aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux/security.h
diff options
context:
space:
mode:
Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h342
1 files changed, 286 insertions, 56 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index d2c17bd91a2..9b5fea81f55 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -31,6 +31,8 @@
31#include <linux/msg.h> 31#include <linux/msg.h>
32#include <linux/sched.h> 32#include <linux/sched.h>
33#include <linux/key.h> 33#include <linux/key.h>
34#include <linux/xfrm.h>
35#include <net/flow.h>
34 36
35struct ctl_table; 37struct ctl_table;
36 38
@@ -67,7 +69,7 @@ struct xfrm_state;
67struct xfrm_user_sec_ctx; 69struct xfrm_user_sec_ctx;
68 70
69extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); 71extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
70extern int cap_netlink_recv(struct sk_buff *skb); 72extern int cap_netlink_recv(struct sk_buff *skb, int cap);
71 73
72/* 74/*
73 * Values used in the task_security_ops calls 75 * Values used in the task_security_ops calls
@@ -88,6 +90,7 @@ extern int cap_netlink_recv(struct sk_buff *skb);
88struct nfsctl_arg; 90struct nfsctl_arg;
89struct sched_param; 91struct sched_param;
90struct swap_info_struct; 92struct swap_info_struct;
93struct request_sock;
91 94
92/* bprm_apply_creds unsafe reasons */ 95/* bprm_apply_creds unsafe reasons */
93#define LSM_UNSAFE_SHARE 1 96#define LSM_UNSAFE_SHARE 1
@@ -567,6 +570,9 @@ struct swap_info_struct;
567 * @p. 570 * @p.
568 * @p contains the task_struct for the process. 571 * @p contains the task_struct for the process.
569 * Return 0 if permission is granted. 572 * Return 0 if permission is granted.
573 * @task_getsecid:
574 * Retrieve the security identifier of the process @p.
575 * @p contains the task_struct for the process and place is into @secid.
570 * @task_setgroups: 576 * @task_setgroups:
571 * Check permission before setting the supplementary group set of the 577 * Check permission before setting the supplementary group set of the
572 * current process. 578 * current process.
@@ -582,6 +588,10 @@ struct swap_info_struct;
582 * @p contains the task_struct of process. 588 * @p contains the task_struct of process.
583 * @ioprio contains the new ioprio value 589 * @ioprio contains the new ioprio value
584 * Return 0 if permission is granted. 590 * Return 0 if permission is granted.
591 * @task_getioprio
592 * Check permission before getting the ioprio value of @p.
593 * @p contains the task_struct of process.
594 * Return 0 if permission is granted.
585 * @task_setrlimit: 595 * @task_setrlimit:
586 * Check permission before setting the resource limits of the current 596 * Check permission before setting the resource limits of the current
587 * process for @resource to @new_rlim. The old resource limit values can 597 * process for @resource to @new_rlim. The old resource limit values can
@@ -615,6 +625,7 @@ struct swap_info_struct;
615 * @p contains the task_struct for process. 625 * @p contains the task_struct for process.
616 * @info contains the signal information. 626 * @info contains the signal information.
617 * @sig contains the signal value. 627 * @sig contains the signal value.
628 * @secid contains the sid of the process where the signal originated
618 * Return 0 if permission is granted. 629 * Return 0 if permission is granted.
619 * @task_wait: 630 * @task_wait:
620 * Check permission before allowing a process to reap a child process @p 631 * Check permission before allowing a process to reap a child process @p
@@ -656,6 +667,7 @@ struct swap_info_struct;
656 * Check permission before processing the received netlink message in 667 * Check permission before processing the received netlink message in
657 * @skb. 668 * @skb.
658 * @skb contains the sk_buff structure for the netlink message. 669 * @skb contains the sk_buff structure for the netlink message.
670 * @cap indicates the capability required
659 * Return 0 if permission is granted. 671 * Return 0 if permission is granted.
660 * 672 *
661 * Security hooks for Unix domain networking. 673 * Security hooks for Unix domain networking.
@@ -803,9 +815,19 @@ struct swap_info_struct;
803 * which is used to copy security attributes between local stream sockets. 815 * which is used to copy security attributes between local stream sockets.
804 * @sk_free_security: 816 * @sk_free_security:
805 * Deallocate security structure. 817 * Deallocate security structure.
