Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security

Pull security subsystem updates from James Morris: "Highlights: IMA: - provide ">" and "<" operators for fowner/uid/euid rules KEYS: - add a system blacklist keyring - add KEYCTL_RESTRICT_KEYRING, exposes keyring link restriction functionality to userland via keyctl() LSM: - harden LSM API with __ro_after_init - add prlmit security hook, implement for SELinux - revive security_task_alloc hook TPM: - implement contextual TPM command 'spaces'" * 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (98 commits) tpm: Fix reference count to main device tpm_tis: convert to using locality callbacks tpm: fix handling of the TPM 2.0 event logs tpm_crb: remove a cruft constant keys: select CONFIG_CRYPTO when selecting DH / KDF apparmor: Make path_max parameter readonly apparmor: fix parameters so that the permission test is bypassed at boot apparmor: fix invalid reference to index variable of iterator line 836 apparmor: use SHASH_DESC_ON_STACK security/apparmor/lsm.c: set debug messages apparmor: fix boolreturn.cocci warnings Smack: Use GFP_KERNEL for smk_netlbl_mls(). smack: fix double free in smack_parse_opts_str() KEYS: add SP800-56A KDF support for DH KEYS: Keyring asymmetric key restrict method with chaining KEYS: Restrict asymmetric key linkage using a specific keychain KEYS: Add a lookup_restriction function for the asymmetric key type KEYS: Add KEYCTL_RESTRICT_KEYRING KEYS: Consistent ordering for __key_link_begin and restrict check KEYS: Add an optional lookup_restriction hook to key_type ...
author: Linus Torvalds <torvalds@linux-foundation.org> 2017-05-03 11:50:52 -0400
committer: Linus Torvalds <torvalds@linux-foundation.org> 2017-05-03 11:50:52 -0400
commit: 0302e28dee643932ee7b3c112ebccdbb9f8ec32c (patch)
tree: 405d4cb3f772ef069ed7f291adc4b74a4e73346e /security/security.c
parent: 89c9fea3c8034cdb2fd745f551cde0b507fd6893 (diff)
parent: 8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 (diff)
1 files changed, 18 insertions, 352 deletions
diff --git a/security/security.c b/security/security.c
index 23555c5504f6..b9fea3999cf8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -32,6 +32,7 @@
 /* Maximum number of letters for an LSM name string */
 #define SECURITY_NAME_MAX       10
+struct security_hook_heads security_hook_heads __lsm_ro_after_init;
 char *lsm_names;
 /* Boot-time LSM user choice */
 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
@@ -54,6 +55,12 @@ static void __init do_security_initcalls(void)
 */
 int __init security_init(void)
 {
+        int i;
+        struct list_head *list = (struct list_head *) &security_hook_heads;
+        for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct list_head);
+             i++)
+                INIT_LIST_HEAD(&list[i]);
        pr_info("Security Framework initialized\n");
        /*
@@ -934,6 +941,11 @@ int security_task_create(unsigned long clone_flags)
        return call_int_hook(task_create, 0, clone_flags);
 }
+int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
+{
+        return call_int_hook(task_alloc, 0, task, clone_flags);
+}
 void security_task_free(struct task_struct *task)
 {
        call_void_hook(task_free, task);
@@ -1040,6 +1052,12 @@ int security_task_getioprio(struct task_struct *p)
        return call_int_hook(task_getioprio, 0, p);
 }
+int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
+                          unsigned int flags)
+{
+        return call_int_hook(task_prlimit, 0, cred, tcred, flags);
+}
 int security_task_setrlimit(struct task_struct *p, unsigned int resource,
                struct rlimit *new_rlim)
 {
@@ -1625,355 +1643,3 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
                                actx);
 }
 #endif /* CONFIG_AUDIT */
-struct security_hook_heads security_hook_heads = {
-        .binder_set_context_mgr =
-                LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr),
-        .binder_transaction =
-                LIST_HEAD_INIT(security_hook_heads.binder_transaction),
-        .binder_transfer_binder =
-                LIST_HEAD_INIT(security_hook_heads.binder_transfer_binder),
-        .binder_transfer_file =
-                LIST_HEAD_INIT(security_hook_heads.binder_transfer_file),
-        .ptrace_access_check =
-                LIST_HEAD_INIT(security_hook_heads.ptrace_access_check),
-        .ptrace_traceme =
-                LIST_HEAD_INIT(security_hook_heads.ptrace_traceme),
-        .capget =       LIST_HEAD_INIT(security_hook_heads.capget),
-        .capset =       LIST_HEAD_INIT(security_hook_heads.capset),
-        .capable =      LIST_HEAD_INIT(security_hook_heads.capable),
-        .quotactl =     LIST_HEAD_INIT(security_hook_heads.quotactl),
-        .quota_on =     LIST_HEAD_INIT(security_hook_heads.quota_on),
-        .syslog =       LIST_HEAD_INIT(security_hook_heads.syslog),
-        .settime =      LIST_HEAD_INIT(security_hook_heads.settime),
-        .vm_enough_memory =
-                LIST_HEAD_INIT(security_hook_heads.vm_enough_memory),
-        .bprm_set_creds =
-                LIST_HEAD_INIT(security_hook_heads.bprm_set_creds),
-        .bprm_check_security =
-                LIST_HEAD_INIT(security_hook_heads.bprm_check_security),
