Merge branch 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current

* 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: [PATCH] Audit Filter Performance [PATCH] Rework of IPC auditing [PATCH] More user space subject labels [PATCH] Reworked patch for labels on user space messages [PATCH] change lspp ipc auditing [PATCH] audit inode patch [PATCH] support for context based audit filtering, part 2 [PATCH] support for context based audit filtering [PATCH] no need to wank with task_lock() and pinning task down in audit_syscall_exit() [PATCH] drop task argument of audit_syscall_{entry,exit} [PATCH] drop gfp_mask in audit_log_exit() [PATCH] move call of audit_free() into do_exit() [PATCH] sockaddr patch [PATCH] deal with deadlocks in audit_free()
author: Linus Torvalds <torvalds@g5.osdl.org> 2006-05-02 00:43:05 -0400
committer: Linus Torvalds <torvalds@g5.osdl.org> 2006-05-02 00:43:05 -0400
commit: 532f57da408c5a5710075d17047e2d97bdfd22f3 (patch)
tree: 3fb378bea1816f637aeeed0df805d0c30969cfc3 /include/linux
parent: 46c5ea3c9ae7fbc6e52a13c92e59d4fc7f4ca80a (diff)
parent: 2ad312d2093ae506ae0fa184d8d026b559083087 (diff)
4 files changed, 193 insertions, 23 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 1c47c59058c1..b74c148f14e3 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -83,6 +83,7 @@
 #define AUDIT_CONFIG_CHANGE     1305    /* Audit system configuration change */
 #define AUDIT_SOCKADDR          1306    /* sockaddr copied as syscall arg */
 #define AUDIT_CWD               1307    /* Current working directory */
+#define AUDIT_IPC_SET_PERM      1311    /* IPC new permissions record type */
 #define AUDIT_AVC               1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR       1401    /* Internal SE Linux Errors */
@@ -145,6 +146,11 @@
 #define AUDIT_PERS      10
 #define AUDIT_ARCH      11
 #define AUDIT_MSGTYPE   12
+#define AUDIT_SE_USER   13      /* security label user */
+#define AUDIT_SE_ROLE   14      /* security label role */
+#define AUDIT_SE_TYPE   15      /* security label type */
+#define AUDIT_SE_SEN    16      /* security label sensitivity label */
+#define AUDIT_SE_CLR    17      /* security label clearance label */
                                /* These are ONLY useful when checking
                                 * at syscall exit time (AUDIT_AT_EXIT). */
@@ -287,10 +293,10 @@ struct netlink_skb_parms;
                                /* Public API */
 extern int  audit_alloc(struct task_struct *task);
 extern void audit_free(struct task_struct *task);
-extern void audit_syscall_entry(struct task_struct *task, int arch,
+extern void audit_syscall_entry(int arch,
                                int major, unsigned long a0, unsigned long a1,
                                unsigned long a2, unsigned long a3);
-extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code);
+extern void audit_syscall_exit(int failed, long return_code);
 extern void audit_getname(const char *name);
 extern void audit_putname(const char *name);
 extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags);
@@ -314,7 +320,8 @@ extern void auditsc_get_stamp(struct audit_context *ctx,
                              struct timespec *t, unsigned int *serial);
 extern int  audit_set_loginuid(struct task_struct *task, uid_t loginuid);
 extern uid_t audit_get_loginuid(struct audit_context *ctx);
-extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
+extern int audit_ipc_obj(struct kern_ipc_perm *ipcp);
+extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
 extern int audit_socketcall(int nargs, unsigned long *args);
 extern int audit_sockaddr(int len, void *addr);
 extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
@@ -323,8 +330,8 @@ extern int audit_set_macxattr(const char *name);
 #else
 #define audit_alloc(t) ({ 0; })
 #define audit_free(t) do { ; } while (0)
-#define audit_syscall_entry(t,ta,a,b,c,d,e) do { ; } while (0)
+#define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0)
-#define audit_syscall_exit(t,f,r) do { ; } while (0)
+#define audit_syscall_exit(f,r) do { ; } while (0)
 #define audit_getname(n) do { ; } while (0)
