aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux/security.h
diff options
context:
space:
mode:
authorKentaro Takeda <takedakn@nttdata.co.jp>2008-12-16 23:24:15 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2008-12-31 18:07:37 -0500
commitbe6d3e56a6b9b3a4ee44a0685e39e595073c6f0d (patch)
tree3a770f4cc676efeba443b28caa1ad195eeff49bc /include/linux/security.h
parent6a94cb73064c952255336cc57731904174b2c58f (diff)
introduce new LSM hooks where vfsmount is available.
Add new LSM hooks for path-based checks. Call them on directory-modifying operations at the points where we still know the vfsmount involved. Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp> Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h137
1 files changed, 137 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 3416cb85e77..b92b5e453f6 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -335,17 +335,37 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
335 * @dir contains the inode structure of the parent directory of the new link. 335 * @dir contains the inode structure of the parent directory of the new link.
336 * @new_dentry contains the dentry structure for the new link. 336 * @new_dentry contains the dentry structure for the new link.
337 * Return 0 if permission is granted. 337 * Return 0 if permission is granted.
338 * @path_link:
339 * Check permission before creating a new hard link to a file.
340 * @old_dentry contains the dentry structure for an existing link
341 * to the file.
342 * @new_dir contains the path structure of the parent directory of
343 * the new link.
344 * @new_dentry contains the dentry structure for the new link.
345 * Return 0 if permission is granted.
338 * @inode_unlink: 346 * @inode_unlink:
339 * Check the permission to remove a hard link to a file. 347 * Check the permission to remove a hard link to a file.
340 * @dir contains the inode structure of parent directory of the file. 348 * @dir contains the inode structure of parent directory of the file.
341 * @dentry contains the dentry structure for file to be unlinked. 349 * @dentry contains the dentry structure for file to be unlinked.
342 * Return 0 if permission is granted. 350 * Return 0 if permission is granted.
351 * @path_unlink:
352 * Check the permission to remove a hard link to a file.
353 * @dir contains the path structure of parent directory of the file.
354 * @dentry contains the dentry structure for file to be unlinked.
355 * Return 0 if permission is granted.
343 * @inode_symlink: 356 * @inode_symlink:
344 * Check the permission to create a symbolic link to a file. 357 * Check the permission to create a symbolic link to a file.
345 * @dir contains the inode structure of parent directory of the symbolic link. 358 * @dir contains the inode structure of parent directory of the symbolic link.
346 * @dentry contains the dentry structure of the symbolic link. 359 * @dentry contains the dentry structure of the symbolic link.
347 * @old_name contains the pathname of file. 360 * @old_name contains the pathname of file.
348 * Return 0 if permission is granted. 361 * Return 0 if permission is granted.
362 * @path_symlink:
363 * Check the permission to create a symbolic link to a file.
364 * @dir contains the path structure of parent directory of
365 * the symbolic link.
366 * @dentry contains the dentry structure of the symbolic link.
367 * @old_name contains the pathname of file.
368 * Return 0 if permission is granted.
349 * @inode_mkdir: 369 * @inode_mkdir:
350 * Check permissions to create a new directory in the existing directory 370 * Check permissions to create a new directory in the existing directory
351 * associated with inode strcture @dir. 371 * associated with inode strcture @dir.
@@ -353,11 +373,25 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
353 * @dentry contains the dentry structure of new directory. 373 * @dentry contains the dentry structure of new directory.
354 * @mode contains the mode of new directory. 374 * @mode contains the mode of new directory.
355 * Return 0 if permission is granted. 375 * Return 0 if permission is granted.
376 * @path_mkdir:
377 * Check permissions to create a new directory in the existing directory
378 * associated with path strcture @path.
379 * @dir containst the path structure of parent of the directory
380 * to be created.
381 * @dentry contains the dentry structure of new directory.
382 * @mode contains the mode of new directory.
383 * Return 0 if permission is granted.