-        .bprm_secureexec =
-                LIST_HEAD_INIT(security_hook_heads.bprm_secureexec),
-        .bprm_committing_creds =
-                LIST_HEAD_INIT(security_hook_heads.bprm_committing_creds),
-        .bprm_committed_creds =
-                LIST_HEAD_INIT(security_hook_heads.bprm_committed_creds),
-        .sb_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.sb_alloc_security),
-        .sb_free_security =
-                LIST_HEAD_INIT(security_hook_heads.sb_free_security),
-        .sb_copy_data = LIST_HEAD_INIT(security_hook_heads.sb_copy_data),
-        .sb_remount =   LIST_HEAD_INIT(security_hook_heads.sb_remount),
-        .sb_kern_mount =
-                LIST_HEAD_INIT(security_hook_heads.sb_kern_mount),
-        .sb_show_options =
-                LIST_HEAD_INIT(security_hook_heads.sb_show_options),
-        .sb_statfs =    LIST_HEAD_INIT(security_hook_heads.sb_statfs),
-        .sb_mount =     LIST_HEAD_INIT(security_hook_heads.sb_mount),
-        .sb_umount =    LIST_HEAD_INIT(security_hook_heads.sb_umount),
-        .sb_pivotroot = LIST_HEAD_INIT(security_hook_heads.sb_pivotroot),
-        .sb_set_mnt_opts =
-                LIST_HEAD_INIT(security_hook_heads.sb_set_mnt_opts),
-        .sb_clone_mnt_opts =
-                LIST_HEAD_INIT(security_hook_heads.sb_clone_mnt_opts),
-        .sb_parse_opts_str =
-                LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
-        .dentry_init_security =
-                LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
-        .dentry_create_files_as =
-                LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
-#ifdef CONFIG_SECURITY_PATH
-        .path_unlink =  LIST_HEAD_INIT(security_hook_heads.path_unlink),
-        .path_mkdir =   LIST_HEAD_INIT(security_hook_heads.path_mkdir),
-        .path_rmdir =   LIST_HEAD_INIT(security_hook_heads.path_rmdir),
-        .path_mknod =   LIST_HEAD_INIT(security_hook_heads.path_mknod),
-        .path_truncate =
-                LIST_HEAD_INIT(security_hook_heads.path_truncate),
-        .path_symlink = LIST_HEAD_INIT(security_hook_heads.path_symlink),
-        .path_link =    LIST_HEAD_INIT(security_hook_heads.path_link),
-        .path_rename =  LIST_HEAD_INIT(security_hook_heads.path_rename),
-        .path_chmod =   LIST_HEAD_INIT(security_hook_heads.path_chmod),
-        .path_chown =   LIST_HEAD_INIT(security_hook_heads.path_chown),
-        .path_chroot =  LIST_HEAD_INIT(security_hook_heads.path_chroot),
-#endif
-        .inode_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.inode_alloc_security),
-        .inode_free_security =
-                LIST_HEAD_INIT(security_hook_heads.inode_free_security),
-        .inode_init_security =
-                LIST_HEAD_INIT(security_hook_heads.inode_init_security),
-        .inode_create = LIST_HEAD_INIT(security_hook_heads.inode_create),
-        .inode_link =   LIST_HEAD_INIT(security_hook_heads.inode_link),
-        .inode_unlink = LIST_HEAD_INIT(security_hook_heads.inode_unlink),
-        .inode_symlink =
-                LIST_HEAD_INIT(security_hook_heads.inode_symlink),
-        .inode_mkdir =  LIST_HEAD_INIT(security_hook_heads.inode_mkdir),
-        .inode_rmdir =  LIST_HEAD_INIT(security_hook_heads.inode_rmdir),
-        .inode_mknod =  LIST_HEAD_INIT(security_hook_heads.inode_mknod),
-        .inode_rename = LIST_HEAD_INIT(security_hook_heads.inode_rename),
-        .inode_readlink =
-                LIST_HEAD_INIT(security_hook_heads.inode_readlink),
-        .inode_follow_link =
-                LIST_HEAD_INIT(security_hook_heads.inode_follow_link),
-        .inode_permission =
-                LIST_HEAD_INIT(security_hook_heads.inode_permission),
-        .inode_setattr =
-                LIST_HEAD_INIT(security_hook_heads.inode_setattr),
-        .inode_getattr =
-                LIST_HEAD_INIT(security_hook_heads.inode_getattr),
-        .inode_setxattr =
-                LIST_HEAD_INIT(security_hook_heads.inode_setxattr),
-        .inode_post_setxattr =
-                LIST_HEAD_INIT(security_hook_heads.inode_post_setxattr),
-        .inode_getxattr =
-                LIST_HEAD_INIT(security_hook_heads.inode_getxattr),
-        .inode_listxattr =
-                LIST_HEAD_INIT(security_hook_heads.inode_listxattr),
-        .inode_removexattr =
-                LIST_HEAD_INIT(security_hook_heads.inode_removexattr),
-        .inode_need_killpriv =
-                LIST_HEAD_INIT(security_hook_heads.inode_need_killpriv),
-        .inode_killpriv =
-                LIST_HEAD_INIT(security_hook_heads.inode_killpriv),
-        .inode_getsecurity =
-                LIST_HEAD_INIT(security_hook_heads.inode_getsecurity),
-        .inode_setsecurity =
-                LIST_HEAD_INIT(security_hook_heads.inode_setsecurity),
-        .inode_listsecurity =
-                LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
-        .inode_getsecid =
-                LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
-        .inode_copy_up =
-                LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
-        .inode_copy_up_xattr =
-                LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
