aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2009-01-06 20:11:39 -0500
committerLinus Torvalds <torvalds@linux-foundation.org>2009-01-06 20:11:39 -0500
commitc861ea2cb2c25c1698734d9b0540a09e253690a1 (patch)
treeb83e5313ca07a3efbcbcdd7fe33e0f6ad6284493 /include
parent3610639d1fceb09cb418c65fcbe9136c31eee03a (diff)
parentac8cc0fa5395fe2278e305a4cbed48e90d88d878 (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #3] Revert "CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2]" SELinux: shrink sizeof av_inhert selinux_class_perm and context CRED: Fix regression in cap_capable() as shown up by sys_faccessat() [ver #2] keys: fix sparse warning by adding __user annotation to cast smack: Add support for unlabeled network hosts and networks selinux: Deprecate and schedule the removal of the the compat_net functionality netlabel: Update kernel configuration API
Diffstat (limited to 'include')
-rw-r--r--include/linux/capability.h17
-rw-r--r--include/linux/security.h41
-rw-r--r--include/net/cipso_ipv4.h6
-rw-r--r--include/net/netlabel.h86
4 files changed, 131 insertions, 19 deletions
diff --git a/include/linux/capability.h b/include/linux/capability.h
index e22f48c2a46..02bdb768d43 100644
--- a/include/linux/capability.h
+++ b/include/linux/capability.h
@@ -529,8 +529,21 @@ extern const kernel_cap_t __cap_init_eff_set;
529 * 529 *
530 * Note that this does not set PF_SUPERPRIV on the task. 530 * Note that this does not set PF_SUPERPRIV on the task.
531 */ 531 */
532#define has_capability(t, cap) (security_capable((t), (cap)) == 0) 532#define has_capability(t, cap) (security_real_capable((t), (cap)) == 0)
533#define has_capability_noaudit(t, cap) (security_capable_noaudit((t), (cap)) == 0) 533
534/**
535 * has_capability_noaudit - Determine if a task has a superior capability available (unaudited)
536 * @t: The task in question
537 * @cap: The capability to be tested for
538 *
539 * Return true if the specified task has the given superior capability
540 * currently in effect, false if not, but don't write an audit message for the
541 * check.
542 *
543 * Note that this does not set PF_SUPERPRIV on the task.
544 */
545#define has_capability_noaudit(t, cap) \
546 (security_real_capable_noaudit((t), (cap)) == 0)
534 547
535extern int capable(int cap); 548extern int capable(int cap);
536 549
diff --git a/include/linux/security.h b/include/linux/security.h
index b92b5e453f6..1f2ab6353c0 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -48,7 +48,8 @@ struct audit_krule;
48 * These functions are in security/capability.c and are used 48 * These functions are in security/capability.c and are used
49 * as the default capabilities functions 49 * as the default capabilities functions
50 */ 50 */
51extern int cap_capable(struct task_struct *tsk, int cap, int audit); 51extern int cap_capable(struct task_struct *tsk, const struct cred *cred,
52 int cap, int audit);
52extern int cap_settime(struct timespec *ts, struct timezone *tz); 53extern int cap_settime(struct timespec *ts, struct timezone *tz);
53extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode); 54extern int cap_ptrace_may_access(struct task_struct *child, unsigned int mode);
54extern int cap_ptrace_traceme(struct task_struct *parent); 55extern int cap_ptrace_traceme(struct task_struct *parent);
@@ -1251,9 +1252,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
1251 * @permitted contains the permitted capability set. 1252 * @permitted contains the permitted capability set.
1252 * Return 0 and update @new if permission is granted. 1253 * Return 0 and update @new if permission is granted.
1253 * @capable: 1254 * @capable:
1254 * Check whether the @tsk process has the @cap capability. 1255 * Check whether the @tsk process has the @cap capability in the indicated
1256 * credentials.
1255 * @tsk contains the task_struct for the process. 1257 * @tsk contains the task_struct for the process.
1258 * @cred contains the credentials to use.
1256 * @cap contains the capability <include/linux/capability.h>. 1259 * @cap contains the capability <include/linux/capability.h>.
1260 * @audit: Whether to write an audit message or not
1257 * Return 0 if the capability is granted for @tsk. 1261 * Return 0 if the capability is granted for @tsk.
