EPP +lidsadm is used to define ACLs and administer the LIDS protections online. 
- =2ESH COMMANDS -Commands define the individual functions of the lidsadm utility. They can= not be combined. -=2ETP -=2EB -S +Commands define the individual functions of the lidsadm utility. They cann= ot be combined. +=2ETP=20 +\fB\-S\fR=20 Change LIDS protections (requires your LIDS password). -=2ETP -=2EB -I +=2ETP=20 +\fB\-I\fR=20 Changes LIDS protections once without a password. This is used to "seal th= e kernel" and to switch from the BOOT to the POSTBOOT acl_type. -=2ETP -=2EB -V +=2ETP=20 +\fB\-V\fR=20 Lets you view the current state of your LIDS system. (this needs to be bui= lt in during compile time) -=2ETP -=2EB -v +=2ETP=20 +\fB\-v\fR=20 Shows the version of the lidsadm tool. -=2ETP -=2EB -h +=2ETP=20 +\fB\-h\fR=20 List the help. - -=2ESH LIDS_FLAG's -=2ETP -There are many flags you can set. They can be used to set or unset capabil= ities but they can also switch your LIDS system on or off, or to switch int= o different states.=20 - -=2ESH Available capabilities +=2ESH LIDS_FLAG'S +=2ETP=20 +There are many flags you can set. They can be used to set or unset capabil= ities but they can also switch your LIDS system on or off, or to switch int= o different states. +=2ESH "AVAILABLE CAPABILITIES" The capabilities used in LIDS are shown below. You can use the name to ena= ble or disable the capability when sealing and switching. You can also gran= t the capability to a program even if the capability is disabled globally o= n the system. - -=2ETP -=2EB CAP_CHOWN +=2ETP=20 +\fICAP_CHOWN\fR=20 chown(2)/chgrp(2) -=2ETP -=2EB CAP_DAC_OVERRIDE +=2ETP=20 +\fICAP_DAC_OVERRIDE\fR=20 DAC access. -=2ETP -=2EB CAP_DAC_READ_SEARCH +=2ETP=20 +\fICAP_DAC_READ_SEARCH\fR=20 DAC read. -=2ETP -=2EB CAP_FOWNER +=2ETP=20 +\fICAP_FOWNER\fR=20 Owner ID not equal user ID. -=2ETP -=2EB CAP_FSETID +=2ETP=20 +\fICAP_FSETID\fR=20 Effective user ID not equal owner ID. -=2ETP -=2EB CAP_KILL +=2ETP=20 +\fICAP_KILL\fR=20 Real/effective ID not equal process ID. 
-=2ETP -=2EB CAP_SETGID +=2ETP=20 +\fICAP_SETGID\fR=20 setgid(2) -=2ETP -=2EB CAP_SETUID +=2ETP=20 +\fICAP_SETUID\fR=20 set*uid(2) -=2ETP -=2EB CAP_SETPCAP +=2ETP=20 +\fICAP_SETPCAP\fR=20 Transfer capability. -=2ETP -=2EB CAP_LINUX_IMMUTABLE +=2ETP=20 +\fICAP_LINUX_IMMUTABLE\fR=20 Immutable and append file attributes. -=2ETP -=2EB CAP_NET_BIND_SERVICE +=2ETP=20 +\fICAP_NET_BIND_SERVICE\fR=20 Binding to ports below 1024. -=2ETP -=2EB CAP_NET_BROADCAST +=2ETP=20 +\fICAP_NET_BROADCAST\fR=20 Broadcasting/listening to multicast. -=2ETP -=2EB CAP_NET_ADMIN +=2ETP=20 +\fICAP_NET_ADMIN\fR=20 Interface/firewall/routing changes. -=2ETP -=2EB CAP_NET_RAW +=2ETP=20 +\fICAP_NET_RAW\fR=20 Raw sockets (ping). -=2ETP -=2EB CAP_IPC_LOCK +=2ETP=20 +\fICAP_IPC_LOCK\fR=20 Locking of shared memory segments. -=2ETP -=2EB CAP_IPC_OWNER +=2ETP=20 +\fICAP_IPC_OWNER\fR=20 IPC ownership checks. -=2ETP -=2EB CAP_SYS_MODULE +=2ETP=20 +\fICAP_SYS_MODULE\fR=20 Insertion and removal of kernel modules. -=2ETP -=2EB CAP_SYS_RAWIO +=2ETP=20 +\fICAP_SYS_RAWIO\fR=20 ioperm(2)/iopl(2) access -=2ETP -=2EB CAP_SYS_CHROOT +=2ETP=20 +\fICAP_SYS_CHROOT\fR=20 chroot(2) -=2ETP -=2EB CAP_SYS_PTRACE +=2ETP=20 +\fICAP_SYS_PTRACE\fR=20 ptrace(2) -=2ETP -=2EB CAP_SYS_PACCT +=2ETP=20 +\fICAP_SYS_PACCT\fR=20 Configuration of process accounting. -=2ETP -=2EB CAP_SYS_ADMIN +=2ETP=20 +\fICAP_SYS_ADMIN\fR=20 Tons of admin stuff. -=2ETP -=2EB CAP_SYS_BOOT +=2ETP=20 +\fICAP_SYS_BOOT\fR=20 reboot(2) -=2ETP -=2EB CAP_SYS_NICE +=2ETP=20 +\fICAP_SYS_NICE\fR=20 nice(2) -=2ETP -=2EB CAP_SYS_RESOURCE +=2ETP=20 +\fICAP_SYS_RESOURCE\fR=20 Setting resource limits. -=2ETP -=2EB CAP_SYS_TIME +=2ETP=20 +\fICAP_SYS_TIME\fR=20 Setting system time. -=2ETP -=2EB CAP_SYS_TTY_CONFIG +=2ETP=20 +\fICAP_SYS_TTY_CONFIG\fR=20 TTY configuration. -=2ETP -=2EB CAP_MKNOD +=2ETP=20 +\fICAP_MKNOD\fR=20 Allow the privileged aspects of mknod(). -=2ETP -=2EB CAP_LEASE +=2ETP=20 +\fICAP_LEASE\fR=20 Allow taking of leases on files. 
-=2ETP -=2EB CAP_HIDDEN +=2ETP=20 +\fICAP_HIDDEN\fR=20 Make a program hidden from the entire system. -=2ETP -=2EB CAP_KILL_PROTECTED +=2ETP=20 +\fICAP_KILL_PROTECTED\fR=20 Allow/disallow a process to kill protected processes. -=2ETP -=2EB CAP_PROTECTED +=2ETP=20 +\fICAP_PROTECTED\fR=20 Protect the process from signals. - -=2ESH Available FLAGS - -These flags are used with the ADMIN option "-S". -=2ETP -=2EB LIDS_GLOBAL -Enable/disable LIDS system-wide. -=2ETP -=2EB RELOAD_CONF +=2ESH "AVAILABLE FLAGS" +These flags are used with the ADMIN option "\-S". +=2ETP=20 +\fILIDS_GLOBAL\fR=20 +Enable/disable LIDS system\-wide. +=2ETP=20 +\fIRELOAD_CONF\fR=20 Reload config files and inode/dev numbers of special programs. -=2ETP -=2EB LIDS +=2ETP=20 +\fILIDS\fR=20 Enable/disable LIDS locally (the shell & childs). This is known as a LIDS = free session (LFS). -=2ETP -=2EB ACL_DISCOVERY=20 +=2ETP=20 +\fIACL_DISCOVERY\fR=20 Enable/disable LIDS ACL Discovery Mode. When this mode is turned on, if so= mething violates the rules, LIDS will not prevent the action and print out = a rule that you can use in future ACLs.=20 -=2EB SHUTDOWN=20 +\fISHUTDOWN\fR Switch to "SHUTDOWN" State. - - =2ESH EXAMPLES Here are some examples of using lidsadm. -=2ETP -=2EB lidsadm -I +=2ETP=20 +\fBlidsadm \-I\fR=20 Seal the kernel with the default capabilities set in /etc/lids/lids.cap. Y= ou should edit that file by yourself. -=2ETP -=2EB lidsadm -S -- -LIDS +=2ETP=20 +\fBlidsadm \-S \-\- \-LIDS\fR=20 Switch LIDS off in your current terminal session, we recommend you use thi= s=2E -=2ETP -=2EB lidsadm -S -- -LIDS_GLOBAL -Switch LIDS off globally. Your system is no longer protected by LIDS. -=2ETP -=2EB lidsadm -S -- +SHUTDOWN +=2ETP=20 +\fBlidsadm \-S \-\- \-LIDS_GLOBAL\fR=20 +Switch LIDS off globally. Your system is no longer protected by LIDS. +=2ETP=20 +\fBlidsadm \-S \-\- +SHUTDOWN\fR=20 Switch to SHUTDOWN state. 
