1 files changed, 45 insertions, 24 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index d0a28fd1747a..50737c70e78e 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -53,8 +53,9 @@ extern void cap_capset_set(struct task_struct *target, kernel_cap_t *effective,
 extern int cap_bprm_set_security(struct linux_binprm *bprm);
 extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
-extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags);
+extern int cap_inode_setxattr(struct dentry *dentry, const char *name,
-extern int cap_inode_removexattr(struct dentry *dentry, char *name);
+                              const void *value, size_t size, int flags);
+extern int cap_inode_removexattr(struct dentry *dentry, const char *name);
 extern int cap_inode_need_killpriv(struct dentry *dentry);
 extern int cap_inode_killpriv(struct dentry *dentry);
 extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
@@ -1008,6 +1009,17 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      @perm describes the combination of permissions required of this key.
 *      Return 1 if permission granted, 0 if permission denied and -ve it the
 *      normal permissions model should be effected.
+ * @key_getsecurity:
+ *      Get a textual representation of the security context attached to a key
+ *      for the purposes of honouring KEYCTL_GETSECURITY.  This function
+ *      allocates the storage for the NUL-terminated string and the caller
+ *      should free it.
+ *      @key points to the key to be queried.
+ *      @_buffer points to a pointer that should be set to point to the
+ *       resulting string (if no label or an error occurs).
+ *      Return the length of the string (including terminating NUL) or -ve if
+ *      an error.
+ *      May also return 0 (and a NULL buffer pointer) if there is no label.
 *
 * Security hooks affecting all System V IPC operations.
 *
@@ -1362,13 +1374,13 @@ struct security_operations {
        int (*inode_setattr)    (struct dentry *dentry, struct iattr *attr);
        int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
        void (*inode_delete) (struct inode *inode);
-        int (*inode_setxattr) (struct dentry *dentry, char *name, void *value,
+        int (*inode_setxattr) (struct dentry *dentry, const char *name,
-                               size_t size, int flags);
+                               const void *value, size_t size, int flags);
-        void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value,
+        void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
-                                     size_t size, int flags);
+                                     const void *value, size_t size, int flags);
-        int (*inode_getxattr) (struct dentry *dentry, char *name);
+        int (*inode_getxattr) (struct dentry *dentry, const char *name);
        int (*inode_listxattr) (struct dentry *dentry);
-        int (*inode_removexattr) (struct dentry *dentry, char *name);
+        int (*inode_removexattr) (struct dentry *dentry, const char *name);
        int (*inode_need_killpriv) (struct dentry *dentry);
        int (*inode_killpriv) (struct dentry *dentry);
        int (*inode_getsecurity) (const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -1469,7 +1481,7 @@ struct security_operations {
        int (*getprocattr) (struct task_struct *p, char *name, char **value);
        int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
        int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
-        int (*secctx_to_secid) (char *secdata, u32 seclen, u32 *secid);
+        int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
        void (*release_secctx) (char *secdata, u32 seclen);
 #ifdef CONFIG_SECURITY_NETWORK
@@ -1537,7 +1549,7 @@ struct security_operations {
        int (*key_permission) (key_ref_t key_ref,
                               struct task_struct *context,
                               key_perm_t perm);
+        int (*key_getsecurity)(struct key *key, char **_buffer);
 #endif  /* CONFIG_KEYS */
 #ifdef CONFIG_AUDIT
@@ -1633,13 +1645,13 @@ int security_inode_permission(struct inode *inode, int mask, struct nameidata *n
 int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
 void security_inode_delete(struct inode *inode);
-int security_inode_setxattr(struct dentry *dentry, char *name,
+int security_inode_setxattr(struct dentry *dentry, const char *name,
-                            void *value, size_t size, int flags);
+                            const void *value, size_t size, int flags);
-void security_inode_post_setxattr(struct dentry *dentry, char *name,
+void security_inode_post_setxattr(struct dentry *dentry, const char *name,
-                                  void *value, size_t size, int flags);
+                                  const void *value, size_t size, int flags);
-int security_inode_getxattr(struct dentry *dentry, char *name);
+int security_inode_getxattr(struct dentry *dentry, const char *name);
 int security_inode_listxattr(struct dentry *dentry);
-int security_inode_removexattr(struct dentry *dentry, char *name);
+int security_inode_removexattr(struct dentry *dentry, const char *name);
 int security_inode_need_killpriv(struct dentry *dentry);
 int security_inode_killpriv(struct dentry *dentry);
 int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc);
@@ -1718,7 +1730,7 @@ int security_setprocattr(struct task_struct *p, char *name, void *value, size_t
