1 /* 2 * Linux Security plug 3 * 4 * Copyright (C) 2001 WireX Communications, Inc <[email protected]> 5 * Copyright (C) 2001 Greg Kroah-Hartman <[email protected]> 6 * Copyright (C) 2001 Networks Associates Technology, Inc <[email protected]> 7 * Copyright (C) 2001 James Morris <[email protected]> 8 * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group) 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License as published by 12 * the Free Software Foundation; either version 2 of the License, or 13 * (at your option) any later version. 14 * 15 * Due to this file being licensed under the GPL there is controversy over 16 * whether this permits you to write a module that #includes this file 17 * without placing your module under the GPL. Please consult a lawyer for 18 * advice before doing this. 19 * 20 */ 21 22 #ifndef __LINUX_SECURITY_H 23 #define __LINUX_SECURITY_H 24 25 #include <linux/fs.h> 26 #include <linux/binfmts.h> 27 #include <linux/signal.h> 28 #include <linux/resource.h> 29 #include <linux/sem.h> 30 #include <linux/shm.h> 31 #include <linux/msg.h> 32 #include <linux/sched.h> 33 34 struct ctl_table; 35 36 /* 37 * These functions are in security/capability.c and are used 38 * as the default capabilities functions 39 */ 40 extern int cap_capable (struct task_struct *tsk, int cap); 41 extern int cap_settime (struct timespec *ts, struct timezone *tz); 42 extern int cap_ptrace (struct task_struct *parent, struct task_struct *child); 43 extern int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 44 extern int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 45 extern void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 46 extern int cap_bprm_set_security (struct linux_binprm *bprm); 47 extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe); 48 extern int cap_bprm_secureexec(struct linux_binprm *bprm); 49 extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags); 50 extern int cap_inode_removexattr(struct dentry *dentry, char *name); 51 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); 52 extern void cap_task_reparent_to_init (struct task_struct *p); 53 extern int cap_syslog (int type); 54 extern int cap_vm_enough_memory (long pages); 55 56 struct msghdr; 57 struct sk_buff; 58 struct sock; 59 struct sockaddr; 60 struct socket; 61 62 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); 63 extern int cap_netlink_recv(struct sk_buff *skb); 64 65 /* 66 * Values used in the task_security_ops calls 67 */ 68 /* setuid or setgid, id0 == uid or gid */ 69 #define LSM_SETID_ID 1 70 71 /* setreuid or setregid, id0 == real, id1 == eff */ 72 #define LSM_SETID_RE 2 73 74 /* setresuid or setresgid, id0 == real, id1 == eff, uid2 == saved */ 75 #define LSM_SETID_RES 4 76 77 /* setfsuid or setfsgid, id0 == fsuid or fsgid */ 78 #define LSM_SETID_FS 8 79 80 /* forward declares to avoid warnings */ 81 struct nfsctl_arg; 82 struct sched_param; 83 struct swap_info_struct; 84 85 /* bprm_apply_creds unsafe reasons */ 86 #define LSM_UNSAFE_SHARE 1 87 #define LSM_UNSAFE_PTRACE 2 88 #define LSM_UNSAFE_PTRACE_CAP 4 89 90 #ifdef CONFIG_SECURITY 91 92 /** 93 * struct security_operations - main security structure 94 * 95 * Security hooks for program execution operations. 96 * 97 * @bprm_alloc_security: 98 * Allocate and attach a security structure to the @bprm->security field. 99 * The security field is initialized to NULL when the bprm structure is 100 * allocated. 101 * @bprm contains the linux_binprm structure to be modified. 102 * Return 0 if operation was successful. 103 * @bprm_free_security: 104 * @bprm contains the linux_binprm structure to be modified. 105 * Deallocate and clear the @bprm->security field. 106 * @bprm_apply_creds: 107 * Compute and set the security attributes of a process being transformed 108 * by an execve operation based on the old attributes (current->security) 109 * and the information saved in @bprm->security by the set_security hook. 110 * Since this hook function (and its caller) are void, this hook can not 111 * return an error. However, it can leave the security attributes of the 112 * process unchanged if an access failure occurs at this point. 113 * bprm_apply_creds is called under task_lock. @unsafe indicates various 114 * reasons why it may be unsafe to change security state. 115 * @bprm contains the linux_binprm structure. 116 * @bprm_post_apply_creds: 117 * Runs after bprm_apply_creds with the task_lock dropped, so that 118 * functions which cannot be called safely under the task_lock can 119 * be used. This hook is a good place to perform state changes on 120 * the process such as closing open file descriptors to which access 121 * is no longer granted if the attributes were changed. 122 * Note that a security module might need to save state between 123 * bprm_apply_creds and bprm_post_apply_creds to store the decision 124 * on whether the process may proceed. 125 * @bprm contains the linux_binprm structure. 126 * @bprm_set_security: 127 * Save security information in the bprm->security field, typically based 128 * on information about the bprm->file, for later use by the apply_creds 129 * hook. This hook may also optionally check permissions (e.g. for 130 * transitions between security domains). 131 * This hook may be called multiple times during a single execve, e.g. for 132 * interpreters. The hook can tell whether it has already been called by 133 * checking to see if @bprm->security is non-NULL. If so, then the hook 134 * may decide either to retain the security information saved earlier or 135 * to replace it. 136 * @bprm contains the linux_binprm structure. 137 * Return 0 if the hook is successful and permission is granted. 138 * @bprm_check_security: 139 * This hook mediates the point when a search for a binary handler will 140 * begin. It allows a check the @bprm->security value which is set in 141 * the preceding set_security call. The primary difference from 142 * set_security is that the argv list and envp list are reliably 143 * available in @bprm. This hook may be called multiple times 144 * during a single execve; and in each pass set_security is called 145 * first. 146 * @bprm contains the linux_binprm structure. 147 * Return 0 if the hook is successful and permission is granted. 148 * @bprm_secureexec: 149 * Return a boolean value (0 or 1) indicating whether a "secure exec" 150 * is required. The flag is passed in the auxiliary table 151 * on the initial stack to the ELF interpreter to indicate whether libc 152 * should enable secure mode. 153 * @bprm contains the linux_binprm structure. 154 * 155 * Security hooks for filesystem operations. 156 * 157 * @sb_alloc_security: 158 * Allocate and attach a security structure to the sb->s_security field. 159 * The s_security field is initialized to NULL when the structure is 160 * allocated. 161 * @sb contains the super_block structure to be modified. 162 * Return 0 if operation was successful. 163 * @sb_free_security: 164 * Deallocate and clear the sb->s_security field. 165 * @sb contains the super_block structure to be modified. 166 * @sb_statfs: 167 * Check permission before obtaining filesystem statistics for the @sb 168 * filesystem. 169 * @sb contains the super_block structure for the filesystem. 170 * Return 0 if permission is granted. 171 * @sb_mount: 172 * Check permission before an object specified by @dev_name is mounted on 173 * the mount point named by @nd. For an ordinary mount, @dev_name 174 * identifies a device if the file system type requires a device. For a 175 * remount (@flags & MS_REMOUNT), @dev_name is irrelevant. For a 176 * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the 177 * pathname of the object being mounted. 178 * @dev_name contains the name for object being mounted. 179 * @nd contains the nameidata structure for mount point object. 180 * @type contains the filesystem type. 181 * @flags contains the mount flags. 182 * @data contains the filesystem-specific data. 183 * Return 0 if permission is granted. 184 * @sb_copy_data: 185 * Allow mount option data to be copied prior to parsing by the filesystem, 186 * so that the security module can extract security-specific mount 187 * options cleanly (a filesystem may modify the data e.g. with strsep()). 188 * This also allows the original mount data to be stripped of security- 189 * specific options to avoid having to make filesystems aware of them. 190 * @type the type of filesystem being mounted. 191 * @orig the original mount data copied from userspace. 192 * @copy copied data which will be passed to the security module. 193 * Returns 0 if the copy was successful. 194 * @sb_check_sb: 195 * Check permission before the device with superblock @mnt->sb is mounted 196 * on the mount point named by @nd. 197 * @mnt contains the vfsmount for device being mounted. 198 * @nd contains the nameidata object for the mount point. 199 * Return 0 if permission is granted. 200 * @sb_umount: 201 * Check permission before the @mnt file system is unmounted. 202 * @mnt contains the mounted file system. 203 * @flags contains the unmount flags, e.g. MNT_FORCE. 204 * Return 0 if permission is granted. 205 * @sb_umount_close: 206 * Close any files in the @mnt mounted filesystem that are held open by 207 * the security module. This hook is called during an umount operation 208 * prior to checking whether the filesystem is still busy. 209 * @mnt contains the mounted filesystem. 210 * @sb_umount_busy: 211 * Handle a failed umount of the @mnt mounted filesystem, e.g. re-opening 212 * any files that were closed by umount_close. This hook is called during 213 * an umount operation if the umount fails after a call to the 214 * umount_close hook. 215 * @mnt contains the mounted filesystem. 216 * @sb_post_remount: 217 * Update the security module's state when a filesystem is remounted. 218 * This hook is only called if the remount was successful. 219 * @mnt contains the mounted file system. 220 * @flags contains the new filesystem flags. 221 * @data contains the filesystem-specific data. 222 * @sb_post_mountroot: 223 * Update the security module's state when the root filesystem is mounted. 224 * This hook is only called if the mount was successful. 225 * @sb_post_addmount: 226 * Update the security module's state when a filesystem is mounted. 227 * This hook is called any time a mount is successfully grafetd to 228 * the tree. 229 * @mnt contains the mounted filesystem. 230 * @mountpoint_nd contains the nameidata structure for the mount point. 231 * @sb_pivotroot: 232 * Check permission before pivoting the root filesystem. 233 * @old_nd contains the nameidata structure for the new location of the current root (put_old). 234 * @new_nd contains the nameidata structure for the new root (new_root). 235 * Return 0 if permission is granted. 236 * @sb_post_pivotroot: 237 * Update module state after a successful pivot. 238 * @old_nd contains the nameidata structure for the old root. 239 * @new_nd contains the nameidata structure for the new root. 240 * 241 * Security hooks for inode operations. 242 * 243 * @inode_alloc_security: 244 * Allocate and attach a security structure to @inode->i_security. The 245 * i_security field is initialized to NULL when the inode structure is 246 * allocated. 247 * @inode contains the inode structure. 248 * Return 0 if operation was successful. 249 * @inode_free_security: 250 * @inode contains the inode structure. 251 * Deallocate the inode security structure and set @inode->i_security to 252 * NULL. 253 * @inode_init_security: 254 * Obtain the security attribute name suffix and value to set on a newly 255 * created inode and set up the incore security field for the new inode. 256 * This hook is called by the fs code as part of the inode creation 257 * transaction and provides for atomic labeling of the inode, unlike 258 * the post_create/mkdir/... hooks called by the VFS. The hook function 259 * is expected to allocate the name and value via kmalloc, with the caller 260 * being responsible for calling kfree after using them. 261 * If the security module does not use security attributes or does 262 * not wish to put a security attribute on this particular inode, 263 * then it should return -EOPNOTSUPP to skip this processing. 264 * @inode contains the inode structure of the newly created inode. 265 * @dir contains the inode structure of the parent directory. 266 * @name will be set to the allocated name suffix (e.g. selinux). 267 * @value will be set to the allocated attribute value. 268 * @len will be set to the length of the value. 269 * Returns 0 if @name and @value have been successfully set, 270 * -EOPNOTSUPP if no security attribute is needed, or 271 * -ENOMEM on memory allocation failure. 