806 * @sk_getsid: 818 * @sk_clone_security:
807 * Retrieve the LSM-specific sid for the sock to enable caching of network 819 * Clone/copy security structure.
820 * @sk_getsecid:
821 * Retrieve the LSM-specific secid for the sock to enable caching of network
808 * authorizations. 822 * authorizations.
823 * @sock_graft:
824 * Sets the socket's isec sid to the sock's sid.
825 * @inet_conn_request:
826 * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
827 * @inet_csk_clone:
828 * Sets the new child socket's sid to the openreq sid.
829 * @req_classify_flow:
830 * Sets the flow's sid to the openreq sid.
809 * 831 *
810 * Security hooks for XFRM operations. 832 * Security hooks for XFRM operations.
811 * 833 *
@@ -814,9 +836,10 @@ struct swap_info_struct;
814 * used by the XFRM system. 836 * used by the XFRM system.
815 * @sec_ctx contains the security context information being provided by 837 * @sec_ctx contains the security context information being provided by
816 * the user-level policy update program (e.g., setkey). 838 * the user-level policy update program (e.g., setkey).
817 * Allocate a security structure to the xp->security field. 839 * @sk refers to the sock from which to derive the security context.
818 * The security field is initialized to NULL when the xfrm_policy is 840 * Allocate a security structure to the xp->security field; the security
819 * allocated. 841 * field is initialized to NULL when the xfrm_policy is allocated. Only
842 * one of sec_ctx or sock can be specified.
820 * Return 0 if operation was successful (memory to allocate, legal context) 843 * Return 0 if operation was successful (memory to allocate, legal context)
821 * @xfrm_policy_clone_security: 844 * @xfrm_policy_clone_security:
822 * @old contains an existing xfrm_policy in the SPD. 845 * @old contains an existing xfrm_policy in the SPD.
@@ -835,9 +858,14 @@ struct swap_info_struct;
835 * Database by the XFRM system. 858 * Database by the XFRM system.
836 * @sec_ctx contains the security context information being provided by 859 * @sec_ctx contains the security context information being provided by
837 * the user-level SA generation program (e.g., setkey or racoon). 860 * the user-level SA generation program (e.g., setkey or racoon).
838 * Allocate a security structure to the x->security field. The 861 * @polsec contains the security context information associated with a xfrm
839 * security field is initialized to NULL when the xfrm_state is 862 * policy rule from which to take the base context. polsec must be NULL
840 * allocated. 863 * when sec_ctx is specified.
864 * @secid contains the secid from which to take the mls portion of the context.
865 * Allocate a security structure to the x->security field; the security
866 * field is initialized to NULL when the xfrm_state is allocated. Set the
867 * context to correspond to either sec_ctx or polsec, with the mls portion
868 * taken from secid in the latter case.
841 * Return 0 if operation was successful (memory to allocate, legal context). 869 * Return 0 if operation was successful (memory to allocate, legal context).
842 * @xfrm_state_free_security: 870 * @xfrm_state_free_security:
843 * @x contains the xfrm_state. 871 * @x contains the xfrm_state.
@@ -848,13 +876,27 @@ struct swap_info_struct;
848 * @xfrm_policy_lookup: 876 * @xfrm_policy_lookup:
849 * @xp contains the xfrm_policy for which the access control is being 877 * @xp contains the xfrm_policy for which the access control is being
850 * checked. 878 * checked.
851 * @sk_sid contains the sock security label that is used to authorize 879 * @fl_secid contains the flow security label that is used to authorize
852 * access to the policy xp. 880 * access to the policy xp.
853 * @dir contains the direction of the flow (input or output). 881 * @dir contains the direction of the flow (input or output).
854 * Check permission when a sock selects a xfrm_policy for processing 882 * Check permission when a flow selects a xfrm_policy for processing
855 * XFRMs on a packet. The hook is called when selecting either a 883 * XFRMs on a packet. The hook is called when selecting either a
856 * per-socket policy or a generic xfrm policy. 884 * per-socket policy or a generic xfrm policy.
857 * Return 0 if permission is granted. 885 * Return 0 if permission is granted.
886 * @xfrm_state_pol_flow_match:
887 * @x contains the state to match.
