diff options
author | Kentaro Takeda <takedakn@nttdata.co.jp> | 2008-12-16 23:24:15 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2008-12-31 18:07:37 -0500 |
commit | be6d3e56a6b9b3a4ee44a0685e39e595073c6f0d (patch) | |
tree | 3a770f4cc676efeba443b28caa1ad195eeff49bc /include/linux | |
parent | 6a94cb73064c952255336cc57731904174b2c58f (diff) |
introduce new LSM hooks where vfsmount is available.
Add new LSM hooks for path-based checks. Call them on directory-modifying
operations at the points where we still know the vfsmount involved.
Signed-off-by: Kentaro Takeda <takedakn@nttdata.co.jp>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Toshiharu Harada <haradats@nttdata.co.jp>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/security.h | 137 |
1 files changed, 137 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 3416cb85e77b..b92b5e453f64 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -335,17 +335,37 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
335 | * @dir contains the inode structure of the parent directory of the new link. | 335 | * @dir contains the inode structure of the parent directory of the new link. |
336 | * @new_dentry contains the dentry structure for the new link. | 336 | * @new_dentry contains the dentry structure for the new link. |
337 | * Return 0 if permission is granted. | 337 | * Return 0 if permission is granted. |
338 | * @path_link: | ||
339 | * Check permission before creating a new hard link to a file. | ||
340 | * @old_dentry contains the dentry structure for an existing link | ||
341 | * to the file. | ||
342 | * @new_dir contains the path structure of the parent directory of | ||
343 | * the new link. | ||
344 | * @new_dentry contains the dentry structure for the new link. | ||
345 | * Return 0 if permission is granted. | ||
338 | * @inode_unlink: | 346 | * @inode_unlink: |
339 | * Check the permission to remove a hard link to a file. | 347 | * Check the permission to remove a hard link to a file. |
340 | * @dir contains the inode structure of parent directory of the file. | 348 | * @dir contains the inode structure of parent directory of the file. |
341 | * @dentry contains the dentry structure for file to be unlinked. | 349 | * @dentry contains the dentry structure for file to be unlinked. |
342 | * Return 0 if permission is granted. | 350 | * Return 0 if permission is granted. |
351 | * @path_unlink: | ||
352 | * Check the permission to remove a hard link to a file. | ||
353 | * @dir contains the path structure of parent directory of the file. | ||
354 | * @dentry contains the dentry structure for file to be unlinked. | ||
355 | * Return 0 if permission is granted. | ||
343 | * @inode_symlink: | 356 | * @inode_symlink: |
344 | * Check the permission to create a symbolic link to a file. | 357 | * Check the permission to create a symbolic link to a file. |
345 | * @dir contains the inode structure of parent directory of the symbolic link. | 358 | * @dir contains the inode structure of parent directory of the symbolic link. |
346 | * @dentry contains the dentry structure of the symbolic link. | 359 | * @dentry contains the dentry structure of the symbolic link. |
347 | * @old_name contains the pathname of file. | 360 | * @old_name contains the pathname of file. |
348 | * Return 0 if permission is granted. | 361 | * Return 0 if permission is granted. |
362 | * @path_symlink: | ||
363 | * Check the permission to create a symbolic link to a file. | ||
364 | * @dir contains the path structure of parent directory of | ||
365 | * the symbolic link. | ||
366 | * @dentry contains the dentry structure of the symbolic link. | ||
367 | * @old_name contains the pathname of file. | ||
368 | * Return 0 if permission is granted. | ||
349 | * @inode_mkdir: | 369 | * @inode_mkdir: |
350 | * Check permissions to create a new directory in the existing directory | 370 | * Check permissions to create a new directory in the existing directory |
351 | * associated with inode strcture @dir. | 371 | * associated with inode strcture @dir. |
@@ -353,11 +373,25 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
353 | * @dentry contains the dentry structure of new directory. | 373 | * @dentry contains the dentry structure of new directory. |
354 | * @mode contains the mode of new directory. | 374 | * @mode contains the mode of new directory. |
355 | * Return 0 if permission is granted. | 375 | * Return 0 if permission is granted. |
376 | * @path_mkdir: | ||
377 | * Check permissions to create a new directory in the existing directory | ||
378 | * associated with path strcture @path. | ||
379 | * @dir containst the path structure of parent of the directory | ||