 #define audit_putname(n) do { ; } while (0)
 #define __audit_inode(n,i,f) do { ; } while (0)
@@ -333,7 +340,8 @@ extern int audit_set_macxattr(const char *name);
 #define audit_inode_child(d,i,p) do { ; } while (0)
 #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
 #define audit_get_loginuid(c) ({ -1; })
-#define audit_ipc_perms(q,u,g,m,i) ({ 0; })
+#define audit_ipc_obj(i) ({ 0; })
+#define audit_ipc_set_perm(q,u,g,m,i) ({ 0; })
 #define audit_socketcall(n,a) ({ 0; })
 #define audit_sockaddr(len, addr) ({ 0; })
 #define audit_avc_path(dentry, mnt) ({ 0; })
@@ -366,7 +374,7 @@ extern void		    audit_log_d_path(struct audit_buffer *ab,
 extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
 extern int audit_filter_type(int type);
 extern int  audit_receive_filter(int type, int pid, int uid, int seq,
-                                 void *data, size_t datasz, uid_t loginuid);
+                         void *data, size_t datasz, uid_t loginuid, u32 sid);
 #else
 #define audit_log(c,g,t,f,...) do { ; } while (0)
 #define audit_log_start(c,g,t) ({ NULL; })
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index f8f3d1c927f8..87b8a5703ebc 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -143,6 +143,7 @@ struct netlink_skb_parms
        __u32                   dst_group;
        kernel_cap_t            eff_cap;
        __u32                   loginuid;       /* Login (audit) uid */
+        __u32                   sid;            /* SELinux security id */
 };
 #define NETLINK_CB(skb)         (*(struct netlink_skb_parms*)&((skb)->cb))
diff --git a/include/linux/security.h b/include/linux/security.h
index aaa0a5cdbf75..1bab48f6aeac 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -869,11 +869,6 @@ struct swap_info_struct;
 *      @ipcp contains the kernel IPC permission structure
 *      @flag contains the desired (requested) permission set
 *      Return 0 if permission is granted.
- * @ipc_getsecurity:
- *      Copy the security label associated with the ipc object into
- *      @buffer.  @buffer may be NULL to request the size of the buffer 
- *      required.  @size indicates the size of @buffer in bytes. Return 
- *      number of bytes used/required on success.
 *
 * Security hooks for individual messages held in System V IPC message queues
 * @msg_msg_alloc_security:
@@ -1223,7 +1218,6 @@ struct security_operations {
        void (*task_to_inode)(struct task_struct *p, struct inode *inode);
        int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
-        int (*ipc_getsecurity)(struct kern_ipc_perm *ipcp, void *buffer, size_t size);
        int (*msg_msg_alloc_security) (struct msg_msg * msg);
        void (*msg_msg_free_security) (struct msg_msg * msg);
@@ -1887,11 +1881,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
        return security_ops->ipc_permission (ipcp, flag);
 }
-static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
-{
-        return security_ops->ipc_getsecurity(ipcp, buffer, size);
-}
 static inline int security_msg_msg_alloc (struct msg_msg * msg)
 {
        return security_ops->msg_msg_alloc_security (msg);
@@ -2532,11 +2521,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
        return 0;
 }
-static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
-{
-        return -EOPNOTSUPP;
-}
 static inline int security_msg_msg_alloc (struct msg_msg * msg)
 {
        return 0;
diff --git a/include/linux/selinux.h b/include/linux/selinux.h
new file mode 100644
index 000000000000..4047bcde4484
--- /dev/null
+++ b/include/linux/selinux.h
@@ -0,0 +1,177 @@
+/*
+ * SELinux services exported to the rest of the kernel.
+ *
+ * Author: James Morris <jmorris@redhat.com>
+ *
+ * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
+ * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
+ * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2,
+ * as published by the Free Software Foundation.
+ */
+#ifndef _LINUX_SELINUX_H
+#define _LINUX_SELINUX_H
+struct selinux_audit_rule;
+struct audit_context;
+struct inode;
+struct kern_ipc_perm;
+#ifdef CONFIG_SECURITY_SELINUX
+/**
+ *      selinux_audit_rule_init - alloc/init an selinux audit rule structure.