-=2ETP -=2EB lidsadm -S -- +ACL_DISCOVERY +=2ETP=20 +\fBlidsadm \-S \-\- +ACL_DISCOVERY\fR=20 Turn on the ACL discovery mode. - - -=2ESH OTHER SOURCES OF INFORMATION. -=2ETP=20 -=2EB Mailing List +=2ESH "OTHER SOURCES OF INFORMATION." +=2ETP=20 +\fIMailing List\fR=20 To subscribe, unsubscribe, go to: -=2EI http://lists.sourceforge.net/lists/listinfo/lids-user -=2Ebr -To post a message to the list, send an e-mail to: -=2EB lid...@li... -=2Ebr +\fIhttp://lists.sourceforge.net/lists/listinfo/lids\-user\fR +To post a message to the list, send an e\-mail to: +\fIlids\-u...@li...\fR Current LIDS archive can be found at: -=2EI http://www.geocrawler.com/redir-sf.php3?list=3Dlids-user -=2Ebr +\fIhttp://www.geocrawler.com/redir\-sf.php3?list=3Dlids\-user\fR An outdated searchable archive can be found at: -=2EI http://groups.yahoo.com/group/lids - -=2ETP=20 -=2EB LIDS FAQ +\fIhttp://groups.yahoo.com/group/lids\fR +=2ETP=20 +\fILIDS FAQ\fR=20 The LIDS FAQ is located at: -=2Ebr -=2EI http://www.lids.org/lids-faq.lids-faq.html -=2Ebr +\fIhttp://www.lids.org/lids\-faq.lids\-faq.html\fR or -=2Ebr -=2EI http://www.roedie.nl/lids-faq/ - -=2ESH BUGS=20 +\fIhttp://www.roedie.nl/lids\-faq/\fR +=2ESH BUGS Any bugs found with LIDS itself should be sent to Xie, Phil, or the mailin= g list -=2EB (lid...@li...). -Please include your .config file used to compile your kernel, and the lids= .conf and lids.cap files located in /etc/lids directory. Any errors found = in this man page should be sent to Sander Klein.=20 +\fI(lids\-u...@li...).\fR +Please include your .config file used to compile your kernel, and the lids= .conf and lids.cap files located in /etc/lids directory. Any errors found i= n this man page should be sent to Sander Klein. =2ESH FILES \fB/etc/lids/lids.conf\fR \- LIDS configuration file. -=2Ebr \fB/etc/lids/lids.cap\fR \- Defines the global capabilities. -=2Ebr -\fB/etc/lids/lids.net\fR \- Configuration file for e-mail alerts. 
-=2Ebr +\fB/etc/lids/lids.net\fR \- Configuration file for e\-mail alerts. \fB/etc/lids/lids.pw\fR \- Contains the encrypted LIDS password. - -=2ESH SEE ALSO -=2EBR lidsconf (8) - +=2ESH "SEE ALSO" +\fBlidsconf\fR(8) =2ESH AUTHORS Huagang Xie -=2EI <xi...@li...> +\fI<xi...@li...>\fR =2EPP Philippe Biondi=20 -=2EI <bi...@ca...> +\fI<biondi@cartel\-securite.fr>\fR =2EPP Manpage written by Sander Klein -=2EI <ro...@ro...> - +\fI<ro...@ro...>\fR =2ESH DISTRIBUTION The newest version of=20 -=2EI LIDS=20 +\fILIDS\fR can be obtained from=20 -=2EI http://www.lids.org/=20 +\fIhttp://www.lids.org/\fR or one of it's mirrors. -=2EI LIDS=20 -is (C) 1999-2004 by Huagang Xie(xi...@li...). -=2E\" See the lidsconf (8) man page for some funny remarks... -=2E\" - +\fILIDS\fR +is (C) 1999\-2004 by Huagang Xie(xi...@li...). Modified: lidstools/branches/roedie-doc/src/lidsadm.8.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsadm.8.xml (original) +++ lidstools/branches/roedie-doc/src/lidsadm.8.xml Mon Mar 13 22:22:19 2006 @@ -3,7 +3,7 @@ <!-- lifted from troff+man by doclifter --> <refentry id=3D"lidsadm8"> <refmeta> - <refentrytitle>LIDSADM</refentrytitle> + <refentrytitle>lidsadm</refentrytitle> <manvolnum>8</manvolnum> </refmeta> <refnamediv id=3D"name"> Modified: lidstools/branches/roedie-doc/src/lidsconf.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsconf.8 (original) +++ lidstools/branches/roedie-doc/src/lidsconf.8 Mon Mar 13 22:22:19 2006 
@@ -1,323 +1,268 @@ -=2ETH LIDSCONF 8 -=2E\" -=2E\" Man page written by Sander Klein <ro...@ro...> (May 2003) -=2E\" It is based on the original lidsadm page by Steve Bremer. -=2E\" TODO: I will think of something in the end... -=2E\" -=2E\" This program is free software; you can redistribute it and/or modify -=2E\" it under the terms of the GNU General Public License as publishe= d by -=2E\" the Free Software Foundation; either version 2 of the License, or -=2E\" (at your option) any later version. -=2E\" -=2E\" This program is distributed in the hope that it will be useful, -=2E\" but WITHOUT ANY WARRANTY; without even the implied warranty of -=2E\" MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -=2E\" GNU General Public License for more details. -=2E\" -=2E\" You should have received a copy of the GNU General Public License -=2E\" along with this program; if not, write to the Free Software -=2E\" Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -=2E\" -=2E\" - +=2ETH lidsconf 8 =20 =2ESH NAME -lidsconf \- configuration tool for the Linux Intrusion Detection System +lidsconf \- A configuration tool for the Linux Intrusion Detection System =2ESH SYNOPSIS -=2EB lidsconf -A [acl_type] [-s subject] [-R] -o object [-d] [-t from-to]=20 -=2EB [-i level] -j ACTION -=2Ebr -=2EB lidsconf -C -=2Ebr -=2EB lidsconf -D [acl_type] [-s file] [-o file] -=2Ebr -=2EB lidsconf -Z [acl_type] -=2Ebr -=2EB lidsconf -U -=2Ebr -=2EB lidsconf -L [acl_type] [-e] -=2Ebr -=2EB lidsconf -P -=2Ebr -=2EB lidsconf -S [acl_type] -=2Ebr -=2EB lidsconf -v -=2Ebr -=2EB lidsconf [-h|H] - +\fBlidsconf\fR [\-A | D] [ +\fBacl_type\fR +] [\-s \fBsubject\fR] \-o \fBobject\fR [\-i \fBlevel\fR] \-j \fBACTION\fR=20 +=2EPP +\fBlidsconf\fR \-C=20 +=2EPP +\fBlidsconf\fR \-Z|S [ +\fBacl_type\fR +] +=2EPP +\fBlidsconf\fR \-U=20 +=2EPP +\fBlidsconf\fR \-L [ +\fBacl_type\fR +] [\-e ] +=2EPP +\fBlidsconf\fR \-P=20 +=2EPP +\fBlidsconf\fR \-v=20 +=2EPP +\fBlidsconf\fR [\-h |=20 +\fBH\fR +] 
+=2Esp 1 =2ESH DESCRIPTION - -=2EI lidsconf=20 +lidsconf is a configuration tool for the -=2EI Linux Intrusion Detection System (LIDS). - -LIDS is a kernel patch to enhance the current Linux kernel. With LIDS, you= can protect important files, directories, and devices. You can also define= ACLs that restrict the access control on the entire system. For more infor= mation about LIDS, please go to=20 -=2EI http://www.lids.org.=20 - -=2EI lidsconf -is used to configure the access restriction information for LIDS. All of t= he information is stored in "/etc/lids/lids.conf","/etc/lids/lids.boot.conf= ","/etc/lids/lids.postboot.conf","/etc/lids/lids.shutdown.conf" based on th= e ACL type. - -=2ESH Options (ACL's) +\fILinux Intrusion Detection System (LIDS).\fR +=2EPP +LIDS is a kernel patch and two admin tools to enhance the Linux kernel wit= h with an implementation of Mandatory Access Control or MAC for short. When= in effect, all system access, all network administrative operations, any c= apability usage, raw devices, memory and IO access can be made impossible, = even for root. You can define which programs are allowed to access specific= files. It uses and extends the system capabilities. You can fine tune your= security settings while the system is active. +=2EPP +lidsconf +is used to configure the access restriction information for LIDS. All info= rmation is stored in "/etc/lids/lids.conf","/etc/lids/lids.boot.conf","/etc= /lids/lids.postboot.conf","/etc/lids/lids.shutdown.conf" based on the ACL t= ype. When you are done configuring you need to compile you rules to make .a= cl files which are read by LIDS. +=2ESH "OPTIONS (ACL'S)" ACL is short for "Access Control List". The ACL in LIDS defines how a subj= ect can access an object. The subject can be any program file on the system= . The object can be a file, directory, or a special option (MEM devices, RA= W IO, a HIDDEN process, etc). The target defines the access type that the s= ubject has on the object. 
