diff options
author | James Morris <jmorris@namei.org> | 2007-10-17 02:31:32 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-10-17 11:43:07 -0400 |
commit | 20510f2f4e2dabb0ff6c13901807627ec9452f98 (patch) | |
tree | d64b9eeb90d577f7f9688a215c4c6c3c2405188a /security | |
parent | 5c3b447457789374cdb7b03afe2540d48c649a36 (diff) |
security: Convert LSM into a static interface
Convert LSM into a static interface, as the ability to unload a security
module is not required by in-tree users and potentially complicates the
overall security architecture.
Needlessly exported LSM symbols have been unexported, to help reduce API
abuse.
Parameters for the capability and root_plug modules are now specified
at boot.
The SECURITY_FRAMEWORK_VERSION macro has also been removed.
In a nutshell, there is no safe way to unload an LSM. The modular interface
is thus unecessary and broken infrastructure. It is used only by out-of-tree
modules, which are often binary-only, illegal, abusive of the API and
dangerous, e.g. silently re-vectoring SELinux.
[akpm@linux-foundation.org: cleanups]
[akpm@linux-foundation.org: USB Kconfig fix]
[randy.dunlap@oracle.com: fix LSM kernel-doc]
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>
Acked-by: Arjan van de Ven <arjan@infradead.org>
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/Kconfig | 6 | ||||
-rw-r--r-- | security/capability.c | 24 | ||||
-rw-r--r-- | security/commoncap.c | 3 | ||||
-rw-r--r-- | security/dummy.c | 1 | ||||
-rw-r--r-- | security/root_plug.c | 31 | ||||
-rw-r--r-- | security/security.c | 964 | ||||
-rw-r--r-- | security/selinux/hooks.c | 2 | ||||
-rw-r--r-- | security/selinux/xfrm.c | 1 |
8 files changed, 961 insertions, 71 deletions
diff --git a/security/Kconfig b/security/Kconfig index 460e5c9cf496..a94ee94cf491 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
@@ -74,15 +74,15 @@ config SECURITY_NETWORK_XFRM | |||
74 | If you are unsure how to answer this question, answer N. | 74 | If you are unsure how to answer this question, answer N. |
75 | 75 | ||
76 | config SECURITY_CAPABILITIES | 76 | config SECURITY_CAPABILITIES |
77 | tristate "Default Linux Capabilities" | 77 | bool "Default Linux Capabilities" |
78 | depends on SECURITY | 78 | depends on SECURITY |
79 | help | 79 | help |
80 | This enables the "default" Linux capabilities functionality. | 80 | This enables the "default" Linux capabilities functionality. |
81 | If you are unsure how to answer this question, answer Y. | 81 | If you are unsure how to answer this question, answer Y. |
82 | 82 | ||
83 | config SECURITY_ROOTPLUG | 83 | config SECURITY_ROOTPLUG |
84 | tristate "Root Plug Support" | 84 | bool "Root Plug Support" |
85 | depends on USB && SECURITY | 85 | depends on USB=y && SECURITY |
86 | help | 86 | help |
87 | This is a sample LSM module that should only be used as such. | 87 | This is a sample LSM module that should only be used as such. |
88 | It prevents any programs running with egid == 0 if a specific | 88 | It prevents any programs running with egid == 0 if a specific |
diff --git a/security/capability.c b/security/capability.c index 38296a005465..fda6a14cb24d 100644 --- a/security/capability.c +++ b/security/capability.c | |||
@@ -8,7 +8,6 @@ | |||
8 | * | 8 | * |
9 | */ | 9 | */ |
10 | 10 | ||
11 | #include <linux/module.h> | ||
12 | #include <linux/init.h> | 11 | #include <linux/init.h> |
13 | #include <linux/kernel.h> | 12 | #include <linux/kernel.h> |
14 | #include <linux/security.h> | 13 | #include <linux/security.h> |
@@ -52,7 +51,6 @@ static int secondary; | |||
52 | 51 | ||
53 | static int capability_disable; | 52 | static int capability_disable; |
54 | module_param_named(disable, capability_disable, int, 0); | 53 | module_param_named(disable, capability_disable, int, 0); |
55 | MODULE_PARM_DESC(disable, "To disable capabilities module set disable = 1"); | ||
56 | 54 | ||
57 | static int __init capability_init (void) | 55 | static int __init capability_init (void) |
58 | { | 56 | { |
@@ -75,26 +73,4 @@ static int __init capability_init (void) | |||
75 | return 0; | 73 | return 0; |
76 | } | 74 | } |
77 | 75 | ||
78 | static void __exit capability_exit (void) | ||
79 | { | ||
80 | if (capability_disable) | ||
81 | return; | ||
82 | /* remove ourselves from the security framework */ | ||
83 | if (secondary) { | ||
84 | if (mod_unreg_security (KBUILD_MODNAME, &capability_ops)) | ||
85 | printk (KERN_INFO "Failure unregistering capabilities " | ||
86 | "with primary module.\n"); | ||
87 | return; | ||
88 | } | ||
89 | |||
90 | if (unregister_security (&capability_ops)) { | ||
91 | printk (KERN_INFO | ||
92 | "Failure unregistering capabilities with the kernel\n"); | ||
93 | } | ||
94 | } | ||
95 | |||
96 | security_initcall (capability_init); | 76 | security_initcall (capability_init); |
97 | module_exit (capability_exit); | ||
98 | |||
99 | MODULE_DESCRIPTION("Standard Linux Capabilities Security Module"); | ||
100 | MODULE_LICENSE("GPL"); | ||
diff --git a/security/commoncap.c b/security/commoncap.c index 7520361663e8..0f8a2ce3f3a6 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -339,6 +339,3 @@ EXPORT_SYMBOL(cap_task_post_setuid); | |||
339 | EXPORT_SYMBOL(cap_task_reparent_to_init); | 339 | EXPORT_SYMBOL(cap_task_reparent_to_init); |
340 | EXPORT_SYMBOL(cap_syslog); | 340 | EXPORT_SYMBOL(cap_syslog); |
341 | EXPORT_SYMBOL(cap_vm_enough_memory); | 341 | EXPORT_SYMBOL(cap_vm_enough_memory); |
342 | |||
343 | MODULE_DESCRIPTION("Standard Linux Common Capabilities Security Module"); | ||
344 | MODULE_LICENSE("GPL"); | ||
diff --git a/security/dummy.c b/security/dummy.c index 64b647a0d9a6..4129dcf3daec 100644 --- a/security/dummy.c +++ b/security/dummy.c | |||
