diff options
Diffstat (limited to 'include/linux/security.h')
| -rw-r--r-- | include/linux/security.h | 68 |
1 files changed, 35 insertions, 33 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index fea1f4aa4dd5..e6299e50e210 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -34,8 +34,6 @@ | |||
| 34 | #include <linux/xfrm.h> | 34 | #include <linux/xfrm.h> |
| 35 | #include <net/flow.h> | 35 | #include <net/flow.h> |
| 36 | 36 | ||
| 37 | extern unsigned securebits; | ||
| 38 | |||
| 39 | /* Maximum number of letters for an LSM name string */ | 37 | /* Maximum number of letters for an LSM name string */ |
| 40 | #define SECURITY_NAME_MAX 10 | 38 | #define SECURITY_NAME_MAX 10 |
| 41 | 39 | ||
| @@ -61,6 +59,8 @@ extern int cap_inode_need_killpriv(struct dentry *dentry); | |||
| 61 | extern int cap_inode_killpriv(struct dentry *dentry); | 59 | extern int cap_inode_killpriv(struct dentry *dentry); |
| 62 | extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); | 60 | extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); |
| 63 | extern void cap_task_reparent_to_init (struct task_struct *p); | 61 | extern void cap_task_reparent_to_init (struct task_struct *p); |
| 62 | extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | ||
| 63 | unsigned long arg4, unsigned long arg5, long *rc_p); | ||
| 64 | extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp); | 64 | extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp); |
| 65 | extern int cap_task_setioprio (struct task_struct *p, int ioprio); | 65 | extern int cap_task_setioprio (struct task_struct *p, int ioprio); |
| 66 | extern int cap_task_setnice (struct task_struct *p, int nice); | 66 | extern int cap_task_setnice (struct task_struct *p, int nice); |
| @@ -230,7 +230,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 230 | * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the | 230 | * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the |
| 231 | * pathname of the object being mounted. | 231 | * pathname of the object being mounted. |
| 232 | * @dev_name contains the name for object being mounted. | 232 | * @dev_name contains the name for object being mounted. |
| 233 | * @nd contains the nameidata structure for mount point object. | 233 | * @path contains the path for mount point object. |
| 234 | * @type contains the filesystem type. | 234 | * @type contains the filesystem type. |
| 235 | * @flags contains the mount flags. | 235 | * @flags contains the mount flags. |
| 236 | * @data contains the filesystem-specific data. | 236 | * @data contains the filesystem-specific data. |
| @@ -249,7 +249,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 249 | * Check permission before the device with superblock @mnt->sb is mounted | 249 | * Check permission before the device with superblock @mnt->sb is mounted |
| 250 | * on the mount point named by @nd. | 250 | * on the mount point named by @nd. |
| 251 | * @mnt contains the vfsmount for device being mounted. | 251 | * @mnt contains the vfsmount for device being mounted. |
| 252 | * @nd contains the nameidata object for the mount point. | 252 | * @path contains the path for the mount point. |
| 253 | * Return 0 if permission is granted. | 253 | * Return 0 if permission is granted. |
| 254 | * @sb_umount: | 254 | * @sb_umount: |
| 255 | * Check permission before the @mnt file system is unmounted. | 255 | * Check permission before the @mnt file system is unmounted. |
| @@ -278,16 +278,16 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 278 | * This hook is called any time a mount is successfully grafetd to | 278 | * This hook is called any time a mount is successfully grafetd to |
| 279 | * the tree. | 279 | * the tree. |
| 280 | * @mnt contains the mounted filesystem. | 280 | * @mnt contains the mounted filesystem. |