888 * @xp contains the policy to check for a match.
889 * @fl contains the flow to check for a match.
890 * Return 1 if there is a match.
891 * @xfrm_flow_state_match:
892 * @fl contains the flow key to match.
893 * @xfrm points to the xfrm_state to match.
894 * Return 1 if there is a match.
895 * @xfrm_decode_session:
896 * @skb points to skb to decode.
897 * @secid points to the flow key secid to set.
898 * @ckall says if all xfrms used should be checked for same secid.
899 * Return 0 if ckall is zero or all xfrms used have the same secid.
858 * 900 *
859 * Security hooks affecting all Key Management operations 901 * Security hooks affecting all Key Management operations
860 * 902 *
@@ -862,6 +904,7 @@ struct swap_info_struct;
862 * Permit allocation of a key and assign security data. Note that key does 904 * Permit allocation of a key and assign security data. Note that key does
863 * not have a serial number assigned at this point. 905 * not have a serial number assigned at this point.
864 * @key points to the key. 906 * @key points to the key.
907 * @flags is the allocation flags
865 * Return 0 if permission is granted, -ve error otherwise. 908 * Return 0 if permission is granted, -ve error otherwise.
866 * @key_free: 909 * @key_free:
867 * Notification of destruction; free security data. 910 * Notification of destruction; free security data.
@@ -1099,6 +1142,16 @@ struct swap_info_struct;
1099 * @name contains the name of the security module being unstacked. 1142 * @name contains the name of the security module being unstacked.
1100 * @ops contains a pointer to the struct security_operations of the module to unstack. 1143 * @ops contains a pointer to the struct security_operations of the module to unstack.
1101 * 1144 *
1145 * @secid_to_secctx:
1146 * Convert secid to security context.
1147 * @secid contains the security ID.
1148 * @secdata contains the pointer that stores the converted security context.
1149 *
1150 * @release_secctx:
1151 * Release the security context.
1152 * @secdata contains the security context.
1153 * @seclen contains the length of the security context.
1154 *
1102 * This is the main security structure. 1155 * This is the main security structure.
1103 */ 1156 */
1104struct security_operations { 1157struct security_operations {
@@ -1217,16 +1270,18 @@ struct security_operations {
1217 int (*task_setpgid) (struct task_struct * p, pid_t pgid); 1270 int (*task_setpgid) (struct task_struct * p, pid_t pgid);
1218 int (*task_getpgid) (struct task_struct * p); 1271 int (*task_getpgid) (struct task_struct * p);
1219 int (*task_getsid) (struct task_struct * p); 1272 int (*task_getsid) (struct task_struct * p);
1273 void (*task_getsecid) (struct task_struct * p, u32 * secid);
1220 int (*task_setgroups) (struct group_info *group_info); 1274 int (*task_setgroups) (struct group_info *group_info);
1221 int (*task_setnice) (struct task_struct * p, int nice); 1275 int (*task_setnice) (struct task_struct * p, int nice);
1222 int (*task_setioprio) (struct task_struct * p, int ioprio); 1276 int (*task_setioprio) (struct task_struct * p, int ioprio);
1277 int (*task_getioprio) (struct task_struct * p);
1223 int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim); 1278 int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim);
1224 int (*task_setscheduler) (struct task_struct * p, int policy, 1279 int (*task_setscheduler) (struct task_struct * p, int policy,
1225 struct sched_param * lp); 1280 struct sched_param * lp);
1226 int (*task_getscheduler) (struct task_struct * p); 1281 int (*task_getscheduler) (struct task_struct * p);
1227 int (*task_movememory) (struct task_struct * p); 1282 int (*task_movememory) (struct task_struct * p);
1228 int (*task_kill) (struct task_struct * p, 1283 int (*task_kill) (struct task_struct * p,
1229 struct siginfo * info, int sig); 1284 struct siginfo * info, int sig, u32 secid);
1230 int (*task_wait) (struct task_struct * p); 1285 int (*task_wait) (struct task_struct * p);
1231 int (*task_prctl) (int option, unsigned long arg2, 1286 int (*task_prctl) (int option, unsigned long arg2,
1232 unsigned long arg3, unsigned long arg4, 1287 unsigned long arg3, unsigned long arg4,
@@ -1265,7 +1320,7 @@ struct security_operations {
1265 struct sembuf * sops, unsigned nsops, int alter); 1320 struct sembuf * sops, unsigned nsops, int alter);
