aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2007-10-17 02:31:32 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-10-17 11:43:07 -0400
commit20510f2f4e2dabb0ff6c13901807627ec9452f98 (patch)
treed64b9eeb90d577f7f9688a215c4c6c3c2405188a
parent5c3b447457789374cdb7b03afe2540d48c649a36 (diff)
security: Convert LSM into a static interface
Convert LSM into a static interface, as the ability to unload a security module is not required by in-tree users and potentially complicates the overall security architecture. Needlessly exported LSM symbols have been unexported, to help reduce API abuse. Parameters for the capability and root_plug modules are now specified at boot. The SECURITY_FRAMEWORK_VERSION macro has also been removed. In a nutshell, there is no safe way to unload an LSM. The modular interface is thus unecessary and broken infrastructure. It is used only by out-of-tree modules, which are often binary-only, illegal, abusive of the API and dangerous, e.g. silently re-vectoring SELinux. [akpm@linux-foundation.org: cleanups] [akpm@linux-foundation.org: USB Kconfig fix] [randy.dunlap@oracle.com: fix LSM kernel-doc] Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Chris Wright <chrisw@sous-sol.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: "Serge E. Hallyn" <serue@us.ibm.com> Acked-by: Arjan van de Ven <arjan@infradead.org> Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat
-rw-r--r--Documentation/DocBook/kernel-api.tmpl2
-rw-r--r--Documentation/kernel-parameters.txt17
-rw-r--r--include/linux/security.h1190
-rw-r--r--security/Kconfig6
-rw-r--r--security/capability.c24
-rw-r--r--security/commoncap.c3
-rw-r--r--security/dummy.c1
-rw-r--r--security/root_plug.c31
-rw-r--r--security/security.c964
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/xfrm.c1
11 files changed, 1185 insertions, 1056 deletions
diff --git a/Documentation/DocBook/kernel-api.tmpl b/Documentation/DocBook/kernel-api.tmpl
index 083258f0eab5..d3290c46af51 100644
--- a/Documentation/DocBook/kernel-api.tmpl
+++ b/Documentation/DocBook/kernel-api.tmpl
@@ -340,7 +340,7 @@ X!Earch/x86/kernel/mca_32.c
340 340
341 <chapter id="security"> 341 <chapter id="security">
342 <title>Security Framework</title> 342 <title>Security Framework</title>
343!Esecurity/security.c 343!Isecurity/security.c
344 </chapter> 344 </chapter>
345 345
346 <chapter id="audit"> 346 <chapter id="audit">
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index a0ed205e5351..63bda3637085 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -75,10 +75,12 @@ parameter is applicable:
75 PPT Parallel port support is enabled. 75 PPT Parallel port support is enabled.
76 PS2 Appropriate PS/2 support is enabled. 76 PS2 Appropriate PS/2 support is enabled.
77 RAM RAM disk support is enabled. 77 RAM RAM disk support is enabled.
78 ROOTPLUG The example Root Plug LSM is enabled.
78 S390 S390 architecture is enabled. 79 S390 S390 architecture is enabled.
79 SCSI Appropriate SCSI support is enabled. 80 SCSI Appropriate SCSI support is enabled.
80 A lot of drivers has their options described inside of 81 A lot of drivers has their options described inside of
81 Documentation/scsi/. 82 Documentation/scsi/.
83 SECURITY Different security models are enabled.
82 SELINUX SELinux support is enabled. 84 SELINUX SELinux support is enabled.
83 SERIAL Serial support is enabled. 85 SERIAL Serial support is enabled.
84 SH SuperH architecture is enabled. 86 SH SuperH architecture is enabled.
@@ -373,6 +375,12 @@ and is between 256 and 4096 characters. It is defined in the file
373 possible to determine what the correct size should be. 375 possible to determine what the correct size should be.
374 This option provides an override for these situations. 376 This option provides an override for these situations.
375 377
378 capability.disable=
379 [SECURITY] Disable capabilities. This would normally
380 be used only if an alternative security model is to be
381 configured. Potentially dangerous and should only be
382 used if you are entirely sure of the consequences.
383
376 chandev= [HW,NET] Generic channel device initialisation 384 chandev= [HW,NET] Generic channel device initialisation
377 385
378 checkreqprot [SELINUX] Set initial checkreqprot flag value. 386 checkreqprot [SELINUX] Set initial checkreqprot flag value.
@@ -1539,6 +1547,15 @@ and is between 256 and 4096 characters. It is defined in the file
1539 Useful for devices that are detected asynchronously 1547 Useful for devices that are detected asynchronously
1540 (e.g. USB and MMC devices). 1548 (e.g. USB and MMC devices).
1541 1549
1550 root_plug.vendor_id=
1551 [ROOTPLUG] Override the default vendor ID
1552
1553 root_plug.product_id=
1554 [ROOTPLUG] Override the default product ID
1555
1556 root_plug.debug=
1557 [ROOTPLUG] Enable debugging output
1558
1542 rw [KNL] Mount root device read-write on boot 1559 rw [KNL] Mount root device read-write on boot
1543 1560
1544 S [KNL] Run init in single mode 1561 S [KNL] Run init in single mode
diff --git a/include/linux/security.h b/include/linux/security.h
index 928d4793c6f4..a300a3f2fe68 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -54,7 +54,7 @@ extern int cap_inode_removexattr(struct dentry *dentry, char *name);
54extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); 54extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
55extern void cap_task_reparent_to_init (struct task_struct *p); 55extern void cap_task_reparent_to_init (struct task_struct *p);
56extern int cap_syslog (int type); 56extern int cap_syslog (int type);
57extern int cap_vm_enough_memory (struct mm_struct *mm, long pages); 57extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);
58 58
59struct msghdr; 59struct msghdr;
60struct sk_buff; 60struct sk_buff;
@@ -1409,742 +1409,6 @@ struct security_operations {
1409 1409
1410}; 1410};
1411 1411
1412/* global variables */
1413extern struct security_operations *security_ops;
1414
1415/* inline stuff */
1416static inline int security_ptrace (struct task_struct * parent, struct task_struct * child)
1417{
1418 return security_ops->ptrace (parent, child);
1419}
1420
1421static inline int security_capget (struct task_struct *target,
1422 kernel_cap_t *effective,
1423 kernel_cap_t *inheritable,
1424 kernel_cap_t *permitted)
1425{
1426 return security_ops->capget (target, effective, inheritable, permitted);
1427}
1428
1429static inline int security_capset_check (struct task_struct *target,
1430 kernel_cap_t *effective,
1431 kernel_cap_t *inheritable,
1432 kernel_cap_t *permitted)
1433{
1434 return security_ops->capset_check (target, effective, inheritable, permitted);
1435}
1436
1437static inline void security_capset_set (struct task_struct *target,
1438 kernel_cap_t *effective,
1439 kernel_cap_t *inheritable,
1440 kernel_cap_t *permitted)
1441{
1442 security_ops->capset_set (target, effective, inheritable, permitted);
1443}
1444
1445static inline int security_capable(struct task_struct *tsk, int cap)
1446{
1447 return security_ops->capable(tsk, cap);
1448}
1449
1450static inline int security_acct (struct file *file)
1451{
1452 return security_ops->acct (file);
1453}
1454
1455static inline int security_sysctl(struct ctl_table *table, int op)
1456{
1457 return security_ops->sysctl(table, op);
1458}
1459
1460static inline int security_quotactl (int cmds, int type, int id,
1461 struct super_block *sb)
1462{
1463 return security_ops->quotactl (cmds, type, id, sb);
1464}
1465
1466static inline int security_quota_on (struct dentry * dentry)
1467{
1468 return security_ops->quota_on (dentry);
1469}
1470
1471static inline int security_syslog(int type)
1472{
1473 return security_ops->syslog(type);
1474}
1475
1476static inline int security_settime(struct timespec *ts, struct timezone *tz)
1477{
1478 return security_ops->settime(ts, tz);
1479}
1480
1481static inline int security_vm_enough_memory(long pages)
1482{
1483 return security_ops->vm_enough_memory(current->mm, pages);
1484}
1485
1486static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
1487{
1488 return security_ops->vm_enough_memory(mm, pages);
1489}
1490
1491static inline int security_bprm_alloc (struct linux_binprm *bprm)
1492{
1493 return security_ops->bprm_alloc_security (bprm);
1494}
1495static inline void security_bprm_free (struct linux_binprm *bprm)
1496{
1497 security_ops->bprm_free_security (bprm);
1498}
1499static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
1500{
1501 security_ops->bprm_apply_creds (bprm, unsafe);
1502}
1503static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm)
1504{
1505 security_ops->bprm_post_apply_creds (bprm);
1506}
1507static inline int security_bprm_set (struct linux_binprm *bprm)
1508{
1509 return security_ops->bprm_set_security (bprm);
1510}
1511
1512static inline int security_bprm_check (struct linux_binprm *bprm)
1513{
1514 return security_ops->bprm_check_security (bprm);
1515}
1516
1517static inline int security_bprm_secureexec (struct linux_binprm *bprm)
1518{
1519 return security_ops->bprm_secureexec (bprm);
1520}
1521
1522static inline int security_sb_alloc (struct super_block *sb)
1523{
1524 return security_ops->sb_alloc_security (sb);
1525}
1526
1527static inline void security_sb_free (struct super_block *sb)
1528{
1529 security_ops->sb_free_security (sb);
1530}
1531
1532static inline int security_sb_copy_data (struct file_system_type *type,
1533 void *orig, void *copy)
1534{
1535 return security_ops->sb_copy_data (type, orig, copy);
1536}
1537
1538static inline int security_sb_kern_mount (struct super_block *sb, void *data)
1539{
1540 return security_ops->sb_kern_mount (sb, data);
1541}
1542
1543static inline int security_sb_statfs (struct dentry *dentry)
1544{
1545 return security_ops->sb_statfs (dentry);
1546}
1547
1548static inline int security_sb_mount (char *dev_name, struct nameidata *nd,
1549 char *type, unsigned long flags,
1550 void *data)
1551{
1552 return security_ops->sb_mount (dev_name, nd, type, flags, data);
1553}
1554
1555static inline int security_sb_check_sb (struct vfsmount *mnt,
1556 struct nameidata *nd)
1557{
1558 return security_ops->sb_check_sb (mnt, nd);
1559}
1560
1561static inline int security_sb_umount (struct vfsmount *mnt, int flags)
1562{
1563 return security_ops->sb_umount (mnt, flags);
1564}
1565
1566static inline void security_sb_umount_close (struct vfsmount *mnt)
