diff options
Diffstat (limited to 'include/linux/security.h')
| -rw-r--r-- | include/linux/security.h | 102 |
1 files changed, 75 insertions, 27 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index fe52cdeab0a6..c673dfd4dffc 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -34,12 +34,6 @@ | |||
| 34 | #include <linux/xfrm.h> | 34 | #include <linux/xfrm.h> |
| 35 | #include <net/flow.h> | 35 | #include <net/flow.h> |
| 36 | 36 | ||
| 37 | /* only a char in selinux superblock security struct flags */ | ||
| 38 | #define FSCONTEXT_MNT 0x01 | ||
| 39 | #define CONTEXT_MNT 0x02 | ||
| 40 | #define ROOTCONTEXT_MNT 0x04 | ||
| 41 | #define DEFCONTEXT_MNT 0x08 | ||
| 42 | |||
| 43 | extern unsigned securebits; | 37 | extern unsigned securebits; |
| 44 | 38 | ||
| 45 | struct ctl_table; | 39 | struct ctl_table; |
| @@ -63,7 +57,6 @@ extern int cap_inode_need_killpriv(struct dentry *dentry); | |||
| 63 | extern int cap_inode_killpriv(struct dentry *dentry); | 57 | extern int cap_inode_killpriv(struct dentry *dentry); |
| 64 | extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); | 58 | extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); |
| 65 | extern void cap_task_reparent_to_init (struct task_struct *p); | 59 | extern void cap_task_reparent_to_init (struct task_struct *p); |
| 66 | extern int cap_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid); | ||
| 67 | extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp); | 60 | extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp); |
| 68 | extern int cap_task_setioprio (struct task_struct *p, int ioprio); | 61 | extern int cap_task_setioprio (struct task_struct *p, int ioprio); |
| 69 | extern int cap_task_setnice (struct task_struct *p, int nice); | 62 | extern int cap_task_setnice (struct task_struct *p, int nice); |
| @@ -114,6 +107,32 @@ struct request_sock; | |||
| 114 | 107 | ||
| 115 | #ifdef CONFIG_SECURITY | 108 | #ifdef CONFIG_SECURITY |
| 116 | 109 | ||
| 110 | struct security_mnt_opts { | ||
| 111 | char **mnt_opts; | ||
| 112 | int *mnt_opts_flags; | ||
| 113 | int num_mnt_opts; | ||
| 114 | }; | ||
| 115 | |||
| 116 | static inline void security_init_mnt_opts(struct security_mnt_opts *opts) | ||
| 117 | { | ||
| 118 | opts->mnt_opts = NULL; | ||
| 119 | opts->mnt_opts_flags = NULL; | ||
| 120 | opts->num_mnt_opts = 0; | ||
| 121 | } | ||
| 122 | |||
| 123 | static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | ||
| 124 | { | ||
| 125 | int i; | ||
| 126 | if (opts->mnt_opts) | ||
| 127 | for(i = 0; i < opts->num_mnt_opts; i++) | ||
| 128 | kfree(opts->mnt_opts[i]); | ||
| 129 | kfree(opts->mnt_opts); | ||
| 130 | opts->mnt_opts = NULL; | ||
| 131 | kfree(opts->mnt_opts_flags); | ||
| 132 | opts->mnt_opts_flags = NULL; | ||
| 133 | opts->num_mnt_opts = 0; | ||
| 134 | } | ||
| 135 | |||
| 117 | /** | 136 | /** |
| 118 | * struct security_operations - main security structure | 137 | * struct security_operations - main security structure |
| 119 | * | 138 | * |
| @@ -262,19 +281,19 @@ struct request_sock; | |||
| 262 | * @sb_get_mnt_opts: | 281 | * @sb_get_mnt_opts: |
| 263 | * Get the security relevant mount options used for a superblock | 282 | * Get the security relevant mount options used for a superblock |
| 264 | * @sb the superblock to get security mount options from | 283 | * @sb the superblock to get security mount options from |
| 265 | * @mount_options array for pointers to mount options | 284 | * @opts binary data structure containing all lsm mount data |
| 266 | * @mount_flags array of ints specifying what each mount options is | ||
| 267 | * @num_opts number of options in the arrays | ||
| 268 | * @sb_set_mnt_opts: | 285 | * @sb_set_mnt_opts: |
| 269 | * Set the security relevant mount options used for a superblock | 286 | * Set the security relevant mount options used for a superblock |
| 270 | * @sb the superblock to set security mount options for | 287 | * @sb the superblock to set security mount options for |
| 271 | * @mount_options array for pointers to mount options | 288 | * @opts binary data structure containing all lsm mount data |
| 272 | * @mount_flags array of ints specifying what each mount options is | ||
| 273 | * @num_opts number of options in the arrays | ||
| 274 | * @sb_clone_mnt_opts: | 289 | * @sb_clone_mnt_opts: |