1266 1321
1267 int (*netlink_send) (struct sock * sk, struct sk_buff * skb); 1322 int (*netlink_send) (struct sock * sk, struct sk_buff * skb);
1268 int (*netlink_recv) (struct sk_buff * skb); 1323 int (*netlink_recv) (struct sk_buff * skb, int cap);
1269 1324
1270 /* allow module stacking */ 1325 /* allow module stacking */
1271 int (*register_security) (const char *name, 1326 int (*register_security) (const char *name,
@@ -1277,6 +1332,8 @@ struct security_operations {
1277 1332
1278 int (*getprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1333 int (*getprocattr)(struct task_struct *p, char *name, void *value, size_t size);
1279 int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1334 int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size);
1335 int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
1336 void (*release_secctx)(char *secdata, u32 seclen);
1280 1337
1281#ifdef CONFIG_SECURITY_NETWORK 1338#ifdef CONFIG_SECURITY_NETWORK
1282 int (*unix_stream_connect) (struct socket * sock, 1339 int (*unix_stream_connect) (struct socket * sock,
@@ -1284,8 +1341,8 @@ struct security_operations {
1284 int (*unix_may_send) (struct socket * sock, struct socket * other); 1341 int (*unix_may_send) (struct socket * sock, struct socket * other);
1285 1342
1286 int (*socket_create) (int family, int type, int protocol, int kern); 1343 int (*socket_create) (int family, int type, int protocol, int kern);
1287 void (*socket_post_create) (struct socket * sock, int family, 1344 int (*socket_post_create) (struct socket * sock, int family,
1288 int type, int protocol, int kern); 1345 int type, int protocol, int kern);
1289 int (*socket_bind) (struct socket * sock, 1346 int (*socket_bind) (struct socket * sock,
1290 struct sockaddr * address, int addrlen); 1347 struct sockaddr * address, int addrlen);
1291 int (*socket_connect) (struct socket * sock, 1348 int (*socket_connect) (struct socket * sock,
@@ -1305,26 +1362,39 @@ struct security_operations {
1305 int (*socket_shutdown) (struct socket * sock, int how); 1362 int (*socket_shutdown) (struct socket * sock, int how);
1306 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); 1363 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb);
1307 int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); 1364 int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
1308 int (*socket_getpeersec_dgram) (struct sk_buff *skb, char **secdata, u32 *seclen); 1365 int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid);
1309 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority); 1366 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
1310 void (*sk_free_security) (struct sock *sk); 1367 void (*sk_free_security) (struct sock *sk);
1311 unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir); 1368 void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
1369 void (*sk_getsecid) (struct sock *sk, u32 *secid);
1370 void (*sock_graft)(struct sock* sk, struct socket *parent);
1371 int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
1372 struct request_sock *req);
1373 void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
1374 void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
1312#endif /* CONFIG_SECURITY_NETWORK */ 1375#endif /* CONFIG_SECURITY_NETWORK */
1313 1376
1314#ifdef CONFIG_SECURITY_NETWORK_XFRM 1377#ifdef CONFIG_SECURITY_NETWORK_XFRM
1315 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); 1378 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp,
1379 struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk);
1316 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new); 1380 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);
1317 void (*xfrm_policy_free_security) (struct xfrm_policy *xp); 1381 void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
1318 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp); 1382 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp);
1319 int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); 1383 int (*xfrm_state_alloc_security) (struct xfrm_state *x,
1384 struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *polsec,
1385 u32 secid);
1320 void (*xfrm_state_free_security) (struct xfrm_state *x); 1386 void (*xfrm_state_free_security) (struct xfrm_state *x);