 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
 int security_netlink_recv(struct sk_buff *skb, int cap);
 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
-int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
+int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
 void security_release_secctx(char *secdata, u32 seclen);
 #else /* CONFIG_SECURITY */
@@ -2041,17 +2053,18 @@ static inline int security_inode_getattr(struct vfsmount *mnt,
 static inline void security_inode_delete(struct inode *inode)
 { }
-static inline int security_inode_setxattr(struct dentry *dentry, char *name,
+static inline int security_inode_setxattr(struct dentry *dentry,
-                                           void *value, size_t size, int flags)
+                const char *name, const void *value, size_t size, int flags)
 {
        return cap_inode_setxattr(dentry, name, value, size, flags);
 }
-static inline void security_inode_post_setxattr(struct dentry *dentry, char *name,
+static inline void security_inode_post_setxattr(struct dentry *dentry,
-                                                 void *value, size_t size, int flags)
+                const char *name, const void *value, size_t size, int flags)
 { }
-static inline int security_inode_getxattr(struct dentry *dentry, char *name)
+static inline int security_inode_getxattr(struct dentry *dentry,
+                        const char *name)
 {
        return 0;
 }
@@ -2061,7 +2074,8 @@ static inline int security_inode_listxattr(struct dentry *dentry)
        return 0;
 }
-static inline int security_inode_removexattr(struct dentry *dentry, char *name)
+static inline int security_inode_removexattr(struct dentry *dentry,
+                        const char *name)
 {
        return cap_inode_removexattr(dentry, name);
 }
@@ -2435,7 +2449,7 @@ static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *secle
        return -EOPNOTSUPP;
 }
-static inline int security_secctx_to_secid(char *secdata,
+static inline int security_secctx_to_secid(const char *secdata,
                                           u32 seclen,
                                           u32 *secid)
 {
@@ -2729,6 +2743,7 @@ int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long f
 void security_key_free(struct key *key);
 int security_key_permission(key_ref_t key_ref,
                            struct task_struct *context, key_perm_t perm);
+int security_key_getsecurity(struct key *key, char **_buffer);
 #else
@@ -2750,6 +2765,12 @@ static inline int security_key_permission(key_ref_t key_ref,
        return 0;
 }
+static inline int security_key_getsecurity(struct key *key, char **_buffer)
+{
+        *_buffer = NULL;
+        return 0;
+}
 #endif
 #endif /* CONFIG_KEYS */

diff --git a/include/linux/security.h b/include/linux/security.h index d0a28fd1747a..50737c70e78e 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -53,8 +53,9 @@ extern void cap_capset_set(struct task_struct target, kernel_cap_t effective,
53	extern int cap_bprm_set_security(struct linux_binprm *bprm);	53	extern int cap_bprm_set_security(struct linux_binprm *bprm);
54	extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);	54	extern void cap_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
55	extern int cap_bprm_secureexec(struct linux_binprm *bprm);	55	extern int cap_bprm_secureexec(struct linux_binprm *bprm);
56	extern int cap_inode_setxattr(struct dentry dentry, char name, void *value, size_t size, int flags);	56	extern int cap_inode_setxattr(struct dentry dentry, const char name,
57	extern int cap_inode_removexattr(struct dentry dentry, char name);	57	const void *value, size_t size, int flags);
		58	extern int cap_inode_removexattr(struct dentry dentry, const char name);
58	extern int cap_inode_need_killpriv(struct dentry *dentry);	59	extern int cap_inode_need_killpriv(struct dentry *dentry);
59	extern int cap_inode_killpriv(struct dentry *dentry);	60	extern int cap_inode_killpriv(struct dentry *dentry);
60	extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);	61	extern int cap_task_post_setuid(uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
@@ -1008,6 +1009,17 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
1008	* @perm describes the combination of permissions required of this key.	1009	* @perm describes the combination of permissions required of this key.
1009	* Return 1 if permission granted, 0 if permission denied and -ve it the	1010	* Return 1 if permission granted, 0 if permission denied and -ve it the
1010	* normal permissions model should be effected.	1011	* normal permissions model should be effected.
		1012	* @key_getsecurity:
		1013	* Get a textual representation of the security context attached to a key
		1014	* for the purposes of honouring KEYCTL_GETSECURITY. This function
		1015	* allocates the storage for the NUL-terminated string and the caller
		1016	* should free it.
		1017	* @key points to the key to be queried.
		1018	* @_buffer points to a pointer that should be set to point to the
		1019	* resulting string (if no label or an error occurs).
		1020	* Return the length of the string (including terminating NUL) or -ve if
		1021	* an error.
		1022	* May also return 0 (and a NULL buffer pointer) if there is no label.
1011	*	1023	*
1012	* Security hooks affecting all System V IPC operations.	1024	* Security hooks affecting all System V IPC operations.
