1 /* 2 * Linux Security plug 3 * 4 * Copyright (C) 2001 WireX Communications, Inc <[email protected]> 5 * Copyright (C) 2001 Greg Kroah-Hartman <[email protected]> 6 * Copyright (C) 2001 Networks Associates Technology, Inc <[email protected]> 7 * Copyright (C) 2001 James Morris <[email protected]> 8 * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group) 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License as published by 12 * the Free Software Foundation; either version 2 of the License, or 13 * (at your option) any later version. 14 * 15 * Due to this file being licensed under the GPL there is controversy over 16 * whether this permits you to write a module that #includes this file 17 * without placing your module under the GPL. Please consult a lawyer for 18 * advice before doing this. 19 * 20 */ 21 22 #ifndef __LINUX_SECURITY_H 23 #define __LINUX_SECURITY_H 24 25 #include <linux/fs.h> 26 #include <linux/binfmts.h> 27 #include <linux/signal.h> 28 #include <linux/resource.h> 29 #include <linux/sem.h> 30 #include <linux/shm.h> 31 #include <linux/msg.h> 32 #include <linux/sched.h> 33 34 struct ctl_table; 35 36 /* 37 * These functions are in security/capability.c and are used 38 * as the default capabilities functions 39 */ 40 extern int cap_capable (struct task_struct *tsk, int cap); 41 extern int cap_settime (struct timespec *ts, struct timezone *tz); 42 extern int cap_ptrace (struct task_struct *parent, struct task_struct *child); 43 extern int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 44 extern int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 45 extern void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 46 extern int cap_bprm_set_security (struct linux_binprm *bprm); 47 extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe); 48 extern int cap_bprm_secureexec(struct linux_binprm *bprm); 49 extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags); 50 extern int cap_inode_removexattr(struct dentry *dentry, char *name); 51 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); 52 extern void cap_task_reparent_to_init (struct task_struct *p); 53 extern int cap_syslog (int type); 54 extern int cap_vm_enough_memory (long pages); 55 56 struct msghdr; 57 struct sk_buff; 58 struct sock; 59 struct sockaddr; 60 struct socket; 61 62 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); 63 extern int cap_netlink_recv(struct sk_buff *skb); 64 65 /* 66 * Values used in the task_security_ops calls 67 */ 68 /* setuid or setgid, id0 == uid or gid */ 69 #define LSM_SETID_ID 1 70 71 /* setreuid or setregid, id0 == real, id1 == eff */ 72 #define LSM_SETID_RE 2 73 74 /* setresuid or setresgid, id0 == real, id1 == eff, uid2 == saved */ 75 #define LSM_SETID_RES 4 76 77 /* setfsuid or setfsgid, id0 == fsuid or fsgid */ 78 #define LSM_SETID_FS 8 79 80 /* forward declares to avoid warnings */ 81 struct nfsctl_arg; 82 struct sched_param; 83 struct swap_info_struct; 84 85 /* bprm_apply_creds unsafe reasons */ 86 #define LSM_UNSAFE_SHARE 1 87 #define LSM_UNSAFE_PTRACE 2 88 #define LSM_UNSAFE_PTRACE_CAP 4 89 90 #ifdef CONFIG_SECURITY 91 92 /** 93 * struct security_operations - main security structure 94 * 95 * Security hooks for program execution operations. 96 * 97 * @bprm_alloc_security: 98 * Allocate and attach a security structure to the @bprm->security field. 99 * The security field is initialized to NULL when the bprm structure is 100 * allocated. 101 * @bprm contains the linux_binprm structure to be modified. 102 * Return 0 if operation was successful. 103 * @bprm_free_security: 104 * @bprm contains the linux_binprm structure to be modified. 105 * Deallocate and clear the @bprm->security field. 106 * @bprm_apply_creds: 107 * Compute and set the security attributes of a process being transformed 108 * by an execve operation based on the old attributes (current->security) 109 * and the information saved in @bprm->security by the set_security hook. 110 * Since this hook function (and its caller) are void, this hook can not 111 * return an error. However, it can leave the security attributes of the 112 * process unchanged if an access failure occurs at this point. 113 * bprm_apply_creds is called under task_lock. @unsafe indicates various 114 * reasons why it may be unsafe to change security state. 115 * @bprm contains the linux_binprm structure. 116 * @bprm_post_apply_creds: 117 * Runs after bprm_apply_creds with the task_lock dropped, so that 118 * functions which cannot be called safely under the task_lock can 119 * be used. This hook is a good place to perform state changes on 120 * the process such as closing open file descriptors to which access 121 * is no longer granted if the attributes were changed. 122 * Note that a security module might need to save state between 123 * bprm_apply_creds and bprm_post_apply_creds to store the decision 124 * on whether the process may proceed. 125 * @bprm contains the linux_binprm structure. 126 * @bprm_set_security: 127 * Save security information in the bprm->security field, typically based 128 * on information about the bprm->file, for later use by the apply_creds 129 * hook. This hook may also optionally check permissions (e.g. for 130 * transitions between security domains). 131 * This hook may be called multiple times during a single execve, e.g. for 132 * interpreters. The hook can tell whether it has already been called by 133 * checking to see if @bprm->security is non-NULL. If so, then the hook 134 * may decide either to retain the security information saved earlier or 135 * to replace it. 136 * @bprm contains the linux_binprm structure. 137 * Return 0 if the hook is successful and permission is granted. 138 * @bprm_check_security: 139 * This hook mediates the point when a search for a binary handler will 140 * begin. It allows a check the @bprm->security value which is set in 141 * the preceding set_security call. The primary difference from 142 * set_security is that the argv list and envp list are reliably 143 * available in @bprm. This hook may be called multiple times 144 * during a single execve; and in each pass set_security is called 145 * first. 146 * @bprm contains the linux_binprm structure. 147 * Return 0 if the hook is successful and permission is granted. 148 * @bprm_secureexec: 149 * Return a boolean value (0 or 1) indicating whether a "secure exec" 150 * is required. The flag is passed in the auxiliary table 151 * on the initial stack to the ELF interpreter to indicate whether libc 152 * should enable secure mode. 153 * @bprm contains the linux_binprm structure. 154 * 155 * Security hooks for filesystem operations. 156 * 157 * @sb_alloc_security: 158 * Allocate and attach a security structure to the sb->s_security field. 159 * The s_security field is initialized to NULL when the structure is 160 * allocated. 161 * @sb contains the super_block structure to be modified. 162 * Return 0 if operation was successful. 163 * @sb_free_security: 164 * Deallocate and clear the sb->s_security field. 165 * @sb contains the super_block structure to be modified. 166 * @sb_statfs: 167 * Check permission before obtaining filesystem statistics for the @sb 168 * filesystem. 169 * @sb contains the super_block structure for the filesystem. 170 * Return 0 if permission is granted. 171 * @sb_mount: 172 * Check permission before an object specified by @dev_name is mounted on 173 * the mount point named by @nd. For an ordinary mount, @dev_name 174 * identifies a device if the file system type requires a device. For a 175 * remount (@flags & MS_REMOUNT), @dev_name is irrelevant. For a 176 * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the 177 * pathname of the object being mounted. 178 * @dev_name contains the name for object being mounted. 179 * @nd contains the nameidata structure for mount point object. 180 * @type contains the filesystem type. 181 * @flags contains the mount flags. 182 * @data contains the filesystem-specific data. 183 * Return 0 if permission is granted. 184 * @sb_copy_data: 185 * Allow mount option data to be copied prior to parsing by the filesystem, 186 * so that the security module can extract security-specific mount 187 * options cleanly (a filesystem may modify the data e.g. with strsep()). 188 * This also allows the original mount data to be stripped of security- 189 * specific options to avoid having to make filesystems aware of them. 190 * @type the type of filesystem being mounted. 191 * @orig the original mount data copied from userspace. 192 * @copy copied data which will be passed to the security module. 193 * Returns 0 if the copy was successful. 194 * @sb_check_sb: 195 * Check permission before the device with superblock @mnt->sb is mounted 196 * on the mount point named by @nd. 197 * @mnt contains the vfsmount for device being mounted. 198 * @nd contains the nameidata object for the mount point. 199 * Return 0 if permission is granted. 200 * @sb_umount: 201 * Check permission before the @mnt file system is unmounted. 202 * @mnt contains the mounted file system. 203 * @flags contains the unmount flags, e.g. MNT_FORCE. 204 * Return 0 if permission is granted. 205 * @sb_umount_close: 206 * Close any files in the @mnt mounted filesystem that are held open by 207 * the security module. This hook is called during an umount operation 208 * prior to checking whether the filesystem is still busy. 209 * @mnt contains the mounted filesystem. 210 * @sb_umount_busy: 211 * Handle a failed umount of the @mnt mounted filesystem, e.g. re-opening 212 * any files that were closed by umount_close. This hook is called during 213 * an umount operation if the umount fails after a call to the 214 * umount_close hook. 215 * @mnt contains the mounted filesystem. 216 * @sb_post_remount: 217 * Update the security module's state when a filesystem is remounted. 218 * This hook is only called if the remount was successful. 219 * @mnt contains the mounted file system. 220 * @flags contains the new filesystem flags. 221 * @data contains the filesystem-specific data. 222 * @sb_post_mountroot: 223 * Update the security module's state when the root filesystem is mounted. 224 * This hook is only called if the mount was successful. 225 * @sb_post_addmount: 226 * Update the security module's state when a filesystem is mounted. 227 * This hook is called any time a mount is successfully grafetd to 228 * the tree. 229 * @mnt contains the mounted filesystem. 230 * @mountpoint_nd contains the nameidata structure for the mount point. 231 * @sb_pivotroot: 232 * Check permission before pivoting the root filesystem. 233 * @old_nd contains the nameidata structure for the new location of the current root (put_old). 234 * @new_nd contains the nameidata structure for the new root (new_root). 235 * Return 0 if permission is granted. 236 * @sb_post_pivotroot: 237 * Update module state after a successful pivot. 238 * @old_nd contains the nameidata structure for the old root. 239 * @new_nd contains the nameidata structure for the new root. 240 * 241 * Security hooks for inode operations. 242 * 243 * @inode_alloc_security: 244 * Allocate and attach a security structure to @inode->i_security. The 245 * i_security field is initialized to NULL when the inode structure is 246 * allocated. 247 * @inode contains the inode structure. 248 * Return 0 if operation was successful. 249 * @inode_free_security: 250 * @inode contains the inode structure. 251 * Deallocate the inode security structure and set @inode->i_security to 252 * NULL. 253 * @inode_create: 254 * Check permission to create a regular file. 255 * @dir contains inode structure of the parent of the new file. 256 * @dentry contains the dentry structure for the file to be created. 257 * @mode contains the file mode of the file to be created. 258 * Return 0 if permission is granted. 259 * @inode_post_create: 260 * Set the security attributes on a newly created regular file. This hook 261 * is called after a file has been successfully created. 262 * @dir contains the inode structure of the parent directory of the new file. 263 * @dentry contains the the dentry structure for the newly created file. 264 * @mode contains the file mode. 265 * @inode_link: 266 * Check permission before creating a new hard link to a file. 267 * @old_dentry contains the dentry structure for an existing link to the file. 268 * @dir contains the inode structure of the parent directory of the new link. 269 * @new_dentry contains the dentry structure for the new link. 270 * Return 0 if permission is granted. 271 * @inode_post_link: 272 * Set security attributes for a new hard link to a file. 273 * @old_dentry contains the dentry structure for the existing link. 274 * @dir contains the inode structure of the parent directory of the new file. 275 * @new_dentry contains the dentry structure for the new file link. 276 * @inode_unlink: 277 * Check the permission to remove a hard link to a file. 278 * @dir contains the inode structure of parent directory of the file. 279 * @dentry contains the dentry structure for file to be unlinked. 