1321 int (*xfrm_state_delete_security) (struct xfrm_state *x); 1387 int (*xfrm_state_delete_security) (struct xfrm_state *x);
1322 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir); 1388 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
1389 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
1390 struct xfrm_policy *xp, struct flowi *fl);
1391 int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm);
1392 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
1323#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 1393#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1324 1394
1325 /* key management security hooks */ 1395 /* key management security hooks */
1326#ifdef CONFIG_KEYS 1396#ifdef CONFIG_KEYS
1327 int (*key_alloc)(struct key *key, struct task_struct *tsk); 1397 int (*key_alloc)(struct key *key, struct task_struct *tsk, unsigned long flags);
1328 void (*key_free)(struct key *key); 1398 void (*key_free)(struct key *key);
1329 int (*key_permission)(key_ref_t key_ref, 1399 int (*key_permission)(key_ref_t key_ref,
1330 struct task_struct *context, 1400 struct task_struct *context,
@@ -1525,6 +1595,7 @@ static inline void security_sb_post_pivotroot (struct nameidata *old_nd,
1525 1595
1526static inline int security_inode_alloc (struct inode *inode) 1596static inline int security_inode_alloc (struct inode *inode)
1527{ 1597{
1598 inode->i_security = NULL;
1528 return security_ops->inode_alloc_security (inode); 1599 return security_ops->inode_alloc_security (inode);
1529} 1600}
1530 1601
@@ -1837,6 +1908,11 @@ static inline int security_task_getsid (struct task_struct *p)
1837 return security_ops->task_getsid (p); 1908 return security_ops->task_getsid (p);
1838} 1909}
1839 1910
1911static inline void security_task_getsecid (struct task_struct *p, u32 *secid)
1912{
1913 security_ops->task_getsecid (p, secid);
1914}
1915
1840static inline int security_task_setgroups (struct group_info *group_info) 1916static inline int security_task_setgroups (struct group_info *group_info)
1841{ 1917{
1842 return security_ops->task_setgroups (group_info); 1918 return security_ops->task_setgroups (group_info);
@@ -1852,6 +1928,11 @@ static inline int security_task_setioprio (struct task_struct *p, int ioprio)
1852 return security_ops->task_setioprio (p, ioprio); 1928 return security_ops->task_setioprio (p, ioprio);
1853} 1929}
1854 1930
1931static inline int security_task_getioprio (struct task_struct *p)
1932{
1933 return security_ops->task_getioprio (p);
1934}
1935
1855static inline int security_task_setrlimit (unsigned int resource, 1936static inline int security_task_setrlimit (unsigned int resource,
1856 struct rlimit *new_rlim) 1937 struct rlimit *new_rlim)
1857{ 1938{
@@ -1876,9 +1957,10 @@ static inline int security_task_movememory (struct task_struct *p)
1876} 1957}
1877 1958
1878static inline int security_task_kill (struct task_struct *p, 1959static inline int security_task_kill (struct task_struct *p,
1879 struct siginfo *info, int sig) 1960 struct siginfo *info, int sig,
1961 u32 secid)
1880{ 1962{
1881 return security_ops->task_kill (p, info, sig); 1963 return security_ops->task_kill (p, info, sig, secid);
1882} 1964}
1883 1965
1884static inline int security_task_wait (struct task_struct *p) 1966static inline int security_task_wait (struct task_struct *p)
@@ -2031,9 +2113,19 @@ static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb)
2031 return security_ops->netlink_send(sk, skb); 2113 return security_ops->netlink_send(sk, skb);
2032} 2114}
2033 2115
2034static inline int security_netlink_recv(struct sk_buff * skb) 2116static inline int security_netlink_recv(struct sk_buff * skb, int cap)
2117{
2118 return security_ops->netlink_recv(skb, cap);
2119}
2120
2121static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
2035{ 2122{
2036 return security_ops->netlink_recv(skb); 2123 return security_ops->secid_to_secctx(secid, secdata, seclen);
2124}
2125
2126static inline void security_release_secctx(char *secdata, u32 seclen)
2127{
2128 return security_ops->release_secctx(secdata, seclen);
2037} 2129}
2038 2130
2039/* prototypes */ 2131/* prototypes */
@@ -2489,6 +2581,9 @@ static inline int security_task_getsid (struct task_struct *p)
2489 return 0; 2581 return 0;
2490} 2582}
2491 2583
