authorLinus Torvalds <torvalds@linux-foundation.org>2009-06-11 13:01:41 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2009-06-11 13:01:41 -0400
commit3296ca27f50ecbd71db1d808c7a72d311027f919 (patch)
tree833eaa58b2013bda86d4bd95faf6efad7a2d5ca4 /security/smack/smack.h
parente893123c7378192c094747dadec326b7c000c190 (diff)
parent73fbad283cfbbcf02939bdbda31fc4a30e729cca (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits) nommu: Provide mmap_min_addr definition. TOMOYO: Add description of lists and structures. TOMOYO: Remove unused field. integrity: ima audit dentry_open failure TOMOYO: Remove unused parameter. security: use mmap_min_addr indepedently of security models TOMOYO: Simplify policy reader. TOMOYO: Remove redundant markers. SELinux: define audit permissions for audit tree netlink messages TOMOYO: Remove unused mutex. tomoyo: avoid get+put of task_struct smack: Remove redundant initialization. integrity: nfsd imbalance bug fix rootplug: Remove redundant initialization. smack: do not beyond ARRAY_SIZE of data integrity: move ima_counts_get integrity: path_check update IMA: Add __init notation to ima functions IMA: Minimal IMA policy and boot param for TCB IMA policy selinux: remove obsolete read buffer limit from sel_read_bool ...
Diffstat (limited to 'security/smack/smack.h')
-rw-r--r--security/smack/smack.h108
1 files changed, 106 insertions, 2 deletions
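--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -20,6 +20,7 @@
 #include <net/netlabel.h>
 #include <linux/list.h>
 #include <linux/rculist.h>
+#include <linux/lsm_audit.h>
 
 /*
  * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is
@@ -179,6 +180,20 @@ struct smack_known {
 #define MAY_NOT 0
 
 /*
+ * Number of access types used by Smack (rwxa)
+ */
+#define SMK_NUM_ACCESS_TYPE 4
+
+/*
+ * Smack audit data; is empty if CONFIG_AUDIT not set
+ * to save some stack
+ */
+struct smk_audit_info {
+#ifdef CONFIG_AUDIT
+	struct common_audit_data a;
+#endif
+};
+/*
  * These functions are in smack_lsm.c
  */
 struct inode_smack *new_inode_smack(char *);
@@ -186,8 +201,8 @@ struct inode_smack *new_inode_smack(char *);
 /*
  * These functions are in smack_access.c
  */
-int smk_access(char *, char *, int);
-int smk_curacc(char *, u32);
+int smk_access(char *, char *, int, struct smk_audit_info *);
+int smk_curacc(char *, u32, struct smk_audit_info *);
 int smack_to_cipso(const char *, struct smack_cipso *);
 void smack_from_cipso(u32, char *, char *);
 char *smack_from_secid(const u32);
@@ -237,4 +252,93 @@ static inline char *smk_of_inode(const struct inode *isp)
 	return sip->smk_inode;
 }
 
+/*
+ * logging functions
+ */
+#define SMACK_AUDIT_DENIED 0x1
+#define SMACK_AUDIT_ACCEPT 0x2
+extern int log_policy;
+
+void smack_log(char *subject_label, char *object_label,
+		int request,
+		int result, struct smk_audit_info *auditdata);
+
+#ifdef CONFIG_AUDIT
+
+/*
+ * some inline functions to set up audit data
+ * they do nothing if CONFIG_AUDIT is not set
+ *
+ */
+static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
+			       char type)
+{
+	memset(a, 0, sizeof(*a));
+	a->a.type = type;
+	a->a.function = func;
+}
+
+static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
+					 struct task_struct *t)
+{
+	a->a.u.tsk = t;
+}
+static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
+						    struct dentry *d)
+{
+	a->a.u.fs.path.dentry = d;
+}
+static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
+						 struct vfsmount *m)
+{
+	a->a.u.fs.path.mnt = m;
+}
+static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
+					      struct inode *i)
+{
+	a->a.u.fs.inode = i;
+}
+static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
+					     struct path p)
+{
+	a->a.u.fs.path = p;
+}
+static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
+					    struct sock *sk)
+{
+	a->a.u.net.sk = sk;
+}
+
+#else /* no AUDIT */
+
+static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
+			       char type)
+{
+}
+static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
+					 struct task_struct *t)
+{
+}
+static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
+						    struct dentry *d)
+{
+}
+static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
+						 struct vfsmount *m)
+{
+}
+static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
+					      struct inode *i)
+{
+}
+static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
+					     struct path p)
+{
+}
+static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
+					    struct sock *sk)
+{
+}
+#endif
+
 #endif /* _SECURITY_SMACK_H */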
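Review bot: `smk_ad_init` at new line 276 calls `memset`, but none of the includes visible in this file's first hunk (`<net/netlabel.h>`, `<linux/list.h>`, `<linux/rculist.h>`, the new `<linux/lsm_audit.h>`) declares it; the header's earlier includes are outside the hunk, so it is probably pulled in transitively, but an explicit `#include <linux/string.h>` beside the new include would make smack.h self-contained. The new `smack_log` prototype and `extern int log_policy` (new lines 258–264) also carry no comment stating what `request` and `result` hold or how `log_policy` relates to `SMACK_AUDIT_DENIED`/`SMACK_AUDIT_ACCEPT`; from the names it looks like a mask selecting which access outcomes are recorded, but that needs confirming against the file where `smack_log` is defined, and a short block comment above the prototype would spare the next reader that trip. Finally, `smk_ad_setfield_u_fs_path` takes `struct path p` by value while every sibling setter takes a pointer; `const struct path *p` with `a->a.u.fs.path = *p;` would match them, though the copy is harmless.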