1567{
1568 security_ops->sb_umount_close (mnt);
1569}
1570
1571static inline void security_sb_umount_busy (struct vfsmount *mnt)
1572{
1573 security_ops->sb_umount_busy (mnt);
1574}
1575
1576static inline void security_sb_post_remount (struct vfsmount *mnt,
1577 unsigned long flags, void *data)
1578{
1579 security_ops->sb_post_remount (mnt, flags, data);
1580}
1581
1582static inline void security_sb_post_mountroot (void)
1583{
1584 security_ops->sb_post_mountroot ();
1585}
1586
1587static inline void security_sb_post_addmount (struct vfsmount *mnt,
1588 struct nameidata *mountpoint_nd)
1589{
1590 security_ops->sb_post_addmount (mnt, mountpoint_nd);
1591}
1592
1593static inline int security_sb_pivotroot (struct nameidata *old_nd,
1594 struct nameidata *new_nd)
1595{
1596 return security_ops->sb_pivotroot (old_nd, new_nd);
1597}
1598
1599static inline void security_sb_post_pivotroot (struct nameidata *old_nd,
1600 struct nameidata *new_nd)
1601{
1602 security_ops->sb_post_pivotroot (old_nd, new_nd);
1603}
1604
1605static inline int security_inode_alloc (struct inode *inode)
1606{
1607 inode->i_security = NULL;
1608 return security_ops->inode_alloc_security (inode);
1609}
1610
1611static inline void security_inode_free (struct inode *inode)
1612{
1613 security_ops->inode_free_security (inode);
1614}
1615
1616static inline int security_inode_init_security (struct inode *inode,
1617 struct inode *dir,
1618 char **name,
1619 void **value,
1620 size_t *len)
1621{
1622 if (unlikely (IS_PRIVATE (inode)))
1623 return -EOPNOTSUPP;
1624 return security_ops->inode_init_security (inode, dir, name, value, len);
1625}
1626
1627static inline int security_inode_create (struct inode *dir,
1628 struct dentry *dentry,
1629 int mode)
1630{
1631 if (unlikely (IS_PRIVATE (dir)))
1632 return 0;
1633 return security_ops->inode_create (dir, dentry, mode);
1634}
1635
1636static inline int security_inode_link (struct dentry *old_dentry,
1637 struct inode *dir,
1638 struct dentry *new_dentry)
1639{
1640 if (unlikely (IS_PRIVATE (old_dentry->d_inode)))
1641 return 0;
1642 return security_ops->inode_link (old_dentry, dir, new_dentry);
1643}
1644
1645static inline int security_inode_unlink (struct inode *dir,
1646 struct dentry *dentry)
1647{
1648 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1649 return 0;
1650 return security_ops->inode_unlink (dir, dentry);
1651}
1652
1653static inline int security_inode_symlink (struct inode *dir,
1654 struct dentry *dentry,
1655 const char *old_name)
1656{
1657 if (unlikely (IS_PRIVATE (dir)))
1658 return 0;
1659 return security_ops->inode_symlink (dir, dentry, old_name);
1660}
1661
1662static inline int security_inode_mkdir (struct inode *dir,
1663 struct dentry *dentry,
1664 int mode)
1665{
1666 if (unlikely (IS_PRIVATE (dir)))
1667 return 0;
1668 return security_ops->inode_mkdir (dir, dentry, mode);
1669}
1670
1671static inline int security_inode_rmdir (struct inode *dir,
1672 struct dentry *dentry)
1673{
1674 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1675 return 0;
1676 return security_ops->inode_rmdir (dir, dentry);
1677}
1678
1679static inline int security_inode_mknod (struct inode *dir,
1680 struct dentry *dentry,
1681 int mode, dev_t dev)
1682{
1683 if (unlikely (IS_PRIVATE (dir)))
1684 return 0;
1685 return security_ops->inode_mknod (dir, dentry, mode, dev);
1686}
1687
1688static inline int security_inode_rename (struct inode *old_dir,
1689 struct dentry *old_dentry,
1690 struct inode *new_dir,
1691 struct dentry *new_dentry)
1692{
1693 if (unlikely (IS_PRIVATE (old_dentry->d_inode) ||
1694 (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode))))
1695 return 0;
1696 return security_ops->inode_rename (old_dir, old_dentry,
1697 new_dir, new_dentry);
1698}
1699
1700static inline int security_inode_readlink (struct dentry *dentry)
1701{
1702 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1703 return 0;
1704 return security_ops->inode_readlink (dentry);
1705}
1706
1707static inline int security_inode_follow_link (struct dentry *dentry,
1708 struct nameidata *nd)
1709{
1710 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1711 return 0;
1712 return security_ops->inode_follow_link (dentry, nd);
1713}
1714
1715static inline int security_inode_permission (struct inode *inode, int mask,
1716 struct nameidata *nd)
1717{
1718 if (unlikely (IS_PRIVATE (inode)))
1719 return 0;
1720 return security_ops->inode_permission (inode, mask, nd);
1721}
1722
1723static inline int security_inode_setattr (struct dentry *dentry,
1724 struct iattr *attr)
1725{
1726 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1727 return 0;
1728 return security_ops->inode_setattr (dentry, attr);
1729}
1730
1731static inline int security_inode_getattr (struct vfsmount *mnt,
1732 struct dentry *dentry)
1733{
1734 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1735 return 0;
1736 return security_ops->inode_getattr (mnt, dentry);
1737}
1738
1739static inline void security_inode_delete (struct inode *inode)
1740{
1741 if (unlikely (IS_PRIVATE (inode)))
1742 return;
1743 security_ops->inode_delete (inode);
1744}
1745
1746static inline int security_inode_setxattr (struct dentry *dentry, char *name,
1747 void *value, size_t size, int flags)
1748{
1749 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1750 return 0;
1751 return security_ops->inode_setxattr (dentry, name, value, size, flags);
1752}
1753
1754static inline void security_inode_post_setxattr (struct dentry *dentry, char *name,
1755 void *value, size_t size, int flags)
1756{
1757 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1758 return;
1759 security_ops->inode_post_setxattr (dentry, name, value, size, flags);
1760}
1761
1762static inline int security_inode_getxattr (struct dentry *dentry, char *name)
1763{
1764 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1765 return 0;
1766 return security_ops->inode_getxattr (dentry, name);
1767}
1768
1769static inline int security_inode_listxattr (struct dentry *dentry)
1770{
1771 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1772 return 0;
1773 return security_ops->inode_listxattr (dentry);
1774}
1775
1776static inline int security_inode_removexattr (struct dentry *dentry, char *name)
1777{
1778 if (unlikely (IS_PRIVATE (dentry->d_inode)))
1779 return 0;
1780 return security_ops->inode_removexattr (dentry, name);
1781}
1782
1783static inline const char *security_inode_xattr_getsuffix(void)
1784{
1785 return security_ops->inode_xattr_getsuffix();
1786}
1787
1788static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1789{
1790 if (unlikely (IS_PRIVATE (inode)))
1791 return 0;
1792 return security_ops->inode_getsecurity(inode, name, buffer, size, err);
1793}
1794
1795static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
1796{
1797 if (unlikely (IS_PRIVATE (inode)))
1798 return 0;
1799 return security_ops->inode_setsecurity(inode, name, value, size, flags);
1800}
1801
1802static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
1803{
1804 if (unlikely (IS_PRIVATE (inode)))
1805 return 0;
1806 return security_ops->inode_listsecurity(inode, buffer, buffer_size);
1807}
1808
1809static inline int security_file_permission (struct file *file, int mask)
1810{
1811 return security_ops->file_permission (file, mask);
1812}
1813
1814static inline int security_file_alloc (struct file *file)
1815{
1816 return security_ops->file_alloc_security (file);
1817}
1818
1819static inline void security_file_free (struct file *file)
1820{
1821 security_ops->file_free_security (file);
1822}
1823
1824static inline int security_file_ioctl (struct file *file, unsigned int cmd,
1825 unsigned long arg)
1826{
1827 return security_ops->file_ioctl (file, cmd, arg);
1828}
1829
1830static inline int security_file_mmap (struct file *file, unsigned long reqprot,
1831 unsigned long prot,
1832 unsigned long flags,
1833 unsigned long addr,
1834 unsigned long addr_only)
1835{
1836 return security_ops->file_mmap (file, reqprot, prot, flags, addr,
1837 addr_only);
1838}
1839
1840static inline int security_file_mprotect (struct vm_area_struct *vma,
1841 unsigned long reqprot,
1842 unsigned long prot)
1843{
1844 return security_ops->file_mprotect (vma, reqprot, prot);
1845}
1846
1847static inline int security_file_lock (struct file *file, unsigned int cmd)
1848{
1849 return security_ops->file_lock (file, cmd);
1850}
1851
1852static inline int security_file_fcntl (struct file *file, unsigned int cmd,
1853 unsigned long arg)
1854{
1855 return security_ops->file_fcntl (file, cmd, arg);
1856}
1857
1858static inline int security_file_set_fowner (struct file *file)
1859{
1860 return security_ops->file_set_fowner (file);
1861}
1862
1863static inline int security_file_send_sigiotask (struct task_struct *tsk,
1864 struct fown_struct *fown,
1865 int sig)
1866{
1867 return security_ops->file_send_sigiotask (tsk, fown, sig);
1868}
1869
1870static inline int security_file_receive (struct file *file)
1871{
1872 return security_ops->file_receive (file);
1873}
1874
1875static inline int security_dentry_open (struct file *file)
1876{
1877 return security_ops->dentry_open (file);
1878}
1879
1880static inline int security_task_create (unsigned long clone_flags)
1881{
1882 return security_ops->task_create (clone_flags);
1883}
1884
1885static inline int security_task_alloc (struct task_struct *p)
1886{
1887 return security_ops->task_alloc_security (p);
1888}
1889
1890static inline void security_task_free (struct task_struct *p)
1891{
1892 security_ops->task_free_security (p);
1893}
1894
1895static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2,
1896 int flags)
1897{
1898 return security_ops->task_setuid (id0, id1, id2, flags);
1899}
1900
1901static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid,
1902 uid_t old_suid, int flags)
1903{
1904 return security_ops->task_post_setuid (old_ruid, old_euid, old_suid, flags);
1905}
1906
1907static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2,
1908 int flags)
1909{
1910 return security_ops->task_setgid (id0, id1, id2, flags);
1911}
1912
1913static inline int security_task_setpgid (struct task_struct *p, pid_t pgid)
1914{
1915 return security_ops->task_setpgid (p, pgid);
1916}
1917
1918static inline int security_task_getpgid (struct task_struct *p)
1919{
1920 return security_ops->task_getpgid (p);