| 281 | * @mountpoint_nd contains the nameidata structure for the mount point. | 281 | * @mountpoint contains the path for the mount point. |
| 282 | * @sb_pivotroot: | 282 | * @sb_pivotroot: |
| 283 | * Check permission before pivoting the root filesystem. | 283 | * Check permission before pivoting the root filesystem. |
| 284 | * @old_nd contains the nameidata structure for the new location of the current root (put_old). | 284 | * @old_path contains the path for the new location of the current root (put_old). |
| 285 | * @new_nd contains the nameidata structure for the new root (new_root). | 285 | * @new_path contains the path for the new root (new_root). |
| 286 | * Return 0 if permission is granted. | 286 | * Return 0 if permission is granted. |
| 287 | * @sb_post_pivotroot: | 287 | * @sb_post_pivotroot: |
| 288 | * Update module state after a successful pivot. | 288 | * Update module state after a successful pivot. |
| 289 | * @old_nd contains the nameidata structure for the old root. | 289 | * @old_path contains the path for the old root. |
| 290 | * @new_nd contains the nameidata structure for the new root. | 290 | * @new_path contains the path for the new root. |
| 291 | * @sb_get_mnt_opts: | 291 | * @sb_get_mnt_opts: |
| 292 | * Get the security relevant mount options used for a superblock | 292 | * Get the security relevant mount options used for a superblock |
| 293 | * @sb the superblock to get security mount options from | 293 | * @sb the superblock to get security mount options from |
| @@ -720,7 +720,9 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
| 720 | * @arg3 contains a argument. | 720 | * @arg3 contains a argument. |
| 721 | * @arg4 contains a argument. | 721 | * @arg4 contains a argument. |
| 722 | * @arg5 contains a argument. | 722 | * @arg5 contains a argument. |
| 723 | * Return 0 if permission is granted. | 723 | * @rc_p contains a pointer to communicate back the forced return code |
| 724 | * Return 0 if permission is granted, and non-zero if the security module | ||
| 725 | * has taken responsibility (setting *rc_p) for the prctl call. | ||
| 724 | * @task_reparent_to_init: | 726 | * @task_reparent_to_init: |
| 725 | * Set the security attributes in @p->security for a kernel thread that | 727 | * Set the security attributes in @p->security for a kernel thread that |
| 726 | * is being reparented to the init task. | 728 | * is being reparented to the init task. |
| @@ -1315,20 +1317,20 @@ struct security_operations { | |||
| 1315 | int (*sb_copy_data)(char *orig, char *copy); | 1317 | int (*sb_copy_data)(char *orig, char *copy); |
| 1316 | int (*sb_kern_mount) (struct super_block *sb, void *data); | 1318 | int (*sb_kern_mount) (struct super_block *sb, void *data); |
| 1317 | int (*sb_statfs) (struct dentry *dentry); | 1319 | int (*sb_statfs) (struct dentry *dentry); |
| 1318 | int (*sb_mount) (char *dev_name, struct nameidata * nd, | 1320 | int (*sb_mount) (char *dev_name, struct path *path, |
| 1319 | char *type, unsigned long flags, void *data); | 1321 | char *type, unsigned long flags, void *data); |
| 1320 | int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd); | 1322 | int (*sb_check_sb) (struct vfsmount * mnt, struct path *path); |
| 1321 | int (*sb_umount) (struct vfsmount * mnt, int flags); | 1323 | int (*sb_umount) (struct vfsmount * mnt, int flags); |
| 1322 | void (*sb_umount_close) (struct vfsmount * mnt); | 1324 | void (*sb_umount_close) (struct vfsmount * mnt); |
| 1323 | void (*sb_umount_busy) (struct vfsmount * mnt); | 1325 | void (*sb_umount_busy) (struct vfsmount * mnt); |
| 1324 | void (*sb_post_remount) (struct vfsmount * mnt, | 1326 | void (*sb_post_remount) (struct vfsmount * mnt, |
| 1325 | unsigned long flags, void *data); | 1327 | unsigned long flags, void *data); |
| 1326 | void (*sb_post_addmount) (struct vfsmount * mnt, | 1328 | void (*sb_post_addmount) (struct vfsmount * mnt, |