@@ -15,7 +15,6 @@ | |||
15 | #undef DEBUG | 15 | #undef DEBUG |
16 | 16 | ||
17 | #include <linux/capability.h> | 17 | #include <linux/capability.h> |
18 | #include <linux/module.h> | ||
19 | #include <linux/kernel.h> | 18 | #include <linux/kernel.h> |
20 | #include <linux/mman.h> | 19 | #include <linux/mman.h> |
21 | #include <linux/pagemap.h> | 20 | #include <linux/pagemap.h> |
diff --git a/security/root_plug.c b/security/root_plug.c index 38dd4f3e641f..870f13095bb6 100644 --- a/security/root_plug.c +++ b/security/root_plug.c | |||
@@ -22,11 +22,11 @@ | |||
22 | * License. | 22 | * License. |
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include <linux/module.h> | ||
26 | #include <linux/kernel.h> | 25 | #include <linux/kernel.h> |
27 | #include <linux/init.h> | 26 | #include <linux/init.h> |
28 | #include <linux/security.h> | 27 | #include <linux/security.h> |
29 | #include <linux/usb.h> | 28 | #include <linux/usb.h> |
29 | #include <linux/moduleparam.h> | ||
30 | 30 | ||
31 | /* flag to keep track of how we were registered */ | 31 | /* flag to keep track of how we were registered */ |
32 | static int secondary; | 32 | static int secondary; |
@@ -36,22 +36,14 @@ static int vendor_id = 0x0557; | |||
36 | static int product_id = 0x2008; | 36 | static int product_id = 0x2008; |
37 | 37 | ||
38 | module_param(vendor_id, uint, 0400); | 38 | module_param(vendor_id, uint, 0400); |
39 | MODULE_PARM_DESC(vendor_id, "USB Vendor ID of device to look for"); | ||
40 | |||
41 | module_param(product_id, uint, 0400); | 39 | module_param(product_id, uint, 0400); |
42 | MODULE_PARM_DESC(product_id, "USB Product ID of device to look for"); | ||
43 | 40 | ||
44 | /* should we print out debug messages */ | 41 | /* should we print out debug messages */ |
45 | static int debug = 0; | 42 | static int debug = 0; |
46 | 43 | ||
47 | module_param(debug, bool, 0600); | 44 | module_param(debug, bool, 0600); |
48 | MODULE_PARM_DESC(debug, "Debug enabled or not"); | ||
49 | 45 | ||
50 | #if defined(CONFIG_SECURITY_ROOTPLUG_MODULE) | ||
51 | #define MY_NAME THIS_MODULE->name | ||
52 | #else | ||
53 | #define MY_NAME "root_plug" | 46 | #define MY_NAME "root_plug" |
54 | #endif | ||
55 | 47 | ||
56 | #define root_dbg(fmt, arg...) \ | 48 | #define root_dbg(fmt, arg...) \ |
57 | do { \ | 49 | do { \ |
@@ -117,25 +109,4 @@ static int __init rootplug_init (void) | |||
117 | return 0; | 109 | return 0; |
118 | } | 110 | } |
119 | 111 | ||
120 | static void __exit rootplug_exit (void) | ||
121 | { | ||
122 | /* remove ourselves from the security framework */ | ||
123 | if (secondary) { | ||
124 | if (mod_unreg_security (MY_NAME, &rootplug_security_ops)) | ||
125 | printk (KERN_INFO "Failure unregistering Root Plug " | ||
126 | " module with primary module.\n"); | ||
127 | } else { | ||
128 | if (unregister_security (&rootplug_security_ops)) { | ||
129 | printk (KERN_INFO "Failure unregistering Root Plug " | ||
130 | "module with the kernel\n"); | ||
131 | } | ||
132 | } | ||
133 | printk (KERN_INFO "Root Plug module removed\n"); | ||
134 | } | ||
135 | |||
136 | security_initcall (rootplug_init); | 112 | security_initcall (rootplug_init); |
137 | module_exit (rootplug_exit); | ||
138 | |||
139 | MODULE_DESCRIPTION("Root Plug sample LSM module, written for Linux Journal article"); | ||
140 | MODULE_LICENSE("GPL"); | ||
141 | |||
diff --git a/security/security.c b/security/security.c index 27e5863d30f1..5b1c034815a8 100644 --- a/security/security.c +++ b/security/security.c | |||
@@ -17,7 +17,6 @@ | |||
17 | #include <linux/kernel.h> | 17 | #include <linux/kernel.h> |
18 | #include <linux/security.h> | 18 | #include <linux/security.h> |
19 | 19 | ||
20 | #define SECURITY_FRAMEWORK_VERSION "1.0.0" | ||
21 | 20 | ||
22 | /* things that live in dummy.c */ | 21 | /* things that live in dummy.c */ |
23 | extern struct security_operations dummy_security_ops; | 22 | extern struct security_operations dummy_security_ops; |
@@ -52,8 +51,7 @@ static void __init do_security_initcalls(void) | |||
52 | */ | 51 | */ |
53 | int __init security_init(void) | 52 | int __init security_init(void) |
54 | { | 53 | { |
55 | printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION | 54 | printk(KERN_INFO "Security Framework initialized\n"); |
56 | " initialized\n"); | ||
57 | 55 | ||
58 | if (verify(&dummy_security_ops)) { | 56 | if (verify(&dummy_security_ops)) { |
59 | printk(KERN_ERR "%s could not verify " | 57 | printk(KERN_ERR "%s could not verify " |
@@ -173,8 +171,958 @@ int mod_unreg_security(const char *name, struct security_operations *ops) | |||
173 | return security_ops->unregister_security(name, ops); | 171 | return security_ops->unregister_security(name, ops); |
174 | } | 172 | } |
175 | 173 | ||
176 | EXPORT_SYMBOL_GPL(register_security); | 174 | /* Security operations */ |
177 | EXPORT_SYMBOL_GPL(unregister_security); | 175 | |
178 | EXPORT_SYMBOL_GPL(mod_reg_security); | 176 | int security_ptrace(struct task_struct *parent, struct task_struct *child) |
179 | EXPORT_SYMBOL_GPL(mod_unreg_security); | 177 | { |
180 | EXPORT_SYMBOL(security_ops); | 178 | return security_ops->ptrace(parent, child); |
179 | } | ||
180 | |||
181 | int security_capget(struct task_struct *target, | ||
182 | kernel_cap_t *effective, | ||
183 | kernel_cap_t *inheritable, | ||
184 | kernel_cap_t *permitted) | ||
185 | { | ||
186 | return security_ops->capget(target, effective, inheritable, permitted); | ||
187 | } | ||
188 | |||
189 | int security_capset_check(struct task_struct *target, | ||
190 | kernel_cap_t *effective, | ||