1921}
1922
1923static inline int security_task_getsid (struct task_struct *p)
1924{
1925 return security_ops->task_getsid (p);
1926}
1927
1928static inline void security_task_getsecid (struct task_struct *p, u32 *secid)
1929{
1930 security_ops->task_getsecid (p, secid);
1931}
1932
1933static inline int security_task_setgroups (struct group_info *group_info)
1934{
1935 return security_ops->task_setgroups (group_info);
1936}
1937
1938static inline int security_task_setnice (struct task_struct *p, int nice)
1939{
1940 return security_ops->task_setnice (p, nice);
1941}
1942
1943static inline int security_task_setioprio (struct task_struct *p, int ioprio)
1944{
1945 return security_ops->task_setioprio (p, ioprio);
1946}
1947
1948static inline int security_task_getioprio (struct task_struct *p)
1949{
1950 return security_ops->task_getioprio (p);
1951}
1952
1953static inline int security_task_setrlimit (unsigned int resource,
1954 struct rlimit *new_rlim)
1955{
1956 return security_ops->task_setrlimit (resource, new_rlim);
1957}
1958
1959static inline int security_task_setscheduler (struct task_struct *p,
1960 int policy,
1961 struct sched_param *lp)
1962{
1963 return security_ops->task_setscheduler (p, policy, lp);
1964}
1965
1966static inline int security_task_getscheduler (struct task_struct *p)
1967{
1968 return security_ops->task_getscheduler (p);
1969}
1970
1971static inline int security_task_movememory (struct task_struct *p)
1972{
1973 return security_ops->task_movememory (p);
1974}
1975
1976static inline int security_task_kill (struct task_struct *p,
1977 struct siginfo *info, int sig,
1978 u32 secid)
1979{
1980 return security_ops->task_kill (p, info, sig, secid);
1981}
1982
1983static inline int security_task_wait (struct task_struct *p)
1984{
1985 return security_ops->task_wait (p);
1986}
1987
1988static inline int security_task_prctl (int option, unsigned long arg2,
1989 unsigned long arg3,
1990 unsigned long arg4,
1991 unsigned long arg5)
1992{
1993 return security_ops->task_prctl (option, arg2, arg3, arg4, arg5);
1994}
1995
1996static inline void security_task_reparent_to_init (struct task_struct *p)
1997{
1998 security_ops->task_reparent_to_init (p);
1999}
2000
2001static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
2002{
2003 security_ops->task_to_inode(p, inode);
2004}
2005
2006static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
2007 short flag)
2008{
2009 return security_ops->ipc_permission (ipcp, flag);
2010}
2011
2012static inline int security_msg_msg_alloc (struct msg_msg * msg)
2013{
2014 return security_ops->msg_msg_alloc_security (msg);
2015}
2016
2017static inline void security_msg_msg_free (struct msg_msg * msg)
2018{
2019 security_ops->msg_msg_free_security(msg);
2020}
2021
2022static inline int security_msg_queue_alloc (struct msg_queue *msq)
2023{
2024 return security_ops->msg_queue_alloc_security (msq);
2025}
2026
2027static inline void security_msg_queue_free (struct msg_queue *msq)
2028{
2029 security_ops->msg_queue_free_security (msq);
2030}
2031
2032static inline int security_msg_queue_associate (struct msg_queue * msq,
2033 int msqflg)
2034{
2035 return security_ops->msg_queue_associate (msq, msqflg);
2036}
2037
2038static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
2039{
2040 return security_ops->msg_queue_msgctl (msq, cmd);
2041}
2042
2043static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
2044 struct msg_msg * msg, int msqflg)
2045{
2046 return security_ops->msg_queue_msgsnd (msq, msg, msqflg);
2047}
2048
2049static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
2050 struct msg_msg * msg,
2051 struct task_struct * target,
2052 long type, int mode)
2053{
2054 return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode);
2055}
2056
2057static inline int security_shm_alloc (struct shmid_kernel *shp)
2058{
2059 return security_ops->shm_alloc_security (shp);
2060}
2061
2062static inline void security_shm_free (struct shmid_kernel *shp)
2063{
2064 security_ops->shm_free_security (shp);
2065}
2066
2067static inline int security_shm_associate (struct shmid_kernel * shp,
2068 int shmflg)
2069{
2070 return security_ops->shm_associate(shp, shmflg);
2071}
2072
2073static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
2074{
2075 return security_ops->shm_shmctl (shp, cmd);
2076}
2077
2078static inline int security_shm_shmat (struct shmid_kernel * shp,
2079 char __user *shmaddr, int shmflg)
2080{
2081 return security_ops->shm_shmat(shp, shmaddr, shmflg);
2082}
2083
2084static inline int security_sem_alloc (struct sem_array *sma)
2085{
2086 return security_ops->sem_alloc_security (sma);
2087}
2088
2089static inline void security_sem_free (struct sem_array *sma)
2090{
2091 security_ops->sem_free_security (sma);
2092}
2093
2094static inline int security_sem_associate (struct sem_array * sma, int semflg)
2095{
2096 return security_ops->sem_associate (sma, semflg);
2097}
2098
2099static inline int security_sem_semctl (struct sem_array * sma, int cmd)
2100{
2101 return security_ops->sem_semctl(sma, cmd);
2102}
2103
2104static inline int security_sem_semop (struct sem_array * sma,
2105 struct sembuf * sops, unsigned nsops,
2106 int alter)
2107{
2108 return security_ops->sem_semop(sma, sops, nsops, alter);
2109}
2110
2111static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
2112{
2113 if (unlikely (inode && IS_PRIVATE (inode)))
2114 return;
2115 security_ops->d_instantiate (dentry, inode);
2116}
2117
2118static inline int security_getprocattr(struct task_struct *p, char *name, char **value)
2119{
2120 return security_ops->getprocattr(p, name, value);
2121}
2122
2123static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size)
2124{
2125 return security_ops->setprocattr(p, name, value, size);
2126}
2127
2128static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb)
2129{
2130 return security_ops->netlink_send(sk, skb);
2131}
2132
2133static inline int security_netlink_recv(struct sk_buff * skb, int cap)
2134{
2135 return security_ops->netlink_recv(skb, cap);
2136}
2137
2138static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
2139{
2140 return security_ops->secid_to_secctx(secid, secdata, seclen);
2141}
2142
2143static inline void security_release_secctx(char *secdata, u32 seclen)
2144{
2145 return security_ops->release_secctx(secdata, seclen);
2146}
2147
2148/* prototypes */ 1412/* prototypes */
2149extern int security_init (void); 1413extern int security_init (void);
2150extern int register_security (struct security_operations *ops); 1414extern int register_security (struct security_operations *ops);
@@ -2158,6 +1422,157 @@ extern struct dentry *securityfs_create_dir(const char *name, struct dentry *par
2158extern void securityfs_remove(struct dentry *dentry); 1422extern void securityfs_remove(struct dentry *dentry);
2159 1423
2160 1424
1425/* Security operations */
1426int security_ptrace(struct task_struct *parent, struct task_struct *child);
1427int security_capget(struct task_struct *target,
1428 kernel_cap_t *effective,
1429 kernel_cap_t *inheritable,
1430 kernel_cap_t *permitted);
1431int security_capset_check(struct task_struct *target,
1432 kernel_cap_t *effective,
1433 kernel_cap_t *inheritable,
1434 kernel_cap_t *permitted);
1435void security_capset_set(struct task_struct *target,
1436 kernel_cap_t *effective,
1437 kernel_cap_t *inheritable,
1438 kernel_cap_t *permitted);
1439int security_capable(struct task_struct *tsk, int cap);
1440int security_acct(struct file *file);
1441int security_sysctl(struct ctl_table *table, int op);
1442int security_quotactl(int cmds, int type, int id, struct super_block *sb);
1443int security_quota_on(struct dentry *dentry);
1444int security_syslog(int type);
1445int security_settime(struct timespec *ts, struct timezone *tz);
1446int security_vm_enough_memory(long pages);
1447int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
1448int security_bprm_alloc(struct linux_binprm *bprm);
1449void security_bprm_free(struct linux_binprm *bprm);
1450void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
1451void security_bprm_post_apply_creds(struct linux_binprm *bprm);
1452int security_bprm_set(struct linux_binprm *bprm);
1453int security_bprm_check(struct linux_binprm *bprm);
1454int security_bprm_secureexec(struct linux_binprm *bprm);
1455int security_sb_alloc(struct super_block *sb);
1456void security_sb_free(struct super_block *sb);
1457int security_sb_copy_data(struct file_system_type *type, void *orig, void *copy);
1458int security_sb_kern_mount(struct super_block *sb, void *data);
1459int security_sb_statfs(struct dentry *dentry);
1460int security_sb_mount(char *dev_name, struct nameidata *nd,
1461 char *type, unsigned long flags, void *data);
1462int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd);
1463int security_sb_umount(struct vfsmount *mnt, int flags);
1464void security_sb_umount_close(struct vfsmount *mnt);
1465void security_sb_umount_busy(struct vfsmount *mnt);
1466void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data);
1467void security_sb_post_mountroot(void);
1468void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd);
1469int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd);
1470void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd);
1471int security_inode_alloc(struct inode *inode);
1472void security_inode_free(struct inode *inode);
1473int security_inode_init_security(struct inode *inode, struct inode *dir,
1474 char **name, void **value, size_t *len);
1475int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
1476int security_inode_link(struct dentry *old_dentry, struct inode *dir,
1477 struct dentry *new_dentry);
1478int security_inode_unlink(struct inode *dir, struct dentry *dentry);
1479int security_inode_symlink(struct inode *dir, struct dentry *dentry,
1480 const char *old_name);
1481int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode);
1482int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
1483int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev);
1484int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
1485 struct inode *new_dir, struct dentry *new_dentry);
1486int security_inode_readlink(struct dentry *dentry);
1487int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
1488int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd);