356 * @inode_rmdir: 384 * @inode_rmdir:
357 * Check the permission to remove a directory. 385 * Check the permission to remove a directory.
358 * @dir contains the inode structure of parent of the directory to be removed. 386 * @dir contains the inode structure of parent of the directory to be removed.
359 * @dentry contains the dentry structure of directory to be removed. 387 * @dentry contains the dentry structure of directory to be removed.
360 * Return 0 if permission is granted. 388 * Return 0 if permission is granted.
389 * @path_rmdir:
390 * Check the permission to remove a directory.
391 * @dir contains the path structure of parent of the directory to be
392 * removed.
393 * @dentry contains the dentry structure of directory to be removed.
394 * Return 0 if permission is granted.
361 * @inode_mknod: 395 * @inode_mknod:
362 * Check permissions when creating a special file (or a socket or a fifo 396 * Check permissions when creating a special file (or a socket or a fifo
363 * file created via the mknod system call). Note that if mknod operation 397 * file created via the mknod system call). Note that if mknod operation
@@ -368,6 +402,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
368 * @mode contains the mode of the new file. 402 * @mode contains the mode of the new file.
369 * @dev contains the device number. 403 * @dev contains the device number.
370 * Return 0 if permission is granted. 404 * Return 0 if permission is granted.
405 * @path_mknod:
406 * Check permissions when creating a file. Note that this hook is called
407 * even if mknod operation is being done for a regular file.
408 * @dir contains the path structure of parent of the new file.
409 * @dentry contains the dentry structure of the new file.
410 * @mode contains the mode of the new file.
411 * @dev contains the undecoded device number. Use new_decode_dev() to get
412 * the decoded device number.
413 * Return 0 if permission is granted.
371 * @inode_rename: 414 * @inode_rename:
372 * Check for permission to rename a file or directory. 415 * Check for permission to rename a file or directory.
373 * @old_dir contains the inode structure for parent of the old link. 416 * @old_dir contains the inode structure for parent of the old link.
@@ -375,6 +418,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
375 * @new_dir contains the inode structure for parent of the new link. 418 * @new_dir contains the inode structure for parent of the new link.
376 * @new_dentry contains the dentry structure of the new link. 419 * @new_dentry contains the dentry structure of the new link.
377 * Return 0 if permission is granted. 420 * Return 0 if permission is granted.
421 * @path_rename:
422 * Check for permission to rename a file or directory.
423 * @old_dir contains the path structure for parent of the old link.
424 * @old_dentry contains the dentry structure of the old link.
425 * @new_dir contains the path structure for parent of the new link.
426 * @new_dentry contains the dentry structure of the new link.
427 * Return 0 if permission is granted.
378 * @inode_readlink: 428 * @inode_readlink:
379 * Check the permission to read the symbolic link. 429 * Check the permission to read the symbolic link.
380 * @dentry contains the dentry structure for the file link. 430 * @dentry contains the dentry structure for the file link.
@@ -403,6 +453,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
403 * @dentry contains the dentry structure for the file. 453 * @dentry contains the dentry structure for the file.
404 * @attr is the iattr structure containing the new file attributes. 454 * @attr is the iattr structure containing the new file attributes.
405 * Return 0 if permission is granted. 455 * Return 0 if permission is granted.
456 * @path_truncate:
457 * Check permission before truncating a file.
458 * @path contains the path structure for the file.
459 * @length is the new length of the file.
460 * @time_attrs is the flags passed to do_truncate().
461 * Return 0 if permission is granted.
406 * @inode_getattr: 462 * @inode_getattr:
407 * Check permission before obtaining file attributes. 463 * Check permission before obtaining file attributes.