280 * Return 0 if permission is granted. 281 * @inode_symlink: 282 * Check the permission to create a symbolic link to a file. 283 * @dir contains the inode structure of parent directory of the symbolic link. 284 * @dentry contains the dentry structure of the symbolic link. 285 * @old_name contains the pathname of file. 286 * Return 0 if permission is granted. 287 * @inode_post_symlink: 288 * @dir contains the inode structure of the parent directory of the new link. 289 * @dentry contains the dentry structure of new symbolic link. 290 * @old_name contains the pathname of file. 291 * Set security attributes for a newly created symbolic link. Note that 292 * @dentry->d_inode may be NULL, since the filesystem might not 293 * instantiate the dentry (e.g. NFS). 294 * @inode_mkdir: 295 * Check permissions to create a new directory in the existing directory 296 * associated with inode strcture @dir. 297 * @dir containst the inode structure of parent of the directory to be created. 298 * @dentry contains the dentry structure of new directory. 299 * @mode contains the mode of new directory. 300 * Return 0 if permission is granted. 301 * @inode_post_mkdir: 302 * Set security attributes on a newly created directory. 303 * @dir contains the inode structure of parent of the directory to be created. 304 * @dentry contains the dentry structure of new directory. 305 * @mode contains the mode of new directory. 306 * @inode_rmdir: 307 * Check the permission to remove a directory. 308 * @dir contains the inode structure of parent of the directory to be removed. 309 * @dentry contains the dentry structure of directory to be removed. 310 * Return 0 if permission is granted. 311 * @inode_mknod: 312 * Check permissions when creating a special file (or a socket or a fifo 313 * file created via the mknod system call). Note that if mknod operation 314 * is being done for a regular file, then the create hook will be called 315 * and not this hook. 316 * @dir contains the inode structure of parent of the new file. 317 * @dentry contains the dentry structure of the new file. 318 * @mode contains the mode of the new file. 319 * @dev contains the the device number. 320 * Return 0 if permission is granted. 321 * @inode_post_mknod: 322 * Set security attributes on a newly created special file (or socket or 323 * fifo file created via the mknod system call). 324 * @dir contains the inode structure of parent of the new node. 325 * @dentry contains the dentry structure of the new node. 326 * @mode contains the mode of the new node. 327 * @dev contains the the device number. 328 * @inode_rename: 329 * Check for permission to rename a file or directory. 330 * @old_dir contains the inode structure for parent of the old link. 331 * @old_dentry contains the dentry structure of the old link. 332 * @new_dir contains the inode structure for parent of the new link. 333 * @new_dentry contains the dentry structure of the new link. 334 * Return 0 if permission is granted. 335 * @inode_post_rename: 336 * Set security attributes on a renamed file or directory. 337 * @old_dir contains the inode structure for parent of the old link. 338 * @old_dentry contains the dentry structure of the old link. 339 * @new_dir contains the inode structure for parent of the new link. 340 * @new_dentry contains the dentry structure of the new link. 341 * @inode_readlink: 342 * Check the permission to read the symbolic link. 343 * @dentry contains the dentry structure for the file link. 344 * Return 0 if permission is granted. 345 * @inode_follow_link: 346 * Check permission to follow a symbolic link when looking up a pathname. 347 * @dentry contains the dentry structure for the link. 348 * @nd contains the nameidata structure for the parent directory. 349 * Return 0 if permission is granted. 350 * @inode_permission: 351 * Check permission before accessing an inode. This hook is called by the 352 * existing Linux permission function, so a security module can use it to 353 * provide additional checking for existing Linux permission checks. 354 * Notice that this hook is called when a file is opened (as well as many 355 * other operations), whereas the file_security_ops permission hook is 356 * called when the actual read/write operations are performed. 357 * @inode contains the inode structure to check. 358 * @mask contains the permission mask. 359 * @nd contains the nameidata (may be NULL). 360 * Return 0 if permission is granted. 361 * @inode_setattr: 362 * Check permission before setting file attributes. Note that the kernel 363 * call to notify_change is performed from several locations, whenever 364 * file attributes change (such as when a file is truncated, chown/chmod 365 * operations, transferring disk quotas, etc). 366 * @dentry contains the dentry structure for the file. 367 * @attr is the iattr structure containing the new file attributes. 368 * Return 0 if permission is granted. 369 * @inode_getattr: 370 * Check permission before obtaining file attributes. 371 * @mnt is the vfsmount where the dentry was looked up 372 * @dentry contains the dentry structure for the file. 373 * Return 0 if permission is granted. 374 * @inode_delete: 375 * @inode contains the inode structure for deleted inode. 376 * This hook is called when a deleted inode is released (i.e. an inode 377 * with no hard links has its use count drop to zero). A security module 378 * can use this hook to release any persistent label associated with the 379 * inode. 380 * @inode_setxattr: 381 * Check permission before setting the extended attributes 382 * @value identified by @name for @dentry. 383 * Return 0 if permission is granted. 384 * @inode_post_setxattr: 385 * Update inode security field after successful setxattr operation. 386 * @value identified by @name for @dentry. 387 * @inode_getxattr: 388 * Check permission before obtaining the extended attributes 389 * identified by @name for @dentry. 390 * Return 0 if permission is granted. 391 * @inode_listxattr: 392 * Check permission before obtaining the list of extended attribute 393 * names for @dentry. 394 * Return 0 if permission is granted. 395 * @inode_removexattr: 396 * Check permission before removing the extended attribute 397 * identified by @name for @dentry. 398 * Return 0 if permission is granted. 399 * @inode_getsecurity: 400 * Copy the extended attribute representation of the security label 401 * associated with @name for @inode into @buffer. @buffer may be 402 * NULL to request the size of the buffer required. @size indicates 403 * the size of @buffer in bytes. Note that @name is the remainder 404 * of the attribute name after the security. prefix has been removed. 405 * Return number of bytes used/required on success. 406 * @inode_setsecurity: 407 * Set the security label associated with @name for @inode from the 408 * extended attribute value @value. @size indicates the size of the 409 * @value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0. 410 * Note that @name is the remainder of the attribute name after the 411 * security. prefix has been removed. 412 * Return 0 on success. 413 * @inode_listsecurity: 414 * Copy the extended attribute names for the security labels 415 * associated with @inode into @buffer. The maximum size of @buffer 416 * is specified by @buffer_size. @buffer may be NULL to request 417 * the size of the buffer required. 418 * Returns number of bytes used/required on success. 419 * 420 * Security hooks for file operations 421 * 422 * @file_permission: 423 * Check file permissions before accessing an open file. This hook is 424 * called by various operations that read or write files. A security 425 * module can use this hook to perform additional checking on these 426 * operations, e.g. to revalidate permissions on use to support privilege 427 * bracketing or policy changes. Notice that this hook is used when the 428 * actual read/write operations are performed, whereas the 429 * inode_security_ops hook is called when a file is opened (as well as 430 * many other operations). 431 * Caveat: Although this hook can be used to revalidate permissions for 432 * various system call operations that read or write files, it does not 433 * address the revalidation of permissions for memory-mapped files. 434 * Security modules must handle this separately if they need such 435 * revalidation. 436 * @file contains the file structure being accessed. 437 * @mask contains the requested permissions. 438 * Return 0 if permission is granted. 439 * @file_alloc_security: 440 * Allocate and attach a security structure to the file->f_security field. 441 * The security field is initialized to NULL when the structure is first 442 * created. 443 * @file contains the file structure to secure. 444 * Return 0 if the hook is successful and permission is granted. 445 * @file_free_security: 446 * Deallocate and free any security structures stored in file->f_security. 447 * @file contains the file structure being modified. 448 * @file_ioctl: 449 * @file contains the file structure. 450 * @cmd contains the operation to perform. 451 * @arg contains the operational arguments. 452 * Check permission for an ioctl operation on @file. Note that @arg can 453 * sometimes represents a user space pointer; in other cases, it may be a 454 * simple integer value. When @arg represents a user space pointer, it 455 * should never be used by the security module. 456 * Return 0 if permission is granted. 457 * @file_mmap : 458 * Check permissions for a mmap operation. The @file may be NULL, e.g. 459 * if mapping anonymous memory. 460 * @file contains the file structure for file to map (may be NULL). 461 * @reqprot contains the protection requested by the application. 462 * @prot contains the protection that will be applied by the kernel. 463 * @flags contains the operational flags. 464 * Return 0 if permission is granted. 465 * @file_mprotect: 466 * Check permissions before changing memory access permissions. 467 * @vma contains the memory region to modify. 468 * @reqprot contains the protection requested by the application. 469 * @prot contains the protection that will be applied by the kernel. 470 * Return 0 if permission is granted. 471 * @file_lock: 472 * Check permission before performing file locking operations. 473 * Note: this hook mediates both flock and fcntl style locks. 474 * @file contains the file structure. 475 * @cmd contains the posix-translated lock operation to perform 476 * (e.g. F_RDLCK, F_WRLCK). 477 * Return 0 if permission is granted. 478 * @file_fcntl: 479 * Check permission before allowing the file operation specified by @cmd 480 * from being performed on the file @file. Note that @arg can sometimes 481 * represents a user space pointer; in other cases, it may be a simple 482 * integer value. When @arg represents a user space pointer, it should 483 * never be used by the security module. 484 * @file contains the file structure. 485 * @cmd contains the operation to be performed. 486 * @arg contains the operational arguments. 487 * Return 0 if permission is granted. 488 * @file_set_fowner: 489 * Save owner security information (typically from current->security) in 490 * file->f_security for later use by the send_sigiotask hook. 491 * @file contains the file structure to update. 492 * Return 0 on success. 493 * @file_send_sigiotask: 494 * Check permission for the file owner @fown to send SIGIO or SIGURG to the 495 * process @tsk. Note that this hook is sometimes called from interrupt. 496 * Note that the fown_struct, @fown, is never outside the context of a 497 * struct file, so the file structure (and associated security information) 498 * can always be obtained: 499 * (struct file *)((long)fown - offsetof(struct file,f_owner)); 500 * @tsk contains the structure of task receiving signal. 501 * @fown contains the file owner information. 502 * @sig is the signal that will be sent. When 0, kernel sends SIGIO. 503 * Return 0 if permission is granted. 504 * @file_receive: 505 * This hook allows security modules to control the ability of a process 506 * to receive an open file descriptor via socket IPC. 507 * @file contains the file structure being received. 508 * Return 0 if permission is granted. 509 * 510 * Security hooks for task operations. 511 * 512 * @task_create: 513 * Check permission before creating a child process. See the clone(2) 514 * manual page for definitions of the @clone_flags. 515 * @clone_flags contains the flags indicating what should be shared. 516 * Return 0 if permission is granted. 517 * @task_alloc_security: 518 * @p contains the task_struct for child process. 519 * Allocate and attach a security structure to the p->security field. The 520 * security field is initialized to NULL when the task structure is 521 * allocated. 522 * Return 0 if operation was successful. 523 * @task_free_security: 524 * @p contains the task_struct for process. 525 * Deallocate and clear the p->security field. 