Diffstat (limited to 'include/linux/security.h')
-rw-r--r--include/linux/security.h239
1 files changed, 203 insertions, 36 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 6bc2aad494ff..9f56fb8a4a6c 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -31,6 +31,8 @@
31#include <linux/msg.h> 31#include <linux/msg.h>
32#include <linux/sched.h> 32#include <linux/sched.h>
33#include <linux/key.h> 33#include <linux/key.h>
34#include <linux/xfrm.h>
35#include <net/flow.h>
34 36
35struct ctl_table; 37struct ctl_table;
36 38
@@ -88,6 +90,7 @@ extern int cap_netlink_recv(struct sk_buff *skb, int cap);
88struct nfsctl_arg; 90struct nfsctl_arg;
89struct sched_param; 91struct sched_param;
90struct swap_info_struct; 92struct swap_info_struct;
93struct request_sock;
91 94
92/* bprm_apply_creds unsafe reasons */ 95/* bprm_apply_creds unsafe reasons */
93#define LSM_UNSAFE_SHARE 1 96#define LSM_UNSAFE_SHARE 1
@@ -812,9 +815,19 @@ struct swap_info_struct;
812 * which is used to copy security attributes between local stream sockets. 815 * which is used to copy security attributes between local stream sockets.
813 * @sk_free_security: 816 * @sk_free_security:
814 * Deallocate security structure. 817 * Deallocate security structure.
815 * @sk_getsid: 818 * @sk_clone_security:
816 * Retrieve the LSM-specific sid for the sock to enable caching of network 819 * Clone/copy security structure.
820 * @sk_getsecid:
821 * Retrieve the LSM-specific secid for the sock to enable caching of network
817 * authorizations. 822 * authorizations.
823 * @sock_graft:
824 * Sets the socket's isec sid to the sock's sid.
825 * @inet_conn_request:
826 * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
827 * @inet_csk_clone:
828 * Sets the new child socket's sid to the openreq sid.
829 * @req_classify_flow:
830 * Sets the flow's sid to the openreq sid.
818 * 831 *
819 * Security hooks for XFRM operations. 832 * Security hooks for XFRM operations.
820 * 833 *
@@ -823,9 +836,10 @@ struct swap_info_struct;
823 * used by the XFRM system. 836 * used by the XFRM system.
824 * @sec_ctx contains the security context information being provided by 837 * @sec_ctx contains the security context information being provided by
825 * the user-level policy update program (e.g., setkey). 838 * the user-level policy update program (e.g., setkey).
826 * Allocate a security structure to the xp->security field. 839 * @sk refers to the sock from which to derive the security context.
827 * The security field is initialized to NULL when the xfrm_policy is 840 * Allocate a security structure to the xp->security field; the security
828 * allocated. 841 * field is initialized to NULL when the xfrm_policy is allocated. Only
842 * one of sec_ctx or sock can be specified.
829 * Return 0 if operation was successful (memory to allocate, legal context) 843 * Return 0 if operation was successful (memory to allocate, legal context)
830 * @xfrm_policy_clone_security: 844 * @xfrm_policy_clone_security:
831 * @old contains an existing xfrm_policy in the SPD. 845 * @old contains an existing xfrm_policy in the SPD.
@@ -844,9 +858,14 @@ struct swap_info_struct;
844 * Database by the XFRM system. 858 * Database by the XFRM system.
845 * @sec_ctx contains the security context information being provided by 859 * @sec_ctx contains the security context information being provided by
846 * the user-level SA generation program (e.g., setkey or racoon). 860 * the user-level SA generation program (e.g., setkey or racoon).
847 * Allocate a security structure to the x->security field. The 861 * @polsec contains the security context information associated with a xfrm
848 * security field is initialized to NULL when the xfrm_state is 862 * policy rule from which to take the base context. polsec must be NULL
849 * allocated. 863 * when sec_ctx is specified.
864 * @secid contains the secid from which to take the mls portion of the context.
865 * Allocate a security structure to the x->security field; the security
866 * field is initialized to NULL when the xfrm_state is allocated. Set the
867 * context to correspond to either sec_ctx or polsec, with the mls portion
868 * taken from secid in the latter case.
850 * Return 0 if operation was successful (memory to allocate, legal context). 869 * Return 0 if operation was successful (memory to allocate, legal context).
851 * @xfrm_state_free_security: 870 * @xfrm_state_free_security:
852 * @x contains the xfrm_state. 871 * @x contains the xfrm_state.
@@ -857,13 +876,27 @@ struct swap_info_struct;
857 * @xfrm_policy_lookup: 876 * @xfrm_policy_lookup:
858 * @xp contains the xfrm_policy for which the access control is being 877 * @xp contains the xfrm_policy for which the access control is being
859 * checked. 878 * checked.
860 * @sk_sid contains the sock security label that is used to authorize 879 * @fl_secid contains the flow security label that is used to authorize
861 * access to the policy xp. 880 * access to the policy xp.
862 * @dir contains the direction of the flow (input or output). 881 * @dir contains the direction of the flow (input or output).
863 * Check permission when a sock selects a xfrm_policy for processing 882 * Check permission when a flow selects a xfrm_policy for processing
864 * XFRMs on a packet. The hook is called when selecting either a 883 * XFRMs on a packet. The hook is called when selecting either a
865 * per-socket policy or a generic xfrm policy. 884 * per-socket policy or a generic xfrm policy.
866 * Return 0 if permission is granted. 885 * Return 0 if permission is granted.
886 * @xfrm_state_pol_flow_match:
887 * @x contains the state to match.
888 * @xp contains the policy to check for a match.
889 * @fl contains the flow to check for a match.
890 * Return 1 if there is a match.
891 * @xfrm_flow_state_match:
892 * @fl contains the flow key to match.
893 * @xfrm points to the xfrm_state to match.
894 * Return 1 if there is a match.
895 * @xfrm_decode_session:
896 * @skb points to skb to decode.
897 * @secid points to the flow key secid to set.
898 * @ckall says if all xfrms used should be checked for same secid.
899 * Return 0 if ckall is zero or all xfrms used have the same secid.
867 * 900 *
868 * Security hooks affecting all Key Management operations 901 * Security hooks affecting all Key Management operations
869 * 902 *
@@ -1308,8 +1341,8 @@ struct security_operations {
1308 int (*unix_may_send) (struct socket * sock, struct socket * other); 1341 int (*unix_may_send) (struct socket * sock, struct socket * other);
1309 1342
1310 int (*socket_create) (int family, int type, int protocol, int kern); 1343 int (*socket_create) (int family, int type, int protocol, int kern);
1311 void (*socket_post_create) (struct socket * sock, int family, 1344 int (*socket_post_create) (struct socket * sock, int family,
1312 int type, int protocol, int kern); 1345 int type, int protocol, int kern);
1313 int (*socket_bind) (struct socket * sock, 1346 int (*socket_bind) (struct socket * sock,
1314 struct sockaddr * address, int addrlen); 1347 struct sockaddr * address, int addrlen);
1315 int (*socket_connect) (struct socket * sock, 1348 int (*socket_connect) (struct socket * sock,
@@ -1332,18 +1365,31 @@ struct security_operations {
1332 int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid); 1365 int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid);
1333 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority); 1366 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
1334 void (*sk_free_security) (struct sock *sk); 1367 void (*sk_free_security) (struct sock *sk);
1335 unsigned int (*sk_getsid) (struct sock *sk, struct flowi *fl, u8 dir); 1368 void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
1369 void (*sk_getsecid) (struct sock *sk, u32 *secid);
1370 void (*sock_graft)(struct sock* sk, struct socket *parent);
1371 int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
1372 struct request_sock *req);
1373 void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
1374 void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
1336#endif /* CONFIG_SECURITY_NETWORK */ 1375#endif /* CONFIG_SECURITY_NETWORK */
1337 1376
1338#ifdef CONFIG_SECURITY_NETWORK_XFRM 1377#ifdef CONFIG_SECURITY_NETWORK_XFRM
1339 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); 1378 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp,
1379 struct xfrm_user_sec_ctx *sec_ctx, struct sock *sk);
1340 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new); 1380 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);
1341 void (*xfrm_policy_free_security) (struct xfrm_policy *xp); 1381 void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
1342 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp); 1382 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp);
1343 int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); 1383 int (*xfrm_state_alloc_security) (struct xfrm_state *x,
1384 struct xfrm_user_sec_ctx *sec_ctx, struct xfrm_sec_ctx *polsec,
1385 u32 secid);
1344 void (*xfrm_state_free_security) (struct xfrm_state *x); 1386 void (*xfrm_state_free_security) (struct xfrm_state *x);
1345 int (*xfrm_state_delete_security) (struct xfrm_state *x); 1387 int (*xfrm_state_delete_security) (struct xfrm_state *x);
1346 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 sk_sid, u8 dir); 1388 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
1389 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
1390 struct xfrm_policy *xp, struct flowi *fl);
1391 int (*xfrm_flow_state_match)(struct flowi *fl, struct xfrm_state *xfrm);
1392 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
1347#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 1393#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1348 1394
1349 /* key management security hooks */ 1395 /* key management security hooks */
@@ -2778,13 +2824,13 @@ static inline int security_socket_create (int family, int type,
2778 return security_ops->socket_create(family, type, protocol, kern); 2824 return security_ops->socket_create(family, type, protocol, kern);
2779} 2825}
2780 2826
2781static inline void security_socket_post_create(struct socket * sock, 2827static inline int security_socket_post_create(struct socket * sock,
2782 int family, 2828 int family,
2783 int type, 2829 int type,
2784 int protocol, int kern) 2830 int protocol, int kern)
2785{ 2831{
2786 security_ops->socket_post_create(sock, family, type, 2832 return security_ops->socket_post_create(sock, family, type,
2787 protocol, kern); 2833 protocol, kern);
2788} 2834}
2789 2835
2790static inline int security_socket_bind(struct socket * sock, 2836static inline int security_socket_bind(struct socket * sock,
@@ -2885,9 +2931,36 @@ static inline void security_sk_free(struct sock *sk)
2885 return security_ops->sk_free_security(sk); 2931 return security_ops->sk_free_security(sk);
2886} 2932}
2887 2933
2888static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir) 2934static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
2935{
2936 return security_ops->sk_clone_security(sk, newsk);
2937}
2938
2939static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
2889{ 2940{
2890 return security_ops->sk_getsid(sk, fl, dir); 2941 security_ops->sk_getsecid(sk, &fl->secid);
2942}
2943
2944static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
2945{
2946 security_ops->req_classify_flow(req, fl);
2947}
2948
2949static inline void security_sock_graft(struct sock* sk, struct socket *parent)
2950{
2951 security_ops->sock_graft(sk, parent);
2952}
2953
2954static inline int security_inet_conn_request(struct sock *sk,
2955 struct sk_buff *skb, struct request_sock *req)
2956{
2957 return security_ops->inet_conn_request(sk, skb, req);
2958}
2959
2960static inline void security_inet_csk_clone(struct sock *newsk,
2961 const struct request_sock *req)
2962{
2963 security_ops->inet_csk_clone(newsk, req);
2891} 2964}
2892#else /* CONFIG_SECURITY_NETWORK */ 2965#else /* CONFIG_SECURITY_NETWORK */
2893static inline int security_unix_stream_connect(struct socket * sock, 2966static inline int security_unix_stream_connect(struct socket * sock,
@@ -2909,11 +2982,12 @@ static inline int security_socket_create (int family, int type,
2909 return 0; 2982 return 0;
2910} 2983}
2911 2984
2912static inline void security_socket_post_create(struct socket * sock, 2985static inline int security_socket_post_create(struct socket * sock,
2913 int family, 2986 int family,
2914 int type, 2987 int type,
2915 int protocol, int kern) 2988 int protocol, int kern)
2916{ 2989{
2990 return 0;
2917} 2991}
2918 2992
2919static inline int security_socket_bind(struct socket * sock, 2993static inline int security_socket_bind(struct socket * sock,
@@ -3011,16 +3085,43 @@ static inline void security_sk_free(struct sock *sk)
3011{ 3085{
3012} 3086}
3013 3087
3014static inline unsigned int security_sk_sid(struct sock *sk, struct flowi *fl, u8 dir) 3088static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
3089{
3090}
3091
3092static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
3093{
3094}
3095
3096static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
3097{
3098}
3099
3100static inline void security_sock_graft(struct sock* sk, struct socket *parent)
3101{
3102}
3103
3104static inline int security_inet_conn_request(struct sock *sk,
3105 struct sk_buff *skb, struct request_sock *req)
3015{ 3106{
3016 return 0; 3107 return 0;
3017} 3108}
3109
3110static inline void security_inet_csk_clone(struct sock *newsk,
3111 const struct request_sock *req)
3112{
3113}
3018#endif /* CONFIG_SECURITY_NETWORK */ 3114#endif /* CONFIG_SECURITY_NETWORK */
3019 3115
3020#ifdef CONFIG_SECURITY_NETWORK_XFRM 3116#ifdef CONFIG_SECURITY_NETWORK_XFRM
3021static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) 3117static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
3022{ 3118{
3023 return security_ops->xfrm_policy_alloc_security(xp, sec_ctx); 3119 return security_ops->xfrm_policy_alloc_security(xp, sec_ctx, NULL);
3120}
3121
3122static inline int security_xfrm_sock_policy_alloc(struct xfrm_policy *xp, struct sock *sk)
3123{
3124 return security_ops->xfrm_policy_alloc_security(xp, NULL, sk);
3024} 3125}
3025 3126
3026static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) 3127static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
@@ -3038,9 +3139,18 @@ static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
3038 return security_ops->xfrm_policy_delete_security(xp); 3139 return security_ops->xfrm_policy_delete_security(xp);
3039} 3140}
3040 3141
3041static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 3142static inline int security_xfrm_state_alloc(struct xfrm_state *x,
3143 struct xfrm_user_sec_ctx *sec_ctx)
3042{ 3144{
3043 return security_ops->xfrm_state_alloc_security(x, sec_ctx); 3145 return security_ops->xfrm_state_alloc_security(x, sec_ctx, NULL, 0);
3146}
3147
3148static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
3149 struct xfrm_sec_ctx *polsec, u32 secid)
3150{
3151 if (!polsec)
3152 return 0;
3153 return security_ops->xfrm_state_alloc_security(x, NULL, polsec, secid);
3044} 3154}
3045 3155
3046static inline int security_xfrm_state_delete(struct xfrm_state *x) 3156static inline int security_xfrm_state_delete(struct xfrm_state *x)
@@ -3053,9 +3163,32 @@ static inline void security_xfrm_state_free(struct xfrm_state *x)
3053 security_ops->xfrm_state_free_security(x); 3163 security_ops->xfrm_state_free_security(x);
3054} 3164}
3055 3165
3056static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir) 3166static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
3167{
3168 return security_ops->xfrm_policy_lookup(xp, fl_secid, dir);
3169}
3170
3171static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
3172 struct xfrm_policy *xp, struct flowi *fl)
3057{ 3173{
3058 return security_ops->xfrm_policy_lookup(xp, sk_sid, dir); 3174 return security_ops->xfrm_state_pol_flow_match(x, xp, fl);
3175}
3176
3177static inline int security_xfrm_flow_state_match(struct flowi *fl, struct xfrm_state *xfrm)
3178{
3179 return security_ops->xfrm_flow_state_match(fl, xfrm);
3180}
3181
3182static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
3183{
3184 return security_ops->xfrm_decode_session(skb, secid, 1);
3185}
3186
3187static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
3188{
3189 int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0);
3190
3191 BUG_ON(rc);
3059} 3192}
3060#else /* CONFIG_SECURITY_NETWORK_XFRM */ 3193#else /* CONFIG_SECURITY_NETWORK_XFRM */
3061static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) 3194static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
@@ -3063,6 +3196,11 @@ static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm
3063 return 0; 3196 return 0;
3064} 3197}
3065 3198
3199static inline int security_xfrm_sock_policy_alloc(struct xfrm_policy *xp, struct sock *sk)
3200{
3201 return 0;
3202}
3203
3066static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) 3204static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
3067{ 3205{
3068 return 0; 3206 return 0;
@@ -3077,7 +3215,14 @@ static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
3077 return 0; 3215 return 0;
3078} 3216}
3079 3217
3080static inline int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 3218static inline int security_xfrm_state_alloc(struct xfrm_state *x,
3219 struct xfrm_user_sec_ctx *sec_ctx)
3220{
3221 return 0;
3222}
3223
3224static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
3225 struct xfrm_sec_ctx *polsec, u32 secid)
3081{ 3226{
3082 return 0; 3227 return 0;
3083} 3228}
@@ -3091,10 +3236,32 @@ static inline int security_xfrm_state_delete(struct xfrm_state *x)
3091 return 0; 3236 return 0;
3092} 3237}
3093 3238
3094static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 sk_sid, u8 dir) 3239static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
3240{
3241 return 0;
3242}
3243
3244static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
3245 struct xfrm_policy *xp, struct flowi *fl)
3246{
3247 return 1;
3248}
3249
3250static inline int security_xfrm_flow_state_match(struct flowi *fl,
3251 struct xfrm_state *xfrm)
3252{
3253 return 1;
3254}
3255
3256static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
3095{ 3257{
3096 return 0; 3258 return 0;
3097} 3259}
3260
3261static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
3262{
3263}
3264
3098#endif /* CONFIG_SECURITY_NETWORK_XFRM */ 3265#endif /* CONFIG_SECURITY_NETWORK_XFRM */
3099 3266
3100#ifdef CONFIG_KEYS 3267#ifdef CONFIG_KEYS
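Review bot: `BUG_ON(rc)` in the CONFIG_SECURITY_NETWORK_XFRM version of `security_skb_classify_flow()` (new lines 3187-3192) panics the kernel whenever an LSM's `xfrm_decode_session` hook returns non-zero for `ckall == 0`, and this wrapper presumably runs on the packet-processing path. The only thing that promises a zero return is the hook comment ("Return 0 if ckall is zero or all xfrms used have the same secid"), so a module that breaks that contract becomes a machine-wide crash instead of a contained error. Consider `WARN_ON(rc);` here, and make the requirement explicit in the hook comment, e.g. `* Must return 0 when @ckall is zero; the caller cannot handle failure.` Separately, the non-XFRM stub of `security_xfrm_decode_session()` returns 0 without writing `*secid`, so its callers (outside this file) have to initialise the value themselves before reading it.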