380 | * to be created. | ||
381 | * @dentry contains the dentry structure of new directory. | ||
382 | * @mode contains the mode of new directory. | ||
383 | * Return 0 if permission is granted. | ||
356 | * @inode_rmdir: | 384 | * @inode_rmdir: |
357 | * Check the permission to remove a directory. | 385 | * Check the permission to remove a directory. |
358 | * @dir contains the inode structure of parent of the directory to be removed. | 386 | * @dir contains the inode structure of parent of the directory to be removed. |
359 | * @dentry contains the dentry structure of directory to be removed. | 387 | * @dentry contains the dentry structure of directory to be removed. |
360 | * Return 0 if permission is granted. | 388 | * Return 0 if permission is granted. |
389 | * @path_rmdir: | ||
390 | * Check the permission to remove a directory. | ||
391 | * @dir contains the path structure of parent of the directory to be | ||
392 | * removed. | ||
393 | * @dentry contains the dentry structure of directory to be removed. | ||
394 | * Return 0 if permission is granted. | ||
361 | * @inode_mknod: | 395 | * @inode_mknod: |
362 | * Check permissions when creating a special file (or a socket or a fifo | 396 | * Check permissions when creating a special file (or a socket or a fifo |
363 | * file created via the mknod system call). Note that if mknod operation | 397 | * file created via the mknod system call). Note that if mknod operation |
@@ -368,6 +402,15 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
368 | * @mode contains the mode of the new file. | 402 | * @mode contains the mode of the new file. |
369 | * @dev contains the device number. | 403 | * @dev contains the device number. |
370 | * Return 0 if permission is granted. | 404 | * Return 0 if permission is granted. |
405 | * @path_mknod: | ||
406 | * Check permissions when creating a file. Note that this hook is called | ||
407 | * even if mknod operation is being done for a regular file. | ||
408 | * @dir contains the path structure of parent of the new file. | ||
409 | * @dentry contains the dentry structure of the new file. | ||
410 | * @mode contains the mode of the new file. | ||
411 | * @dev contains the undecoded device number. Use new_decode_dev() to get | ||
412 | * the decoded device number. | ||
413 | * Return 0 if permission is granted. | ||
371 | * @inode_rename: | 414 | * @inode_rename: |
372 | * Check for permission to rename a file or directory. | 415 | * Check for permission to rename a file or directory. |
373 | * @old_dir contains the inode structure for parent of the old link. | 416 | * @old_dir contains the inode structure for parent of the old link. |
@@ -375,6 +418,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
375 | * @new_dir contains the inode structure for parent of the new link. | 418 | * @new_dir contains the inode structure for parent of the new link. |
376 | * @new_dentry contains the dentry structure of the new link. | 419 | * @new_dentry contains the dentry structure of the new link. |
377 | * Return 0 if permission is granted. | 420 | * Return 0 if permission is granted. |
421 | * @path_rename: | ||
422 | * Check for permission to rename a file or directory. | ||
423 | * @old_dir contains the path structure for parent of the old link. | ||
424 | * @old_dentry contains the dentry structure of the old link. | ||
425 | * @new_dir contains the path structure for parent of the new link. | ||
426 | * @new_dentry contains the dentry structure of the new link. | ||
427 | * Return 0 if permission is granted. | ||
378 | * @inode_readlink: | 428 | * @inode_readlink: |
379 | * Check the permission to read the symbolic link. | 429 | * Check the permission to read the symbolic link. |
380 | * @dentry contains the dentry structure for the file link. | 430 | * @dentry contains the dentry structure for the file link. |
@@ -403,6 +453,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
403 | * @dentry contains the dentry structure for the file. | 453 | * @dentry contains the dentry structure for the file. |
404 | * @attr is the iattr structure containing the new file attributes. | 454 | * @attr is the iattr structure containing the new file attributes. |
405 | * Return 0 if permission is granted. | 455 | * Return 0 if permission is granted. |
456 | * @path_truncate: | ||
457 | * Check permission before truncating a file. | ||
458 | * @path contains the path structure for the file. | ||
459 | * @length is the new length of the file. | ||
460 | * @time_attrs is the flags passed to do_truncate(). | ||
461 | * Return 0 if permission is granted. | ||
406 | * @inode_getattr: | 462 | * @inode_getattr: |