-        .file_permission =
-                LIST_HEAD_INIT(security_hook_heads.file_permission),
-        .file_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.file_alloc_security),
-        .file_free_security =
-                LIST_HEAD_INIT(security_hook_heads.file_free_security),
-        .file_ioctl =   LIST_HEAD_INIT(security_hook_heads.file_ioctl),
-        .mmap_addr =    LIST_HEAD_INIT(security_hook_heads.mmap_addr),
-        .mmap_file =    LIST_HEAD_INIT(security_hook_heads.mmap_file),
-        .file_mprotect =
-                LIST_HEAD_INIT(security_hook_heads.file_mprotect),
-        .file_lock =    LIST_HEAD_INIT(security_hook_heads.file_lock),
-        .file_fcntl =   LIST_HEAD_INIT(security_hook_heads.file_fcntl),
-        .file_set_fowner =
-                LIST_HEAD_INIT(security_hook_heads.file_set_fowner),
-        .file_send_sigiotask =
-                LIST_HEAD_INIT(security_hook_heads.file_send_sigiotask),
-        .file_receive = LIST_HEAD_INIT(security_hook_heads.file_receive),
-        .file_open =    LIST_HEAD_INIT(security_hook_heads.file_open),
-        .task_create =  LIST_HEAD_INIT(security_hook_heads.task_create),
-        .task_free =    LIST_HEAD_INIT(security_hook_heads.task_free),
-        .cred_alloc_blank =
-                LIST_HEAD_INIT(security_hook_heads.cred_alloc_blank),
-        .cred_free =    LIST_HEAD_INIT(security_hook_heads.cred_free),
-        .cred_prepare = LIST_HEAD_INIT(security_hook_heads.cred_prepare),
-        .cred_transfer =
-                LIST_HEAD_INIT(security_hook_heads.cred_transfer),
-        .kernel_act_as =
-                LIST_HEAD_INIT(security_hook_heads.kernel_act_as),
-        .kernel_create_files_as =
-                LIST_HEAD_INIT(security_hook_heads.kernel_create_files_as),
-        .kernel_module_request =
-                LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
-        .kernel_read_file =
-                LIST_HEAD_INIT(security_hook_heads.kernel_read_file),
-        .kernel_post_read_file =
-                LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
-        .task_fix_setuid =
-                LIST_HEAD_INIT(security_hook_heads.task_fix_setuid),
-        .task_setpgid = LIST_HEAD_INIT(security_hook_heads.task_setpgid),
-        .task_getpgid = LIST_HEAD_INIT(security_hook_heads.task_getpgid),
-        .task_getsid =  LIST_HEAD_INIT(security_hook_heads.task_getsid),
-        .task_getsecid =
-                LIST_HEAD_INIT(security_hook_heads.task_getsecid),
-        .task_setnice = LIST_HEAD_INIT(security_hook_heads.task_setnice),
-        .task_setioprio =
-                LIST_HEAD_INIT(security_hook_heads.task_setioprio),
-        .task_getioprio =
-                LIST_HEAD_INIT(security_hook_heads.task_getioprio),
-        .task_setrlimit =
-                LIST_HEAD_INIT(security_hook_heads.task_setrlimit),
-        .task_setscheduler =
-                LIST_HEAD_INIT(security_hook_heads.task_setscheduler),
-        .task_getscheduler =
-                LIST_HEAD_INIT(security_hook_heads.task_getscheduler),
-        .task_movememory =
-                LIST_HEAD_INIT(security_hook_heads.task_movememory),
-        .task_kill =    LIST_HEAD_INIT(security_hook_heads.task_kill),
-        .task_prctl =   LIST_HEAD_INIT(security_hook_heads.task_prctl),
-        .task_to_inode =
-                LIST_HEAD_INIT(security_hook_heads.task_to_inode),
-        .ipc_permission =
-                LIST_HEAD_INIT(security_hook_heads.ipc_permission),
-        .ipc_getsecid = LIST_HEAD_INIT(security_hook_heads.ipc_getsecid),
-        .msg_msg_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.msg_msg_alloc_security),
-        .msg_msg_free_security =
-                LIST_HEAD_INIT(security_hook_heads.msg_msg_free_security),
-        .msg_queue_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.msg_queue_alloc_security),
-        .msg_queue_free_security =
-                LIST_HEAD_INIT(security_hook_heads.msg_queue_free_security),
-        .msg_queue_associate =
-                LIST_HEAD_INIT(security_hook_heads.msg_queue_associate),
-        .msg_queue_msgctl =
-                LIST_HEAD_INIT(security_hook_heads.msg_queue_msgctl),
-        .msg_queue_msgsnd =
-                LIST_HEAD_INIT(security_hook_heads.msg_queue_msgsnd),
-        .msg_queue_msgrcv =
-                LIST_HEAD_INIT(security_hook_heads.msg_queue_msgrcv),
-        .shm_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.shm_alloc_security),
-        .shm_free_security =
-                LIST_HEAD_INIT(security_hook_heads.shm_free_security),
-        .shm_associate =
-                LIST_HEAD_INIT(security_hook_heads.shm_associate),
-        .shm_shmctl =   LIST_HEAD_INIT(security_hook_heads.shm_shmctl),
-        .shm_shmat =    LIST_HEAD_INIT(security_hook_heads.shm_shmat),
-        .sem_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.sem_alloc_security),
-        .sem_free_security =
-                LIST_HEAD_INIT(security_hook_heads.sem_free_security),
-        .sem_associate =
-                LIST_HEAD_INIT(security_hook_heads.sem_associate),
-        .sem_semctl =   LIST_HEAD_INIT(security_hook_heads.sem_semctl),
