author | Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-16 12:15:43 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2011-03-16 12:15:43 -0400 |
commit | 0f6e0e8448a16d8d22119ce91d8dd24b44865b51 (patch) | |
tree | 7c295c02db035fc6a0b867465911a2bc9dc6b1ef /include/linux/security.h | |
parent | 0d2ecee2bdb2a19d04bc5cefac0f86e790f1aad4 (diff) | |
parent | a002951c97ff8da49938c982a4c236bf2fafdc9f (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (33 commits)
AppArmor: kill unused macros in lsm.c
AppArmor: cleanup generated files correctly
KEYS: Add an iovec version of KEYCTL_INSTANTIATE
KEYS: Add a new keyctl op to reject a key with a specified error code
KEYS: Add a key type op to permit the key description to be vetted
KEYS: Add an RCU payload dereference macro
AppArmor: Cleanup make file to remove cruft and make it easier to read
SELinux: implement the new sb_remount LSM hook
LSM: Pass -o remount options to the LSM
SELinux: Compute SID for the newly created socket
SELinux: Socket retains creator role and MLS attribute
SELinux: Auto-generate security_is_socket_class
TOMOYO: Fix memory leak upon file open.
Revert "selinux: simplify ioctl checking"
selinux: drop unused packet flow permissions
selinux: Fix packet forwarding checks on postrouting
selinux: Fix wrong checks for selinux_policycap_netpeer
selinux: Fix check for xfrm selinux context algorithm
ima: remove unnecessary call to ima_must_measure
IMA: remove IMA imbalance checking
...
Diffstat (limited to 'include/linux/security.h')
-rw-r--r-- | include/linux/security.h | 35 |
1 files changed, 20 insertions, 15 deletions
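--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -25,6 +25,7 @@
 #include <linux/fs.h>
 #include <linux/fsnotify.h>
 #include <linux/binfmts.h>
+#include <linux/dcache.h>
 #include <linux/signal.h>
 #include <linux/resource.h>
 #include <linux/sem.h>
@@ -267,6 +268,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @orig the original mount data copied from userspace.
 * @copy copied data which will be passed to the security module.
 * Returns 0 if the copy was successful.
+* @sb_remount:
+* Extracts security system specifc mount options and verifys no changes
+* are being made to those options.
+* @sb superblock being remounted
+* @data contains the filesystem-specific data.
+* Return 0 if permission is granted.
 * @sb_umount:
 * Check permission before the @mnt file system is unmounted.
 * @mnt contains the mounted file system.
@@ -315,6 +322,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * then it should return -EOPNOTSUPP to skip this processing.
 * @inode contains the inode structure of the newly created inode.
 * @dir contains the inode structure of the parent directory.
+* @qstr contains the last path component of the new object
 * @name will be set to the allocated name suffix (e.g. selinux).
 * @value will be set to the allocated attribute value.
 * @len will be set to the length of the value.
@@ -1257,12 +1265,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 * @cap contains the capability <include/linux/capability.h>.
 * @audit: Whether to write an audit message or not
 * Return 0 if the capability is granted for @tsk.
-* @sysctl:
-* Check permission before accessing the @table sysctl variable in the
-* manner specified by @op.
-* @table contains the ctl_table structure for the sysctl variable.
-* @op contains the operation (001 = search, 002 = write, 004 = read).
-* Return 0 if permission is granted.
 * @syslog:
 * Check permission before accessing the kernel message ring or changing
 * logging to the console.
@@ -1383,7 +1385,6 @@ struct security_operations {
 const kernel_cap_t *permitted);
 int (*capable) (struct task_struct *tsk, const struct cred *cred,
 int cap, int audit);
-int (*sysctl) (struct ctl_table *table, int op);
 int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
 int (*quota_on) (struct dentry *dentry);
 int (*syslog) (int type);
@@ -1399,6 +1400,7 @@ struct security_operations {
 int (*sb_alloc_security) (struct super_block *sb);
 void (*sb_free_security) (struct super_block *sb);
 int (*sb_copy_data) (char *orig, char *copy);
+int (*sb_remount) (struct super_block *sb, void *data);
 int (*sb_kern_mount) (struct super_block *sb, int flags, void *data);
 int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
 int (*sb_statfs) (struct dentry *dentry);
@@ -1435,7 +1437,8 @@ struct security_operations {
 int (*inode_alloc_security) (struct inode *inode);
 void (*inode_free_security) (struct inode *inode);
 int (*inode_init_security) (struct inode *inode, struct inode *dir,
-char **name, void **value, size_t *len);
+const struct qstr *qstr, char **name,
+void **value, size_t *len);
 int (*inode_create) (struct inode *dir,
 struct dentry *dentry, int mode);
 int (*inode_link) (struct dentry *old_dentry,
@@ -1665,7 +1668,6 @@ int security_capset(struct cred *new, const struct cred *old,
 int security_capable(const struct cred *cred, int cap);
 int security_real_capable(struct task_struct *tsk, int cap);
 int security_real_capable_noaudit(struct task_struct *tsk, int cap);
-int security_sysctl(struct ctl_table *table, int op);
 int security_quotactl(int cmds, int type, int id, struct super_block *sb);
 int security_quota_on(struct dentry *dentry);
 int security_syslog(int type);
@@ -1681,6 +1683,7 @@ int security_bprm_secureexec(struct linux_binprm *bprm);
 int security_sb_alloc(struct super_block *sb);
 void security_sb_free(struct super_block *sb);
 int security_sb_copy_data(char *orig, char *copy);
+int security_sb_remount(struct super_block *sb, void *data);
 int security_sb_kern_mount(struct super_block *sb, int flags, void *data);
 int security_sb_show_options(struct seq_file *m, struct super_block *sb);
 int security_sb_statfs(struct dentry *dentry);
@@ -1696,7 +1699,8 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
 int security_inode_alloc(struct inode *inode);
 void security_inode_free(struct inode *inode);
 int security_inode_init_security(struct inode *inode, struct inode *dir,
-char **name, void **value, size_t *len);
+const struct qstr *qstr, char **name,
+void **value, size_t *len);
 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
 struct dentry *new_dentry);
@@ -1883,11 +1887,6 @@ int security_real_capable_noaudit(struct task_struct *tsk, int cap)
 return ret;
 }
 
-static inline int security_sysctl(struct ctl_table *table, int op)
-{
-return 0;
-}
-
 static inline int security_quotactl(int cmds, int type, int id,
 struct super_block *sb)
 {
@@ -1965,6 +1964,11 @@ static inline int security_sb_copy_data(char *orig, char *copy)
 return 0;
 }
 
+static inline int security_sb_remount(struct super_block *sb, void *data)
+{
+return 0;
+}
+
 static inline int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
 {
 return 0;
@@ -2024,6 +2028,7 @@ static inline void security_inode_free(struct inode *inode)
 
 static inline int security_inode_init_security(struct inode *inode,
 struct inode *dir,
+const struct qstr *qstr,
 char **name,
 void **value,
 size_t *len)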
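Review bot: The new `@sb_remount` hook description (hunk at -267,+268) has spelling errors (`specifc`, `verifys`) and does not state the security contract it exists for: a remount must not be allowed to alter the LSM's own mount options that were fixed when the superblock was first mounted. I would replace its first two comment lines with `* Extracts security-system-specific mount options from @data and verifies that none of them differ from the options the superblock was originally mounted with; a remount that attempts to change them must be refused.` The description should also say whether @data may be NULL (a remount passed with no option string) — the `void *data` signature alone does not tell an LSM author, and the caller is not in this file, so that needs confirming against the remount path before it is written down. The same gap applies to the `@qstr` parameter added to inode_init_security at +325: the comment should state whether callers may pass NULL, since an implementation that dereferences it unconditionally would otherwise be a plausible mistake.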