407 | * Check permission before obtaining file attributes. | 463 | * Check permission before obtaining file attributes. |
408 | * @mnt is the vfsmount where the dentry was looked up | 464 | * @mnt is the vfsmount where the dentry was looked up |
@@ -1331,6 +1387,22 @@ struct security_operations { | |||
1331 | struct super_block *newsb); | 1387 | struct super_block *newsb); |
1332 | int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); | 1388 | int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); |
1333 | 1389 | ||
1390 | #ifdef CONFIG_SECURITY_PATH | ||
1391 | int (*path_unlink) (struct path *dir, struct dentry *dentry); | ||
1392 | int (*path_mkdir) (struct path *dir, struct dentry *dentry, int mode); | ||
1393 | int (*path_rmdir) (struct path *dir, struct dentry *dentry); | ||
1394 | int (*path_mknod) (struct path *dir, struct dentry *dentry, int mode, | ||
1395 | unsigned int dev); | ||
1396 | int (*path_truncate) (struct path *path, loff_t length, | ||
1397 | unsigned int time_attrs); | ||
1398 | int (*path_symlink) (struct path *dir, struct dentry *dentry, | ||
1399 | const char *old_name); | ||
1400 | int (*path_link) (struct dentry *old_dentry, struct path *new_dir, | ||
1401 | struct dentry *new_dentry); | ||
1402 | int (*path_rename) (struct path *old_dir, struct dentry *old_dentry, | ||
1403 | struct path *new_dir, struct dentry *new_dentry); | ||
1404 | #endif | ||
1405 | |||
1334 | int (*inode_alloc_security) (struct inode *inode); | 1406 | int (*inode_alloc_security) (struct inode *inode); |
1335 | void (*inode_free_security) (struct inode *inode); | 1407 | void (*inode_free_security) (struct inode *inode); |
1336 | int (*inode_init_security) (struct inode *inode, struct inode *dir, | 1408 | int (*inode_init_security) (struct inode *inode, struct inode *dir, |
@@ -2705,6 +2777,71 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi | |||
2705 | 2777 | ||
2706 | #endif /* CONFIG_SECURITY_NETWORK_XFRM */ | 2778 | #endif /* CONFIG_SECURITY_NETWORK_XFRM */ |
2707 | 2779 | ||
2780 | #ifdef CONFIG_SECURITY_PATH | ||
2781 | int security_path_unlink(struct path *dir, struct dentry *dentry); | ||
2782 | int security_path_mkdir(struct path *dir, struct dentry *dentry, int mode); | ||
2783 | int security_path_rmdir(struct path *dir, struct dentry *dentry); | ||
2784 | int security_path_mknod(struct path *dir, struct dentry *dentry, int mode, | ||
2785 | unsigned int dev); | ||
2786 | int security_path_truncate(struct path *path, loff_t length, | ||
2787 | unsigned int time_attrs); | ||
2788 | int security_path_symlink(struct path *dir, struct dentry *dentry, | ||
2789 | const char *old_name); | ||
2790 | int security_path_link(struct dentry *old_dentry, struct path *new_dir, | ||
2791 | struct dentry *new_dentry); | ||
2792 | int security_path_rename(struct path *old_dir, struct dentry *old_dentry, | ||
2793 | struct path *new_dir, struct dentry *new_dentry); | ||
2794 | #else /* CONFIG_SECURITY_PATH */ | ||
2795 | static inline int security_path_unlink(struct path *dir, struct dentry *dentry) | ||
2796 | { | ||
2797 | return 0; | ||
2798 | } | ||
2799 | |||
2800 | static inline int security_path_mkdir(struct path *dir, struct dentry *dentry, | ||
2801 | int mode) | ||
2802 | { | ||
2803 | return 0; | ||
2804 | } | ||
2805 | |||
2806 | static inline int security_path_rmdir(struct path *dir, struct dentry *dentry) | ||
2807 | { | ||
2808 | return 0; | ||
2809 | } | ||
2810 | |||
2811 | static inline int security_path_mknod(struct path *dir, struct dentry *dentry, | ||
2812 | int mode, unsigned int dev) | ||
2813 | { | ||
2814 | return 0; | ||
2815 | } | ||
2816 | |||
2817 | static inline int security_path_truncate(struct path *path, loff_t length, | ||
2818 | unsigned int time_attrs) | ||
2819 | { | ||
2820 | return 0; | ||
2821 | } | ||
2822 | |||
2823 | static inline int security_path_symlink(struct path *dir, struct dentry *dentry, | ||
2824 | const char *old_name) | ||
2825 | { | ||
2826 | return 0; | ||
2827 | } | ||
2828 | |||
2829 | static inline int security_path_link(struct dentry *old_dentry, | ||
2830 | struct path *new_dir, | ||
2831 | struct dentry *new_dentry) | ||
2832 | { | ||
2833 | return 0; | ||
2834 | } | ||
2835 | |||
2836 | static inline int security_path_rename(struct path *old_dir, | ||
2837 | struct dentry *old_dentry, | ||
2838 | struct path *new_dir, | ||
2839 | struct dentry *new_dentry) | ||
2840 | { | ||
2841 | return 0; | ||
2842 | } | ||
2843 | #endif /* CONFIG_SECURITY_PATH */ | ||
2844 | |||
2708 | #ifdef CONFIG_KEYS | 2845 | #ifdef CONFIG_KEYS |
2709 | #ifdef CONFIG_SECURITY | 2846 | #ifdef CONFIG_SECURITY |
2710 | 2847 | ||