| 1327 | struct nameidata * mountpoint_nd); | 1329 | struct path *mountpoint); |
| 1328 | int (*sb_pivotroot) (struct nameidata * old_nd, | 1330 | int (*sb_pivotroot) (struct path *old_path, |
| 1329 | struct nameidata * new_nd); | 1331 | struct path *new_path); |
| 1330 | void (*sb_post_pivotroot) (struct nameidata * old_nd, | 1332 | void (*sb_post_pivotroot) (struct path *old_path, |
| 1331 | struct nameidata * new_nd); | 1333 | struct path *new_path); |
| 1332 | int (*sb_get_mnt_opts) (const struct super_block *sb, | 1334 | int (*sb_get_mnt_opts) (const struct super_block *sb, |
| 1333 | struct security_mnt_opts *opts); | 1335 | struct security_mnt_opts *opts); |
| 1334 | int (*sb_set_mnt_opts) (struct super_block *sb, | 1336 | int (*sb_set_mnt_opts) (struct super_block *sb, |
| @@ -1420,7 +1422,7 @@ struct security_operations { | |||
| 1420 | int (*task_wait) (struct task_struct * p); | 1422 | int (*task_wait) (struct task_struct * p); |
| 1421 | int (*task_prctl) (int option, unsigned long arg2, | 1423 | int (*task_prctl) (int option, unsigned long arg2, |
| 1422 | unsigned long arg3, unsigned long arg4, | 1424 | unsigned long arg3, unsigned long arg4, |
| 1423 | unsigned long arg5); | 1425 | unsigned long arg5, long *rc_p); |
| 1424 | void (*task_reparent_to_init) (struct task_struct * p); | 1426 | void (*task_reparent_to_init) (struct task_struct * p); |
| 1425 | void (*task_to_inode)(struct task_struct *p, struct inode *inode); | 1427 | void (*task_to_inode)(struct task_struct *p, struct inode *inode); |
| 1426 | 1428 | ||
| @@ -1593,16 +1595,16 @@ void security_sb_free(struct super_block *sb); | |||
| 1593 | int security_sb_copy_data(char *orig, char *copy); | 1595 | int security_sb_copy_data(char *orig, char *copy); |
| 1594 | int security_sb_kern_mount(struct super_block *sb, void *data); | 1596 | int security_sb_kern_mount(struct super_block *sb, void *data); |
| 1595 | int security_sb_statfs(struct dentry *dentry); | 1597 | int security_sb_statfs(struct dentry *dentry); |
| 1596 | int security_sb_mount(char *dev_name, struct nameidata *nd, | 1598 | int security_sb_mount(char *dev_name, struct path *path, |
| 1597 | char *type, unsigned long flags, void *data); | 1599 | char *type, unsigned long flags, void *data); |
| 1598 | int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd); | 1600 | int security_sb_check_sb(struct vfsmount *mnt, struct path *path); |
| 1599 | int security_sb_umount(struct vfsmount *mnt, int flags); | 1601 | int security_sb_umount(struct vfsmount *mnt, int flags); |
| 1600 | void security_sb_umount_close(struct vfsmount *mnt); | 1602 | void security_sb_umount_close(struct vfsmount *mnt); |
| 1601 | void security_sb_umount_busy(struct vfsmount *mnt); | 1603 | void security_sb_umount_busy(struct vfsmount *mnt); |
| 1602 | void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data); | 1604 | void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data); |
| 1603 | void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd); | 1605 | void security_sb_post_addmount(struct vfsmount *mnt, struct path *mountpoint); |
| 1604 | int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); | 1606 | int security_sb_pivotroot(struct path *old_path, struct path *new_path); |
| 1605 | void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); | 1607 | void security_sb_post_pivotroot(struct path *old_path, struct path *new_path); |
| 1606 | int security_sb_get_mnt_opts(const struct super_block *sb, | 1608 | int security_sb_get_mnt_opts(const struct super_block *sb, |
| 1607 | struct security_mnt_opts *opts); | 1609 | struct security_mnt_opts *opts); |
| 1608 | int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts); | 1610 | int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts); |
| @@ -1684,7 +1686,7 @@ int security_task_kill(struct task_struct *p, struct siginfo *info, | |||