272 * @inode_create: 273 * Check permission to create a regular file. 274 * @dir contains inode structure of the parent of the new file. 275 * @dentry contains the dentry structure for the file to be created. 276 * @mode contains the file mode of the file to be created. 277 * Return 0 if permission is granted. 278 * @inode_link: 279 * Check permission before creating a new hard link to a file. 280 * @old_dentry contains the dentry structure for an existing link to the file. 281 * @dir contains the inode structure of the parent directory of the new link. 282 * @new_dentry contains the dentry structure for the new link. 283 * Return 0 if permission is granted. 284 * @inode_unlink: 285 * Check the permission to remove a hard link to a file. 286 * @dir contains the inode structure of parent directory of the file. 287 * @dentry contains the dentry structure for file to be unlinked. 288 * Return 0 if permission is granted. 289 * @inode_symlink: 290 * Check the permission to create a symbolic link to a file. 291 * @dir contains the inode structure of parent directory of the symbolic link. 292 * @dentry contains the dentry structure of the symbolic link. 293 * @old_name contains the pathname of file. 294 * Return 0 if permission is granted. 295 * @inode_mkdir: 296 * Check permissions to create a new directory in the existing directory 297 * associated with inode strcture @dir. 298 * @dir containst the inode structure of parent of the directory to be created. 299 * @dentry contains the dentry structure of new directory. 300 * @mode contains the mode of new directory. 301 * Return 0 if permission is granted. 302 * @inode_rmdir: 303 * Check the permission to remove a directory. 304 * @dir contains the inode structure of parent of the directory to be removed. 305 * @dentry contains the dentry structure of directory to be removed. 306 * Return 0 if permission is granted. 307 * @inode_mknod: 308 * Check permissions when creating a special file (or a socket or a fifo 309 * file created via the mknod system call). Note that if mknod operation 310 * is being done for a regular file, then the create hook will be called 311 * and not this hook. 312 * @dir contains the inode structure of parent of the new file. 313 * @dentry contains the dentry structure of the new file. 314 * @mode contains the mode of the new file. 315 * @dev contains the the device number. 316 * Return 0 if permission is granted. 317 * @inode_rename: 318 * Check for permission to rename a file or directory. 319 * @old_dir contains the inode structure for parent of the old link. 320 * @old_dentry contains the dentry structure of the old link. 321 * @new_dir contains the inode structure for parent of the new link. 322 * @new_dentry contains the dentry structure of the new link. 323 * Return 0 if permission is granted. 324 * @inode_readlink: 325 * Check the permission to read the symbolic link. 326 * @dentry contains the dentry structure for the file link. 327 * Return 0 if permission is granted. 328 * @inode_follow_link: 329 * Check permission to follow a symbolic link when looking up a pathname. 330 * @dentry contains the dentry structure for the link. 331 * @nd contains the nameidata structure for the parent directory. 332 * Return 0 if permission is granted. 333 * @inode_permission: 334 * Check permission before accessing an inode. This hook is called by the 335 * existing Linux permission function, so a security module can use it to 336 * provide additional checking for existing Linux permission checks. 337 * Notice that this hook is called when a file is opened (as well as many 338 * other operations), whereas the file_security_ops permission hook is 339 * called when the actual read/write operations are performed. 340 * @inode contains the inode structure to check. 341 * @mask contains the permission mask. 342 * @nd contains the nameidata (may be NULL). 343 * Return 0 if permission is granted. 344 * @inode_setattr: 345 * Check permission before setting file attributes. Note that the kernel 346 * call to notify_change is performed from several locations, whenever 347 * file attributes change (such as when a file is truncated, chown/chmod 348 * operations, transferring disk quotas, etc). 349 * @dentry contains the dentry structure for the file. 350 * @attr is the iattr structure containing the new file attributes. 351 * Return 0 if permission is granted. 352 * @inode_getattr: 353 * Check permission before obtaining file attributes. 354 * @mnt is the vfsmount where the dentry was looked up 355 * @dentry contains the dentry structure for the file. 356 * Return 0 if permission is granted. 357 * @inode_delete: 358 * @inode contains the inode structure for deleted inode. 359 * This hook is called when a deleted inode is released (i.e. an inode 360 * with no hard links has its use count drop to zero). A security module 361 * can use this hook to release any persistent label associated with the 362 * inode. 363 * @inode_setxattr: 364 * Check permission before setting the extended attributes 365 * @value identified by @name for @dentry. 366 * Return 0 if permission is granted. 367 * @inode_post_setxattr: 368 * Update inode security field after successful setxattr operation. 369 * @value identified by @name for @dentry. 370 * @inode_getxattr: 371 * Check permission before obtaining the extended attributes 372 * identified by @name for @dentry. 373 * Return 0 if permission is granted. 374 * @inode_listxattr: 375 * Check permission before obtaining the list of extended attribute 376 * names for @dentry. 377 * Return 0 if permission is granted. 378 * @inode_removexattr: 379 * Check permission before removing the extended attribute 380 * identified by @name for @dentry. 381 * Return 0 if permission is granted. 382 * @inode_getsecurity: 383 * Copy the extended attribute representation of the security label 384 * associated with @name for @inode into @buffer. @buffer may be 385 * NULL to request the size of the buffer required. @size indicates 386 * the size of @buffer in bytes. Note that @name is the remainder 387 * of the attribute name after the security. prefix has been removed. 388 * Return number of bytes used/required on success. 389 * @inode_setsecurity: 390 * Set the security label associated with @name for @inode from the 391 * extended attribute value @value. @size indicates the size of the 392 * @value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0. 393 * Note that @name is the remainder of the attribute name after the 394 * security. prefix has been removed. 395 * Return 0 on success. 396 * @inode_listsecurity: 397 * Copy the extended attribute names for the security labels 398 * associated with @inode into @buffer. The maximum size of @buffer 399 * is specified by @buffer_size. @buffer may be NULL to request 400 * the size of the buffer required. 401 * Returns number of bytes used/required on success. 402 * 403 * Security hooks for file operations 404 * 405 * @file_permission: 406 * Check file permissions before accessing an open file. This hook is 407 * called by various operations that read or write files. A security 408 * module can use this hook to perform additional checking on these 409 * operations, e.g. to revalidate permissions on use to support privilege 410 * bracketing or policy changes. Notice that this hook is used when the 411 * actual read/write operations are performed, whereas the 412 * inode_security_ops hook is called when a file is opened (as well as 413 * many other operations). 414 * Caveat: Although this hook can be used to revalidate permissions for 415 * various system call operations that read or write files, it does not 416 * address the revalidation of permissions for memory-mapped files. 417 * Security modules must handle this separately if they need such 418 * revalidation. 419 * @file contains the file structure being accessed. 420 * @mask contains the requested permissions. 421 * Return 0 if permission is granted. 422 * @file_alloc_security: 423 * Allocate and attach a security structure to the file->f_security field. 424 * The security field is initialized to NULL when the structure is first 425 * created. 426 * @file contains the file structure to secure. 427 * Return 0 if the hook is successful and permission is granted. 428 * @file_free_security: 429 * Deallocate and free any security structures stored in file->f_security. 430 * @file contains the file structure being modified. 431 * @file_ioctl: 432 * @file contains the file structure. 433 * @cmd contains the operation to perform. 434 * @arg contains the operational arguments. 435 * Check permission for an ioctl operation on @file. Note that @arg can 436 * sometimes represents a user space pointer; in other cases, it may be a 437 * simple integer value. When @arg represents a user space pointer, it 438 * should never be used by the security module. 439 * Return 0 if permission is granted. 440 * @file_mmap : 441 * Check permissions for a mmap operation. The @file may be NULL, e.g. 442 * if mapping anonymous memory. 443 * @file contains the file structure for file to map (may be NULL). 444 * @reqprot contains the protection requested by the application. 445 * @prot contains the protection that will be applied by the kernel. 446 * @flags contains the operational flags. 447 * Return 0 if permission is granted. 448 * @file_mprotect: 449 * Check permissions before changing memory access permissions. 450 * @vma contains the memory region to modify. 451 * @reqprot contains the protection requested by the application. 452 * @prot contains the protection that will be applied by the kernel. 453 * Return 0 if permission is granted. 454 * @file_lock: 455 * Check permission before performing file locking operations. 456 * Note: this hook mediates both flock and fcntl style locks. 457 * @file contains the file structure. 458 * @cmd contains the posix-translated lock operation to perform 459 * (e.g. F_RDLCK, F_WRLCK). 460 * Return 0 if permission is granted. 461 * @file_fcntl: 462 * Check permission before allowing the file operation specified by @cmd 463 * from being performed on the file @file. Note that @arg can sometimes 464 * represents a user space pointer; in other cases, it may be a simple 465 * integer value. When @arg represents a user space pointer, it should 466 * never be used by the security module. 467 * @file contains the file structure. 468 * @cmd contains the operation to be performed. 469 * @arg contains the operational arguments. 470 * Return 0 if permission is granted. 471 * @file_set_fowner: 472 * Save owner security information (typically from current->security) in 473 * file->f_security for later use by the send_sigiotask hook. 474 * @file contains the file structure to update. 475 * Return 0 on success. 476 * @file_send_sigiotask: 477 * Check permission for the file owner @fown to send SIGIO or SIGURG to the 478 * process @tsk. Note that this hook is sometimes called from interrupt. 479 * Note that the fown_struct, @fown, is never outside the context of a 480 * struct file, so the file structure (and associated security information) 481 * can always be obtained: 482 * (struct file *)((long)fown - offsetof(struct file,f_owner)); 483 * @tsk contains the structure of task receiving signal. 484 * @fown contains the file owner information. 485 * @sig is the signal that will be sent. When 0, kernel sends SIGIO. 486 * Return 0 if permission is granted. 487 * @file_receive: 488 * This hook allows security modules to control the ability of a process 489 * to receive an open file descriptor via socket IPC. 490 * @file contains the file structure being received. 491 * Return 0 if permission is granted. 492 * 493 * Security hooks for task operations. 494 * 495 * @task_create: 496 * Check permission before creating a child process. See the clone(2) 497 * manual page for definitions of the @clone_flags. 498 * @clone_flags contains the flags indicating what should be shared. 499 * Return 0 if permission is granted. 500 * @task_alloc_security: 501 * @p contains the task_struct for child process. 502 * Allocate and attach a security structure to the p->security field. The 503 * security field is initialized to NULL when the task structure is 504 * allocated. 505 * Return 0 if operation was successful. 506 * @task_free_security: 507 * @p contains the task_struct for process. 508 * Deallocate and clear the p->security field. 