191 | kernel_cap_t *inheritable, | ||
192 | kernel_cap_t *permitted) | ||
193 | { | ||
194 | return security_ops->capset_check(target, effective, inheritable, permitted); | ||
195 | } | ||
196 | |||
197 | void security_capset_set(struct task_struct *target, | ||
198 | kernel_cap_t *effective, | ||
199 | kernel_cap_t *inheritable, | ||
200 | kernel_cap_t *permitted) | ||
201 | { | ||
202 | security_ops->capset_set(target, effective, inheritable, permitted); | ||
203 | } | ||
204 | |||
205 | int security_capable(struct task_struct *tsk, int cap) | ||
206 | { | ||
207 | return security_ops->capable(tsk, cap); | ||
208 | } | ||
209 | |||
210 | int security_acct(struct file *file) | ||
211 | { | ||
212 | return security_ops->acct(file); | ||
213 | } | ||
214 | |||
215 | int security_sysctl(struct ctl_table *table, int op) | ||
216 | { | ||
217 | return security_ops->sysctl(table, op); | ||
218 | } | ||
219 | |||
220 | int security_quotactl(int cmds, int type, int id, struct super_block *sb) | ||
221 | { | ||
222 | return security_ops->quotactl(cmds, type, id, sb); | ||
223 | } | ||
224 | |||
225 | int security_quota_on(struct dentry *dentry) | ||
226 | { | ||
227 | return security_ops->quota_on(dentry); | ||
228 | } | ||
229 | |||
230 | int security_syslog(int type) | ||
231 | { | ||
232 | return security_ops->syslog(type); | ||
233 | } | ||
234 | |||
235 | int security_settime(struct timespec *ts, struct timezone *tz) | ||
236 | { | ||
237 | return security_ops->settime(ts, tz); | ||
238 | } | ||
239 | |||
240 | int security_vm_enough_memory(long pages) | ||
241 | { | ||
242 | return security_ops->vm_enough_memory(current->mm, pages); | ||
243 | } | ||
244 | |||
245 | int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) | ||
246 | { | ||
247 | return security_ops->vm_enough_memory(mm, pages); | ||
248 | } | ||
249 | |||
250 | int security_bprm_alloc(struct linux_binprm *bprm) | ||
251 | { | ||
252 | return security_ops->bprm_alloc_security(bprm); | ||
253 | } | ||
254 | |||
255 | void security_bprm_free(struct linux_binprm *bprm) | ||
256 | { | ||
257 | security_ops->bprm_free_security(bprm); | ||
258 | } | ||
259 | |||
260 | void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe) | ||
261 | { | ||
262 | security_ops->bprm_apply_creds(bprm, unsafe); | ||
263 | } | ||
264 | |||
265 | void security_bprm_post_apply_creds(struct linux_binprm *bprm) | ||
266 | { | ||
267 | security_ops->bprm_post_apply_creds(bprm); | ||
268 | } | ||
269 | |||
270 | int security_bprm_set(struct linux_binprm *bprm) | ||
271 | { | ||
272 | return security_ops->bprm_set_security(bprm); | ||
273 | } | ||
274 | |||
275 | int security_bprm_check(struct linux_binprm *bprm) | ||
276 | { | ||
277 | return security_ops->bprm_check_security(bprm); | ||
278 | } | ||
279 | |||
280 | int security_bprm_secureexec(struct linux_binprm *bprm) | ||
281 | { | ||
282 | return security_ops->bprm_secureexec(bprm); | ||
283 | } | ||
284 | |||
285 | int security_sb_alloc(struct super_block *sb) | ||
286 | { | ||
287 | return security_ops->sb_alloc_security(sb); | ||
288 | } | ||
289 | |||
290 | void security_sb_free(struct super_block *sb) | ||
291 | { | ||
292 | security_ops->sb_free_security(sb); | ||
293 | } | ||
294 | |||
295 | int security_sb_copy_data(struct file_system_type *type, void *orig, void *copy) | ||
296 | { | ||
297 | return security_ops->sb_copy_data(type, orig, copy); | ||
298 | } | ||
299 | |||
300 | int security_sb_kern_mount(struct super_block *sb, void *data) | ||
301 | { | ||
302 | return security_ops->sb_kern_mount(sb, data); | ||
303 | } | ||
304 | |||
305 | int security_sb_statfs(struct dentry *dentry) | ||
306 | { | ||
307 | return security_ops->sb_statfs(dentry); | ||
308 | } | ||
309 | |||
310 | int security_sb_mount(char *dev_name, struct nameidata *nd, | ||
311 | char *type, unsigned long flags, void *data) | ||
312 | { | ||
313 | return security_ops->sb_mount(dev_name, nd, type, flags, data); | ||
314 | } | ||
315 | |||
316 | int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd) | ||
317 | { | ||
318 | return security_ops->sb_check_sb(mnt, nd); | ||
319 | } | ||
320 | |||
321 | int security_sb_umount(struct vfsmount *mnt, int flags) | ||
322 | { | ||
323 | return security_ops->sb_umount(mnt, flags); | ||
324 | } | ||
325 | |||
326 | void security_sb_umount_close(struct vfsmount *mnt) | ||
327 | { | ||
328 | security_ops->sb_umount_close(mnt); | ||
329 | } | ||
330 | |||
331 | void security_sb_umount_busy(struct vfsmount *mnt) | ||
332 | { | ||
333 | security_ops->sb_umount_busy(mnt); | ||
334 | } | ||
335 | |||
336 | void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data) | ||
337 | { | ||
338 | security_ops->sb_post_remount(mnt, flags, data); | ||
339 | } | ||
340 | |||
341 | void security_sb_post_mountroot(void) | ||
342 | { | ||
343 | security_ops->sb_post_mountroot(); | ||
344 | } | ||
345 | |||
346 | void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd) | ||
347 | { | ||
348 | security_ops->sb_post_addmount(mnt, mountpoint_nd); | ||
349 | } | ||
350 | |||
351 | int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) | ||
352 | { | ||
353 | return security_ops->sb_pivotroot(old_nd, new_nd); | ||
354 | } | ||
355 | |||
356 | void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) | ||
357 | { | ||
358 | security_ops->sb_post_pivotroot(old_nd, new_nd); | ||
359 | } | ||
360 | |||
361 | int security_inode_alloc(struct inode *inode) | ||
362 | { | ||
363 | inode->i_security = NULL; | ||
364 | return security_ops->inode_alloc_security(inode); | ||
365 | } | ||
366 | |||
367 | void security_inode_free(struct inode *inode) | ||
368 | { | ||