1013	*	1025	*
@@ -1362,13 +1374,13 @@ struct security_operations {
1362	int (inode_setattr) (struct dentry dentry, struct iattr *attr);	1374	int (inode_setattr) (struct dentry dentry, struct iattr *attr);
1363	int (inode_getattr) (struct vfsmount mnt, struct dentry *dentry);	1375	int (inode_getattr) (struct vfsmount mnt, struct dentry *dentry);
1364	void (inode_delete) (struct inode inode);	1376	void (inode_delete) (struct inode inode);
1365	int (inode_setxattr) (struct dentry dentry, char name, void value,	1377	int (inode_setxattr) (struct dentry dentry, const char *name,
1366	size_t size, int flags);	1378	const void *value, size_t size, int flags);
1367	void (inode_post_setxattr) (struct dentry dentry, char name, void value,	1379	void (inode_post_setxattr) (struct dentry dentry, const char *name,
1368	size_t size, int flags);	1380	const void *value, size_t size, int flags);
1369	int (inode_getxattr) (struct dentry dentry, char *name);	1381	int (inode_getxattr) (struct dentry dentry, const char *name);
1370	int (inode_listxattr) (struct dentry dentry);	1382	int (inode_listxattr) (struct dentry dentry);
1371	int (inode_removexattr) (struct dentry dentry, char *name);	1383	int (inode_removexattr) (struct dentry dentry, const char *name);
1372	int (inode_need_killpriv) (struct dentry dentry);	1384	int (inode_need_killpriv) (struct dentry dentry);
1373	int (inode_killpriv) (struct dentry dentry);	1385	int (inode_killpriv) (struct dentry dentry);
1374	int (inode_getsecurity) (const struct inode inode, const char name, void *buffer, bool alloc);	1386	int (inode_getsecurity) (const struct inode inode, const char name, void *buffer, bool alloc);
@@ -1469,7 +1481,7 @@ struct security_operations {
1469	int (getprocattr) (struct task_struct p, char name, char *value);	1481	int (getprocattr) (struct task_struct p, char name, char *value);
1470	int (setprocattr) (struct task_struct p, char name, void value, size_t size);	1482	int (setprocattr) (struct task_struct p, char name, void value, size_t size);
1471	int (secid_to_secctx) (u32 secid, char secdata, u32 seclen);	1483	int (secid_to_secctx) (u32 secid, char secdata, u32 seclen);
1472	int (secctx_to_secid) (char secdata, u32 seclen, u32 *secid);	1484	int (secctx_to_secid) (const char secdata, u32 seclen, u32 *secid);
1473	void (release_secctx) (char secdata, u32 seclen);	1485	void (release_secctx) (char secdata, u32 seclen);
1474		1486
1475	#ifdef CONFIG_SECURITY_NETWORK	1487	#ifdef CONFIG_SECURITY_NETWORK
@@ -1537,7 +1549,7 @@ struct security_operations {
1537	int (*key_permission) (key_ref_t key_ref,	1549	int (*key_permission) (key_ref_t key_ref,
1538	struct task_struct *context,	1550	struct task_struct *context,
1539	key_perm_t perm);	1551	key_perm_t perm);
1540		1552	int (key_getsecurity)(struct key key, char **_buffer);
1541	#endif /* CONFIG_KEYS */	1553	#endif /* CONFIG_KEYS */
1542		1554
1543	#ifdef CONFIG_AUDIT	1555	#ifdef CONFIG_AUDIT
@@ -1633,13 +1645,13 @@ int security_inode_permission(struct inode inode, int mask, struct nameidata n
1633	int security_inode_setattr(struct dentry dentry, struct iattr attr);	1645	int security_inode_setattr(struct dentry dentry, struct iattr attr);
1634	int security_inode_getattr(struct vfsmount mnt, struct dentry dentry);	1646	int security_inode_getattr(struct vfsmount mnt, struct dentry dentry);
1635	void security_inode_delete(struct inode *inode);	1647	void security_inode_delete(struct inode *inode);
1636	int security_inode_setxattr(struct dentry dentry, char name,	1648	int security_inode_setxattr(struct dentry dentry, const char name,
1637	void *value, size_t size, int flags);	1649	const void *value, size_t size, int flags);
1638	void security_inode_post_setxattr(struct dentry dentry, char name,	1650	void security_inode_post_setxattr(struct dentry dentry, const char name,
1639	void *value, size_t size, int flags);	1651	const void *value, size_t size, int flags);
1640	int security_inode_getxattr(struct dentry dentry, char name);	1652	int security_inode_getxattr(struct dentry dentry, const char name);
1641	int security_inode_listxattr(struct dentry *dentry);	1653	int security_inode_listxattr(struct dentry *dentry);
1642	int security_inode_removexattr(struct dentry dentry, char name);	1654	int security_inode_removexattr(struct dentry dentry, const char name);