1258 * @acct: 1262 * @acct:
1259 * Check permission before enabling or disabling process accounting. If 1263 * Check permission before enabling or disabling process accounting. If
@@ -1346,7 +1350,8 @@ struct security_operations {
1346 const kernel_cap_t *effective, 1350 const kernel_cap_t *effective,
1347 const kernel_cap_t *inheritable, 1351 const kernel_cap_t *inheritable,
1348 const kernel_cap_t *permitted); 1352 const kernel_cap_t *permitted);
1349 int (*capable) (struct task_struct *tsk, int cap, int audit); 1353 int (*capable) (struct task_struct *tsk, const struct cred *cred,
1354 int cap, int audit);
1350 int (*acct) (struct file *file); 1355 int (*acct) (struct file *file);
1351 int (*sysctl) (struct ctl_table *table, int op); 1356 int (*sysctl) (struct ctl_table *table, int op);
1352 int (*quotactl) (int cmds, int type, int id, struct super_block *sb); 1357 int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
@@ -1628,8 +1633,9 @@ int security_capset(struct cred *new, const struct cred *old,
1628 const kernel_cap_t *effective, 1633 const kernel_cap_t *effective,
1629 const kernel_cap_t *inheritable, 1634 const kernel_cap_t *inheritable,
1630 const kernel_cap_t *permitted); 1635 const kernel_cap_t *permitted);
1631int security_capable(struct task_struct *tsk, int cap); 1636int security_capable(int cap);
1632int security_capable_noaudit(struct task_struct *tsk, int cap); 1637int security_real_capable(struct task_struct *tsk, int cap);
1638int security_real_capable_noaudit(struct task_struct *tsk, int cap);
1633int security_acct(struct file *file); 1639int security_acct(struct file *file);
1634int security_sysctl(struct ctl_table *table, int op); 1640int security_sysctl(struct ctl_table *table, int op);
1635int security_quotactl(int cmds, int type, int id, struct super_block *sb); 1641int security_quotactl(int cmds, int type, int id, struct super_block *sb);
@@ -1826,14 +1832,31 @@ static inline int security_capset(struct cred *new,
1826 return cap_capset(new, old, effective, inheritable, permitted); 1832 return cap_capset(new, old, effective, inheritable, permitted);
1827} 1833}
1828 1834
1829static inline int security_capable(struct task_struct *tsk, int cap) 1835static inline int security_capable(int cap)
1830{ 1836{
1831 return cap_capable(tsk, cap, SECURITY_CAP_AUDIT); 1837 return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
1832} 1838}
1833 1839
1834static inline int security_capable_noaudit(struct task_struct *tsk, int cap) 1840static inline int security_real_capable(struct task_struct *tsk, int cap)
1835{ 1841{
1836 return cap_capable(tsk, cap, SECURITY_CAP_NOAUDIT); 1842 int ret;
1843
1844 rcu_read_lock();
1845 ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT);
1846 rcu_read_unlock();
1847 return ret;
1848}
1849
1850static inline
1851int security_real_capable_noaudit(struct task_struct *tsk, int cap)
1852{
1853 int ret;
1854
1855 rcu_read_lock();
1856 ret = cap_capable(tsk, __task_cred(tsk), cap,
1857 SECURITY_CAP_NOAUDIT);
1858 rcu_read_unlock();
1859 return ret;
1837} 1860}
1838 1861
1839static inline int security_acct(struct file *file) 1862static inline int security_acct(struct file *file)
diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h
index 9909774eb99..bedc7f62e35 100644
--- a/include/net/cipso_ipv4.h
+++ b/include/net/cipso_ipv4.h
@@ -131,7 +131,8 @@ extern int cipso_v4_rbm_strictvalid;
131 */ 131 */
132 132
133#ifdef CONFIG_NETLABEL 133#ifdef CONFIG_NETLABEL
134int cipso_v4_doi_add(struct cipso_v4_doi *doi_def); 134int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
135 struct netlbl_audit *audit_info);
135void cipso_v4_doi_free(struct cipso_v4_doi *doi_def); 136void cipso_v4_doi_free(struct cipso_v4_doi *doi_def);
136int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info); 137int cipso_v4_doi_remove(u32 doi, struct netlbl_audit *audit_info);
137struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi); 138struct cipso_v4_doi *cipso_v4_doi_getdef(u32 doi);
@@ -140,7 +141,8 @@ int cipso_v4_doi_walk(u32 *skip_cnt,
140 int (*callback) (struct cipso_v4_doi *doi_def, void *arg), 141 int (*callback) (struct cipso_v4_doi *doi_def, void *arg),
141 void *cb_arg); 142 void *cb_arg);
142#else 143#else
143static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def) 144static inline int cipso_v4_doi_add(struct cipso_v4_doi *doi_def,
145 struct netlbl_audit *audit_info)
144{ 146{
145 return -ENOSYS; 147 return -ENOSYS;
146} 148}
diff --git a/include/net/netlabel.h b/include/net/netlabel.h
index 17c442a4514..749011eedc0 100644
--- a/include/net/netlabel.h