526 * @task_setuid: 527 * Check permission before setting one or more of the user identity 528 * attributes of the current process. The @flags parameter indicates 529 * which of the set*uid system calls invoked this hook and how to 530 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 531 * definitions at the beginning of this file for the @flags values and 532 * their meanings. 533 * @id0 contains a uid. 534 * @id1 contains a uid. 535 * @id2 contains a uid. 536 * @flags contains one of the LSM_SETID_* values. 537 * Return 0 if permission is granted. 538 * @task_post_setuid: 539 * Update the module's state after setting one or more of the user 540 * identity attributes of the current process. The @flags parameter 541 * indicates which of the set*uid system calls invoked this hook. If 542 * @flags is LSM_SETID_FS, then @old_ruid is the old fs uid and the other 543 * parameters are not used. 544 * @old_ruid contains the old real uid (or fs uid if LSM_SETID_FS). 545 * @old_euid contains the old effective uid (or -1 if LSM_SETID_FS). 546 * @old_suid contains the old saved uid (or -1 if LSM_SETID_FS). 547 * @flags contains one of the LSM_SETID_* values. 548 * Return 0 on success. 549 * @task_setgid: 550 * Check permission before setting one or more of the group identity 551 * attributes of the current process. The @flags parameter indicates 552 * which of the set*gid system calls invoked this hook and how to 553 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 554 * definitions at the beginning of this file for the @flags values and 555 * their meanings. 556 * @id0 contains a gid. 557 * @id1 contains a gid. 558 * @id2 contains a gid. 559 * @flags contains one of the LSM_SETID_* values. 560 * Return 0 if permission is granted. 561 * @task_setpgid: 562 * Check permission before setting the process group identifier of the 563 * process @p to @pgid. 564 * @p contains the task_struct for process being modified. 565 * @pgid contains the new pgid. 566 * Return 0 if permission is granted. 567 * @task_getpgid: 568 * Check permission before getting the process group identifier of the 569 * process @p. 570 * @p contains the task_struct for the process. 571 * Return 0 if permission is granted. 572 * @task_getsid: 573 * Check permission before getting the session identifier of the process 574 * @p. 575 * @p contains the task_struct for the process. 576 * Return 0 if permission is granted. 577 * @task_setgroups: 578 * Check permission before setting the supplementary group set of the 579 * current process. 580 * @group_info contains the new group information. 581 * Return 0 if permission is granted. 582 * @task_setnice: 583 * Check permission before setting the nice value of @p to @nice. 584 * @p contains the task_struct of process. 585 * @nice contains the new nice value. 586 * Return 0 if permission is granted. 587 * @task_setrlimit: 588 * Check permission before setting the resource limits of the current 589 * process for @resource to @new_rlim. The old resource limit values can 590 * be examined by dereferencing (current->signal->rlim + resource). 591 * @resource contains the resource whose limit is being set. 592 * @new_rlim contains the new limits for @resource. 593 * Return 0 if permission is granted. 594 * @task_setscheduler: 595 * Check permission before setting scheduling policy and/or parameters of 596 * process @p based on @policy and @lp. 597 * @p contains the task_struct for process. 598 * @policy contains the scheduling policy. 599 * @lp contains the scheduling parameters. 600 * Return 0 if permission is granted. 601 * @task_getscheduler: 602 * Check permission before obtaining scheduling information for process 603 * @p. 604 * @p contains the task_struct for process. 605 * Return 0 if permission is granted. 606 * @task_kill: 607 * Check permission before sending signal @sig to @p. @info can be NULL, 608 * the constant 1, or a pointer to a siginfo structure. If @info is 1 or 609 * SI_FROMKERNEL(info) is true, then the signal should be viewed as coming 610 * from the kernel and should typically be permitted. 611 * SIGIO signals are handled separately by the send_sigiotask hook in 612 * file_security_ops. 613 * @p contains the task_struct for process. 614 * @info contains the signal information. 615 * @sig contains the signal value. 616 * Return 0 if permission is granted. 617 * @task_wait: 618 * Check permission before allowing a process to reap a child process @p 619 * and collect its status information. 620 * @p contains the task_struct for process. 621 * Return 0 if permission is granted. 622 * @task_prctl: 623 * Check permission before performing a process control operation on the 624 * current process. 625 * @option contains the operation. 626 * @arg2 contains a argument. 627 * @arg3 contains a argument. 628 * @arg4 contains a argument. 629 * @arg5 contains a argument. 630 * Return 0 if permission is granted. 631 * @task_reparent_to_init: 632 * Set the security attributes in @p->security for a kernel thread that 633 * is being reparented to the init task. 634 * @p contains the task_struct for the kernel thread. 635 * @task_to_inode: 636 * Set the security attributes for an inode based on an associated task's 637 * security attributes, e.g. for /proc/pid inodes. 638 * @p contains the task_struct for the task. 639 * @inode contains the inode structure for the inode. 640 * 641 * Security hooks for Netlink messaging. 642 * 643 * @netlink_send: 644 * Save security information for a netlink message so that permission 645 * checking can be performed when the message is processed. The security 646 * information can be saved using the eff_cap field of the 647 * netlink_skb_parms structure. Also may be used to provide fine 648 * grained control over message transmission. 649 * @sk associated sock of task sending the message., 650 * @skb contains the sk_buff structure for the netlink message. 651 * Return 0 if the information was successfully saved and message 652 * is allowed to be transmitted. 653 * @netlink_recv: 654 * Check permission before processing the received netlink message in 655 * @skb. 656 * @skb contains the sk_buff structure for the netlink message. 657 * Return 0 if permission is granted. 658 * 659 * Security hooks for Unix domain networking. 660 * 661 * @unix_stream_connect: 662 * Check permissions before establishing a Unix domain stream connection 663 * between @sock and @other. 664 * @sock contains the socket structure. 665 * @other contains the peer socket structure. 666 * Return 0 if permission is granted. 667 * @unix_may_send: 668 * Check permissions before connecting or sending datagrams from @sock to 669 * @other. 670 * @sock contains the socket structure. 671 * @sock contains the peer socket structure. 672 * Return 0 if permission is granted. 673 * 674 * The @unix_stream_connect and @unix_may_send hooks were necessary because 675 * Linux provides an alternative to the conventional file name space for Unix 676 * domain sockets. Whereas binding and connecting to sockets in the file name 677 * space is mediated by the typical file permissions (and caught by the mknod 678 * and permission hooks in inode_security_ops), binding and connecting to 679 * sockets in the abstract name space is completely unmediated. Sufficient 680 * control of Unix domain sockets in the abstract name space isn't possible 681 * using only the socket layer hooks, since we need to know the actual target 682 * socket, which is not looked up until we are inside the af_unix code. 683 * 684 * Security hooks for socket operations. 685 * 686 * @socket_create: 687 * Check permissions prior to creating a new socket. 688 * @family contains the requested protocol family. 689 * @type contains the requested communications type. 690 * @protocol contains the requested protocol. 691 * @kern set to 1 if a kernel socket. 692 * Return 0 if permission is granted. 693 * @socket_post_create: 694 * This hook allows a module to update or allocate a per-socket security 695 * structure. Note that the security field was not added directly to the 696 * socket structure, but rather, the socket security information is stored 697 * in the associated inode. Typically, the inode alloc_security hook will 698 * allocate and and attach security information to 699 * sock->inode->i_security. This hook may be used to update the 700 * sock->inode->i_security field with additional information that wasn't 701 * available when the inode was allocated. 702 * @sock contains the newly created socket structure. 703 * @family contains the requested protocol family. 704 * @type contains the requested communications type. 705 * @protocol contains the requested protocol. 706 * @kern set to 1 if a kernel socket. 707 * @socket_bind: 708 * Check permission before socket protocol layer bind operation is 709 * performed and the socket @sock is bound to the address specified in the 710 * @address parameter. 711 * @sock contains the socket structure. 712 * @address contains the address to bind to. 713 * @addrlen contains the length of address. 714 * Return 0 if permission is granted. 715 * @socket_connect: 716 * Check permission before socket protocol layer connect operation 717 * attempts to connect socket @sock to a remote address, @address. 718 * @sock contains the socket structure. 719 * @address contains the address of remote endpoint. 720 * @addrlen contains the length of address. 721 * Return 0 if permission is granted. 722 * @socket_listen: 723 * Check permission before socket protocol layer listen operation. 724 * @sock contains the socket structure. 725 * @backlog contains the maximum length for the pending connection queue. 726 * Return 0 if permission is granted. 727 * @socket_accept: 728 * Check permission before accepting a new connection. Note that the new 729 * socket, @newsock, has been created and some information copied to it, 730 * but the accept operation has not actually been performed. 731 * @sock contains the listening socket structure. 732 * @newsock contains the newly created server socket for connection. 733 * Return 0 if permission is granted. 734 * @socket_post_accept: 735 * This hook allows a security module to copy security 736 * information into the newly created socket's inode. 737 * @sock contains the listening socket structure. 738 * @newsock contains the newly created server socket for connection. 739 * @socket_sendmsg: 740 * Check permission before transmitting a message to another socket. 741 * @sock contains the socket structure. 742 * @msg contains the message to be transmitted. 743 * @size contains the size of message. 744 * Return 0 if permission is granted. 745 * @socket_recvmsg: 746 * Check permission before receiving a message from a socket. 747 * @sock contains the socket structure. 748 * @msg contains the message structure. 749 * @size contains the size of message structure. 750 * @flags contains the operational flags. 751 * Return 0 if permission is granted. 752 * @socket_getsockname: 753 * Check permission before the local address (name) of the socket object 754 * @sock is retrieved. 755 * @sock contains the socket structure. 756 * Return 0 if permission is granted. 757 * @socket_getpeername: 758 * Check permission before the remote address (name) of a socket object 759 * @sock is retrieved. 760 * @sock contains the socket structure. 761 * Return 0 if permission is granted. 762 * @socket_getsockopt: 763 * Check permissions before retrieving the options associated with socket 764 * @sock. 765 * @sock contains the socket structure. 766 * @level contains the protocol level to retrieve option from. 767 * @optname contains the name of option to retrieve. 768 * Return 0 if permission is granted. 769 * @socket_setsockopt: 770 * Check permissions before setting the options associated with socket 771 * @sock. 772 * @sock contains the socket structure. 773 * @level contains the protocol level to set options for. 774 * @optname contains the name of the option to set. 775 * Return 0 if permission is granted. 776 * @socket_shutdown: 777 * Checks permission before all or part of a connection on the socket 778 * @sock is shut down. 779 * @sock contains the socket structure. 780 * @how contains the flag indicating how future sends and receives are handled. 781 * Return 0 if permission is granted. 782 * @socket_sock_rcv_skb: 783 * Check permissions on incoming network packets. This hook is distinct 784 * from Netfilter's IP input hooks since it is the first time that the 785 * incoming sk_buff @skb has been associated with a particular socket, @sk. 786 * @sk contains the sock (not socket) associated with the incoming sk_buff. 787 * @skb contains the incoming network data. 788 * @socket_getpeersec: 789 * This hook allows the security module to provide peer socket security 790 * state to userspace via getsockopt SO_GETPEERSEC. 791 * @sock is the local socket. 792 * @optval userspace memory where the security state is to be copied. 793 * @optlen userspace int where the module should copy the actual length 794 * of the security state. 795 * @len as input is the maximum length to copy to userspace provided 796 * by the caller. 797 * Return 0 if all is well, otherwise, typical getsockopt return 798 * values. 