diff options
Diffstat (limited to 'include/linux')
| -rw-r--r-- | include/linux/audit.h | 22 | ||||
| -rw-r--r-- | include/linux/netlink.h | 1 | ||||
| -rw-r--r-- | include/linux/security.h | 16 | ||||
| -rw-r--r-- | include/linux/selinux.h | 177 |
4 files changed, 193 insertions, 23 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h index 1c47c59058c1..b74c148f14e3 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h | |||
| @@ -83,6 +83,7 @@ | |||
| 83 | #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ | 83 | #define AUDIT_CONFIG_CHANGE 1305 /* Audit system configuration change */ |
| 84 | #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ | 84 | #define AUDIT_SOCKADDR 1306 /* sockaddr copied as syscall arg */ |
| 85 | #define AUDIT_CWD 1307 /* Current working directory */ | 85 | #define AUDIT_CWD 1307 /* Current working directory */ |
| 86 | #define AUDIT_IPC_SET_PERM 1311 /* IPC new permissions record type */ | ||
| 86 | 87 | ||
| 87 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ | 88 | #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ |
| 88 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ | 89 | #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ |
| @@ -145,6 +146,11 @@ | |||
| 145 | #define AUDIT_PERS 10 | 146 | #define AUDIT_PERS 10 |
| 146 | #define AUDIT_ARCH 11 | 147 | #define AUDIT_ARCH 11 |
| 147 | #define AUDIT_MSGTYPE 12 | 148 | #define AUDIT_MSGTYPE 12 |
| 149 | #define AUDIT_SE_USER 13 /* security label user */ | ||
| 150 | #define AUDIT_SE_ROLE 14 /* security label role */ | ||
| 151 | #define AUDIT_SE_TYPE 15 /* security label type */ | ||
| 152 | #define AUDIT_SE_SEN 16 /* security label sensitivity label */ | ||
| 153 | #define AUDIT_SE_CLR 17 /* security label clearance label */ | ||
| 148 | 154 | ||
| 149 | /* These are ONLY useful when checking | 155 | /* These are ONLY useful when checking |
| 150 | * at syscall exit time (AUDIT_AT_EXIT). */ | 156 | * at syscall exit time (AUDIT_AT_EXIT). */ |
| @@ -287,10 +293,10 @@ struct netlink_skb_parms; | |||
| 287 | /* Public API */ | 293 | /* Public API */ |
| 288 | extern int audit_alloc(struct task_struct *task); | 294 | extern int audit_alloc(struct task_struct *task); |
| 289 | extern void audit_free(struct task_struct *task); | 295 | extern void audit_free(struct task_struct *task); |
| 290 | extern void audit_syscall_entry(struct task_struct *task, int arch, | 296 | extern void audit_syscall_entry(int arch, |
| 291 | int major, unsigned long a0, unsigned long a1, | 297 | int major, unsigned long a0, unsigned long a1, |
| 292 | unsigned long a2, unsigned long a3); | 298 | unsigned long a2, unsigned long a3); |
| 293 | extern void audit_syscall_exit(struct task_struct *task, int failed, long return_code); | 299 | extern void audit_syscall_exit(int failed, long return_code); |
| 294 | extern void audit_getname(const char *name); | 300 | extern void audit_getname(const char *name); |
| 295 | extern void audit_putname(const char *name); | 301 | extern void audit_putname(const char *name); |
| 296 | extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags); | 302 | extern void __audit_inode(const char *name, const struct inode *inode, unsigned flags); |
| @@ -314,7 +320,8 @@ extern void auditsc_get_stamp(struct audit_context *ctx, | |||
| 314 | struct timespec *t, unsigned int *serial); | 320 | struct timespec *t, unsigned int *serial); |
| 315 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); | 321 | extern int audit_set_loginuid(struct task_struct *task, uid_t loginuid); |