-        .sem_semop =    LIST_HEAD_INIT(security_hook_heads.sem_semop),
-        .netlink_send = LIST_HEAD_INIT(security_hook_heads.netlink_send),
-        .d_instantiate =
-                LIST_HEAD_INIT(security_hook_heads.d_instantiate),
-        .getprocattr =  LIST_HEAD_INIT(security_hook_heads.getprocattr),
-        .setprocattr =  LIST_HEAD_INIT(security_hook_heads.setprocattr),
-        .ismaclabel =   LIST_HEAD_INIT(security_hook_heads.ismaclabel),
-        .secid_to_secctx =
-                LIST_HEAD_INIT(security_hook_heads.secid_to_secctx),
-        .secctx_to_secid =
-                LIST_HEAD_INIT(security_hook_heads.secctx_to_secid),
-        .release_secctx =
-                LIST_HEAD_INIT(security_hook_heads.release_secctx),
-        .inode_invalidate_secctx =
-                LIST_HEAD_INIT(security_hook_heads.inode_invalidate_secctx),
-        .inode_notifysecctx =
-                LIST_HEAD_INIT(security_hook_heads.inode_notifysecctx),
-        .inode_setsecctx =
-                LIST_HEAD_INIT(security_hook_heads.inode_setsecctx),
-        .inode_getsecctx =
-                LIST_HEAD_INIT(security_hook_heads.inode_getsecctx),
-#ifdef CONFIG_SECURITY_NETWORK
-        .unix_stream_connect =
-                LIST_HEAD_INIT(security_hook_heads.unix_stream_connect),
-        .unix_may_send =
-                LIST_HEAD_INIT(security_hook_heads.unix_may_send),
-        .socket_create =
-                LIST_HEAD_INIT(security_hook_heads.socket_create),
-        .socket_post_create =
-                LIST_HEAD_INIT(security_hook_heads.socket_post_create),
-        .socket_bind =  LIST_HEAD_INIT(security_hook_heads.socket_bind),
-        .socket_connect =
-                LIST_HEAD_INIT(security_hook_heads.socket_connect),
-        .socket_listen =
-                LIST_HEAD_INIT(security_hook_heads.socket_listen),
-        .socket_accept =
-                LIST_HEAD_INIT(security_hook_heads.socket_accept),
-        .socket_sendmsg =
-                LIST_HEAD_INIT(security_hook_heads.socket_sendmsg),
-        .socket_recvmsg =
-                LIST_HEAD_INIT(security_hook_heads.socket_recvmsg),
-        .socket_getsockname =
-                LIST_HEAD_INIT(security_hook_heads.socket_getsockname),
-        .socket_getpeername =
-                LIST_HEAD_INIT(security_hook_heads.socket_getpeername),
-        .socket_getsockopt =
-                LIST_HEAD_INIT(security_hook_heads.socket_getsockopt),
-        .socket_setsockopt =
-                LIST_HEAD_INIT(security_hook_heads.socket_setsockopt),
-        .socket_shutdown =
-                LIST_HEAD_INIT(security_hook_heads.socket_shutdown),
-        .socket_sock_rcv_skb =
-                LIST_HEAD_INIT(security_hook_heads.socket_sock_rcv_skb),
-        .socket_getpeersec_stream =
-                LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_stream),
-        .socket_getpeersec_dgram =
-                LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_dgram),
-        .sk_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.sk_alloc_security),
-        .sk_free_security =
-                LIST_HEAD_INIT(security_hook_heads.sk_free_security),
-        .sk_clone_security =
-                LIST_HEAD_INIT(security_hook_heads.sk_clone_security),
-        .sk_getsecid =  LIST_HEAD_INIT(security_hook_heads.sk_getsecid),
-        .sock_graft =   LIST_HEAD_INIT(security_hook_heads.sock_graft),
-        .inet_conn_request =
-                LIST_HEAD_INIT(security_hook_heads.inet_conn_request),
-        .inet_csk_clone =
-                LIST_HEAD_INIT(security_hook_heads.inet_csk_clone),
-        .inet_conn_established =
-                LIST_HEAD_INIT(security_hook_heads.inet_conn_established),
-        .secmark_relabel_packet =
-                LIST_HEAD_INIT(security_hook_heads.secmark_relabel_packet),
-        .secmark_refcount_inc =
-                LIST_HEAD_INIT(security_hook_heads.secmark_refcount_inc),
-        .secmark_refcount_dec =
-                LIST_HEAD_INIT(security_hook_heads.secmark_refcount_dec),
-        .req_classify_flow =
-                LIST_HEAD_INIT(security_hook_heads.req_classify_flow),
-        .tun_dev_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.tun_dev_alloc_security),
-        .tun_dev_free_security =
-                LIST_HEAD_INIT(security_hook_heads.tun_dev_free_security),
-        .tun_dev_create =
-                LIST_HEAD_INIT(security_hook_heads.tun_dev_create),
-        .tun_dev_attach_queue =
-                LIST_HEAD_INIT(security_hook_heads.tun_dev_attach_queue),
-        .tun_dev_attach =
-                LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
-        .tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
-#endif  /* CONFIG_SECURITY_NETWORK */
-#ifdef CONFIG_SECURITY_NETWORK_XFRM
-        .xfrm_policy_alloc_security =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
-        .xfrm_policy_clone_security =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_policy_clone_security),
-        .xfrm_policy_free_security =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_policy_free_security),
-        .xfrm_policy_delete_security =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_policy_delete_security),