509 * @task_setuid: 510 * Check permission before setting one or more of the user identity 511 * attributes of the current process. The @flags parameter indicates 512 * which of the set*uid system calls invoked this hook and how to 513 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 514 * definitions at the beginning of this file for the @flags values and 515 * their meanings. 516 * @id0 contains a uid. 517 * @id1 contains a uid. 518 * @id2 contains a uid. 519 * @flags contains one of the LSM_SETID_* values. 520 * Return 0 if permission is granted. 521 * @task_post_setuid: 522 * Update the module's state after setting one or more of the user 523 * identity attributes of the current process. The @flags parameter 524 * indicates which of the set*uid system calls invoked this hook. If 525 * @flags is LSM_SETID_FS, then @old_ruid is the old fs uid and the other 526 * parameters are not used. 527 * @old_ruid contains the old real uid (or fs uid if LSM_SETID_FS). 528 * @old_euid contains the old effective uid (or -1 if LSM_SETID_FS). 529 * @old_suid contains the old saved uid (or -1 if LSM_SETID_FS). 530 * @flags contains one of the LSM_SETID_* values. 531 * Return 0 on success. 532 * @task_setgid: 533 * Check permission before setting one or more of the group identity 534 * attributes of the current process. The @flags parameter indicates 535 * which of the set*gid system calls invoked this hook and how to 536 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 537 * definitions at the beginning of this file for the @flags values and 538 * their meanings. 539 * @id0 contains a gid. 540 * @id1 contains a gid. 541 * @id2 contains a gid. 542 * @flags contains one of the LSM_SETID_* values. 543 * Return 0 if permission is granted. 544 * @task_setpgid: 545 * Check permission before setting the process group identifier of the 546 * process @p to @pgid. 547 * @p contains the task_struct for process being modified. 548 * @pgid contains the new pgid. 549 * Return 0 if permission is granted. 550 * @task_getpgid: 551 * Check permission before getting the process group identifier of the 552 * process @p. 553 * @p contains the task_struct for the process. 554 * Return 0 if permission is granted. 555 * @task_getsid: 556 * Check permission before getting the session identifier of the process 557 * @p. 558 * @p contains the task_struct for the process. 559 * Return 0 if permission is granted. 560 * @task_setgroups: 561 * Check permission before setting the supplementary group set of the 562 * current process. 563 * @group_info contains the new group information. 564 * Return 0 if permission is granted. 565 * @task_setnice: 566 * Check permission before setting the nice value of @p to @nice. 567 * @p contains the task_struct of process. 568 * @nice contains the new nice value. 569 * Return 0 if permission is granted. 570 * @task_setrlimit: 571 * Check permission before setting the resource limits of the current 572 * process for @resource to @new_rlim. The old resource limit values can 573 * be examined by dereferencing (current->signal->rlim + resource). 574 * @resource contains the resource whose limit is being set. 575 * @new_rlim contains the new limits for @resource. 576 * Return 0 if permission is granted. 577 * @task_setscheduler: 578 * Check permission before setting scheduling policy and/or parameters of 579 * process @p based on @policy and @lp. 580 * @p contains the task_struct for process. 581 * @policy contains the scheduling policy. 582 * @lp contains the scheduling parameters. 583 * Return 0 if permission is granted. 584 * @task_getscheduler: 585 * Check permission before obtaining scheduling information for process 586 * @p. 587 * @p contains the task_struct for process. 588 * Return 0 if permission is granted. 589 * @task_kill: 590 * Check permission before sending signal @sig to @p. @info can be NULL, 591 * the constant 1, or a pointer to a siginfo structure. If @info is 1 or 592 * SI_FROMKERNEL(info) is true, then the signal should be viewed as coming 593 * from the kernel and should typically be permitted. 594 * SIGIO signals are handled separately by the send_sigiotask hook in 595 * file_security_ops. 596 * @p contains the task_struct for process. 597 * @info contains the signal information. 598 * @sig contains the signal value. 599 * Return 0 if permission is granted. 600 * @task_wait: 601 * Check permission before allowing a process to reap a child process @p 602 * and collect its status information. 603 * @p contains the task_struct for process. 604 * Return 0 if permission is granted. 605 * @task_prctl: 606 * Check permission before performing a process control operation on the 607 * current process. 608 * @option contains the operation. 609 * @arg2 contains a argument. 610 * @arg3 contains a argument. 611 * @arg4 contains a argument. 612 * @arg5 contains a argument. 613 * Return 0 if permission is granted. 614 * @task_reparent_to_init: 615 * Set the security attributes in @p->security for a kernel thread that 616 * is being reparented to the init task. 617 * @p contains the task_struct for the kernel thread. 618 * @task_to_inode: 619 * Set the security attributes for an inode based on an associated task's 620 * security attributes, e.g. for /proc/pid inodes. 621 * @p contains the task_struct for the task. 622 * @inode contains the inode structure for the inode. 623 * 624 * Security hooks for Netlink messaging. 625 * 626 * @netlink_send: 627 * Save security information for a netlink message so that permission 628 * checking can be performed when the message is processed. The security 629 * information can be saved using the eff_cap field of the 630 * netlink_skb_parms structure. Also may be used to provide fine 631 * grained control over message transmission. 632 * @sk associated sock of task sending the message., 633 * @skb contains the sk_buff structure for the netlink message. 634 * Return 0 if the information was successfully saved and message 635 * is allowed to be transmitted. 636 * @netlink_recv: 637 * Check permission before processing the received netlink message in 638 * @skb. 639 * @skb contains the sk_buff structure for the netlink message. 640 * Return 0 if permission is granted. 641 * 642 * Security hooks for Unix domain networking. 643 * 644 * @unix_stream_connect: 645 * Check permissions before establishing a Unix domain stream connection 646 * between @sock and @other. 647 * @sock contains the socket structure. 648 * @other contains the peer socket structure. 649 * Return 0 if permission is granted. 650 * @unix_may_send: 651 * Check permissions before connecting or sending datagrams from @sock to 652 * @other. 653 * @sock contains the socket structure. 654 * @sock contains the peer socket structure. 655 * Return 0 if permission is granted. 656 * 657 * The @unix_stream_connect and @unix_may_send hooks were necessary because 658 * Linux provides an alternative to the conventional file name space for Unix 659 * domain sockets. Whereas binding and connecting to sockets in the file name 660 * space is mediated by the typical file permissions (and caught by the mknod 661 * and permission hooks in inode_security_ops), binding and connecting to 662 * sockets in the abstract name space is completely unmediated. Sufficient 663 * control of Unix domain sockets in the abstract name space isn't possible 664 * using only the socket layer hooks, since we need to know the actual target 665 * socket, which is not looked up until we are inside the af_unix code. 666 * 667 * Security hooks for socket operations. 668 * 669 * @socket_create: 670 * Check permissions prior to creating a new socket. 671 * @family contains the requested protocol family. 672 * @type contains the requested communications type. 673 * @protocol contains the requested protocol. 674 * @kern set to 1 if a kernel socket. 675 * Return 0 if permission is granted. 676 * @socket_post_create: 677 * This hook allows a module to update or allocate a per-socket security 678 * structure. Note that the security field was not added directly to the 679 * socket structure, but rather, the socket security information is stored 680 * in the associated inode. Typically, the inode alloc_security hook will 681 * allocate and and attach security information to 682 * sock->inode->i_security. This hook may be used to update the 683 * sock->inode->i_security field with additional information that wasn't 684 * available when the inode was allocated. 685 * @sock contains the newly created socket structure. 686 * @family contains the requested protocol family. 687 * @type contains the requested communications type. 688 * @protocol contains the requested protocol. 689 * @kern set to 1 if a kernel socket. 690 * @socket_bind: 691 * Check permission before socket protocol layer bind operation is 692 * performed and the socket @sock is bound to the address specified in the 693 * @address parameter. 694 * @sock contains the socket structure. 695 * @address contains the address to bind to. 696 * @addrlen contains the length of address. 697 * Return 0 if permission is granted. 698 * @socket_connect: 699 * Check permission before socket protocol layer connect operation 700 * attempts to connect socket @sock to a remote address, @address. 701 * @sock contains the socket structure. 702 * @address contains the address of remote endpoint. 703 * @addrlen contains the length of address. 704 * Return 0 if permission is granted. 705 * @socket_listen: 706 * Check permission before socket protocol layer listen operation. 707 * @sock contains the socket structure. 708 * @backlog contains the maximum length for the pending connection queue. 709 * Return 0 if permission is granted. 710 * @socket_accept: 711 * Check permission before accepting a new connection. Note that the new 712 * socket, @newsock, has been created and some information copied to it, 713 * but the accept operation has not actually been performed. 714 * @sock contains the listening socket structure. 715 * @newsock contains the newly created server socket for connection. 716 * Return 0 if permission is granted. 717 * @socket_post_accept: 718 * This hook allows a security module to copy security 719 * information into the newly created socket's inode. 720 * @sock contains the listening socket structure. 721 * @newsock contains the newly created server socket for connection. 722 * @socket_sendmsg: 723 * Check permission before transmitting a message to another socket. 724 * @sock contains the socket structure. 725 * @msg contains the message to be transmitted. 726 * @size contains the size of message. 727 * Return 0 if permission is granted. 728 * @socket_recvmsg: 729 * Check permission before receiving a message from a socket. 730 * @sock contains the socket structure. 731 * @msg contains the message structure. 732 * @size contains the size of message structure. 733 * @flags contains the operational flags. 734 * Return 0 if permission is granted. 735 * @socket_getsockname: 736 * Check permission before the local address (name) of the socket object 737 * @sock is retrieved. 738 * @sock contains the socket structure. 739 * Return 0 if permission is granted. 740 * @socket_getpeername: 741 * Check permission before the remote address (name) of a socket object 742 * @sock is retrieved. 743 * @sock contains the socket structure. 744 * Return 0 if permission is granted. 745 * @socket_getsockopt: 746 * Check permissions before retrieving the options associated with socket 747 * @sock. 748 * @sock contains the socket structure. 749 * @level contains the protocol level to retrieve option from. 750 * @optname contains the name of option to retrieve. 751 * Return 0 if permission is granted. 752 * @socket_setsockopt: 753 * Check permissions before setting the options associated with socket 754 * @sock. 755 * @sock contains the socket structure. 756 * @level contains the protocol level to set options for. 757 * @optname contains the name of the option to set. 758 * Return 0 if permission is granted. 759 * @socket_shutdown: 760 * Checks permission before all or part of a connection on the socket 761 * @sock is shut down. 762 * @sock contains the socket structure. 763 * @how contains the flag indicating how future sends and receives are handled. 764 * Return 0 if permission is granted. 765 * @socket_sock_rcv_skb: 766 * Check permissions on incoming network packets. This hook is distinct 767 * from Netfilter's IP input hooks since it is the first time that the 768 * incoming sk_buff @skb has been associated with a particular socket, @sk. 769 * @sk contains the sock (not socket) associated with the incoming sk_buff. 770 * @skb contains the incoming network data. 771 * @socket_getpeersec: 772 * This hook allows the security module to provide peer socket security 773 * state to userspace via getsockopt SO_GETPEERSEC. 