+ *      @field: the field this rule refers to
+ *      @op: the operater the rule uses
+ *      @rulestr: the text "target" of the rule
+ *      @rule: pointer to the new rule structure returned via this
+ *
+ *      Returns 0 if successful, -errno if not.  On success, the rule structure
+ *      will be allocated internally.  The caller must free this structure with
+ *      selinux_audit_rule_free() after use.
+ */
+int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
+                            struct selinux_audit_rule **rule);
+/**
+ *      selinux_audit_rule_free - free an selinux audit rule structure.
+ *      @rule: pointer to the audit rule to be freed
+ *
+ *      This will free all memory associated with the given rule.
+ *      If @rule is NULL, no operation is performed.
+ */
+void selinux_audit_rule_free(struct selinux_audit_rule *rule);
+/**
+ *      selinux_audit_rule_match - determine if a context ID matches a rule.
+ *      @ctxid: the context ID to check
+ *      @field: the field this rule refers to
+ *      @op: the operater the rule uses
+ *      @rule: pointer to the audit rule to check against
+ *      @actx: the audit context (can be NULL) associated with the check
+ *
+ *      Returns 1 if the context id matches the rule, 0 if it does not, and
+ *      -errno on failure.
+ */
+int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
+                             struct selinux_audit_rule *rule,
+                             struct audit_context *actx);
+/**
+ *      selinux_audit_set_callback - set the callback for policy reloads.
+ *      @callback: the function to call when the policy is reloaded
+ *
+ *      This sets the function callback function that will update the rules
+ *      upon policy reloads.  This callback should rebuild all existing rules
+ *      using selinux_audit_rule_init().
+ */
+void selinux_audit_set_callback(int (*callback)(void));
+/**
+ *      selinux_task_ctxid - determine a context ID for a process.
+ *      @tsk: the task object
+ *      @ctxid: ID value returned via this
+ *
+ *      On return, ctxid will contain an ID for the context.  This value
+ *      should only be used opaquely.
+ */
+void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid);
+/**
+ *     selinux_ctxid_to_string - map a security context ID to a string
+ *     @ctxid: security context ID to be converted.
+ *     @ctx: address of context string to be returned
+ *     @ctxlen: length of returned context string.
+ *
+ *     Returns 0 if successful, -errno if not.  On success, the context
+ *     string will be allocated internally, and the caller must call
+ *     kfree() on it after use.
+ */
+int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen);
+/**
+ *     selinux_get_inode_sid - get the inode's security context ID
+ *     @inode: inode structure to get the sid from.
+ *     @sid: pointer to security context ID to be filled in.
+ *
+ *     Returns nothing
+ */
+void selinux_get_inode_sid(const struct inode *inode, u32 *sid);
+/**
+ *     selinux_get_ipc_sid - get the ipc security context ID
+ *     @ipcp: ipc structure to get the sid from.
+ *     @sid: pointer to security context ID to be filled in.
+ *
+ *     Returns nothing
+ */
+void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid);
+/**
+ *     selinux_get_task_sid - return the SID of task
+ *     @tsk: the task whose SID will be returned
+ *     @sid: pointer to security context ID to be filled in.
