diff options
Diffstat (limited to 'include/linux/lsm_hooks.h')
| -rw-r--r-- | include/linux/lsm_hooks.h | 34 |
1 files changed, 30 insertions, 4 deletions
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index e29d4c62a3c8..080f34e66017 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h | |||
| @@ -533,8 +533,13 @@ | |||
| 533 | * manual page for definitions of the @clone_flags. | 533 | * manual page for definitions of the @clone_flags. |
| 534 | * @clone_flags contains the flags indicating what should be shared. | 534 | * @clone_flags contains the flags indicating what should be shared. |
| 535 | * Return 0 if permission is granted. | 535 | * Return 0 if permission is granted. |
| 536 | * @task_alloc: | ||
| 537 | * @task task being allocated. | ||
| 538 | * @clone_flags contains the flags indicating what should be shared. | ||
| 539 | * Handle allocation of task-related resources. | ||
| 540 | * Returns a zero on success, negative values on failure. | ||
| 536 | * @task_free: | 541 | * @task_free: |
| 537 | * @task task being freed | 542 | * @task task about to be freed. |
| 538 | * Handle release of task-related resources. (Note that this can be called | 543 | * Handle release of task-related resources. (Note that this can be called |
| 539 | * from interrupt context.) | 544 | * from interrupt context.) |
| 540 | * @cred_alloc_blank: | 545 | * @cred_alloc_blank: |
| @@ -630,10 +635,19 @@ | |||
| 630 | * Check permission before getting the ioprio value of @p. | 635 | * Check permission before getting the ioprio value of @p. |
| 631 | * @p contains the task_struct of process. | 636 | * @p contains the task_struct of process. |
| 632 | * Return 0 if permission is granted. | 637 | * Return 0 if permission is granted. |
| 638 | * @task_prlimit: | ||
| 639 | * Check permission before getting and/or setting the resource limits of | ||
| 640 | * another task. | ||
| 641 | * @cred points to the cred structure for the current task. | ||
| 642 | * @tcred points to the cred structure for the target task. | ||
| 643 | * @flags contains the LSM_PRLIMIT_* flag bits indicating whether the | ||
| 644 | * resource limits are being read, modified, or both. | ||
| 645 | * Return 0 if permission is granted. | ||
| 633 | * @task_setrlimit: | 646 | * @task_setrlimit: |
| 634 | * Check permission before setting the resource limits of the current | 647 | * Check permission before setting the resource limits of process @p |
| 635 | * process for @resource to @new_rlim. The old resource limit values can | 648 | * for @resource to @new_rlim. The old resource limit values can |
| 636 | * be examined by dereferencing (current->signal->rlim + resource). | 649 | * be examined by dereferencing (p->signal->rlim + resource). |
| 650 | * @p points to the task_struct for the target task's group leader. | ||
| 637 | * @resource contains the resource whose limit is being set. | 651 | * @resource contains the resource whose limit is being set. |
| 638 | * @new_rlim contains the new limits for @resource. | 652 | * @new_rlim contains the new limits for @resource. |
| 639 | * Return 0 if permission is granted. | 653 | * Return 0 if permission is granted. |
| @@ -1473,6 +1487,7 @@ union security_list_options { | |||
| 1473 | int (*file_open)(struct file *file, const struct cred *cred); | 1487 | int (*file_open)(struct file *file, const struct cred *cred); |
| 1474 | 1488 | ||
| 1475 | int (*task_create)(unsigned long clone_flags); | 1489 | int (*task_create)(unsigned long clone_flags); |