-        .xfrm_state_alloc =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc),
-        .xfrm_state_alloc_acquire =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc_acquire),
-        .xfrm_state_free_security =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_state_free_security),
-        .xfrm_state_delete_security =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_state_delete_security),
-        .xfrm_policy_lookup =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_policy_lookup),
-        .xfrm_state_pol_flow_match =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_state_pol_flow_match),
-        .xfrm_decode_session =
-                LIST_HEAD_INIT(security_hook_heads.xfrm_decode_session),
-#endif  /* CONFIG_SECURITY_NETWORK_XFRM */
-#ifdef CONFIG_KEYS
-        .key_alloc =    LIST_HEAD_INIT(security_hook_heads.key_alloc),
-        .key_free =     LIST_HEAD_INIT(security_hook_heads.key_free),
-        .key_permission =
-                LIST_HEAD_INIT(security_hook_heads.key_permission),
-        .key_getsecurity =
-                LIST_HEAD_INIT(security_hook_heads.key_getsecurity),
-#endif  /* CONFIG_KEYS */
-#ifdef CONFIG_AUDIT
-        .audit_rule_init =
-                LIST_HEAD_INIT(security_hook_heads.audit_rule_init),
-        .audit_rule_known =
-                LIST_HEAD_INIT(security_hook_heads.audit_rule_known),
-        .audit_rule_match =
-                LIST_HEAD_INIT(security_hook_heads.audit_rule_match),
-        .audit_rule_free =
-                LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
-#endif /* CONFIG_AUDIT */
-};
author	Linus Torvalds <torvalds@linux-foundation.org>	2017-05-03 11:50:52 -0400
committer	Linus Torvalds <torvalds@linux-foundation.org>	2017-05-03 11:50:52 -0400
commit	0302e28dee643932ee7b3c112ebccdbb9f8ec32c (patch)
tree	405d4cb3f772ef069ed7f291adc4b74a4e73346e /security/security.c
parent	89c9fea3c8034cdb2fd745f551cde0b507fd6893 (diff)
parent	8979b02aaf1d6de8d52cc143aa4da961ed32e5a2 (diff)

diff --git a/security/security.c b/security/security.c index 23555c5504f6..b9fea3999cf8 100644 --- a/security/security.c +++ b/security/security.c
@@ -32,6 +32,7 @@
32	/* Maximum number of letters for an LSM name string */	32	/* Maximum number of letters for an LSM name string */
33	#define SECURITY_NAME_MAX 10	33	#define SECURITY_NAME_MAX 10
34		34
		35	struct security_hook_heads security_hook_heads __lsm_ro_after_init;
35	char *lsm_names;	36	char *lsm_names;
36	/* Boot-time LSM user choice */	37	/* Boot-time LSM user choice */
37	static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =	38	static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
@@ -54,6 +55,12 @@ static void __init do_security_initcalls(void)
54	*/	55	*/
55	int __init security_init(void)	56	int __init security_init(void)
56	{	57	{
		58	int i;
		59	struct list_head list = (struct list_head ) &security_hook_heads;
		60
		61	for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct list_head);
		62	i++)
		63	INIT_LIST_HEAD(&list[i]);
57	pr_info("Security Framework initialized\n");	64	pr_info("Security Framework initialized\n");
58		65
59	/*	66	/*
@@ -934,6 +941,11 @@ int security_task_create(unsigned long clone_flags)
934	return call_int_hook(task_create, 0, clone_flags);	941	return call_int_hook(task_create, 0, clone_flags);
935	}	942	}
936		943
		944	int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
		945	{
		946	return call_int_hook(task_alloc, 0, task, clone_flags);
		947	}
		948
937	void security_task_free(struct task_struct *task)	949	void security_task_free(struct task_struct *task)
938	{	950	{
939	call_void_hook(task_free, task);	951	call_void_hook(task_free, task);
@@ -1040,6 +1052,12 @@ int security_task_getioprio(struct task_struct *p)
1040	return call_int_hook(task_getioprio, 0, p);	1052	return call_int_hook(task_getioprio, 0, p);
1041	}	1053	}
1042		1054
		1055	int security_task_prlimit(const struct cred cred, const struct cred tcred,
		1056	unsigned int flags)
		1057	{
		1058	return call_int_hook(task_prlimit, 0, cred, tcred, flags);
		1059	}
		1060
1043	int security_task_setrlimit(struct task_struct *p, unsigned int resource,	1061	int security_task_setrlimit(struct task_struct *p, unsigned int resource,
1044	struct rlimit *new_rlim)	1062	struct rlimit *new_rlim)
1045	{	1063	{
@@ -1625,355 +1643,3 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
1625	actx);	1643	actx);
1626	}	1644	}
1627	#endif /* CONFIG_AUDIT */	1645	#endif /* CONFIG_AUDIT */
1628
1629	struct security_hook_heads security_hook_heads = {
1630	.binder_set_context_mgr =
1631	LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr),
1632	.binder_transaction =
1633	LIST_HEAD_INIT(security_hook_heads.binder_transaction),
1634	.binder_transfer_binder =
1635	LIST_HEAD_INIT(security_hook_heads.binder_transfer_binder),
1636	.binder_transfer_file =
1637	LIST_HEAD_INIT(security_hook_heads.binder_transfer_file),
1638
1639	.ptrace_access_check =
1640	LIST_HEAD_INIT(security_hook_heads.ptrace_access_check),
1641	.ptrace_traceme =
1642	LIST_HEAD_INIT(security_hook_heads.ptrace_traceme),
1643	.capget = LIST_HEAD_INIT(security_hook_heads.capget),
1644	.capset = LIST_HEAD_INIT(security_hook_heads.capset),
1645	.capable = LIST_HEAD_INIT(security_hook_heads.capable),