1489int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
1490int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
1491void security_inode_delete(struct inode *inode);
1492int security_inode_setxattr(struct dentry *dentry, char *name,
1493 void *value, size_t size, int flags);
1494void security_inode_post_setxattr(struct dentry *dentry, char *name,
1495 void *value, size_t size, int flags);
1496int security_inode_getxattr(struct dentry *dentry, char *name);
1497int security_inode_listxattr(struct dentry *dentry);
1498int security_inode_removexattr(struct dentry *dentry, char *name);
1499const char *security_inode_xattr_getsuffix(void);
1500int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
1501int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
1502int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
1503int security_file_permission(struct file *file, int mask);
1504int security_file_alloc(struct file *file);
1505void security_file_free(struct file *file);
1506int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
1507int security_file_mmap(struct file *file, unsigned long reqprot,
1508 unsigned long prot, unsigned long flags,
1509 unsigned long addr, unsigned long addr_only);
1510int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
1511 unsigned long prot);
1512int security_file_lock(struct file *file, unsigned int cmd);
1513int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg);
1514int security_file_set_fowner(struct file *file);
1515int security_file_send_sigiotask(struct task_struct *tsk,
1516 struct fown_struct *fown, int sig);
1517int security_file_receive(struct file *file);
1518int security_dentry_open(struct file *file);
1519int security_task_create(unsigned long clone_flags);
1520int security_task_alloc(struct task_struct *p);
1521void security_task_free(struct task_struct *p);
1522int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
1523int security_task_post_setuid(uid_t old_ruid, uid_t old_euid,
1524 uid_t old_suid, int flags);
1525int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags);
1526int security_task_setpgid(struct task_struct *p, pid_t pgid);
1527int security_task_getpgid(struct task_struct *p);
1528int security_task_getsid(struct task_struct *p);
1529void security_task_getsecid(struct task_struct *p, u32 *secid);
1530int security_task_setgroups(struct group_info *group_info);
1531int security_task_setnice(struct task_struct *p, int nice);
1532int security_task_setioprio(struct task_struct *p, int ioprio);
1533int security_task_getioprio(struct task_struct *p);
1534int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim);
1535int security_task_setscheduler(struct task_struct *p,
1536 int policy, struct sched_param *lp);
1537int security_task_getscheduler(struct task_struct *p);
1538int security_task_movememory(struct task_struct *p);
1539int security_task_kill(struct task_struct *p, struct siginfo *info,
1540 int sig, u32 secid);
1541int security_task_wait(struct task_struct *p);
1542int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
1543 unsigned long arg4, unsigned long arg5);
1544void security_task_reparent_to_init(struct task_struct *p);
1545void security_task_to_inode(struct task_struct *p, struct inode *inode);
1546int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
1547int security_msg_msg_alloc(struct msg_msg *msg);
1548void security_msg_msg_free(struct msg_msg *msg);
1549int security_msg_queue_alloc(struct msg_queue *msq);
1550void security_msg_queue_free(struct msg_queue *msq);
1551int security_msg_queue_associate(struct msg_queue *msq, int msqflg);
1552int security_msg_queue_msgctl(struct msg_queue *msq, int cmd);
1553int security_msg_queue_msgsnd(struct msg_queue *msq,
1554 struct msg_msg *msg, int msqflg);
1555int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
1556 struct task_struct *target, long type, int mode);
1557int security_shm_alloc(struct shmid_kernel *shp);
1558void security_shm_free(struct shmid_kernel *shp);
1559int security_shm_associate(struct shmid_kernel *shp, int shmflg);
1560int security_shm_shmctl(struct shmid_kernel *shp, int cmd);
1561int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg);
1562int security_sem_alloc(struct sem_array *sma);
1563void security_sem_free(struct sem_array *sma);
1564int security_sem_associate(struct sem_array *sma, int semflg);
1565int security_sem_semctl(struct sem_array *sma, int cmd);
1566int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
1567 unsigned nsops, int alter);
1568void security_d_instantiate (struct dentry *dentry, struct inode *inode);
1569int security_getprocattr(struct task_struct *p, char *name, char **value);
1570int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
1571int security_netlink_send(struct sock *sk, struct sk_buff *skb);
1572int security_netlink_recv(struct sk_buff *skb, int cap);
1573int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
1574void security_release_secctx(char *secdata, u32 seclen);
1575
2161#else /* CONFIG_SECURITY */ 1576#else /* CONFIG_SECURITY */
2162 1577
2163/* 1578/*
@@ -2834,170 +2249,43 @@ static inline void security_release_secctx(char *secdata, u32 seclen)
2834#endif /* CONFIG_SECURITY */ 2249#endif /* CONFIG_SECURITY */
2835 2250
2836#ifdef CONFIG_SECURITY_NETWORK 2251#ifdef CONFIG_SECURITY_NETWORK
2837static inline int security_unix_stream_connect(struct socket * sock,
2838 struct socket * other,
2839 struct sock * newsk)
2840{
2841 return security_ops->unix_stream_connect(sock, other, newsk);
2842}
2843
2844
2845static inline int security_unix_may_send(struct socket * sock,
2846 struct socket * other)
2847{
2848 return security_ops->unix_may_send(sock, other);
2849}
2850
2851static inline int security_socket_create (int family, int type,
2852 int protocol, int kern)
2853{
2854 return security_ops->socket_create(family, type, protocol, kern);
2855}
2856
2857static inline int security_socket_post_create(struct socket * sock,
2858 int family,
2859 int type,
2860 int protocol, int kern)
2861{
2862 return security_ops->socket_post_create(sock, family, type,
2863 protocol, kern);
2864}
2865
2866static inline int security_socket_bind(struct socket * sock,
2867 struct sockaddr * address,
2868 int addrlen)
2869{
2870 return security_ops->socket_bind(sock, address, addrlen);
2871}
2872
2873static inline int security_socket_connect(struct socket * sock,
2874 struct sockaddr * address,
2875 int addrlen)
2876{
2877 return security_ops->socket_connect(sock, address, addrlen);
2878}
2879
2880static inline int security_socket_listen(struct socket * sock, int backlog)
2881{
2882 return security_ops->socket_listen(sock, backlog);
2883}
2884
2885static inline int security_socket_accept(struct socket * sock,
2886 struct socket * newsock)
2887{
2888 return security_ops->socket_accept(sock, newsock);
2889}
2890
2891static inline void security_socket_post_accept(struct socket * sock,
2892 struct socket * newsock)
2893{
2894 security_ops->socket_post_accept(sock, newsock);
2895}
2896
2897static inline int security_socket_sendmsg(struct socket * sock,
2898 struct msghdr * msg, int size)
2899{
2900 return security_ops->socket_sendmsg(sock, msg, size);
2901}
2902
2903static inline int security_socket_recvmsg(struct socket * sock,
2904 struct msghdr * msg, int size,
2905 int flags)
2906{
2907 return security_ops->socket_recvmsg(sock, msg, size, flags);
2908}
2909
2910static inline int security_socket_getsockname(struct socket * sock)
2911{
2912 return security_ops->socket_getsockname(sock);
2913}
2914
2915static inline int security_socket_getpeername(struct socket * sock)
2916{
2917 return security_ops->socket_getpeername(sock);
2918}
2919
2920static inline int security_socket_getsockopt(struct socket * sock,
2921 int level, int optname)
2922{
2923 return security_ops->socket_getsockopt(sock, level, optname);
2924}
2925 2252
2926static inline int security_socket_setsockopt(struct socket * sock, 2253int security_unix_stream_connect(struct socket *sock, struct socket *other,
2927 int level, int optname) 2254 struct sock *newsk);
2928{ 2255int security_unix_may_send(struct socket *sock, struct socket *other);
2929 return security_ops->socket_setsockopt(sock, level, optname); 2256int security_socket_create(int family, int type, int protocol, int kern);
2930} 2257int security_socket_post_create(struct socket *sock, int family,
2258 int type, int protocol, int kern);
2259int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen);
2260int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
2261int security_socket_listen(struct socket *sock, int backlog);
2262int security_socket_accept(struct socket *sock, struct socket *newsock);
2263void security_socket_post_accept(struct socket *sock, struct socket *newsock);
2264int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
2265int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
2266 int size, int flags);
2267int security_socket_getsockname(struct socket *sock);
2268int security_socket_getpeername(struct socket *sock);
2269int security_socket_getsockopt(struct socket *sock, int level, int optname);
2270int security_socket_setsockopt(struct socket *sock, int level, int optname);
2271int security_socket_shutdown(struct socket *sock, int how);
2272int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
2273int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
2274 int __user *optlen, unsigned len);
2275int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
2276int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
2277void security_sk_free(struct sock *sk);
2278void security_sk_clone(const struct sock *sk, struct sock *newsk);
2279void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
2280void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
2281void security_sock_graft(struct sock*sk, struct socket *parent);
2282int security_inet_conn_request(struct sock *sk,
2283 struct sk_buff *skb, struct request_sock *req);
2284void security_inet_csk_clone(struct sock *newsk,
2285 const struct request_sock *req);
2286void security_inet_conn_established(struct sock *sk,
2287 struct sk_buff *skb);
2931 2288
2932static inline int security_socket_shutdown(struct socket * sock, int how)
2933{
2934 return security_ops->socket_shutdown(sock, how);
2935}
2936
2937static inline int security_sock_rcv_skb (struct sock * sk,