774 * @sock is the local socket. 775 * @optval userspace memory where the security state is to be copied. 776 * @optlen userspace int where the module should copy the actual length 777 * of the security state. 778 * @len as input is the maximum length to copy to userspace provided 779 * by the caller. 780 * Return 0 if all is well, otherwise, typical getsockopt return 781 * values. 782 * @sk_alloc_security: 783 * Allocate and attach a security structure to the sk->sk_security field, 784 * which is used to copy security attributes between local stream sockets. 785 * @sk_free_security: 786 * Deallocate security structure. 787 * 788 * Security hooks affecting all System V IPC operations. 789 * 790 * @ipc_permission: 791 * Check permissions for access to IPC 792 * @ipcp contains the kernel IPC permission structure 793 * @flag contains the desired (requested) permission set 794 * Return 0 if permission is granted. 795 * 796 * Security hooks for individual messages held in System V IPC message queues 797 * @msg_msg_alloc_security: 798 * Allocate and attach a security structure to the msg->security field. 799 * The security field is initialized to NULL when the structure is first 800 * created. 801 * @msg contains the message structure to be modified. 802 * Return 0 if operation was successful and permission is granted. 803 * @msg_msg_free_security: 804 * Deallocate the security structure for this message. 805 * @msg contains the message structure to be modified. 806 * 807 * Security hooks for System V IPC Message Queues 808 * 809 * @msg_queue_alloc_security: 810 * Allocate and attach a security structure to the 811 * msq->q_perm.security field. The security field is initialized to 812 * NULL when the structure is first created. 813 * @msq contains the message queue structure to be modified. 814 * Return 0 if operation was successful and permission is granted. 815 * @msg_queue_free_security: 816 * Deallocate security structure for this message queue. 817 * @msq contains the message queue structure to be modified. 818 * @msg_queue_associate: 819 * Check permission when a message queue is requested through the 820 * msgget system call. This hook is only called when returning the 821 * message queue identifier for an existing message queue, not when a 822 * new message queue is created. 823 * @msq contains the message queue to act upon. 824 * @msqflg contains the operation control flags. 825 * Return 0 if permission is granted. 826 * @msg_queue_msgctl: 827 * Check permission when a message control operation specified by @cmd 828 * is to be performed on the message queue @msq. 829 * The @msq may be NULL, e.g. for IPC_INFO or MSG_INFO. 830 * @msq contains the message queue to act upon. May be NULL. 831 * @cmd contains the operation to be performed. 832 * Return 0 if permission is granted. 833 * @msg_queue_msgsnd: 834 * Check permission before a message, @msg, is enqueued on the message 835 * queue, @msq. 836 * @msq contains the message queue to send message to. 837 * @msg contains the message to be enqueued. 838 * @msqflg contains operational flags. 839 * Return 0 if permission is granted. 840 * @msg_queue_msgrcv: 841 * Check permission before a message, @msg, is removed from the message 842 * queue, @msq. The @target task structure contains a pointer to the 843 * process that will be receiving the message (not equal to the current 844 * process when inline receives are being performed). 845 * @msq contains the message queue to retrieve message from. 846 * @msg contains the message destination. 847 * @target contains the task structure for recipient process. 848 * @type contains the type of message requested. 849 * @mode contains the operational flags. 850 * Return 0 if permission is granted. 851 * 852 * Security hooks for System V Shared Memory Segments 853 * 854 * @shm_alloc_security: 855 * Allocate and attach a security structure to the shp->shm_perm.security 856 * field. The security field is initialized to NULL when the structure is 857 * first created. 858 * @shp contains the shared memory structure to be modified. 859 * Return 0 if operation was successful and permission is granted. 860 * @shm_free_security: 861 * Deallocate the security struct for this memory segment. 862 * @shp contains the shared memory structure to be modified. 863 * @shm_associate: 864 * Check permission when a shared memory region is requested through the 865 * shmget system call. This hook is only called when returning the shared 866 * memory region identifier for an existing region, not when a new shared 867 * memory region is created. 868 * @shp contains the shared memory structure to be modified. 869 * @shmflg contains the operation control flags. 870 * Return 0 if permission is granted. 871 * @shm_shmctl: 872 * Check permission when a shared memory control operation specified by 873 * @cmd is to be performed on the shared memory region @shp. 874 * The @shp may be NULL, e.g. for IPC_INFO or SHM_INFO. 875 * @shp contains shared memory structure to be modified. 876 * @cmd contains the operation to be performed. 877 * Return 0 if permission is granted. 878 * @shm_shmat: 879 * Check permissions prior to allowing the shmat system call to attach the 880 * shared memory segment @shp to the data segment of the calling process. 881 * The attaching address is specified by @shmaddr. 882 * @shp contains the shared memory structure to be modified. 883 * @shmaddr contains the address to attach memory region to. 884 * @shmflg contains the operational flags. 885 * Return 0 if permission is granted. 886 * 887 * Security hooks for System V Semaphores 888 * 889 * @sem_alloc_security: 890 * Allocate and attach a security structure to the sma->sem_perm.security 891 * field. The security field is initialized to NULL when the structure is 892 * first created. 893 * @sma contains the semaphore structure 894 * Return 0 if operation was successful and permission is granted. 895 * @sem_free_security: 896 * deallocate security struct for this semaphore 897 * @sma contains the semaphore structure. 898 * @sem_associate: 899 * Check permission when a semaphore is requested through the semget 900 * system call. This hook is only called when returning the semaphore 901 * identifier for an existing semaphore, not when a new one must be 902 * created. 903 * @sma contains the semaphore structure. 904 * @semflg contains the operation control flags. 905 * Return 0 if permission is granted. 906 * @sem_semctl: 907 * Check permission when a semaphore operation specified by @cmd is to be 908 * performed on the semaphore @sma. The @sma may be NULL, e.g. for 909 * IPC_INFO or SEM_INFO. 910 * @sma contains the semaphore structure. May be NULL. 911 * @cmd contains the operation to be performed. 912 * Return 0 if permission is granted. 913 * @sem_semop 914 * Check permissions before performing operations on members of the 915 * semaphore set @sma. If the @alter flag is nonzero, the semaphore set 916 * may be modified. 917 * @sma contains the semaphore structure. 918 * @sops contains the operations to perform. 919 * @nsops contains the number of operations to perform. 920 * @alter contains the flag indicating whether changes are to be made. 921 * Return 0 if permission is granted. 922 * 923 * @ptrace: 924 * Check permission before allowing the @parent process to trace the 925 * @child process. 926 * Security modules may also want to perform a process tracing check 927 * during an execve in the set_security or apply_creds hooks of 928 * binprm_security_ops if the process is being traced and its security 929 * attributes would be changed by the execve. 930 * @parent contains the task_struct structure for parent process. 931 * @child contains the task_struct structure for child process. 932 * Return 0 if permission is granted. 933 * @capget: 934 * Get the @effective, @inheritable, and @permitted capability sets for 935 * the @target process. The hook may also perform permission checking to 936 * determine if the current process is allowed to see the capability sets 937 * of the @target process. 938 * @target contains the task_struct structure for target process. 939 * @effective contains the effective capability set. 940 * @inheritable contains the inheritable capability set. 941 * @permitted contains the permitted capability set. 942 * Return 0 if the capability sets were successfully obtained. 943 * @capset_check: 944 * Check permission before setting the @effective, @inheritable, and 945 * @permitted capability sets for the @target process. 946 * Caveat: @target is also set to current if a set of processes is 947 * specified (i.e. all processes other than current and init or a 948 * particular process group). Hence, the capset_set hook may need to 949 * revalidate permission to the actual target process. 950 * @target contains the task_struct structure for target process. 951 * @effective contains the effective capability set. 952 * @inheritable contains the inheritable capability set. 953 * @permitted contains the permitted capability set. 954 * Return 0 if permission is granted. 955 * @capset_set: 956 * Set the @effective, @inheritable, and @permitted capability sets for 957 * the @target process. Since capset_check cannot always check permission 958 * to the real @target process, this hook may also perform permission 959 * checking to determine if the current process is allowed to set the 960 * capability sets of the @target process. However, this hook has no way 961 * of returning an error due to the structure of the sys_capset code. 962 * @target contains the task_struct structure for target process. 963 * @effective contains the effective capability set. 964 * @inheritable contains the inheritable capability set. 965 * @permitted contains the permitted capability set. 966 * @acct: 967 * Check permission before enabling or disabling process accounting. If 968 * accounting is being enabled, then @file refers to the open file used to 969 * store accounting records. If accounting is being disabled, then @file 970 * is NULL. 971 * @file contains the file structure for the accounting file (may be NULL). 972 * Return 0 if permission is granted. 973 * @sysctl: 974 * Check permission before accessing the @table sysctl variable in the 975 * manner specified by @op. 976 * @table contains the ctl_table structure for the sysctl variable. 977 * @op contains the operation (001 = search, 002 = write, 004 = read). 978 * Return 0 if permission is granted. 979 * @capable: 980 * Check whether the @tsk process has the @cap capability. 981 * @tsk contains the task_struct for the process. 982 * @cap contains the capability <include/linux/capability.h>. 983 * Return 0 if the capability is granted for @tsk. 984 * @syslog: 985 * Check permission before accessing the kernel message ring or changing 986 * logging to the console. 987 * See the syslog(2) manual page for an explanation of the @type values. 988 * @type contains the type of action. 989 * Return 0 if permission is granted. 990 * @settime: 991 * Check permission to change the system time. 992 * struct timespec and timezone are defined in include/linux/time.h 993 * @ts contains new time 994 * @tz contains new timezone 995 * Return 0 if permission is granted. 996 * @vm_enough_memory: 997 * Check permissions for allocating a new virtual mapping. 998 * @pages contains the number of pages. 999 * Return 0 if permission is granted. 1000 * 1001 * @register_security: 1002 * allow module stacking. 1003 * @name contains the name of the security module being stacked. 1004 * @ops contains a pointer to the struct security_operations of the module to stack. 1005 * @unregister_security: 1006 * remove a stacked module. 1007 * @name contains the name of the security module being unstacked. 1008 * @ops contains a pointer to the struct security_operations of the module to unstack. 1009 * 1010 * This is the main security structure. 