+ *
+ *     Returns nothing
+ */
+void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);
+#else
+static inline int selinux_audit_rule_init(u32 field, u32 op,
+                                          char *rulestr,
+                                          struct selinux_audit_rule **rule)
+{
+        return -ENOTSUPP;
+}
+static inline void selinux_audit_rule_free(struct selinux_audit_rule *rule)
+{
+        return;
+}
+static inline int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
+                                           struct selinux_audit_rule *rule,
+                                           struct audit_context *actx)
+{
+        return 0;
+}
+static inline void selinux_audit_set_callback(int (*callback)(void))
+{
+        return;
+}
+static inline void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid)
+{
+        *ctxid = 0;
+}
+static inline int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen)
+{
+       *ctx = NULL;
+       *ctxlen = 0;
+       return 0;
+}
+static inline void selinux_get_inode_sid(const struct inode *inode, u32 *sid)
+{
+        *sid = 0;
+}
+static inline void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid)
+{
+        *sid = 0;
+}
+static inline void selinux_get_task_sid(struct task_struct *tsk, u32 *sid)
+{
+        *sid = 0;
+}
+#endif  /* CONFIG_SECURITY_SELINUX */
+#endif /* _LINUX_SELINUX_H */
author	Linus Torvalds <torvalds@g5.osdl.org>	2006-05-02 00:43:05 -0400
committer	Linus Torvalds <torvalds@g5.osdl.org>	2006-05-02 00:43:05 -0400
commit	532f57da408c5a5710075d17047e2d97bdfd22f3 (patch)
tree	3fb378bea1816f637aeeed0df805d0c30969cfc3 /include/linux
parent	46c5ea3c9ae7fbc6e52a13c92e59d4fc7f4ca80a (diff)
parent	2ad312d2093ae506ae0fa184d8d026b559083087 (diff)

diff --git a/include/linux/audit.h b/include/linux/audit.h index 1c47c59058c1..b74c148f14e3 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -83,6 +83,7 @@
83	#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */	83	#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
84	#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */	84	#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
85	#define AUDIT_CWD 1307 /* Current working directory */	85	#define AUDIT_CWD 1307 /* Current working directory */
		86	#define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */
86		87
87	#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */	88	#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
88	#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */	89	#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
@@ -145,6 +146,11 @@
145	#define AUDIT_PERS 10	146	#define AUDIT_PERS 10
146	#define AUDIT_ARCH 11	147	#define AUDIT_ARCH 11
147	#define AUDIT_MSGTYPE 12	148	#define AUDIT_MSGTYPE 12
		149	#define AUDIT_SE_USER 13 /* security label user */
		150	#define AUDIT_SE_ROLE 14 /* security label role */
		151	#define AUDIT_SE_TYPE 15 /* security label type */
		152	#define AUDIT_SE_SEN 16 /* security label sensitivity label */
		153	#define AUDIT_SE_CLR 17 /* security label clearance label */
148		154
149	/* These are ONLY useful when checking	155	/* These are ONLY useful when checking
150	* at syscall exit time (AUDIT_AT_EXIT). */	156	* at syscall exit time (AUDIT_AT_EXIT). */
@@ -287,10 +293,10 @@ struct netlink_skb_parms;
287	/* Public API */	293	/* Public API */
288	extern int audit_alloc(struct task_struct *task);	294	extern int audit_alloc(struct task_struct *task);
289	extern void audit_free(struct task_struct *task);	295	extern void audit_free(struct task_struct *task);
290	extern void audit_syscall_entry(struct task_struct *task, int arch,	296	extern void audit_syscall_entry(int arch,
291	int major, unsigned long a0, unsigned long a1,	297	int major, unsigned long a0, unsigned long a1,
292	unsigned long a2, unsigned long a3);	298	unsigned long a2, unsigned long a3);
293	extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code);	299	extern void audit_syscall_exit(int failed, long return_code);
294	extern void audit_getname(const char *name);	300	extern void audit_getname(const char *name);
295	extern void audit_putname(const char *name);	301	extern void audit_putname(const char *name);
296	extern void __audit_inode(const char name, const struct inode inode, unsigned flags);	302	extern void __audit_inode(const char name, const struct inode inode, unsigned flags);
@@ -314,7 +320,8 @@ extern void auditsc_get_stamp(struct audit_context *ctx,
314	struct timespec t, unsigned int serial);	320	struct timespec t, unsigned int serial);