1646	.quotactl = LIST_HEAD_INIT(security_hook_heads.quotactl),
1647	.quota_on = LIST_HEAD_INIT(security_hook_heads.quota_on),
1648	.syslog = LIST_HEAD_INIT(security_hook_heads.syslog),
1649	.settime = LIST_HEAD_INIT(security_hook_heads.settime),
1650	.vm_enough_memory =
1651	LIST_HEAD_INIT(security_hook_heads.vm_enough_memory),
1652	.bprm_set_creds =
1653	LIST_HEAD_INIT(security_hook_heads.bprm_set_creds),
1654	.bprm_check_security =
1655	LIST_HEAD_INIT(security_hook_heads.bprm_check_security),
1656	.bprm_secureexec =
1657	LIST_HEAD_INIT(security_hook_heads.bprm_secureexec),
1658	.bprm_committing_creds =
1659	LIST_HEAD_INIT(security_hook_heads.bprm_committing_creds),
1660	.bprm_committed_creds =
1661	LIST_HEAD_INIT(security_hook_heads.bprm_committed_creds),
1662	.sb_alloc_security =
1663	LIST_HEAD_INIT(security_hook_heads.sb_alloc_security),
1664	.sb_free_security =
1665	LIST_HEAD_INIT(security_hook_heads.sb_free_security),
1666	.sb_copy_data = LIST_HEAD_INIT(security_hook_heads.sb_copy_data),
1667	.sb_remount = LIST_HEAD_INIT(security_hook_heads.sb_remount),
1668	.sb_kern_mount =
1669	LIST_HEAD_INIT(security_hook_heads.sb_kern_mount),
1670	.sb_show_options =
1671	LIST_HEAD_INIT(security_hook_heads.sb_show_options),
1672	.sb_statfs = LIST_HEAD_INIT(security_hook_heads.sb_statfs),
1673	.sb_mount = LIST_HEAD_INIT(security_hook_heads.sb_mount),
1674	.sb_umount = LIST_HEAD_INIT(security_hook_heads.sb_umount),
1675	.sb_pivotroot = LIST_HEAD_INIT(security_hook_heads.sb_pivotroot),
1676	.sb_set_mnt_opts =
1677	LIST_HEAD_INIT(security_hook_heads.sb_set_mnt_opts),
1678	.sb_clone_mnt_opts =
1679	LIST_HEAD_INIT(security_hook_heads.sb_clone_mnt_opts),
1680	.sb_parse_opts_str =
1681	LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
1682	.dentry_init_security =
1683	LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
1684	.dentry_create_files_as =
1685	LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
1686	#ifdef CONFIG_SECURITY_PATH
1687	.path_unlink = LIST_HEAD_INIT(security_hook_heads.path_unlink),
1688	.path_mkdir = LIST_HEAD_INIT(security_hook_heads.path_mkdir),
1689	.path_rmdir = LIST_HEAD_INIT(security_hook_heads.path_rmdir),
1690	.path_mknod = LIST_HEAD_INIT(security_hook_heads.path_mknod),
1691	.path_truncate =
1692	LIST_HEAD_INIT(security_hook_heads.path_truncate),
1693	.path_symlink = LIST_HEAD_INIT(security_hook_heads.path_symlink),
1694	.path_link = LIST_HEAD_INIT(security_hook_heads.path_link),
1695	.path_rename = LIST_HEAD_INIT(security_hook_heads.path_rename),
1696	.path_chmod = LIST_HEAD_INIT(security_hook_heads.path_chmod),
1697	.path_chown = LIST_HEAD_INIT(security_hook_heads.path_chown),
1698	.path_chroot = LIST_HEAD_INIT(security_hook_heads.path_chroot),
1699	#endif
1700	.inode_alloc_security =
1701	LIST_HEAD_INIT(security_hook_heads.inode_alloc_security),
1702	.inode_free_security =
1703	LIST_HEAD_INIT(security_hook_heads.inode_free_security),
1704	.inode_init_security =
1705	LIST_HEAD_INIT(security_hook_heads.inode_init_security),
1706	.inode_create = LIST_HEAD_INIT(security_hook_heads.inode_create),
1707	.inode_link = LIST_HEAD_INIT(security_hook_heads.inode_link),
1708	.inode_unlink = LIST_HEAD_INIT(security_hook_heads.inode_unlink),
1709	.inode_symlink =
1710	LIST_HEAD_INIT(security_hook_heads.inode_symlink),
1711	.inode_mkdir = LIST_HEAD_INIT(security_hook_heads.inode_mkdir),
1712	.inode_rmdir = LIST_HEAD_INIT(security_hook_heads.inode_rmdir),
1713	.inode_mknod = LIST_HEAD_INIT(security_hook_heads.inode_mknod),
1714	.inode_rename = LIST_HEAD_INIT(security_hook_heads.inode_rename),
1715	.inode_readlink =
1716	LIST_HEAD_INIT(security_hook_heads.inode_readlink),
1717	.inode_follow_link =
1718	LIST_HEAD_INIT(security_hook_heads.inode_follow_link),
1719	.inode_permission =
1720	LIST_HEAD_INIT(security_hook_heads.inode_permission),
1721	.inode_setattr =
1722	LIST_HEAD_INIT(security_hook_heads.inode_setattr),
1723	.inode_getattr =
1724	LIST_HEAD_INIT(security_hook_heads.inode_getattr),
1725	.inode_setxattr =
1726	LIST_HEAD_INIT(security_hook_heads.inode_setxattr),
1727	.inode_post_setxattr =
1728	LIST_HEAD_INIT(security_hook_heads.inode_post_setxattr),
1729	.inode_getxattr =
1730	LIST_HEAD_INIT(security_hook_heads.inode_getxattr),
1731	.inode_listxattr =
1732	LIST_HEAD_INIT(security_hook_heads.inode_listxattr),
1733	.inode_removexattr =
1734	LIST_HEAD_INIT(security_hook_heads.inode_removexattr),
1735	.inode_need_killpriv =
1736	LIST_HEAD_INIT(security_hook_heads.inode_need_killpriv),
1737	.inode_killpriv =
1738	LIST_HEAD_INIT(security_hook_heads.inode_killpriv),
1739	.inode_getsecurity =
1740	LIST_HEAD_INIT(security_hook_heads.inode_getsecurity),
1741	.inode_setsecurity =
1742	LIST_HEAD_INIT(security_hook_heads.inode_setsecurity),
1743	.inode_listsecurity =
1744	LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
1745	.inode_getsecid =
1746	LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
1747	.inode_copy_up =
1748	LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
1749	.inode_copy_up_xattr =
1750	LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
1751	.file_permission =
1752	LIST_HEAD_INIT(security_hook_heads.file_permission),
1753	.file_alloc_security =
1754	LIST_HEAD_INIT(security_hook_heads.file_alloc_security),