369 | security_ops->inode_free_security(inode); | ||
370 | } | ||
371 | |||
372 | int security_inode_init_security(struct inode *inode, struct inode *dir, | ||
373 | char **name, void **value, size_t *len) | ||
374 | { | ||
375 | if (unlikely(IS_PRIVATE(inode))) | ||
376 | return -EOPNOTSUPP; | ||
377 | return security_ops->inode_init_security(inode, dir, name, value, len); | ||
378 | } | ||
379 | EXPORT_SYMBOL(security_inode_init_security); | ||
380 | |||
381 | int security_inode_create(struct inode *dir, struct dentry *dentry, int mode) | ||
382 | { | ||
383 | if (unlikely(IS_PRIVATE(dir))) | ||
384 | return 0; | ||
385 | return security_ops->inode_create(dir, dentry, mode); | ||
386 | } | ||
387 | |||
388 | int security_inode_link(struct dentry *old_dentry, struct inode *dir, | ||
389 | struct dentry *new_dentry) | ||
390 | { | ||
391 | if (unlikely(IS_PRIVATE(old_dentry->d_inode))) | ||
392 | return 0; | ||
393 | return security_ops->inode_link(old_dentry, dir, new_dentry); | ||
394 | } | ||
395 | |||
396 | int security_inode_unlink(struct inode *dir, struct dentry *dentry) | ||
397 | { | ||
398 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
399 | return 0; | ||
400 | return security_ops->inode_unlink(dir, dentry); | ||
401 | } | ||
402 | |||
403 | int security_inode_symlink(struct inode *dir, struct dentry *dentry, | ||
404 | const char *old_name) | ||
405 | { | ||
406 | if (unlikely(IS_PRIVATE(dir))) | ||
407 | return 0; | ||
408 | return security_ops->inode_symlink(dir, dentry, old_name); | ||
409 | } | ||
410 | |||
411 | int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode) | ||
412 | { | ||
413 | if (unlikely(IS_PRIVATE(dir))) | ||
414 | return 0; | ||
415 | return security_ops->inode_mkdir(dir, dentry, mode); | ||
416 | } | ||
417 | |||
418 | int security_inode_rmdir(struct inode *dir, struct dentry *dentry) | ||
419 | { | ||
420 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
421 | return 0; | ||
422 | return security_ops->inode_rmdir(dir, dentry); | ||
423 | } | ||
424 | |||
425 | int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev) | ||
426 | { | ||
427 | if (unlikely(IS_PRIVATE(dir))) | ||
428 | return 0; | ||
429 | return security_ops->inode_mknod(dir, dentry, mode, dev); | ||
430 | } | ||
431 | |||
432 | int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry, | ||
433 | struct inode *new_dir, struct dentry *new_dentry) | ||
434 | { | ||
435 | if (unlikely(IS_PRIVATE(old_dentry->d_inode) || | ||
436 | (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode)))) | ||
437 | return 0; | ||
438 | return security_ops->inode_rename(old_dir, old_dentry, | ||
439 | new_dir, new_dentry); | ||
440 | } | ||
441 | |||
442 | int security_inode_readlink(struct dentry *dentry) | ||
443 | { | ||
444 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
445 | return 0; | ||
446 | return security_ops->inode_readlink(dentry); | ||
447 | } | ||
448 | |||
449 | int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd) | ||
450 | { | ||
451 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
452 | return 0; | ||
453 | return security_ops->inode_follow_link(dentry, nd); | ||
454 | } | ||
455 | |||
456 | int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd) | ||
457 | { | ||
458 | if (unlikely(IS_PRIVATE(inode))) | ||
459 | return 0; | ||
460 | return security_ops->inode_permission(inode, mask, nd); | ||
461 | } | ||
462 | |||
463 | int security_inode_setattr(struct dentry *dentry, struct iattr *attr) | ||
464 | { | ||
465 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
466 | return 0; | ||
467 | return security_ops->inode_setattr(dentry, attr); | ||
468 | } | ||
469 | |||
470 | int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | ||
471 | { | ||
472 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
473 | return 0; | ||
474 | return security_ops->inode_getattr(mnt, dentry); | ||
475 | } | ||
476 | |||
477 | void security_inode_delete(struct inode *inode) | ||
478 | { | ||
479 | if (unlikely(IS_PRIVATE(inode))) | ||
480 | return; | ||
481 | security_ops->inode_delete(inode); | ||
482 | } | ||
483 | |||
484 | int security_inode_setxattr(struct dentry *dentry, char *name, | ||
485 | void *value, size_t size, int flags) | ||
486 | { | ||
487 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
488 | return 0; | ||
489 | return security_ops->inode_setxattr(dentry, name, value, size, flags); | ||
490 | } | ||
491 | |||
492 | void security_inode_post_setxattr(struct dentry *dentry, char *name, | ||
493 | void *value, size_t size, int flags) | ||
494 | { | ||
495 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
496 | return; | ||
497 | security_ops->inode_post_setxattr(dentry, name, value, size, flags); | ||
498 | } | ||
499 | |||
500 | int security_inode_getxattr(struct dentry *dentry, char *name) | ||
501 | { | ||
502 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
503 | return 0; | ||
504 | return security_ops->inode_getxattr(dentry, name); | ||
505 | } | ||
506 | |||
507 | int security_inode_listxattr(struct dentry *dentry) | ||
508 | { | ||
509 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
510 | return 0; | ||
511 | return security_ops->inode_listxattr(dentry); | ||
512 | } | ||
513 | |||
514 | int security_inode_removexattr(struct dentry *dentry, char *name) | ||
515 | { | ||
516 | if (unlikely(IS_PRIVATE(dentry->d_inode))) | ||
517 | return 0; | ||
518 | return security_ops->inode_removexattr(dentry, name); | ||
519 | } | ||
520 | |||
521 | const char *security_inode_xattr_getsuffix(void) | ||
522 | { | ||
523 | return security_ops->inode_xattr_getsuffix(); | ||
524 | } | ||
525 | |||
