aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2007-10-17 02:31:32 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-10-17 11:43:07 -0400
commit20510f2f4e2dabb0ff6c13901807627ec9452f98 (patch)
treed64b9eeb90d577f7f9688a215c4c6c3c2405188a /security
parent5c3b447457789374cdb7b03afe2540d48c649a36 (diff)
security: Convert LSM into a static interface
Convert LSM into a static interface, as the ability to unload a security module is not required by in-tree users and potentially complicates the overall security architecture. Needlessly exported LSM symbols have been unexported, to help reduce API abuse. Parameters for the capability and root_plug modules are now specified at boot. The SECURITY_FRAMEWORK_VERSION macro has also been removed. In a nutshell, there is no safe way to unload an LSM. The modular interface is thus unecessary and broken infrastructure. It is used only by out-of-tree modules, which are often binary-only, illegal, abusive of the API and dangerous, e.g. silently re-vectoring SELinux. [akpm@linux-foundation.org: cleanups] [akpm@linux-foundation.org: USB Kconfig fix] [randy.dunlap@oracle.com: fix LSM kernel-doc] Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Chris Wright <chrisw@sous-sol.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: "Serge E. Hallyn" <serue@us.ibm.com> Acked-by: Arjan van de Ven <arjan@infradead.org> Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig6
-rw-r--r--security/capability.c24
-rw-r--r--security/commoncap.c3
-rw-r--r--security/dummy.c1
-rw-r--r--security/root_plug.c31
-rw-r--r--security/security.c964
-rw-r--r--security/selinux/hooks.c2
-rw-r--r--security/selinux/xfrm.c1
8 files changed, 961 insertions, 71 deletions
diff --git a/security/Kconfig b/security/Kconfig
index 460e5c9cf496..a94ee94cf491 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -74,15 +74,15 @@ config SECURITY_NETWORK_XFRM
74 If you are unsure how to answer this question, answer N. 74 If you are unsure how to answer this question, answer N.
75 75
76config SECURITY_CAPABILITIES 76config SECURITY_CAPABILITIES
77 tristate "Default Linux Capabilities" 77 bool "Default Linux Capabilities"
78 depends on SECURITY 78 depends on SECURITY
79 help 79 help
80 This enables the "default" Linux capabilities functionality. 80 This enables the "default" Linux capabilities functionality.
81 If you are unsure how to answer this question, answer Y. 81 If you are unsure how to answer this question, answer Y.
82 82
83config SECURITY_ROOTPLUG 83config SECURITY_ROOTPLUG
84 tristate "Root Plug Support" 84 bool "Root Plug Support"
85 depends on USB && SECURITY 85 depends on USB=y && SECURITY
86 help 86 help
87 This is a sample LSM module that should only be used as such. 87 This is a sample LSM module that should only be used as such.
88 It prevents any programs running with egid == 0 if a specific 88 It prevents any programs running with egid == 0 if a specific
diff --git a/security/capability.c b/security/capability.c
index 38296a005465..fda6a14cb24d 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -8,7 +8,6 @@
8 * 8 *
9 */ 9 */
10 10
11#include <linux/module.h>
12#include <linux/init.h> 11#include <linux/init.h>
13#include <linux/kernel.h> 12#include <linux/kernel.h>
14#include <linux/security.h> 13#include <linux/security.h>
@@ -52,7 +51,6 @@ static int secondary;
52 51
53static int capability_disable; 52static int capability_disable;
54module_param_named(disable, capability_disable, int, 0); 53module_param_named(disable, capability_disable, int, 0);
55MODULE_PARM_DESC(disable, "To disable capabilities module set disable = 1");
56 54
57static int __init capability_init (void) 55static int __init capability_init (void)
58{ 56{
@@ -75,26 +73,4 @@ static int __init capability_init (void)
75 return 0; 73 return 0;
76} 74}
77 75
78static void __exit capability_exit (void)
79{
80 if (capability_disable)
81 return;
82 /* remove ourselves from the security framework */
83 if (secondary) {
84 if (mod_unreg_security (KBUILD_MODNAME, &capability_ops))
85 printk (KERN_INFO "Failure unregistering capabilities "
86 "with primary module.\n");
87 return;
88 }
89
90 if (unregister_security (&capability_ops)) {
91 printk (KERN_INFO
92 "Failure unregistering capabilities with the kernel\n");
93 }
94}
95
96security_initcall (capability_init); 76security_initcall (capability_init);
97module_exit (capability_exit);
98
99MODULE_DESCRIPTION("Standard Linux Capabilities Security Module");
100MODULE_LICENSE("GPL");
diff --git a/security/commoncap.c b/security/commoncap.c
index 7520361663e8..0f8a2ce3f3a6 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -339,6 +339,3 @@ EXPORT_SYMBOL(cap_task_post_setuid);
339EXPORT_SYMBOL(cap_task_reparent_to_init); 339EXPORT_SYMBOL(cap_task_reparent_to_init);
340EXPORT_SYMBOL(cap_syslog); 340EXPORT_SYMBOL(cap_syslog);
341EXPORT_SYMBOL(cap_vm_enough_memory); 341EXPORT_SYMBOL(cap_vm_enough_memory);
342
343MODULE_DESCRIPTION("Standard Linux Common Capabilities Security Module");
344MODULE_LICENSE("GPL");
diff --git a/security/dummy.c b/security/dummy.c
index 64b647a0d9a6..4129dcf3daec 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -15,7 +15,6 @@
15#undef DEBUG 15#undef DEBUG
16 16
17#include <linux/capability.h> 17#include <linux/capability.h>
18#include <linux/module.h>
19#include <linux/kernel.h> 18#include <linux/kernel.h>
20#include <linux/mman.h> 19#include <linux/mman.h>
21#include <linux/pagemap.h> 20#include <linux/pagemap.h>
diff --git a/security/root_plug.c b/security/root_plug.c
index 38dd4f3e641f..870f13095bb6 100644
--- a/security/root_plug.c
+++ b/security/root_plug.c
@@ -22,11 +22,11 @@
22 * License. 22 * License.