1643	int security_inode_need_killpriv(struct dentry *dentry);	1655	int security_inode_need_killpriv(struct dentry *dentry);
1644	int security_inode_killpriv(struct dentry *dentry);	1656	int security_inode_killpriv(struct dentry *dentry);
1645	int security_inode_getsecurity(const struct inode inode, const char name, void **buffer, bool alloc);	1657	int security_inode_getsecurity(const struct inode inode, const char name, void **buffer, bool alloc);
@@ -1718,7 +1730,7 @@ int security_setprocattr(struct task_struct p, char name, void *value, size_t
1718	int security_netlink_send(struct sock sk, struct sk_buff skb);	1730	int security_netlink_send(struct sock sk, struct sk_buff skb);
1719	int security_netlink_recv(struct sk_buff *skb, int cap);	1731	int security_netlink_recv(struct sk_buff *skb, int cap);
1720	int security_secid_to_secctx(u32 secid, char *secdata, u32 seclen);	1732	int security_secid_to_secctx(u32 secid, char *secdata, u32 seclen);
1721	int security_secctx_to_secid(char secdata, u32 seclen, u32 secid);	1733	int security_secctx_to_secid(const char secdata, u32 seclen, u32 secid);
1722	void security_release_secctx(char *secdata, u32 seclen);	1734	void security_release_secctx(char *secdata, u32 seclen);
1723		1735
1724	#else /* CONFIG_SECURITY */	1736	#else /* CONFIG_SECURITY */
@@ -2041,17 +2053,18 @@ static inline int security_inode_getattr(struct vfsmount *mnt,
2041	static inline void security_inode_delete(struct inode *inode)	2053	static inline void security_inode_delete(struct inode *inode)
2042	{ }	2054	{ }
2043		2055
2044	static inline int security_inode_setxattr(struct dentry dentry, char name,	2056	static inline int security_inode_setxattr(struct dentry *dentry,
2045	void *value, size_t size, int flags)	2057	const char name, const void value, size_t size, int flags)
2046	{	2058	{
2047	return cap_inode_setxattr(dentry, name, value, size, flags);	2059	return cap_inode_setxattr(dentry, name, value, size, flags);
2048	}	2060	}
2049		2061
2050	static inline void security_inode_post_setxattr(struct dentry dentry, char name,	2062	static inline void security_inode_post_setxattr(struct dentry *dentry,
2051	void *value, size_t size, int flags)	2063	const char name, const void value, size_t size, int flags)
2052	{ }	2064	{ }
2053		2065
2054	static inline int security_inode_getxattr(struct dentry dentry, char name)	2066	static inline int security_inode_getxattr(struct dentry *dentry,
		2067	const char *name)
2055	{	2068	{
2056	return 0;	2069	return 0;
2057	}	2070	}
@@ -2061,7 +2074,8 @@ static inline int security_inode_listxattr(struct dentry *dentry)
2061	return 0;	2074	return 0;
2062	}	2075	}
2063		2076
2064	static inline int security_inode_removexattr(struct dentry dentry, char name)	2077	static inline int security_inode_removexattr(struct dentry *dentry,
		2078	const char *name)
2065	{	2079	{
2066	return cap_inode_removexattr(dentry, name);	2080	return cap_inode_removexattr(dentry, name);
2067	}	2081	}
@@ -2435,7 +2449,7 @@ static inline int security_secid_to_secctx(u32 secid, char *secdata, u32 secle
2435	return -EOPNOTSUPP;	2449	return -EOPNOTSUPP;
2436	}	2450	}
2437		2451
2438	static inline int security_secctx_to_secid(char *secdata,	2452	static inline int security_secctx_to_secid(const char *secdata,
2439	u32 seclen,	2453	u32 seclen,
2440	u32 *secid)	2454	u32 *secid)
2441	{	2455	{
@@ -2729,6 +2743,7 @@ int security_key_alloc(struct key key, struct task_struct tsk, unsigned long f
2729	void security_key_free(struct key *key);	2743	void security_key_free(struct key *key);
2730	int security_key_permission(key_ref_t key_ref,	2744	int security_key_permission(key_ref_t key_ref,
2731	struct task_struct *context, key_perm_t perm);	2745	struct task_struct *context, key_perm_t perm);
		2746	int security_key_getsecurity(struct key key, char *_buffer);
2732		2747
2733	#else	2748	#else
2734		2749
@@ -2750,6 +2765,12 @@ static inline int security_key_permission(key_ref_t key_ref,
2750	return 0;	2765	return 0;
2751	}	2766	}
2752		2767
		2768	static inline int security_key_getsecurity(struct key key, char *_buffer)
		2769	{
		2770	*_buffer = NULL;
		2771	return 0;
		2772	}
		2773
2753	#endif	2774	#endif
2754	#endif /* CONFIG_KEYS */	2775	#endif /* CONFIG_KEYS */
2755		2776