diff options
Diffstat (limited to 'include/linux/security.h')
| -rw-r--r-- | include/linux/security.h | 71 |
1 files changed, 62 insertions, 9 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 239e40d0450b..3158dd982d27 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -33,7 +33,7 @@ | |||
| 33 | #include <linux/sched.h> | 33 | #include <linux/sched.h> |
| 34 | #include <linux/key.h> | 34 | #include <linux/key.h> |
| 35 | #include <linux/xfrm.h> | 35 | #include <linux/xfrm.h> |
| 36 | #include <linux/gfp.h> | 36 | #include <linux/slab.h> |
| 37 | #include <net/flow.h> | 37 | #include <net/flow.h> |
| 38 | 38 | ||
| 39 | /* Maximum number of letters for an LSM name string */ | 39 | /* Maximum number of letters for an LSM name string */ |
| @@ -76,7 +76,7 @@ extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | |||
| 76 | extern int cap_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp); | 76 | extern int cap_task_setscheduler(struct task_struct *p, int policy, struct sched_param *lp); |
| 77 | extern int cap_task_setioprio(struct task_struct *p, int ioprio); | 77 | extern int cap_task_setioprio(struct task_struct *p, int ioprio); |
| 78 | extern int cap_task_setnice(struct task_struct *p, int nice); | 78 | extern int cap_task_setnice(struct task_struct *p, int nice); |
| 79 | extern int cap_syslog(int type); | 79 | extern int cap_syslog(int type, bool from_file); |
| 80 | extern int cap_vm_enough_memory(struct mm_struct *mm, long pages); | 80 | extern int cap_vm_enough_memory(struct mm_struct *mm, long pages); |
| 81 | 81 | ||
| 82 | struct msghdr; | 82 | struct msghdr; |
| @@ -95,8 +95,15 @@ struct seq_file; | |||
| 95 | extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); | 95 | extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); |
| 96 | extern int cap_netlink_recv(struct sk_buff *skb, int cap); | 96 | extern int cap_netlink_recv(struct sk_buff *skb, int cap); |
| 97 | 97 | ||
| 98 | void reset_security_ops(void); | ||
| 99 | |||
| 100 | #ifdef CONFIG_MMU | ||
| 98 | extern unsigned long mmap_min_addr; | 101 | extern unsigned long mmap_min_addr; |
| 99 | extern unsigned long dac_mmap_min_addr; | 102 | extern unsigned long dac_mmap_min_addr; |
| 103 | #else | ||
| 104 | #define dac_mmap_min_addr 0UL | ||
| 105 | #endif | ||
| 106 | |||
| 100 | /* | 107 | /* |
| 101 | * Values used in the task_security_ops calls | 108 | * Values used in the task_security_ops calls |
| 102 | */ | 109 | */ |
| @@ -121,6 +128,7 @@ struct request_sock; | |||
| 121 | #define LSM_UNSAFE_PTRACE 2 | 128 | #define LSM_UNSAFE_PTRACE 2 |
| 122 | #define LSM_UNSAFE_PTRACE_CAP 4 | 129 | #define LSM_UNSAFE_PTRACE_CAP 4 |
| 123 | 130 | ||
| 131 | #ifdef CONFIG_MMU | ||
| 124 | /* | 132 | /* |
| 125 | * If a hint addr is less than mmap_min_addr change hint to be as | 133 | * If a hint addr is less than mmap_min_addr change hint to be as |
| 126 | * low as possible but still greater than mmap_min_addr | 134 | * low as possible but still greater than mmap_min_addr |
| @@ -135,6 +143,7 @@ static inline unsigned long round_hint_to_min(unsigned long hint) | |||
| 135 | } | 143 | } |
| 136 | extern int mmap_min_addr_handler(struct ctl_table *table, int write, | 144 | extern int mmap_min_addr_handler(struct ctl_table *table, int write, |
| 137 | void __user *buffer, size_t *lenp, loff_t *ppos); | 145 | void __user *buffer, size_t *lenp, loff_t *ppos); |
| 146 | #endif | ||
| 138 | 147 | ||
| 139 | #ifdef CONFIG_SECURITY | 148 | #ifdef CONFIG_SECURITY |
| 140 | 149 | ||
| @@ -447,6 +456,22 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 447 | * @new_dir contains the path structure for parent of the new link. | 456 | * @new_dir contains the path structure for parent of the new link. |