23 */ 23 */
24 24
25#include <linux/module.h>
26#include <linux/kernel.h> 25#include <linux/kernel.h>
27#include <linux/init.h> 26#include <linux/init.h>
28#include <linux/security.h> 27#include <linux/security.h>
29#include <linux/usb.h> 28#include <linux/usb.h>
29#include <linux/moduleparam.h>
30 30
31/* flag to keep track of how we were registered */ 31/* flag to keep track of how we were registered */
32static int secondary; 32static int secondary;
@@ -36,22 +36,14 @@ static int vendor_id = 0x0557;
36static int product_id = 0x2008; 36static int product_id = 0x2008;
37 37
38module_param(vendor_id, uint, 0400); 38module_param(vendor_id, uint, 0400);
39MODULE_PARM_DESC(vendor_id, "USB Vendor ID of device to look for");
40
41module_param(product_id, uint, 0400); 39module_param(product_id, uint, 0400);
42MODULE_PARM_DESC(product_id, "USB Product ID of device to look for");
43 40
44/* should we print out debug messages */ 41/* should we print out debug messages */
45static int debug = 0; 42static int debug = 0;
46 43
47module_param(debug, bool, 0600); 44module_param(debug, bool, 0600);
48MODULE_PARM_DESC(debug, "Debug enabled or not");
49 45
50#if defined(CONFIG_SECURITY_ROOTPLUG_MODULE)
51#define MY_NAME THIS_MODULE->name
52#else
53#define MY_NAME "root_plug" 46#define MY_NAME "root_plug"
54#endif
55 47
56#define root_dbg(fmt, arg...) \ 48#define root_dbg(fmt, arg...) \
57 do { \ 49 do { \
@@ -117,25 +109,4 @@ static int __init rootplug_init (void)
117 return 0; 109 return 0;
118} 110}
119 111
120static void __exit rootplug_exit (void)
121{
122 /* remove ourselves from the security framework */
123 if (secondary) {
124 if (mod_unreg_security (MY_NAME, &rootplug_security_ops))
125 printk (KERN_INFO "Failure unregistering Root Plug "
126 " module with primary module.\n");
127 } else {
128 if (unregister_security (&rootplug_security_ops)) {
129 printk (KERN_INFO "Failure unregistering Root Plug "
130 "module with the kernel\n");
131 }
132 }
133 printk (KERN_INFO "Root Plug module removed\n");
134}
135
136security_initcall (rootplug_init); 112security_initcall (rootplug_init);
137module_exit (rootplug_exit);
138
139MODULE_DESCRIPTION("Root Plug sample LSM module, written for Linux Journal article");
140MODULE_LICENSE("GPL");
141
diff --git a/security/security.c b/security/security.c
index 27e5863d30f1..5b1c034815a8 100644
--- a/security/security.c
+++ b/security/security.c
@@ -17,7 +17,6 @@
17#include <linux/kernel.h> 17#include <linux/kernel.h>
18#include <linux/security.h> 18#include <linux/security.h>
19 19
20#define SECURITY_FRAMEWORK_VERSION "1.0.0"
21 20
22/* things that live in dummy.c */ 21/* things that live in dummy.c */
23extern struct security_operations dummy_security_ops; 22extern struct security_operations dummy_security_ops;
@@ -52,8 +51,7 @@ static void __init do_security_initcalls(void)
52 */ 51 */
53int __init security_init(void) 52int __init security_init(void)
54{ 53{
55 printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION 54 printk(KERN_INFO "Security Framework initialized\n");
56 " initialized\n");
57 55
58 if (verify(&dummy_security_ops)) { 56 if (verify(&dummy_security_ops)) {
59 printk(KERN_ERR "%s could not verify " 57 printk(KERN_ERR "%s could not verify "
@@ -173,8 +171,958 @@ int mod_unreg_security(const char *name, struct security_operations *ops)
173 return security_ops->unregister_security(name, ops); 171 return security_ops->unregister_security(name, ops);
174} 172}
175 173
176EXPORT_SYMBOL_GPL(register_security); 174/* Security operations */
177EXPORT_SYMBOL_GPL(unregister_security); 175
178EXPORT_SYMBOL_GPL(mod_reg_security); 176int security_ptrace(struct task_struct *parent, struct task_struct *child)
179EXPORT_SYMBOL_GPL(mod_unreg_security); 177{
180EXPORT_SYMBOL(security_ops); 178 return security_ops->ptrace(parent, child);
179}
180
181int security_capget(struct task_struct *target,
182 kernel_cap_t *effective,
183 kernel_cap_t *inheritable,
184 kernel_cap_t *permitted)
185{
186 return security_ops->capget(target, effective, inheritable, permitted);
187}
188
189int security_capset_check(struct task_struct *target,
190 kernel_cap_t *effective,
191 kernel_cap_t *inheritable,
192 kernel_cap_t *permitted)
193{
194 return security_ops->capset_check(target, effective, inheritable, permitted);
195}
196
197void security_capset_set(struct task_struct *target,
198 kernel_cap_t *effective,