2584static inline void security_task_getsecid (struct task_struct *p, u32 *secid)
2585{ }
2586
2492static inline int security_task_setgroups (struct group_info *group_info) 2587static inline int security_task_setgroups (struct group_info *group_info)
2493{ 2588{
2494 return 0; 2589 return 0;
@@ -2504,6 +2599,11 @@ static inline int security_task_setioprio (struct task_struct *p, int ioprio)
2504 return 0; 2599 return 0;
2505} 2600}
2506 2601
2602static inline int security_task_getioprio (struct task_struct *p)
2603{
2604 return 0;
2605}
2606
2507static inline int security_task_setrlimit (unsigned int resource, 2607static inline int security_task_setrlimit (unsigned int resource,
2508 struct rlimit *new_rlim) 2608 struct rlimit *new_rlim)
2509{ 2609{
@@ -2528,7 +2628,8 @@ static inline int security_task_movememory (struct task_struct *p)
2528} 2628}
2529 2629
2530static inline int security_task_kill (struct task_struct *p, 2630static inline int security_task_kill (struct task_struct *p,
2531 struct siginfo *info, int sig) 2631 struct siginfo *info, int sig,
2632 u32 secid)
2532{ 2633{
2533 return 0; 2634 return 0;
2534} 2635}
@@ -2669,9 +2770,9 @@ static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb)
2669 return cap_netlink_send (sk, skb); 2770 return cap_netlink_send (sk, skb);
2670} 2771}
2671 2772
2672static inline int security_netlink_recv (struct sk_buff *skb) 2773static inline int security_netlink_recv (struct sk_buff *skb, int cap)
2673{ 2774{
2674 return cap_netlink_recv (skb); 2775 return cap_netlink_recv (skb, cap);
2675} 2776}
2676 2777
2677static inline struct dentry *securityfs_create_dir(const char *name, 2778static inline struct dentry *securityfs_create_dir(const char *name,
@@ -2693,6 +2794,14 @@ static inline void securityfs_remove(struct dentry *dentry)
2693{ 2794{
2694} 2795}
2695 2796
2797static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
2798{
2799 return -EOPNOTSUPP;
2800}
2801
2802static inline void security_release_secctx(char *secdata, u32 seclen)
2803{
2804}
2696#endif /* CONFIG_SECURITY */ 2805#endif /* CONFIG_SECURITY */
2697 2806
2698#ifdef CONFIG_SECURITY_NETWORK 2807#ifdef CONFIG_SECURITY_NETWORK
@@ -2716,13 +2825,13 @@ static inline int security_socket_create (int family, int type,
2716 return security_ops->socket_create(family, type, protocol, kern); 2825 return security_ops->socket_create(family, type, protocol, kern);
2717} 2826}
2718 2827
2719static inline void security_socket_post_create(struct socket * sock, 2828static inline int security_socket_post_create(struct socket * sock,
2720 int family, 2829 int family,
2721 int type, 2830 int type,
2722 int protocol, int kern) 2831 int protocol, int kern)
2723{ 2832{
2724 security_ops->socket_post_create(sock, family, type, 2833 return security_ops->socket_post_create(sock, family, type,
2725 protocol, kern); 2834 protocol, kern);
2726} 2835}
2727 2836
2728static inline int security_socket_bind(struct socket * sock, 2837static inline int security_socket_bind(struct socket * sock,
@@ -2808,10 +2917,9 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
2808 return security_ops->socket_getpeersec_stream(sock, optval, optlen, len); 2917 return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
2809} 2918}
2810 2919
2811static inline int security_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, 2920static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
2812 u32 *seclen)
2813{ 2921{
2814 return security_ops->socket_getpeersec_dgram(skb, secdata, seclen); 2922 return security_ops->socket_getpeersec_dgram(sock, skb, secid);
2815} 2923}
2816 2924
2817static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) 2925static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
@@ -2824,9 +2932,36 @@ static inline void security_sk_free(struct sock *sk)
2824 return security_ops->sk_free_security(sk); 2932 return security_ops->sk_free_security(sk);
2825} 2933}
2826 2934
2827static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir) 2935static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
2936{
2937 return security_ops->sk_clone_security(sk, newsk);
2938}
2939
2940static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
2941{
2942 security_ops->sk_getsecid(sk, &fl->secid);
2943}
2944
2945static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