526 | int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) | ||
527 | { | ||
528 | if (unlikely(IS_PRIVATE(inode))) | ||
529 | return 0; | ||
530 | return security_ops->inode_getsecurity(inode, name, buffer, size, err); | ||
531 | } | ||
532 | |||
533 | int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) | ||
534 | { | ||
535 | if (unlikely(IS_PRIVATE(inode))) | ||
536 | return 0; | ||
537 | return security_ops->inode_setsecurity(inode, name, value, size, flags); | ||
538 | } | ||
539 | |||
540 | int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) | ||
541 | { | ||
542 | if (unlikely(IS_PRIVATE(inode))) | ||
543 | return 0; | ||
544 | return security_ops->inode_listsecurity(inode, buffer, buffer_size); | ||
545 | } | ||
546 | |||
547 | int security_file_permission(struct file *file, int mask) | ||
548 | { | ||
549 | return security_ops->file_permission(file, mask); | ||
550 | } | ||
551 | |||
552 | int security_file_alloc(struct file *file) | ||
553 | { | ||
554 | return security_ops->file_alloc_security(file); | ||
555 | } | ||
556 | |||
557 | void security_file_free(struct file *file) | ||
558 | { | ||
559 | security_ops->file_free_security(file); | ||
560 | } | ||
561 | |||
562 | int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) | ||
563 | { | ||
564 | return security_ops->file_ioctl(file, cmd, arg); | ||
565 | } | ||
566 | |||
567 | int security_file_mmap(struct file *file, unsigned long reqprot, | ||
568 | unsigned long prot, unsigned long flags, | ||
569 | unsigned long addr, unsigned long addr_only) | ||
570 | { | ||
571 | return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only); | ||
572 | } | ||
573 | |||
574 | int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, | ||
575 | unsigned long prot) | ||
576 | { | ||
577 | return security_ops->file_mprotect(vma, reqprot, prot); | ||
578 | } | ||
579 | |||
580 | int security_file_lock(struct file *file, unsigned int cmd) | ||
581 | { | ||
582 | return security_ops->file_lock(file, cmd); | ||
583 | } | ||
584 | |||
585 | int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg) | ||
586 | { | ||
587 | return security_ops->file_fcntl(file, cmd, arg); | ||
588 | } | ||
589 | |||
590 | int security_file_set_fowner(struct file *file) | ||
591 | { | ||
592 | return security_ops->file_set_fowner(file); | ||
593 | } | ||
594 | |||
595 | int security_file_send_sigiotask(struct task_struct *tsk, | ||
596 | struct fown_struct *fown, int sig) | ||
597 | { | ||
598 | return security_ops->file_send_sigiotask(tsk, fown, sig); | ||
599 | } | ||
600 | |||
601 | int security_file_receive(struct file *file) | ||
602 | { | ||
603 | return security_ops->file_receive(file); | ||
604 | } | ||
605 | |||
606 | int security_dentry_open(struct file *file) | ||
607 | { | ||
608 | return security_ops->dentry_open(file); | ||
609 | } | ||
610 | |||
611 | int security_task_create(unsigned long clone_flags) | ||
612 | { | ||
613 | return security_ops->task_create(clone_flags); | ||
614 | } | ||
615 | |||
616 | int security_task_alloc(struct task_struct *p) | ||
617 | { | ||
618 | return security_ops->task_alloc_security(p); | ||
619 | } | ||
620 | |||
621 | void security_task_free(struct task_struct *p) | ||
622 | { | ||
623 | security_ops->task_free_security(p); | ||
624 | } | ||
625 | |||
626 | int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | ||
627 | { | ||
628 | return security_ops->task_setuid(id0, id1, id2, flags); | ||
629 | } | ||
630 | |||
631 | int security_task_post_setuid(uid_t old_ruid, uid_t old_euid, | ||
632 | uid_t old_suid, int flags) | ||
633 | { | ||
634 | return security_ops->task_post_setuid(old_ruid, old_euid, old_suid, flags); | ||
635 | } | ||
636 | |||
637 | int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) | ||
638 | { | ||
639 | return security_ops->task_setgid(id0, id1, id2, flags); | ||
640 | } | ||
641 | |||
642 | int security_task_setpgid(struct task_struct *p, pid_t pgid) | ||
643 | { | ||
644 | return security_ops->task_setpgid(p, pgid); | ||
645 | } | ||
646 | |||
647 | int security_task_getpgid(struct task_struct *p) | ||
648 | { | ||
649 | return security_ops->task_getpgid(p); | ||
650 | } | ||
651 | |||
652 | int security_task_getsid(struct task_struct *p) | ||
653 | { | ||
654 | return security_ops->task_getsid(p); | ||
655 | } | ||
656 | |||
657 | void security_task_getsecid(struct task_struct *p, u32 *secid) | ||
658 | { | ||
659 | security_ops->task_getsecid(p, secid); | ||
660 | } | ||
661 | EXPORT_SYMBOL(security_task_getsecid); | ||
662 | |||
663 | int security_task_setgroups(struct group_info *group_info) | ||
664 | { | ||
665 | return security_ops->task_setgroups(group_info); | ||
666 | } | ||
667 | |||
668 | int security_task_setnice(struct task_struct *p, int nice) | ||
669 | { | ||
670 | return security_ops->task_setnice(p, nice); | ||
671 | } | ||
672 | |||
673 | int security_task_setioprio(struct task_struct *p, int ioprio) | ||
674 | { | ||
675 | return security_ops->task_setioprio(p, ioprio); | ||
676 | } | ||
677 | |||
678 | int security_task_getioprio(struct task_struct *p) | ||
679 | { | ||
680 | return security_ops->task_getioprio(p); | ||
681 | } | ||
682 | |||
683 | int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) | ||
684 | { | ||
685 | return security_ops->task_setrlimit(resource, new_rlim); | ||
686 | } | ||
687 | |||
688 | int security_task_setscheduler(struct task_struct *p, | ||
689 | int policy, struct sched_param *lp) | ||
690 | { | ||
691 | return security_ops->task_setscheduler(p, policy, lp); | ||
692 | } | ||
693 | |||
694 | int security_task_getscheduler(struct task_struct *p) | ||
