aboutsummaryrefslogtreecommitdiffstats
path: root/include/linux/security.h
diff options
context:
space:
mode:
Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h92
1 files changed, 83 insertions, 9 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 0e43460d374e..f7e0ae018712 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -30,6 +30,7 @@
30#include <linux/shm.h> 30#include <linux/shm.h>
31#include <linux/msg.h> 31#include <linux/msg.h>
32#include <linux/sched.h> 32#include <linux/sched.h>
33#include <linux/key.h>
33 34
34struct ctl_table; 35struct ctl_table;
35 36
@@ -385,6 +386,9 @@ struct swap_info_struct;
385 * NULL to request the size of the buffer required. @size indicates 386 * NULL to request the size of the buffer required. @size indicates
386 * the size of @buffer in bytes. Note that @name is the remainder 387 * the size of @buffer in bytes. Note that @name is the remainder
387 * of the attribute name after the security. prefix has been removed. 388 * of the attribute name after the security. prefix has been removed.
389 * @err is the return value from the preceding fs getxattr call,
390 * and can be used by the security module to determine whether it
391 * should try and canonicalize the attribute value.
388 * Return number of bytes used/required on success. 392 * Return number of bytes used/required on success.
389 * @inode_setsecurity: 393 * @inode_setsecurity:
390 * Set the security label associated with @name for @inode from the 394 * Set the security label associated with @name for @inode from the
@@ -785,6 +789,27 @@ struct swap_info_struct;
785 * @sk_free_security: 789 * @sk_free_security:
786 * Deallocate security structure. 790 * Deallocate security structure.
787 * 791 *
792 * Security hooks affecting all Key Management operations
793 *
794 * @key_alloc:
795 * Permit allocation of a key and assign security data. Note that key does
796 * not have a serial number assigned at this point.
797 * @key points to the key.
798 * Return 0 if permission is granted, -ve error otherwise.
799 * @key_free:
800 * Notification of destruction; free security data.
801 * @key points to the key.
802 * No return value.
803 * @key_permission:
804 * See whether a specific operational right is granted to a process on a
805 * key.
806 * @key_ref refers to the key (key pointer + possession attribute bit).
807 * @context points to the process to provide the context against which to
808 * evaluate the security data on the key.
809 * @perm describes the combination of permissions required of this key.
810 * Return 1 if permission granted, 0 if permission denied and -ve it the
811 * normal permissions model should be effected.
812 *
788 * Security hooks affecting all System V IPC operations. 813 * Security hooks affecting all System V IPC operations.
789 * 814 *
790 * @ipc_permission: 815 * @ipc_permission:
@@ -1091,7 +1116,7 @@ struct security_operations {
1091 int (*inode_getxattr) (struct dentry *dentry, char *name); 1116 int (*inode_getxattr) (struct dentry *dentry, char *name);
1092 int (*inode_listxattr) (struct dentry *dentry); 1117 int (*inode_listxattr) (struct dentry *dentry);
1093 int (*inode_removexattr) (struct dentry *dentry, char *name); 1118 int (*inode_removexattr) (struct dentry *dentry, char *name);
1094 int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size); 1119 int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size, int err);
1095 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1120 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
1096 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); 1121 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);
1097 1122
@@ -1210,9 +1235,20 @@ struct security_operations {
1210 int (*socket_shutdown) (struct socket * sock, int how); 1235 int (*socket_shutdown) (struct socket * sock, int how);
1211 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); 1236 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb);
1212 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); 1237 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