408 * @mnt is the vfsmount where the dentry was looked up 464 * @mnt is the vfsmount where the dentry was looked up
@@ -1331,6 +1387,22 @@ struct security_operations {
1331 struct super_block *newsb); 1387 struct super_block *newsb);
1332 int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); 1388 int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
1333 1389
1390#ifdef CONFIG_SECURITY_PATH
1391 int (*path_unlink) (struct path *dir, struct dentry *dentry);
1392 int (*path_mkdir) (struct path *dir, struct dentry *dentry, int mode);
1393 int (*path_rmdir) (struct path *dir, struct dentry *dentry);
1394 int (*path_mknod) (struct path *dir, struct dentry *dentry, int mode,
1395 unsigned int dev);
1396 int (*path_truncate) (struct path *path, loff_t length,
1397 unsigned int time_attrs);
1398 int (*path_symlink) (struct path *dir, struct dentry *dentry,
1399 const char *old_name);
1400 int (*path_link) (struct dentry *old_dentry, struct path *new_dir,
1401 struct dentry *new_dentry);
1402 int (*path_rename) (struct path *old_dir, struct dentry *old_dentry,
1403 struct path *new_dir, struct dentry *new_dentry);
1404#endif
1405
1334 int (*inode_alloc_security) (struct inode *inode); 1406 int (*inode_alloc_security) (struct inode *inode);
1335 void (*inode_free_security) (struct inode *inode); 1407 void (*inode_free_security) (struct inode *inode);
1336 int (*inode_init_security) (struct inode *inode, struct inode *dir, 1408 int (*inode_init_security) (struct inode *inode, struct inode *dir,
@@ -2705,6 +2777,71 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi
2705 2777
2706#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 2778#endif /* CONFIG_SECURITY_NETWORK_XFRM */
2707 2779
2780#ifdef CONFIG_SECURITY_PATH
2781int security_path_unlink(struct path *dir, struct dentry *dentry);
2782int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode);
2783int security_path_rmdir(struct path *dir, struct dentry *dentry);
2784int security_path_mknod(struct path *dir, struct dentry *dentry, int mode,
2785 unsigned int dev);
2786int security_path_truncate(struct path *path, loff_t length,
2787 unsigned int time_attrs);
2788int security_path_symlink(struct path *dir, struct dentry *dentry,
2789 const char *old_name);
2790int security_path_link(struct dentry *old_dentry, struct path *new_dir,
2791 struct dentry *new_dentry);
2792int security_path_rename(struct path *old_dir, struct dentry *old_dentry,
2793 struct path *new_dir, struct dentry *new_dentry);
2794#else /* CONFIG_SECURITY_PATH */
2795static inline int security_path_unlink(struct path *dir, struct dentry *dentry)
2796{
2797 return 0;
2798}
2799
2800static inline int security_path_mkdir(struct path *dir, struct dentry *dentry,
2801 int mode)
2802{
2803 return 0;
2804}
2805
2806static inline int security_path_rmdir(struct path *dir, struct dentry *dentry)
2807{
2808 return 0;
2809}
2810
2811static inline int security_path_mknod(struct path *dir, struct dentry *dentry,
2812 int mode, unsigned int dev)
2813{
2814 return 0;
2815}
2816
2817static inline int security_path_truncate(struct path *path, loff_t length,
2818 unsigned int time_attrs)
2819{
2820 return 0;
2821}
2822
2823static inline int security_path_symlink(struct path *dir, struct dentry *dentry,
2824 const char *old_name)
2825{
2826 return 0;
2827}
2828
2829static inline int security_path_link(struct dentry *old_dentry,
2830 struct path *new_dir,
2831 struct dentry *new_dentry)
2832{
2833 return 0;
2834}
2835
2836static inline int security_path_rename(struct path *old_dir,
2837 struct dentry *old_dentry,
2838 struct path *new_dir,
2839 struct dentry *new_dentry)
2840{
2841 return 0;
2842}
2843#endif /* CONFIG_SECURITY_PATH */
2844
2708#ifdef CONFIG_KEYS 2845#ifdef CONFIG_KEYS
2709#ifdef CONFIG_SECURITY 2846#ifdef CONFIG_SECURITY
2710 2847