1 files changed, 31 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index a16d6b7c4ebe..40ba39ea68ce 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -998,6 +998,17 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *      Sets the connection's peersid to the secmark on skb.
 * @req_classify_flow:
 *      Sets the flow's sid to the openreq sid.
+ * @tun_dev_create:
+ *      Check permissions prior to creating a new TUN device.
+ * @tun_dev_post_create:
+ *      This hook allows a module to update or allocate a per-socket security
+ *      structure.
+ *      @sk contains the newly created sock structure.
+ * @tun_dev_attach:
+ *      Check permissions prior to attaching to a persistent TUN device.  This
+ *      hook can also be used by the module to update any security state
+ *      associated with the TUN device's sock structure.
+ *      @sk contains the existing sock structure.
 *
 * Security hooks for XFRM operations.
 *
@@ -1597,6 +1608,9 @@ struct security_operations {
        void (*inet_csk_clone) (struct sock *newsk, const struct request_sock *req);
        void (*inet_conn_established) (struct sock *sk, struct sk_buff *skb);
        void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl);
+        int (*tun_dev_create)(void);
+        void (*tun_dev_post_create)(struct sock *sk);
+        int (*tun_dev_attach)(struct sock *sk);
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2586,6 +2600,9 @@ void security_inet_csk_clone(struct sock *newsk,
                        const struct request_sock *req);
 void security_inet_conn_established(struct sock *sk,
                        struct sk_buff *skb);
+int security_tun_dev_create(void);
+void security_tun_dev_post_create(struct sock *sk);
+int security_tun_dev_attach(struct sock *sk);
 #else   /* CONFIG_SECURITY_NETWORK */
 static inline int security_unix_stream_connect(struct socket *sock,
@@ -2736,6 +2753,20 @@ static inline void security_inet_conn_established(struct sock *sk,
                        struct sk_buff *skb)
 {
 }
+static inline int security_tun_dev_create(void)
+{
+        return 0;
+}
+static inline void security_tun_dev_post_create(struct sock *sk)
+{
+}
+static inline int security_tun_dev_attach(struct sock *sk)
+{
+        return 0;
+}
 #endif  /* CONFIG_SECURITY_NETWORK */
 #ifdef CONFIG_SECURITY_NETWORK_XFRM

diff --git a/include/linux/security.h b/include/linux/security.h index a16d6b7c4ebe..40ba39ea68ce 100644 --- a/include/linux/security.h +++ b/include/linux/security.h
@@ -998,6 +998,17 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
998	* Sets the connection's peersid to the secmark on skb.	998	* Sets the connection's peersid to the secmark on skb.
999	* @req_classify_flow:	999	* @req_classify_flow:
1000	* Sets the flow's sid to the openreq sid.	1000	* Sets the flow's sid to the openreq sid.
		1001	* @tun_dev_create:
		1002	* Check permissions prior to creating a new TUN device.
		1003	* @tun_dev_post_create:
		1004	* This hook allows a module to update or allocate a per-socket security
		1005	* structure.
		1006	* @sk contains the newly created sock structure.
		1007	* @tun_dev_attach:
		1008	* Check permissions prior to attaching to a persistent TUN device. This
		1009	* hook can also be used by the module to update any security state
		1010	* associated with the TUN device's sock structure.
		1011	* @sk contains the existing sock structure.
1001	*	1012	*
1002	* Security hooks for XFRM operations.	1013	* Security hooks for XFRM operations.
1003	*	1014	*
@@ -1597,6 +1608,9 @@ struct security_operations {
1597	void (inet_csk_clone) (struct sock newsk, const struct request_sock *req);	1608	void (inet_csk_clone) (struct sock newsk, const struct request_sock *req);
1598	void (inet_conn_established) (struct sock sk, struct sk_buff *skb);	1609	void (inet_conn_established) (struct sock sk, struct sk_buff *skb);
1599	void (req_classify_flow) (const struct request_sock req, struct flowi *fl);	1610	void (req_classify_flow) (const struct request_sock req, struct flowi *fl);
		1611	int (*tun_dev_create)(void);
		1612	void (tun_dev_post_create)(struct sock sk);
		1613	int (tun_dev_attach)(struct sock sk);
1600	#endif /* CONFIG_SECURITY_NETWORK */	1614	#endif /* CONFIG_SECURITY_NETWORK */
1601		1615
1602	#ifdef CONFIG_SECURITY_NETWORK_XFRM	1616	#ifdef CONFIG_SECURITY_NETWORK_XFRM
@@ -2586,6 +2600,9 @@ void security_inet_csk_clone(struct sock *newsk,
2586	const struct request_sock *req);	2600	const struct request_sock *req);
2587	void security_inet_conn_established(struct sock *sk,	2601	void security_inet_conn_established(struct sock *sk,
2588	struct sk_buff *skb);	2602	struct sk_buff *skb);
		2603	int security_tun_dev_create(void);
		2604	void security_tun_dev_post_create(struct sock *sk);
		2605	int security_tun_dev_attach(struct sock *sk);
2589		2606
2590	#else /* CONFIG_SECURITY_NETWORK */	2607	#else /* CONFIG_SECURITY_NETWORK */
2591	static inline int security_unix_stream_connect(struct socket *sock,	2608	static inline int security_unix_stream_connect(struct socket *sock,
@@ -2736,6 +2753,20 @@ static inline void security_inet_conn_established(struct sock *sk,
2736	struct sk_buff *skb)	2753	struct sk_buff *skb)
2737	{	2754	{
2738	}	2755	}
		2756
		2757	static inline int security_tun_dev_create(void)
		2758	{
		2759	return 0;
		2760	}
		2761
		2762	static inline void security_tun_dev_post_create(struct sock *sk)
		2763	{
		2764	}
		2765
		2766	static inline int security_tun_dev_attach(struct sock *sk)
		2767	{
		2768	return 0;
		2769	}
2739	#endif /* CONFIG_SECURITY_NETWORK */	2770	#endif /* CONFIG_SECURITY_NETWORK */
2740		2771
2741	#ifdef CONFIG_SECURITY_NETWORK_XFRM	2772	#ifdef CONFIG_SECURITY_NETWORK_XFRM