diff options
author | Linus Torvalds <torvalds@linux-foundation.org> | 2009-06-11 13:01:41 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-06-11 13:01:41 -0400 |
commit | 3296ca27f50ecbd71db1d808c7a72d311027f919 (patch) | |
tree | 833eaa58b2013bda86d4bd95faf6efad7a2d5ca4 /security/smack/smack.h | |
parent | e893123c7378192c094747dadec326b7c000c190 (diff) | |
parent | 73fbad283cfbbcf02939bdbda31fc4a30e729cca (diff) |
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6: (44 commits)
nommu: Provide mmap_min_addr definition.
TOMOYO: Add description of lists and structures.
TOMOYO: Remove unused field.
integrity: ima audit dentry_open failure
TOMOYO: Remove unused parameter.
security: use mmap_min_addr indepedently of security models
TOMOYO: Simplify policy reader.
TOMOYO: Remove redundant markers.
SELinux: define audit permissions for audit tree netlink messages
TOMOYO: Remove unused mutex.
tomoyo: avoid get+put of task_struct
smack: Remove redundant initialization.
integrity: nfsd imbalance bug fix
rootplug: Remove redundant initialization.
smack: do not beyond ARRAY_SIZE of data
integrity: move ima_counts_get
integrity: path_check update
IMA: Add __init notation to ima functions
IMA: Minimal IMA policy and boot param for TCB IMA policy
selinux: remove obsolete read buffer limit from sel_read_bool
...
Diffstat (limited to 'security/smack/smack.h')
-rw-r--r-- | security/smack/smack.h | 108 |
1 files changed, 106 insertions, 2 deletions
diff --git a/security/smack/smack.h b/security/smack/smack.h index 42ef313f9856..243bec175be0 100644 --- a/security/smack/smack.h +++ b/security/smack/smack.h | |||
@@ -20,6 +20,7 @@ | |||
20 | #include <net/netlabel.h> | 20 | #include <net/netlabel.h> |
21 | #include <linux/list.h> | 21 | #include <linux/list.h> |
22 | #include <linux/rculist.h> | 22 | #include <linux/rculist.h> |
23 | #include <linux/lsm_audit.h> | ||
23 | 24 | ||
24 | /* | 25 | /* |
25 | * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is | 26 | * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is |
@@ -179,6 +180,20 @@ struct smack_known { | |||
179 | #define MAY_NOT 0 | 180 | #define MAY_NOT 0 |
180 | 181 | ||
181 | /* | 182 | /* |
183 | * Number of access types used by Smack (rwxa) | ||
184 | */ | ||
185 | #define SMK_NUM_ACCESS_TYPE 4 | ||
186 | |||
187 | /* | ||
188 | * Smack audit data; is empty if CONFIG_AUDIT not set | ||
189 | * to save some stack | ||
190 | */ | ||
191 | struct smk_audit_info { | ||
192 | #ifdef CONFIG_AUDIT | ||
193 | struct common_audit_data a; | ||
194 | #endif | ||
195 | }; | ||
196 | /* | ||
182 | * These functions are in smack_lsm.c | 197 | * These functions are in smack_lsm.c |
183 | */ | 198 | */ |
184 | struct inode_smack *new_inode_smack(char *); | 199 | struct inode_smack *new_inode_smack(char *); |
@@ -186,8 +201,8 @@ struct inode_smack *new_inode_smack(char *); | |||
186 | /* | 201 | /* |
187 | * These functions are in smack_access.c | 202 | * These functions are in smack_access.c |
188 | */ | 203 | */ |
189 | int smk_access(char *, char *, int); | 204 | int smk_access(char *, char *, int, struct smk_audit_info *); |
190 | int smk_curacc(char *, u32); | 205 | int smk_curacc(char *, u32, struct smk_audit_info *); |
191 | int smack_to_cipso(const char *, struct smack_cipso *); | 206 | int smack_to_cipso(const char *, struct smack_cipso *); |
192 | void smack_from_cipso(u32, char *, char *); | 207 | void smack_from_cipso(u32, char *, char *); |
193 | char *smack_from_secid(const u32); | 208 | char *smack_from_secid(const u32); |
@@ -237,4 +252,93 @@ static inline char *smk_of_inode(const struct inode *isp) | |||
237 | return sip->smk_inode; | 252 | return sip->smk_inode; |
238 | } | 253 | } |
239 | 254 | ||
255 | /* | ||
256 | * logging functions | ||
257 | */ | ||
258 | #define SMACK_AUDIT_DENIED 0x1 | ||
259 | #define SMACK_AUDIT_ACCEPT 0x2 | ||
260 | extern int log_policy; | ||
261 | |||
262 | void smack_log(char *subject_label, char *object_label, | ||
263 | int request, | ||
264 | int result, struct smk_audit_info *auditdata); | ||
265 | |||
266 | #ifdef CONFIG_AUDIT | ||
267 | |||
268 | /* | ||
269 | * some inline functions to set up audit data | ||
270 | * they do nothing if CONFIG_AUDIT is not set | ||
271 | * | ||
272 | */ | ||
273 | static inline void smk_ad_init(struct smk_audit_info *a, const char *func, | ||
274 | char type) | ||
275 | { | ||
276 | memset(a, 0, sizeof(*a)); | ||
277 | a->a.type = type; | ||
278 | a->a.function = func; | ||
279 | } | ||
280 | |||
281 | static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a, | ||
282 | struct task_struct *t) | ||
283 | { | ||
284 | a->a.u.tsk = t; | ||
285 | } | ||
286 | static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a, | ||
287 | struct dentry *d) | ||
288 | { | ||
289 | a->a.u.fs.path.dentry = d; | ||
290 | } | ||
291 | static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a, | ||
292 | struct vfsmount *m) | ||
293 | { | ||
294 | a->a.u.fs.path.mnt = m; | ||
295 | } | ||
296 | static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a, | ||
297 | struct inode *i) | ||
298 | { | ||
299 | a->a.u.fs.inode = i; | ||
300 | } | ||
301 | static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a, | ||
302 | struct path p) | ||
303 | { | ||
304 | a->a.u.fs.path = p; | ||
305 | } | ||
306 | static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a, | ||
307 | struct sock *sk) | ||
308 | { | ||
309 | a->a.u.net.sk = sk; | ||
310 | } | ||
311 | |||
312 | #else /* no AUDIT */ | ||
313 | |||
314 | static inline void smk_ad_init(struct smk_audit_info *a, const char *func, | ||
315 | char type) | ||
316 | { | ||
317 | } | ||
318 | static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a, | ||
319 | struct task_struct *t) | ||
320 | { | ||
321 | } | ||
322 | static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a, | ||
323 | struct dentry *d) | ||
324 | { | ||
325 | } | ||
326 | static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a, | ||
327 | struct vfsmount *m) | ||
328 | { | ||
329 | } | ||
330 | static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a, | ||
331 | struct inode *i) | ||
332 | { | ||
333 | } | ||
334 | static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a, | ||
335 | struct path p) | ||
336 | { | ||
337 | } | ||
338 | static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a, | ||
339 | struct sock *sk) | ||
340 | { | ||
341 | } | ||
342 | #endif | ||
343 | |||
240 | #endif /* _SECURITY_SMACK_H */ | 344 | #endif /* _SECURITY_SMACK_H */ |