199 kernel_cap_t *inheritable,
200 kernel_cap_t *permitted)
201{
202 security_ops->capset_set(target, effective, inheritable, permitted);
203}
204
205int security_capable(struct task_struct *tsk, int cap)
206{
207 return security_ops->capable(tsk, cap);
208}
209
210int security_acct(struct file *file)
211{
212 return security_ops->acct(file);
213}
214
215int security_sysctl(struct ctl_table *table, int op)
216{
217 return security_ops->sysctl(table, op);
218}
219
220int security_quotactl(int cmds, int type, int id, struct super_block *sb)
221{
222 return security_ops->quotactl(cmds, type, id, sb);
223}
224
225int security_quota_on(struct dentry *dentry)
226{
227 return security_ops->quota_on(dentry);
228}
229
230int security_syslog(int type)
231{
232 return security_ops->syslog(type);
233}
234
235int security_settime(struct timespec *ts, struct timezone *tz)
236{
237 return security_ops->settime(ts, tz);
238}
239
240int security_vm_enough_memory(long pages)
241{
242 return security_ops->vm_enough_memory(current->mm, pages);
243}
244
245int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
246{
247 return security_ops->vm_enough_memory(mm, pages);
248}
249
250int security_bprm_alloc(struct linux_binprm *bprm)
251{
252 return security_ops->bprm_alloc_security(bprm);
253}
254
255void security_bprm_free(struct linux_binprm *bprm)
256{
257 security_ops->bprm_free_security(bprm);
258}
259
260void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
261{
262 security_ops->bprm_apply_creds(bprm, unsafe);
263}
264
265void security_bprm_post_apply_creds(struct linux_binprm *bprm)
266{
267 security_ops->bprm_post_apply_creds(bprm);
268}
269
270int security_bprm_set(struct linux_binprm *bprm)
271{
272 return security_ops->bprm_set_security(bprm);
273}
274
275int security_bprm_check(struct linux_binprm *bprm)
276{
277 return security_ops->bprm_check_security(bprm);
278}
279
280int security_bprm_secureexec(struct linux_binprm *bprm)
281{
282 return security_ops->bprm_secureexec(bprm);
283}
284
285int security_sb_alloc(struct super_block *sb)
286{
287 return security_ops->sb_alloc_security(sb);
288}
289
290void security_sb_free(struct super_block *sb)
291{
292 security_ops->sb_free_security(sb);
293}
294
295int security_sb_copy_data(struct file_system_type *type, void *orig, void *copy)
296{
297 return security_ops->sb_copy_data(type, orig, copy);
298}
299
300int security_sb_kern_mount(struct super_block *sb, void *data)
301{
302 return security_ops->sb_kern_mount(sb, data);
303}
304
305int security_sb_statfs(struct dentry *dentry)
306{
307 return security_ops->sb_statfs(dentry);
308}
309
310int security_sb_mount(char *dev_name, struct nameidata *nd,
311 char *type, unsigned long flags, void *data)
312{
313 return security_ops->sb_mount(dev_name, nd, type, flags, data);
314}
315
316int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd)
317{
318 return security_ops->sb_check_sb(mnt, nd);
319}
320
321int security_sb_umount(struct vfsmount *mnt, int flags)
322{
323 return security_ops->sb_umount(mnt, flags);
324}
325
326void security_sb_umount_close(struct vfsmount *mnt)
327{
328 security_ops->sb_umount_close(mnt);
329}
330
331void security_sb_umount_busy(struct vfsmount *mnt)
332{
333 security_ops->sb_umount_busy(mnt);
334}
335
336void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data)
337{
338 security_ops->sb_post_remount(mnt, flags, data);
339}
340
341void security_sb_post_mountroot(void)
342{
343 security_ops->sb_post_mountroot();
344}
345
346void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd)
347{
348 security_ops->sb_post_addmount(mnt, mountpoint_nd);
349}
350
351int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
352{
353 return security_ops->sb_pivotroot(old_nd, new_nd);
354}
355
356void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
357{
358 security_ops->sb_post_pivotroot(old_nd, new_nd);
359}
360
361int security_inode_alloc(struct inode *inode)
362{
363 inode->i_security = NULL;
364 return security_ops->inode_alloc_security(inode);
365}
366
367void security_inode_free(struct inode *inode)
368{
369 security_ops->inode_free_security(inode);
370}
371
372int security_inode_init_security(struct inode *inode, struct inode *dir,
373 char **name, void **value, size_t *len)
374{
375 if (unlikely(IS_PRIVATE(inode)))
376 return -EOPNOTSUPP;
377 return security_ops->inode_init_security(inode, dir, name, value, len);
