aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@g5.osdl.org>2006-05-02 00:43:05 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2006-05-02 00:43:05 -0400
commit532f57da408c5a5710075d17047e2d97bdfd22f3 (patch)
tree3fb378bea1816f637aeeed0df805d0c30969cfc3 /include
parent46c5ea3c9ae7fbc6e52a13c92e59d4fc7f4ca80a (diff)
parent2ad312d2093ae506ae0fa184d8d026b559083087 (diff)
Merge branch 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current
* 'audit.b10' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/audit-current: [PATCH] Audit Filter Performance [PATCH] Rework of IPC auditing [PATCH] More user space subject labels [PATCH] Reworked patch for labels on user space messages [PATCH] change lspp ipc auditing [PATCH] audit inode patch [PATCH] support for context based audit filtering, part 2 [PATCH] support for context based audit filtering [PATCH] no need to wank with task_lock() and pinning task down in audit_syscall_exit() [PATCH] drop task argument of audit_syscall_{entry,exit} [PATCH] drop gfp_mask in audit_log_exit() [PATCH] move call of audit_free() into do_exit() [PATCH] sockaddr patch [PATCH] deal with deadlocks in audit_free()
Diffstat (limited to 'include')
-rw-r--r--include/linux/audit.h22
-rw-r--r--include/linux/netlink.h1
-rw-r--r--include/linux/security.h16
-rw-r--r--include/linux/selinux.h177
4 files changed, 193 insertions, 23 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 1c47c59058c1..b74c148f14e3 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -83,6 +83,7 @@
83#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ 83#define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */
84#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ 84#define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */
85#define AUDIT_CWD 1307 /* Current working directory */ 85#define AUDIT_CWD 1307 /* Current working directory */
86#define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */
86 87
87#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ 88#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
88#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ 89#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
@@ -145,6 +146,11 @@
145#define AUDIT_PERS 10 146#define AUDIT_PERS 10
146#define AUDIT_ARCH 11 147#define AUDIT_ARCH 11
147#define AUDIT_MSGTYPE 12 148#define AUDIT_MSGTYPE 12
149#define AUDIT_SE_USER 13 /* security label user */
150#define AUDIT_SE_ROLE 14 /* security label role */
151#define AUDIT_SE_TYPE 15 /* security label type */
152#define AUDIT_SE_SEN 16 /* security label sensitivity label */
153#define AUDIT_SE_CLR 17 /* security label clearance label */
148 154
149 /* These are ONLY useful when checking 155 /* These are ONLY useful when checking
150 * at syscall exit time (AUDIT_AT_EXIT). */ 156 * at syscall exit time (AUDIT_AT_EXIT). */
@@ -287,10 +293,10 @@ struct netlink_skb_parms;
287 /* Public API */ 293 /* Public API */
288extern int audit_alloc(struct task_struct *task); 294extern int audit_alloc(struct task_struct *task);
289extern void audit_free(struct task_struct *task); 295extern void audit_free(struct task_struct *task);
290extern void audit_syscall_entry(struct task_struct *task, int arch, 296extern void audit_syscall_entry(int arch,
291 int major, unsigned long a0, unsigned long a1, 297 int major, unsigned long a0, unsigned long a1,
292 unsigned long a2, unsigned long a3); 298 unsigned long a2, unsigned long a3);
293extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); 299extern void audit_syscall_exit(int failed, long return_code);
294extern void audit_getname(const char *name); 300extern void audit_getname(const char *name);
295extern void audit_putname(const char *name); 301extern void audit_putname(const char *name);
296extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags); 302extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags);
@@ -314,7 +320,8 @@ extern void auditsc_get_stamp(struct audit_context *ctx,
314 struct timespec *t, unsigned int *serial); 320 struct timespec *t, unsigned int *serial);
315extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); 321extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid);