| 1684 | int sig, u32 secid); | 1686 | int sig, u32 secid); |
| 1685 | int security_task_wait(struct task_struct *p); | 1687 | int security_task_wait(struct task_struct *p); |
| 1686 | int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, | 1688 | int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, |
| 1687 | unsigned long arg4, unsigned long arg5); | 1689 | unsigned long arg4, unsigned long arg5, long *rc_p); |
| 1688 | void security_task_reparent_to_init(struct task_struct *p); | 1690 | void security_task_reparent_to_init(struct task_struct *p); |
| 1689 | void security_task_to_inode(struct task_struct *p, struct inode *inode); | 1691 | void security_task_to_inode(struct task_struct *p, struct inode *inode); |
| 1690 | int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); | 1692 | int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); |
| @@ -1872,7 +1874,7 @@ static inline int security_sb_statfs (struct dentry *dentry) | |||
| 1872 | return 0; | 1874 | return 0; |
| 1873 | } | 1875 | } |
| 1874 | 1876 | ||
| 1875 | static inline int security_sb_mount (char *dev_name, struct nameidata *nd, | 1877 | static inline int security_sb_mount (char *dev_name, struct path *path, |
| 1876 | char *type, unsigned long flags, | 1878 | char *type, unsigned long flags, |
| 1877 | void *data) | 1879 | void *data) |
| 1878 | { | 1880 | { |
| @@ -1880,7 +1882,7 @@ static inline int security_sb_mount (char *dev_name, struct nameidata *nd, | |||
| 1880 | } | 1882 | } |
| 1881 | 1883 | ||
| 1882 | static inline int security_sb_check_sb (struct vfsmount *mnt, | 1884 | static inline int security_sb_check_sb (struct vfsmount *mnt, |
| 1883 | struct nameidata *nd) | 1885 | struct path *path) |
| 1884 | { | 1886 | { |
| 1885 | return 0; | 1887 | return 0; |
| 1886 | } | 1888 | } |
| @@ -1901,17 +1903,17 @@ static inline void security_sb_post_remount (struct vfsmount *mnt, | |||
| 1901 | { } | 1903 | { } |
| 1902 | 1904 | ||
| 1903 | static inline void security_sb_post_addmount (struct vfsmount *mnt, | 1905 | static inline void security_sb_post_addmount (struct vfsmount *mnt, |
| 1904 | struct nameidata *mountpoint_nd) | 1906 | struct path *mountpoint) |
| 1905 | { } | 1907 | { } |
| 1906 | 1908 | ||
| 1907 | static inline int security_sb_pivotroot (struct nameidata *old_nd, | 1909 | static inline int security_sb_pivotroot (struct path *old_path, |
| 1908 | struct nameidata *new_nd) | 1910 | struct path *new_path) |
| 1909 | { | 1911 | { |
| 1910 | return 0; | 1912 | return 0; |
| 1911 | } | 1913 | } |
| 1912 | 1914 | ||
| 1913 | static inline void security_sb_post_pivotroot (struct nameidata *old_nd, | 1915 | static inline void security_sb_post_pivotroot (struct path *old_path, |
| 1914 | struct nameidata *new_nd) | 1916 | struct path *new_path) |
| 1915 | { } | 1917 | { } |
| 1916 | static inline int security_sb_get_mnt_opts(const struct super_block *sb, | 1918 | static inline int security_sb_get_mnt_opts(const struct super_block *sb, |
| 1917 | struct security_mnt_opts *opts) | 1919 | struct security_mnt_opts *opts) |
| @@ -2271,9 +2273,9 @@ static inline int security_task_wait (struct task_struct *p) | |||
| 2271 | static inline int security_task_prctl (int option, unsigned long arg2, | 2273 | static inline int security_task_prctl (int option, unsigned long arg2, |
| 2272 | unsigned long arg3, | 2274 | unsigned long arg3, |
| 2273 | unsigned long arg4, | 2275 | unsigned long arg4, |
| 2274 | unsigned long arg5) | 2276 | unsigned long arg5, long *rc_p) |
| 2275 | { | 2277 | { |
| 2276 | return 0; | 2278 | return cap_task_prctl(option, arg2, arg3, arg3, arg5, rc_p); |
| 2277 | } | 2279 | } |
| 2278 | 2280 | ||
| 2279 | static inline void security_task_reparent_to_init (struct task_struct *p) | 2281 | static inline void security_task_reparent_to_init (struct task_struct *p) |