| 448 | * @new_dentry contains the dentry structure of the new link. | 457 | * @new_dentry contains the dentry structure of the new link. |
| 449 | * Return 0 if permission is granted. | 458 | * Return 0 if permission is granted. |
| 459 | * @path_chmod: | ||
| 460 | * Check for permission to change DAC's permission of a file or directory. | ||
| 461 | * @dentry contains the dentry structure. | ||
| 462 | * @mnt contains the vfsmnt structure. | ||
| 463 | * @mode contains DAC's mode. | ||
| 464 | * Return 0 if permission is granted. | ||
| 465 | * @path_chown: | ||
| 466 | * Check for permission to change owner/group of a file or directory. | ||
| 467 | * @path contains the path structure. | ||
| 468 | * @uid contains new owner's ID. | ||
| 469 | * @gid contains new group's ID. | ||
| 470 | * Return 0 if permission is granted. | ||
| 471 | * @path_chroot: | ||
| 472 | * Check for permission to change root directory. | ||
| 473 | * @path contains the path structure. | ||
| 474 | * Return 0 if permission is granted. | ||
| 450 | * @inode_readlink: | 475 | * @inode_readlink: |
| 451 | * Check the permission to read the symbolic link. | 476 | * Check the permission to read the symbolic link. |
| 452 | * @dentry contains the dentry structure for the file link. | 477 | * @dentry contains the dentry structure for the file link. |
| @@ -690,6 +715,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 690 | * @kernel_module_request: | 715 | * @kernel_module_request: |
| 691 | * Ability to trigger the kernel to automatically upcall to userspace for | 716 | * Ability to trigger the kernel to automatically upcall to userspace for |
| 692 | * userspace to load a kernel module with the given name. | 717 | * userspace to load a kernel module with the given name. |
| 718 | * @kmod_name name of the module requested by the kernel | ||
| 693 | * Return 0 if successful. | 719 | * Return 0 if successful. |
| 694 | * @task_setuid: | 720 | * @task_setuid: |
| 695 | * Check permission before setting one or more of the user identity | 721 | * Check permission before setting one or more of the user identity |
| @@ -961,6 +987,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 961 | * Check permissions on incoming network packets. This hook is distinct | 987 | * Check permissions on incoming network packets. This hook is distinct |
| 962 | * from Netfilter's IP input hooks since it is the first time that the | 988 | * from Netfilter's IP input hooks since it is the first time that the |
| 963 | * incoming sk_buff @skb has been associated with a particular socket, @sk. | 989 | * incoming sk_buff @skb has been associated with a particular socket, @sk. |
| 990 | * Must not sleep inside this hook because some callers hold spinlocks. | ||
| 964 | * @sk contains the sock (not socket) associated with the incoming sk_buff. | 991 | * @sk contains the sock (not socket) associated with the incoming sk_buff. |
| 965 | * @skb contains the incoming network data. | 992 | * @skb contains the incoming network data. |
| 966 | * @socket_getpeersec_stream: | 993 | * @socket_getpeersec_stream: |
| @@ -1324,6 +1351,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 1324 | * logging to the console. | 1351 | * logging to the console. |
| 1325 | * See the syslog(2) manual page for an explanation of the @type values. | 1352 | * See the syslog(2) manual page for an explanation of the @type values. |
| 1326 | * @type contains the type of action. | 1353 | * @type contains the type of action. |
| 1354 | * @from_file indicates the context of action (if it came from /proc). | ||
| 1327 | * Return 0 if permission is granted. | 1355 | * Return 0 if permission is granted. |
| 1328 | * @settime: | 1356 | * @settime: |