316extern uid_t audit_get_loginuid(struct audit_context *ctx); 322extern uid_t audit_get_loginuid(struct audit_context *ctx);
317extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp); 323extern int audit_ipc_obj(struct kern_ipc_perm *ipcp);
324extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp);
318extern int audit_socketcall(int nargs, unsigned long *args); 325extern int audit_socketcall(int nargs, unsigned long *args);
319extern int audit_sockaddr(int len, void *addr); 326extern int audit_sockaddr(int len, void *addr);
320extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); 327extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt);
@@ -323,8 +330,8 @@ extern int audit_set_macxattr(const char *name);
323#else 330#else
324#define audit_alloc(t) ({ 0; }) 331#define audit_alloc(t) ({ 0; })
325#define audit_free(t) do { ; } while (0) 332#define audit_free(t) do { ; } while (0)
326#define audit_syscall_entry(t,ta,a,b,c,d,e) do { ; } while (0) 333#define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0)
327#define audit_syscall_exit(t,f,r) do { ; } while (0) 334#define audit_syscall_exit(f,r) do { ; } while (0)
328#define audit_getname(n) do { ; } while (0) 335#define audit_getname(n) do { ; } while (0)
329#define audit_putname(n) do { ; } while (0) 336#define audit_putname(n) do { ; } while (0)
330#define __audit_inode(n,i,f) do { ; } while (0) 337#define __audit_inode(n,i,f) do { ; } while (0)
@@ -333,7 +340,8 @@ extern int audit_set_macxattr(const char *name);
333#define audit_inode_child(d,i,p) do { ; } while (0) 340#define audit_inode_child(d,i,p) do { ; } while (0)
334#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) 341#define auditsc_get_stamp(c,t,s) do { BUG(); } while (0)
335#define audit_get_loginuid(c) ({ -1; }) 342#define audit_get_loginuid(c) ({ -1; })
336#define audit_ipc_perms(q,u,g,m,i) ({ 0; }) 343#define audit_ipc_obj(i) ({ 0; })
344#define audit_ipc_set_perm(q,u,g,m,i) ({ 0; })
337#define audit_socketcall(n,a) ({ 0; }) 345#define audit_socketcall(n,a) ({ 0; })
338#define audit_sockaddr(len, addr) ({ 0; }) 346#define audit_sockaddr(len, addr) ({ 0; })
339#define audit_avc_path(dentry, mnt) ({ 0; }) 347#define audit_avc_path(dentry, mnt) ({ 0; })
@@ -366,7 +374,7 @@ extern void audit_log_d_path(struct audit_buffer *ab,
366extern int audit_filter_user(struct netlink_skb_parms *cb, int type); 374extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
367extern int audit_filter_type(int type); 375extern int audit_filter_type(int type);
368extern int audit_receive_filter(int type, int pid, int uid, int seq, 376extern int audit_receive_filter(int type, int pid, int uid, int seq,
369 void *data, size_t datasz, uid_t loginuid); 377 void *data, size_t datasz, uid_t loginuid, u32 sid);
370#else 378#else
371#define audit_log(c,g,t,f,...) do { ; } while (0) 379#define audit_log(c,g,t,f,...) do { ; } while (0)
372#define audit_log_start(c,g,t) ({ NULL; }) 380#define audit_log_start(c,g,t) ({ NULL; })
diff --git a/include/linux/netlink.h b/include/linux/netlink.h
index f8f3d1c927f8..87b8a5703ebc 100644
--- a/include/linux/netlink.h
+++ b/include/linux/netlink.h
@@ -143,6 +143,7 @@ struct netlink_skb_parms
143 __u32 dst_group; 143 __u32 dst_group;
144 kernel_cap_t eff_cap; 144 kernel_cap_t eff_cap;
145 __u32 loginuid; /* Login (audit) uid */ 145 __u32 loginuid; /* Login (audit) uid */
146 __u32 sid; /* SELinux security id */
146}; 147};
147 148
148#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) 149#define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb))
diff --git a/include/linux/security.h b/include/linux/security.h
index aaa0a5cdbf75..1bab48f6aeac 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -869,11 +869,6 @@ struct swap_info_struct;
869 * @ipcp contains the kernel IPC permission structure 869 * @ipcp contains the kernel IPC permission structure
870 * @flag contains the desired (requested) permission set 870 * @flag contains the desired (requested) permission set
871 * Return 0 if permission is granted. 871 * Return 0 if permission is granted.