1011 */ 1012 struct security_operations { 1013 int (*ptrace) (struct task_struct * parent, struct task_struct * child); 1014 int (*capget) (struct task_struct * target, 1015 kernel_cap_t * effective, 1016 kernel_cap_t * inheritable, kernel_cap_t * permitted); 1017 int (*capset_check) (struct task_struct * target, 1018 kernel_cap_t * effective, 1019 kernel_cap_t * inheritable, 1020 kernel_cap_t * permitted); 1021 void (*capset_set) (struct task_struct * target, 1022 kernel_cap_t * effective, 1023 kernel_cap_t * inheritable, 1024 kernel_cap_t * permitted); 1025 int (*acct) (struct file * file); 1026 int (*sysctl) (struct ctl_table * table, int op); 1027 int (*capable) (struct task_struct * tsk, int cap); 1028 int (*quotactl) (int cmds, int type, int id, struct super_block * sb); 1029 int (*quota_on) (struct dentry * dentry); 1030 int (*syslog) (int type); 1031 int (*settime) (struct timespec *ts, struct timezone *tz); 1032 int (*vm_enough_memory) (long pages); 1033 1034 int (*bprm_alloc_security) (struct linux_binprm * bprm); 1035 void (*bprm_free_security) (struct linux_binprm * bprm); 1036 void (*bprm_apply_creds) (struct linux_binprm * bprm, int unsafe); 1037 void (*bprm_post_apply_creds) (struct linux_binprm * bprm); 1038 int (*bprm_set_security) (struct linux_binprm * bprm); 1039 int (*bprm_check_security) (struct linux_binprm * bprm); 1040 int (*bprm_secureexec) (struct linux_binprm * bprm); 1041 1042 int (*sb_alloc_security) (struct super_block * sb); 1043 void (*sb_free_security) (struct super_block * sb); 1044 int (*sb_copy_data)(struct file_system_type *type, 1045 void *orig, void *copy); 1046 int (*sb_kern_mount) (struct super_block *sb, void *data); 1047 int (*sb_statfs) (struct super_block * sb); 1048 int (*sb_mount) (char *dev_name, struct nameidata * nd, 1049 char *type, unsigned long flags, void *data); 1050 int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd); 1051 int (*sb_umount) (struct vfsmount * mnt, int flags); 1052 void (*sb_umount_close) (struct vfsmount * mnt); 1053 void (*sb_umount_busy) (struct vfsmount * mnt); 1054 void (*sb_post_remount) (struct vfsmount * mnt, 1055 unsigned long flags, void *data); 1056 void (*sb_post_mountroot) (void); 1057 void (*sb_post_addmount) (struct vfsmount * mnt, 1058 struct nameidata * mountpoint_nd); 1059 int (*sb_pivotroot) (struct nameidata * old_nd, 1060 struct nameidata * new_nd); 1061 void (*sb_post_pivotroot) (struct nameidata * old_nd, 1062 struct nameidata * new_nd); 1063 1064 int (*inode_alloc_security) (struct inode *inode); 1065 void (*inode_free_security) (struct inode *inode); 1066 int (*inode_init_security) (struct inode *inode, struct inode *dir, 1067 char **name, void **value, size_t *len); 1068 int (*inode_create) (struct inode *dir, 1069 struct dentry *dentry, int mode); 1070 int (*inode_link) (struct dentry *old_dentry, 1071 struct inode *dir, struct dentry *new_dentry); 1072 int (*inode_unlink) (struct inode *dir, struct dentry *dentry); 1073 int (*inode_symlink) (struct inode *dir, 1074 struct dentry *dentry, const char *old_name); 1075 int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode); 1076 int (*inode_rmdir) (struct inode *dir, struct dentry *dentry); 1077 int (*inode_mknod) (struct inode *dir, struct dentry *dentry, 1078 int mode, dev_t dev); 1079 int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, 1080 struct inode *new_dir, struct dentry *new_dentry); 1081 int (*inode_readlink) (struct dentry *dentry); 1082 int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); 1083 int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd); 1084 int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); 1085 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); 1086 void (*inode_delete) (struct inode *inode); 1087 int (*inode_setxattr) (struct dentry *dentry, char *name, void *value, 1088 size_t size, int flags); 1089 void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value, 1090 size_t size, int flags); 1091 int (*inode_getxattr) (struct dentry *dentry, char *name); 1092 int (*inode_listxattr) (struct dentry *dentry); 1093 int (*inode_removexattr) (struct dentry *dentry, char *name); 1094 int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size); 1095 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1096 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); 1097 1098 int (*file_permission) (struct file * file, int mask); 1099 int (*file_alloc_security) (struct file * file); 1100 void (*file_free_security) (struct file * file); 1101 int (*file_ioctl) (struct file * file, unsigned int cmd, 1102 unsigned long arg); 1103 int (*file_mmap) (struct file * file, 1104 unsigned long reqprot, 1105 unsigned long prot, unsigned long flags); 1106 int (*file_mprotect) (struct vm_area_struct * vma, 1107 unsigned long reqprot, 1108 unsigned long prot); 1109 int (*file_lock) (struct file * file, unsigned int cmd); 1110 int (*file_fcntl) (struct file * file, unsigned int cmd, 1111 unsigned long arg); 1112 int (*file_set_fowner) (struct file * file); 1113 int (*file_send_sigiotask) (struct task_struct * tsk, 1114 struct fown_struct * fown, int sig); 1115 int (*file_receive) (struct file * file); 1116 1117 int (*task_create) (unsigned long clone_flags); 1118 int (*task_alloc_security) (struct task_struct * p); 1119 void (*task_free_security) (struct task_struct * p); 1120 int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); 1121 int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ , 1122 uid_t old_euid, uid_t old_suid, int flags); 1123 int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags); 1124 int (*task_setpgid) (struct task_struct * p, pid_t pgid); 1125 int (*task_getpgid) (struct task_struct * p); 1126 int (*task_getsid) (struct task_struct * p); 1127 int (*task_setgroups) (struct group_info *group_info); 1128 int (*task_setnice) (struct task_struct * p, int nice); 1129 int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim); 1130 int (*task_setscheduler) (struct task_struct * p, int policy, 1131 struct sched_param * lp); 1132 int (*task_getscheduler) (struct task_struct * p); 1133 int (*task_kill) (struct task_struct * p, 1134 struct siginfo * info, int sig); 1135 int (*task_wait) (struct task_struct * p); 1136 int (*task_prctl) (int option, unsigned long arg2, 1137 unsigned long arg3, unsigned long arg4, 1138 unsigned long arg5); 1139 void (*task_reparent_to_init) (struct task_struct * p); 1140 void (*task_to_inode)(struct task_struct *p, struct inode *inode); 1141 1142 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); 1143 1144 int (*msg_msg_alloc_security) (struct msg_msg * msg); 1145 void (*msg_msg_free_security) (struct msg_msg * msg); 1146 1147 int (*msg_queue_alloc_security) (struct msg_queue * msq); 1148 void (*msg_queue_free_security) (struct msg_queue * msq); 1149 int (*msg_queue_associate) (struct msg_queue * msq, int msqflg); 1150 int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd); 1151 int (*msg_queue_msgsnd) (struct msg_queue * msq, 1152 struct msg_msg * msg, int msqflg); 1153 int (*msg_queue_msgrcv) (struct msg_queue * msq, 1154 struct msg_msg * msg, 1155 struct task_struct * target, 1156 long type, int mode); 1157 1158 int (*shm_alloc_security) (struct shmid_kernel * shp); 1159 void (*shm_free_security) (struct shmid_kernel * shp); 1160 int (*shm_associate) (struct shmid_kernel * shp, int shmflg); 1161 int (*shm_shmctl) (struct shmid_kernel * shp, int cmd); 1162 int (*shm_shmat) (struct shmid_kernel * shp, 1163 char __user *shmaddr, int shmflg); 1164 1165 int (*sem_alloc_security) (struct sem_array * sma); 1166 void (*sem_free_security) (struct sem_array * sma); 1167 int (*sem_associate) (struct sem_array * sma, int semflg); 1168 int (*sem_semctl) (struct sem_array * sma, int cmd); 1169 int (*sem_semop) (struct sem_array * sma, 1170 struct sembuf * sops, unsigned nsops, int alter); 1171 1172 int (*netlink_send) (struct sock * sk, struct sk_buff * skb); 1173 int (*netlink_recv) (struct sk_buff * skb); 1174 1175 /* allow module stacking */ 1176 int (*register_security) (const char *name, 1177 struct security_operations *ops); 1178 int (*unregister_security) (const char *name, 1179 struct security_operations *ops); 1180 1181 void (*d_instantiate) (struct dentry *dentry, struct inode *inode); 1182 1183 int (*getprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1184 int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1185 1186 #ifdef CONFIG_SECURITY_NETWORK 1187 int (*unix_stream_connect) (struct socket * sock, 1188 struct socket * other, struct sock * newsk); 1189 int (*unix_may_send) (struct socket * sock, struct socket * other); 1190 1191 int (*socket_create) (int family, int type, int protocol, int kern); 1192 void (*socket_post_create) (struct socket * sock, int family, 1193 int type, int protocol, int kern); 1194 int (*socket_bind) (struct socket * sock, 1195 struct sockaddr * address, int addrlen); 1196 int (*socket_connect) (struct socket * sock, 1197 struct sockaddr * address, int addrlen); 1198 int (*socket_listen) (struct socket * sock, int backlog); 1199 int (*socket_accept) (struct socket * sock, struct socket * newsock); 1200 void (*socket_post_accept) (struct socket * sock, 1201 struct socket * newsock); 1202 int (*socket_sendmsg) (struct socket * sock, 1203 struct msghdr * msg, int size); 1204 int (*socket_recvmsg) (struct socket * sock, 1205 struct msghdr * msg, int size, int flags); 1206 int (*socket_getsockname) (struct socket * sock); 1207 int (*socket_getpeername) (struct socket * sock); 1208 int (*socket_getsockopt) (struct socket * sock, int level, int optname); 1209 int (*socket_setsockopt) (struct socket * sock, int level, int optname); 1210 int (*socket_shutdown) (struct socket * sock, int how); 1211 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); 1212 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); 1213 int (*sk_alloc_security) (struct sock *sk, int family, int priority); 1214 void (*sk_free_security) (struct sock *sk); 1215 #endif /* CONFIG_SECURITY_NETWORK */ 1216 }; 1217 1218 /* global variables */ 1219 extern struct security_operations *security_ops; 1220 1221 /* inline stuff */ 1222 static inline int security_ptrace (struct task_struct * parent, struct task_struct * child) 1223 { 1224 return security_ops->ptrace (parent, child); 1225 } 1226 1227 static inline int security_capget (struct task_struct *target, 1228 kernel_cap_t *effective, 1229 kernel_cap_t *inheritable, 1230 kernel_cap_t *permitted) 1231 { 1232 return security_ops->capget (target, effective, inheritable, permitted); 1233 } 1234 1235 static inline int security_capset_check (struct task_struct *target, 1236 kernel_cap_t *effective, 1237 kernel_cap_t *inheritable, 1238 kernel_cap_t *permitted) 1239 { 1240 return security_ops->capset_check (target, effective, inheritable, permitted); 1241 } 1242 1243 static inline void security_capset_set (struct task_struct *target, 1244 kernel_cap_t *effective, 1245 kernel_cap_t *inheritable, 1246 kernel_cap_t *permitted) 1247 { 1248 security_ops->capset_set (target, effective, inheritable, permitted); 1249 } 1250 1251 static inline int security_acct (struct file *file) 1252 { 1253 return security_ops->acct (file); 1254 } 1255 1256 static inline int security_sysctl(struct ctl_table *table, int op) 1257 { 1258 return security_ops->sysctl(table, op); 1259 } 1260 1261 static inline int security_quotactl (int cmds, int type, int id, 1262 struct super_block *sb) 1263 { 1264 return security_ops->quotactl (cmds, type, id, sb); 1265 } 1266 1267 static inline int security_quota_on (struct dentry * dentry) 1268 { 1269 return security_ops->quota_on (dentry); 1270 } 1271 1272 static inline int security_syslog(int type) 1273 { 1274 return security_ops->syslog(type); 1275 } 1276 1277 static inline int security_settime(struct timespec *ts, struct timezone *tz) 1278 { 1279 return security_ops->settime(ts, tz); 1280 } 1281 1282 1283 static inline int security_vm_enough_memory(long pages) 1284 { 1285 return security_ops->vm_enough_memory(pages); 1286 } 1287 1288 static inline int security_bprm_alloc (struct linux_binprm *bprm) 1289 { 1290 return security_ops->bprm_alloc_security (bprm); 1291 } 1292 static inline void security_bprm_free (struct linux_binprm *bprm) 1293 { 1294 security_ops->bprm_free_security (bprm); 1295 } 1296 static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 1297 { 1298 security_ops->bprm_apply_creds (bprm, unsafe); 1299 } 1300 static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) 1301 { 1302 security_ops->bprm_post_apply_creds (bprm); 1303 } 1304 static inline int security_bprm_set (struct linux_binprm *bprm) 1305 { 1306 return security_ops->bprm_set_security (bprm); 1307 } 1308 1309 static inline int security_bprm_check (struct linux_binprm *bprm) 1310 { 1311 return security_ops->bprm_check_security (bprm); 1312 } 1313 1314 static inline int security_bprm_secureexec (struct linux_binprm *bprm) 1315 { 1316 return security_ops->bprm_secureexec (bprm); 1317 } 1318 1319 static inline int security_sb_alloc (struct super_block *sb) 1320 { 1321 return security_ops->sb_alloc_security (sb); 1322 } 1323 1324 static inline void security_sb_free (struct super_block *sb) 1325 { 1326 security_ops->sb_free_security (sb); 1327 } 1328 1329 static inline int security_sb_copy_data (struct file_system_type *type, 1330 