-=2ETP -The synopsis of the ACL is=20 -=2EB -[-s subject] [-i TTL] -o object -j TARGET -=2ETP -When a subject is not specified, the ACL defines the object's default acce= ss. - -=2ETP -=2EB acl_type=20 +=2ETP=20 +The synopsis of the ACL is +\fI[\-s subject] [\-i TTL] \-o object \-j TARGET\fR +=2ETP=20 +When a subject is not specified, the ACL defines the object's default acce= ss., \fIacl_type\fR=20 acl_type can be "BOOT","POSTBOOT", "SHUTDOWN" or blank which refers to dif= ferent acl states, if you do not provide an acl_type the default value is "= GLOBAL" which will apply for all states. For more information on the LIDS S= TATEFUL ACL, please check the FAQ under the doc directory. -=2ETP -=2EB -s subject +=2ETP=20 +\fB\-s subject\fR=20 A subject can be any program on the system, such as "/bin/login". -=2ETP -=2EB -o object [portscale] -An object can be a file, directory, or a special option (CAP_SYS_RAWIO, CA= P_HIDDEN, CAP_INIT_KILL, etc). If the object is CAP_NET_BIND_SERVICE, you = must specify the port range. For example, "20-299,400-1002". -=2ETP -=2EB -i <inheritance level> -This specifies that the ACL is inheritable by the subject's children. The=20 -=2EB inheritance level -affects how far the ACL is inherited. An inheritance level of "-1" means=20 -=2EB unlimited=20 -inheritance. An inheritance level of 1 means that a child process spawned= by the parent which is not the same program as the parent will inherit the= ACL, but a child process spawned from the child (i.e. a grandchild of the = orignal process) won't. +=2ETP=20 +\fB\-o object [portscale]\fR=20 +An object can be a file, directory, or a special option (CAP_SYS_RAWIO, CA= P_HIDDEN, CAP_INIT_KILL, etc). If the object is CAP_NET_BIND_SERVICE, you m= ust specify the port range. For example, "20\-299,400\-1002". +=2ETP=20 +\fB\-i <inheritance level>\fR=20 +This specifies that the ACL is inheritable by the subject's children. The=20 +\fIinheritance level\fR +affects how far the ACL is inherited. 
An inheritance level of "\-1" means=20 +\fIunlimited\fR +inheritance. An inheritance level of 1 means that a child process spawned = by the parent which is not the same program as the parent will inherit the = ACL, but a child process spawned from the child (i.e. a grandchild of the o= rignal process) won't. The Inheritance level will only affect the children which are not the same= program as its parent. If the child is the same program as the parent, it = will gain all the permission from its parent. -=2ETP - -=2ETP -=2EB -j target +=2ETP=20 +\fB\-j target\fR=20 The target can be DENY, READ, APPEND, WRITE, or IGNORE for normal file acc= ess ACLs. For a special object, the target can only be GRANT. - =2ESH COMMANDS These options specify the action to perform. Only one command can be given= on the commandline unless otherwise specified. - -=2ETP -=2EB -A, --add [acl_type] +=2ETP=20 +\fB\-A, \-\-add [acl_type]\fR=20 Add one or more rules to the end of the selected acl_type chain. -=2ETP -=2EB -C, --check +=2ETP=20 +\fB\-C, \-\-check\fR=20 Check your LIDS rules and have them compiled. The output of this command c= an help in making tighter rules or showing problems with your current ruleb= ase. -=2ETP -=2EB -D, --delete [acl_type] +=2ETP=20 +\fB\-D, \-\-delete [acl_type]\fR=20 Delete one or more rules from the selected acl_type. -=2ETP -=2EB -Z, --zero [acl_type] +=2ETP=20 +\fB\-Z, \-\-zero [acl_type]\fR=20 Delete all acl's from the selected acl_type. If no acl_type is given then = the rules from the GLOBAL acl_type are deleted. -=2ETP -=2EB -U, --update +=2ETP=20 +\fB\-U, \-\-update\fR=20 Update your acl's. If you change or move a file or directory, it's inode w= ill change. You the need to update your lids config with this command -=2ETP -=2EB -L, --list [acl_type] +=2ETP=20 +\fB\-L, \-\-list [acl_type]\fR=20 List the acl's in the selected acl_type. -=2ETP -=2EB -P, --passwd +=2ETP=20 +\fB\-P, \-\-passwd\fR=20 Set a new LIDS password. 
-=2ETP -=2EB -S, --script +=2ETP=20 +\fB\-S, \-\-script\fR=20 Write out a script to set your acl's. -=2ETP -=2EB -v, --version +=2ETP=20 +\fB\-v, \-\-version\fR=20 Show the lidsconf version. -=2ETP -=2EB -h, --help +=2ETP=20 +\fB\-h, \-\-help\fR=20 Show the lidsconf help. -=2ETP -=2EB -H, --morehelp +=2ETP=20 +\fB\-H, \-\-morehelp\fR=20 Show more help options. - -=2ETP -=2ESH Available capabilities +=2ESH "AVAILABLE CAPABILITIES" The capabilities used in LIDS are shown below. You can use the name to ena= ble or disable the capability when sealing and switching. You can also gran= t the capability to a program even if the capability is disabled globally o= n the system. - -=2ETP -=2EB CAP_CHOWN +=2ETP=20 +\fICAP_CHOWN\fR=20 chown(2)/chgrp(2) -=2ETP -=2EB CAP_DAC_OVERRIDE +=2ETP=20 +\fICAP_DAC_OVERRIDE\fR=20 DAC access. -=2ETP -=2EB CAP_DAC_READ_SEARCH +=2ETP=20 +\fICAP_DAC_READ_SEARCH\fR=20 DAC read. -=2ETP -=2EB CAP_FOWNER +=2ETP=20 +\fICAP_FOWNER\fR=20 Owner ID not equal user ID. -=2ETP -=2EB CAP_FSETID +=2ETP=20 +\fICAP_FSETID\fR=20 Effective user ID not equal owner ID. -=2ETP -=2EB CAP_KILL +=2ETP=20 +\fICAP_KILL\fR=20 Real/effective ID not equal process ID. =2ETP=20 -=2EB CAP_SETGID +\fICAP_SETGID\fR=20 setgid(2) =2ETP=20 -=2EB CAP_SETUID=20 +\fICAP_SETUID\fR=20 set*uid(2) -=2ETP -=2EB CAP_SETPCAP +=2ETP=20 +\fICAP_SETPCAP\fR=20 Transfer capability. -=2ETP -=2EB CAP_LINUX_IMMUTABLE +=2ETP=20 +\fICAP_LINUX_IMMUTABLE\fR=20 Immutable and append file attributes. -=2ETP -=2EB CAP_NET_BIND_SERVICE +=2ETP=20 +\fICAP_NET_BIND_SERVICE\fR=20 Binding to ports below 1024. -=2ETP -=2EB CAP_NET_BROADCAST +=2ETP=20 +\fICAP_NET_BROADCAST\fR=20 Broadcasting/listening to multicast. -=2ETP -=2EB CAP_NET_ADMIN +=2ETP=20 +\fICAP_NET_ADMIN\fR=20 Interface/firewall/routing changes. -=2ETP -=2EB CAP_NET_RAW +=2ETP=20 +\fICAP_NET_RAW\fR=20 Raw sockets (ping). -=2ETP -=2EB CAP_IPC_LOCK +=2ETP=20 +\fICAP_IPC_LOCK\fR=20 Locking of shared memory segments. 