315	extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);	321	extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
316	extern uid_t audit_get_loginuid(struct audit_context *ctx);	322	extern uid_t audit_get_loginuid(struct audit_context *ctx);
317	extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);	323	extern int audit_ipc_obj(struct kern_ipc_perm *ipcp);
		324	extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
318	extern int audit_socketcall(int nargs, unsigned long *args);	325	extern int audit_socketcall(int nargs, unsigned long *args);
319	extern int audit_sockaddr(int len, void *addr);	326	extern int audit_sockaddr(int len, void *addr);
320	extern int audit_avc_path(struct dentry dentry, struct vfsmount mnt);	327	extern int audit_avc_path(struct dentry dentry, struct vfsmount mnt);
@@ -323,8 +330,8 @@ extern int audit_set_macxattr(const char *name);
323	#else	330	#else
324	#define audit_alloc(t) ({ 0; })	331	#define audit_alloc(t) ({ 0; })
325	#define audit_free(t) do { ; } while (0)	332	#define audit_free(t) do { ; } while (0)
326	#define audit_syscall_entry(t,ta,a,b,c,d,e) do { ; } while (0)	333	#define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0)
327	#define audit_syscall_exit(t,f,r) do { ; } while (0)	334	#define audit_syscall_exit(f,r) do { ; } while (0)
328	#define audit_getname(n) do { ; } while (0)	335	#define audit_getname(n) do { ; } while (0)
329	#define audit_putname(n) do { ; } while (0)	336	#define audit_putname(n) do { ; } while (0)
330	#define __audit_inode(n,i,f) do { ; } while (0)	337	#define __audit_inode(n,i,f) do { ; } while (0)
@@ -333,7 +340,8 @@ extern int audit_set_macxattr(const char *name);
333	#define audit_inode_child(d,i,p) do { ; } while (0)	340	#define audit_inode_child(d,i,p) do { ; } while (0)
334	#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)	341	#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
335	#define audit_get_loginuid(c) ({ -1; })	342	#define audit_get_loginuid(c) ({ -1; })
336	#define audit_ipc_perms(q,u,g,m,i) ({ 0; })	343	#define audit_ipc_obj(i) ({ 0; })
		344	#define audit_ipc_set_perm(q,u,g,m,i) ({ 0; })
337	#define audit_socketcall(n,a) ({ 0; })	345	#define audit_socketcall(n,a) ({ 0; })
338	#define audit_sockaddr(len, addr) ({ 0; })	346	#define audit_sockaddr(len, addr) ({ 0; })
339	#define audit_avc_path(dentry, mnt) ({ 0; })	347	#define audit_avc_path(dentry, mnt) ({ 0; })
@@ -366,7 +374,7 @@ extern void audit_log_d_path(struct audit_buffer *ab,
366	extern int audit_filter_user(struct netlink_skb_parms *cb, int type);	374	extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
367	extern int audit_filter_type(int type);	375	extern int audit_filter_type(int type);
368	extern int audit_receive_filter(int type, int pid, int uid, int seq,	376	extern int audit_receive_filter(int type, int pid, int uid, int seq,
369	void *data, size_t datasz, uid_t loginuid);	377	void *data, size_t datasz, uid_t loginuid, u32 sid);
370	#else	378	#else
371	#define audit_log(c,g,t,f,...) do { ; } while (0)	379	#define audit_log(c,g,t,f,...) do { ; } while (0)
372	#define audit_log_start(c,g,t) ({ NULL; })	380	#define audit_log_start(c,g,t) ({ NULL; })


diff --git a/include/linux/netlink.h b/include/linux/netlink.h index f8f3d1c927f8..87b8a5703ebc 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h
@@ -143,6 +143,7 @@ struct netlink_skb_parms
143	__u32 dst_group;	143	__u32 dst_group;
144	kernel_cap_t eff_cap;	144	kernel_cap_t eff_cap;
145	__u32 loginuid; /* Login (audit) uid */	145	__u32 loginuid; /* Login (audit) uid */
		146	__u32 sid; /* SELinux security id */
146	};	147	};
147		148
148	#define NETLINK_CB(skb) ((struct netlink_skb_parms)&((skb)->cb))	149	#define NETLINK_CB(skb) ((struct netlink_skb_parms)&((skb)->cb))


diff --git a/include/linux/security.h b/include/linux/security.h index aaa0a5cdbf75..1bab48f6aeac 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -869,11 +869,6 @@ struct swap_info_struct;
869	* @ipcp contains the kernel IPC permission structure	869	* @ipcp contains the kernel IPC permission structure
870	* @flag contains the desired (requested) permission set	870	* @flag contains the desired (requested) permission set
871	* Return 0 if permission is granted.	871	* Return 0 if permission is granted.
872	* @ipc_getsecurity:
873	* Copy the security label associated with the ipc object into
874	* @buffer. @buffer may be NULL to request the size of the buffer
875	* required. @size indicates the size of @buffer in bytes. Return
876	* number of bytes used/required on success.