2946{
2947 security_ops->req_classify_flow(req, fl);
2948}
2949
2950static inline void security_sock_graft(struct sock* sk, struct socket *parent)
2828{ 2951{
2829 return security_ops->sk_getsid(sk, fl, dir); 2952 security_ops->sock_graft(sk, parent);
2953}
2954
2955static inline int security_inet_conn_request(struct sock *sk,
2956 struct sk_buff *skb, struct request_sock *req)
2957{
2958 return security_ops->inet_conn_request(sk, skb, req);
2959}
2960
2961static inline void security_inet_csk_clone(struct sock *newsk,
2962 const struct request_sock *req)
2963{
2964 security_ops->inet_csk_clone(newsk, req);
2830} 2965}
2831#else /* CONFIG_SECURITY_NETWORK */ 2966#else /* CONFIG_SECURITY_NETWORK */
2832static inline int security_unix_stream_connect(struct socket * sock, 2967static inline int security_unix_stream_connect(struct socket * sock,
@@ -2848,11 +2983,12 @@ static inline int security_socket_create (int family, int type,
2848 return 0; 2983 return 0;
2849} 2984}
2850 2985
2851static inline void security_socket_post_create(struct socket * sock, 2986static inline int security_socket_post_create(struct socket * sock,
2852 int family, 2987 int family,
2853 int type, 2988 int type,
2854 int protocol, int kern) 2989 int protocol, int kern)
2855{ 2990{
2991 return 0;
2856} 2992}
2857 2993
2858static inline int security_socket_bind(struct socket * sock, 2994static inline int security_socket_bind(struct socket * sock,
@@ -2936,8 +3072,7 @@ static inline int security_socket_getpeersec_stream(struct socket *sock, char __
2936 return -ENOPROTOOPT; 3072 return -ENOPROTOOPT;
2937} 3073}
2938 3074
2939static inline int security_socket_getpeersec_dgram(struct sk_buff *skb, char **secdata, 3075static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
2940 u32 *seclen)
2941{ 3076{
2942 return -ENOPROTOOPT; 3077 return -ENOPROTOOPT;
2943} 3078}
@@ -2951,16 +3086,43 @@ static inline void security_sk_free(struct sock *sk)
2951{ 3086{
2952} 3087}
2953 3088
2954static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir) 3089static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
3090{
3091}
3092
3093static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
3094{
3095}
3096
3097static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
3098{
3099}
3100
3101static inline void security_sock_graft(struct sock* sk, struct socket *parent)
3102{
3103}
3104
3105static inline int security_inet_conn_request(struct sock *sk,
3106 struct sk_buff *skb, struct request_sock *req)
2955{ 3107{
2956 return 0; 3108 return 0;
2957} 3109}
3110
3111static inline void security_inet_csk_clone(struct sock *newsk,
3112 const struct request_sock *req)
3113{
3114}
2958#endif /* CONFIG_SECURITY_NETWORK */ 3115#endif /* CONFIG_SECURITY_NETWORK */
2959 3116
2960#ifdef CONFIG_SECURITY_NETWORK_XFRM 3117#ifdef CONFIG_SECURITY_NETWORK_XFRM
2961static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) 3118static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
2962{ 3119{
2963 return security_ops->xfrm_policy_alloc_security(xp, sec_ctx); 3120 return security_ops->xfrm_policy_alloc_security(xp, sec_ctx, NULL);
3121}
3122
3123static inline int security_xfrm_sock_policy_alloc(struct xfrm_policy *xp, struct sock *sk)
3124{
3125 return security_ops->xfrm_policy_alloc_security(xp, NULL, sk);
2964} 3126}
2965 3127
2966static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) 3128static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
@@ -2978,9 +3140,18 @@ static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
2978 return security_ops->xfrm_policy_delete_security(xp); 3140 return security_ops->xfrm_policy_delete_security(xp);
2979} 3141}
2980 3142
2981static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 3143static inline int security_xfrm_state_alloc(struct xfrm_state *x,
3144 struct xfrm_user_sec_ctx *sec_ctx)
3145{
3146 return security_ops->xfrm_state_alloc_security(x, sec_ctx, NULL, 0);
3147}
3148
3149static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
3150 struct xfrm_sec_ctx *polsec, u32 secid)
2982{ 3151{
2983 return security_ops->xfrm_state_alloc_security(x, sec_ctx); 3152 if (!polsec)
3153 return 0;
3154 return security_ops->xfrm_state_alloc_security(x, NULL, polsec, secid);
2984} 3155}
2985 3156