-=2ETP -=2EB CAP_IPC_OWNER +=2ETP=20 +\fICAP_IPC_OWNER\fR=20 IPC ownership checks. -=2ETP -=2EB CAP_SYS_MODULE +=2ETP=20 +\fICAP_SYS_MODULE\fR=20 Insertion and removal of kernel modules. -=2ETP -=2EB CAP_SYS_RAWIO +=2ETP=20 +\fICAP_SYS_RAWIO\fR=20 ioperm(2)/iopl(2) access -=2ETP -=2EB CAP_SYS_CHROOT +=2ETP=20 +\fICAP_SYS_CHROOT\fR=20 chroot(2) -=2ETP -=2EB CAP_SYS_PTRACE +=2ETP=20 +\fICAP_SYS_PTRACE\fR=20 ptrace(2) -=2ETP -=2EB CAP_SYS_PACCT +=2ETP=20 +\fICAP_SYS_PACCT\fR=20 Configuration of process accounting. -=2ETP -=2EB CAP_SYS_ADMIN +=2ETP=20 +\fICAP_SYS_ADMIN\fR=20 Tons of admin stuff. -=2ETP -=2EB CAP_SYS_BOOT +=2ETP=20 +\fICAP_SYS_BOOT\fR=20 reboot(2) -=2ETP -=2EB CAP_SYS_NICE +=2ETP=20 +\fICAP_SYS_NICE\fR=20 nice(2) -=2ETP -=2EB CAP_SYS_RESOURCE +=2ETP=20 +\fICAP_SYS_RESOURCE\fR=20 Setting resource limits. -=2ETP -=2EB CAP_SYS_TIME +=2ETP=20 +\fICAP_SYS_TIME\fR=20 Setting system time. -=2ETP -=2EB CAP_SYS_TTY_CONFIG +=2ETP=20 +\fICAP_SYS_TTY_CONFIG\fR=20 TTY configuration. -=2ETP -=2EB CAP_MKNOD +=2ETP=20 +\fICAP_MKNOD\fR=20 Allow the privileged aspects of mknod(). -=2ETP -=2EB CAP_LEASE +=2ETP=20 +\fICAP_LEASE\fR=20 Allow taking of leases on files. -=2ETP -=2EB CAP_HIDDEN +=2ETP=20 +\fICAP_HIDDEN\fR=20 Make a program hidden from the entire system. -=2ETP -=2EB CAP_KILL_PROTECTED +=2ETP=20 +\fICAP_KILL_PROTECTED\fR=20 Allow/disallow a process to kill protected processes. -=2ETP -=2EB CAP_PROTECTED +=2ETP=20 +\fICAP_PROTECTED\fR=20 Protect the process from signals. - =2ESH EXAMPLES -Here are some examples of using lidsconf. They range from simple/normal t= o a little more complex/esoteric. Note that actual file names are used to = make things more concrete. In their place you should substitute file/direct= ories from -=2EB your own system. -=2ETP -=2EB lidsconf -A BOOT -o /var/log/message -j APPEND +Here are some examples of using lidsconf. They range from simple/normal to= a little more complex/esoteric. 
Note that actual file names are used to ma= ke things more concrete. In their place you should substitute file/director= ies from +\fIyour own system.\fR +=2ETP=20 +\fBlidsconf \-A BOOT \-o /var/log/message \-j APPEND\fR=20 Protects /var/log/message as append only in BOOT STATE. -=2ETP -=2EB lidsconf -A POSTBOOT -o /sbin/test -j IGNORE -Specifies that the read-only protection of /sbin doesn't apply to /sbin/te= st in POSTBOOT state. -=2ETP -=2EB lidsconf -A POSTBOOT -o /etc/shadow -j DENY +=2ETP=20 +\fBlidsconf \-A POSTBOOT \-o /sbin/test \-j IGNORE\fR=20 +Specifies that the read\-only protection of /sbin doesn't apply to /sbin/t= est in POSTBOOT state. +=2ETP=20 +\fBlidsconf \-A POSTBOOT \-o /etc/shadow \-j DENY\fR=20 Make /etc/shadow hidden from everyone only in BOOT STATE. Nothing can see = the file (open,stat,..). -=2ETP -=2EB lidsconf -A POSTBOOT -s /bin/login -o /etc/shadow -j READ +=2ETP=20 +\fBlidsconf \-A POSTBOOT \-s /bin/login \-o /etc/shadow \-j READ\fR=20 Allows the /bin/login program to read the /etc/passwd even though it has b= een defined as hidden above. -In this case, only /bin/login can read /etc/passwd. No other program or u= ser can see the file (/etc/passwd). -=2ETP -=2EB lidsconf -A -s /usr/sbin/httpd -o /home/httpd -j READ -=2ETP -=2EB lidsconf -A -s /usr/sbin/httpd -o CAP_NET_BIND_SERVICE 80 -i -1 -j GR= ANT +In this case, only /bin/login can read /etc/passwd. No other program or us= er can see the file (/etc/passwd). +=2ETP=20 +\fBlidsconf \-A \-s /usr/sbin/httpd \-o /home/httpd \-j READ\fR , \fBlidsc= onf \-A \-s /usr/sbin/httpd \-o CAP_NET_BIND_SERVICE 80 \-i \-1 \-j GRANT\f= R=20 Protects the server root of a web server (/home/httpd) as DENY, and allow = only the httpd binary (/usr/sbin/httpd) to read the server root (/home/http= d),and the httpd can only bind to port 80. 
-=2ETP -=2EB lidsconf -A SHUTDOWN -s /bin/program -i 2 -o CAP_NET_ADMIN -j GRANT +=2ETP=20 +\fBlidsconf \-A SHUTDOWN \-s /bin/program \-i 2 \-o CAP_NET_ADMIN \-j GRAN= T\fR=20 Grant the /bin/program the capability of CAP_NET_ADMIN, and the inheritanc= e level is 2 only in SHUTDOWN state. -=2ETP -=2EB lidsconf -A -s /usr/X11/bin/XF86_SVGA -o CAP_SYS_RAWIO -j GRANT +=2ETP=20 +\fBlidsconf \-A \-s /usr/X11/bin/XF86_SVGA \-o CAP_SYS_RAWIO \-j GRANT\fR=20 Grants the program XF86_SVGA the capability of CAP_SYS_RAWIO if the CAP_SY= S_RAWIO has been disabled in /etc/lids/lids.cap. - -=2ESH OTHER SOURCES OF INFORMATION. -=2ETP -=2EB Mailing List +=2ESH "OTHER SOURCES OF INFORMATION." +=2ETP=20 +\fIMailing List\fR=20 To subscribe, unsubscribe, go to: -=2EI http://lists.sourceforge.net/lists/listinfo/lids-user -=2Ebr -To post a message to the list, send an e-mail to: -=2EB lid...@li... -=2Ebr +\fIhttp://lists.sourceforge.net/lists/listinfo/lids\-user\fR +To post a message to the list, send an e\-mail to: +\fIlids\-u...@li...\fR Current LIDS archive can be found at: -=2EI http://www.geocrawler.com/redir-sf.php3?list=3Dlids-user -=2Ebr +\fIhttp://www.geocrawler.com/redir\-sf.php3?list=3Dlids\-user\fR An outdated searchable archive can be found at: -=2EI http://groups.yahoo.com/group/lids - -=2ETP -=2EB LIDS FAQ +\fIhttp://groups.yahoo.com/group/lids\fR +=2ETP=20 +\fILIDS FAQ\fR=20 The LIDS FAQ is located at: -=2Ebr -=2EI http://www.lids.org/lids-faq/lids-faq.html -=2Ebr +\fIhttp://www.lids.org/lids\-faq/lids\-faq.html\fR or -=2Ebr -=2EI http://www.roedie.nl/lids-faq - +\fIhttp://www.roedie.nl/lids\-faq\fR =2ESH BUGS Any bugs found with LIDS itself should be sent to Xie, Phil, or the mailin= g list -=2EB (lid...@li...). -Please include your .config file used to compile your kernel, and the lids= .conf and lids.cap files located in /etc/lids directory. Any errors found = in this man page should be sent to Sander Klein. 