void *orig, void *copy) 1331 { 1332 return security_ops->sb_copy_data (type, orig, copy); 1333 } 1334 1335 static inline int security_sb_kern_mount (struct super_block *sb, void *data) 1336 { 1337 return security_ops->sb_kern_mount (sb, data); 1338 } 1339 1340 static inline int security_sb_statfs (struct super_block *sb) 1341 { 1342 return security_ops->sb_statfs (sb); 1343 } 1344 1345 static inline int security_sb_mount (char *dev_name, struct nameidata *nd, 1346 char *type, unsigned long flags, 1347 void *data) 1348 { 1349 return security_ops->sb_mount (dev_name, nd, type, flags, data); 1350 } 1351 1352 static inline int security_sb_check_sb (struct vfsmount *mnt, 1353 struct nameidata *nd) 1354 { 1355 return security_ops->sb_check_sb (mnt, nd); 1356 } 1357 1358 static inline int security_sb_umount (struct vfsmount *mnt, int flags) 1359 { 1360 return security_ops->sb_umount (mnt, flags); 1361 } 1362 1363 static inline void security_sb_umount_close (struct vfsmount *mnt) 1364 { 1365 security_ops->sb_umount_close (mnt); 1366 } 1367 1368 static inline void security_sb_umount_busy (struct vfsmount *mnt) 1369 { 1370 security_ops->sb_umount_busy (mnt); 1371 } 1372 1373 static inline void security_sb_post_remount (struct vfsmount *mnt, 1374 unsigned long flags, void *data) 1375 { 1376 security_ops->sb_post_remount (mnt, flags, data); 1377 } 1378 1379 static inline void security_sb_post_mountroot (void) 1380 { 1381 security_ops->sb_post_mountroot (); 1382 } 1383 1384 static inline void security_sb_post_addmount (struct vfsmount *mnt, 1385 struct nameidata *mountpoint_nd) 1386 { 1387 security_ops->sb_post_addmount (mnt, mountpoint_nd); 1388 } 1389 1390 static inline int security_sb_pivotroot (struct nameidata *old_nd, 1391 struct nameidata *new_nd) 1392 { 1393 return security_ops->sb_pivotroot (old_nd, new_nd); 1394 } 1395 1396 static inline void security_sb_post_pivotroot (struct nameidata *old_nd, 1397 struct nameidata *new_nd) 1398 { 1399 security_ops->sb_post_pivotroot (old_nd, new_nd); 1400 } 1401 1402 static inline int security_inode_alloc (struct inode *inode) 1403 { 1404 if (unlikely (IS_PRIVATE (inode))) 1405 return 0; 1406 return security_ops->inode_alloc_security (inode); 1407 } 1408 1409 static inline void security_inode_free (struct inode *inode) 1410 { 1411 if (unlikely (IS_PRIVATE (inode))) 1412 return; 1413 security_ops->inode_free_security (inode); 1414 } 1415 1416 static inline int security_inode_init_security (struct inode *inode, 1417 struct inode *dir, 1418 char **name, 1419 void **value, 1420 size_t *len) 1421 { 1422 if (unlikely (IS_PRIVATE (inode))) 1423 return -EOPNOTSUPP; 1424 return security_ops->inode_init_security (inode, dir, name, value, len); 1425 } 1426 1427 static inline int security_inode_create (struct inode *dir, 1428 struct dentry *dentry, 1429 int mode) 1430 { 1431 if (unlikely (IS_PRIVATE (dir))) 1432 return 0; 1433 return security_ops->inode_create (dir, dentry, mode); 1434 } 1435 1436 static inline int security_inode_link (struct dentry *old_dentry, 1437 struct inode *dir, 1438 struct dentry *new_dentry) 1439 { 1440 if (unlikely (IS_PRIVATE (old_dentry->d_inode))) 1441 return 0; 1442 return security_ops->inode_link (old_dentry, dir, new_dentry); 1443 } 1444 1445 static inline int security_inode_unlink (struct inode *dir, 1446 struct dentry *dentry) 1447 { 1448 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1449 return 0; 1450 return security_ops->inode_unlink (dir, dentry); 1451 } 1452 1453 static inline int security_inode_symlink (struct inode *dir, 1454 struct dentry *dentry, 1455 const char *old_name) 1456 { 1457 if (unlikely (IS_PRIVATE (dir))) 1458 return 0; 1459 return security_ops->inode_symlink (dir, dentry, old_name); 1460 } 1461 1462 static inline int security_inode_mkdir (struct inode *dir, 1463 struct dentry *dentry, 1464 int mode) 1465 { 1466 if (unlikely (IS_PRIVATE (dir))) 1467 return 0; 1468 return security_ops->inode_mkdir (dir, dentry, mode); 1469 } 1470 1471 static inline int security_inode_rmdir (struct inode *dir, 1472 struct dentry *dentry) 1473 { 1474 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1475 return 0; 1476 return security_ops->inode_rmdir (dir, dentry); 1477 } 1478 1479 static inline int security_inode_mknod (struct inode *dir, 1480 struct dentry *dentry, 1481 int mode, dev_t dev) 1482 { 1483 if (unlikely (IS_PRIVATE (dir))) 1484 return 0; 1485 return security_ops->inode_mknod (dir, dentry, mode, dev); 1486 } 1487 1488 static inline int security_inode_rename (struct inode *old_dir, 1489 struct dentry *old_dentry, 1490 struct inode *new_dir, 1491 struct dentry *new_dentry) 1492 { 1493 if (unlikely (IS_PRIVATE (old_dentry->d_inode) || 1494 (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) 1495 return 0; 1496 return security_ops->inode_rename (old_dir, old_dentry, 1497 new_dir, new_dentry); 1498 } 1499 1500 static inline int security_inode_readlink (struct dentry *dentry) 1501 { 1502 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1503 return 0; 1504 return security_ops->inode_readlink (dentry); 1505 } 1506 1507 static inline int security_inode_follow_link (struct dentry *dentry, 1508 struct nameidata *nd) 1509 { 1510 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1511 return 0; 1512 return security_ops->inode_follow_link (dentry, nd); 1513 } 1514 1515 static inline int security_inode_permission (struct inode *inode, int mask, 1516 struct nameidata *nd) 1517 { 1518 if (unlikely (IS_PRIVATE (inode))) 1519 return 0; 1520 return security_ops->inode_permission (inode, mask, nd); 1521 } 1522 1523 static inline int security_inode_setattr (struct dentry *dentry, 1524 struct iattr *attr) 1525 { 1526 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1527 return 0; 1528 return security_ops->inode_setattr (dentry, attr); 1529 } 1530 1531 static inline int security_inode_getattr (struct vfsmount *mnt, 1532 struct dentry *dentry) 1533 { 1534 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1535 return 0; 1536 return security_ops->inode_getattr (mnt, dentry); 1537 } 1538 1539 static inline void security_inode_delete (struct inode *inode) 1540 { 1541 if (unlikely (IS_PRIVATE (inode))) 1542 return; 1543 security_ops->inode_delete (inode); 1544 } 1545 1546 static inline int security_inode_setxattr (struct dentry *dentry, char *name, 1547 void *value, size_t size, int flags) 1548 { 1549 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1550 return 0; 1551 return security_ops->inode_setxattr (dentry, name, value, size, flags); 1552 } 1553 1554 static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 1555 void *value, size_t size, int flags) 1556 { 1557 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1558 return; 1559 security_ops->inode_post_setxattr (dentry, name, value, size, flags); 1560 } 1561 1562 static inline int security_inode_getxattr (struct dentry *dentry, char *name) 1563 { 1564 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1565 return 0; 1566 return security_ops->inode_getxattr (dentry, name); 1567 } 1568 1569 static inline int security_inode_listxattr (struct dentry *dentry) 1570 { 1571 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1572 return 0; 1573 return security_ops->inode_listxattr (dentry); 1574 } 1575 1576 static inline int security_inode_removexattr (struct dentry *dentry, char *name) 1577 { 1578 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1579 return 0; 1580 return security_ops->inode_removexattr (dentry, name); 1581 } 1582 1583 static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 1584 { 1585 if (unlikely (IS_PRIVATE (inode))) 1586 return 0; 1587 return security_ops->inode_getsecurity(inode, name, buffer, size); 1588 } 1589 1590 static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 1591 { 1592 if (unlikely (IS_PRIVATE (inode))) 1593 return 0; 1594 return security_ops->inode_setsecurity(inode, name, value, size, flags); 1595 } 1596 1597 static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 1598 { 1599 if (unlikely (IS_PRIVATE (inode))) 1600 return 0; 1601 return security_ops->inode_listsecurity(inode, buffer, buffer_size); 1602 } 1603 1604 static inline int security_file_permission (struct file *file, int mask) 1605 { 1606 return security_ops->file_permission (file, mask); 1607 } 1608 1609 static inline int security_file_alloc (struct file *file) 1610 { 1611 return security_ops->file_alloc_security (file); 1612 } 1613 1614 static inline void security_file_free (struct file *file) 1615 { 1616 security_ops->file_free_security (file); 1617 } 1618 1619 static inline int security_file_ioctl (struct file *file, unsigned int cmd, 1620 unsigned long arg) 1621 { 1622 return security_ops->file_ioctl (file, cmd, arg); 1623 } 1624 1625 static inline int security_file_mmap (struct file *file, unsigned long reqprot, 1626 unsigned long prot, 1627 unsigned long flags) 1628 { 1629 return security_ops->file_mmap (file, reqprot, prot, flags); 1630 } 1631 1632 static inline int security_file_mprotect (struct vm_area_struct *vma, 1633 unsigned long reqprot, 1634 unsigned long prot) 1635 { 1636 return security_ops->file_mprotect (vma, reqprot, prot); 1637 } 1638 1639 static inline int security_file_lock (struct file *file, unsigned int cmd) 1640 { 1641 return security_ops->file_lock (file, cmd); 1642 } 1643 1644 static inline int security_file_fcntl (struct file *file, unsigned int cmd, 1645 unsigned long arg) 1646 { 1647 return security_ops->file_fcntl (file, cmd, arg); 1648 } 1649 1650 static inline int security_file_set_fowner (struct file *file) 1651 { 1652 return security_ops->file_set_fowner (file); 1653 } 1654 1655 static inline int security_file_send_sigiotask (struct task_struct *tsk, 1656 struct fown_struct *fown, 1657 int sig) 1658 { 1659 return security_ops->file_send_sigiotask (tsk, fown, sig); 1660 } 1661 1662 static inline int security_file_receive (struct file *file) 1663 { 1664 return security_ops->file_receive (file); 1665 } 1666 1667 static inline int security_task_create (unsigned long clone_flags) 1668 { 1669 return security_ops->task_create (clone_flags); 1670 } 1671 1672 static inline int security_task_alloc (struct task_struct *p) 1673 { 1674 return security_ops->task_alloc_security (p); 1675 } 1676 1677 static inline void security_task_free (struct task_struct *p) 1678 { 1679 security_ops->task_free_security (p); 1680 } 1681 1682 static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, 1683 int flags) 1684 { 1685 return security_ops->task_setuid (id0, id1, id2, flags); 1686 } 1687 1688 static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, 1689 uid_t old_suid, int flags) 1690 { 1691 return security_ops->task_post_setuid (old_ruid, old_euid, old_suid, flags); 1692 } 1693 1694 static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, 1695 int flags) 1696 { 1697 return security_ops->task_setgid (id0, id1, id2, flags); 1698 } 1699 1700 static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) 1701 { 1702 return security_ops->task_setpgid (p, pgid); 1703 } 1704 1705 static inline int security_task_getpgid (struct task_struct *p) 1706 { 1707 return security_ops->task_getpgid (p); 1708 } 1709 1710 static inline int security_task_getsid (struct task_struct *p) 1711 { 1712 return security_ops->task_getsid (p); 1713 } 1714 1715 static inline int security_task_setgroups (struct group_info *group_info) 1716 { 1717 return security_ops->task_setgroups (group_info); 1718 } 1719 1720 static inline int security_task_setnice (struct task_struct *p, int nice) 1721 { 1722 return security_ops->task_setnice (p, nice); 1723 } 1724 1725 static inline int security_task_setrlimit (unsigned int resource, 1726 struct rlimit *new_rlim) 1727 { 1728 return security_ops->task_setrlimit (resource, new_rlim); 1729 } 1730 1731 static inline int security_task_setscheduler (struct task_struct *p, 1732 int policy, 1733 struct sched_param *lp) 1734 { 1735 return security_ops->task_setscheduler (p, policy, lp); 1736 } 1737 1738 static inline int security_task_getscheduler (struct task_struct *p) 1739 { 1740 return security_ops->task_getscheduler (p); 1741 } 1742 1743 static inline int security_task_kill (struct task_struct *p, 1744 struct siginfo *info, int sig) 1745 { 1746 return security_ops->task_kill (p, info, sig); 1747 } 1748 1749 static inline int security_task_wait (struct task_struct *p) 1750 { 1751 return security_ops->task_wait (p); 1752 } 1753 1754 static inline int security_task_prctl (int option, unsigned long arg2, 1755 unsigned long arg3, 1756 unsigned long arg4, 1757 unsigned long arg5) 1758 { 1759 return security_ops->task_prctl (option, arg2, arg3, arg4, arg5); 