2986static inline int security_xfrm_state_delete(struct xfrm_state *x) 3157static inline int security_xfrm_state_delete(struct xfrm_state *x)
@@ -2993,9 +3164,32 @@ static inline void security_xfrm_state_free(struct xfrm_state *x)
2993 security_ops->xfrm_state_free_security(x); 3164 security_ops->xfrm_state_free_security(x);
2994} 3165}
2995 3166
2996static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir) 3167static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
2997{ 3168{
2998 return security_ops->xfrm_policy_lookup(xp, sk_sid, dir); 3169 return security_ops->xfrm_policy_lookup(xp, fl_secid, dir);
3170}
3171
3172static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
3173 struct xfrm_policy *xp, struct flowi *fl)
3174{
3175 return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
3176}
3177
3178static inline int security_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
3179{
3180 return security_ops->xfrm_flow_state_match(fl, xfrm);
3181}
3182
3183static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
3184{
3185 return security_ops->xfrm_decode_session(skb, secid, 1);
3186}
3187
3188static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
3189{
3190 int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
3191
3192 BUG_ON(rc);
2999} 3193}
3000#else /* CONFIG_SECURITY_NETWORK_XFRM */ 3194#else /* CONFIG_SECURITY_NETWORK_XFRM */
3001static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) 3195static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
@@ -3003,6 +3197,11 @@ static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm
3003 return 0; 3197 return 0;
3004} 3198}
3005 3199
3200static inline int security_xfrm_sock_policy_alloc(struct xfrm_policy *xp, struct sock *sk)
3201{
3202 return 0;
3203}
3204
3006static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) 3205static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
3007{ 3206{
3008 return 0; 3207 return 0;
@@ -3017,7 +3216,14 @@ static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
3017 return 0; 3216 return 0;
3018} 3217}
3019 3218
3020static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 3219static inline int security_xfrm_state_alloc(struct xfrm_state *x,
3220 struct xfrm_user_sec_ctx *sec_ctx)
3221{
3222 return 0;
3223}
3224
3225static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
3226 struct xfrm_sec_ctx *polsec, u32 secid)
3021{ 3227{
3022 return 0; 3228 return 0;
3023} 3229}
@@ -3031,18 +3237,41 @@ static inline int security_xfrm_state_delete(struct xfrm_state *x)
3031 return 0; 3237 return 0;
3032} 3238}
3033 3239
3034static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir) 3240static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
3035{ 3241{
3036 return 0; 3242 return 0;
3037} 3243}
3244
3245static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
3246 struct xfrm_policy *xp, struct flowi *fl)
3247{
3248 return 1;
3249}
3250
3251static inline int security_xfrm_flow_state_match(struct flowi *fl,
3252 struct xfrm_state *xfrm)
3253{
3254 return 1;
3255}
3256
3257static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
3258{
3259 return 0;
3260}
3261
3262static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
3263{
3264}
3265
3038#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 3266#endif /* CONFIG_SECURITY_NETWORK_XFRM */
3039 3267
3040#ifdef CONFIG_KEYS 3268#ifdef CONFIG_KEYS
3041#ifdef CONFIG_SECURITY 3269#ifdef CONFIG_SECURITY
3042static inline int security_key_alloc(struct key *key, 3270static inline int security_key_alloc(struct key *key,
3043 struct task_struct *tsk) 3271 struct task_struct *tsk,
3272 unsigned long flags)
3044{ 3273{
3045 return security_ops->key_alloc(key, tsk); 3274 return security_ops->key_alloc(key, tsk, flags);
3046} 3275}
3047 3276
3048static inline void security_key_free(struct key *key) 3277static inline void security_key_free(struct key *key)
@@ -3060,7 +3289,8 @@ static inline int security_key_permission(key_ref_t key_ref,
3060#else 3289#else
3061 3290
3062static inline int security_key_alloc(struct key *key, 3291static inline int security_key_alloc(struct key *key,
3063 struct task_struct *tsk) 3292 struct task_struct *tsk,
3293 unsigned long flags)
3064{ 3294{
3065 return 0; 3295 return 0;
3066} 3296}
generated by cgit v1.2.2 (git 2.25.0) at 2025-05-02 01:21:49 -0400