| 275 | * Copy all security options from a given superblock to another | 290 | * Copy all security options from a given superblock to another |
| 276 | * @oldsb old superblock which contain information to clone | 291 | * @oldsb old superblock which contain information to clone |
| 277 | * @newsb new superblock which needs filled in | 292 | * @newsb new superblock which needs filled in |
| 293 | * @sb_parse_opts_str: | ||
| 294 | * Parse a string of security data filling in the opts structure | ||
| 295 | * @options string containing all mount options known by the LSM | ||
| 296 | * @opts binary data structure usable by the LSM | ||
| 278 | * | 297 | * |
| 279 | * Security hooks for inode operations. | 298 | * Security hooks for inode operations. |
| 280 | * | 299 | * |
| @@ -1238,8 +1257,7 @@ struct security_operations { | |||
| 1238 | 1257 | ||
| 1239 | int (*sb_alloc_security) (struct super_block * sb); | 1258 | int (*sb_alloc_security) (struct super_block * sb); |
| 1240 | void (*sb_free_security) (struct super_block * sb); | 1259 | void (*sb_free_security) (struct super_block * sb); |
| 1241 | int (*sb_copy_data)(struct file_system_type *type, | 1260 | int (*sb_copy_data)(char *orig, char *copy); |
| 1242 | void *orig, void *copy); | ||
| 1243 | int (*sb_kern_mount) (struct super_block *sb, void *data); | 1261 | int (*sb_kern_mount) (struct super_block *sb, void *data); |
| 1244 | int (*sb_statfs) (struct dentry *dentry); | 1262 | int (*sb_statfs) (struct dentry *dentry); |
| 1245 | int (*sb_mount) (char *dev_name, struct nameidata * nd, | 1263 | int (*sb_mount) (char *dev_name, struct nameidata * nd, |
| @@ -1257,12 +1275,12 @@ struct security_operations { | |||
| 1257 | void (*sb_post_pivotroot) (struct nameidata * old_nd, | 1275 | void (*sb_post_pivotroot) (struct nameidata * old_nd, |
| 1258 | struct nameidata * new_nd); | 1276 | struct nameidata * new_nd); |
| 1259 | int (*sb_get_mnt_opts) (const struct super_block *sb, | 1277 | int (*sb_get_mnt_opts) (const struct super_block *sb, |
| 1260 | char ***mount_options, int **flags, | 1278 | struct security_mnt_opts *opts); |
| 1261 | int *num_opts); | 1279 | int (*sb_set_mnt_opts) (struct super_block *sb, |
| 1262 | int (*sb_set_mnt_opts) (struct super_block *sb, char **mount_options, | 1280 | struct security_mnt_opts *opts); |
| 1263 | int *flags, int num_opts); | ||
| 1264 | void (*sb_clone_mnt_opts) (const struct super_block *oldsb, | 1281 | void (*sb_clone_mnt_opts) (const struct super_block *oldsb, |
| 1265 | struct super_block *newsb); | 1282 | struct super_block *newsb); |
| 1283 | int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); | ||
| 1266 | 1284 | ||
| 1267 | int (*inode_alloc_security) (struct inode *inode); | 1285 | int (*inode_alloc_security) (struct inode *inode); |
| 1268 | void (*inode_free_security) (struct inode *inode); | 1286 | void (*inode_free_security) (struct inode *inode); |
| @@ -1507,7 +1525,7 @@ int security_bprm_check(struct linux_binprm *bprm); | |||
| 1507 | int security_bprm_secureexec(struct linux_binprm *bprm); | 1525 | int security_bprm_secureexec(struct linux_binprm *bprm); |
| 1508 | int security_sb_alloc(struct super_block *sb); | 1526 | int security_sb_alloc(struct super_block *sb); |
| 1509 | void security_sb_free(struct super_block *sb); | 1527 | void security_sb_free(struct super_block *sb); |
| 1510 | int security_sb_copy_data(struct file_system_type *type, void *orig, void *copy); | 1528 | int security_sb_copy_data(char *orig, char *copy); |
| 1511 | int security_sb_kern_mount(struct super_block *sb, void *data); | 1529 | int security_sb_kern_mount(struct super_block *sb, void *data); |
| 1512 | int security_sb_statfs(struct dentry *dentry); | 1530 | int security_sb_statfs(struct dentry *dentry); |
| 1513 | int security_sb_mount(char *dev_name, struct nameidata *nd, | 1531 | int security_sb_mount(char *dev_name, struct nameidata *nd, |
| @@ -1520,12 +1538,12 @@ void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *d | |||
| 1520 | void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd); | 1538 | void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd); |
| 1521 | int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); | 1539 | int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); |