1760 } 1761 1762 static inline void security_task_reparent_to_init (struct task_struct *p) 1763 { 1764 security_ops->task_reparent_to_init (p); 1765 } 1766 1767 static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 1768 { 1769 security_ops->task_to_inode(p, inode); 1770 } 1771 1772 static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, 1773 short flag) 1774 { 1775 return security_ops->ipc_permission (ipcp, flag); 1776 } 1777 1778 static inline int security_msg_msg_alloc (struct msg_msg * msg) 1779 { 1780 return security_ops->msg_msg_alloc_security (msg); 1781 } 1782 1783 static inline void security_msg_msg_free (struct msg_msg * msg) 1784 { 1785 security_ops->msg_msg_free_security(msg); 1786 } 1787 1788 static inline int security_msg_queue_alloc (struct msg_queue *msq) 1789 { 1790 return security_ops->msg_queue_alloc_security (msq); 1791 } 1792 1793 static inline void security_msg_queue_free (struct msg_queue *msq) 1794 { 1795 security_ops->msg_queue_free_security (msq); 1796 } 1797 1798 static inline int security_msg_queue_associate (struct msg_queue * msq, 1799 int msqflg) 1800 { 1801 return security_ops->msg_queue_associate (msq, msqflg); 1802 } 1803 1804 static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) 1805 { 1806 return security_ops->msg_queue_msgctl (msq, cmd); 1807 } 1808 1809 static inline int security_msg_queue_msgsnd (struct msg_queue * msq, 1810 struct msg_msg * msg, int msqflg) 1811 { 1812 return security_ops->msg_queue_msgsnd (msq, msg, msqflg); 1813 } 1814 1815 static inline int security_msg_queue_msgrcv (struct msg_queue * msq, 1816 struct msg_msg * msg, 1817 struct task_struct * target, 1818 long type, int mode) 1819 { 1820 return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode); 1821 } 1822 1823 static inline int security_shm_alloc (struct shmid_kernel *shp) 1824 { 1825 return security_ops->shm_alloc_security (shp); 1826 } 1827 1828 static inline void security_shm_free (struct shmid_kernel *shp) 1829 { 1830 security_ops->shm_free_security (shp); 1831 } 1832 1833 static inline int security_shm_associate (struct shmid_kernel * shp, 1834 int shmflg) 1835 { 1836 return security_ops->shm_associate(shp, shmflg); 1837 } 1838 1839 static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) 1840 { 1841 return security_ops->shm_shmctl (shp, cmd); 1842 } 1843 1844 static inline int security_shm_shmat (struct shmid_kernel * shp, 1845 char __user *shmaddr, int shmflg) 1846 { 1847 return security_ops->shm_shmat(shp, shmaddr, shmflg); 1848 } 1849 1850 static inline int security_sem_alloc (struct sem_array *sma) 1851 { 1852 return security_ops->sem_alloc_security (sma); 1853 } 1854 1855 static inline void security_sem_free (struct sem_array *sma) 1856 { 1857 security_ops->sem_free_security (sma); 1858 } 1859 1860 static inline int security_sem_associate (struct sem_array * sma, int semflg) 1861 { 1862 return security_ops->sem_associate (sma, semflg); 1863 } 1864 1865 static inline int security_sem_semctl (struct sem_array * sma, int cmd) 1866 { 1867 return security_ops->sem_semctl(sma, cmd); 1868 } 1869 1870 static inline int security_sem_semop (struct sem_array * sma, 1871 struct sembuf * sops, unsigned nsops, 1872 int alter) 1873 { 1874 return security_ops->sem_semop(sma, sops, nsops, alter); 1875 } 1876 1877 static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) 1878 { 1879 if (unlikely (inode && IS_PRIVATE (inode))) 1880 return; 1881 security_ops->d_instantiate (dentry, inode); 1882 } 1883 1884 static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) 1885 { 1886 return security_ops->getprocattr(p, name, value, size); 1887 } 1888 1889 static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 1890 { 1891 return security_ops->setprocattr(p, name, value, size); 1892 } 1893 1894 static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb) 1895 { 1896 return security_ops->netlink_send(sk, skb); 1897 } 1898 1899 static inline int security_netlink_recv(struct sk_buff * skb) 1900 { 1901 return security_ops->netlink_recv(skb); 1902 } 1903 1904 /* prototypes */ 1905 extern int security_init (void); 1906 extern int register_security (struct security_operations *ops); 1907 extern int unregister_security (struct security_operations *ops); 1908 extern int mod_reg_security (const char *name, struct security_operations *ops); 1909 extern int mod_unreg_security (const char *name, struct security_operations *ops); 1910 extern struct dentry *securityfs_create_file(const char *name, mode_t mode, 1911 struct dentry *parent, void *data, 1912 struct file_operations *fops); 1913 extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent); 1914 extern void securityfs_remove(struct dentry *dentry); 1915 1916 1917 #else /* CONFIG_SECURITY */ 1918 1919 /* 1920 * This is the default capabilities functionality. Most of these functions 1921 * are just stubbed out, but a few must call the proper capable code. 1922 */ 1923 1924 static inline int security_init(void) 1925 { 1926 return 0; 1927 } 1928 1929 static inline int security_ptrace (struct task_struct *parent, struct task_struct * child) 1930 { 1931 return cap_ptrace (parent, child); 1932 } 1933 1934 static inline int security_capget (struct task_struct *target, 1935 kernel_cap_t *effective, 1936 kernel_cap_t *inheritable, 1937 kernel_cap_t *permitted) 1938 { 1939 return cap_capget (target, effective, inheritable, permitted); 1940 } 1941 1942 static inline int security_capset_check (struct task_struct *target, 1943 kernel_cap_t *effective, 1944 kernel_cap_t *inheritable, 1945 kernel_cap_t *permitted) 1946 { 1947 return cap_capset_check (target, effective, inheritable, permitted); 1948 } 1949 1950 static inline void security_capset_set (struct task_struct *target, 1951 kernel_cap_t *effective, 1952 kernel_cap_t *inheritable, 1953 kernel_cap_t *permitted) 1954 { 1955 cap_capset_set (target, effective, inheritable, permitted); 1956 } 1957 1958 static inline int security_acct (struct file *file) 1959 { 1960 return 0; 1961 } 1962 1963 static inline int security_sysctl(struct ctl_table *table, int op) 1964 { 1965 return 0; 1966 } 1967 1968 static inline int security_quotactl (int cmds, int type, int id, 1969 struct super_block * sb) 1970 { 1971 return 0; 1972 } 1973 1974 static inline int security_quota_on (struct dentry * dentry) 1975 { 1976 return 0; 1977 } 1978 1979 static inline int security_syslog(int type) 1980 { 1981 return cap_syslog(type); 1982 } 1983 1984 static inline int security_settime(struct timespec *ts, struct timezone *tz) 1985 { 1986 return cap_settime(ts, tz); 1987 } 1988 1989 static inline int security_vm_enough_memory(long pages) 1990 { 1991 return cap_vm_enough_memory(pages); 1992 } 1993 1994 static inline int security_bprm_alloc (struct linux_binprm *bprm) 1995 { 1996 return 0; 1997 } 1998 1999 static inline void security_bprm_free (struct linux_binprm *bprm) 2000 { } 2001 2002 static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 2003 { 2004 cap_bprm_apply_creds (bprm, unsafe); 2005 } 2006 2007 static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) 2008 { 2009 return; 2010 } 2011 2012 static inline int security_bprm_set (struct linux_binprm *bprm) 2013 { 2014 return cap_bprm_set_security (bprm); 2015 } 2016 2017 static inline int security_bprm_check (struct linux_binprm *bprm) 2018 { 2019 return 0; 2020 } 2021 2022 static inline int security_bprm_secureexec (struct linux_binprm *bprm) 2023 { 2024 return cap_bprm_secureexec(bprm); 2025 } 2026 2027 static inline int security_sb_alloc (struct super_block *sb) 2028 { 2029 return 0; 2030 } 2031 2032 static inline void security_sb_free (struct super_block *sb) 2033 { } 2034 2035 static inline int security_sb_copy_data (struct file_system_type *type, 2036 void *orig, void *copy) 2037 { 2038 return 0; 2039 } 2040 2041 static inline int security_sb_kern_mount (struct super_block *sb, void *data) 2042 { 2043 return 0; 2044 } 2045 2046 static inline int security_sb_statfs (struct super_block *sb) 2047 { 2048 return 0; 2049 } 2050 2051 static inline int security_sb_mount (char *dev_name, struct nameidata *nd, 2052 char *type, unsigned long flags, 2053 void *data) 2054 { 2055 return 0; 2056 } 2057 2058 static inline int security_sb_check_sb (struct vfsmount *mnt, 2059 struct nameidata *nd) 2060 { 2061 return 0; 2062 } 2063 2064 static inline int security_sb_umount (struct vfsmount *mnt, int flags) 2065 { 2066 return 0; 2067 } 2068 2069 static inline void security_sb_umount_close (struct vfsmount *mnt) 2070 { } 2071 2072 static inline void security_sb_umount_busy (struct vfsmount *mnt) 2073 { } 2074 2075 static inline void security_sb_post_remount (struct vfsmount *mnt, 2076 unsigned long flags, void *data) 2077 { } 2078 2079 static inline void security_sb_post_mountroot (void) 2080 { } 2081 2082 static inline void security_sb_post_addmount (struct vfsmount *mnt, 2083 struct nameidata *mountpoint_nd) 2084 { } 2085 2086 static inline int security_sb_pivotroot (struct nameidata *old_nd, 2087 struct nameidata *new_nd) 2088 { 2089 return 0; 2090 } 2091 2092 static inline void security_sb_post_pivotroot (struct nameidata *old_nd, 2093 struct nameidata *new_nd) 2094 { } 2095 2096 static inline int security_inode_alloc (struct inode *inode) 2097 { 2098 return 0; 2099 } 2100 2101 static inline void security_inode_free (struct inode *inode) 2102 { } 2103 2104 static inline int security_inode_init_security (struct inode *inode, 2105 struct inode *dir, 2106 char **name, 2107 void **value, 2108 size_t *len) 2109 { 2110 return -EOPNOTSUPP; 2111 } 2112 2113 static inline int security_inode_create (struct inode *dir, 2114 struct dentry *dentry, 2115 int mode) 2116 { 2117 return 0; 2118 } 2119 2120 static inline int security_inode_link (struct dentry *old_dentry, 2121 struct inode *dir, 2122 struct dentry *new_dentry) 2123 { 2124 return 0; 2125 } 2126 2127 static inline int security_inode_unlink (struct inode *dir, 2128 struct dentry *dentry) 2129 { 2130 return 0; 2131 } 2132 2133 static inline int security_inode_symlink (struct inode *dir, 2134 struct dentry *dentry, 2135 const char *old_name) 2136 { 2137 return 0; 2138 } 2139 2140 static inline int security_inode_mkdir (struct inode *dir, 2141 struct dentry *dentry, 2142 int mode) 2143 { 2144 return 0; 2145 } 2146 2147 static inline int security_inode_rmdir (struct inode *dir, 2148 struct dentry *dentry) 2149 { 2150 return 0; 2151 } 2152 2153 static inline int security_inode_mknod (struct inode *dir, 2154 struct dentry *dentry, 2155 int mode, dev_t dev) 2156 { 2157 return 0; 2158 } 2159 2160 static inline int security_inode_rename (struct inode *old_dir, 2161 struct dentry *old_dentry, 2162 struct inode *new_dir, 2163 struct dentry *new_dentry) 2164 { 2165 return 0; 2166 } 2167 2168 static inline int security_inode_readlink (struct dentry *dentry) 2169 { 2170 return 0; 2171 } 2172 2173 static inline int security_inode_follow_link (struct dentry *dentry, 2174 struct nameidata *nd) 2175 { 2176 return 0; 2177 } 2178 2179 static inline int security_inode_permission (struct inode *inode, int mask, 2180 struct nameidata *nd) 2181 { 2182 return 0; 2183 } 2184 2185 static inline int security_inode_setattr (struct dentry *dentry, 2186 struct iattr *attr) 2187 { 2188 return 0; 2189 } 2190 2191 static inline int security_inode_getattr (struct vfsmount *mnt, 2192 struct dentry *dentry) 2193 { 2194 return 0; 2195 } 2196 2197 static inline void security_inode_delete (struct inode *inode) 2198 { } 2199 2200 static inline int security_inode_setxattr (struct dentry *dentry, char *name, 2201 void *value, size_t size, int flags) 2202 { 2203 return cap_inode_setxattr(dentry, name, value, size, flags); 2204 } 2205 2206 static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 2207 void *value, size_t size, int flags) 2208 { } 2209 2210 static inline int security_inode_getxattr (struct dentry *dentry, char *name) 2211 { 2212 return 0; 2213 } 2214 2215 static inline int security_inode_listxattr (struct dentry *dentry) 2216 { 2217 return 0; 2218 } 2219 2220 static inline int security_inode_removexattr (struct dentry *dentry, char *name) 2221 { 2222 return cap_inode_removexattr(dentry, name); 2223 } 2224 2225 static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 2226 { 2227 return -EOPNOTSUPP; 2228 } 2229 2230 static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 2231 { 2232 return -EOPNOTSUPP; 2233 } 2234 2235 static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2236 { 2237 return 0; 2238 } 2239 2240 static inline int security_file_permission (struct file *file, int mask) 2241 { 2242 return 0; 2243 } 2244 2245 static