+\fI(lids\-u...@li...).\fR +Please include your .config file used to compile your kernel, and the lids= .conf and lids.cap files located in /etc/lids directory. Any errors found i= n this man page should be sent to Sander Klein. =2ESH FILES \fB/etc/lids/lids.ini\fR \- LIDS Initial file. -=2Ebr \fB/etc/lids/lids.cap\fR \- Defines the global capabilities. -=2Ebr \fB/etc/lids/lids.boot.cap\fR \- Defines the BOOT capabilities. -=2Ebr \fB/etc/lids/lids.postboot.cap\fR \- Defines the POSTBOOT capabilities. -=2Ebr \fB/etc/lids/lids.shutdown.cap\fR \- Defines the SHUTDOWN capabilities. -=2Ebr \fB/etc/lids/lids.pw\fR \- Contains the encrypted LIDS password. - -=2ESH SEE ALSO -=2EBR lidsadm (8) - +=2ESH "SEE ALSO" +\fBlidsadm\fR(8) =2ESH AUTHORS Huagang Xie -=2EI <xi...@li...> +\fI<xi...@li...>\fR =2EPP Philippe Biondi -=2EI <bi...@ca...> +\fI<biondi@cartel\-securite.fr>\fR =2EPP Manpage written by Sander Klein -=2EI <ro...@ro...> -=2EPP - +\fI<ro...@ro...>\fR =2ESH DISTRIBUTION The newest version of=20 -=2EI LIDS=20 +\fILIDS\fR can be obtained from=20 -=2EI http://www.lids.org/=20 +\fIhttp://www.lids.org/\fR or one of it's mirrors. -=2EI LIDS=20 -is (C) 1999-2004 by Huagang Xie(xi...@li...). -=2E\" See the lidsadm (8) man page for some funny remarks... -=2E\" +\fILIDS\fR +is (C) 1999\-2004 by Huagang Xie(xi...@li...). Modified: lidstools/branches/roedie-doc/src/lidsconf.8.xml =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsconf.8.xml (original) +++ lidstools/branches/roedie-doc/src/lidsconf.8.xml Mon Mar 13 22:22:19 20= 06 
@@ -3,7 +3,7 @@ <!-- lifted from troff+man by doclifter --> <refentry id=3D"lidsconf8"> <refmeta> - <refentrytitle>LIDSCONF</refentrytitle> + <refentrytitle>lidsconf</refentrytitle> <manvolnum>8</manvolnum> </refmeta> <refnamediv id=3D"name"> |
From: <no...@ro...> - 2006-03-13 21:15:36
Author: roedie Date: Mon Mar 13 22:15:28 2006 New Revision: 15 Log: Converted man pages to xml. Made a first stab at cleaning them up. Added: lidstools/branches/roedie-doc/src/lidsadm.8.xml lidstools/branches/roedie-doc/src/lidsconf.8.xml Modified: lidstools/branches/roedie-doc/src/lidsadm.8 lidstools/branches/roedie-doc/src/lidsconf.8 Modified: lidstools/branches/roedie-doc/src/lidsadm.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsadm.8 (original) +++ lidstools/branches/roedie-doc/src/lidsadm.8 Mon Mar 13 22:15:28 2006 @@ -66,7 +66,6 @@ =2ESH Available capabilities The capabilities used in LIDS are shown below. You can use the name to ena= ble or disable the capability when sealing and switching. You can also gran= t the capability to a program even if the capability is disabled globally o= n the system. =20 -=2ESP =2ETP =2EB CAP_CHOWN chown(2)/chgrp(2) @@ -259,7 +258,6 @@ can be obtained from=20 =2EI http://www.lids.org/=20 or one of it's mirrors. -=2ESp =2EI LIDS=20 is (C) 1999-2004 by Huagang Xie(xi...@li...). =2E\" See the lidsconf (8) man page for some funny remarks... Modified: lidstools/branches/roedie-doc/src/lidsconf.8 =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/branches/roedie-doc/src/lidsconf.8 (original) +++ lidstools/branches/roedie-doc/src/lidsconf.8 Mon Mar 13 22:15:28 2006 
@@ -130,7 +130,6 @@ =2ESH Available capabilities The capabilities used in LIDS are shown below. You can use the name to ena= ble or disable the capability when sealing and switching. You can also gran= t the capability to a program even if the capability is disabled globally o= n the system. =20 -=2ESP =2ETP =2EB CAP_CHOWN chown(2)/chgrp(2) @@ -318,7 +317,6 @@ can be obtained from=20 =2EI http://www.lids.org/=20 or one of it's mirrors. -=2ESp =2EI LIDS=20 is (C) 1999-2004 by Huagang Xie(xi...@li...). =2E\" See the lidsadm (8) man page for some funny remarks... |
From: <no...@ro...> - 2006-03-13 19:17:08
Author: roedie Date: Mon Mar 13 20:16:54 2006 New Revision: 14 Log: Creating temporary branch for documentation. Added: lidstools/branches/roedie-doc/ - copied from r13, lidstools/trunk/ |
From: Junji K. <jun...@li...> - 2006-01-20 14:25:23
Hi, I'm pleased to announce that Linux Event Dispatcher version 1.0 beta is now ready for download. I thought some people on this list might be interested in this, so I'm posting it here. This may be a multi-post; if so, I'm very sorry for the bandwidth. Led is a realtime event filtering framework for Linux systems that handles system events on the fly. With led you can register actions for particular events, such as access violations and login failures, in realtime. The events can be fed in via syslogd, auditd, ulogd from netfilter and any other sources too. This is a preliminary release for people to review. The base framework is pretty much done, but the plugins are not. I'd need some help from people out there to write more plugins. Any comments and requests are welcome :) You can download led from: http://www.linuon.com/ [Brief Introduction] First of all, Linux Event Dispatcher, or led for short, is NOT a replacement for other traditional logging and filtering systems. Instead, led gets fed events from them. The main goal of led is to handle system events in realtime and take action for the events on the fly. For example, you can have filters for critical events from the kernel audit system and set up detailed actions for each event, such as an avc violation or an unexpected write operation on /var/www/html/index.hml. You may pick an action for each event: either shut down the system immediately, or block the http port temporarily and recover the whole web contents, etc. At the same time you can check who did it, ban him/her from the host if he/she is on localhost, and report it to you right away... You would be able to do such things with led. Normally most administrators won't realize they are under attack until they get some error or look carefully into the logwatch report email. It might be too late. You could use restricted settings to keep the risk to a minimum, but you can't block ports entirely. As long as you are opening ports to the public there is risk, so how fast you can notice an error and recover from a compromise is the key... 
For more info please go to http://www.linuon.com/ Thanks, -- Junji -- /* ** Junji Kanemaru ** CEO, Linuon inc. ** WEB: http://www.linuon.com/ */ |
From: <no...@ro...> - 2006-01-11 04:01:38
Author: xie Date: Wed Jan 11 05:01:28 2006 New Revision: 13 Log: test=20 Modified: lidstools/trunk/ChangeLog Modified: lidstools/trunk/ChangeLog =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/trunk/ChangeLog (original) +++ lidstools/trunk/ChangeLog Wed Jan 11 05:01:28 2006 @@ -1,3 +1,6 @@ +2006-1-9 Roedie=20 + * putting the fileinto Subversion. + 2004-2-26 Yusuf Wilajati Purna * Merged 0.5.2p1 to lidstools maintained by Huagang. * Changed the version 0.5.3. |
From: <no...@ro...> - 2006-01-04 20:01:58
Author: roedie Date: Wed Jan 4 21:01:50 2006 New Revision: 12 Log: Made install file a bit up-to-date. Modified: lidstools/trunk/INSTALL Modified: lidstools/trunk/INSTALL =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/trunk/INSTALL (original) +++ lidstools/trunk/INSTALL Wed Jan 4 21:01:50 2006 @@ -9,17 +9,16 @@ - Building your kernel with LIDS support. - =20 1)=20 -Get the latest LIDS tarball from www.lids.org or one of it's mirrors and -unpack it. +Get the latest LIDS kernel patch tarball from www.lids.org or one of it's +mirrors and unpack it. =20 -You will get a lids-a.b.c-x.y.z directory containing some documents, -a lids-a.b.c-x.y.z.patch and a lidstools-d.e.f.tar.gz file. +You will get a lids-a.b.c-x.y.z directory containing some documents and +a lids-a.b.c-x.y.z.patch. =20 -The package name format -is like: lids-a.b.c-x.y.z.tar.gz +The package name format is like: lids-a.b.c-x.y.z.tar.gz =20 a.b.c is the LIDS version en x.y.z is the kernel version. -d.e.f is the lidstools version. + =20 2) Get the corresponding vanilla kernel source from kernel.org and unpack it.= It @@ -27,7 +26,7 @@ Do *NOT* use a kernel source that is provided with your Linux distribution. Those kernel sources are non-vanilla kernel sources which means they are modified and there is a posibility that lids will not work correct on these -kernels or will even fail completely to apply the patch. +kernels or maybe you will even completely fail to apply the patch. =20 3) Change directory to your kernel source and patch you kernel source with 