695 | { | ||
696 | return security_ops->task_getscheduler(p); | ||
697 | } | ||
698 | |||
699 | int security_task_movememory(struct task_struct *p) | ||
700 | { | ||
701 | return security_ops->task_movememory(p); | ||
702 | } | ||
703 | |||
704 | int security_task_kill(struct task_struct *p, struct siginfo *info, | ||
705 | int sig, u32 secid) | ||
706 | { | ||
707 | return security_ops->task_kill(p, info, sig, secid); | ||
708 | } | ||
709 | |||
710 | int security_task_wait(struct task_struct *p) | ||
711 | { | ||
712 | return security_ops->task_wait(p); | ||
713 | } | ||
714 | |||
715 | int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, | ||
716 | unsigned long arg4, unsigned long arg5) | ||
717 | { | ||
718 | return security_ops->task_prctl(option, arg2, arg3, arg4, arg5); | ||
719 | } | ||
720 | |||
721 | void security_task_reparent_to_init(struct task_struct *p) | ||
722 | { | ||
723 | security_ops->task_reparent_to_init(p); | ||
724 | } | ||
725 | |||
726 | void security_task_to_inode(struct task_struct *p, struct inode *inode) | ||
727 | { | ||
728 | security_ops->task_to_inode(p, inode); | ||
729 | } | ||
730 | |||
731 | int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) | ||
732 | { | ||
733 | return security_ops->ipc_permission(ipcp, flag); | ||
734 | } | ||
735 | |||
736 | int security_msg_msg_alloc(struct msg_msg *msg) | ||
737 | { | ||
738 | return security_ops->msg_msg_alloc_security(msg); | ||
739 | } | ||
740 | |||
741 | void security_msg_msg_free(struct msg_msg *msg) | ||
742 | { | ||
743 | security_ops->msg_msg_free_security(msg); | ||
744 | } | ||
745 | |||
746 | int security_msg_queue_alloc(struct msg_queue *msq) | ||
747 | { | ||
748 | return security_ops->msg_queue_alloc_security(msq); | ||
749 | } | ||
750 | |||
751 | void security_msg_queue_free(struct msg_queue *msq) | ||
752 | { | ||
753 | security_ops->msg_queue_free_security(msq); | ||
754 | } | ||
755 | |||
756 | int security_msg_queue_associate(struct msg_queue *msq, int msqflg) | ||
757 | { | ||
758 | return security_ops->msg_queue_associate(msq, msqflg); | ||
759 | } | ||
760 | |||
761 | int security_msg_queue_msgctl(struct msg_queue *msq, int cmd) | ||
762 | { | ||
763 | return security_ops->msg_queue_msgctl(msq, cmd); | ||
764 | } | ||
765 | |||
766 | int security_msg_queue_msgsnd(struct msg_queue *msq, | ||
767 | struct msg_msg *msg, int msqflg) | ||
768 | { | ||
769 | return security_ops->msg_queue_msgsnd(msq, msg, msqflg); | ||
770 | } | ||
771 | |||
772 | int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | ||
773 | struct task_struct *target, long type, int mode) | ||
774 | { | ||
775 | return security_ops->msg_queue_msgrcv(msq, msg, target, type, mode); | ||
776 | } | ||
777 | |||
778 | int security_shm_alloc(struct shmid_kernel *shp) | ||
779 | { | ||
780 | return security_ops->shm_alloc_security(shp); | ||
781 | } | ||
782 | |||
783 | void security_shm_free(struct shmid_kernel *shp) | ||
784 | { | ||
785 | security_ops->shm_free_security(shp); | ||
786 | } | ||
787 | |||
788 | int security_shm_associate(struct shmid_kernel *shp, int shmflg) | ||
789 | { | ||
790 | return security_ops->shm_associate(shp, shmflg); | ||
791 | } | ||
792 | |||
793 | int security_shm_shmctl(struct shmid_kernel *shp, int cmd) | ||
794 | { | ||
795 | return security_ops->shm_shmctl(shp, cmd); | ||
796 | } | ||
797 | |||
798 | int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg) | ||
799 | { | ||
800 | return security_ops->shm_shmat(shp, shmaddr, shmflg); | ||
801 | } | ||
802 | |||
803 | int security_sem_alloc(struct sem_array *sma) | ||
804 | { | ||
805 | return security_ops->sem_alloc_security(sma); | ||
806 | } | ||
807 | |||
808 | void security_sem_free(struct sem_array *sma) | ||
809 | { | ||
810 | security_ops->sem_free_security(sma); | ||
811 | } | ||
812 | |||
813 | int security_sem_associate(struct sem_array *sma, int semflg) | ||
814 | { | ||
815 | return security_ops->sem_associate(sma, semflg); | ||
816 | } | ||
817 | |||
818 | int security_sem_semctl(struct sem_array *sma, int cmd) | ||
819 | { | ||
820 | return security_ops->sem_semctl(sma, cmd); | ||
821 | } | ||
822 | |||
823 | int security_sem_semop(struct sem_array *sma, struct sembuf *sops, | ||
824 | unsigned nsops, int alter) | ||
825 | { | ||
826 | return security_ops->sem_semop(sma, sops, nsops, alter); | ||
827 | } | ||
828 | |||
829 | void security_d_instantiate(struct dentry *dentry, struct inode *inode) | ||
830 | { | ||
831 | if (unlikely(inode && IS_PRIVATE(inode))) | ||
832 | return; | ||
833 | security_ops->d_instantiate(dentry, inode); | ||
834 | } | ||
835 | EXPORT_SYMBOL(security_d_instantiate); | ||
836 | |||
837 | int security_getprocattr(struct task_struct *p, char *name, char **value) | ||
838 | { | ||
839 | return security_ops->getprocattr(p, name, value); | ||
840 | } | ||
841 | |||
842 | int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) | ||
843 | { | ||
844 | return security_ops->setprocattr(p, name, value, size); | ||
845 | } | ||
846 | |||
847 | int security_netlink_send(struct sock *sk, struct sk_buff *skb) | ||
848 | { | ||
849 | return security_ops->netlink_send(sk, skb); | ||
850 | } | ||
851 | EXPORT_SYMBOL(security_netlink_send); | ||
852 | |||
853 | int security_netlink_recv(struct sk_buff *skb, int cap) | ||
854 | { | ||
855 | return security_ops->netlink_recv(skb, cap); | ||
856 | } | ||
857 | EXPORT_SYMBOL(security_netlink_recv); | ||
858 | |||
859 | int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) | ||
860 | { | ||
861 | return security_ops->secid_to_secctx(secid, secdata, seclen); | ||
862 | } | ||
863 | EXPORT_SYMBOL(security_secid_to_secctx); | ||