877	*	872	*
878	* Security hooks for individual messages held in System V IPC message queues	873	* Security hooks for individual messages held in System V IPC message queues
879	* @msg_msg_alloc_security:	874	* @msg_msg_alloc_security:
@@ -1223,7 +1218,6 @@ struct security_operations {
1223	void (task_to_inode)(struct task_struct p, struct inode *inode);	1218	void (task_to_inode)(struct task_struct p, struct inode *inode);
1224		1219
1225	int (ipc_permission) (struct kern_ipc_perm ipcp, short flag);	1220	int (ipc_permission) (struct kern_ipc_perm ipcp, short flag);
1226	int (ipc_getsecurity)(struct kern_ipc_perm ipcp, void *buffer, size_t size);
1227		1221
1228	int (msg_msg_alloc_security) (struct msg_msg msg);	1222	int (msg_msg_alloc_security) (struct msg_msg msg);
1229	void (msg_msg_free_security) (struct msg_msg msg);	1223	void (msg_msg_free_security) (struct msg_msg msg);
@@ -1887,11 +1881,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
1887	return security_ops->ipc_permission (ipcp, flag);	1881	return security_ops->ipc_permission (ipcp, flag);
1888	}	1882	}
1889		1883
1890	static inline int security_ipc_getsecurity(struct kern_ipc_perm ipcp, void buffer, size_t size)
1891	{
1892	return security_ops->ipc_getsecurity(ipcp, buffer, size);
1893	}
1894
1895	static inline int security_msg_msg_alloc (struct msg_msg * msg)	1884	static inline int security_msg_msg_alloc (struct msg_msg * msg)
1896	{	1885	{
1897	return security_ops->msg_msg_alloc_security (msg);	1886	return security_ops->msg_msg_alloc_security (msg);
@@ -2532,11 +2521,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
2532	return 0;	2521	return 0;
2533	}	2522	}
2534		2523
2535	static inline int security_ipc_getsecurity(struct kern_ipc_perm ipcp, void buffer, size_t size)
2536	{
2537	return -EOPNOTSUPP;
2538	}
2539
2540	static inline int security_msg_msg_alloc (struct msg_msg * msg)	2524	static inline int security_msg_msg_alloc (struct msg_msg * msg)
2541	{	2525	{
2542	return 0;	2526	return 0;


diff --git a/include/linux/selinux.h b/include/linux/selinux.h new file mode 100644 index 000000000000..4047bcde4484 --- /dev/null +++ b/include/linux/selinux.h
@@ -0,0 +1,177 @@
		1	/*
		2	* SELinux services exported to the rest of the kernel.
		3	*
		4	* Author: James Morris <jmorris@redhat.com>
		5	*
		6	* Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
		7	* Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
		8	* Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
		9	*
		10	* This program is free software; you can redistribute it and/or modify
		11	* it under the terms of the GNU General Public License version 2,
		12	* as published by the Free Software Foundation.
		13	*/
		14	#ifndef _LINUX_SELINUX_H
		15	#define _LINUX_SELINUX_H
		16
		17	struct selinux_audit_rule;
		18	struct audit_context;
		19	struct inode;
		20	struct kern_ipc_perm;
		21
		22	#ifdef CONFIG_SECURITY_SELINUX
		23
		24	/**
		25	* selinux_audit_rule_init - alloc/init an selinux audit rule structure.
		26	* @field: the field this rule refers to
		27	* @op: the operater the rule uses
		28	* @rulestr: the text "target" of the rule
		29	* @rule: pointer to the new rule structure returned via this
		30	*
		31	* Returns 0 if successful, -errno if not. On success, the rule structure
		32	* will be allocated internally. The caller must free this structure with
		33	* selinux_audit_rule_free() after use.
		34	*/
		35	int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
		36	struct selinux_audit_rule **rule);
		37
		38	/**
		39	* selinux_audit_rule_free - free an selinux audit rule structure.
		40	* @rule: pointer to the audit rule to be freed
		41	*
		42	* This will free all memory associated with the given rule.
		43	* If @rule is NULL, no operation is performed.
		44	*/
		45	void selinux_audit_rule_free(struct selinux_audit_rule *rule);
		46
		47	/**
		48	* selinux_audit_rule_match - determine if a context ID matches a rule.
		49	* @ctxid: the context ID to check
		50	* @field: the field this rule refers to
		51	* @op: the operater the rule uses
		52	* @rule: pointer to the audit rule to check against
		53	* @actx: the audit context (can be NULL) associated with the check
		54	*
		55	* Returns 1 if the context id matches the rule, 0 if it does not, and
		56	* -errno on failure.