@@ -103,10 +102,16 @@ used to configure LIDS and do administrative tasks. =20 1) -Unpack the lidstools-d.e.f.tar.gz that came with the LIDS tarball. +Get the latest lidstools package from the LIDS website or one of it's mirr= ors +and unpack it. + +The lidstools package has a version nummber like lidstools-a.b.c.tar.gz. T= he +'a' and 'b' numbers have to be the same as the numbers of the LIDS kernelp= atch +you used earlier. For example, you have downloaded lids-2.2.2-2.6.14.tar.g= z, +then you need a lidstools-2.2.x package.=20 =20 2) -Change directory to the lidstools-d.e.f directory. +Change directory to the lidstools-a.b.c directory. =20 3) Build the lidstools using the following commands: @@ -127,12 +132,12 @@ After editing you rulebase do not forget to compile it using 'lidsconf -C', else your rules will not be used. If you have some good rules to get a program working you are encouraged to send them to the LIDS mailinglist or -to <li...@ro...>. Then they can be made available to others. +publish them on the LIDS wiki. =20 --- =20 You can find documentation about how to use LIDS in the doc/ directory or = at -http://www.lids.org/document.html. +http://wiki.lids.org. =20 There's a mailinglist for LIDS available at <lid...@li...urceforge.n= et> where you can ask questions, report bugs and give suggestions about LIDS. @@ -144,4 +149,3 @@ Enjoy LIDS =20 LIDS Development Team -July 2004 |
From: <no...@ro...> - 2006-01-03 20:19:47
Author: roedie Date: Tue Jan 3 21:19:38 2006 New Revision: 11 Log: Removed Authors because it was duplicate with CREDITS. Sanitized some file names. Removed some obsolete docs. Modified some docs. Added: lidstools/trunk/doc/acl_discovery/acl_discovery.txt - copied unchanged from r10, lidstools/trunk/doc/acl_discovery/acl_di= scovery.FAQ lidstools/trunk/doc/inherit_level.txt - copied unchanged from r10, lidstools/trunk/doc/inherit_level lidstools/trunk/doc/secure_channel.txt - copied unchanged from r10, lidstools/trunk/doc/secure_channel lidstools/trunk/doc/stateful_acl.txt - copied unchanged from r10, lidstools/trunk/doc/Stateful_acl.FAQ Removed: lidstools/trunk/AUTHORS lidstools/trunk/doc/Learning_mode.FAQ lidstools/trunk/doc/Stateful_acl.FAQ lidstools/trunk/doc/acl_discovery.FAQ lidstools/trunk/doc/acl_discovery/acl_discovery.FAQ lidstools/trunk/doc/inherit_level lidstools/trunk/doc/secure_channel Modified: lidstools/trunk/CREDITS lidstools/trunk/README lidstools/trunk/doc/README lidstools/trunk/example/README Modified: lidstools/trunk/CREDITS =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/trunk/CREDITS (original) +++ lidstools/trunk/CREDITS Tue Jan 3 21:19:38 2006 @@ -45,7 +45,7 @@ D: the first site of LIDS =20 N: Sander Klein=20 -E: s....@ik... +E: s....@ne... D: provide patch to Configure.help and lidsadm.c =20 N: Bosko Radivojevic Modified: lidstools/trunk/README =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/trunk/README (original) +++ lidstools/trunk/README Tue Jan 3 21:19:38 2006 
@@ -5,10 +5,13 @@ kernel patch. These tools are useless without a LIDS enhanced kernel. =20 * Website http://www.lids.org + * For installation notes please read the INSTALL file or http://wiki.lids.org/index.php/LIDS_2.2_Installation_Howto + * More documentation is available in the /doc directory or in the lids WI= KI located at wiki.lids.org + * If you need support, need help, want to report a bug or have suggestion please contact us at lid...@li... or at http://forum.lids.org. @@ -16,3 +19,4 @@ Enjoy, =20 LIDS Development Team +www.lids.org Modified: lidstools/trunk/doc/README =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/trunk/doc/README (original) +++ lidstools/trunk/doc/README Tue Jan 3 21:19:38 2006 @@ -1,12 +1,15 @@ -There is a documentation page on www.lids.org, you can get=20 -1. LIDS HOWTO -2. LIDS Hacking HOWTO -3. LIDS FAQ -4. Build a secure kernel with LIDS=20 -etc.=20 +There is a documentation page on wiki.lids.org. The you can find the: =20 -and you are encourage to write document for LIDS project. + * LIDS HOWTO + * LIDS Hacking HOWTO + * LIDS FAQ + * Build a secure kernel with LIDS=20 + * And more...=20 + +Ofcourse everyone is encouraged to write documentation for the LIDS projec= t=2E We +are always willing to review your documentation and give comments. =20 Thanks, -LIDS TEAMS.=20 + +LIDS Team=20 www.lids.org Modified: lidstools/trunk/example/README =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/trunk/example/README (original) +++ lidstools/trunk/example/README Tue Jan 3 21:19:38 2006 
@@ -1,23 +1,23 @@ These are sample configuration files for LIDS and will be copied=20 to "$(prefix)/etc/lids/" as the initial configuration files for LIDS. =20 -NOTE: These are just samples and can only be treated as=20 - LOW SECURITY. You must build you own ACLs based on your special - system configuration. +NOTE: These are just samples and used as initial files for LIDS. These fil= es + can only be treated as LOW SECURITY. They might not even work for yo= ur + system. You must build you own ACL's based on your special system + configuration. =20 -lids.acl.sh ------ Initial the LIDS ACL on the filesystem. -lids.cap ------ global lids capability in GLOBAL state. -lids.boot.cap ------ global lids capability in BOOT state. -lids.postboot.cap ------ global lids capability in POSTBOOT state. -lids.shutdown.cap ------ global lids capability in SHUTDOWN state. -lids.ini ------ LIDS init file -lids.pw ------ lids kernel password for certification. +lids.acl.sh ------ Initialize the LIDS ACL's on the filesystem. +lids.cap ------ global lids capability for the GLOBAL state. +lids.boot.cap ------ global lids capability for the BOOT state. +lids.postboot.cap ------ global lids capability for the POSTBOOT state. +lids.shutdown.cap ------ global lids capability for the SHUTDOWN state. +lids.ini ------ LIDS ini file. +lids.pw ------ LIDS kernel password for authentication. =20 -NOTE: you must reconfigurate lids.conf, lids.cap, lids.xxx.conf, - lids.xxx.cap (with lidsconf) and lids.pw (with lidsconf -P) - *before* you reboot the system!=20 - =20 +NOTE: you must reconfigure lids.conf, lids.cap, lids.xxx.conf, lids.xxx.cap + (with lidsconf) and lids.pw (with lidsconf -P) *BEFORE* you reboot t= he + system! Also, do not forget to run 'lidsconf -C' after configuring y= our + ACL's. =20 -LIDS Team - -February 2004 +LIDS Development Team +www.lids.org |
From: <no...@ro...> - 2006-01-02 20:20:17
Author: roedie Date: Mon Jan 2 21:20:12 2006 New Revision: 10 Log: Remove even more... almost done I think ;-) Removed: lidstools/trunk/src/README |
From: <no...@ro...> - 2006-01-02 20:12:02
Author: roedie Date: Mon Jan 2 21:11:56 2006 New Revision: 9 Log: Removed this file because it is obsolete. Docs will be rewritten. Removed: lidstools/trunk/doc/WHAT_IS_NEW_IN_LIDS_2.2 |
From: <no...@ro...> - 2006-01-02 20:06:40
Author: roedie Date: Mon Jan 2 21:06:37 2006 New Revision: 8 Log: Removed the FAQ because it is obsolete compared to the one in the wiki. Removed: lidstools/trunk/doc/FAQ/ |
From: <no...@ro...> - 2006-01-02 19:22:14
Author: roedie Date: Mon Jan 2 20:22:04 2006 New Revision: 7 Log: Updated readme file because it was obsolete. Modified: lidstools/trunk/README Modified: lidstools/trunk/README =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- lidstools/trunk/README (original) +++ lidstools/trunk/README Mon Jan 2 20:22:04 2006 
@@ -1,80 +1,18 @@ -Quick install for LIDS 2.2.x with XATTR suppport -------------- -NOTE: this lidstool can be used not only for kernel 2.6.x +This is the lidstools source package. =20 -You need to do the following=20 -1. Configure the kernel with "SHA256" support under the "CRYTPO" entry. - This Option is needed by LIDS to authenticate the lidsadm user. +It contains the source for the lidsconf and lidsadm utilities used to +administrate systems enhanced with the Linux Intrusion Detection System +kernel patch. These tools are useless without a LIDS enhanced kernel. =20 -ONFIG_CRYPTO=3Dy -CONFIG_CRYPTO_SHA256=3Dy - -2. Configure the kernel with "XATTR" support. Note, reiserfs do not support -XATTR in the kernel right now, but has a patch which will let it support. -The following is EXT2 and EXT3's example. - -CONFIG_EXT2_FS=3Dy -CONFIG_EXT2_FS_XATTR=3Dy -CONFIG_EXT2_FS_POSIX_ACL=3Dy -CONFIG_EXT2_FS_SECURITY=3Dy -CONFIG_EXT3_FS=3Dy -CONFIG_EXT3_FS_XATTR=3Dy -CONFIG_EXT3_FS_POSIX_ACL=3Dy -CONFIG_EXT3_FS_SECURITY=3Dy - - -2. Reconfigure the filesystem to make it work =20 - edit the /etc/fstab , adding "acl" after the "default" - -here is an example on Redhat 9.0,=20 - -------------- /etc/fstab -----------------------------------------------= ------ -LABEL=3D/ / ext3 defaults,acl = 1 1 -none /dev/pts devpts gid=3D5,mode=3D620= 0 0 -none /proc proc defaults 0 0 -none /dev/shm tmpfs defaults 0 0 ------------- end of /etc/fstab -------------------------------------------= ------ - -Here is what you need to do : - -3. Install LIDSTOOLS - -=2E/configure KERNEL_DIR=3Dyour_kernel_dir_with_lids_patch -make -make install - -4. Reconfigure the ACLs. - -Current ACLs will stored in inode's xattr on the file system. check the=20 -example on "example/lids.acl.conf" for details.=20 - -NOTE: the ACL configure need run only ONCE. But you can always change the=20 -ACL anytime you want.=20 - -5. 