| 1522 | void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); | 1540 | void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); |
| 1523 | int security_sb_get_mnt_opts(const struct super_block *sb, char ***mount_options, | 1541 | int security_sb_get_mnt_opts(const struct super_block *sb, |
| 1524 | int **flags, int *num_opts); | 1542 | struct security_mnt_opts *opts); |
| 1525 | int security_sb_set_mnt_opts(struct super_block *sb, char **mount_options, | 1543 | int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts); |
| 1526 | int *flags, int num_opts); | ||
| 1527 | void security_sb_clone_mnt_opts(const struct super_block *oldsb, | 1544 | void security_sb_clone_mnt_opts(const struct super_block *oldsb, |
| 1528 | struct super_block *newsb); | 1545 | struct super_block *newsb); |
| 1546 | int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); | ||
| 1529 | 1547 | ||
| 1530 | int security_inode_alloc(struct inode *inode); | 1548 | int security_inode_alloc(struct inode *inode); |
| 1531 | void security_inode_free(struct inode *inode); | 1549 | void security_inode_free(struct inode *inode); |
| @@ -1635,6 +1653,16 @@ int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid); | |||
| 1635 | void security_release_secctx(char *secdata, u32 seclen); | 1653 | void security_release_secctx(char *secdata, u32 seclen); |
| 1636 | 1654 | ||
| 1637 | #else /* CONFIG_SECURITY */ | 1655 | #else /* CONFIG_SECURITY */ |
| 1656 | struct security_mnt_opts { | ||
| 1657 | }; | ||
| 1658 | |||
| 1659 | static inline void security_init_mnt_opts(struct security_mnt_opts *opts) | ||
| 1660 | { | ||
| 1661 | } | ||
| 1662 | |||
| 1663 | static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | ||
| 1664 | { | ||
| 1665 | } | ||
| 1638 | 1666 | ||
| 1639 | /* | 1667 | /* |
| 1640 | * This is the default capabilities functionality. Most of these functions | 1668 | * This is the default capabilities functionality. Most of these functions |
| @@ -1762,8 +1790,7 @@ static inline int security_sb_alloc (struct super_block *sb) | |||
| 1762 | static inline void security_sb_free (struct super_block *sb) | 1790 | static inline void security_sb_free (struct super_block *sb) |
| 1763 | { } | 1791 | { } |
| 1764 | 1792 | ||
| 1765 | static inline int security_sb_copy_data (struct file_system_type *type, | 1793 | static inline int security_sb_copy_data (char *orig, char *copy) |
| 1766 | void *orig, void *copy) | ||
| 1767 | { | 1794 | { |
| 1768 | return 0; | 1795 | return 0; |
| 1769 | } | 1796 | } |
| @@ -1819,6 +1846,27 @@ static inline int security_sb_pivotroot (struct nameidata *old_nd, | |||
| 1819 | static inline void security_sb_post_pivotroot (struct nameidata *old_nd, | 1846 | static inline void security_sb_post_pivotroot (struct nameidata *old_nd, |
| 1820 | struct nameidata *new_nd) | 1847 | struct nameidata *new_nd) |
| 1821 | { } | 1848 | { } |
| 1849 | static inline int security_sb_get_mnt_opts(const struct super_block *sb, | ||
| 1850 | struct security_mnt_opts *opts) | ||
| 1851 | { | ||
| 1852 | security_init_mnt_opts(opts); | ||
| 1853 | return 0; | ||
| 1854 | } | ||
| 1855 | |||
| 1856 | static inline int security_sb_set_mnt_opts(struct super_block *sb, | ||
| 1857 | struct security_mnt_opts *opts) | ||
| 1858 | { | ||
| 1859 | return 0; | ||
| 1860 | } | ||
| 1861 | |||
| 1862 | static inline void security_sb_clone_mnt_opts(const struct super_block *oldsb, | ||
| 1863 | struct super_block *newsb) | ||
| 1864 | { } | ||
| 1865 | |||
| 1866 | static inline int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts) | ||
| 1867 | { | ||
| 1868 | return 0; | ||
| 1869 | } | ||
| 1822 | 1870 | ||
| 1823 | static inline int security_inode_alloc (struct inode *inode) | 1871 | static inline int security_inode_alloc (struct inode *inode) |
| 1824 | { | 1872 | { |
| @@ -2138,7 +2186,7 @@ static inline int security_task_kill (struct task_struct *p, | |||
| 2138 | struct siginfo *info, int sig, | 2186 | struct siginfo *info, int sig, |
| 2139 | u32 secid) | 2187 | u32 secid) |
| 2140 | { | 2188 | { |
| 2141 | return cap_task_kill(p, info, sig, secid); | 2189 | return 0; |
| 2142 | } | 2190 | } |
| 2143 | 2191 | ||
| 2144 | static inline int security_task_wait (struct task_struct *p) | 2192 | static inline int security_task_wait (struct task_struct *p) |