+++ b/include/net/netlabel.h
@@ -33,6 +33,8 @@
33#include <linux/types.h> 33#include <linux/types.h>
34#include <linux/net.h> 34#include <linux/net.h>
35#include <linux/skbuff.h> 35#include <linux/skbuff.h>
36#include <linux/in.h>
37#include <linux/in6.h>
36#include <net/netlink.h> 38#include <net/netlink.h>
37#include <asm/atomic.h> 39#include <asm/atomic.h>
38 40
@@ -353,13 +355,37 @@ static inline void netlbl_secattr_free(struct netlbl_lsm_secattr *secattr)
353/* 355/*
354 * LSM configuration operations 356 * LSM configuration operations
355 */ 357 */
356int netlbl_cfg_map_del(const char *domain, struct netlbl_audit *audit_info); 358int netlbl_cfg_map_del(const char *domain,
357int netlbl_cfg_unlbl_add_map(const char *domain, 359 u16 family,
360 const void *addr,
361 const void *mask,
362 struct netlbl_audit *audit_info);
363int netlbl_cfg_unlbl_map_add(const char *domain,
364 u16 family,
365 const void *addr,
366 const void *mask,
358 struct netlbl_audit *audit_info); 367 struct netlbl_audit *audit_info);
359int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, 368int netlbl_cfg_unlbl_static_add(struct net *net,
369 const char *dev_name,
370 const void *addr,
371 const void *mask,
372 u16 family,
373 u32 secid,
374 struct netlbl_audit *audit_info);
375int netlbl_cfg_unlbl_static_del(struct net *net,
376 const char *dev_name,
377 const void *addr,
378 const void *mask,
379 u16 family,
380 struct netlbl_audit *audit_info);
381int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
382 struct netlbl_audit *audit_info);
383void netlbl_cfg_cipsov4_del(u32 doi, struct netlbl_audit *audit_info);
384int netlbl_cfg_cipsov4_map_add(u32 doi,
360 const char *domain, 385 const char *domain,
386 const struct in_addr *addr,
387 const struct in_addr *mask,
361 struct netlbl_audit *audit_info); 388 struct netlbl_audit *audit_info);
362
363/* 389/*
364 * LSM security attribute operations 390 * LSM security attribute operations
365 */ 391 */
@@ -401,19 +427,62 @@ void netlbl_skbuff_err(struct sk_buff *skb, int error, int gateway);
401void netlbl_cache_invalidate(void); 427void netlbl_cache_invalidate(void);
402int netlbl_cache_add(const struct sk_buff *skb, 428int netlbl_cache_add(const struct sk_buff *skb,
403 const struct netlbl_lsm_secattr *secattr); 429 const struct netlbl_lsm_secattr *secattr);
430
431/*
432 * Protocol engine operations
433 */
434struct audit_buffer *netlbl_audit_start(int type,
435 struct netlbl_audit *audit_info);
404#else 436#else
405static inline int netlbl_cfg_map_del(const char *domain, 437static inline int netlbl_cfg_map_del(const char *domain,
438 u16 family,
439 const void *addr,
440 const void *mask,
406 struct netlbl_audit *audit_info) 441 struct netlbl_audit *audit_info)
407{ 442{
408 return -ENOSYS; 443 return -ENOSYS;
409} 444}
410static inline int netlbl_cfg_unlbl_add_map(const char *domain, 445static inline int netlbl_cfg_unlbl_map_add(const char *domain,
446 u16 family,
447 void *addr,
448 void *mask,
411 struct netlbl_audit *audit_info) 449 struct netlbl_audit *audit_info)
412{ 450{
413 return -ENOSYS; 451 return -ENOSYS;
414} 452}
415static inline int netlbl_cfg_cipsov4_add_map(struct cipso_v4_doi *doi_def, 453static inline int netlbl_cfg_unlbl_static_add(struct net *net,
454 const char *dev_name,
455 const void *addr,
456 const void *mask,
457 u16 family,
458 u32 secid,
459 struct netlbl_audit *audit_info)
460{
461 return -ENOSYS;
462}
463static inline int netlbl_cfg_unlbl_static_del(struct net *net,
464 const char *dev_name,
465 const void *addr,
466 const void *mask,
467 u16 family,
468 struct netlbl_audit *audit_info)
469{
470 return -ENOSYS;
471}
472static inline int netlbl_cfg_cipsov4_add(struct cipso_v4_doi *doi_def,
473 struct netlbl_audit *audit_info)
474{
475 return -ENOSYS;
476}
477static inline void netlbl_cfg_cipsov4_del(u32 doi,
478 struct netlbl_audit *audit_info)
479{
480 return;
481}
482static inline int netlbl_cfg_cipsov4_map_add(u32 doi,
416 const char *domain, 483 const char *domain,
484 const struct in_addr *addr,
485 const struct in_addr *mask,
417 struct netlbl_audit *audit_info) 486 struct netlbl_audit *audit_info)
418{ 487{
419 return -ENOSYS; 488 return -ENOSYS;
@@ -495,6 +564,11 @@ static inline int netlbl_cache_add(const struct sk_buff *skb,
495{ 564{
496 return 0; 565 return 0;
497} 566}
567static inline struct audit_buffer *netlbl_audit_start(int type,
568 struct netlbl_audit *audit_info)
569{
570 return NULL;
571}
498#endif /* CONFIG_NETLABEL */ 572#endif /* CONFIG_NETLABEL */
499 573
500#endif /* _NETLABEL_H */ 574#endif /* _NETLABEL_H */