Enjoy the new one.=20 - -then configure the ACLs (man lidsconf), check example/lids.acl.sh for exam= ple). -then configure, compile and install the new patched kernel -then reboot and enjoy :) - - -The configuration script need a kernel sources tree patched with=20 -the LIDS patch. But it will give you any action it need you to do. -It could do it by itself, but I think the configure script must not -be allowed to modify anything else than the configuration. - -There is some documentation and the FAQ in the doc/ directory. -You'll find the ACL examples in the example/ document. These ACL are -installed in /etc/lids during the make install. You are encouraged to=20 -flush them and make your own. - -If you are experiencig problems, if you need help, if you want to=20 -report a bug, if you have a new bright idea or if you just want -to get in touch with the authors, you can use the following e-mail -addresses : - -LIDS Mailing List <lid...@li...> -Huagang XIE <xi...@ww...> + * Website http://www.lids.org + * For installation notes please read the INSTALL file or + http://wiki.lids.org/index.php/LIDS_2.2_Installation_Howto + * More documentation is available in the /doc directory or in the lids WI= KI + located at wiki.lids.org + * If you need support, need help, want to report a bug or have suggestion + please contact us at lid...@li... + or at http://forum.lids.org. =20 Enjoy, -LIDS Develop Team -March 2004 + +LIDS Development Team |
From: <no...@ro...> - 2006-01-02 18:50:35
Author: roedie Date: Mon Jan 2 19:50:27 2006 New Revision: 6 Log: Removed obsolete Changelog file. Removed more CVS directories. Removed: lidstools/trunk/doc/FAQ/CVS/ lidstools/trunk/doc/acl_discovery/CVS/ lidstools/trunk/doc/lids_prevent_worm/CVS/ lidstools/trunk/src/ChangeLog |
From: <no...@ro...> - 2006-01-02 18:44:00
Author: roedie Date: Mon Jan 2 19:43:50 2006 New Revision: 5 Log: Removed obsolete CVS directories. Removed: lidstools/trunk/doc/CVS/ lidstools/trunk/example/CVS/ |
From: <no...@ro...> - 2005-12-30 11:50:04
Author: roedie Date: Fri Dec 30 12:49:54 2005 New Revision: 2 Log: Initial Import Added: lids/ lids/branches/ lids/tags/ lids/trunk/ lids/trunk/security/ lids/trunk/security/Kconfig lids/trunk/security/Makefile lids/trunk/security/capability.c lids/trunk/security/commoncap.c lids/trunk/security/dummy.c lids/trunk/security/lids/ lids/trunk/security/lids/Kconfig lids/trunk/security/lids/Makefile lids/trunk/security/lids/Makefile.in lids/trunk/security/lids/include/ lids/trunk/security/lids/include/linux/ lids/trunk/security/lids/include/linux/lids.h lids/trunk/security/lids/include/linux/lids_sysctl.h lids/trunk/security/lids/include/linux/lidsext.h lids/trunk/security/lids/include/linux/lidsif.h lids/trunk/security/lids/lids_acl.c lids/trunk/security/lids/lids_cap.c lids/trunk/security/lids/lids_init.c lids/trunk/security/lids/lids_logs.c lids/trunk/security/lids/lids_lsm.c lids/trunk/security/lids/lids_sysctl.c lids/trunk/security/root_plug.c lids/trunk/security/security.c |
From: <no...@ro...> - 2005-12-30 11:30:53
Author: roedie Date: Fri Dec 30 12:30:36 2005 New Revision: 1 Log: Initial Import Added: lidstools/ lidstools/branches/ lidstools/tags/ lidstools/trunk/ lidstools/trunk/AUTHORS lidstools/trunk/COPYING lidstools/trunk/CREDITS lidstools/trunk/ChangeLog lidstools/trunk/INSTALL lidstools/trunk/Makefile.am lidstools/trunk/Makefile.in lidstools/trunk/NEWS lidstools/trunk/README lidstools/trunk/aclocal.m4 lidstools/trunk/compile (with props) lidstools/trunk/config.h.in lidstools/trunk/configure (with props) lidstools/trunk/configure.ac lidstools/trunk/depcomp (with props) lidstools/trunk/doc/ lidstools/trunk/doc/CVS/ lidstools/trunk/doc/CVS/Entries lidstools/trunk/doc/CVS/Repository lidstools/trunk/doc/CVS/Root lidstools/trunk/doc/CVS/Tag lidstools/trunk/doc/CVS/Template lidstools/trunk/doc/FAQ/ lidstools/trunk/doc/FAQ/CVS/ lidstools/trunk/doc/FAQ/CVS/Entries lidstools/trunk/doc/FAQ/CVS/Repository lidstools/trunk/doc/FAQ/CVS/Root lidstools/trunk/doc/FAQ/CVS/Tag lidstools/trunk/doc/FAQ/CVS/Template lidstools/trunk/doc/FAQ/LIDS-FAQ.html lidstools/trunk/doc/FAQ/LIDS-FAQ.txt lidstools/trunk/doc/Learning_mode.FAQ lidstools/trunk/doc/NETFILTER_LIDS.miniHOWTO lidstools/trunk/doc/README lidstools/trunk/doc/Stateful_acl.FAQ lidstools/trunk/doc/WHAT_IS_NEW_IN_LIDS_2.2 lidstools/trunk/doc/acl_discovery/ lidstools/trunk/doc/acl_discovery.FAQ lidstools/trunk/doc/acl_discovery/CVS/ lidstools/trunk/doc/acl_discovery/CVS/Entries lidstools/trunk/doc/acl_discovery/CVS/Repository lidstools/trunk/doc/acl_discovery/CVS/Root lidstools/trunk/doc/acl_discovery/CVS/Tag lidstools/trunk/doc/acl_discovery/CVS/Template lidstools/trunk/doc/acl_discovery/acl_discovery.FAQ lidstools/trunk/doc/acl_discovery/lids_acl_discovery.pl lidstools/trunk/doc/inherit_level lidstools/trunk/doc/lids_prevent_worm/ lidstools/trunk/doc/lids_prevent_worm/CVS/ lidstools/trunk/doc/lids_prevent_worm/CVS/Entries lidstools/trunk/doc/lids_prevent_worm/CVS/Repository lidstools/trunk/doc/lids_prevent_worm/CVS/Root 
lidstools/trunk/doc/lids_prevent_worm/CVS/Tag lidstools/trunk/doc/lids_prevent_worm/CVS/Template lidstools/trunk/doc/lids_prevent_worm/lids_worm.ps lidstools/trunk/doc/lids_prevent_worm/lids_worm.sgml lidstools/trunk/doc/lids_prevent_worm/lids_worm.txt lidstools/trunk/doc/secure_channel lidstools/trunk/example/ lidstools/trunk/example/CVS/ lidstools/trunk/example/CVS/Entries lidstools/trunk/example/CVS/Repository lidstools/trunk/example/CVS/Root lidstools/trunk/example/CVS/Tag lidstools/trunk/example/CVS/Template lidstools/trunk/example/README lidstools/trunk/example/lids.acl.sh lidstools/trunk/example/lids.boot.cap lidstools/trunk/example/lids.boot.conf lidstools/trunk/example/lids.cap lidstools/trunk/example/lids.conf lidstools/trunk/example/lids.conf.2.5 lidstools/trunk/example/lids.ini lidstools/trunk/example/lids.net lidstools/trunk/example/lids.postboot.cap lidstools/trunk/example/lids.postboot.conf lidstools/trunk/example/lids.pw lidstools/trunk/example/lids.shutdown.cap lidstools/trunk/example/lids.shutdown.conf lidstools/trunk/example/up.pl (with props) lidstools/trunk/install-sh (with props) lidstools/trunk/missing (with props) lidstools/trunk/mkinstalldirs (with props) lidstools/trunk/src/ lidstools/trunk/src/ChangeLog lidstools/trunk/src/Makefile.am lidstools/trunk/src/Makefile.in lidstools/trunk/src/README lidstools/trunk/src/kernel_inc.h lidstools/trunk/src/lids_capflag.c lidstools/trunk/src/lids_capflag.h lidstools/trunk/src/lidsadm.8 lidstools/trunk/src/lidsadm.c lidstools/trunk/src/lidsconf.8 lidstools/trunk/src/lidsconf.c lidstools/trunk/src/lidsif.h lidstools/trunk/src/lidstools.h lidstools/trunk/src/read_pw.c lidstools/trunk/src/sha256.c lidstools/trunk/src/time.c |
From: <no...@ro...> - 2005-12-30 11:29:09
