1 files changed, 46 insertions, 33 deletions

diff --git a/include/linux/security.h b/include/linux/security.h
index c642bb8b8f5a..ca02f1716736 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -25,6 +25,7 @@
 #include <linux/fs.h>
 #include <linux/fsnotify.h>
 #include <linux/binfmts.h>
+#include <linux/dcache.h>
 #include <linux/signal.h>
 #include <linux/resource.h>
 #include <linux/sem.h>
@@ -46,14 +47,15 @@
 
 struct ctl_table;
 struct audit_krule;
+struct user_namespace;
 
 /*
  * These functions are in security/capability.c and are used
  * as the default capabilities functions
  */
 extern int cap_capable(struct task_struct *tsk, const struct cred *cred,
-                       int cap, int audit);
-extern int cap_settime(struct timespec *ts, struct timezone *tz);
+                       struct user_namespace *ns, int cap, int audit);
+extern int cap_settime(const struct timespec *ts, const struct timezone *tz);
 extern int cap_ptrace_access_check(struct task_struct *child, unsigned int mode);
 extern int cap_ptrace_traceme(struct task_struct *parent);
 extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
@@ -267,6 +269,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      @orig the original mount data copied from userspace.
  *      @copy copied data which will be passed to the security module.
  *      Returns 0 if the copy was successful.
+ * @sb_remount:
+ *      Extracts security system specifc mount options and verifys no changes
+ *      are being made to those options.
+ *      @sb superblock being remounted
+ *      @data contains the filesystem-specific data.
+ *      Return 0 if permission is granted.
  * @sb_umount:
  *      Check permission before the @mnt file system is unmounted.
  *      @mnt contains the mounted file system.
@@ -315,6 +323,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      then it should return -EOPNOTSUPP to skip this processing.
  *      @inode contains the inode structure of the newly created inode.
  *      @dir contains the inode structure of the parent directory.
+ *      @qstr contains the last path component of the new object
  *      @name will be set to the allocated name suffix (e.g. selinux).
  *      @value will be set to the allocated attribute value.
  *      @len will be set to the length of the value.
@@ -1254,15 +1263,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  *      credentials.
  *      @tsk contains the task_struct for the process.
  *      @cred contains the credentials to use.
+ *      @ns contains the user namespace we want the capability in
  *      @cap contains the capability <include/linux/capability.h>.
  *      @audit: Whether to write an audit message or not
  *      Return 0 if the capability is granted for @tsk.
- * @sysctl:
- *      Check permission before accessing the @table sysctl variable in the
- *      manner specified by @op.
- *      @table contains the ctl_table structure for the sysctl variable.
- *      @op contains the operation (001 = search, 002 = write, 004 = read).
- *      Return 0 if permission is granted.
  * @syslog:
  *      Check permission before accessing the kernel message ring or changing
  *      logging to the console.
@@ -1382,12 +1386,11 @@ struct security_operations {
                        const kernel_cap_t *inheritable,
                        const kernel_cap_t *permitted);
         int (*capable) (struct task_struct *tsk, const struct cred *cred,
-                        int cap, int audit);
-        int (*sysctl) (struct ctl_table *table, int op);
+                        struct user_namespace *ns, int cap, int audit);
         int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
         int (*quota_on) (struct dentry *dentry);
         int (*syslog) (int type);
-        int (*settime) (struct timespec *ts, struct timezone *tz);
+        int (*settime) (const struct timespec *ts, const struct timezone *tz);
         int (*vm_enough_memory) (struct mm_struct *mm, long pages);
 
         int (*bprm_set_creds) (struct linux_binprm *bprm);
@@ -1399,6 +1402,7 @@ struct security_operations {
         int (*sb_alloc_security) (struct super_block *sb);
         void (*sb_free_security) (struct super_block *sb);
         int (*sb_copy_data) (char *orig, char *copy);
+        int (*sb_remount) (struct super_block *sb, void *data);
         int (*sb_kern_mount) (struct super_block *sb, int flags, void *data);
         int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
         int (*sb_statfs) (struct dentry *dentry);
@@ -1435,7 +1439,8 @@ struct security_operations {
         int (*inode_alloc_security) (struct inode *inode);
         void (*inode_free_security) (struct inode *inode);
         int (*inode_init_security) (struct inode *inode, struct inode *dir,
-                                    char **name, void **value, size_t *len);
+                                    const struct qstr *qstr, char **name,
+                                    void **value, size_t *len);
         int (*inode_create) (struct inode *dir,
                              struct dentry *dentry, int mode);
         int (*inode_link) (struct dentry *old_dentry,
@@ -1623,7 +1628,7 @@ struct security_operations {
         int (*xfrm_policy_lookup) (struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
         int (*xfrm_state_pol_flow_match) (struct xfrm_state *x,
                                           struct xfrm_policy *xp,
-                                          struct flowi *fl);
+                                          const struct flowi *fl);
         int (*xfrm_decode_session) (struct sk_buff *skb, u32 *secid, int ckall);
 #endif  /* CONFIG_SECURITY_NETWORK_XFRM */
 