2938 struct sk_buff * skb)
2939{
2940 return security_ops->socket_sock_rcv_skb (sk, skb);
2941}
2942
2943static inline int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
2944 int __user *optlen, unsigned len)
2945{
2946 return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
2947}
2948
2949static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
2950{
2951 return security_ops->socket_getpeersec_dgram(sock, skb, secid);
2952}
2953
2954static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
2955{
2956 return security_ops->sk_alloc_security(sk, family, priority);
2957}
2958
2959static inline void security_sk_free(struct sock *sk)
2960{
2961 return security_ops->sk_free_security(sk);
2962}
2963
2964static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
2965{
2966 return security_ops->sk_clone_security(sk, newsk);
2967}
2968
2969static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
2970{
2971 security_ops->sk_getsecid(sk, &fl->secid);
2972}
2973
2974static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
2975{
2976 security_ops->req_classify_flow(req, fl);
2977}
2978
2979static inline void security_sock_graft(struct sock* sk, struct socket *parent)
2980{
2981 security_ops->sock_graft(sk, parent);
2982}
2983
2984static inline int security_inet_conn_request(struct sock *sk,
2985 struct sk_buff *skb, struct request_sock *req)
2986{
2987 return security_ops->inet_conn_request(sk, skb, req);
2988}
2989
2990static inline void security_inet_csk_clone(struct sock *newsk,
2991 const struct request_sock *req)
2992{
2993 security_ops->inet_csk_clone(newsk, req);
2994}
2995
2996static inline void security_inet_conn_established(struct sock *sk,
2997 struct sk_buff *skb)
2998{
2999 security_ops->inet_conn_established(sk, skb);
3000}
3001#else /* CONFIG_SECURITY_NETWORK */ 2289#else /* CONFIG_SECURITY_NETWORK */
3002static inline int security_unix_stream_connect(struct socket * sock, 2290static inline int security_unix_stream_connect(struct socket * sock,
3003 struct socket * other, 2291 struct socket * other,
@@ -3155,77 +2443,24 @@ static inline void security_inet_conn_established(struct sock *sk,
3155#endif /* CONFIG_SECURITY_NETWORK */ 2443#endif /* CONFIG_SECURITY_NETWORK */
3156 2444
3157#ifdef CONFIG_SECURITY_NETWORK_XFRM 2445#ifdef CONFIG_SECURITY_NETWORK_XFRM
3158static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
3159{
3160 return security_ops->xfrm_policy_alloc_security(xp, sec_ctx);
3161}
3162 2446
3163static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) 2447int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
3164{ 2448int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
3165 return security_ops->xfrm_policy_clone_security(old, new); 2449void security_xfrm_policy_free(struct xfrm_policy *xp);
3166} 2450int security_xfrm_policy_delete(struct xfrm_policy *xp);
3167 2451int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
3168static inline void security_xfrm_policy_free(struct xfrm_policy *xp) 2452int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
3169{ 2453 struct xfrm_sec_ctx *polsec, u32 secid);
3170 security_ops->xfrm_policy_free_security(xp); 2454int security_xfrm_state_delete(struct xfrm_state *x);
3171} 2455void security_xfrm_state_free(struct xfrm_state *x);
2456int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
2457int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
2458 struct xfrm_policy *xp, struct flowi *fl);
2459int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
2460void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl);
3172 2461
3173static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
3174{
3175 return security_ops->xfrm_policy_delete_security(xp);
3176}
3177
3178static inline int security_xfrm_state_alloc(struct xfrm_state *x,
3179 struct xfrm_user_sec_ctx *sec_ctx)
3180{
3181 return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0);
3182}
3183
3184static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
3185 struct xfrm_sec_ctx *polsec, u32 secid)
3186{
3187 if (!polsec)
3188 return 0;
3189 /*
3190 * We want the context to be taken from secid which is usually
3191 * from the sock.
3192 */
3193 return security_ops->xfrm_state_alloc_security(x, NULL, secid);
3194}
3195
3196static inline int security_xfrm_state_delete(struct xfrm_state *x)
3197{
3198 return security_ops->xfrm_state_delete_security(x);
3199}
3200
3201static inline void security_xfrm_state_free(struct xfrm_state *x)
3202{
3203 security_ops->xfrm_state_free_security(x);
3204}
3205
3206static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
3207{
3208 return security_ops->xfrm_policy_lookup(xp, fl_secid, dir);
3209}
3210
3211static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
3212 struct xfrm_policy *xp, struct flowi *fl)
3213{
3214 return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
3215}
3216
3217static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
3218{
3219 return security_ops->xfrm_decode_session(skb, secid, 1);
3220}
3221
3222static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
3223{
3224 int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
3225
3226 BUG_ON(rc);
3227}
3228#else /* CONFIG_SECURITY_NETWORK_XFRM */ 2462#else /* CONFIG_SECURITY_NETWORK_XFRM */
2463
3229static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) 2464static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
3230{ 2465{
3231 return 0; 2466 return 0;
@@ -3290,24 +2525,11 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi
3290 2525
3291#ifdef CONFIG_KEYS 2526#ifdef CONFIG_KEYS
3292#ifdef CONFIG_SECURITY 2527#ifdef CONFIG_SECURITY
3293static inline int security_key_alloc(struct key *key,
3294 struct task_struct *tsk,
3295 unsigned long flags)
3296{
3297 return security_ops->key_alloc(key, tsk, flags);
3298}
3299
3300static inline void security_key_free(struct key *key)
3301{
3302 security_ops->key_free(key);
3303}
3304 2528
3305static inline int security_key_permission(key_ref_t key_ref, 2529int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags);
3306 struct task_struct *context, 2530void security_key_free(struct key *key);
3307 key_perm_t perm) 2531int security_key_permission(key_ref_t key_ref,
3308{ 2532 struct task_struct *context, key_perm_t perm);
3309 return security_ops->key_permission(key_ref, context, perm);
3310}
3311 2533
3312#else 2534#else
3313 2535
diff --git a/security/Kconfig b/security/Kconfig
index 460e5c9cf496..a94ee94cf491 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -74,15 +74,15 @@ config SECURITY_NETWORK_XFRM
74 If you are unsure how to answer this question, answer N. 74 If you are unsure how to answer this question, answer N.
75 75
76config SECURITY_CAPABILITIES 76config SECURITY_CAPABILITIES
77 tristate "Default Linux Capabilities" 77 bool "Default Linux Capabilities"
78 depends on SECURITY 78 depends on SECURITY
79 help 79 help
80 This enables the "default" Linux capabilities functionality. 80 This enables the "default" Linux capabilities functionality.
81 If you are unsure how to answer this question, answer Y. 81 If you are unsure how to answer this question, answer Y.
82 82
83config SECURITY_ROOTPLUG 83config SECURITY_ROOTPLUG
84 tristate "Root Plug Support" 84 bool "Root Plug Support"
85 depends on USB && SECURITY 85 depends on USB=y && SECURITY
86 help 86 help
87 This is a sample LSM module that should only be used as such. 87 This is a sample LSM module that should only be used as such.
88 It prevents any programs running with egid == 0 if a specific 88 It prevents any programs running with egid == 0 if a specific
diff --git a/security/capability.c b/security/capability.c
index 38296a005465..fda6a14cb24d 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -8,7 +8,6 @@
8 * 8 *
9 */ 9 */
10 10
11#include <linux/module.h>
12#include <linux/init.h> 11#include <linux/init.h>
13#include <linux/kernel.h> 12#include <linux/kernel.h>
14#include <linux/security.h> 13#include <linux/security.h>
@@ -52,7 +51,6 @@ static int secondary;
52 51
53static int capability_disable; 52static int capability_disable;
54module_param_named(disable, capability_disable, int, 0); 53module_param_named(disable, capability_disable, int, 0);
55MODULE_PARM_DESC(disable, "To disable capabilities module set disable = 1");
56 54
57static int __init capability_init (void) 55static int __init capability_init (void)
58{ 56{
@@ -75,26 +73,4 @@ static int __init capability_init (void)
75 return 0; 73 return 0;
76} 74}
77 75
78static void __exit capability_exit (void)
79{
80 if (capability_disable)
81 return;
82 /* remove ourselves from the security framework */
83 if (secondary) {
84 if (mod_unreg_security (KBUILD_MODNAME, &capability_ops))
85 printk (KERN_INFO "Failure unregistering capabilities "
86 "with primary module.\n");
87 return;
88 }
89
90 if (unregister_security (&capability_ops)) {
91 printk (KERN_INFO
92 "Failure unregistering capabilities with the kernel\n");
93 }
94}
95
96security_initcall (capability_init); 76security_initcall (capability_init);
97module_exit (capability_exit);
98
99MODULE_DESCRIPTION("Standard Linux Capabilities Security Module");
100MODULE_LICENSE("GPL");
diff --git a/security/commoncap.c b/security/commoncap.c
index 7520361663e8..0f8a2ce3f3a6 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -339,6 +339,3 @@ EXPORT_SYMBOL(cap_task_post_setuid);
339EXPORT_SYMBOL(cap_task_reparent_to_init); 339EXPORT_SYMBOL(cap_task_reparent_to_init);
340EXPORT_SYMBOL(cap_syslog); 340EXPORT_SYMBOL(cap_syslog);
341EXPORT_SYMBOL(cap_vm_enough_memory); 341EXPORT_SYMBOL(cap_vm_enough_memory);
342
343MODULE_DESCRIPTION("Standard Linux Common Capabilities Security Module");
344MODULE_LICENSE("GPL");
diff --git a/security/dummy.c b/security/dummy.c
index 64b647a0d9a6..4129dcf3daec 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -15,7 +15,6 @@
15#undef DEBUG 15#undef DEBUG
16 16
17#include <linux/capability.h> 17#include <linux/capability.h>
18#include <linux/module.h>
19#include <linux/kernel.h> 18#include <linux/kernel.h>
20#include <linux/mman.h> 19#include <linux/mman.h>
21#include <linux/pagemap.h> 20#include <linux/pagemap.h>
diff --git a/security/root_plug.c b/security/root_plug.c
index 38dd4f3e641f..870f13095bb6 100644
--- a/security/root_plug.c
+++ b/security/root_plug.c
@@ -22,11 +22,11 @@
22 * License. 22 * License.