799 * @sk_alloc_security: 800 * Allocate and attach a security structure to the sk->sk_security field, 801 * which is used to copy security attributes between local stream sockets. 802 * @sk_free_security: 803 * Deallocate security structure. 804 * 805 * Security hooks affecting all System V IPC operations. 806 * 807 * @ipc_permission: 808 * Check permissions for access to IPC 809 * @ipcp contains the kernel IPC permission structure 810 * @flag contains the desired (requested) permission set 811 * Return 0 if permission is granted. 812 * 813 * Security hooks for individual messages held in System V IPC message queues 814 * @msg_msg_alloc_security: 815 * Allocate and attach a security structure to the msg->security field. 816 * The security field is initialized to NULL when the structure is first 817 * created. 818 * @msg contains the message structure to be modified. 819 * Return 0 if operation was successful and permission is granted. 820 * @msg_msg_free_security: 821 * Deallocate the security structure for this message. 822 * @msg contains the message structure to be modified. 823 * 824 * Security hooks for System V IPC Message Queues 825 * 826 * @msg_queue_alloc_security: 827 * Allocate and attach a security structure to the 828 * msq->q_perm.security field. The security field is initialized to 829 * NULL when the structure is first created. 830 * @msq contains the message queue structure to be modified. 831 * Return 0 if operation was successful and permission is granted. 832 * @msg_queue_free_security: 833 * Deallocate security structure for this message queue. 834 * @msq contains the message queue structure to be modified. 835 * @msg_queue_associate: 836 * Check permission when a message queue is requested through the 837 * msgget system call. This hook is only called when returning the 838 * message queue identifier for an existing message queue, not when a 839 * new message queue is created. 840 * @msq contains the message queue to act upon. 841 * @msqflg contains the operation control flags. 842 * Return 0 if permission is granted. 843 * @msg_queue_msgctl: 844 * Check permission when a message control operation specified by @cmd 845 * is to be performed on the message queue @msq. 846 * The @msq may be NULL, e.g. for IPC_INFO or MSG_INFO. 847 * @msq contains the message queue to act upon. May be NULL. 848 * @cmd contains the operation to be performed. 849 * Return 0 if permission is granted. 850 * @msg_queue_msgsnd: 851 * Check permission before a message, @msg, is enqueued on the message 852 * queue, @msq. 853 * @msq contains the message queue to send message to. 854 * @msg contains the message to be enqueued. 855 * @msqflg contains operational flags. 856 * Return 0 if permission is granted. 857 * @msg_queue_msgrcv: 858 * Check permission before a message, @msg, is removed from the message 859 * queue, @msq. The @target task structure contains a pointer to the 860 * process that will be receiving the message (not equal to the current 861 * process when inline receives are being performed). 862 * @msq contains the message queue to retrieve message from. 863 * @msg contains the message destination. 864 * @target contains the task structure for recipient process. 865 * @type contains the type of message requested. 866 * @mode contains the operational flags. 867 * Return 0 if permission is granted. 868 * 869 * Security hooks for System V Shared Memory Segments 870 * 871 * @shm_alloc_security: 872 * Allocate and attach a security structure to the shp->shm_perm.security 873 * field. The security field is initialized to NULL when the structure is 874 * first created. 875 * @shp contains the shared memory structure to be modified. 876 * Return 0 if operation was successful and permission is granted. 877 * @shm_free_security: 878 * Deallocate the security struct for this memory segment. 879 * @shp contains the shared memory structure to be modified. 880 * @shm_associate: 881 * Check permission when a shared memory region is requested through the 882 * shmget system call. This hook is only called when returning the shared 883 * memory region identifier for an existing region, not when a new shared 884 * memory region is created. 885 * @shp contains the shared memory structure to be modified. 886 * @shmflg contains the operation control flags. 887 * Return 0 if permission is granted. 888 * @shm_shmctl: 889 * Check permission when a shared memory control operation specified by 890 * @cmd is to be performed on the shared memory region @shp. 891 * The @shp may be NULL, e.g. for IPC_INFO or SHM_INFO. 892 * @shp contains shared memory structure to be modified. 893 * @cmd contains the operation to be performed. 894 * Return 0 if permission is granted. 895 * @shm_shmat: 896 * Check permissions prior to allowing the shmat system call to attach the 897 * shared memory segment @shp to the data segment of the calling process. 898 * The attaching address is specified by @shmaddr. 899 * @shp contains the shared memory structure to be modified. 900 * @shmaddr contains the address to attach memory region to. 901 * @shmflg contains the operational flags. 902 * Return 0 if permission is granted. 903 * 904 * Security hooks for System V Semaphores 905 * 906 * @sem_alloc_security: 907 * Allocate and attach a security structure to the sma->sem_perm.security 908 * field. The security field is initialized to NULL when the structure is 909 * first created. 910 * @sma contains the semaphore structure 911 * Return 0 if operation was successful and permission is granted. 912 * @sem_free_security: 913 * deallocate security struct for this semaphore 914 * @sma contains the semaphore structure. 915 * @sem_associate: 916 * Check permission when a semaphore is requested through the semget 917 * system call. This hook is only called when returning the semaphore 918 * identifier for an existing semaphore, not when a new one must be 919 * created. 920 * @sma contains the semaphore structure. 921 * @semflg contains the operation control flags. 922 * Return 0 if permission is granted. 923 * @sem_semctl: 924 * Check permission when a semaphore operation specified by @cmd is to be 925 * performed on the semaphore @sma. The @sma may be NULL, e.g. for 926 * IPC_INFO or SEM_INFO. 927 * @sma contains the semaphore structure. May be NULL. 928 * @cmd contains the operation to be performed. 929 * Return 0 if permission is granted. 930 * @sem_semop 931 * Check permissions before performing operations on members of the 932 * semaphore set @sma. If the @alter flag is nonzero, the semaphore set 933 * may be modified. 934 * @sma contains the semaphore structure. 935 * @sops contains the operations to perform. 936 * @nsops contains the number of operations to perform. 937 * @alter contains the flag indicating whether changes are to be made. 938 * Return 0 if permission is granted. 939 * 940 * @ptrace: 941 * Check permission before allowing the @parent process to trace the 942 * @child process. 943 * Security modules may also want to perform a process tracing check 944 * during an execve in the set_security or apply_creds hooks of 945 * binprm_security_ops if the process is being traced and its security 946 * attributes would be changed by the execve. 947 * @parent contains the task_struct structure for parent process. 948 * @child contains the task_struct structure for child process. 949 * Return 0 if permission is granted. 950 * @capget: 951 * Get the @effective, @inheritable, and @permitted capability sets for 952 * the @target process. The hook may also perform permission checking to 953 * determine if the current process is allowed to see the capability sets 954 * of the @target process. 955 * @target contains the task_struct structure for target process. 956 * @effective contains the effective capability set. 957 * @inheritable contains the inheritable capability set. 958 * @permitted contains the permitted capability set. 959 * Return 0 if the capability sets were successfully obtained. 960 * @capset_check: 961 * Check permission before setting the @effective, @inheritable, and 962 * @permitted capability sets for the @target process. 963 * Caveat: @target is also set to current if a set of processes is 964 * specified (i.e. all processes other than current and init or a 965 * particular process group). Hence, the capset_set hook may need to 966 * revalidate permission to the actual target process. 967 * @target contains the task_struct structure for target process. 968 * @effective contains the effective capability set. 969 * @inheritable contains the inheritable capability set. 970 * @permitted contains the permitted capability set. 971 * Return 0 if permission is granted. 972 * @capset_set: 973 * Set the @effective, @inheritable, and @permitted capability sets for 974 * the @target process. Since capset_check cannot always check permission 975 * to the real @target process, this hook may also perform permission 976 * checking to determine if the current process is allowed to set the 977 * capability sets of the @target process. However, this hook has no way 978 * of returning an error due to the structure of the sys_capset code. 979 * @target contains the task_struct structure for target process. 980 * @effective contains the effective capability set. 981 * @inheritable contains the inheritable capability set. 982 * @permitted contains the permitted capability set. 983 * @acct: 984 * Check permission before enabling or disabling process accounting. If 985 * accounting is being enabled, then @file refers to the open file used to 986 * store accounting records. If accounting is being disabled, then @file 987 * is NULL. 988 * @file contains the file structure for the accounting file (may be NULL). 989 * Return 0 if permission is granted. 990 * @sysctl: 991 * Check permission before accessing the @table sysctl variable in the 992 * manner specified by @op. 993 * @table contains the ctl_table structure for the sysctl variable. 994 * @op contains the operation (001 = search, 002 = write, 004 = read). 995 * Return 0 if permission is granted. 996 * @capable: 997 * Check whether the @tsk process has the @cap capability. 998 * @tsk contains the task_struct for the process. 999 * @cap contains the capability <include/linux/capability.h>. 1000 * Return 0 if the capability is granted for @tsk. 1001 * @syslog: 1002 * Check permission before accessing the kernel message ring or changing 1003 * logging to the console. 1004 * See the syslog(2) manual page for an explanation of the @type values. 1005 * @type contains the type of action. 1006 * Return 0 if permission is granted. 1007 * @settime: 1008 * Check permission to change the system time. 1009 * struct timespec and timezone are defined in include/linux/time.h 1010 * @ts contains new time 1011 * @tz contains new timezone 1012 * Return 0 if permission is granted. 1013 * @vm_enough_memory: 1014 * Check permissions for allocating a new virtual mapping. 1015 * @pages contains the number of pages. 1016 * Return 0 if permission is granted. 1017 * 1018 * @register_security: 1019 * allow module stacking. 1020 * @name contains the name of the security module being stacked. 1021 * @ops contains a pointer to the struct security_operations of the module to stack. 1022 * @unregister_security: 1023 * remove a stacked module. 1024 * @name contains the name of the security module being unstacked. 1025 * @ops contains a pointer to the struct security_operations of the module to unstack. 1026 * 1027 * This is the main security structure. 