378}
379EXPORT_SYMBOL(security_inode_init_security);
380
381int security_inode_create(struct inode *dir, struct dentry *dentry, int mode)
382{
383 if (unlikely(IS_PRIVATE(dir)))
384 return 0;
385 return security_ops->inode_create(dir, dentry, mode);
386}
387
388int security_inode_link(struct dentry *old_dentry, struct inode *dir,
389 struct dentry *new_dentry)
390{
391 if (unlikely(IS_PRIVATE(old_dentry->d_inode)))
392 return 0;
393 return security_ops->inode_link(old_dentry, dir, new_dentry);
394}
395
396int security_inode_unlink(struct inode *dir, struct dentry *dentry)
397{
398 if (unlikely(IS_PRIVATE(dentry->d_inode)))
399 return 0;
400 return security_ops->inode_unlink(dir, dentry);
401}
402
403int security_inode_symlink(struct inode *dir, struct dentry *dentry,
404 const char *old_name)
405{
406 if (unlikely(IS_PRIVATE(dir)))
407 return 0;
408 return security_ops->inode_symlink(dir, dentry, old_name);
409}
410
411int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode)
412{
413 if (unlikely(IS_PRIVATE(dir)))
414 return 0;
415 return security_ops->inode_mkdir(dir, dentry, mode);
416}
417
418int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
419{
420 if (unlikely(IS_PRIVATE(dentry->d_inode)))
421 return 0;
422 return security_ops->inode_rmdir(dir, dentry);
423}
424
425int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev)
426{
427 if (unlikely(IS_PRIVATE(dir)))
428 return 0;
429 return security_ops->inode_mknod(dir, dentry, mode, dev);
430}
431
432int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
433 struct inode *new_dir, struct dentry *new_dentry)
434{
435 if (unlikely(IS_PRIVATE(old_dentry->d_inode) ||
436 (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode))))
437 return 0;
438 return security_ops->inode_rename(old_dir, old_dentry,
439 new_dir, new_dentry);
440}
441
442int security_inode_readlink(struct dentry *dentry)
443{
444 if (unlikely(IS_PRIVATE(dentry->d_inode)))
445 return 0;
446 return security_ops->inode_readlink(dentry);
447}
448
449int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd)
450{
451 if (unlikely(IS_PRIVATE(dentry->d_inode)))
452 return 0;
453 return security_ops->inode_follow_link(dentry, nd);
454}
455
456int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd)
457{
458 if (unlikely(IS_PRIVATE(inode)))
459 return 0;
460 return security_ops->inode_permission(inode, mask, nd);
461}
462
463int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
464{
465 if (unlikely(IS_PRIVATE(dentry->d_inode)))
466 return 0;
467 return security_ops->inode_setattr(dentry, attr);
468}
469
470int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
471{
472 if (unlikely(IS_PRIVATE(dentry->d_inode)))
473 return 0;
474 return security_ops->inode_getattr(mnt, dentry);
475}
476
477void security_inode_delete(struct inode *inode)
478{
479 if (unlikely(IS_PRIVATE(inode)))
480 return;
481 security_ops->inode_delete(inode);
482}
483
484int security_inode_setxattr(struct dentry *dentry, char *name,
485 void *value, size_t size, int flags)
486{
487 if (unlikely(IS_PRIVATE(dentry->d_inode)))
488 return 0;
489 return security_ops->inode_setxattr(dentry, name, value, size, flags);
490}
491
492void security_inode_post_setxattr(struct dentry *dentry, char *name,
493 void *value, size_t size, int flags)
494{
495 if (unlikely(IS_PRIVATE(dentry->d_inode)))
496 return;
497 security_ops->inode_post_setxattr(dentry, name, value, size, flags);
498}
499
500int security_inode_getxattr(struct dentry *dentry, char *name)
501{
502 if (unlikely(IS_PRIVATE(dentry->d_inode)))
503 return 0;
504 return security_ops->inode_getxattr(dentry, name);
505}
506
507int security_inode_listxattr(struct dentry *dentry)
508{
509 if (unlikely(IS_PRIVATE(dentry->d_inode)))
510 return 0;
511 return security_ops->inode_listxattr(dentry);
512}
513
514int security_inode_removexattr(struct dentry *dentry, char *name)
515{
516 if (unlikely(IS_PRIVATE(dentry->d_inode)))
517 return 0;
518 return security_ops->inode_removexattr(dentry, name);
519}
520
521const char *security_inode_xattr_getsuffix(void)
522{
523 return security_ops->inode_xattr_getsuffix();
524}
525
526int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
527{
528 if (unlikely(IS_PRIVATE(inode)))
529 return 0;
530 return security_ops->inode_getsecurity(inode, name, buffer, size, err);
531}
532
533int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