23 */ 23 */
24 24
25#include <linux/module.h>
26#include <linux/kernel.h> 25#include <linux/kernel.h>
27#include <linux/init.h> 26#include <linux/init.h>
28#include <linux/security.h> 27#include <linux/security.h>
29#include <linux/usb.h> 28#include <linux/usb.h>
29#include <linux/moduleparam.h>
30 30
31/* flag to keep track of how we were registered */ 31/* flag to keep track of how we were registered */
32static int secondary; 32static int secondary;
@@ -36,22 +36,14 @@ static int vendor_id = 0x0557;
36static int product_id = 0x2008; 36static int product_id = 0x2008;
37 37
38module_param(vendor_id, uint, 0400); 38module_param(vendor_id, uint, 0400);
39MODULE_PARM_DESC(vendor_id, "USB Vendor ID of device to look for");
40
41module_param(product_id, uint, 0400); 39module_param(product_id, uint, 0400);
42MODULE_PARM_DESC(product_id, "USB Product ID of device to look for");
43 40
44/* should we print out debug messages */ 41/* should we print out debug messages */
45static int debug = 0; 42static int debug = 0;
46 43
47module_param(debug, bool, 0600); 44module_param(debug, bool, 0600);
48MODULE_PARM_DESC(debug, "Debug enabled or not");
49 45
50#if defined(CONFIG_SECURITY_ROOTPLUG_MODULE)
51#define MY_NAME THIS_MODULE->name
52#else
53#define MY_NAME "root_plug" 46#define MY_NAME "root_plug"
54#endif
55 47
56#define root_dbg(fmt, arg...) \ 48#define root_dbg(fmt, arg...) \
57 do { \ 49 do { \
@@ -117,25 +109,4 @@ static int __init rootplug_init (void)
117 return 0; 109 return 0;
118} 110}
119 111
120static void __exit rootplug_exit (void)
121{
122 /* remove ourselves from the security framework */
123 if (secondary) {
124 if (mod_unreg_security (MY_NAME, &rootplug_security_ops))
125 printk (KERN_INFO "Failure unregistering Root Plug "
126 " module with primary module.\n");
127 } else {
128 if (unregister_security (&rootplug_security_ops)) {
129 printk (KERN_INFO "Failure unregistering Root Plug "
130 "module with the kernel\n");
131 }
132 }
133 printk (KERN_INFO "Root Plug module removed\n");
134}
135
136security_initcall (rootplug_init); 112security_initcall (rootplug_init);
137module_exit (rootplug_exit);
138
139MODULE_DESCRIPTION("Root Plug sample LSM module, written for Linux Journal article");
140MODULE_LICENSE("GPL");
141
diff --git a/security/security.c b/security/security.c
index 27e5863d30f1..5b1c034815a8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -17,7 +17,6 @@
17#include <linux/kernel.h> 17#include <linux/kernel.h>
18#include <linux/security.h> 18#include <linux/security.h>
19 19
20#define SECURITY_FRAMEWORK_VERSION "1.0.0"
21 20
22/* things that live in dummy.c */ 21/* things that live in dummy.c */
23extern struct security_operations dummy_security_ops; 22extern struct security_operations dummy_security_ops;
@@ -52,8 +51,7 @@ static void __init do_security_initcalls(void)
52 */ 51 */
53int __init security_init(void) 52int __init security_init(void)
54{ 53{
55 printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION 54 printk(KERN_INFO "Security Framework initialized\n");
56 " initialized\n");
57 55
58 if (verify(&dummy_security_ops)) { 56 if (verify(&dummy_security_ops)) {
59 printk(KERN_ERR "%s could not verify " 57 printk(KERN_ERR "%s could not verify "
@@ -173,8 +171,958 @@ int mod_unreg_security(const char *name, struct security_operations *ops)
173 return security_ops->unregister_security(name, ops); 171 return security_ops->unregister_security(name, ops);
174} 172}
175 173
176EXPORT_SYMBOL_GPL(register_security); 174/* Security operations */
177EXPORT_SYMBOL_GPL(unregister_security); 175
178EXPORT_SYMBOL_GPL(mod_reg_security); 176int security_ptrace(struct task_struct *parent, struct task_struct *child)
179EXPORT_SYMBOL_GPL(mod_unreg_security); 177{
180EXPORT_SYMBOL(security_ops); 178 return security_ops->ptrace(parent, child);
179}
180
181int security_capget(struct task_struct *target,
182 kernel_cap_t *effective,
183 kernel_cap_t *inheritable,
184 kernel_cap_t *permitted)
185{
186 return security_ops->capget(target, effective, inheritable, permitted);
187}
188
189int security_capset_check(struct task_struct *target,
190 kernel_cap_t *effective,
191 kernel_cap_t *inheritable,
192 kernel_cap_t *permitted)
193{
194 return security_ops->capset_check(target, effective, inheritable, permitted);
195}
196
197void security_capset_set(struct task_struct *target,
198 kernel_cap_t *effective,
199 kernel_cap_t *inheritable,
200 kernel_cap_t *permitted)
201{
202 security_ops->capset_set(target, effective, inheritable, permitted);
203}
204
205int security_capable(struct task_struct *tsk, int cap)
206{
207 return security_ops->capable(tsk, cap);
208}
209
210int security_acct(struct file *file)
211{
212 return security_ops->acct(file);
213}
214
215int security_sysctl(struct ctl_table *table, int op)
216{
217 return security_ops->sysctl(table, op);
218}
219
220int security_quotactl(int cmds, int type, int id, struct super_block *sb)
221{
222 return security_ops->quotactl(cmds, type, id, sb);
223}
224
225int security_quota_on(struct dentry *dentry)
226{
227 return security_ops->quota_on(dentry);
228}
229
230int security_syslog(int type)
231{
232 return security_ops->syslog(type);
233}
234
235int security_settime(struct timespec *ts, struct timezone *tz)
236{
237 return security_ops->settime(ts, tz);
238}
239
240int security_vm_enough_memory(long pages)
241{
242 return security_ops->vm_enough_memory(current->mm, pages);
243}
244
245int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
246{
247 return security_ops->vm_enough_memory(mm, pages);
248}
249
250int security_bprm_alloc(struct linux_binprm *bprm)
251{
252 return security_ops->bprm_alloc_security(bprm);
253}
254
255void security_bprm_free(struct linux_binprm *bprm)
256{
257 security_ops->bprm_free_security(bprm);
258}
259
260void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
261{
262 security_ops->bprm_apply_creds(bprm, unsafe);
263}
264
265void security_bprm_post_apply_creds(struct linux_binprm *bprm)
266{
267 security_ops->bprm_post_apply_creds(bprm);
268}
269
270int security_bprm_set(struct linux_binprm *bprm)
271{
272 return security_ops->bprm_set_security(bprm);
273}
274
275int security_bprm_check(struct linux_binprm *bprm)
276{
277 return security_ops->bprm_check_security(bprm);
278}
279
280int security_bprm_secureexec(struct linux_binprm *bprm)
281{
282 return security_ops->bprm_secureexec(bprm);
283}
284
285int security_sb_alloc(struct super_block *sb)
286{
287 return security_ops->sb_alloc_security(sb);
288}
289
290void security_sb_free(struct super_block *sb)
291{
292 security_ops->sb_free_security(sb);
293}
294
295int security_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
296{
297 return security_ops->sb_copy_data(type, orig, copy);
298}
299
300int security_sb_kern_mount(struct super_block *sb, void *data)
301{
302 return security_ops->sb_kern_mount(sb, data);
303}
304
305int security_sb_statfs(struct dentry *dentry)
306{
307 return security_ops->sb_statfs(dentry);
308}
309
310int security_sb_mount(char *dev_name, struct nameidata *nd,
311 char *type, unsigned long flags, void *data)
312{
313 return security_ops->sb_mount(dev_name, nd, type, flags, data);
314}
315
316int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd)
317{
318 return security_ops->sb_check_sb(mnt, nd);
319}
320
321int security_sb_umount(struct vfsmount *mnt, int flags)
322{
323 return security_ops->sb_umount(mnt, flags);
324}
325
326void security_sb_umount_close(struct vfsmount *mnt)
327{
328 security_ops->sb_umount_close(mnt);
329}
330
331void security_sb_umount_busy(struct vfsmount *mnt)
332{
333 security_ops->sb_umount_busy(mnt);
334}
335
336void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data)
337{
338 security_ops->sb_post_remount(mnt, flags, data);
339}
340
341void security_sb_post_mountroot(void)
342{
343 security_ops->sb_post_mountroot();
344}
345
346void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd)
347{
348 security_ops->sb_post_addmount(mnt, mountpoint_nd);
349}
350
351int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
352{
353 return security_ops->sb_pivotroot(old_nd, new_nd);
354}
355
356void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
357{
358 security_ops->sb_post_pivotroot(old_nd, new_nd);
359}
360
361int security_inode_alloc(struct inode *inode)
362{
363 inode->i_security = NULL;
364 return security_ops->inode_alloc_security(inode);
365}
366
367void security_inode_free(struct inode *inode)
368{
369 security_ops->inode_free_security(inode);
370}
371
372int security_inode_init_security(struct inode *inode, struct inode *dir,
373 char **name, void **value, size_t *len)
374{
375 if (unlikely(IS_PRIVATE(inode)))
376 return -EOPNOTSUPP;
377 return security_ops->inode_init_security(inode, dir, name, value, len);
378}
379EXPORT_SYMBOL(security_inode_init_security);
380
381int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
382{
383 if (unlikely(IS_PRIVATE(dir)))
384 return 0;
385 return security_ops->inode_create(dir, dentry, mode);
386}
387
388int security_inode_link(struct dentry *old_dentry, struct inode *dir,
389 struct dentry *new_dentry)
390{
391 if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
392 return 0;
393 return security_ops->inode_link(old_dentry, dir, new_dentry);
394}
395
396int security_inode_unlink(struct inode *dir, struct dentry *dentry)
397{
398 if (unlikely(IS_PRIVATE(dentry->d_inode)))
399 return 0;
400 return security_ops->inode_unlink(dir, dentry);
401}
402
403int security_inode_symlink(struct inode *dir, struct dentry *dentry,
404 const char *old_name)
405{
406 if (unlikely(IS_PRIVATE(dir)))
407 return 0;
408 return security_ops->inode_symlink(dir, dentry, old_name);
409}
410
411int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode)
412{
413 if (unlikely(IS_PRIVATE(dir)))
414 return 0;
415 return security_ops->inode_mkdir(dir, dentry, mode);
416}
417
418int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
419{
420 if (unlikely(IS_PRIVATE(dentry->d_inode)))
421 return 0;
422 return security_ops->inode_rmdir(dir, dentry);
423}
424
425int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
426{
427 if (unlikely(IS_PRIVATE(dir)))
428 return 0;
429 return security_ops->inode_mknod(dir, dentry, mode, dev);
430}
431