inline int security_file_alloc (struct file *file) 2246 { 2247 return 0; 2248 } 2249 2250 static inline void security_file_free (struct file *file) 2251 { } 2252 2253 static inline int security_file_ioctl (struct file *file, unsigned int cmd, 2254 unsigned long arg) 2255 { 2256 return 0; 2257 } 2258 2259 static inline int security_file_mmap (struct file *file, unsigned long reqprot, 2260 unsigned long prot, 2261 unsigned long flags) 2262 { 2263 return 0; 2264 } 2265 2266 static inline int security_file_mprotect (struct vm_area_struct *vma, 2267 unsigned long reqprot, 2268 unsigned long prot) 2269 { 2270 return 0; 2271 } 2272 2273 static inline int security_file_lock (struct file *file, unsigned int cmd) 2274 { 2275 return 0; 2276 } 2277 2278 static inline int security_file_fcntl (struct file *file, unsigned int cmd, 2279 unsigned long arg) 2280 { 2281 return 0; 2282 } 2283 2284 static inline int security_file_set_fowner (struct file *file) 2285 { 2286 return 0; 2287 } 2288 2289 static inline int security_file_send_sigiotask (struct task_struct *tsk, 2290 struct fown_struct *fown, 2291 int sig) 2292 { 2293 return 0; 2294 } 2295 2296 static inline int security_file_receive (struct file *file) 2297 { 2298 return 0; 2299 } 2300 2301 static inline int security_task_create (unsigned long clone_flags) 2302 { 2303 return 0; 2304 } 2305 2306 static inline int security_task_alloc (struct task_struct *p) 2307 { 2308 return 0; 2309 } 2310 2311 static inline void security_task_free (struct task_struct *p) 2312 { } 2313 2314 static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, 2315 int flags) 2316 { 2317 return 0; 2318 } 2319 2320 static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, 2321 uid_t old_suid, int flags) 2322 { 2323 return cap_task_post_setuid (old_ruid, old_euid, old_suid, flags); 2324 } 2325 2326 static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, 2327 int flags) 2328 { 2329 return 0; 2330 } 2331 2332 static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) 2333 { 2334 return 0; 2335 } 2336 2337 static inline int security_task_getpgid (struct task_struct *p) 2338 { 2339 return 0; 2340 } 2341 2342 static inline int security_task_getsid (struct task_struct *p) 2343 { 2344 return 0; 2345 } 2346 2347 static inline int security_task_setgroups (struct group_info *group_info) 2348 { 2349 return 0; 2350 } 2351 2352 static inline int security_task_setnice (struct task_struct *p, int nice) 2353 { 2354 return 0; 2355 } 2356 2357 static inline int security_task_setrlimit (unsigned int resource, 2358 struct rlimit *new_rlim) 2359 { 2360 return 0; 2361 } 2362 2363 static inline int security_task_setscheduler (struct task_struct *p, 2364 int policy, 2365 struct sched_param *lp) 2366 { 2367 return 0; 2368 } 2369 2370 static inline int security_task_getscheduler (struct task_struct *p) 2371 { 2372 return 0; 2373 } 2374 2375 static inline int security_task_kill (struct task_struct *p, 2376 struct siginfo *info, int sig) 2377 { 2378 return 0; 2379 } 2380 2381 static inline int security_task_wait (struct task_struct *p) 2382 { 2383 return 0; 2384 } 2385 2386 static inline int security_task_prctl (int option, unsigned long arg2, 2387 unsigned long arg3, 2388 unsigned long arg4, 2389 unsigned long arg5) 2390 { 2391 return 0; 2392 } 2393 2394 static inline void security_task_reparent_to_init (struct task_struct *p) 2395 { 2396 cap_task_reparent_to_init (p); 2397 } 2398 2399 static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 2400 { } 2401 2402 static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, 2403 short flag) 2404 { 2405 return 0; 2406 } 2407 2408 static inline int security_msg_msg_alloc (struct msg_msg * msg) 2409 { 2410 return 0; 2411 } 2412 2413 static inline void security_msg_msg_free (struct msg_msg * msg) 2414 { } 2415 2416 static inline int security_msg_queue_alloc (struct msg_queue *msq) 2417 { 2418 return 0; 2419 } 2420 2421 static inline void security_msg_queue_free (struct msg_queue *msq) 2422 { } 2423 2424 static inline int security_msg_queue_associate (struct msg_queue * msq, 2425 int msqflg) 2426 { 2427 return 0; 2428 } 2429 2430 static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) 2431 { 2432 return 0; 2433 } 2434 2435 static inline int security_msg_queue_msgsnd (struct msg_queue * msq, 2436 struct msg_msg * msg, int msqflg) 2437 { 2438 return 0; 2439 } 2440 2441 static inline int security_msg_queue_msgrcv (struct msg_queue * msq, 2442 struct msg_msg * msg, 2443 struct task_struct * target, 2444 long type, int mode) 2445 { 2446 return 0; 2447 } 2448 2449 static inline int security_shm_alloc (struct shmid_kernel *shp) 2450 { 2451 return 0; 2452 } 2453 2454 static inline void security_shm_free (struct shmid_kernel *shp) 2455 { } 2456 2457 static inline int security_shm_associate (struct shmid_kernel * shp, 2458 int shmflg) 2459 { 2460 return 0; 2461 } 2462 2463 static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) 2464 { 2465 return 0; 2466 } 2467 2468 static inline int security_shm_shmat (struct shmid_kernel * shp, 2469 char __user *shmaddr, int shmflg) 2470 { 2471 return 0; 2472 } 2473 2474 static inline int security_sem_alloc (struct sem_array *sma) 2475 { 2476 return 0; 2477 } 2478 2479 static inline void security_sem_free (struct sem_array *sma) 2480 { } 2481 2482 static inline int security_sem_associate (struct sem_array * sma, int semflg) 2483 { 2484 return 0; 2485 } 2486 2487 static inline int security_sem_semctl (struct sem_array * sma, int cmd) 2488 { 2489 return 0; 2490 } 2491 2492 static inline int security_sem_semop (struct sem_array * sma, 2493 struct sembuf * sops, unsigned nsops, 2494 int alter) 2495 { 2496 return 0; 2497 } 2498 2499 static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) 2500 { } 2501 2502 static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) 2503 { 2504 return -EINVAL; 2505 } 2506 2507 static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 2508 { 2509 return -EINVAL; 2510 } 2511 2512 static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb) 2513 { 2514 return cap_netlink_send (sk, skb); 2515 } 2516 2517 static inline int security_netlink_recv (struct sk_buff *skb) 2518 { 2519 return cap_netlink_recv (skb); 2520 } 2521 2522 #endif /* CONFIG_SECURITY */ 2523 2524 #ifdef CONFIG_SECURITY_NETWORK 2525 static inline int security_unix_stream_connect(struct socket * sock, 2526 struct socket * other, 2527 struct sock * newsk) 2528 { 2529 return security_ops->unix_stream_connect(sock, other, newsk); 2530 } 2531 2532 2533 static inline int security_unix_may_send(struct socket * sock, 2534 struct socket * other) 2535 { 2536 return security_ops->unix_may_send(sock, other); 2537 } 2538 2539 static inline int security_socket_create (int family, int type, 2540 int protocol, int kern) 2541 { 2542 return security_ops->socket_create(family, type, protocol, kern); 2543 } 2544 2545 static inline void security_socket_post_create(struct socket * sock, 2546 int family, 2547 int type, 2548 int protocol, int kern) 2549 { 2550 security_ops->socket_post_create(sock, family, type, 2551 protocol, kern); 2552 } 2553 2554 static inline int security_socket_bind(struct socket * sock, 2555 struct sockaddr * address, 2556 int addrlen) 2557 { 2558 return security_ops->socket_bind(sock, address, addrlen); 2559 } 2560 2561 static inline int security_socket_connect(struct socket * sock, 2562 struct sockaddr * address, 2563 int addrlen) 2564 { 2565 return security_ops->socket_connect(sock, address, addrlen); 2566 } 2567 2568 static inline int security_socket_listen(struct socket * sock, int backlog) 2569 { 2570 return security_ops->socket_listen(sock, backlog); 2571 } 2572 2573 static inline int security_socket_accept(struct socket * sock, 2574 struct socket * newsock) 2575 { 2576 return security_ops->socket_accept(sock, newsock); 2577 } 2578 2579 static inline void security_socket_post_accept(struct socket * sock, 2580 struct socket * newsock) 2581 { 2582 security_ops->socket_post_accept(sock, newsock); 2583 } 2584 2585 static inline int security_socket_sendmsg(struct socket * sock, 2586 struct msghdr * msg, int size) 2587 { 2588 return security_ops->socket_sendmsg(sock, msg, size); 2589 } 2590 2591 static inline int security_socket_recvmsg(struct socket * sock, 2592 struct msghdr * msg, int size, 2593 int flags) 2594 { 2595 return security_ops->socket_recvmsg(sock, msg, size, flags); 2596 } 2597 2598 static inline int security_socket_getsockname(struct socket * sock) 2599 { 2600 return security_ops->socket_getsockname(sock); 2601 } 2602 2603 static inline int security_socket_getpeername(struct socket * sock) 2604 { 2605 return security_ops->socket_getpeername(sock); 2606 } 2607 2608 static inline int security_socket_getsockopt(struct socket * sock, 2609 int level, int optname) 2610 { 2611 return security_ops->socket_getsockopt(sock, level, optname); 2612 } 2613 2614 static inline int security_socket_setsockopt(struct socket * sock, 2615 int level, int optname) 2616 { 2617 return security_ops->socket_setsockopt(sock, level, optname); 2618 } 2619 2620 static inline int security_socket_shutdown(struct socket * sock, int how) 2621 { 2622 return security_ops->socket_shutdown(sock, how); 2623 } 2624 2625 static inline int security_sock_rcv_skb (struct sock * sk, 2626 struct sk_buff * skb) 2627 { 2628 return security_ops->socket_sock_rcv_skb (sk, skb); 2629 } 2630 2631 static inline int security_socket_getpeersec(struct socket *sock, char __user *optval, 2632 int __user *optlen, unsigned len) 2633 { 2634 return security_ops->socket_getpeersec(sock, optval, optlen, len); 2635 } 2636 2637 static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) 2638 { 2639 return security_ops->sk_alloc_security(sk, family, priority); 2640 } 2641 2642 static inline void security_sk_free(struct sock *sk) 2643 { 2644 return security_ops->sk_free_security(sk); 2645 } 2646 #else /* CONFIG_SECURITY_NETWORK */ 2647 static inline int security_unix_stream_connect(struct socket * sock, 2648 struct socket * other, 2649 struct sock * newsk) 2650 { 2651 return 0; 2652 } 2653 2654 static inline int security_unix_may_send(struct socket * sock, 2655 struct socket * other) 2656 { 2657 return 0; 2658 } 2659 2660 static inline int security_socket_create (int family, int type, 2661 int protocol, int kern) 2662 { 2663 return 0; 2664 } 2665 2666 static inline void security_socket_post_create(struct socket * sock, 2667 int family, 2668 int type, 2669 int protocol, int kern) 2670 { 2671 } 2672 2673 static inline int security_socket_bind(struct socket * sock, 2674 struct sockaddr * address, 2675 int addrlen) 2676 { 2677 return 0; 2678 } 2679 2680 static inline int security_socket_connect(struct socket * sock, 2681 struct sockaddr * address, 2682 int addrlen) 2683 { 2684 return 0; 2685 } 2686 2687 static inline int security_socket_listen(struct socket * sock, int backlog) 2688 { 2689 return 0; 2690 } 2691 2692 static inline int security_socket_accept(struct socket * sock, 2693 struct socket * newsock) 2694 { 2695 return 0; 2696 } 2697 2698 static inline void security_socket_post_accept(struct socket * sock, 2699 struct socket * newsock) 2700 { 2701 } 2702 2703 static inline int security_socket_sendmsg(struct socket * sock, 2704 struct msghdr * msg, int size) 2705 { 2706 return 0; 2707 } 2708 2709 static inline int security_socket_recvmsg(struct socket * sock, 2710 struct msghdr * msg, int size, 2711 int flags) 2712 { 2713 return 0; 2714 } 2715 2716 static inline int security_socket_getsockname(struct socket * sock) 2717 { 2718 return 0; 2719 } 2720 2721 static inline int security_socket_getpeername(struct socket * sock) 2722 { 2723 return 0; 2724 } 2725 2726 static inline int security_socket_getsockopt(struct socket * sock, 2727 int level, int optname) 2728 { 2729 return 0; 2730 } 2731 2732 static inline int security_socket_setsockopt(struct socket * sock, 2733 int level, int optname) 2734 { 2735 return 0; 2736 } 2737 2738 static inline int security_socket_shutdown(struct socket * sock, int how) 2739 { 2740 return 0; 2741 } 2742 static inline int security_sock_rcv_skb (struct sock * sk, 2743 struct sk_buff * skb) 2744 { 2745 return 0; 2746 } 2747 2748 static inline int security_socket_getpeersec(struct socket *sock, char __user *optval, 2749 int __user *optlen, unsigned len) 2750 { 2751 return -ENOPROTOOPT; 2752 } 2753 2754 static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) 2755 { 2756 return 0; 2757 } 2758 2759 static inline void security_sk_free(struct sock *sk) 2760 { 2761 } 2762 #endif /* CONFIG_SECURITY_NETWORK */ 2763 2764 #endif /* ! __LINUX_SECURITY_H */ 2765 2766