Author: roedie Date: Fri Dec 30 12:28:53 2005 New Revision: 2 Log: Initial Import Added: lidstools/ lidstools/branches/ lidstools/tags/ lidstools/trunk/ lidstools/trunk/AUTHORS lidstools/trunk/COPYING lidstools/trunk/CREDITS lidstools/trunk/ChangeLog lidstools/trunk/INSTALL lidstools/trunk/Makefile.am lidstools/trunk/Makefile.in lidstools/trunk/NEWS lidstools/trunk/README lidstools/trunk/aclocal.m4 lidstools/trunk/compile (with props) lidstools/trunk/config.h.in lidstools/trunk/configure (with props) lidstools/trunk/configure.ac lidstools/trunk/depcomp (with props) lidstools/trunk/doc/ lidstools/trunk/doc/CVS/ lidstools/trunk/doc/CVS/Entries lidstools/trunk/doc/CVS/Repository lidstools/trunk/doc/CVS/Root lidstools/trunk/doc/CVS/Tag lidstools/trunk/doc/CVS/Template lidstools/trunk/doc/FAQ/ lidstools/trunk/doc/FAQ/CVS/ lidstools/trunk/doc/FAQ/CVS/Entries lidstools/trunk/doc/FAQ/CVS/Repository lidstools/trunk/doc/FAQ/CVS/Root lidstools/trunk/doc/FAQ/CVS/Tag lidstools/trunk/doc/FAQ/CVS/Template lidstools/trunk/doc/FAQ/LIDS-FAQ.html lidstools/trunk/doc/FAQ/LIDS-FAQ.txt lidstools/trunk/doc/Learning_mode.FAQ lidstools/trunk/doc/NETFILTER_LIDS.miniHOWTO lidstools/trunk/doc/README lidstools/trunk/doc/Stateful_acl.FAQ lidstools/trunk/doc/WHAT_IS_NEW_IN_LIDS_2.2 lidstools/trunk/doc/acl_discovery/ lidstools/trunk/doc/acl_discovery.FAQ lidstools/trunk/doc/acl_discovery/CVS/ lidstools/trunk/doc/acl_discovery/CVS/Entries lidstools/trunk/doc/acl_discovery/CVS/Repository lidstools/trunk/doc/acl_discovery/CVS/Root lidstools/trunk/doc/acl_discovery/CVS/Tag lidstools/trunk/doc/acl_discovery/CVS/Template lidstools/trunk/doc/acl_discovery/acl_discovery.FAQ lidstools/trunk/doc/acl_discovery/lids_acl_discovery.pl lidstools/trunk/doc/inherit_level lidstools/trunk/doc/lids_prevent_worm/ lidstools/trunk/doc/lids_prevent_worm/CVS/ lidstools/trunk/doc/lids_prevent_worm/CVS/Entries lidstools/trunk/doc/lids_prevent_worm/CVS/Repository lidstools/trunk/doc/lids_prevent_worm/CVS/Root 
lidstools/trunk/doc/lids_prevent_worm/CVS/Tag lidstools/trunk/doc/lids_prevent_worm/CVS/Template lidstools/trunk/doc/lids_prevent_worm/lids_worm.ps lidstools/trunk/doc/lids_prevent_worm/lids_worm.sgml lidstools/trunk/doc/lids_prevent_worm/lids_worm.txt lidstools/trunk/doc/secure_channel lidstools/trunk/example/ lidstools/trunk/example/CVS/ lidstools/trunk/example/CVS/Entries lidstools/trunk/example/CVS/Repository lidstools/trunk/example/CVS/Root lidstools/trunk/example/CVS/Tag lidstools/trunk/example/CVS/Template lidstools/trunk/example/README lidstools/trunk/example/lids.acl.sh lidstools/trunk/example/lids.boot.cap lidstools/trunk/example/lids.boot.conf lidstools/trunk/example/lids.cap lidstools/trunk/example/lids.conf lidstools/trunk/example/lids.conf.2.5 lidstools/trunk/example/lids.ini lidstools/trunk/example/lids.net lidstools/trunk/example/lids.postboot.cap lidstools/trunk/example/lids.postboot.conf lidstools/trunk/example/lids.pw lidstools/trunk/example/lids.shutdown.cap lidstools/trunk/example/lids.shutdown.conf lidstools/trunk/example/up.pl (with props) lidstools/trunk/install-sh (with props) lidstools/trunk/missing (with props) lidstools/trunk/mkinstalldirs (with props) lidstools/trunk/src/ lidstools/trunk/src/ChangeLog lidstools/trunk/src/Makefile.am lidstools/trunk/src/Makefile.in lidstools/trunk/src/README lidstools/trunk/src/kernel_inc.h lidstools/trunk/src/lids_capflag.c lidstools/trunk/src/lids_capflag.h lidstools/trunk/src/lidsadm.8 lidstools/trunk/src/lidsadm.c lidstools/trunk/src/lidsconf.8 lidstools/trunk/src/lidsconf.c lidstools/trunk/src/lidsif.h lidstools/trunk/src/lidstools.h lidstools/trunk/src/read_pw.c lidstools/trunk/src/sha256.c lidstools/trunk/src/time.c |
From: <no...@ro...> - 2005-12-30 11:22:27
Author: roedie Date: Fri Dec 30 12:22:03 2005 New Revision: 1 Log: Initial Import Added: branches/ tags/ trunk/ trunk/AUTHORS trunk/COPYING trunk/CREDITS trunk/ChangeLog trunk/INSTALL trunk/Makefile.am trunk/Makefile.in trunk/NEWS trunk/README trunk/aclocal.m4 trunk/compile (with props) trunk/config.h.in trunk/configure (with props) trunk/configure.ac trunk/depcomp (with props) trunk/doc/ trunk/doc/CVS/ trunk/doc/CVS/Entries trunk/doc/CVS/Repository trunk/doc/CVS/Root trunk/doc/CVS/Tag trunk/doc/CVS/Template trunk/doc/FAQ/ trunk/doc/FAQ/CVS/ trunk/doc/FAQ/CVS/Entries trunk/doc/FAQ/CVS/Repository trunk/doc/FAQ/CVS/Root trunk/doc/FAQ/CVS/Tag trunk/doc/FAQ/CVS/Template trunk/doc/FAQ/LIDS-FAQ.html trunk/doc/FAQ/LIDS-FAQ.txt trunk/doc/Learning_mode.FAQ trunk/doc/NETFILTER_LIDS.miniHOWTO trunk/doc/README trunk/doc/Stateful_acl.FAQ trunk/doc/WHAT_IS_NEW_IN_LIDS_2.2 trunk/doc/acl_discovery/ trunk/doc/acl_discovery.FAQ trunk/doc/acl_discovery/CVS/ trunk/doc/acl_discovery/CVS/Entries trunk/doc/acl_discovery/CVS/Repository trunk/doc/acl_discovery/CVS/Root trunk/doc/acl_discovery/CVS/Tag trunk/doc/acl_discovery/CVS/Template trunk/doc/acl_discovery/acl_discovery.FAQ trunk/doc/acl_discovery/lids_acl_discovery.pl trunk/doc/inherit_level trunk/doc/lids_prevent_worm/ trunk/doc/lids_prevent_worm/CVS/ trunk/doc/lids_prevent_worm/CVS/Entries trunk/doc/lids_prevent_worm/CVS/Repository trunk/doc/lids_prevent_worm/CVS/Root trunk/doc/lids_prevent_worm/CVS/Tag trunk/doc/lids_prevent_worm/CVS/Template trunk/doc/lids_prevent_worm/lids_worm.ps trunk/doc/lids_prevent_worm/lids_worm.sgml trunk/doc/lids_prevent_worm/lids_worm.txt trunk/doc/secure_channel trunk/example/ trunk/example/CVS/ trunk/example/CVS/Entries trunk/example/CVS/Repository trunk/example/CVS/Root trunk/example/CVS/Tag trunk/example/CVS/Template trunk/example/README trunk/example/lids.acl.sh trunk/example/lids.boot.cap trunk/example/lids.boot.conf trunk/example/lids.cap trunk/example/lids.conf trunk/example/lids.conf.2.5 
trunk/example/lids.ini trunk/example/lids.net trunk/example/lids.postboot.cap trunk/example/lids.postboot.conf trunk/example/lids.pw trunk/example/lids.shutdown.cap trunk/example/lids.shutdown.conf trunk/example/up.pl (with props) trunk/install-sh (with props) trunk/missing (with props) trunk/mkinstalldirs (with props) trunk/src/ trunk/src/ChangeLog trunk/src/Makefile.am trunk/src/Makefile.in trunk/src/README trunk/src/kernel_inc.h trunk/src/lids_capflag.c trunk/src/lids_capflag.h trunk/src/lidsadm.8 trunk/src/lidsadm.c trunk/src/lidsconf.8 trunk/src/lidsconf.c trunk/src/lidsif.h trunk/src/lidstools.h trunk/src/read_pw.c trunk/src/sha256.c trunk/src/time.c |
From: <no...@ro...> - 2005-12-28 21:25:20
Author: roedie Date: Wed Dec 28 22:25:10 2005 New Revision: 449 Log: test commit Modified: trunk/html/testfile Modified: trunk/html/testfile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D --- trunk/html/testfile (original) +++ trunk/html/testfile Wed Dec 28 22:25:10 2005 @@ -1,3 +1,5 @@ And just another commit =20 And even more commits + +And even more.... |
From: <no...@ro...> - 2005-12-28 21:08:27
Author: roedie Date: Wed Dec 28 22:05:47 2005 New Revision: 447 Log: Right, lets commit again.... Modified: trunk/html/testfile Modified: trunk/html/testfile =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D
--- trunk/html/testfile (original)
+++ trunk/html/testfile Wed Dec 28 22:05:47 2005
@@ -1,1 +1,1 @@
-blha
+And just another commit |