432int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
433 struct inode *new_dir, struct dentry *new_dentry)
434{
435 if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
436 (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
437 return 0;
438 return security_ops->inode_rename(old_dir, old_dentry,
439 new_dir, new_dentry);
440}
441
442int security_inode_readlink(struct dentry *dentry)
443{
444 if (unlikely(IS_PRIVATE(dentry->d_inode)))
445 return 0;
446 return security_ops->inode_readlink(dentry);
447}
448
449int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd)
450{
451 if (unlikely(IS_PRIVATE(dentry->d_inode)))
452 return 0;
453 return security_ops->inode_follow_link(dentry, nd);
454}
455
456int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd)
457{
458 if (unlikely(IS_PRIVATE(inode)))
459 return 0;
460 return security_ops->inode_permission(inode, mask, nd);
461}
462
463int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
464{
465 if (unlikely(IS_PRIVATE(dentry->d_inode)))
466 return 0;
467 return security_ops->inode_setattr(dentry, attr);
468}
469
470int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
471{
472 if (unlikely(IS_PRIVATE(dentry->d_inode)))
473 return 0;
474 return security_ops->inode_getattr(mnt, dentry);
475}
476
477void security_inode_delete(struct inode *inode)
478{
479 if (unlikely(IS_PRIVATE(inode)))
480 return;
481 security_ops->inode_delete(inode);
482}
483
484int security_inode_setxattr(struct dentry *dentry, char *name,
485 void *value, size_t size, int flags)
486{
487 if (unlikely(IS_PRIVATE(dentry->d_inode)))
488 return 0;
489 return security_ops->inode_setxattr(dentry, name, value, size, flags);
490}
491
492void security_inode_post_setxattr(struct dentry *dentry, char *name,
493 void *value, size_t size, int flags)
494{
495 if (unlikely(IS_PRIVATE(dentry->d_inode)))
496 return;
497 security_ops->inode_post_setxattr(dentry, name, value, size, flags);
498}
499
500int security_inode_getxattr(struct dentry *dentry, char *name)
501{
502 if (unlikely(IS_PRIVATE(dentry->d_inode)))
503 return 0;
504 return security_ops->inode_getxattr(dentry, name);
505}
506
507int security_inode_listxattr(struct dentry *dentry)
508{
509 if (unlikely(IS_PRIVATE(dentry->d_inode)))
510 return 0;
511 return security_ops->inode_listxattr(dentry);
512}
513
514int security_inode_removexattr(struct dentry *dentry, char *name)
515{
516 if (unlikely(IS_PRIVATE(dentry->d_inode)))
517 return 0;
518 return security_ops->inode_removexattr(dentry, name);
519}
520
521const char *security_inode_xattr_getsuffix(void)
522{
523 return security_ops->inode_xattr_getsuffix();
524}
525
526int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
527{
528 if (unlikely(IS_PRIVATE(inode)))
529 return 0;
530 return security_ops->inode_getsecurity(inode, name, buffer, size, err);
531}
532
533int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
534{
535 if (unlikely(IS_PRIVATE(inode)))
536 return 0;
537 return security_ops->inode_setsecurity(inode, name, value, size, flags);
538}
539
540int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
541{
542 if (unlikely(IS_PRIVATE(inode)))
543 return 0;
544 return security_ops->inode_listsecurity(inode, buffer, buffer_size);
545}
546
547int security_file_permission(struct file *file, int mask)
548{
549 return security_ops->file_permission(file, mask);
550}
551
552int security_file_alloc(struct file *file)
553{
554 return security_ops->file_alloc_security(file);
555}
556
557void security_file_free(struct file *file)
558{
559 security_ops->file_free_security(file);
560}
561
562int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
563{
564 return security_ops->file_ioctl(file, cmd, arg);
565}
566
567int security_file_mmap(struct file *file, unsigned long reqprot,
568 unsigned long prot, unsigned long flags,
569 unsigned long addr, unsigned long addr_only)
570{
571 return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
572}
573
574int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
575 unsigned long prot)
576{
577 return security_ops->file_mprotect(vma, reqprot, prot);
578}
579
580int security_file_lock(struct file *file, unsigned int cmd)
581{
582 return security_ops->file_lock(file, cmd);
583}
584
585int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
586{
587 return security_ops->file_fcntl(file, cmd, arg);
588}
589
590int security_file_set_fowner(struct file *file)
591{
592 return security_ops->file_set_fowner(file);
593}
594
595int security_file_send_sigiotask(struct task_struct *tsk,
596 struct fown_struct *fown, int sig)
597{
598 return security_ops->file_send_sigiotask(tsk, fown, sig);
599}
600
601int security_file_receive(struct file *file)
602{
603 return security_ops->file_receive(file);
604}
605
606int security_dentry_open(struct file *file)
607{
608 return security_ops->dentry_open(file);
609}
610
611int security_task_create(unsigned long clone_flags)
612{
613 return security_ops->task_create(clone_flags);
614}
615
616int security_task_alloc(struct task_struct *p)
617{
618 return security_ops->task_alloc_security(p);
619}
620
621void security_task_free(struct task_struct *p)
622{
623 security_ops->task_free_security(p);
624}
625
626int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
627{
628 return security_ops->task_setuid(id0, id1, id2, flags);
629}
630
631int security_task_post_setuid(uid_t old_ruid, uid_t old_euid,
632 uid_t old_suid, int flags)
633{
634 return security_ops->task_post_setuid(old_ruid, old_euid, old_suid, flags);
635}
636
637int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
638{
639 return security_ops->task_setgid(id0, id1, id2, flags);
640}
641
642int security_task_setpgid(struct task_struct *p, pid_t pgid)
643{
644 return security_ops->task_setpgid(p, pgid);
645}
646
647int security_task_getpgid(struct task_struct *p)
648{
649 return security_ops->task_getpgid(p);
650}
651
652int security_task_getsid(struct task_struct *p)
653{
654 return security_ops->task_getsid(p);
655}
656
657void security_task_getsecid(struct task_struct *p, u32 *secid)
658{
659 security_ops->task_getsecid(p, secid);
660}
661EXPORT_SYMBOL(security_task_getsecid);
662
663int security_task_setgroups(struct group_info *group_info)
664{
665 return security_ops->task_setgroups(group_info);
666}
667
668int security_task_setnice(struct task_struct *p, int nice)
669{
670 return security_ops->task_setnice(p, nice);
671}
672
673int security_task_setioprio(struct task_struct *p, int ioprio)
674{
675 return security_ops->task_setioprio(p, ioprio);
676}
677
678int security_task_getioprio(struct task_struct *p)
679{
680 return security_ops->task_getioprio(p);
681}
682
683int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
684{
685 return security_ops->task_setrlimit(resource, new_rlim);
686}
687
688int security_task_setscheduler(struct task_struct *p,
689 int policy, struct sched_param *lp)
690{
691 return security_ops->task_setscheduler(p, policy, lp);
692}
693
694int security_task_getscheduler(struct task_struct *p)
695{
696 return security_ops->task_getscheduler(p);
697}
698
699int security_task_movememory(struct task_struct *p)
700{
701 return security_ops->task_movememory(p);
702}
703
704int security_task_kill(struct task_struct *p, struct siginfo *info,
705 int sig, u32 secid)
706{
707 return security_ops->task_kill(p, info, sig, secid);
708}
709
710int security_task_wait(struct task_struct *p)
711{
712 return security_ops->task_wait(p);
713}
714
715int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
716 unsigned long arg4, unsigned long arg5)
717{
718 return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
719}
720
721void security_task_reparent_to_init(struct task_struct *p)
722{
723 security_ops->task_reparent_to_init(p);
724}
725
726void security_task_to_inode(struct task_struct *p, struct inode *inode)
727{
728 security_ops->task_to_inode(p, inode);
729}
730
731int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
732{
733 return security_ops->ipc_permission(ipcp, flag);
734}
735
736int security_msg_msg_alloc(struct msg_msg *msg)
737{
738 return security_ops->msg_msg_alloc_security(msg);
739}
740
741void security_msg_msg_free(struct msg_msg *msg)
742{
743 security_ops->msg_msg_free_security(msg);
744}
745
746int security_msg_queue_alloc(struct msg_queue *msq)
747{
748 return security_ops->msg_queue_alloc_security(msq);
749}
750
751void security_msg_queue_free(struct msg_queue *msq)
752{
753 security_ops->msg_queue_free_security(msq);
754}
755
756int security_msg_queue_associate(struct msg_queue *msq, int msqflg)
757{
758 return security_ops->msg_queue_associate(msq, msqflg);
759}
760
761int security_msg_queue_msgctl(struct msg_queue *msq, int cmd)
762{
763 return security_ops->msg_queue_msgctl(msq, cmd);
764}
765
766int security_msg_queue_msgsnd(struct msg_queue *msq,
767 struct msg_msg *msg, int msqflg)
768{
769 return security_ops->msg_queue_msgsnd(msq, msg, msqflg);
770}
771
772int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
773 struct task_struct *target, long type, int mode)
774{
775 return security_ops->msg_queue_msgrcv(msq, msg, target, type, mode);
776}
777
778int security_shm_alloc(struct shmid_kernel *shp)
779{
780 return security_ops->shm_alloc_security(shp);
781}
782
783void security_shm_free(struct shmid_kernel *shp)
784{
785 security_ops->shm_free_security(shp);
786}
787
788int security_shm_associate(struct shmid_kernel *shp, int shmflg)
789{
790 return security_ops->shm_associate(shp, shmflg);
791}
792
793int security_shm_shmctl(struct shmid_kernel *shp, int cmd)
794{
795 return security_ops->shm_shmctl(shp, cmd);
796}
797
798int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg)
799{
800 return security_ops->shm_shmat(shp, shmaddr, shmflg);
801}
802
803int security_sem_alloc(struct sem_array *sma)
804{
805 return security_ops->sem_alloc_security(sma);
806}
807
808void security_sem_free(struct sem_array *sma)
809{
810 security_ops->sem_free_security(sma);
811}
812
813int security_sem_associate(struct sem_array *sma, int semflg)
814{
815 return security_ops->sem_associate(sma, semflg);
816}
817
818int security_sem_semctl(struct sem_array *sma, int cmd)
819{
820 return security_ops->sem_semctl(sma, cmd);
821}
822