864 | |||
865 | void security_release_secctx(char *secdata, u32 seclen) | ||
866 | { | ||
867 | return security_ops->release_secctx(secdata, seclen); | ||
868 | } | ||
869 | EXPORT_SYMBOL(security_release_secctx); | ||
870 | |||
871 | #ifdef CONFIG_SECURITY_NETWORK | ||
872 | |||
873 | int security_unix_stream_connect(struct socket *sock, struct socket *other, | ||
874 | struct sock *newsk) | ||
875 | { | ||
876 | return security_ops->unix_stream_connect(sock, other, newsk); | ||
877 | } | ||
878 | EXPORT_SYMBOL(security_unix_stream_connect); | ||
879 | |||
880 | int security_unix_may_send(struct socket *sock, struct socket *other) | ||
881 | { | ||
882 | return security_ops->unix_may_send(sock, other); | ||
883 | } | ||
884 | EXPORT_SYMBOL(security_unix_may_send); | ||
885 | |||
886 | int security_socket_create(int family, int type, int protocol, int kern) | ||
887 | { | ||
888 | return security_ops->socket_create(family, type, protocol, kern); | ||
889 | } | ||
890 | |||
891 | int security_socket_post_create(struct socket *sock, int family, | ||
892 | int type, int protocol, int kern) | ||
893 | { | ||
894 | return security_ops->socket_post_create(sock, family, type, | ||
895 | protocol, kern); | ||
896 | } | ||
897 | |||
898 | int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) | ||
899 | { | ||
900 | return security_ops->socket_bind(sock, address, addrlen); | ||
901 | } | ||
902 | |||
903 | int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) | ||
904 | { | ||
905 | return security_ops->socket_connect(sock, address, addrlen); | ||
906 | } | ||
907 | |||
908 | int security_socket_listen(struct socket *sock, int backlog) | ||
909 | { | ||
910 | return security_ops->socket_listen(sock, backlog); | ||
911 | } | ||
912 | |||
913 | int security_socket_accept(struct socket *sock, struct socket *newsock) | ||
914 | { | ||
915 | return security_ops->socket_accept(sock, newsock); | ||
916 | } | ||
917 | |||
918 | void security_socket_post_accept(struct socket *sock, struct socket *newsock) | ||
919 | { | ||
920 | security_ops->socket_post_accept(sock, newsock); | ||
921 | } | ||
922 | |||
923 | int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) | ||
924 | { | ||
925 | return security_ops->socket_sendmsg(sock, msg, size); | ||
926 | } | ||
927 | |||
928 | int security_socket_recvmsg(struct socket *sock, struct msghdr *msg, | ||
929 | int size, int flags) | ||
930 | { | ||
931 | return security_ops->socket_recvmsg(sock, msg, size, flags); | ||
932 | } | ||
933 | |||
934 | int security_socket_getsockname(struct socket *sock) | ||
935 | { | ||
936 | return security_ops->socket_getsockname(sock); | ||
937 | } | ||
938 | |||
939 | int security_socket_getpeername(struct socket *sock) | ||
940 | { | ||
941 | return security_ops->socket_getpeername(sock); | ||
942 | } | ||
943 | |||
944 | int security_socket_getsockopt(struct socket *sock, int level, int optname) | ||
945 | { | ||
946 | return security_ops->socket_getsockopt(sock, level, optname); | ||
947 | } | ||
948 | |||
949 | int security_socket_setsockopt(struct socket *sock, int level, int optname) | ||
950 | { | ||
951 | return security_ops->socket_setsockopt(sock, level, optname); | ||
952 | } | ||
953 | |||
954 | int security_socket_shutdown(struct socket *sock, int how) | ||
955 | { | ||
956 | return security_ops->socket_shutdown(sock, how); | ||
957 | } | ||
958 | |||
959 | int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | ||
960 | { | ||
961 | return security_ops->socket_sock_rcv_skb(sk, skb); | ||
962 | } | ||
963 | EXPORT_SYMBOL(security_sock_rcv_skb); | ||
964 | |||
965 | int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, | ||
966 | int __user *optlen, unsigned len) | ||
967 | { | ||
968 | return security_ops->socket_getpeersec_stream(sock, optval, optlen, len); | ||
969 | } | ||
970 | |||
971 | int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) | ||
972 | { | ||
973 | return security_ops->socket_getpeersec_dgram(sock, skb, secid); | ||
974 | } | ||
975 | EXPORT_SYMBOL(security_socket_getpeersec_dgram); | ||
976 | |||
977 | int security_sk_alloc(struct sock *sk, int family, gfp_t priority) | ||
978 | { | ||
979 | return security_ops->sk_alloc_security(sk, family, priority); | ||
980 | } | ||
981 | |||
982 | void security_sk_free(struct sock *sk) | ||
983 | { | ||
984 | return security_ops->sk_free_security(sk); | ||
985 | } | ||
986 | |||
987 | void security_sk_clone(const struct sock *sk, struct sock *newsk) | ||
988 | { | ||
989 | return security_ops->sk_clone_security(sk, newsk); | ||
990 | } | ||
991 | |||
992 | void security_sk_classify_flow(struct sock *sk, struct flowi *fl) | ||
993 | { | ||
994 | security_ops->sk_getsecid(sk, &fl->secid); | ||
995 | } | ||
996 | EXPORT_SYMBOL(security_sk_classify_flow); | ||
997 | |||
998 | void security_req_classify_flow(const struct request_sock *req, struct flowi *fl) | ||
999 | { | ||
1000 | security_ops->req_classify_flow(req, fl); | ||
1001 | } | ||
1002 | EXPORT_SYMBOL(security_req_classify_flow); | ||
1003 | |||
1004 | void security_sock_graft(struct sock *sk, struct socket *parent) | ||
1005 | { | ||
1006 | security_ops->sock_graft(sk, parent); | ||
1007 | } | ||
1008 | EXPORT_SYMBOL(security_sock_graft); | ||
1009 | |||
1010 | int security_inet_conn_request(struct sock *sk, | ||
1011 | struct sk_buff *skb, struct request_sock *req) | ||
1012 | { | ||
1013 | return security_ops->inet_conn_request(sk, skb, req); | ||
1014 | } | ||
1015 | EXPORT_SYMBOL(security_inet_conn_request); | ||
1016 | |||
1017 | void security_inet_csk_clone(struct sock *newsk, | ||
1018 | const struct request_sock *req) | ||