534{
535 if (unlikely(IS_PRIVATE(inode)))
536 return 0;
537 return security_ops->inode_setsecurity(inode, name, value, size, flags);
538}
539
540int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
541{
542 if (unlikely(IS_PRIVATE(inode)))
543 return 0;
544 return security_ops->inode_listsecurity(inode, buffer, buffer_size);
545}
546
547int security_file_permission(struct file *file, int mask)
548{
549 return security_ops->file_permission(file, mask);
550}
551
552int security_file_alloc(struct file *file)
553{
554 return security_ops->file_alloc_security(file);
555}
556
557void security_file_free(struct file *file)
558{
559 security_ops->file_free_security(file);
560}
561
562int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
563{
564 return security_ops->file_ioctl(file, cmd, arg);
565}
566
567int security_file_mmap(struct file *file, unsigned long reqprot,
568 unsigned long prot, unsigned long flags,
569 unsigned long addr, unsigned long addr_only)
570{
571 return security_ops->file_mmap(file, reqprot, prot, flags, addr, addr_only);
572}
573
574int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
575 unsigned long prot)
576{
577 return security_ops->file_mprotect(vma, reqprot, prot);
578}
579
580int security_file_lock(struct file *file, unsigned int cmd)
581{
582 return security_ops->file_lock(file, cmd);
583}
584
585int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
586{
587 return security_ops->file_fcntl(file, cmd, arg);
588}
589
590int security_file_set_fowner(struct file *file)
591{
592 return security_ops->file_set_fowner(file);
593}
594
595int security_file_send_sigiotask(struct task_struct *tsk,
596 struct fown_struct *fown, int sig)
597{
598 return security_ops->file_send_sigiotask(tsk, fown, sig);
599}
600
601int security_file_receive(struct file *file)
602{
603 return security_ops->file_receive(file);
604}
605
606int security_dentry_open(struct file *file)
607{
608 return security_ops->dentry_open(file);
609}
610
611int security_task_create(unsigned long clone_flags)
612{
613 return security_ops->task_create(clone_flags);
614}
615
616int security_task_alloc(struct task_struct *p)
617{
618 return security_ops->task_alloc_security(p);
619}
620
621void security_task_free(struct task_struct *p)
622{
623 security_ops->task_free_security(p);
624}
625
626int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
627{
628 return security_ops->task_setuid(id0, id1, id2, flags);
629}
630
631int security_task_post_setuid(uid_t old_ruid, uid_t old_euid,
632 uid_t old_suid, int flags)
633{
634 return security_ops->task_post_setuid(old_ruid, old_euid, old_suid, flags);
635}
636
637int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
638{
639 return security_ops->task_setgid(id0, id1, id2, flags);
640}
641
642int security_task_setpgid(struct task_struct *p, pid_t pgid)
643{
644 return security_ops->task_setpgid(p, pgid);
645}
646
647int security_task_getpgid(struct task_struct *p)
648{
649 return security_ops->task_getpgid(p);
650}
651
652int security_task_getsid(struct task_struct *p)
653{
654 return security_ops->task_getsid(p);
655}
656
657void security_task_getsecid(struct task_struct *p, u32 *secid)
658{
659 security_ops->task_getsecid(p, secid);
660}
661EXPORT_SYMBOL(security_task_getsecid);
662
663int security_task_setgroups(struct group_info *group_info)
664{
665 return security_ops->task_setgroups(group_info);
666}
667
668int security_task_setnice(struct task_struct *p, int nice)
669{
670 return security_ops->task_setnice(p, nice);
671}
672
673int security_task_setioprio(struct task_struct *p, int ioprio)
674{
675 return security_ops->task_setioprio(p, ioprio);
676}
677
678int security_task_getioprio(struct task_struct *p)
679{
680 return security_ops->task_getioprio(p);
681}
682
683int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
684{
685 return security_ops->task_setrlimit(resource, new_rlim);
686}
687
688int security_task_setscheduler(struct task_struct *p,
689 int policy, struct sched_param *lp)
690{
691 return security_ops->task_setscheduler(p, policy, lp);
692}
693
694int security_task_getscheduler(struct task_struct *p)
695{
696 return security_ops->task_getscheduler(p);
697}
698
699int security_task_movememory(struct task_struct *p)
700{
701 return security_ops->task_movememory(p);
702}
703
704int security_task_kill(struct task_struct *p, struct siginfo *info,