872 * @ipc_getsecurity:
873 * Copy the security label associated with the ipc object into
874 * @buffer. @buffer may be NULL to request the size of the buffer
875 * required. @size indicates the size of @buffer in bytes. Return
876 * number of bytes used/required on success.
877 * 872 *
878 * Security hooks for individual messages held in System V IPC message queues 873 * Security hooks for individual messages held in System V IPC message queues
879 * @msg_msg_alloc_security: 874 * @msg_msg_alloc_security:
@@ -1223,7 +1218,6 @@ struct security_operations {
1223 void (*task_to_inode)(struct task_struct *p, struct inode *inode); 1218 void (*task_to_inode)(struct task_struct *p, struct inode *inode);
1224 1219
1225 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); 1220 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
1226 int (*ipc_getsecurity)(struct kern_ipc_perm *ipcp, void *buffer, size_t size);
1227 1221
1228 int (*msg_msg_alloc_security) (struct msg_msg * msg); 1222 int (*msg_msg_alloc_security) (struct msg_msg * msg);
1229 void (*msg_msg_free_security) (struct msg_msg * msg); 1223 void (*msg_msg_free_security) (struct msg_msg * msg);
@@ -1887,11 +1881,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
1887 return security_ops->ipc_permission (ipcp, flag); 1881 return security_ops->ipc_permission (ipcp, flag);
1888} 1882}
1889 1883
1890static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
1891{
1892 return security_ops->ipc_getsecurity(ipcp, buffer, size);
1893}
1894
1895static inline int security_msg_msg_alloc (struct msg_msg * msg) 1884static inline int security_msg_msg_alloc (struct msg_msg * msg)
1896{ 1885{
1897 return security_ops->msg_msg_alloc_security (msg); 1886 return security_ops->msg_msg_alloc_security (msg);
@@ -2532,11 +2521,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
2532 return 0; 2521 return 0;
2533} 2522}
2534 2523
2535static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size)
2536{
2537 return -EOPNOTSUPP;
2538}
2539
2540static inline int security_msg_msg_alloc (struct msg_msg * msg) 2524static inline int security_msg_msg_alloc (struct msg_msg * msg)
2541{ 2525{
2542 return 0; 2526 return 0;
diff --git a/include/linux/selinux.h b/include/linux/selinux.h
new file mode 100644
index 000000000000..4047bcde4484
--- /dev/null
+++ b/include/linux/selinux.h
@@ -0,0 +1,177 @@
1/*
2 * SELinux services exported to the rest of the kernel.
3 *
4 * Author: James Morris <jmorris@redhat.com>
5 *
6 * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com>
7 * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com>
8 * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com>
9 *
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2,
12 * as published by the Free Software Foundation.
13 */
14#ifndef _LINUX_SELINUX_H
15#define _LINUX_SELINUX_H
16
17struct selinux_audit_rule;
18struct audit_context;
19struct inode;
20struct kern_ipc_perm;
21
22#ifdef CONFIG_SECURITY_SELINUX
23
24/**
25 * selinux_audit_rule_init - alloc/init an selinux audit rule structure.
26 * @field: the field this rule refers to
27 * @op: the operater the rule uses
28 * @rulestr: the text "target" of the rule
29 * @rule: pointer to the new rule structure returned via this
30 *
31 * Returns 0 if successful, -errno if not. On success, the rule structure
32 * will be allocated internally. The caller must free this structure with
33 * selinux_audit_rule_free() after use.
34 */
35int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
36 struct selinux_audit_rule **rule);
37
38/**
39 * selinux_audit_rule_free - free an selinux audit rule structure.