| 1329 | * Check permission to change the system time. | 1357 | * Check permission to change the system time. |
| @@ -1438,7 +1466,7 @@ struct security_operations { | |||
| 1438 | int (*sysctl) (struct ctl_table *table, int op); | 1466 | int (*sysctl) (struct ctl_table *table, int op); |
| 1439 | int (*quotactl) (int cmds, int type, int id, struct super_block *sb); | 1467 | int (*quotactl) (int cmds, int type, int id, struct super_block *sb); |
| 1440 | int (*quota_on) (struct dentry *dentry); | 1468 | int (*quota_on) (struct dentry *dentry); |
| 1441 | int (*syslog) (int type); | 1469 | int (*syslog) (int type, bool from_file); |
| 1442 | int (*settime) (struct timespec *ts, struct timezone *tz); | 1470 | int (*settime) (struct timespec *ts, struct timezone *tz); |
| 1443 | int (*vm_enough_memory) (struct mm_struct *mm, long pages); | 1471 | int (*vm_enough_memory) (struct mm_struct *mm, long pages); |
| 1444 | 1472 | ||
| @@ -1488,6 +1516,10 @@ struct security_operations { | |||
| 1488 | struct dentry *new_dentry); | 1516 | struct dentry *new_dentry); |
| 1489 | int (*path_rename) (struct path *old_dir, struct dentry *old_dentry, | 1517 | int (*path_rename) (struct path *old_dir, struct dentry *old_dentry, |
| 1490 | struct path *new_dir, struct dentry *new_dentry); | 1518 | struct path *new_dir, struct dentry *new_dentry); |
| 1519 | int (*path_chmod) (struct dentry *dentry, struct vfsmount *mnt, | ||
| 1520 | mode_t mode); | ||
| 1521 | int (*path_chown) (struct path *path, uid_t uid, gid_t gid); | ||
| 1522 | int (*path_chroot) (struct path *path); | ||
| 1491 | #endif | 1523 | #endif |
| 1492 | 1524 | ||
| 1493 | int (*inode_alloc_security) (struct inode *inode); | 1525 | int (*inode_alloc_security) (struct inode *inode); |
| @@ -1557,7 +1589,7 @@ struct security_operations { | |||
| 1557 | void (*cred_transfer)(struct cred *new, const struct cred *old); | 1589 | void (*cred_transfer)(struct cred *new, const struct cred *old); |
| 1558 | int (*kernel_act_as)(struct cred *new, u32 secid); | 1590 | int (*kernel_act_as)(struct cred *new, u32 secid); |
| 1559 | int (*kernel_create_files_as)(struct cred *new, struct inode *inode); | 1591 | int (*kernel_create_files_as)(struct cred *new, struct inode *inode); |
| 1560 | int (*kernel_module_request)(void); | 1592 | int (*kernel_module_request)(char *kmod_name); |
| 1561 | int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); | 1593 | int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); |
| 1562 | int (*task_fix_setuid) (struct cred *new, const struct cred *old, | 1594 | int (*task_fix_setuid) (struct cred *new, const struct cred *old, |
| 1563 | int flags); | 1595 | int flags); |
| @@ -1733,7 +1765,7 @@ int security_acct(struct file *file); | |||
| 1733 | int security_sysctl(struct ctl_table *table, int op); | 1765 | int security_sysctl(struct ctl_table *table, int op); |
| 1734 | int security_quotactl(int cmds, int type, int id, struct super_block *sb); | 1766 | int security_quotactl(int cmds, int type, int id, struct super_block *sb); |
| 1735 | int security_quota_on(struct dentry *dentry); | 1767 | int security_quota_on(struct dentry *dentry); |
| 1736 | int security_syslog(int type); | 1768 | int security_syslog(int type, bool from_file); |
| 1737 | int security_settime(struct timespec *ts, struct timezone *tz); | 1769 | int security_settime(struct timespec *ts, struct timezone *tz); |
| 1738 | int security_vm_enough_memory(long pages); | 1770 | int security_vm_enough_memory(long pages); |
| 1739 | int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); | 1771 | int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); |
| @@ -1822,7 +1854,7 @@ void security_commit_creds(struct cred *new, const struct cred *old); | |||