| 1490 | int (*task_alloc)(struct task_struct *task, unsigned long clone_flags); | ||
| 1476 | void (*task_free)(struct task_struct *task); | 1491 | void (*task_free)(struct task_struct *task); |
| 1477 | int (*cred_alloc_blank)(struct cred *cred, gfp_t gfp); | 1492 | int (*cred_alloc_blank)(struct cred *cred, gfp_t gfp); |
| 1478 | void (*cred_free)(struct cred *cred); | 1493 | void (*cred_free)(struct cred *cred); |
| @@ -1494,6 +1509,8 @@ union security_list_options { | |||
| 1494 | int (*task_setnice)(struct task_struct *p, int nice); | 1509 | int (*task_setnice)(struct task_struct *p, int nice); |
| 1495 | int (*task_setioprio)(struct task_struct *p, int ioprio); | 1510 | int (*task_setioprio)(struct task_struct *p, int ioprio); |
| 1496 | int (*task_getioprio)(struct task_struct *p); | 1511 | int (*task_getioprio)(struct task_struct *p); |
| 1512 | int (*task_prlimit)(const struct cred *cred, const struct cred *tcred, | ||
| 1513 | unsigned int flags); | ||
| 1497 | int (*task_setrlimit)(struct task_struct *p, unsigned int resource, | 1514 | int (*task_setrlimit)(struct task_struct *p, unsigned int resource, |
| 1498 | struct rlimit *new_rlim); | 1515 | struct rlimit *new_rlim); |
| 1499 | int (*task_setscheduler)(struct task_struct *p); | 1516 | int (*task_setscheduler)(struct task_struct *p); |
| @@ -1737,6 +1754,7 @@ struct security_hook_heads { | |||
| 1737 | struct list_head file_receive; | 1754 | struct list_head file_receive; |
| 1738 | struct list_head file_open; | 1755 | struct list_head file_open; |
| 1739 | struct list_head task_create; | 1756 | struct list_head task_create; |
| 1757 | struct list_head task_alloc; | ||
| 1740 | struct list_head task_free; | 1758 | struct list_head task_free; |
| 1741 | struct list_head cred_alloc_blank; | 1759 | struct list_head cred_alloc_blank; |
| 1742 | struct list_head cred_free; | 1760 | struct list_head cred_free; |
| @@ -1755,6 +1773,7 @@ struct security_hook_heads { | |||
| 1755 | struct list_head task_setnice; | 1773 | struct list_head task_setnice; |
| 1756 | struct list_head task_setioprio; | 1774 | struct list_head task_setioprio; |
| 1757 | struct list_head task_getioprio; | 1775 | struct list_head task_getioprio; |
| 1776 | struct list_head task_prlimit; | ||
| 1758 | struct list_head task_setrlimit; | 1777 | struct list_head task_setrlimit; |
| 1759 | struct list_head task_setscheduler; | 1778 | struct list_head task_setscheduler; |
| 1760 | struct list_head task_getscheduler; | 1779 | struct list_head task_getscheduler; |
| @@ -1908,6 +1927,13 @@ static inline void security_delete_hooks(struct security_hook_list *hooks, | |||
| 1908 | } | 1927 | } |
| 1909 | #endif /* CONFIG_SECURITY_SELINUX_DISABLE */ | 1928 | #endif /* CONFIG_SECURITY_SELINUX_DISABLE */ |
| 1910 | 1929 | ||
| 1930 | /* Currently required to handle SELinux runtime hook disable. */ | ||
| 1931 | #ifdef CONFIG_SECURITY_WRITABLE_HOOKS | ||
| 1932 | #define __lsm_ro_after_init | ||
| 1933 | #else | ||
| 1934 | #define __lsm_ro_after_init __ro_after_init | ||
| 1935 | #endif /* CONFIG_SECURITY_WRITABLE_HOOKS */ | ||
| 1936 | |||
| 1911 | extern int __init security_module_enable(const char *module); | 1937 | extern int __init security_module_enable(const char *module); |
| 1912 | extern void __init capability_add_hooks(void); | 1938 | extern void __init capability_add_hooks(void); |
| 1913 | #ifdef CONFIG_SECURITY_YAMA | 1939 | #ifdef CONFIG_SECURITY_YAMA |