823int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
824 unsigned nsops, int alter)
825{
826 return security_ops->sem_semop(sma, sops, nsops, alter);
827}
828
829void security_d_instantiate(struct dentry *dentry, struct inode *inode)
830{
831 if (unlikely(inode && IS_PRIVATE(inode)))
832 return;
833 security_ops->d_instantiate(dentry, inode);
834}
835EXPORT_SYMBOL(security_d_instantiate);
836
837int security_getprocattr(struct task_struct *p, char *name, char **value)
838{
839 return security_ops->getprocattr(p, name, value);
840}
841
842int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size)
843{
844 return security_ops->setprocattr(p, name, value, size);
845}
846
847int security_netlink_send(struct sock *sk, struct sk_buff *skb)
848{
849 return security_ops->netlink_send(sk, skb);
850}
851EXPORT_SYMBOL(security_netlink_send);
852
853int security_netlink_recv(struct sk_buff *skb, int cap)
854{
855 return security_ops->netlink_recv(skb, cap);
856}
857EXPORT_SYMBOL(security_netlink_recv);
858
859int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
860{
861 return security_ops->secid_to_secctx(secid, secdata, seclen);
862}
863EXPORT_SYMBOL(security_secid_to_secctx);
864
865void security_release_secctx(char *secdata, u32 seclen)
866{
867 return security_ops->release_secctx(secdata, seclen);
868}
869EXPORT_SYMBOL(security_release_secctx);
870
871#ifdef CONFIG_SECURITY_NETWORK
872
873int security_unix_stream_connect(struct socket *sock, struct socket *other,
874 struct sock *newsk)
875{
876 return security_ops->unix_stream_connect(sock, other, newsk);
877}
878EXPORT_SYMBOL(security_unix_stream_connect);
879
880int security_unix_may_send(struct socket *sock, struct socket *other)
881{
882 return security_ops->unix_may_send(sock, other);
883}
884EXPORT_SYMBOL(security_unix_may_send);
885
886int security_socket_create(int family, int type, int protocol, int kern)
887{
888 return security_ops->socket_create(family, type, protocol, kern);
889}
890
891int security_socket_post_create(struct socket *sock, int family,
892 int type, int protocol, int kern)
893{
894 return security_ops->socket_post_create(sock, family, type,
895 protocol, kern);
896}
897
898int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
899{
900 return security_ops->socket_bind(sock, address, addrlen);
901}
902
903int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
904{
905 return security_ops->socket_connect(sock, address, addrlen);
906}
907
908int security_socket_listen(struct socket *sock, int backlog)
909{
910 return security_ops->socket_listen(sock, backlog);
911}
912
913int security_socket_accept(struct socket *sock, struct socket *newsock)
914{
915 return security_ops->socket_accept(sock, newsock);
916}
917
918void security_socket_post_accept(struct socket *sock, struct socket *newsock)
919{
920 security_ops->socket_post_accept(sock, newsock);
921}
922
923int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
924{
925 return security_ops->socket_sendmsg(sock, msg, size);
926}
927
928int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
929 int size, int flags)
930{
931 return security_ops->socket_recvmsg(sock, msg, size, flags);
932}
933
934int security_socket_getsockname(struct socket *sock)
935{
936 return security_ops->socket_getsockname(sock);
937}
938
939int security_socket_getpeername(struct socket *sock)
940{
941 return security_ops->socket_getpeername(sock);
942}
943
944int security_socket_getsockopt(struct socket *sock, int level, int optname)
945{
946 return security_ops->socket_getsockopt(sock, level, optname);
947}
948
949int security_socket_setsockopt(struct socket *sock, int level, int optname)
950{
951 return security_ops->socket_setsockopt(sock, level, optname);
952}
953
954int security_socket_shutdown(struct socket *sock, int how)
955{
956 return security_ops->socket_shutdown(sock, how);
957}
958
959int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
960{
961 return security_ops->socket_sock_rcv_skb(sk, skb);
962}
963EXPORT_SYMBOL(security_sock_rcv_skb);
964
965int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
966 int __user *optlen, unsigned len)
967{
968 return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
969}
970
971int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
972{
973 return security_ops->socket_getpeersec_dgram(sock, skb, secid);
974}
975EXPORT_SYMBOL(security_socket_getpeersec_dgram);
976
977int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
978{
979 return security_ops->sk_alloc_security(sk, family, priority);
980}
981
982void security_sk_free(struct sock *sk)
983{
984 return security_ops->sk_free_security(sk);
985}
986
987void security_sk_clone(const struct sock *sk, struct sock *newsk)
988{
989 return security_ops->sk_clone_security(sk, newsk);
990}
991
992void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
993{
994 security_ops->sk_getsecid(sk, &fl->secid);
995}
996EXPORT_SYMBOL(security_sk_classify_flow);
997
998void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
999{
1000 security_ops->req_classify_flow(req, fl);
1001}
1002EXPORT_SYMBOL(security_req_classify_flow);
1003
1004void security_sock_graft(struct sock *sk, struct socket *parent)
1005{
1006 security_ops->sock_graft(sk, parent);
1007}
1008EXPORT_SYMBOL(security_sock_graft);
1009
1010int security_inet_conn_request(struct sock *sk,
1011 struct sk_buff *skb, struct request_sock *req)
1012{
1013 return security_ops->inet_conn_request(sk, skb, req);
1014}
1015EXPORT_SYMBOL(security_inet_conn_request);
1016
1017void security_inet_csk_clone(struct sock *newsk,
1018 const struct request_sock *req)
1019{
1020 security_ops->inet_csk_clone(newsk, req);
1021}
1022
1023void security_inet_conn_established(struct sock *sk,
1024 struct sk_buff *skb)
1025{
1026 security_ops->inet_conn_established(sk, skb);
1027}
1028
1029#endif /* CONFIG_SECURITY_NETWORK */
1030
1031#ifdef CONFIG_SECURITY_NETWORK_XFRM
1032
1033int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
1034{
1035 return security_ops->xfrm_policy_alloc_security(xp, sec_ctx);
1036}
1037EXPORT_SYMBOL(security_xfrm_policy_alloc);
1038
1039int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
1040{
1041 return security_ops->xfrm_policy_clone_security(old, new);
1042}
1043
1044void security_xfrm_policy_free(struct xfrm_policy *xp)
1045{
1046 security_ops->xfrm_policy_free_security(xp);
1047}
1048EXPORT_SYMBOL(security_xfrm_policy_free);
1049
1050int security_xfrm_policy_delete(struct xfrm_policy *xp)
1051{
1052 return security_ops->xfrm_policy_delete_security(xp);
1053}
1054
1055int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
1056{
1057 return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0);
1058}
1059EXPORT_SYMBOL(security_xfrm_state_alloc);
1060
1061int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
1062 struct xfrm_sec_ctx *polsec, u32 secid)
1063{
1064 if (!polsec)
1065 return 0;
1066 /*
1067 * We want the context to be taken from secid which is usually
1068 * from the sock.
1069 */
1070 return security_ops->xfrm_state_alloc_security(x, NULL, secid);
1071}
1072
1073int security_xfrm_state_delete(struct xfrm_state *x)
1074{
1075 return security_ops->xfrm_state_delete_security(x);
1076}
1077EXPORT_SYMBOL(security_xfrm_state_delete);
1078
1079void security_xfrm_state_free(struct xfrm_state *x)
1080{
1081 security_ops->xfrm_state_free_security(x);
1082}
1083
1084int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
1085{
1086 return security_ops->xfrm_policy_lookup(xp, fl_secid, dir);
1087}
1088
1089int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
1090 struct xfrm_policy *xp, struct flowi *fl)
1091{
1092 return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
1093}
1094
1095int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
1096{
1097 return security_ops->xfrm_decode_session(skb, secid, 1);
1098}
1099
1100void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
1101{
1102 int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
1103
1104 BUG_ON(rc);
1105}
1106EXPORT_SYMBOL(security_skb_classify_flow);
1107
1108#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1109
1110#ifdef CONFIG_KEYS
1111
1112int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags)
1113{
1114 return security_ops->key_alloc(key, tsk, flags);
1115}
1116
1117void security_key_free(struct key *key)
1118{
1119 security_ops->key_free(key);
1120}
1121
1122int security_key_permission(key_ref_t key_ref,
1123 struct task_struct *context, key_perm_t perm)
1124{
1125 return security_ops->key_permission(key_ref, context, perm);
1126}
1127
1128#endif /* CONFIG_KEYS */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 97b7e2738097..83a535b7bc60 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -22,7 +22,6 @@
22 * as published by the Free Software Foundation. 22 * as published by the Free Software Foundation.
23 */ 23 */
24 24
25#include <linux/module.h>
26#include <linux/init.h> 25#include <linux/init.h>
27#include <linux/kernel.h> 26#include <linux/kernel.h>
28#include <linux/ptrace.h> 27#include <linux/ptrace.h>
@@ -86,6 +85,7 @@
86extern unsigned int policydb_loaded_version; 85extern unsigned int policydb_loaded_version;
87extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 86extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
88extern int selinux_compat_net; 87extern int selinux_compat_net;
88extern struct security_operations *security_ops;
89 89
90#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 90#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
91int selinux_enforcing = 0; 91int selinux_enforcing = 0;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index ba715f40b658..cb008d9f0a82 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -31,7 +31,6 @@
31 * 2. Emulating a reasonable SO_PEERSEC across machines 31 * 2. Emulating a reasonable SO_PEERSEC across machines
32 * 3. Testing addition of sk_policy's with security context via setsockopt 32 * 3. Testing addition of sk_policy's with security context via setsockopt
33 */ 33 */
34#include <linux/module.h>
35#include <linux/kernel.h> 34#include <linux/kernel.h>
36#include <linux/init.h> 35#include <linux/init.h>
37#include <linux/security.h> 36#include <linux/security.h>
generated by cgit v1.2.2 (git 2.25.0) at 2024-09-21 15:45:59 -0400