40 * @rule: pointer to the audit rule to be freed
41 *
42 * This will free all memory associated with the given rule.
43 * If @rule is NULL, no operation is performed.
44 */
45void selinux_audit_rule_free(struct selinux_audit_rule *rule);
46
47/**
48 * selinux_audit_rule_match - determine if a context ID matches a rule.
49 * @ctxid: the context ID to check
50 * @field: the field this rule refers to
51 * @op: the operater the rule uses
52 * @rule: pointer to the audit rule to check against
53 * @actx: the audit context (can be NULL) associated with the check
54 *
55 * Returns 1 if the context id matches the rule, 0 if it does not, and
56 * -errno on failure.
57 */
58int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
59 struct selinux_audit_rule *rule,
60 struct audit_context *actx);
61
62/**
63 * selinux_audit_set_callback - set the callback for policy reloads.
64 * @callback: the function to call when the policy is reloaded
65 *
66 * This sets the function callback function that will update the rules
67 * upon policy reloads. This callback should rebuild all existing rules
68 * using selinux_audit_rule_init().
69 */
70void selinux_audit_set_callback(int (*callback)(void));
71
72/**
73 * selinux_task_ctxid - determine a context ID for a process.
74 * @tsk: the task object
75 * @ctxid: ID value returned via this
76 *
77 * On return, ctxid will contain an ID for the context. This value
78 * should only be used opaquely.
79 */
80void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid);
81
82/**
83 * selinux_ctxid_to_string - map a security context ID to a string
84 * @ctxid: security context ID to be converted.
85 * @ctx: address of context string to be returned
86 * @ctxlen: length of returned context string.
87 *
88 * Returns 0 if successful, -errno if not. On success, the context
89 * string will be allocated internally, and the caller must call
90 * kfree() on it after use.
91 */
92int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen);
93
94/**
95 * selinux_get_inode_sid - get the inode's security context ID
96 * @inode: inode structure to get the sid from.
97 * @sid: pointer to security context ID to be filled in.
98 *
99 * Returns nothing
100 */
101void selinux_get_inode_sid(const struct inode *inode, u32 *sid);
102
103/**
104 * selinux_get_ipc_sid - get the ipc security context ID
105 * @ipcp: ipc structure to get the sid from.
106 * @sid: pointer to security context ID to be filled in.
107 *
108 * Returns nothing
109 */
110void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid);
111
112/**
113 * selinux_get_task_sid - return the SID of task
114 * @tsk: the task whose SID will be returned
115 * @sid: pointer to security context ID to be filled in.
116 *
117 * Returns nothing
118 */
119void selinux_get_task_sid(struct task_struct *tsk, u32 *sid);
120
121
122#else
123
124static inline int selinux_audit_rule_init(u32 field, u32 op,
125 char *rulestr,
126 struct selinux_audit_rule **rule)
127{
128 return -ENOTSUPP;
129}
130
131static inline void selinux_audit_rule_free(struct selinux_audit_rule *rule)
132{
133 return;
134}
135
136static inline int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op,
137 struct selinux_audit_rule *rule,
138 struct audit_context *actx)
139{
140 return 0;
141}
142
143static inline void selinux_audit_set_callback(int (*callback)(void))
144{
145 return;
146}
147
148static inline void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid)
149{
150 *ctxid = 0;
151}
152
153static inline int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen)
154{
155 *ctx = NULL;
156 *ctxlen = 0;
157 return 0;
158}
159
160static inline void selinux_get_inode_sid(const struct inode *inode, u32 *sid)
161{
162 *sid = 0;
163}
164
165static inline void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid)
166{
167 *sid = 0;
168}
169
170static inline void selinux_get_task_sid(struct task_struct *tsk, u32 *sid)
171{
172 *sid = 0;
173}
174
175#endif /* CONFIG_SECURITY_SELINUX */
176
177#endif /* _LINUX_SELINUX_H */