705 int sig, u32 secid)
706{
707 return security_ops->task_kill(p, info, sig, secid);
708}
709
710int security_task_wait(struct task_struct *p)
711{
712 return security_ops->task_wait(p);
713}
714
715int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
716 unsigned long arg4, unsigned long arg5)
717{
718 return security_ops->task_prctl(option, arg2, arg3, arg4, arg5);
719}
720
721void security_task_reparent_to_init(struct task_struct *p)
722{
723 security_ops->task_reparent_to_init(p);
724}
725
726void security_task_to_inode(struct task_struct *p, struct inode *inode)
727{
728 security_ops->task_to_inode(p, inode);
729}
730
731int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
732{
733 return security_ops->ipc_permission(ipcp, flag);
734}
735
736int security_msg_msg_alloc(struct msg_msg *msg)
737{
738 return security_ops->msg_msg_alloc_security(msg);
739}
740
741void security_msg_msg_free(struct msg_msg *msg)
742{
743 security_ops->msg_msg_free_security(msg);
744}
745
746int security_msg_queue_alloc(struct msg_queue *msq)
747{
748 return security_ops->msg_queue_alloc_security(msq);
749}
750
751void security_msg_queue_free(struct msg_queue *msq)
752{
753 security_ops->msg_queue_free_security(msq);
754}
755
756int security_msg_queue_associate(struct msg_queue *msq, int msqflg)
757{
758 return security_ops->msg_queue_associate(msq, msqflg);
759}
760
761int security_msg_queue_msgctl(struct msg_queue *msq, int cmd)
762{
763 return security_ops->msg_queue_msgctl(msq, cmd);
764}
765
766int security_msg_queue_msgsnd(struct msg_queue *msq,
767 struct msg_msg *msg, int msqflg)
768{
769 return security_ops->msg_queue_msgsnd(msq, msg, msqflg);
770}
771
772int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
773 struct task_struct *target, long type, int mode)
774{
775 return security_ops->msg_queue_msgrcv(msq, msg, target, type, mode);
776}
777
778int security_shm_alloc(struct shmid_kernel *shp)
779{
780 return security_ops->shm_alloc_security(shp);
781}
782
783void security_shm_free(struct shmid_kernel *shp)
784{
785 security_ops->shm_free_security(shp);
786}
787
788int security_shm_associate(struct shmid_kernel *shp, int shmflg)
789{
790 return security_ops->shm_associate(shp, shmflg);
791}
792
793int security_shm_shmctl(struct shmid_kernel *shp, int cmd)
794{
795 return security_ops->shm_shmctl(shp, cmd);
796}
797
798int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg)
799{
800 return security_ops->shm_shmat(shp, shmaddr, shmflg);
801}
802
803int security_sem_alloc(struct sem_array *sma)
804{
805 return security_ops->sem_alloc_security(sma);
806}
807
808void security_sem_free(struct sem_array *sma)
809{
810 security_ops->sem_free_security(sma);
811}
812
813int security_sem_associate(struct sem_array *sma, int semflg)
814{
815 return security_ops->sem_associate(sma, semflg);
816}
817
818int security_sem_semctl(struct sem_array *sma, int cmd)
819{
820 return security_ops->sem_semctl(sma, cmd);
821}
822
823int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
824 unsigned nsops, int alter)
825{
826 return security_ops->sem_semop(sma, sops, nsops, alter);
827}
828
829void security_d_instantiate(struct dentry *dentry, struct inode *inode)
830{
831 if (unlikely(inode && IS_PRIVATE(inode)))
832 return;
833 security_ops->d_instantiate(dentry, inode);
834}
835EXPORT_SYMBOL(security_d_instantiate);
836
837int security_getprocattr(struct task_struct *p, char *name, char **value)
838{
839 return security_ops->getprocattr(p, name, value);
840}
841
842int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size)
843{
844 return security_ops->setprocattr(p, name, value, size);
845}
846
847int security_netlink_send(struct sock *sk, struct sk_buff *skb)
848{
849 return security_ops->netlink_send(sk, skb);
850}
851EXPORT_SYMBOL(security_netlink_send);
852
853int security_netlink_recv(struct sk_buff *skb, int cap)
854{
855 return security_ops->netlink_recv(skb, cap);
856}
857EXPORT_SYMBOL(security_netlink_recv);
858
859int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
860{
861 return security_ops->secid_to_secctx(secid, secdata, seclen);
862}
863EXPORT_SYMBOL(security_secid_to_secctx);
864
865void security_release_secctx(char *secdata, u32 seclen)
866{
867 return security_ops->release_secctx(secdata, seclen);
868}
869EXPORT_SYMBOL(security_release_secctx);
870
871#ifdef CONFIG_SECURITY_NETWORK
872
