Diffstat (limited to 'include/linux/security.h')
-rw-r--r-- | include/linux/security.h | 54 |
1 files changed, 28 insertions, 26 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 673afbb8238a..4e5a73cdbbef 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
@@ -86,9 +86,9 @@ extern int cap_inode_setxattr(struct dentry *dentry, const char *name, | |||
86 | extern int cap_inode_removexattr(struct dentry *dentry, const char *name); | 86 | extern int cap_inode_removexattr(struct dentry *dentry, const char *name); |
87 | extern int cap_inode_need_killpriv(struct dentry *dentry); | 87 | extern int cap_inode_need_killpriv(struct dentry *dentry); |
88 | extern int cap_inode_killpriv(struct dentry *dentry); | 88 | extern int cap_inode_killpriv(struct dentry *dentry); |
89 | extern int cap_file_mmap(struct file *file, unsigned long reqprot, | 89 | extern int cap_mmap_addr(unsigned long addr); |
90 | unsigned long prot, unsigned long flags, | 90 | extern int cap_mmap_file(struct file *file, unsigned long reqprot, |
91 | unsigned long addr, unsigned long addr_only); | 91 | unsigned long prot, unsigned long flags); |
92 | extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags); | 92 | extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags); |
93 | extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, | 93 | extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3, |
94 | unsigned long arg4, unsigned long arg5); | 94 | unsigned long arg4, unsigned long arg5); |
@@ -144,6 +144,7 @@ struct request_sock; | |||
144 | #define LSM_UNSAFE_SHARE 1 | 144 | #define LSM_UNSAFE_SHARE 1 |
145 | #define LSM_UNSAFE_PTRACE 2 | 145 | #define LSM_UNSAFE_PTRACE 2 |
146 | #define LSM_UNSAFE_PTRACE_CAP 4 | 146 | #define LSM_UNSAFE_PTRACE_CAP 4 |
147 | #define LSM_UNSAFE_NO_NEW_PRIVS 8 | ||
147 | 148 | ||
148 | #ifdef CONFIG_MMU | 149 | #ifdef CONFIG_MMU |
149 | extern int mmap_min_addr_handler(struct ctl_table *table, int write, | 150 | extern int mmap_min_addr_handler(struct ctl_table *table, int write, |
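Review bot: The new `LSM_UNSAFE_NO_NEW_PRIVS` bit at new line 147 has no comment, and since the three sibling flags have none either, a module author has nothing in this header telling them what they must do when the bit is set. From the name it presumably marks an exec by a task that has no_new_privs set, in which case an LSM must not grant any privilege the task did not already hold — an LSM that ignores the bit would quietly defeat that guarantee, so the contract is worth stating here rather than only in the setter. I would add above the block `/* bprm->unsafe bits: the exec may be unsafe to raise privilege for; NO_NEW_PRIVS presumably means the caller set PR_SET_NO_NEW_PRIVS -- confirm against the exec path */`, keeping the hedge until the setter is checked. The value 8 follows the existing power-of-two sequence, so it composes with the other bits as a mask.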
@@ -585,15 +586,17 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
585 | * simple integer value. When @arg represents a user space pointer, it | 586 | * simple integer value. When @arg represents a user space pointer, it |
586 | * should never be used by the security module. | 587 | * should never be used by the security module. |
587 | * Return 0 if permission is granted. | 588 | * Return 0 if permission is granted. |
588 | * @file_mmap : | 589 | * @mmap_addr : |
590 | * Check permissions for a mmap operation at @addr. | ||
591 | * @addr contains virtual address that will be used for the operation. | ||
592 | * Return 0 if permission is granted. | ||
593 | * @mmap_file : | ||
589 | * Check permissions for a mmap operation. The @file may be NULL, e.g. | 594 | * Check permissions for a mmap operation. The @file may be NULL, e.g. |
590 | * if mapping anonymous memory. | 595 | * if mapping anonymous memory. |
591 | * @file contains the file structure for file to map (may be NULL). | 596 | * @file contains the file structure for file to map (may be NULL). |
592 | * @reqprot contains the protection requested by the application. | 597 | * @reqprot contains the protection requested by the application. |
593 | * @prot contains the protection that will be applied by the kernel. | 598 | * @prot contains the protection that will be applied by the kernel. |
594 | * @flags contains the operational flags. | 599 | * @flags contains the operational flags. |
595 | * @addr contains virtual address that will be used for the operation. | ||
596 | * @addr_only contains a boolean: 0 if file-backed VMA, otherwise 1. | ||
597 | * Return 0 if permission is granted. | 600 | * Return 0 if permission is granted. |
598 | * @file_mprotect: | 601 | * @file_mprotect: |
599 | * Check permissions before changing memory access permissions. | 602 | * Check permissions before changing memory access permissions. |
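Review bot: The new `@mmap_addr` and `@mmap_file` entries at new lines 589-600 both open with "Check permissions for a mmap operation", and neither says that the two hooks now split one mmap between them nor which one carries the low-address check that the removed `@addr`/`@addr_only` parameters used to serve. The !CONFIG_SECURITY stub elsewhere in this patch routes `security_mmap_addr()` to `cap_mmap_addr()`, and `mmap_min_addr_handler` is declared just below the LSM_UNSAFE bits, so the address hook is presumably where the mmap_min_addr enforcement lives now; that is the fact an LSM author needs. I would extend `@mmap_addr` with ` * Only the address is checked here; the file, requested/applied protection and flags are passed to @mmap_file instead.` and add to `@mmap_file` ` * The mapping address is not available here; see @mmap_addr.` The `@addr_only` semantics (file-backed vs not) are dropped without a replacement, which is worth a sentence if modules relied on it.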
@@ -639,10 +642,7 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) | |||
639 | * to receive an open file descriptor via socket IPC. | 642 | * to receive an open file descriptor via socket IPC. |
640 | * @file contains the file structure being received. | 643 | * @file contains the file structure being received. |
641 | * Return 0 if permission is granted. | 644 | * Return 0 if permission is granted. |
642 | * | 645 | * @file_open |
643 | * Security hook for dentry | ||
644 | * | ||
645 | * @dentry_open | ||
646 | * Save open-time permission checking state for later use upon | 646 | * Save open-time permission checking state for later use upon |
647 | * file_permission, and recheck access if anything has changed | 647 | * file_permission, and recheck access if anything has changed |
648 | * since inode_permission. | 648 | * since inode_permission. |
@@ -1483,10 +1483,10 @@ struct security_operations { | |||
1483 | void (*file_free_security) (struct file *file); | 1483 | void (*file_free_security) (struct file *file); |
1484 | int (*file_ioctl) (struct file *file, unsigned int cmd, | 1484 | int (*file_ioctl) (struct file *file, unsigned int cmd, |
1485 | unsigned long arg); | 1485 | unsigned long arg); |
1486 | int (*file_mmap) (struct file *file, | 1486 | int (*mmap_addr) (unsigned long addr); |
1487 | int (*mmap_file) (struct file *file, | ||
1487 | unsigned long reqprot, unsigned long prot, | 1488 | unsigned long reqprot, unsigned long prot, |
1488 | unsigned long flags, unsigned long addr, | 1489 | unsigned long flags); |
1489 | unsigned long addr_only); | ||
1490 | int (*file_mprotect) (struct vm_area_struct *vma, | 1490 | int (*file_mprotect) (struct vm_area_struct *vma, |
1491 | unsigned long reqprot, | 1491 | unsigned long reqprot, |
1492 | unsigned long prot); | 1492 | unsigned long prot); |
@@ -1497,7 +1497,7 @@ struct security_operations { | |||
1497 | int (*file_send_sigiotask) (struct task_struct *tsk, | 1497 | int (*file_send_sigiotask) (struct task_struct *tsk, |
1498 | struct fown_struct *fown, int sig); | 1498 | struct fown_struct *fown, int sig); |
1499 | int (*file_receive) (struct file *file); | 1499 | int (*file_receive) (struct file *file); |
1500 | int (*dentry_open) (struct file *file, const struct cred *cred); | 1500 | int (*file_open) (struct file *file, const struct cred *cred); |
1501 | 1501 | ||
1502 | int (*task_create) (unsigned long clone_flags); | 1502 | int (*task_create) (unsigned long clone_flags); |
1503 | void (*task_free) (struct task_struct *task); | 1503 | void (*task_free) (struct task_struct *task); |
@@ -1745,9 +1745,9 @@ int security_file_permission(struct file *file, int mask); | |||
1745 | int security_file_alloc(struct file *file); | 1745 | int security_file_alloc(struct file *file); |
1746 | void security_file_free(struct file *file); | 1746 | void security_file_free(struct file *file); |
1747 | int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg); | 1747 | int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg); |
1748 | int security_file_mmap(struct file *file, unsigned long reqprot, | 1748 | int security_mmap_file(struct file *file, unsigned long prot, |
1749 | unsigned long prot, unsigned long flags, | 1749 | unsigned long flags); |
1750 | unsigned long addr, unsigned long addr_only); | 1750 | int security_mmap_addr(unsigned long addr); |
1751 | int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, | 1751 | int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, |
1752 | unsigned long prot); | 1752 | unsigned long prot); |
1753 | int security_file_lock(struct file *file, unsigned int cmd); | 1753 | int security_file_lock(struct file *file, unsigned int cmd); |
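Review bot: `security_mmap_file()` at new lines 1748-1749 takes a single `prot`, while the `mmap_file` operation it dispatches to and `cap_mmap_file()` (new lines 90-91) both still take `reqprot` and `prot`, and the hook documentation distinguishes "requested by the application" from "applied by the kernel". The header does not say which of the two the caller passes to the wrapper, so a caller could reasonably pass either; presumably security.c derives the applied protection from the requested one before invoking the hook, but that is not visible here. A one-line comment on the prototype, e.g. `/* @prot is the application-requested protection; the kernel-applied protection is derived before the hook runs */`, would pin the contract — confirm against the security.c implementation before committing to the wording.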
@@ -1756,7 +1756,7 @@ int security_file_set_fowner(struct file *file); | |||
1756 | int security_file_send_sigiotask(struct task_struct *tsk, | 1756 | int security_file_send_sigiotask(struct task_struct *tsk, |
1757 | struct fown_struct *fown, int sig); | 1757 | struct fown_struct *fown, int sig); |
1758 | int security_file_receive(struct file *file); | 1758 | int security_file_receive(struct file *file); |
1759 | int security_dentry_open(struct file *file, const struct cred *cred); | 1759 | int security_file_open(struct file *file, const struct cred *cred); |
1760 | int security_task_create(unsigned long clone_flags); | 1760 | int security_task_create(unsigned long clone_flags); |
1761 | void security_task_free(struct task_struct *task); | 1761 | void security_task_free(struct task_struct *task); |
1762 | int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); | 1762 | int security_cred_alloc_blank(struct cred *cred, gfp_t gfp); |
@@ -2183,13 +2183,15 @@ static inline int security_file_ioctl(struct file *file, unsigned int cmd, | |||
2183 | return 0; | 2183 | return 0; |
2184 | } | 2184 | } |
2185 | 2185 | ||
2186 | static inline int security_file_mmap(struct file *file, unsigned long reqprot, | 2186 | static inline int security_mmap_file(struct file *file, unsigned long prot, |
2187 | unsigned long prot, | 2187 | unsigned long flags) |
2188 | unsigned long flags, | 2188 | { |
2189 | unsigned long addr, | 2189 | return 0; |
2190 | unsigned long addr_only) | 2190 | } |
2191 | |||
2192 | static inline int security_mmap_addr(unsigned long addr) | ||
2191 | { | 2193 | { |
2192 | return cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); | 2194 | return cap_mmap_addr(addr); |
2193 | } | 2195 | } |
2194 | 2196 | ||
2195 | static inline int security_file_mprotect(struct vm_area_struct *vma, | 2197 | static inline int security_file_mprotect(struct vm_area_struct *vma, |
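Review bot: The !CONFIG_SECURITY stub `security_mmap_file()` at new lines 2186-2190 returns 0 without calling `cap_mmap_file()`, even though this same patch declares that helper (new line 90) and the neighbouring stub `security_mmap_addr()` does delegate to `cap_mmap_addr()`; the replaced stub routed every mmap through `cap_file_mmap()`. If `cap_mmap_file()` is a pure no-op the asymmetry is harmless, but then it deserves a comment so nobody later "fixes" one stub to match the other; if it ever grows a check, kernels built without CONFIG_SECURITY skip it silently. I would add `/* no capability-module check applies to the file side; the address check is in security_mmap_addr() */` inside the stub, after confirming that `cap_mmap_file()` really returns 0 unconditionally. Callers must now invoke both stubs for a full mmap check, which is a behavioural split worth calling out in the commit message.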
@@ -2227,8 +2229,8 @@ static inline int security_file_receive(struct file *file) | |||
2227 | return 0; | 2229 | return 0; |
2228 | } | 2230 | } |
2229 | 2231 | ||
2230 | static inline int security_dentry_open(struct file *file, | 2232 | static inline int security_file_open(struct file *file, |
2231 | const struct cred *cred) | 2233 | const struct cred *cred) |
2232 | { | 2234 | { |
2233 | return 0; | 2235 | return 0; |
2234 | } | 2236 | } |