1028 */ 1029 struct security_operations { 1030 int (*ptrace) (struct task_struct * parent, struct task_struct * child); 1031 int (*capget) (struct task_struct * target, 1032 kernel_cap_t * effective, 1033 kernel_cap_t * inheritable, kernel_cap_t * permitted); 1034 int (*capset_check) (struct task_struct * target, 1035 kernel_cap_t * effective, 1036 kernel_cap_t * inheritable, 1037 kernel_cap_t * permitted); 1038 void (*capset_set) (struct task_struct * target, 1039 kernel_cap_t * effective, 1040 kernel_cap_t * inheritable, 1041 kernel_cap_t * permitted); 1042 int (*acct) (struct file * file); 1043 int (*sysctl) (struct ctl_table * table, int op); 1044 int (*capable) (struct task_struct * tsk, int cap); 1045 int (*quotactl) (int cmds, int type, int id, struct super_block * sb); 1046 int (*quota_on) (struct dentry * dentry); 1047 int (*syslog) (int type); 1048 int (*settime) (struct timespec *ts, struct timezone *tz); 1049 int (*vm_enough_memory) (long pages); 1050 1051 int (*bprm_alloc_security) (struct linux_binprm * bprm); 1052 void (*bprm_free_security) (struct linux_binprm * bprm); 1053 void (*bprm_apply_creds) (struct linux_binprm * bprm, int unsafe); 1054 void (*bprm_post_apply_creds) (struct linux_binprm * bprm); 1055 int (*bprm_set_security) (struct linux_binprm * bprm); 1056 int (*bprm_check_security) (struct linux_binprm * bprm); 1057 int (*bprm_secureexec) (struct linux_binprm * bprm); 1058 1059 int (*sb_alloc_security) (struct super_block * sb); 1060 void (*sb_free_security) (struct super_block * sb); 1061 int (*sb_copy_data)(struct file_system_type *type, 1062 void *orig, void *copy); 1063 int (*sb_kern_mount) (struct super_block *sb, void *data); 1064 int (*sb_statfs) (struct super_block * sb); 1065 int (*sb_mount) (char *dev_name, struct nameidata * nd, 1066 char *type, unsigned long flags, void *data); 1067 int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd); 1068 int (*sb_umount) (struct vfsmount * mnt, int flags); 1069 void (*sb_umount_close) (struct vfsmount * mnt); 1070 void (*sb_umount_busy) (struct vfsmount * mnt); 1071 void (*sb_post_remount) (struct vfsmount * mnt, 1072 unsigned long flags, void *data); 1073 void (*sb_post_mountroot) (void); 1074 void (*sb_post_addmount) (struct vfsmount * mnt, 1075 struct nameidata * mountpoint_nd); 1076 int (*sb_pivotroot) (struct nameidata * old_nd, 1077 struct nameidata * new_nd); 1078 void (*sb_post_pivotroot) (struct nameidata * old_nd, 1079 struct nameidata * new_nd); 1080 1081 int (*inode_alloc_security) (struct inode *inode); 1082 void (*inode_free_security) (struct inode *inode); 1083 int (*inode_create) (struct inode *dir, 1084 struct dentry *dentry, int mode); 1085 void (*inode_post_create) (struct inode *dir, 1086 struct dentry *dentry, int mode); 1087 int (*inode_link) (struct dentry *old_dentry, 1088 struct inode *dir, struct dentry *new_dentry); 1089 void (*inode_post_link) (struct dentry *old_dentry, 1090 struct inode *dir, struct dentry *new_dentry); 1091 int (*inode_unlink) (struct inode *dir, struct dentry *dentry); 1092 int (*inode_symlink) (struct inode *dir, 1093 struct dentry *dentry, const char *old_name); 1094 void (*inode_post_symlink) (struct inode *dir, 1095 struct dentry *dentry, 1096 const char *old_name); 1097 int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode); 1098 void (*inode_post_mkdir) (struct inode *dir, struct dentry *dentry, 1099 int mode); 1100 int (*inode_rmdir) (struct inode *dir, struct dentry *dentry); 1101 int (*inode_mknod) (struct inode *dir, struct dentry *dentry, 1102 int mode, dev_t dev); 1103 void (*inode_post_mknod) (struct inode *dir, struct dentry *dentry, 1104 int mode, dev_t dev); 1105 int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, 1106 struct inode *new_dir, struct dentry *new_dentry); 1107 void (*inode_post_rename) (struct inode *old_dir, 1108 struct dentry *old_dentry, 1109 struct inode *new_dir, 1110 struct dentry *new_dentry); 1111 int (*inode_readlink) (struct dentry *dentry); 1112 int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); 1113 int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd); 1114 int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); 1115 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); 1116 void (*inode_delete) (struct inode *inode); 1117 int (*inode_setxattr) (struct dentry *dentry, char *name, void *value, 1118 size_t size, int flags); 1119 void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value, 1120 size_t size, int flags); 1121 int (*inode_getxattr) (struct dentry *dentry, char *name); 1122 int (*inode_listxattr) (struct dentry *dentry); 1123 int (*inode_removexattr) (struct dentry *dentry, char *name); 1124 int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size); 1125 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1126 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); 1127 1128 int (*file_permission) (struct file * file, int mask); 1129 int (*file_alloc_security) (struct file * file); 1130 void (*file_free_security) (struct file * file); 1131 int (*file_ioctl) (struct file * file, unsigned int cmd, 1132 unsigned long arg); 1133 int (*file_mmap) (struct file * file, 1134 unsigned long reqprot, 1135 unsigned long prot, unsigned long flags); 1136 int (*file_mprotect) (struct vm_area_struct * vma, 1137 unsigned long reqprot, 1138 unsigned long prot); 1139 int (*file_lock) (struct file * file, unsigned int cmd); 1140 int (*file_fcntl) (struct file * file, unsigned int cmd, 1141 unsigned long arg); 1142 int (*file_set_fowner) (struct file * file); 1143 int (*file_send_sigiotask) (struct task_struct * tsk, 1144 struct fown_struct * fown, int sig); 1145 int (*file_receive) (struct file * file); 1146 1147 int (*task_create) (unsigned long clone_flags); 1148 int (*task_alloc_security) (struct task_struct * p); 1149 void (*task_free_security) (struct task_struct * p); 1150 int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); 1151 int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ , 1152 uid_t old_euid, uid_t old_suid, int flags); 1153 int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags); 1154 int (*task_setpgid) (struct task_struct * p, pid_t pgid); 1155 int (*task_getpgid) (struct task_struct * p); 1156 int (*task_getsid) (struct task_struct * p); 1157 int (*task_setgroups) (struct group_info *group_info); 1158 int (*task_setnice) (struct task_struct * p, int nice); 1159 int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim); 1160 int (*task_setscheduler) (struct task_struct * p, int policy, 1161 struct sched_param * lp); 1162 int (*task_getscheduler) (struct task_struct * p); 1163 int (*task_kill) (struct task_struct * p, 1164 struct siginfo * info, int sig); 1165 int (*task_wait) (struct task_struct * p); 1166 int (*task_prctl) (int option, unsigned long arg2, 1167 unsigned long arg3, unsigned long arg4, 1168 unsigned long arg5); 1169 void (*task_reparent_to_init) (struct task_struct * p); 1170 void (*task_to_inode)(struct task_struct *p, struct inode *inode); 1171 1172 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); 1173 1174 int (*msg_msg_alloc_security) (struct msg_msg * msg); 1175 void (*msg_msg_free_security) (struct msg_msg * msg); 1176 1177 int (*msg_queue_alloc_security) (struct msg_queue * msq); 1178 void (*msg_queue_free_security) (struct msg_queue * msq); 1179 int (*msg_queue_associate) (struct msg_queue * msq, int msqflg); 1180 int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd); 1181 int (*msg_queue_msgsnd) (struct msg_queue * msq, 1182 struct msg_msg * msg, int msqflg); 1183 int (*msg_queue_msgrcv) (struct msg_queue * msq, 1184 struct msg_msg * msg, 1185 struct task_struct * target, 1186 long type, int mode); 1187 1188 int (*shm_alloc_security) (struct shmid_kernel * shp); 1189 void (*shm_free_security) (struct shmid_kernel * shp); 1190 int (*shm_associate) (struct shmid_kernel * shp, int shmflg); 1191 int (*shm_shmctl) (struct shmid_kernel * shp, int cmd); 1192 int (*shm_shmat) (struct shmid_kernel * shp, 1193 char __user *shmaddr, int shmflg); 1194 1195 int (*sem_alloc_security) (struct sem_array * sma); 1196 void (*sem_free_security) (struct sem_array * sma); 1197 int (*sem_associate) (struct sem_array * sma, int semflg); 1198 int (*sem_semctl) (struct sem_array * sma, int cmd); 1199 int (*sem_semop) (struct sem_array * sma, 1200 struct sembuf * sops, unsigned nsops, int alter); 1201 1202 int (*netlink_send) (struct sock * sk, struct sk_buff * skb); 1203 int (*netlink_recv) (struct sk_buff * skb); 1204 1205 /* allow module stacking */ 1206 int (*register_security) (const char *name, 1207 struct security_operations *ops); 1208 int (*unregister_security) (const char *name, 1209 struct security_operations *ops); 1210 1211 void (*d_instantiate) (struct dentry *dentry, struct inode *inode); 1212 1213 int (*getprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1214 int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1215 1216 #ifdef CONFIG_SECURITY_NETWORK 1217 int (*unix_stream_connect) (struct socket * sock, 1218 struct socket * other, struct sock * newsk); 1219 int (*unix_may_send) (struct socket * sock, struct socket * other); 1220 1221 int (*socket_create) (int family, int type, int protocol, int kern); 1222 void (*socket_post_create) (struct socket * sock, int family, 1223 int type, int protocol, int kern); 1224 int (*socket_bind) (struct socket * sock, 1225 struct sockaddr * address, int addrlen); 1226 int (*socket_connect) (struct socket * sock, 1227 struct sockaddr * address, int addrlen); 1228 int (*socket_listen) (struct socket * sock, int backlog); 1229 int (*socket_accept) (struct socket * sock, struct socket * newsock); 1230 void (*socket_post_accept) (struct socket * sock, 1231 struct socket * newsock); 1232 int (*socket_sendmsg) (struct socket * sock, 1233 struct msghdr * msg, int size); 1234 int (*socket_recvmsg) (struct socket * sock, 1235 struct msghdr * msg, int size, int flags); 1236 int (*socket_getsockname) (struct socket * sock); 1237 int (*socket_getpeername) (struct socket * sock); 1238 int (*socket_getsockopt) (struct socket * sock, int level, int optname); 1239 int (*socket_setsockopt) (struct socket * sock, int level, int optname); 1240 int (*socket_shutdown) (struct socket * sock, int how); 1241 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); 1242 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); 1243 int (*sk_alloc_security) (struct sock *sk, int family, int priority); 1244 void (*sk_free_security) (struct sock *sk); 1245 #endif /* CONFIG_SECURITY_NETWORK */ 1246 }; 1247 1248 /* global variables */ 1249 extern struct security_operations *security_ops; 1250 1251 /* inline stuff */ 1252 static inline int security_ptrace (struct task_struct * parent, struct task_struct * child) 1253 { 1254 return security_ops->ptrace (parent, child); 1255 } 1256 1257 static inline int security_capget (struct task_struct *target, 1258 kernel_cap_t *effective, 1259 kernel_cap_t *inheritable, 1260 kernel_cap_t *permitted) 1261 { 1262 return security_ops->capget (target, effective, inheritable, permitted); 1263 } 1264 1265 static inline int security_capset_check (struct task_struct *target, 1266 kernel_cap_t *effective, 1267 kernel_cap_t *inheritable, 1268 kernel_cap_t *permitted) 1269 { 1270 return security_ops->capset_check (target, effective, inheritable, permitted); 1271 } 1272 1273 static inline void security_capset_set (struct task_struct *target, 1274 kernel_cap_t *effective, 1275 kernel_cap_t *inheritable, 1276 kernel_cap_t *permitted) 1277 { 1278 security_ops->capset_set (target, effective, inheritable, permitted); 1279 } 1280 1281 static inline int security_acct (struct file *file) 1282 { 1283 return security_ops->acct (file); 1284 } 1285 1286 static inline int security_sysctl(struct ctl_table *table, int op) 1287 { 1288 return security_ops->sysctl(table, op); 1289 } 1290 1291 static inline int security_quotactl (int cmds, int type, int id, 1292 struct super_block *sb) 1293 { 1294 return security_ops->quotactl (cmds, type, id, sb); 1295 } 1296 1297 static inline int security_quota_on (struct dentry * dentry) 1298 { 1299 return security_ops->quota_on (dentry); 1300 } 1301 1302 static inline int security_syslog(int type) 1303 { 1304 return security_ops->syslog(type); 1305 } 1306 1307 static inline int security_settime(struct timespec *ts, struct timezone *tz) 1308 { 1309 return security_ops->settime(ts, tz); 1310 } 1311 1312 1313 static inline int security_vm_enough_memory(long pages) 1314 { 1315 return security_ops->vm_enough_memory(pages); 1316 } 1317 1318 static inline int security_bprm_alloc (struct linux_binprm *bprm) 1319 { 1320 return security_ops->bprm_alloc_security (bprm); 1321 } 1322 static inline void security_bprm_free (struct linux_binprm *bprm) 1323 { 1324 security_ops->bprm_free_security (bprm); 1325 } 1326 static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 1327 { 1328 security_ops->bprm_apply_creds (bprm, unsafe); 1329 } 1330 static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) 1331 { 1332 security_ops->bprm_post_apply_creds (bprm); 1333 } 1334 static inline int security_bprm_set (struct linux_binprm *bprm) 1335 { 1336 return security_ops->bprm_set_security (bprm); 1337 } 1338 1339 static inline int security_bprm_check (struct linux_binprm *bprm) 1340 { 1341 return security_ops->bprm_check_security (bprm); 1342 } 1343 1344 static inline int security_bprm_secureexec (struct linux_binprm *bprm) 1345 { 1346 return security_ops->bprm_secureexec (bprm); 1347 } 1348 1349 static inline int security_sb_alloc (struct super_block *sb) 1350 { 1351 return security_ops->sb_alloc_security (sb); 1352 } 1353 1354 static inline void security_sb_free (struct super_block *sb) 1355 { 1356 security_ops->sb_free_security (sb); 1357 } 1358 1359 static inline int security_sb_copy_data (struct file_system_type *type, 1360 void *orig, void *copy) 1361 { 1362 return security_ops->sb_copy_data (type, orig, copy); 1363 } 1364 1365 static inline int security_sb_kern_mount (struct super_block *sb, void *data) 1366 { 1367 return security_ops->sb_kern_mount (sb, data); 1368 } 1369 1370 static inline int security_sb_statfs (struct super_block *sb) 1371 { 1372 return security_ops->sb_statfs (sb); 1373 } 1374 1375 static inline int security_sb_mount (char *dev_name, struct nameidata *nd, 1376 char *type, unsigned long flags, 1377 void *data) 1378 { 1379 return security_ops->sb_mount (dev_name, nd, type, flags, data); 1380 } 1381 1382 static inline int security_sb_check_sb (struct vfsmount *mnt, 1383 struct nameidata *nd) 1384 { 1385 return security_ops->sb_check_sb (mnt, nd); 1386 } 1387 1388 static inline int security_sb_umount (struct vfsmount *mnt, int flags) 1389 { 1390 return security_ops->sb_umount (mnt, flags); 1391 } 1392 1393 static inline void security_sb_umount_close (struct vfsmount *mnt) 1394 { 1395 security_ops->sb_umount_close (mnt); 1396 } 1397 1398 static inline void security_sb_umount_busy (struct vfsmount *mnt) 1399 { 1400 security_ops->sb_umount_busy (mnt); 1401 } 1402 1403 static inline void security_sb_post_remount (struct vfsmount *mnt, 1404 unsigned long flags, void *data) 1405 { 1406 security_ops->sb_post_remount (mnt, flags, data); 1407 } 1408 1409 static inline void security_sb_post_mountroot (void) 1410 { 1411 security_ops->sb_post_mountroot (); 1412 } 1413 1414 static inline void security_sb_post_addmount (struct vfsmount *mnt, 1415 struct nameidata *mountpoint_nd) 1416 { 1417 security_ops->sb_post_addmount (mnt, mountpoint_nd); 1418 } 1419 1420 static inline int security_sb_pivotroot (struct nameidata *old_nd, 1421 struct nameidata *new_nd) 1422 { 1423 return security_ops->sb_pivotroot (old_nd, new_nd); 1424 } 1425 1426 static inline void security_sb_post_pivotroot (struct nameidata *old_nd, 1427 struct nameidata *new_nd) 1428 { 1429 security_ops->sb_post_pivotroot (old_nd, new_nd); 1430 } 1431 1432 static inline int security_inode_alloc (struct inode *inode) 1433 { 1434 if (unlikely (IS_PRIVATE (inode))) 1435 return 0; 1436 return security_ops->inode_alloc_security (inode); 1437 } 1438 1439 static inline void security_inode_free (struct inode *inode) 1440 { 1441 if (unlikely (IS_PRIVATE (inode))) 1442 return; 1443 security_ops->inode_free_security (inode); 1444 } 1445 1446 static inline int security_inode_create (struct inode *dir, 1447 struct dentry *dentry, 1448 int mode) 1449 { 1450 if (unlikely (IS_PRIVATE (dir))) 1451 return 0; 1452 return security_ops->inode_create (dir, dentry, mode); 1453 } 1454 1455 static inline void security_inode_post_create (struct inode *dir, 1456 struct dentry *dentry, 1457 int mode) 1458 { 1459 if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) 1460 return; 1461 security_ops->inode_post_create (dir, dentry, mode); 1462 } 1463 1464 static inline int security_inode_link (struct dentry *old_dentry, 1465 struct inode *dir, 1466 struct dentry *new_dentry) 1467 { 1468 if (unlikely (IS_PRIVATE (old_dentry->d_inode))) 1469 return 0; 1470 return security_ops->inode_link (old_dentry, dir, new_dentry); 1471 } 1472 1473 static inline void security_inode_post_link (struct dentry *old_dentry, 1474 struct inode *dir, 1475 struct dentry *new_dentry) 1476 { 1477 if (new_dentry->d_inode && unlikely (IS_PRIVATE (new_dentry->d_inode))) 1478 return; 1479 security_ops->inode_post_link (old_dentry, dir, new_dentry); 1480 } 1481 1482 static inline int security_inode_unlink (struct inode *dir, 1483 struct dentry *dentry) 1484 { 1485 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1486 return 0; 1487 return security_ops->inode_unlink (dir, dentry); 1488 } 1489 1490 static inline int security_inode_symlink (struct inode *dir, 1491 struct dentry *dentry, 1492 const char *old_name) 1493 { 1494 if (unlikely (IS_PRIVATE (dir))) 1495 return 0; 1496 return security_ops->inode_symlink (dir, dentry, old_name); 1497 } 1498 1499 static inline void security_inode_post_symlink (struct inode *dir, 1500 struct dentry *dentry, 1501 const char *old_name) 1502 { 1503 if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) 1504 return; 1505 security_ops->inode_post_symlink (dir, dentry, old_name); 1506 } 1507 1508 static inline int security_inode_mkdir (struct inode *dir, 1509 struct dentry *dentry, 1510 int mode) 1511 { 1512 if (unlikely (IS_PRIVATE (dir))) 1513 return 0; 1514 return security_ops->inode_mkdir (dir, dentry, mode); 1515 } 1516 1517 static inline void security_inode_post_mkdir (struct inode *dir, 1518 struct dentry *dentry, 1519 int mode) 1520 { 1521 if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) 1522 return; 1523 security_ops->inode_post_mkdir (dir, dentry, mode); 1524 } 1525 1526 static inline int security_inode_rmdir (struct inode *dir, 1527 struct dentry *dentry) 1528 { 1529 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1530 return 0; 1531 return security_ops->inode_rmdir (dir, dentry); 1532 } 1533 1534 static inline int security_inode_mknod (struct inode *dir, 1535 struct dentry *dentry, 1536 int mode, dev_t dev) 1537 { 1538 if (unlikely (IS_PRIVATE (dir))) 1539 return 0; 1540 return security_ops->inode_mknod (dir, dentry, mode, dev); 1541 } 1542 1543 static inline void security_inode_post_mknod (struct inode *dir, 1544 struct dentry *dentry, 1545 int mode, dev_t dev) 1546 { 1547 if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) 1548 return; 1549 security_ops->inode_post_mknod (dir, dentry, mode, dev); 1550 } 1551 1552 static inline int security_inode_rename (struct inode *old_dir, 1553 struct dentry *old_dentry, 1554 struct inode *new_dir, 1555 struct dentry *new_dentry) 1556 { 1557 if (unlikely (IS_PRIVATE (old_dentry->d_inode) || 1558 (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) 1559 return 0; 1560 return security_ops->inode_rename (old_dir, old_dentry, 1561 new_dir, new_dentry); 1562 } 1563 1564 static inline void security_inode_post_rename (struct inode *old_dir, 1565 struct dentry *old_dentry, 1566 struct inode *new_dir, 1567 struct dentry *new_dentry) 1568 { 1569 if (unlikely (IS_PRIVATE (old_dentry->d_inode) || 1570 (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) 1571 return; 1572 security_ops->inode_post_rename (old_dir, old_dentry, 1573 new_dir, new_dentry); 1574 } 1575 1576 static inline int security_inode_readlink (struct dentry *dentry) 1577 { 1578 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1579 return 0; 1580 return security_ops->inode_readlink (dentry); 1581 } 1582 1583 static inline int security_inode_follow_link (struct dentry *dentry, 1584 struct nameidata *nd) 1585 { 1586 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1587 return 0; 1588 return security_ops->inode_follow_link (dentry, nd); 1589 } 1590 1591 static inline int security_inode_permission (struct inode *inode, int mask, 1592 struct nameidata *nd) 1593 { 1594 if (unlikely (IS_PRIVATE (inode))) 1595 return 0; 1596 return security_ops->inode_permission (inode, mask, nd); 1597 } 1598 1599 static inline int security_inode_setattr (struct dentry *dentry, 1600 struct iattr *attr) 1601 { 1602 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1603 return 0; 1604 return security_ops->inode_setattr (dentry, attr); 1605 } 1606 1607 static inline int security_inode_getattr (struct vfsmount *mnt, 1608 struct dentry *dentry) 1609 { 1610 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1611 return 0; 1612 return security_ops->inode_getattr (mnt, dentry); 1613 } 1614 1615 static inline void security_inode_delete (struct inode *inode) 1616 { 1617 if (unlikely (IS_PRIVATE (inode))) 1618 return; 1619 security_ops->inode_delete (inode); 1620 } 1621 1622 static inline int security_inode_setxattr (struct dentry *dentry, char *name, 1623 void *value, size_t size, int flags) 1624 { 1625 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1626 return 0; 1627 return security_ops->inode_setxattr (dentry, name, value, size, flags); 1628 } 1629 1630 static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 1631 void *value, size_t size, int flags) 1632 { 1633 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1634 return; 1635 security_ops->inode_post_setxattr (dentry, name, value, size, flags); 1636 } 1637 1638 static inline int security_inode_getxattr (struct dentry *dentry, char *name) 1639 { 1640 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1641 return 0; 1642 return security_ops->inode_getxattr (dentry, name); 1643 } 1644 1645 static inline int security_inode_listxattr (struct dentry *dentry) 1646 { 1647 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1648 return 0; 1649 return security_ops->inode_listxattr (dentry); 1650 } 1651 1652 static inline int security_inode_removexattr (struct dentry *dentry, char *name) 1653 { 1654 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1655 return 0; 1656 return security_ops->inode_removexattr (dentry, name); 1657 } 1658 1659 static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 1660 { 1661 if (unlikely (IS_PRIVATE (inode))) 1662 return 0; 1663 return security_ops->inode_getsecurity(inode, name, buffer, size); 1664 } 1665 1666 static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 1667 { 1668 if (unlikely (IS_PRIVATE (inode))) 1669 return 0; 1670 return security_ops->inode_setsecurity(inode, name, value, size, flags); 1671 } 1672 1673 static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 1674 { 1675 if (unlikely (IS_PRIVATE (inode))) 1676 return 0; 1677 return security_ops->inode_listsecurity(inode, buffer, buffer_size); 1678 } 1679 1680 static inline int security_file_permission (struct file *file, int mask) 1681 { 1682 return security_ops->file_permission (file, mask); 1683 } 1684 1685 static inline int security_file_alloc (struct file *file) 1686 { 1687 return security_ops->file_alloc_security (file); 1688 } 1689 1690 static inline void security_file_free (struct file *file) 1691 { 1692 security_ops->file_free_security (file); 1693 } 1694 1695 static inline int security_file_ioctl (struct file *file, unsigned int cmd, 1696 unsigned long arg) 1697 { 1698 return security_ops->file_ioctl (file, cmd, arg); 1699 } 1700 1701 static inline int security_file_mmap (struct file *file, unsigned long reqprot, 1702 unsigned long prot, 1703 unsigned long flags) 1704 { 1705 return security_ops->file_mmap (file, reqprot, prot, flags); 1706 } 1707 1708 static inline int security_file_mprotect (struct vm_area_struct *vma, 1709 unsigned long reqprot, 1710 unsigned long prot) 1711 { 1712 return security_ops->file_mprotect (vma, reqprot, prot); 1713 } 1714 1715 static inline int security_file_lock (struct file *file, unsigned int cmd) 1716 { 1717 return security_ops->file_lock (file, cmd); 1718 } 1719 1720 static inline int security_file_fcntl (struct file *file, unsigned int cmd, 1721 unsigned long arg) 1722 { 1723 return security_ops->file_fcntl (file, cmd, arg); 1724 } 1725 1726 static inline int security_file_set_fowner (struct file *file) 1727 { 1728 return security_ops->file_set_fowner (file); 1729 } 1730 1731 static inline int security_file_send_sigiotask (struct task_struct *tsk, 1732 struct fown_struct *fown, 1733 int sig) 1734 { 1735 return security_ops->file_send_sigiotask (tsk, fown, sig); 1736 } 1737 1738 static inline int security_file_receive (struct file *file) 1739 { 1740 return security_ops->file_receive (file); 1741 } 1742 1743 static inline int security_task_create (unsigned long clone_flags) 1744 { 1745 return security_ops->task_create (clone_flags); 1746 } 1747 1748 static inline int security_task_alloc (struct task_struct *p) 1749 { 1750 return security_ops->task_alloc_security (p); 1751 } 1752 1753 static inline void security_task_free (struct task_struct *p) 1754 { 1755 security_ops->task_free_security (p); 1756 } 1757 1758 static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, 1759 int flags) 1760 { 1761 return security_ops->task_setuid (id0, id1, id2, flags); 1762 } 1763 1764 static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, 1765 uid_t old_suid, int flags) 1766 { 1767 return security_ops->task_post_setuid (old_ruid, old_euid, old_suid, flags); 1768 } 1769 1770 static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, 1771 int flags) 1772 { 1773 return security_ops->task_setgid (id0, id1, id2, flags); 1774 } 1775 1776 static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) 1777 { 1778 return security_ops->task_setpgid (p, pgid); 1779 } 1780 1781 static inline int security_task_getpgid (struct task_struct *p) 1782 { 1783 return security_ops->task_getpgid (p); 1784 } 1785 1786 static inline int security_task_getsid (struct task_struct *p) 1787 { 1788 return security_ops->task_getsid (p); 1789 } 1790 1791 static inline int security_task_setgroups (struct group_info *group_info) 1792 { 1793 return security_ops->task_setgroups (group_info); 1794 } 1795 1796 static inline int security_task_setnice (struct task_struct *p, int nice) 1797 { 1798 return security_ops->task_setnice (p, nice); 1799 } 1800 1801 static inline int security_task_setrlimit (unsigned int resource, 1802 struct rlimit *new_rlim) 1803 { 1804 return security_ops->task_setrlimit (resource, new_rlim); 1805 } 1806 1807 static inline int security_task_setscheduler (struct task_struct *p, 1808 int policy, 1809 struct sched_param *lp) 1810 { 1811 return security_ops->task_setscheduler (p, policy, lp); 1812 } 1813 1814 static inline int security_task_getscheduler (struct task_struct *p) 1815 { 1816 return security_ops->task_getscheduler (p); 1817 } 1818 1819 static inline int security_task_kill (struct task_struct *p, 1820 struct siginfo *info, int sig) 1821 { 1822 return security_ops->task_kill (p, info, sig); 1823 } 1824 1825 static inline int security_task_wait (struct task_struct *p) 1826 { 1827 return security_ops->task_wait (p); 1828 } 1829 1830 static inline int security_task_prctl (int option, unsigned long arg2, 1831 unsigned long arg3, 1832 unsigned long arg4, 1833 unsigned long arg5) 1834 { 1835 return security_ops->task_prctl (option, arg2, arg3, arg4, arg5); 1836 } 1837 1838 static inline void security_task_reparent_to_init (struct task_struct *p) 1839 { 1840 security_ops->task_reparent_to_init (p); 1841 } 1842 1843 static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 1844 { 1845 security_ops->task_to_inode(p, inode); 1846 } 1847 1848 static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, 1849 short flag) 1850 { 1851 return security_ops->ipc_permission (ipcp, flag); 1852 } 1853 1854 static inline int security_msg_msg_alloc (struct msg_msg * msg) 1855 { 1856 return security_ops->msg_msg_alloc_security (msg); 1857 } 1858 1859 static inline void security_msg_msg_free (struct msg_msg * msg) 1860 { 1861 security_ops->msg_msg_free_security(msg); 1862 } 1863 1864 static inline int security_msg_queue_alloc (struct msg_queue *msq) 1865 { 1866 return security_ops->msg_queue_alloc_security (msq); 1867 } 1868 1869 static inline void security_msg_queue_free (struct msg_queue *msq) 1870 { 1871 security_ops->msg_queue_free_security (msq); 1872 } 1873 1874 static inline int security_msg_queue_associate (struct msg_queue * msq, 1875 int msqflg) 1876 { 1877 return security_ops->msg_queue_associate (msq, msqflg); 1878 } 1879 1880 static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) 1881 { 1882 return security_ops->msg_queue_msgctl (msq, cmd); 1883 } 1884 1885 static inline int security_msg_queue_msgsnd (struct msg_queue * msq, 1886 struct msg_msg * msg, int msqflg) 1887 { 1888 return security_ops->msg_queue_msgsnd (msq, msg, msqflg); 1889 } 1890 1891 static inline int security_msg_queue_msgrcv (struct msg_queue * msq, 1892 struct msg_msg * msg, 1893 struct task_struct * target, 1894 long type, int mode) 1895 { 1896 return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode); 1897 } 1898 1899 static inline int security_shm_alloc (struct shmid_kernel *shp) 1900 { 1901 return security_ops->shm_alloc_security (shp); 1902 } 1903 1904 static inline void security_shm_free (struct shmid_kernel *shp) 1905 { 1906 security_ops->shm_free_security (shp); 1907 } 1908 1909 static inline int security_shm_associate (struct shmid_kernel * shp, 1910 int shmflg) 1911 { 1912 return security_ops->shm_associate(shp, shmflg); 1913 } 1914 1915 static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) 1916 { 1917 return security_ops->shm_shmctl (shp, cmd); 1918 } 1919 1920 static inline int security_shm_shmat (struct shmid_kernel * shp, 1921 char __user *shmaddr, int shmflg) 1922 { 1923 return security_ops->shm_shmat(shp, shmaddr, shmflg); 1924 } 1925 1926 static inline int security_sem_alloc (struct sem_array *sma) 1927 { 1928 return security_ops->sem_alloc_security (sma); 1929 } 1930 1931 static inline void security_sem_free (struct sem_array *sma) 1932 { 1933 security_ops->sem_free_security (sma); 1934 } 1935 1936 static inline int security_sem_associate (struct sem_array * sma, int semflg) 1937 { 1938 return security_ops->sem_associate (sma, semflg); 1939 } 1940 1941 static inline int security_sem_semctl (struct sem_array * sma, int cmd) 1942 { 1943 return security_ops->sem_semctl(sma, cmd); 1944 } 1945 1946 static inline int security_sem_semop (struct sem_array * sma, 1947 struct sembuf * sops, unsigned nsops, 1948 int alter) 1949 { 1950 return security_ops->sem_semop(sma, sops, nsops, alter); 1951 } 1952 1953 static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) 1954 { 1955 if (unlikely (inode && IS_PRIVATE (inode))) 1956 return; 1957 security_ops->d_instantiate (dentry, inode); 1958 } 1959 1960 static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) 1961 { 1962 return security_ops->getprocattr(p, name, value, size); 1963 } 1964 1965 static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 1966 { 1967 return security_ops->setprocattr(p, name, value, size); 1968 } 1969 1970 static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb) 1971 { 1972 return security_ops->netlink_send(sk, skb); 1973 } 1974 1975 static inline int security_netlink_recv(struct sk_buff * skb) 1976 { 1977 return security_ops->netlink_recv(skb); 1978 } 1979 1980 /* prototypes */ 1981 extern int security_init (void); 1982 extern int register_security (struct security_operations *ops); 1983 extern int unregister_security (struct security_operations *ops); 1984 extern int mod_reg_security (const char *name, struct security_operations *ops); 1985 extern int mod_unreg_security (const char *name, struct security_operations *ops); 1986 1987 1988 #else /* CONFIG_SECURITY */ 1989 1990 /* 1991 * This is the default capabilities functionality. Most of these functions 1992 * are just stubbed out, but a few must call the proper capable code. 1993 */ 1994 1995 static inline int security_init(void) 1996 { 1997 return 0; 1998 } 1999 2000 static inline int security_ptrace (struct task_struct *parent, struct task_struct * child) 2001 { 2002 return cap_ptrace (parent, child); 2003 } 2004 2005 static inline int security_capget (struct task_struct *target, 2006 kernel_cap_t *effective, 2007 kernel_cap_t *inheritable, 2008 kernel_cap_t *permitted) 2009 { 2010 return cap_capget (target, effective, inheritable, permitted); 2011 } 2012 2013 static inline int security_capset_check (struct task_struct *target, 2014 kernel_cap_t *effective, 2015 kernel_cap_t *inheritable, 2016 kernel_cap_t *permitted) 2017 { 2018 return cap_capset_check (target, effective, inheritable, permitted); 2019 } 2020 2021 static inline void security_capset_set (struct task_struct *target, 2022 kernel_cap_t *effective, 2023 kernel_cap_t *inheritable, 2024 kernel_cap_t *permitted) 2025 { 2026 cap_capset_set (target, effective, inheritable, permitted); 2027 } 2028 2029 static inline int security_acct (struct file *file) 2030 { 2031 return 0; 2032 } 2033 2034 static inline int security_sysctl(struct ctl_table *table, int op) 2035 { 2036 return 0; 2037 } 2038 2039 static inline int security_quotactl (int cmds, int type, int id, 2040 struct super_block * sb) 2041 { 2042 return 0; 2043 } 2044 2045 static inline int security_quota_on (struct dentry * dentry) 2046 { 2047 return 0; 2048 } 2049 2050 static inline int security_syslog(int type) 2051 { 2052 return cap_syslog(type); 2053 } 2054 2055 static inline int security_settime(struct timespec *ts, struct timezone *tz) 2056 { 2057 return cap_settime(ts, tz); 2058 } 2059 2060 static inline int security_vm_enough_memory(long pages) 2061 { 2062 return cap_vm_enough_memory(pages); 2063 } 2064 2065 static inline int security_bprm_alloc (struct linux_binprm *bprm) 2066 { 2067 return 0; 2068 } 2069 2070 static inline void security_bprm_free (struct linux_binprm *bprm) 2071 { } 2072 2073 static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 2074 { 2075 cap_bprm_apply_creds (bprm, unsafe); 2076 } 2077 2078 static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) 2079 { 2080 return; 2081 } 2082 2083 static inline int security_bprm_set (struct linux_binprm *bprm) 2084 { 2085 return cap_bprm_set_security (bprm); 2086 } 2087 2088 static inline int security_bprm_check (struct linux_binprm *bprm) 2089 { 2090 return 0; 2091 } 2092 2093 static inline int security_bprm_secureexec (struct linux_binprm *bprm) 2094 { 2095 return cap_bprm_secureexec(bprm); 2096 } 2097 2098 static inline int security_sb_alloc (struct super_block *sb) 2099 { 2100 return 0; 2101 } 2102 2103 static inline void security_sb_free (struct super_block *sb) 2104 { } 2105 2106 static inline int security_sb_copy_data (struct file_system_type *type, 2107 void *orig, void *copy) 2108 { 2109 return 0; 2110 } 2111 2112 static inline int security_sb_kern_mount (struct super_block *sb, void *data) 2113 { 2114 return 0; 2115 } 2116 2117 static inline int security_sb_statfs (struct super_block *sb) 2118 { 2119 return 0; 2120 } 2121 2122 static inline int security_sb_mount (char *dev_name, struct nameidata *nd, 2123 char *type, unsigned long flags, 2124 void *data) 2125 { 2126 return 0; 2127 } 2128 2129 static inline int security_sb_check_sb (struct vfsmount *mnt, 2130 struct nameidata *nd) 2131 { 2132 return 0; 2133 } 2134 2135 static inline int security_sb_umount (struct vfsmount *mnt, int flags) 2136 { 2137 return 0; 2138 } 2139 2140 static inline void security_sb_umount_close (struct vfsmount *mnt) 2141 { } 2142 2143 static inline void security_sb_umount_busy (struct vfsmount *mnt) 2144 { } 2145 2146 static inline void security_sb_post_remount (struct vfsmount *mnt, 2147 unsigned long flags, void *data) 2148 { } 2149 2150 static inline void security_sb_post_mountroot (void) 2151 { } 2152 2153 static inline void security_sb_post_addmount (struct vfsmount *mnt, 2154 struct nameidata *mountpoint_nd) 2155 { } 2156 2157 static inline int security_sb_pivotroot (struct nameidata *old_nd, 2158 struct nameidata *new_nd) 2159 { 2160 return 0; 2161 } 2162 2163 static inline void security_sb_post_pivotroot (struct nameidata *old_nd, 2164 struct nameidata *new_nd) 2165 { } 2166 2167 static inline int security_inode_alloc (struct inode *inode) 2168 { 2169 return 0; 2170 } 2171 2172 static inline void security_inode_free (struct inode *inode) 2173 { } 2174 2175 static inline int security_inode_create (struct inode *dir, 2176 struct dentry *dentry, 2177 int mode) 2178 { 2179 return 0; 2180 } 2181 2182 static inline void security_inode_post_create (struct inode *dir, 2183 struct dentry *dentry, 2184 int mode) 2185 { } 2186 2187 static inline int security_inode_link (struct dentry *old_dentry, 2188 struct inode *dir, 2189 struct dentry *new_dentry) 2190 { 2191 return 0; 2192 } 2193 2194 static inline void security_inode_post_link (struct dentry *old_dentry, 2195 struct inode *dir, 2196 struct dentry *new_dentry) 2197 { } 2198 2199 static inline int security_inode_unlink (struct inode *dir, 2200 struct dentry *dentry) 2201 { 2202 return 0; 2203 } 2204 2205 static inline int security_inode_symlink (struct inode *dir, 2206 struct dentry *dentry, 2207 const char *old_name) 2208 { 2209 return 0; 2210 } 2211 2212 static inline void security_inode_post_symlink (struct inode *dir, 2213 struct dentry *dentry, 2214 const char *old_name) 2215 { } 2216 2217 static inline int security_inode_mkdir (struct inode *dir, 2218 struct dentry *dentry, 2219 int mode) 2220 { 2221 return 0; 2222 } 2223 2224 static inline void security_inode_post_mkdir (struct inode *dir, 2225 struct dentry *dentry, 2226 int mode) 2227 { } 2228 2229 static inline int security_inode_rmdir (struct inode *dir, 2230 struct dentry *dentry) 2231 { 2232 return 0; 2233 } 2234 2235 static inline int security_inode_mknod (struct inode *dir, 2236 struct dentry *dentry, 2237 int mode, dev_t dev) 2238 { 2239 return 0; 2240 } 2241 2242 static inline void security_inode_post_mknod (struct inode *dir, 2243 struct dentry *dentry, 2244 int mode, dev_t dev) 2245 { } 2246 2247 static inline int security_inode_rename (struct inode *old_dir, 2248 struct dentry *old_dentry, 2249 struct inode *new_dir, 2250 struct dentry *new_dentry) 2251 { 2252 return 0; 2253 } 2254 2255 static inline void security_inode_post_rename (struct inode *old_dir, 2256 struct dentry *old_dentry, 2257 struct inode *new_dir, 2258 struct dentry *new_dentry) 2259 { } 2260 2261 static inline int security_inode_readlink (struct dentry *dentry) 2262 { 2263 return 0; 2264 } 2265 2266 static inline int security_inode_follow_link (struct dentry *dentry, 2267 struct nameidata *nd) 2268 { 2269 return 0; 2270 } 2271 2272 static inline int security_inode_permission (struct inode *inode, int mask, 2273 struct nameidata *nd) 2274 { 2275 return 0; 2276 } 2277 2278 static inline int security_inode_setattr (struct dentry *dentry, 2279 struct iattr *attr) 2280 { 2281 return 0; 2282 } 2283 2284 static inline int security_inode_getattr (struct vfsmount *mnt, 2285 struct dentry *dentry) 2286 { 2287 return 0; 2288 } 2289 2290 static inline void security_inode_delete (struct inode *inode) 2291 { } 2292 2293 static inline int security_inode_setxattr (struct dentry *dentry, char *name, 2294 void *value, size_t size, int flags) 2295 { 2296 return cap_inode_setxattr(dentry, name, value, size, flags); 2297 } 2298 2299 static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 2300 void *value, size_t size, int flags) 2301 { } 2302 2303 static inline int security_inode_getxattr (struct dentry *dentry, char *name) 2304 { 2305 return 0; 2306 } 2307 2308 static inline int security_inode_listxattr (struct dentry *dentry) 2309 { 2310 return 0; 2311 } 2312 2313 static inline int security_inode_removexattr (struct dentry *dentry, char *name) 2314 { 2315 return cap_inode_removexattr(dentry, name); 2316 } 2317 2318 static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 2319 { 2320 return -EOPNOTSUPP; 2321 } 2322 2323 static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 2324 { 2325 return -EOPNOTSUPP; 2326 } 2327 2328 static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2329 { 2330 return 0; 2331 } 2332 2333 static inline int security_file_permission (struct file *file, int mask) 2334 { 2335 return 0; 2336 } 2337 2338 static inline int security_file_alloc (struct file *file) 2339 { 2340 return 0; 2341 } 2342 2343 static inline void security_file_free (struct file *file) 2344 { } 2345 2346 static inline int security_file_ioctl (struct file *file, unsigned int cmd, 2347 unsigned long arg) 2348 { 2349 return 0; 2350 } 2351 2352 static inline int security_file_mmap (struct file *file, unsigned long reqprot, 2353 unsigned long prot, 2354 unsigned long flags) 2355 { 2356 return 0; 2357 } 2358 2359 static inline int security_file_mprotect (struct vm_area_struct *vma, 2360 unsigned long reqprot, 2361 unsigned long prot) 2362 { 2363 return 0; 2364 } 2365 2366 static inline int security_file_lock (struct file *file, unsigned int cmd) 2367 { 2368 return 0; 2369 } 2370 2371 static inline int security_file_fcntl (struct file *file, unsigned int cmd, 2372 unsigned long arg) 2373 { 2374 return 0; 2375 } 2376 2377 static inline int security_file_set_fowner (struct file *file) 2378 { 2379 return 0; 2380 } 2381 2382 static inline int security_file_send_sigiotask (struct task_struct *tsk, 2383 struct fown_struct *fown, 2384 int sig) 2385 { 2386 return 0; 2387 } 2388 2389 static inline int security_file_receive (struct file *file) 2390 { 2391 return 0; 2392 } 2393 2394 static inline int security_task_create (unsigned long clone_flags) 2395 { 2396 return 0; 2397 } 2398 2399 static inline int security_task_alloc (struct task_struct *p) 2400 { 2401 return 0; 2402 } 2403 2404 static inline void security_task_free (struct task_struct *p) 2405 { } 2406 2407 static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, 2408 int flags) 2409 { 2410 return 0; 2411 } 2412 2413 static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, 2414 uid_t old_suid, int flags) 2415 { 2416 return cap_task_post_setuid (old_ruid, old_euid, old_suid, flags); 2417 } 2418 2419 static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, 2420 int flags) 2421 { 2422 return 0; 2423 } 2424 2425 static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) 2426 { 2427 return 0; 2428 } 2429 2430 static inline int security_task_getpgid (struct task_struct *p) 2431 { 2432 return 0; 2433 } 2434 2435 static inline int security_task_getsid (struct task_struct *p) 2436 { 2437 return 0; 2438 } 2439 2440 static inline int security_task_setgroups (struct group_info *group_info) 2441 { 2442 return 0; 2443 } 2444 2445 static inline int security_task_setnice (struct task_struct *p, int nice) 2446 { 2447 return 0; 2448 } 2449 2450 static inline int security_task_setrlimit (unsigned int resource, 2451 struct rlimit *new_rlim) 2452 { 2453 return 0; 2454 } 2455 2456 static inline int security_task_setscheduler (struct task_struct *p, 2457 int policy, 2458 struct sched_param *lp) 2459 { 2460 return 0; 2461 } 2462 2463 static inline int security_task_getscheduler (struct task_struct *p) 2464 { 2465 return 0; 2466 } 2467 2468 static inline int security_task_kill (struct task_struct *p, 2469 struct siginfo *info, int sig) 2470 { 2471 return 0; 2472 } 2473 2474 static inline int security_task_wait (struct task_struct *p) 2475 { 2476 return 0; 2477 } 2478 2479 static inline int security_task_prctl (int option, unsigned long arg2, 2480 unsigned long arg3, 2481 unsigned long arg4, 2482 unsigned long arg5) 2483 { 2484 return 0; 2485 } 2486 2487 static inline void security_task_reparent_to_init (struct task_struct *p) 2488 { 2489 cap_task_reparent_to_init (p); 2490 } 2491 2492 static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 2493 { } 2494 2495 static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, 2496 short flag) 2497 { 2498 return 0; 2499 } 2500 2501 static inline int security_msg_msg_alloc (struct msg_msg * msg) 2502 { 2503 return 0; 2504 } 2505 2506 static inline void security_msg_msg_free (struct msg_msg * msg) 2507 { } 2508 2509 static inline int security_msg_queue_alloc (struct msg_queue *msq) 2510 { 2511 return 0; 2512 } 2513 2514 static inline void security_msg_queue_free (struct msg_queue *msq) 2515 { } 2516 2517 static inline int security_msg_queue_associate (struct msg_queue * msq, 2518 int msqflg) 2519 { 2520 return 0; 2521 } 2522 2523 static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) 2524 { 2525 return 0; 2526 } 2527 2528 static inline int security_msg_queue_msgsnd (struct msg_queue * msq, 2529 struct msg_msg * msg, int msqflg) 2530 { 2531 return 0; 2532 } 2533 2534 static inline int security_msg_queue_msgrcv (struct msg_queue * msq, 2535 struct msg_msg * msg, 2536 struct task_struct * target, 2537 long type, int mode) 2538 { 2539 return 0; 2540 } 2541 2542 static inline int security_shm_alloc (struct shmid_kernel *shp) 2543 { 2544 return 0; 2545 } 2546 2547 static inline void security_shm_free (struct shmid_kernel *shp) 2548 { } 2549 2550 static inline int security_shm_associate (struct shmid_kernel * shp, 2551 int shmflg) 2552 { 2553 return 0; 2554 } 2555 2556 static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) 2557 { 2558 return 0; 2559 } 2560 2561 static inline int security_shm_shmat (struct shmid_kernel * shp, 2562 char __user *shmaddr, int shmflg) 2563 { 2564 return 0; 2565 } 2566 2567 static inline int security_sem_alloc (struct sem_array *sma) 2568 { 2569 return 0; 2570 } 2571 2572 static inline void security_sem_free (struct sem_array *sma) 2573 { } 2574 2575 static inline int security_sem_associate (struct sem_array * sma, int semflg) 2576 { 2577 return 0; 2578 } 2579 2580 static inline int security_sem_semctl (struct sem_array * sma, int cmd) 2581 { 2582 return 0; 2583 } 2584 2585 static inline int security_sem_semop (struct sem_array * sma, 2586 struct sembuf * sops, unsigned nsops, 2587 int alter) 2588 { 2589 return 0; 2590 } 2591 2592 static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) 2593 { } 2594 2595 static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) 2596 { 2597 return -EINVAL; 2598 } 2599 2600 static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 2601 { 2602 return -EINVAL; 2603 } 2604 2605 static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb) 2606 { 2607 return cap_netlink_send (sk, skb); 2608 } 2609 2610 static inline int security_netlink_recv (struct sk_buff *skb) 2611 { 2612 return cap_netlink_recv (skb); 2613 } 2614 2615 #endif /* CONFIG_SECURITY */ 2616 2617 #ifdef CONFIG_SECURITY_NETWORK 2618 static inline int security_unix_stream_connect(struct socket * sock, 2619 struct socket * other, 2620 struct sock * newsk) 2621 { 2622 return security_ops->unix_stream_connect(sock, other, newsk); 2623 } 2624 2625 2626 static inline int security_unix_may_send(struct socket * sock, 2627 struct socket * other) 2628 { 2629 return security_ops->unix_may_send(sock, other); 2630 } 2631 2632 static inline int security_socket_create (int family, int type, 2633 int protocol, int kern) 2634 { 2635 return security_ops->socket_create(family, type, protocol, kern); 2636 } 2637 2638 static inline void security_socket_post_create(struct socket * sock, 2639 int family, 2640 int type, 2641 int protocol, int kern) 2642 { 2643 security_ops->socket_post_create(sock, family, type, 2644 protocol, kern); 2645 } 2646 2647 static inline int security_socket_bind(struct socket * sock, 2648 struct sockaddr * address, 2649 int addrlen) 2650 { 2651 return security_ops->socket_bind(sock, address, addrlen); 2652 } 2653 2654 static inline int security_socket_connect(struct socket * sock, 2655 struct sockaddr * address, 2656 int addrlen) 2657 { 2658 return security_ops->socket_connect(sock, address, addrlen); 2659 } 2660 2661 static inline int security_socket_listen(struct socket * sock, int backlog) 2662 { 2663 return security_ops->socket_listen(sock, backlog); 2664 } 2665 2666 static inline int security_socket_accept(struct socket * sock, 2667 struct socket * newsock) 2668 { 2669 return security_ops->socket_accept(sock, newsock); 2670 } 2671 2672 static inline void security_socket_post_accept(struct socket * sock, 2673 struct socket * newsock) 2674 { 2675 security_ops->socket_post_accept(sock, newsock); 2676 } 2677 2678 static inline int security_socket_sendmsg(struct socket * sock, 2679 struct msghdr * msg, int size) 2680 { 2681 return security_ops->socket_sendmsg(sock, msg, size); 2682 } 2683 2684 static inline int security_socket_recvmsg(struct socket * sock, 2685 struct msghdr * msg, int size, 2686 int flags) 2687 { 2688 return security_ops->socket_recvmsg(sock, msg, size, flags); 2689 } 2690 2691 static inline int security_socket_getsockname(struct socket * sock) 2692 { 2693 return security_ops->socket_getsockname(sock); 2694 } 2695 2696 static inline int security_socket_getpeername(struct socket * sock) 2697 { 2698 return security_ops->socket_getpeername(sock); 2699 } 2700 2701 static inline int security_socket_getsockopt(struct socket * sock, 2702 int level, int optname) 2703 { 2704 return security_ops->socket_getsockopt(sock, level, optname); 2705 } 2706 2707 static inline int security_socket_setsockopt(struct socket * sock, 2708 int level, int optname) 2709 { 2710 return security_ops->socket_setsockopt(sock, level, optname); 2711 } 2712 2713 static inline int security_socket_shutdown(struct socket * sock, int how) 2714 { 2715 return security_ops->socket_shutdown(sock, how); 2716 } 2717 2718 static inline int security_sock_rcv_skb (struct sock * sk, 2719 struct sk_buff * skb) 2720 { 2721 return security_ops->socket_sock_rcv_skb (sk, skb); 2722 } 2723 2724 static inline int security_socket_getpeersec(struct socket *sock, char __user *optval, 2725 int __user *optlen, unsigned len) 2726 { 2727 return security_ops->socket_getpeersec(sock, optval, optlen, len); 2728 } 2729 2730 static inline int security_sk_alloc(struct sock *sk, int family, 2731 unsigned int __nocast priority) 2732 { 2733 return security_ops->sk_alloc_security(sk, family, priority); 2734 } 2735 2736 static inline void security_sk_free(struct sock *sk) 2737 { 2738 return security_ops->sk_free_security(sk); 2739 } 2740 #else /* CONFIG_SECURITY_NETWORK */ 2741 static inline int security_unix_stream_connect(struct socket * sock, 2742 struct socket * other, 2743 struct sock * newsk) 2744 { 2745 return 0; 2746 } 2747 2748 static inline int security_unix_may_send(struct socket * sock, 2749 struct socket * other) 2750 { 2751 return 0; 2752 } 2753 2754 static inline int security_socket_create (int family, int type, 2755 int protocol, int kern) 2756 { 2757 return 0; 2758 } 2759 2760 static inline void security_socket_post_create(struct socket * sock, 2761 int family, 2762 int type, 2763 int protocol, int kern) 2764 { 2765 } 2766 2767 static inline int security_socket_bind(struct socket * sock, 2768 struct sockaddr * address, 2769 int addrlen) 2770 { 2771 return 0; 2772 } 2773 2774 static inline int security_socket_connect(struct socket * sock, 2775 struct sockaddr * address, 2776 int addrlen) 2777 { 2778 return 0; 2779 } 2780 2781 static inline int security_socket_listen(struct socket * sock, int backlog) 2782 { 2783 return 0; 2784 } 2785 2786 static inline int security_socket_accept(struct socket * sock, 2787 struct socket * newsock) 2788 { 2789 return 0; 2790 } 2791 2792 static inline void security_socket_post_accept(struct socket * sock, 2793 struct socket * newsock) 2794 { 2795 } 2796 2797 static inline int security_socket_sendmsg(struct socket * sock, 2798 struct msghdr * msg, int size) 2799 { 2800 return 0; 2801 } 2802 2803 static inline int security_socket_recvmsg(struct socket * sock, 2804 struct msghdr * msg, int size, 2805 int flags) 2806 { 2807 return 0; 2808 } 2809 2810 static inline int security_socket_getsockname(struct socket * sock) 2811 { 2812 return 0; 2813 } 2814 2815 static inline int security_socket_getpeername(struct socket * sock) 2816 { 2817 return 0; 2818 } 2819 2820 static inline int security_socket_getsockopt(struct socket * sock, 2821 int level, int optname) 2822 { 2823 return 0; 2824 } 2825 2826 static inline int security_socket_setsockopt(struct socket * sock, 2827 int level, int optname) 2828 { 2829 return 0; 2830 } 2831 2832 static inline int security_socket_shutdown(struct socket * sock, int how) 2833 { 2834 return 0; 2835 } 2836 static inline int security_sock_rcv_skb (struct sock * sk, 2837 struct sk_buff * skb) 2838 { 2839 return 0; 2840 } 2841 2842 static inline int security_socket_getpeersec(struct socket *sock, char __user *optval, 2843 int __user *optlen, unsigned len) 2844 { 2845 return -ENOPROTOOPT; 2846 } 2847 2848 static inline int security_sk_alloc(struct sock *sk, int family, 2849 unsigned int __nocast priority) 2850 { 2851 return 0; 2852 } 2853 2854 static inline void security_sk_free(struct sock *sk) 2855 { 2856 } 2857 #endif /* CONFIG_SECURITY_NETWORK */ 2858 2859 #endif /* ! __LINUX_SECURITY_H */ 2860 2861