873int security_unix_stream_connect(struct socket *sock, struct socket *other,
874 struct sock *newsk)
875{
876 return security_ops->unix_stream_connect(sock, other, newsk);
877}
878EXPORT_SYMBOL(security_unix_stream_connect);
879
880int security_unix_may_send(struct socket *sock, struct socket *other)
881{
882 return security_ops->unix_may_send(sock, other);
883}
884EXPORT_SYMBOL(security_unix_may_send);
885
886int security_socket_create(int family, int type, int protocol, int kern)
887{
888 return security_ops->socket_create(family, type, protocol, kern);
889}
890
891int security_socket_post_create(struct socket *sock, int family,
892 int type, int protocol, int kern)
893{
894 return security_ops->socket_post_create(sock, family, type,
895 protocol, kern);
896}
897
898int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
899{
900 return security_ops->socket_bind(sock, address, addrlen);
901}
902
903int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
904{
905 return security_ops->socket_connect(sock, address, addrlen);
906}
907
908int security_socket_listen(struct socket *sock, int backlog)
909{
910 return security_ops->socket_listen(sock, backlog);
911}
912
913int security_socket_accept(struct socket *sock, struct socket *newsock)
914{
915 return security_ops->socket_accept(sock, newsock);
916}
917
918void security_socket_post_accept(struct socket *sock, struct socket *newsock)
919{
920 security_ops->socket_post_accept(sock, newsock);
921}
922
923int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
924{
925 return security_ops->socket_sendmsg(sock, msg, size);
926}
927
928int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
929 int size, int flags)
930{
931 return security_ops->socket_recvmsg(sock, msg, size, flags);
932}
933
934int security_socket_getsockname(struct socket *sock)
935{
936 return security_ops->socket_getsockname(sock);
937}
938
939int security_socket_getpeername(struct socket *sock)
940{
941 return security_ops->socket_getpeername(sock);
942}
943
944int security_socket_getsockopt(struct socket *sock, int level, int optname)
945{
946 return security_ops->socket_getsockopt(sock, level, optname);
947}
948
949int security_socket_setsockopt(struct socket *sock, int level, int optname)
950{
951 return security_ops->socket_setsockopt(sock, level, optname);
952}
953
954int security_socket_shutdown(struct socket *sock, int how)
955{
956 return security_ops->socket_shutdown(sock, how);
957}
958
959int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
960{
961 return security_ops->socket_sock_rcv_skb(sk, skb);
962}
963EXPORT_SYMBOL(security_sock_rcv_skb);
964
965int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
966 int __user *optlen, unsigned len)
967{
968 return security_ops->socket_getpeersec_stream(sock, optval, optlen, len);
969}
970
971int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
972{
973 return security_ops->socket_getpeersec_dgram(sock, skb, secid);
974}
975EXPORT_SYMBOL(security_socket_getpeersec_dgram);
976
977int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
978{
979 return security_ops->sk_alloc_security(sk, family, priority);
980}
981
982void security_sk_free(struct sock *sk)
983{
984 return security_ops->sk_free_security(sk);
985}
986
987void security_sk_clone(const struct sock *sk, struct sock *newsk)
988{
989 return security_ops->sk_clone_security(sk, newsk);
990}
991
992void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
993{
994 security_ops->sk_getsecid(sk, &fl->secid);
995}
996EXPORT_SYMBOL(security_sk_classify_flow);
997
998void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
999{
1000 security_ops->req_classify_flow(req, fl);
1001}
1002EXPORT_SYMBOL(security_req_classify_flow);
1003
1004void security_sock_graft(struct sock *sk, struct socket *parent)
1005{
1006 security_ops->sock_graft(sk, parent);
1007}
1008EXPORT_SYMBOL(security_sock_graft);
1009
1010int security_inet_conn_request(struct sock *sk,
1011 struct sk_buff *skb, struct request_sock *req)
1012{
1013 return security_ops->inet_conn_request(sk, skb, req);
1014}
1015EXPORT_SYMBOL(security_inet_conn_request);
1016
1017void security_inet_csk_clone(struct sock *newsk,
1018 const struct request_sock *req)
1019{
1020 security_ops->inet_csk_clone(newsk, req);
1021}
1022
1023void security_inet_conn_established(struct sock *sk,
1024 struct sk_buff *skb)
1025{
1026 security_ops->inet_conn_established(sk, skb);