1213 int (*sk_alloc_security) (struct sock *sk, int family, int priority); 1238 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
1214 void (*sk_free_security) (struct sock *sk); 1239 void (*sk_free_security) (struct sock *sk);
1215#endif /* CONFIG_SECURITY_NETWORK */ 1240#endif /* CONFIG_SECURITY_NETWORK */
1241
1242 /* key management security hooks */
1243#ifdef CONFIG_KEYS
1244 int (*key_alloc)(struct key *key);
1245 void (*key_free)(struct key *key);
1246 int (*key_permission)(key_ref_t key_ref,
1247 struct task_struct *context,
1248 key_perm_t perm);
1249
1250#endif /* CONFIG_KEYS */
1251
1216}; 1252};
1217 1253
1218/* global variables */ 1254/* global variables */
@@ -1580,11 +1616,11 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
1580 return security_ops->inode_removexattr (dentry, name); 1616 return security_ops->inode_removexattr (dentry, name);
1581} 1617}
1582 1618
1583static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 1619static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
1584{ 1620{
1585 if (unlikely (IS_PRIVATE (inode))) 1621 if (unlikely (IS_PRIVATE (inode)))
1586 return 0; 1622 return 0;
1587 return security_ops->inode_getsecurity(inode, name, buffer, size); 1623 return security_ops->inode_getsecurity(inode, name, buffer, size, err);
1588} 1624}
1589 1625
1590static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 1626static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
@@ -2222,7 +2258,7 @@ static inline int security_inode_removexattr (struct dentry *dentry, char *name)
2222 return cap_inode_removexattr(dentry, name); 2258 return cap_inode_removexattr(dentry, name);
2223} 2259}
2224 2260
2225static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 2261static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size, int err)
2226{ 2262{
2227 return -EOPNOTSUPP; 2263 return -EOPNOTSUPP;
2228} 2264}
@@ -2634,8 +2670,7 @@ static inline int security_socket_getpeersec(struct socket *sock, char __user *o
2634 return security_ops->socket_getpeersec(sock, optval, optlen, len); 2670 return security_ops->socket_getpeersec(sock, optval, optlen, len);
2635} 2671}
2636 2672
2637static inline int security_sk_alloc(struct sock *sk, int family, 2673static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
2638 unsigned int __nocast priority)
2639{ 2674{
2640 return security_ops->sk_alloc_security(sk, family, priority); 2675 return security_ops->sk_alloc_security(sk, family, priority);
2641} 2676}
@@ -2752,8 +2787,7 @@ static inline int security_socket_getpeersec(struct socket *sock, char __user *o
2752 return -ENOPROTOOPT; 2787 return -ENOPROTOOPT;
2753} 2788}
2754 2789
2755static inline int security_sk_alloc(struct sock *sk, int family, 2790static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
2756 unsigned int __nocast priority)
2757{ 2791{
2758 return 0; 2792 return 0;
2759} 2793}
@@ -2763,5 +2797,45 @@ static inline void security_sk_free(struct sock *sk)
2763} 2797}
2764#endif /* CONFIG_SECURITY_NETWORK */ 2798#endif /* CONFIG_SECURITY_NETWORK */
2765 2799
2800#ifdef CONFIG_KEYS
2801#ifdef CONFIG_SECURITY
2802static inline int security_key_alloc(struct key *key)
2803{
2804 return security_ops->key_alloc(key);
2805}
2806
2807static inline void security_key_free(struct key *key)
2808{
2809 security_ops->key_free(key);
2810}
2811
2812static inline int security_key_permission(key_ref_t key_ref,
2813 struct task_struct *context,
2814 key_perm_t perm)
2815{
2816 return security_ops->key_permission(key_ref, context, perm);
2817}
2818
2819#else
2820
2821static inline int security_key_alloc(struct key *key)
2822{
2823 return 0;
2824}
2825
2826static inline void security_key_free(struct key *key)
2827{
2828}
2829
2830static inline int security_key_permission(key_ref_t key_ref,
2831 struct task_struct *context,
2832 key_perm_t perm)
2833{
2834 return 0;
2835}
2836
2837#endif
2838#endif /* CONFIG_KEYS */
2839
2766#endif /* ! __LINUX_SECURITY_H */ 2840#endif /* ! __LINUX_SECURITY_H */
2767 2841