1 files changed, 36 insertions, 0 deletions
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 7161d8e7ee79..84c0b927ea85 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -906,6 +906,33 @@
 *      associated with the TUN device's security structure.
 *      @security pointer to the TUN devices's security structure.
 *
+ * Security hooks for SCTP
+ *
+ * @sctp_assoc_request:
+ *      Passes the @ep and @chunk->skb of the association INIT packet to
+ *      the security module.
+ *      @ep pointer to sctp endpoint structure.
+ *      @skb pointer to skbuff of association packet.
+ *      Return 0 on success, error on failure.
+ * @sctp_bind_connect:
+ *      Validiate permissions required for each address associated with sock
+ *      @sk. Depending on @optname, the addresses will be treated as either
+ *      for a connect or bind service. The @addrlen is calculated on each
+ *      ipv4 and ipv6 address using sizeof(struct sockaddr_in) or
+ *      sizeof(struct sockaddr_in6).
+ *      @sk pointer to sock structure.
+ *      @optname name of the option to validate.
+ *      @address list containing one or more ipv4/ipv6 addresses.
+ *      @addrlen total length of address(s).
+ *      Return 0 on success, error on failure.
+ * @sctp_sk_clone:
+ *      Called whenever a new socket is created by accept(2) (i.e. a TCP
+ *      style socket) or when a socket is 'peeled off' e.g userspace
+ *      calls sctp_peeloff(3).
+ *      @ep pointer to current sctp endpoint structure.
+ *      @sk pointer to current sock structure.
+ *      @sk pointer to new sock structure.
+ *
 * Security hooks for Infiniband
 *
 * @ib_pkey_access:
@@ -1665,6 +1692,12 @@ union security_list_options {
        int (*tun_dev_attach_queue)(void *security);
        int (*tun_dev_attach)(struct sock *sk, void *security);
        int (*tun_dev_open)(void *security);
+        int (*sctp_assoc_request)(struct sctp_endpoint *ep,
+                                  struct sk_buff *skb);
+        int (*sctp_bind_connect)(struct sock *sk, int optname,
+                                 struct sockaddr *address, int addrlen);
+        void (*sctp_sk_clone)(struct sctp_endpoint *ep, struct sock *sk,
+                              struct sock *newsk);
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_INFINIBAND
@@ -1914,6 +1947,9 @@ struct security_hook_heads {
        struct list_head tun_dev_attach_queue;
        struct list_head tun_dev_attach;
        struct list_head tun_dev_open;
+        struct list_head sctp_assoc_request;
+        struct list_head sctp_bind_connect;
+        struct list_head sctp_sk_clone;
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_INFINIBAND
        struct list_head ib_pkey_access;

diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 7161d8e7ee79..84c0b927ea85 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h
@@ -906,6 +906,33 @@
906	* associated with the TUN device's security structure.	906	* associated with the TUN device's security structure.
907	* @security pointer to the TUN devices's security structure.	907	* @security pointer to the TUN devices's security structure.
908	*	908	*
		909	* Security hooks for SCTP
		910	*
		911	* @sctp_assoc_request:
		912	* Passes the @ep and @chunk->skb of the association INIT packet to
		913	* the security module.
		914	* @ep pointer to sctp endpoint structure.
		915	* @skb pointer to skbuff of association packet.
		916	* Return 0 on success, error on failure.
		917	* @sctp_bind_connect:
		918	* Validiate permissions required for each address associated with sock
		919	* @sk. Depending on @optname, the addresses will be treated as either
		920	* for a connect or bind service. The @addrlen is calculated on each
		921	* ipv4 and ipv6 address using sizeof(struct sockaddr_in) or
		922	* sizeof(struct sockaddr_in6).
		923	* @sk pointer to sock structure.
		924	* @optname name of the option to validate.
		925	* @address list containing one or more ipv4/ipv6 addresses.
		926	* @addrlen total length of address(s).
		927	* Return 0 on success, error on failure.
		928	* @sctp_sk_clone:
		929	* Called whenever a new socket is created by accept(2) (i.e. a TCP
		930	* style socket) or when a socket is 'peeled off' e.g userspace
		931	* calls sctp_peeloff(3).
		932	* @ep pointer to current sctp endpoint structure.
		933	* @sk pointer to current sock structure.
		934	* @sk pointer to new sock structure.
		935	*
909	* Security hooks for Infiniband	936	* Security hooks for Infiniband
910	*	937	*
911	* @ib_pkey_access:	938	* @ib_pkey_access:
@@ -1665,6 +1692,12 @@ union security_list_options {
1665	int (tun_dev_attach_queue)(void security);	1692	int (tun_dev_attach_queue)(void security);
1666	int (tun_dev_attach)(struct sock sk, void *security);	1693	int (tun_dev_attach)(struct sock sk, void *security);
1667	int (tun_dev_open)(void security);	1694	int (tun_dev_open)(void security);
		1695	int (sctp_assoc_request)(struct sctp_endpoint ep,
		1696	struct sk_buff *skb);
		1697	int (sctp_bind_connect)(struct sock sk, int optname,
		1698	struct sockaddr *address, int addrlen);
		1699	void (sctp_sk_clone)(struct sctp_endpoint ep, struct sock *sk,
		1700	struct sock *newsk);
1668	#endif /* CONFIG_SECURITY_NETWORK */	1701	#endif /* CONFIG_SECURITY_NETWORK */
1669		1702
1670	#ifdef CONFIG_SECURITY_INFINIBAND	1703	#ifdef CONFIG_SECURITY_INFINIBAND
@@ -1914,6 +1947,9 @@ struct security_hook_heads {
1914	struct list_head tun_dev_attach_queue;	1947	struct list_head tun_dev_attach_queue;
1915	struct list_head tun_dev_attach;	1948	struct list_head tun_dev_attach;
1916	struct list_head tun_dev_open;	1949	struct list_head tun_dev_open;
		1950	struct list_head sctp_assoc_request;
		1951	struct list_head sctp_bind_connect;
		1952	struct list_head sctp_sk_clone;
1917	#endif /* CONFIG_SECURITY_NETWORK */	1953	#endif /* CONFIG_SECURITY_NETWORK */
1918	#ifdef CONFIG_SECURITY_INFINIBAND	1954	#ifdef CONFIG_SECURITY_INFINIBAND
1919	struct list_head ib_pkey_access;	1955	struct list_head ib_pkey_access;