1019 | { | ||
1020 | security_ops->inet_csk_clone(newsk, req); | ||
1021 | } | ||
1022 | |||
1023 | void security_inet_conn_established(struct sock *sk, | ||
1024 | struct sk_buff *skb) | ||
1025 | { | ||
1026 | security_ops->inet_conn_established(sk, skb); | ||
1027 | } | ||
1028 | |||
1029 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
1030 | |||
1031 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | ||
1032 | |||
1033 | int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) | ||
1034 | { | ||
1035 | return security_ops->xfrm_policy_alloc_security(xp, sec_ctx); | ||
1036 | } | ||
1037 | EXPORT_SYMBOL(security_xfrm_policy_alloc); | ||
1038 | |||
1039 | int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) | ||
1040 | { | ||
1041 | return security_ops->xfrm_policy_clone_security(old, new); | ||
1042 | } | ||
1043 | |||
1044 | void security_xfrm_policy_free(struct xfrm_policy *xp) | ||
1045 | { | ||
1046 | security_ops->xfrm_policy_free_security(xp); | ||
1047 | } | ||
1048 | EXPORT_SYMBOL(security_xfrm_policy_free); | ||
1049 | |||
1050 | int security_xfrm_policy_delete(struct xfrm_policy *xp) | ||
1051 | { | ||
1052 | return security_ops->xfrm_policy_delete_security(xp); | ||
1053 | } | ||
1054 | |||
1055 | int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) | ||
1056 | { | ||
1057 | return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0); | ||
1058 | } | ||
1059 | EXPORT_SYMBOL(security_xfrm_state_alloc); | ||
1060 | |||
1061 | int security_xfrm_state_alloc_acquire(struct xfrm_state *x, | ||
1062 | struct xfrm_sec_ctx *polsec, u32 secid) | ||
1063 | { | ||
1064 | if (!polsec) | ||
1065 | return 0; | ||
1066 | /* | ||
1067 | * We want the context to be taken from secid which is usually | ||
1068 | * from the sock. | ||
1069 | */ | ||
1070 | return security_ops->xfrm_state_alloc_security(x, NULL, secid); | ||
1071 | } | ||
1072 | |||
1073 | int security_xfrm_state_delete(struct xfrm_state *x) | ||
1074 | { | ||
1075 | return security_ops->xfrm_state_delete_security(x); | ||
1076 | } | ||
1077 | EXPORT_SYMBOL(security_xfrm_state_delete); | ||
1078 | |||
1079 | void security_xfrm_state_free(struct xfrm_state *x) | ||
1080 | { | ||
1081 | security_ops->xfrm_state_free_security(x); | ||
1082 | } | ||
1083 | |||
1084 | int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) | ||
1085 | { | ||
1086 | return security_ops->xfrm_policy_lookup(xp, fl_secid, dir); | ||
1087 | } | ||
1088 | |||
1089 | int security_xfrm_state_pol_flow_match(struct xfrm_state *x, | ||
1090 | struct xfrm_policy *xp, struct flowi *fl) | ||
1091 | { | ||
1092 | return security_ops->xfrm_state_pol_flow_match(x, xp, fl); | ||
1093 | } | ||
1094 | |||
1095 | int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) | ||
1096 | { | ||
1097 | return security_ops->xfrm_decode_session(skb, secid, 1); | ||
1098 | } | ||
1099 | |||
1100 | void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) | ||
1101 | { | ||
1102 | int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0); | ||
1103 | |||
1104 | BUG_ON(rc); | ||
1105 | } | ||
1106 | EXPORT_SYMBOL(security_skb_classify_flow); | ||
1107 | |||
1108 | #endif /* CONFIG_SECURITY_NETWORK_XFRM */ | ||
1109 | |||
1110 | #ifdef CONFIG_KEYS | ||
1111 | |||
1112 | int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags) | ||
1113 | { | ||
1114 | return security_ops->key_alloc(key, tsk, flags); | ||
1115 | } | ||
1116 | |||
1117 | void security_key_free(struct key *key) | ||
1118 | { | ||
1119 | security_ops->key_free(key); | ||
1120 | } | ||
1121 | |||
1122 | int security_key_permission(key_ref_t key_ref, | ||
1123 | struct task_struct *context, key_perm_t perm) | ||
1124 | { | ||
1125 | return security_ops->key_permission(key_ref, context, perm); | ||
1126 | } | ||
1127 | |||
1128 | #endif /* CONFIG_KEYS */ | ||
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 97b7e2738097..83a535b7bc60 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -22,7 +22,6 @@ | |||
22 | * as published by the Free Software Foundation. | 22 | * as published by the Free Software Foundation. |
23 | */ | 23 | */ |
24 | 24 | ||
25 | #include <linux/module.h> | ||
26 | #include <linux/init.h> | 25 | #include <linux/init.h> |
27 | #include <linux/kernel.h> | 26 | #include <linux/kernel.h> |
28 | #include <linux/ptrace.h> | 27 | #include <linux/ptrace.h> |
@@ -86,6 +85,7 @@ | |||
86 | extern unsigned int policydb_loaded_version; | 85 | extern unsigned int policydb_loaded_version; |
87 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); | 86 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); |
88 | extern int selinux_compat_net; | 87 | extern int selinux_compat_net; |
88 | extern struct security_operations *security_ops; | ||
89 | 89 | ||
90 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP | 90 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP |
91 | int selinux_enforcing = 0; | 91 | int selinux_enforcing = 0; |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index ba715f40b658..cb008d9f0a82 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
@@ -31,7 +31,6 @@ | |||
31 | * 2. Emulating a reasonable SO_PEERSEC across machines | 31 | * 2. Emulating a reasonable SO_PEERSEC across machines |
32 | * 3. Testing addition of sk_policy's with security context via setsockopt | 32 | * 3. Testing addition of sk_policy's with security context via setsockopt |
33 | */ | 33 | */ |
34 | #include <linux/module.h> | ||
35 | #include <linux/kernel.h> | 34 | #include <linux/kernel.h> |
36 | #include <linux/init.h> | 35 | #include <linux/init.h> |
37 | #include <linux/security.h> | 36 | #include <linux/security.h> |