Diffstat (limited to 'include/linux/security.h')
-rw-r--r-- | include/linux/security.h | 92 |
1 files changed, 83 insertions, 9 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 0e43460d374e..f7e0ae018712 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -30,6 +30,7 @@ | |||
30 | #include <linux/shm.h> | 30 | #include <linux/shm.h> |
31 | #include <linux/msg.h> | 31 | #include <linux/msg.h> |
32 | #include <linux/sched.h> | 32 | #include <linux/sched.h> |
33 | #include <linux/key.h> | ||
33 | 34 | ||
34 | struct ctl_table; | 35 | struct ctl_table; |
35 | 36 | ||
@@ -385,6 +386,9 @@ struct swap_info_struct; | |||
385 | * NULL to request the size of the buffer required. @size indicates | 386 | * NULL to request the size of the buffer required. @size indicates |
386 | * the size of @buffer in bytes. Note that @name is the remainder | 387 | * the size of @buffer in bytes. Note that @name is the remainder |
387 | * of the attribute name after the security. prefix has been removed. | 388 | * of the attribute name after the security. prefix has been removed. |
389 | * @err is the return value from the preceding fs getxattr call, | ||
390 | * and can be used by the security module to determine whether it | ||
391 | * should try and canonicalize the attribute value. | ||
388 | * Return number of bytes used/required on success. | 392 | * Return number of bytes used/required on success. |
389 | * @inode_setsecurity: | 393 | * @inode_setsecurity: |
390 | * Set the security label associated with @name for @inode from the | 394 | * Set the security label associated with @name for @inode from the |
@@ -785,6 +789,27 @@ struct swap_info_struct; | |||
785 | * @sk_free_security: | 789 | * @sk_free_security: |
786 | * Deallocate security structure. | 790 | * Deallocate security structure. |
787 | * | 791 | * |
792 | * Security hooks affecting all Key Management operations | ||
793 | * | ||
794 | * @key_alloc: | ||
795 | * Permit allocation of a key and assign security data. Note that key does | ||
796 | * not have a serial number assigned at this point. | ||
797 | * @key points to the key. | ||
798 | * Return 0 if permission is granted, -ve error otherwise. | ||
799 | * @key_free: | ||
800 | * Notification of destruction; free security data. | ||
801 | * @key points to the key. | ||
802 | * No return value. | ||
803 | * @key_permission: | ||
804 | * See whether a specific operational right is granted to a process on a | ||
805 | * key. | ||
806 | * @key_ref refers to the key (key pointer + possession attribute bit). | ||
807 | * @context points to the process to provide the context against which to | ||
808 | * evaluate the security data on the key. | ||
809 | * @perm describes the combination of permissions required of this key. | ||
810 | * Return 1 if permission granted, 0 if permission denied and -ve it the | ||
811 | * normal permissions model should be effected. | ||
812 | * | ||
788 | * Security hooks affecting all System V IPC operations. | 813 | * Security hooks affecting all System V IPC operations. |
789 | * | 814 | * |
790 | * @ipc_permission: | 815 | * @ipc_permission: |
@@ -1091,7 +1116,7 @@ struct security_operations { | |||
1091 | int (*inode_getxattr) (struct dentry *dentry, char *name); | 1116 | int (*inode_getxattr) (struct dentry *dentry, char *name); |
1092 | int (*inode_listxattr) (struct dentry *dentry); | 1117 | int (*inode_listxattr) (struct dentry *dentry); |
1093 | int (*inode_removexattr) (struct dentry *dentry, char *name); | 1118 | int (*inode_removexattr) (struct dentry *dentry, char *name); |
1094 | int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size); | 1119 | int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size, int err); |
1095 | int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); | 1120 | int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); |
1096 | int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); | 1121 | int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); |
1097 | 1122 | ||
@@ -1210,9 +1235,20 @@ struct security_operations { | |||
1210 | int (*socket_shutdown) (struct socket * sock, int how); | 1235 | int (*socket_shutdown) (struct socket * sock, int how); |
1211 | int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); | 1236 | int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); |
1212 | int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); | 1237 | int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); |
1213 | int (*sk_alloc_security) (struct sock *sk, int family, int priority); | 1238 | int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority); |
1214 | void (*sk_free_security) (struct sock *sk); | 1239 | void (*sk_free_security) (struct sock *sk); |
1215 | #endif /* CONFIG_SECURITY_NETWORK */ | 1240 | #endif /* CONFIG_SECURITY_NETWORK */ |
1241 | |||
1242 | /* key management security hooks */ | ||
1243 | #ifdef CONFIG_KEYS | ||
1244 | int (*key_alloc)(struct key *key); | ||
1245 | void (*key_free)(struct key *key); | ||
1246 | int (*key_permission)(key_ref_t key_ref, | ||
1247 | struct task_struct *context, | ||
1248 | key_perm_t perm); | ||
1249 | |||
1250 | #endif /* CONFIG_KEYS */ | ||
1251 | |||
1216 | }; | 1252 | }; |
1217 | 1253 | ||
1218 | /* global variables */ | 1254 | /* global variables */ |
@@ -1580,11 +1616,11 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name) | |||
1580 | return security_ops->inode_removexattr (dentry, name); | 1616 | return security_ops->inode_removexattr (dentry, name); |
1581 | } | 1617 | } |
1582 | 1618 | ||
1583 | static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) | 1619 | static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err) |
1584 | { | 1620 | { |
1585 | if (unlikely (IS_PRIVATE (inode))) | 1621 | if (unlikely (IS_PRIVATE (inode))) |
1586 | return 0; | 1622 | return 0; |
1587 | return security_ops->inode_getsecurity(inode, name, buffer, size); | 1623 | return security_ops->inode_getsecurity(inode, name, buffer, size, err); |
1588 | } | 1624 | } |
1589 | 1625 | ||
1590 | static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) | 1626 | static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) |
@@ -2222,7 +2258,7 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name) | |||
2222 | return cap_inode_removexattr(dentry, name); | 2258 | return cap_inode_removexattr(dentry, name); |
2223 | } | 2259 | } |
2224 | 2260 | ||
2225 | static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) | 2261 | static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err) |
2226 | { | 2262 | { |
2227 | return -EOPNOTSUPP; | 2263 | return -EOPNOTSUPP; |
2228 | } | 2264 | } |
@@ -2634,8 +2670,7 @@ static inline int security_socket_getpeersec(struct socket *sock, char __user *o | |||
2634 | return security_ops->socket_getpeersec(sock, optval, optlen, len); | 2670 | return security_ops->socket_getpeersec(sock, optval, optlen, len); |
2635 | } | 2671 | } |
2636 | 2672 | ||
2637 | static inline int security_sk_alloc(struct sock *sk, int family, | 2673 | static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) |
2638 | unsigned int __nocast priority) | ||
2639 | { | 2674 | { |
2640 | return security_ops->sk_alloc_security(sk, family, priority); | 2675 | return security_ops->sk_alloc_security(sk, family, priority); |
2641 | } | 2676 | } |
@@ -2752,8 +2787,7 @@ static inline int security_socket_getpeersec(struct socket *sock, char __user *o | |||
2752 | return -ENOPROTOOPT; | 2787 | return -ENOPROTOOPT; |
2753 | } | 2788 | } |
2754 | 2789 | ||
2755 | static inline int security_sk_alloc(struct sock *sk, int family, | 2790 | static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) |
2756 | unsigned int __nocast priority) | ||
2757 | { | 2791 | { |
2758 | return 0; | 2792 | return 0; |
2759 | } | 2793 | } |
@@ -2763,5 +2797,45 @@ static inline void security_sk_free(struct sock *sk) | |||
2763 | } | 2797 | } |
2764 | #endif /* CONFIG_SECURITY_NETWORK */ | 2798 | #endif /* CONFIG_SECURITY_NETWORK */ |
2765 | 2799 | ||
2800 | #ifdef CONFIG_KEYS | ||
2801 | #ifdef CONFIG_SECURITY | ||
2802 | static inline int security_key_alloc(struct key *key) | ||
2803 | { | ||
2804 | return security_ops->key_alloc(key); | ||
2805 | } | ||
2806 | |||
2807 | static inline void security_key_free(struct key *key) | ||
2808 | { | ||
2809 | security_ops->key_free(key); | ||
2810 | } | ||
2811 | |||
2812 | static inline int security_key_permission(key_ref_t key_ref, | ||
2813 | struct task_struct *context, | ||
2814 | key_perm_t perm) | ||
2815 | { | ||
2816 | return security_ops->key_permission(key_ref, context, perm); | ||
2817 | } | ||
2818 | |||
2819 | #else | ||
2820 | |||
2821 | static inline int security_key_alloc(struct key *key) | ||
2822 | { | ||
2823 | return 0; | ||
2824 | } | ||
2825 | |||
2826 | static inline void security_key_free(struct key *key) | ||
2827 | { | ||
2828 | } | ||
2829 | |||
2830 | static inline int security_key_permission(key_ref_t key_ref, | ||
2831 | struct task_struct *context, | ||
2832 | key_perm_t perm) | ||
2833 | { | ||
2834 | return 0; | ||
2835 | } | ||
2836 | |||
2837 | #endif | ||
2838 | #endif /* CONFIG_KEYS */ | ||
2839 | |||
2766 | #endif /* ! __LINUX_SECURITY_H */ | 2840 | #endif /* ! __LINUX_SECURITY_H */ |
2767 | 2841 | ||
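Review bot: The kernel-doc added for @key_permission (new lines 810-811) says 1 means granted and 0 means denied, but the !CONFIG_SECURITY stub of security_key_permission() (new lines 2830-2835) returns 0, and the @key_alloc text just above it uses 0 for "permission is granted". One of the two is wrong, and on an access-control hook an LSM author who follows the comment could grant where they meant to deny, or the reverse. The callers are not in this file, so confirm the convention against the key permission check. If 0 is the allow value, as the stub suggests, the comment should read `* Return 0 if permission is granted, -ve error otherwise.` The same sentence also has a typo, "-ve it the", which should be "-ve if the".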