1755	.file_free_security =
1756	LIST_HEAD_INIT(security_hook_heads.file_free_security),
1757	.file_ioctl = LIST_HEAD_INIT(security_hook_heads.file_ioctl),
1758	.mmap_addr = LIST_HEAD_INIT(security_hook_heads.mmap_addr),
1759	.mmap_file = LIST_HEAD_INIT(security_hook_heads.mmap_file),
1760	.file_mprotect =
1761	LIST_HEAD_INIT(security_hook_heads.file_mprotect),
1762	.file_lock = LIST_HEAD_INIT(security_hook_heads.file_lock),
1763	.file_fcntl = LIST_HEAD_INIT(security_hook_heads.file_fcntl),
1764	.file_set_fowner =
1765	LIST_HEAD_INIT(security_hook_heads.file_set_fowner),
1766	.file_send_sigiotask =
1767	LIST_HEAD_INIT(security_hook_heads.file_send_sigiotask),
1768	.file_receive = LIST_HEAD_INIT(security_hook_heads.file_receive),
1769	.file_open = LIST_HEAD_INIT(security_hook_heads.file_open),
1770	.task_create = LIST_HEAD_INIT(security_hook_heads.task_create),
1771	.task_free = LIST_HEAD_INIT(security_hook_heads.task_free),
1772	.cred_alloc_blank =
1773	LIST_HEAD_INIT(security_hook_heads.cred_alloc_blank),
1774	.cred_free = LIST_HEAD_INIT(security_hook_heads.cred_free),
1775	.cred_prepare = LIST_HEAD_INIT(security_hook_heads.cred_prepare),
1776	.cred_transfer =
1777	LIST_HEAD_INIT(security_hook_heads.cred_transfer),
1778	.kernel_act_as =
1779	LIST_HEAD_INIT(security_hook_heads.kernel_act_as),
1780	.kernel_create_files_as =
1781	LIST_HEAD_INIT(security_hook_heads.kernel_create_files_as),
1782	.kernel_module_request =
1783	LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
1784	.kernel_read_file =
1785	LIST_HEAD_INIT(security_hook_heads.kernel_read_file),
1786	.kernel_post_read_file =
1787	LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
1788	.task_fix_setuid =
1789	LIST_HEAD_INIT(security_hook_heads.task_fix_setuid),
1790	.task_setpgid = LIST_HEAD_INIT(security_hook_heads.task_setpgid),
1791	.task_getpgid = LIST_HEAD_INIT(security_hook_heads.task_getpgid),
1792	.task_getsid = LIST_HEAD_INIT(security_hook_heads.task_getsid),
1793	.task_getsecid =
1794	LIST_HEAD_INIT(security_hook_heads.task_getsecid),
1795	.task_setnice = LIST_HEAD_INIT(security_hook_heads.task_setnice),
1796	.task_setioprio =
1797	LIST_HEAD_INIT(security_hook_heads.task_setioprio),
1798	.task_getioprio =
1799	LIST_HEAD_INIT(security_hook_heads.task_getioprio),
1800	.task_setrlimit =
1801	LIST_HEAD_INIT(security_hook_heads.task_setrlimit),
1802	.task_setscheduler =
1803	LIST_HEAD_INIT(security_hook_heads.task_setscheduler),
1804	.task_getscheduler =
1805	LIST_HEAD_INIT(security_hook_heads.task_getscheduler),
1806	.task_movememory =
1807	LIST_HEAD_INIT(security_hook_heads.task_movememory),
1808	.task_kill = LIST_HEAD_INIT(security_hook_heads.task_kill),
1809	.task_prctl = LIST_HEAD_INIT(security_hook_heads.task_prctl),
1810	.task_to_inode =
1811	LIST_HEAD_INIT(security_hook_heads.task_to_inode),
1812	.ipc_permission =
1813	LIST_HEAD_INIT(security_hook_heads.ipc_permission),
1814	.ipc_getsecid = LIST_HEAD_INIT(security_hook_heads.ipc_getsecid),
1815	.msg_msg_alloc_security =
1816	LIST_HEAD_INIT(security_hook_heads.msg_msg_alloc_security),
1817	.msg_msg_free_security =
1818	LIST_HEAD_INIT(security_hook_heads.msg_msg_free_security),
1819	.msg_queue_alloc_security =
1820	LIST_HEAD_INIT(security_hook_heads.msg_queue_alloc_security),
1821	.msg_queue_free_security =
1822	LIST_HEAD_INIT(security_hook_heads.msg_queue_free_security),
1823	.msg_queue_associate =
1824	LIST_HEAD_INIT(security_hook_heads.msg_queue_associate),
1825	.msg_queue_msgctl =
1826	LIST_HEAD_INIT(security_hook_heads.msg_queue_msgctl),
1827	.msg_queue_msgsnd =
1828	LIST_HEAD_INIT(security_hook_heads.msg_queue_msgsnd),
1829	.msg_queue_msgrcv =
1830	LIST_HEAD_INIT(security_hook_heads.msg_queue_msgrcv),
1831	.shm_alloc_security =
1832	LIST_HEAD_INIT(security_hook_heads.shm_alloc_security),
1833	.shm_free_security =
1834	LIST_HEAD_INIT(security_hook_heads.shm_free_security),
1835	.shm_associate =
1836	LIST_HEAD_INIT(security_hook_heads.shm_associate),
1837	.shm_shmctl = LIST_HEAD_INIT(security_hook_heads.shm_shmctl),
1838	.shm_shmat = LIST_HEAD_INIT(security_hook_heads.shm_shmat),
1839	.sem_alloc_security =
1840	LIST_HEAD_INIT(security_hook_heads.sem_alloc_security),
1841	.sem_free_security =
1842	LIST_HEAD_INIT(security_hook_heads.sem_free_security),
1843	.sem_associate =
1844	LIST_HEAD_INIT(security_hook_heads.sem_associate),
1845	.sem_semctl = LIST_HEAD_INIT(security_hook_heads.sem_semctl),
1846	.sem_semop = LIST_HEAD_INIT(security_hook_heads.sem_semop),
1847	.netlink_send = LIST_HEAD_INIT(security_hook_heads.netlink_send),
1848	.d_instantiate =
1849	LIST_HEAD_INIT(security_hook_heads.d_instantiate),
1850	.getprocattr = LIST_HEAD_INIT(security_hook_heads.getprocattr),
1851	.setprocattr = LIST_HEAD_INIT(security_hook_heads.setprocattr),
1852	.ismaclabel = LIST_HEAD_INIT(security_hook_heads.ismaclabel),
1853	.secid_to_secctx =
1854	LIST_HEAD_INIT(security_hook_heads.secid_to_secctx),
1855	.secctx_to_secid =
1856	LIST_HEAD_INIT(security_hook_heads.secctx_to_secid),
1857	.release_secctx =
1858	LIST_HEAD_INIT(security_hook_heads.release_secctx),
1859	.inode_invalidate_secctx =
1860	LIST_HEAD_INIT(security_hook_heads.inode_invalidate_secctx),
1861	.inode_notifysecctx =
1862	LIST_HEAD_INIT(security_hook_heads.inode_notifysecctx),