		57	*/
		58	int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
		59	struct selinux_audit_rule *rule,
		60	struct audit_context *actx);
		61
		62	/**
		63	* selinux_audit_set_callback - set the callback for policy reloads.
		64	* @callback: the function to call when the policy is reloaded
		65	*
		66	* This sets the function callback function that will update the rules
		67	* upon policy reloads. This callback should rebuild all existing rules
		68	* using selinux_audit_rule_init().
		69	*/
		70	void selinux_audit_set_callback(int (*callback)(void));
		71
		72	/**
		73	* selinux_task_ctxid - determine a context ID for a process.
		74	* @tsk: the task object
		75	* @ctxid: ID value returned via this
		76	*
		77	* On return, ctxid will contain an ID for the context. This value
		78	* should only be used opaquely.
		79	*/
		80	void selinux_task_ctxid(struct task_struct tsk, u32 ctxid);
		81
		82	/**
		83	* selinux_ctxid_to_string - map a security context ID to a string
		84	* @ctxid: security context ID to be converted.
		85	* @ctx: address of context string to be returned
		86	* @ctxlen: length of returned context string.
		87	*
		88	* Returns 0 if successful, -errno if not. On success, the context
		89	* string will be allocated internally, and the caller must call
		90	* kfree() on it after use.
		91	*/
		92	int selinux_ctxid_to_string(u32 ctxid, char *ctx, u32 ctxlen);
		93
		94	/**
		95	* selinux_get_inode_sid - get the inode's security context ID
		96	* @inode: inode structure to get the sid from.
		97	* @sid: pointer to security context ID to be filled in.
		98	*
		99	* Returns nothing
		100	*/
		101	void selinux_get_inode_sid(const struct inode inode, u32 sid);
		102
		103	/**
		104	* selinux_get_ipc_sid - get the ipc security context ID
		105	* @ipcp: ipc structure to get the sid from.
		106	* @sid: pointer to security context ID to be filled in.
		107	*
		108	* Returns nothing
		109	*/
		110	void selinux_get_ipc_sid(const struct kern_ipc_perm ipcp, u32 sid);
		111
		112	/**
		113	* selinux_get_task_sid - return the SID of task
		114	* @tsk: the task whose SID will be returned
		115	* @sid: pointer to security context ID to be filled in.
		116	*
		117	* Returns nothing
		118	*/
		119	void selinux_get_task_sid(struct task_struct tsk, u32 sid);
		120
		121
		122	#else
		123
		124	static inline int selinux_audit_rule_init(u32 field, u32 op,
		125	char *rulestr,
		126	struct selinux_audit_rule **rule)
		127	{
		128	return -ENOTSUPP;
		129	}
		130
		131	static inline void selinux_audit_rule_free(struct selinux_audit_rule *rule)
		132	{
		133	return;
		134	}
		135
		136	static inline int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
		137	struct selinux_audit_rule *rule,
		138	struct audit_context *actx)
		139	{
		140	return 0;
		141	}
		142
		143	static inline void selinux_audit_set_callback(int (*callback)(void))
		144	{
		145	return;
		146	}
		147
		148	static inline void selinux_task_ctxid(struct task_struct tsk, u32 ctxid)
		149	{
		150	*ctxid = 0;
		151	}
		152
		153	static inline int selinux_ctxid_to_string(u32 ctxid, char *ctx, u32 ctxlen)
		154	{
		155	*ctx = NULL;
		156	*ctxlen = 0;
		157	return 0;
		158	}
		159
		160	static inline void selinux_get_inode_sid(const struct inode inode, u32 sid)
		161	{
		162	*sid = 0;
		163	}
		164
		165	static inline void selinux_get_ipc_sid(const struct kern_ipc_perm ipcp, u32 sid)
		166	{
		167	*sid = 0;
		168	}
		169
		170	static inline void selinux_get_task_sid(struct task_struct tsk, u32 sid)
		171	{
		172	*sid = 0;
		173	}
		174
		175	#endif /* CONFIG_SECURITY_SELINUX */
		176
		177	#endif /* _LINUX_SELINUX_H */