| 1822 | void security_transfer_creds(struct cred *new, const struct cred *old); | 1854 | void security_transfer_creds(struct cred *new, const struct cred *old); |
| 1823 | int security_kernel_act_as(struct cred *new, u32 secid); | 1855 | int security_kernel_act_as(struct cred *new, u32 secid); |
| 1824 | int security_kernel_create_files_as(struct cred *new, struct inode *inode); | 1856 | int security_kernel_create_files_as(struct cred *new, struct inode *inode); |
| 1825 | int security_kernel_module_request(void); | 1857 | int security_kernel_module_request(char *kmod_name); |
| 1826 | int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); | 1858 | int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); |
| 1827 | int security_task_fix_setuid(struct cred *new, const struct cred *old, | 1859 | int security_task_fix_setuid(struct cred *new, const struct cred *old, |
| 1828 | int flags); | 1860 | int flags); |
| @@ -1979,9 +2011,9 @@ static inline int security_quota_on(struct dentry *dentry) | |||
| 1979 | return 0; | 2011 | return 0; |
| 1980 | } | 2012 | } |
| 1981 | 2013 | ||
| 1982 | static inline int security_syslog(int type) | 2014 | static inline int security_syslog(int type, bool from_file) |
| 1983 | { | 2015 | { |
| 1984 | return cap_syslog(type); | 2016 | return cap_syslog(type, from_file); |
| 1985 | } | 2017 | } |
| 1986 | 2018 | ||
| 1987 | static inline int security_settime(struct timespec *ts, struct timezone *tz) | 2019 | static inline int security_settime(struct timespec *ts, struct timezone *tz) |
| @@ -2387,7 +2419,7 @@ static inline int security_kernel_create_files_as(struct cred *cred, | |||
| 2387 | return 0; | 2419 | return 0; |
| 2388 | } | 2420 | } |
| 2389 | 2421 | ||
| 2390 | static inline int security_kernel_module_request(void) | 2422 | static inline int security_kernel_module_request(char *kmod_name) |
| 2391 | { | 2423 | { |
| 2392 | return 0; | 2424 | return 0; |
| 2393 | } | 2425 | } |
| @@ -2952,6 +2984,10 @@ int security_path_link(struct dentry *old_dentry, struct path *new_dir, | |||
| 2952 | struct dentry *new_dentry); | 2984 | struct dentry *new_dentry); |
| 2953 | int security_path_rename(struct path *old_dir, struct dentry *old_dentry, | 2985 | int security_path_rename(struct path *old_dir, struct dentry *old_dentry, |
| 2954 | struct path *new_dir, struct dentry *new_dentry); | 2986 | struct path *new_dir, struct dentry *new_dentry); |
| 2987 | int security_path_chmod(struct dentry *dentry, struct vfsmount *mnt, | ||
| 2988 | mode_t mode); | ||
| 2989 | int security_path_chown(struct path *path, uid_t uid, gid_t gid); | ||
| 2990 | int security_path_chroot(struct path *path); | ||
| 2955 | #else /* CONFIG_SECURITY_PATH */ | 2991 | #else /* CONFIG_SECURITY_PATH */ |
| 2956 | static inline int security_path_unlink(struct path *dir, struct dentry *dentry) | 2992 | static inline int security_path_unlink(struct path *dir, struct dentry *dentry) |
| 2957 | { | 2993 | { |
| @@ -3001,6 +3037,23 @@ static inline int security_path_rename(struct path *old_dir, | |||
| 3001 | { | 3037 | { |
| 3002 | return 0; | 3038 | return 0; |
| 3003 | } | 3039 | } |
| 3040 | |||
| 3041 | static inline int security_path_chmod(struct dentry *dentry, | ||
| 3042 | struct vfsmount *mnt, | ||
| 3043 | mode_t mode) | ||
| 3044 | { | ||
| 3045 | return 0; | ||
| 3046 | } | ||
| 3047 | |||
| 3048 | static inline int security_path_chown(struct path *path, uid_t uid, gid_t gid) | ||
| 3049 | { | ||
| 3050 | return 0; | ||
| 3051 | } | ||
| 3052 | |||
| 3053 | static inline int security_path_chroot(struct path *path) | ||
| 3054 | { | ||
| 3055 | return 0; | ||
| 3056 | } | ||
| 3004 | #endif /* CONFIG_SECURITY_PATH */ | 3057 | #endif /* CONFIG_SECURITY_PATH */ |
| 3005 | 3058 | ||
| 3006 | #ifdef CONFIG_KEYS | 3059 | #ifdef CONFIG_KEYS |