1027}
1028
1029#endif /* CONFIG_SECURITY_NETWORK */
1030
1031#ifdef CONFIG_SECURITY_NETWORK_XFRM
1032
1033int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
1034{
1035 return security_ops->xfrm_policy_alloc_security(xp, sec_ctx);
1036}
1037EXPORT_SYMBOL(security_xfrm_policy_alloc);
1038
1039int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
1040{
1041 return security_ops->xfrm_policy_clone_security(old, new);
1042}
1043
1044void security_xfrm_policy_free(struct xfrm_policy *xp)
1045{
1046 security_ops->xfrm_policy_free_security(xp);
1047}
1048EXPORT_SYMBOL(security_xfrm_policy_free);
1049
1050int security_xfrm_policy_delete(struct xfrm_policy *xp)
1051{
1052 return security_ops->xfrm_policy_delete_security(xp);
1053}
1054
1055int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx)
1056{
1057 return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0);
1058}
1059EXPORT_SYMBOL(security_xfrm_state_alloc);
1060
1061int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
1062 struct xfrm_sec_ctx *polsec, u32 secid)
1063{
1064 if (!polsec)
1065 return 0;
1066 /*
1067 * We want the context to be taken from secid which is usually
1068 * from the sock.
1069 */
1070 return security_ops->xfrm_state_alloc_security(x, NULL, secid);
1071}
1072
1073int security_xfrm_state_delete(struct xfrm_state *x)
1074{
1075 return security_ops->xfrm_state_delete_security(x);
1076}
1077EXPORT_SYMBOL(security_xfrm_state_delete);
1078
1079void security_xfrm_state_free(struct xfrm_state *x)
1080{
1081 security_ops->xfrm_state_free_security(x);
1082}
1083
1084int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
1085{
1086 return security_ops->xfrm_policy_lookup(xp, fl_secid, dir);
1087}
1088
1089int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
1090 struct xfrm_policy *xp, struct flowi *fl)
1091{
1092 return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
1093}
1094
1095int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
1096{
1097 return security_ops->xfrm_decode_session(skb, secid, 1);
1098}
1099
1100void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
1101{
1102 int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
1103
1104 BUG_ON(rc);
1105}
1106EXPORT_SYMBOL(security_skb_classify_flow);
1107
1108#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1109
1110#ifdef CONFIG_KEYS
1111
1112int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags)
1113{
1114 return security_ops->key_alloc(key, tsk, flags);
1115}
1116
1117void security_key_free(struct key *key)
1118{
1119 security_ops->key_free(key);
1120}
1121
1122int security_key_permission(key_ref_t key_ref,
1123 struct task_struct *context, key_perm_t perm)
1124{
1125 return security_ops->key_permission(key_ref, context, perm);
1126}
1127
1128#endif /* CONFIG_KEYS */
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 97b7e2738097..83a535b7bc60 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -22,7 +22,6 @@
22 * as published by the Free Software Foundation. 22 * as published by the Free Software Foundation.
23 */ 23 */
24 24
25#include <linux/module.h>
26#include <linux/init.h> 25#include <linux/init.h>
27#include <linux/kernel.h> 26#include <linux/kernel.h>
28#include <linux/ptrace.h> 27#include <linux/ptrace.h>
@@ -86,6 +85,7 @@
86extern unsigned int policydb_loaded_version; 85extern unsigned int policydb_loaded_version;
87extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); 86extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm);
88extern int selinux_compat_net; 87extern int selinux_compat_net;
88extern struct security_operations *security_ops;
89 89
90#ifdef CONFIG_SECURITY_SELINUX_DEVELOP 90#ifdef CONFIG_SECURITY_SELINUX_DEVELOP
91int selinux_enforcing = 0; 91int selinux_enforcing = 0;
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c
index ba715f40b658..cb008d9f0a82 100644
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -31,7 +31,6 @@
31 * 2. Emulating a reasonable SO_PEERSEC across machines 31 * 2. Emulating a reasonable SO_PEERSEC across machines
32 * 3. Testing addition of sk_policy's with security context via setsockopt 32 * 3. Testing addition of sk_policy's with security context via setsockopt
33 */ 33 */
34#include <linux/module.h>
35#include <linux/kernel.h> 34#include <linux/kernel.h>
36#include <linux/init.h> 35#include <linux/init.h>
37#include <linux/security.h> 36#include <linux/security.h>