@@ -1662,14 +1667,16 @@ int security_capset(struct cred *new, const struct cred *old,
                     const kernel_cap_t *effective,
                     const kernel_cap_t *inheritable,
                     const kernel_cap_t *permitted);
-int security_capable(int cap);
-int security_real_capable(struct task_struct *tsk, int cap);
-int security_real_capable_noaudit(struct task_struct *tsk, int cap);
-int security_sysctl(struct ctl_table *table, int op);
+int security_capable(struct user_namespace *ns, const struct cred *cred,
+                        int cap);
+int security_real_capable(struct task_struct *tsk, struct user_namespace *ns,
+                        int cap);
+int security_real_capable_noaudit(struct task_struct *tsk,
+                        struct user_namespace *ns, int cap);
 int security_quotactl(int cmds, int type, int id, struct super_block *sb);
 int security_quota_on(struct dentry *dentry);
 int security_syslog(int type);
-int security_settime(struct timespec *ts, struct timezone *tz);
+int security_settime(const struct timespec *ts, const struct timezone *tz);
 int security_vm_enough_memory(long pages);
 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
 int security_vm_enough_memory_kern(long pages);
@@ -1681,6 +1688,7 @@ int security_bprm_secureexec(struct linux_binprm *bprm);
 int security_sb_alloc(struct super_block *sb);
 void security_sb_free(struct super_block *sb);
 int security_sb_copy_data(char *orig, char *copy);
+int security_sb_remount(struct super_block *sb, void *data);
 int security_sb_kern_mount(struct super_block *sb, int flags, void *data);
 int security_sb_show_options(struct seq_file *m, struct super_block *sb);
 int security_sb_statfs(struct dentry *dentry);
@@ -1696,7 +1704,8 @@ int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts);
 int security_inode_alloc(struct inode *inode);
 void security_inode_free(struct inode *inode);
 int security_inode_init_security(struct inode *inode, struct inode *dir,
-                                  char **name, void **value, size_t *len);
+                                 const struct qstr *qstr, char **name,
+                                 void **value, size_t *len);
 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
                          struct dentry *new_dentry);
@@ -1856,38 +1865,34 @@ static inline int security_capset(struct cred *new,
         return cap_capset(new, old, effective, inheritable, permitted);
 }
 
-static inline int security_capable(int cap)
+static inline int security_capable(struct user_namespace *ns,
+                                   const struct cred *cred, int cap)
 {
-        return cap_capable(current, current_cred(), cap, SECURITY_CAP_AUDIT);
+        return cap_capable(current, cred, ns, cap, SECURITY_CAP_AUDIT);
 }
 
-static inline int security_real_capable(struct task_struct *tsk, int cap)
+static inline int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, int cap)
 {
         int ret;
 
         rcu_read_lock();
-        ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT);
+        ret = cap_capable(tsk, __task_cred(tsk), ns, cap, SECURITY_CAP_AUDIT);
         rcu_read_unlock();
         return ret;
 }
 
 static inline
-int security_real_capable_noaudit(struct task_struct *tsk, int cap)
+int security_real_capable_noaudit(struct task_struct *tsk, struct user_namespace *ns, int cap)
 {
         int ret;
 
         rcu_read_lock();
-        ret = cap_capable(tsk, __task_cred(tsk), cap,
+        ret = cap_capable(tsk, __task_cred(tsk), ns, cap,
                                SECURITY_CAP_NOAUDIT);
         rcu_read_unlock();
         return ret;
 }
 
-static inline int security_sysctl(struct ctl_table *table, int op)
-{
-        return 0;
-}
-
 static inline int security_quotactl(int cmds, int type, int id,
                                      struct super_block *sb)
 {
@@ -1904,7 +1909,8 @@ static inline int security_syslog(int type)
         return 0;
 }
 
-static inline int security_settime(struct timespec *ts, struct timezone *tz)
+static inline int security_settime(const struct timespec *ts,
+                                   const struct timezone *tz)
 {
         return cap_settime(ts, tz);
 }
@@ -1964,6 +1970,11 @@ static inline int security_sb_copy_data(char *orig, char *copy)
         return 0;
 }
 
+static inline int security_sb_remount(struct super_block *sb, void *data)
+{
+        return 0;
+}
+
 static inline int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
 {
         return 0;
@@ -2023,6 +2034,7 @@ static inline void security_inode_free(struct inode *inode)
 
 static inline int security_inode_init_security(struct inode *inode,
                                                 struct inode *dir,
+                                                const struct qstr *qstr,
                                                 char **name,
                                                 void **value,
                                                 size_t *len)
@@ -2761,7 +2773,8 @@ int security_xfrm_state_delete(struct xfrm_state *x);
 void security_xfrm_state_free(struct xfrm_state *x);
 int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
 int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
-                                       struct xfrm_policy *xp, struct flowi *fl);
+                                       struct xfrm_policy *xp,
+                                       const struct flowi *fl);
 int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
 void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl);
 
@@ -2813,7 +2826,7 @@ static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_s
 }
 
 static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
-                        struct xfrm_policy *xp, struct flowi *fl)
+                        struct xfrm_policy *xp, const struct flowi *fl)
 {
         return 1;
 }