1863	.inode_setsecctx =
1864	LIST_HEAD_INIT(security_hook_heads.inode_setsecctx),
1865	.inode_getsecctx =
1866	LIST_HEAD_INIT(security_hook_heads.inode_getsecctx),
1867	#ifdef CONFIG_SECURITY_NETWORK
1868	.unix_stream_connect =
1869	LIST_HEAD_INIT(security_hook_heads.unix_stream_connect),
1870	.unix_may_send =
1871	LIST_HEAD_INIT(security_hook_heads.unix_may_send),
1872	.socket_create =
1873	LIST_HEAD_INIT(security_hook_heads.socket_create),
1874	.socket_post_create =
1875	LIST_HEAD_INIT(security_hook_heads.socket_post_create),
1876	.socket_bind = LIST_HEAD_INIT(security_hook_heads.socket_bind),
1877	.socket_connect =
1878	LIST_HEAD_INIT(security_hook_heads.socket_connect),
1879	.socket_listen =
1880	LIST_HEAD_INIT(security_hook_heads.socket_listen),
1881	.socket_accept =
1882	LIST_HEAD_INIT(security_hook_heads.socket_accept),
1883	.socket_sendmsg =
1884	LIST_HEAD_INIT(security_hook_heads.socket_sendmsg),
1885	.socket_recvmsg =
1886	LIST_HEAD_INIT(security_hook_heads.socket_recvmsg),
1887	.socket_getsockname =
1888	LIST_HEAD_INIT(security_hook_heads.socket_getsockname),
1889	.socket_getpeername =
1890	LIST_HEAD_INIT(security_hook_heads.socket_getpeername),
1891	.socket_getsockopt =
1892	LIST_HEAD_INIT(security_hook_heads.socket_getsockopt),
1893	.socket_setsockopt =
1894	LIST_HEAD_INIT(security_hook_heads.socket_setsockopt),
1895	.socket_shutdown =
1896	LIST_HEAD_INIT(security_hook_heads.socket_shutdown),
1897	.socket_sock_rcv_skb =
1898	LIST_HEAD_INIT(security_hook_heads.socket_sock_rcv_skb),
1899	.socket_getpeersec_stream =
1900	LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_stream),
1901	.socket_getpeersec_dgram =
1902	LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_dgram),
1903	.sk_alloc_security =
1904	LIST_HEAD_INIT(security_hook_heads.sk_alloc_security),
1905	.sk_free_security =
1906	LIST_HEAD_INIT(security_hook_heads.sk_free_security),
1907	.sk_clone_security =
1908	LIST_HEAD_INIT(security_hook_heads.sk_clone_security),
1909	.sk_getsecid = LIST_HEAD_INIT(security_hook_heads.sk_getsecid),
1910	.sock_graft = LIST_HEAD_INIT(security_hook_heads.sock_graft),
1911	.inet_conn_request =
1912	LIST_HEAD_INIT(security_hook_heads.inet_conn_request),
1913	.inet_csk_clone =
1914	LIST_HEAD_INIT(security_hook_heads.inet_csk_clone),
1915	.inet_conn_established =
1916	LIST_HEAD_INIT(security_hook_heads.inet_conn_established),
1917	.secmark_relabel_packet =
1918	LIST_HEAD_INIT(security_hook_heads.secmark_relabel_packet),
1919	.secmark_refcount_inc =
1920	LIST_HEAD_INIT(security_hook_heads.secmark_refcount_inc),
1921	.secmark_refcount_dec =
1922	LIST_HEAD_INIT(security_hook_heads.secmark_refcount_dec),
1923	.req_classify_flow =
1924	LIST_HEAD_INIT(security_hook_heads.req_classify_flow),
1925	.tun_dev_alloc_security =
1926	LIST_HEAD_INIT(security_hook_heads.tun_dev_alloc_security),
1927	.tun_dev_free_security =
1928	LIST_HEAD_INIT(security_hook_heads.tun_dev_free_security),
1929	.tun_dev_create =
1930	LIST_HEAD_INIT(security_hook_heads.tun_dev_create),
1931	.tun_dev_attach_queue =
1932	LIST_HEAD_INIT(security_hook_heads.tun_dev_attach_queue),
1933	.tun_dev_attach =
1934	LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
1935	.tun_dev_open = LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
1936	#endif /* CONFIG_SECURITY_NETWORK */
1937	#ifdef CONFIG_SECURITY_NETWORK_XFRM
1938	.xfrm_policy_alloc_security =
1939	LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
1940	.xfrm_policy_clone_security =
1941	LIST_HEAD_INIT(security_hook_heads.xfrm_policy_clone_security),
1942	.xfrm_policy_free_security =
1943	LIST_HEAD_INIT(security_hook_heads.xfrm_policy_free_security),
1944	.xfrm_policy_delete_security =
1945	LIST_HEAD_INIT(security_hook_heads.xfrm_policy_delete_security),
1946	.xfrm_state_alloc =
1947	LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc),
1948	.xfrm_state_alloc_acquire =
1949	LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc_acquire),
1950	.xfrm_state_free_security =
1951	LIST_HEAD_INIT(security_hook_heads.xfrm_state_free_security),
1952	.xfrm_state_delete_security =
1953	LIST_HEAD_INIT(security_hook_heads.xfrm_state_delete_security),
1954	.xfrm_policy_lookup =
1955	LIST_HEAD_INIT(security_hook_heads.xfrm_policy_lookup),
1956	.xfrm_state_pol_flow_match =
1957	LIST_HEAD_INIT(security_hook_heads.xfrm_state_pol_flow_match),
1958	.xfrm_decode_session =
1959	LIST_HEAD_INIT(security_hook_heads.xfrm_decode_session),
1960	#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1961	#ifdef CONFIG_KEYS
1962	.key_alloc = LIST_HEAD_INIT(security_hook_heads.key_alloc),
1963	.key_free = LIST_HEAD_INIT(security_hook_heads.key_free),
1964	.key_permission =
1965	LIST_HEAD_INIT(security_hook_heads.key_permission),
1966	.key_getsecurity =
1967	LIST_HEAD_INIT(security_hook_heads.key_getsecurity),
1968	#endif /* CONFIG_KEYS */
1969	#ifdef CONFIG_AUDIT
1970	.audit_rule_init =
1971	LIST_HEAD_INIT(security_hook_heads.audit_rule_init),
1972	.audit_rule_known =
1973	LIST_HEAD_INIT(security_hook_heads.audit_rule_known),
1974	.audit_rule_match =
1975	LIST_HEAD_INIT(security_hook_heads.audit_rule_match),
1976	.audit_rule_free =
1977	LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
1978	#endif /* CONFIG_AUDIT */
1979	};