| 316 | extern uid_t audit_get_loginuid(struct audit_context *ctx); | 322 | extern uid_t audit_get_loginuid(struct audit_context *ctx); |
| 317 | extern int audit_ipc_perms(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp); | 323 | extern int audit_ipc_obj(struct kern_ipc_perm *ipcp); |
| 324 | extern int audit_ipc_set_perm(unsigned long qbytes, uid_t uid, gid_t gid, mode_t mode, struct kern_ipc_perm *ipcp); | ||
| 318 | extern int audit_socketcall(int nargs, unsigned long *args); | 325 | extern int audit_socketcall(int nargs, unsigned long *args); |
| 319 | extern int audit_sockaddr(int len, void *addr); | 326 | extern int audit_sockaddr(int len, void *addr); |
| 320 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); | 327 | extern int audit_avc_path(struct dentry *dentry, struct vfsmount *mnt); |
| @@ -323,8 +330,8 @@ extern int audit_set_macxattr(const char *name); | |||
| 323 | #else | 330 | #else |
| 324 | #define audit_alloc(t) ({ 0; }) | 331 | #define audit_alloc(t) ({ 0; }) |
| 325 | #define audit_free(t) do { ; } while (0) | 332 | #define audit_free(t) do { ; } while (0) |
| 326 | #define audit_syscall_entry(t,ta,a,b,c,d,e) do { ; } while (0) | 333 | #define audit_syscall_entry(ta,a,b,c,d,e) do { ; } while (0) |
| 327 | #define audit_syscall_exit(t,f,r) do { ; } while (0) | 334 | #define audit_syscall_exit(f,r) do { ; } while (0) |
| 328 | #define audit_getname(n) do { ; } while (0) | 335 | #define audit_getname(n) do { ; } while (0) |
| 329 | #define audit_putname(n) do { ; } while (0) | 336 | #define audit_putname(n) do { ; } while (0) |
| 330 | #define __audit_inode(n,i,f) do { ; } while (0) | 337 | #define __audit_inode(n,i,f) do { ; } while (0) |
| @@ -333,7 +340,8 @@ extern int audit_set_macxattr(const char *name); | |||
| 333 | #define audit_inode_child(d,i,p) do { ; } while (0) | 340 | #define audit_inode_child(d,i,p) do { ; } while (0) |
| 334 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) | 341 | #define auditsc_get_stamp(c,t,s) do { BUG(); } while (0) |
| 335 | #define audit_get_loginuid(c) ({ -1; }) | 342 | #define audit_get_loginuid(c) ({ -1; }) |
| 336 | #define audit_ipc_perms(q,u,g,m,i) ({ 0; }) | 343 | #define audit_ipc_obj(i) ({ 0; }) |
| 344 | #define audit_ipc_set_perm(q,u,g,m,i) ({ 0; }) | ||
| 337 | #define audit_socketcall(n,a) ({ 0; }) | 345 | #define audit_socketcall(n,a) ({ 0; }) |
| 338 | #define audit_sockaddr(len, addr) ({ 0; }) | 346 | #define audit_sockaddr(len, addr) ({ 0; }) |
| 339 | #define audit_avc_path(dentry, mnt) ({ 0; }) | 347 | #define audit_avc_path(dentry, mnt) ({ 0; }) |
| @@ -366,7 +374,7 @@ extern void audit_log_d_path(struct audit_buffer *ab, | |||
| 366 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); | 374 | extern int audit_filter_user(struct netlink_skb_parms *cb, int type); |
| 367 | extern int audit_filter_type(int type); | 375 | extern int audit_filter_type(int type); |
| 368 | extern int audit_receive_filter(int type, int pid, int uid, int seq, | 376 | extern int audit_receive_filter(int type, int pid, int uid, int seq, |
| 369 | void *data, size_t datasz, uid_t loginuid); | 377 | void *data, size_t datasz, uid_t loginuid, u32 sid); |
| 370 | #else | 378 | #else |
| 371 | #define audit_log(c,g,t,f,...) do { ; } while (0) | 379 | #define audit_log(c,g,t,f,...) do { ; } while (0) |
| 372 | #define audit_log_start(c,g,t) ({ NULL; }) | 380 | #define audit_log_start(c,g,t) ({ NULL; }) |
diff --git a/include/linux/netlink.h b/include/linux/netlink.h index f8f3d1c927f8..87b8a5703ebc 100644 --- a/include/linux/netlink.h +++ b/include/linux/netlink.h | |||
| @@ -143,6 +143,7 @@ struct netlink_skb_parms | |||
| 143 | __u32 dst_group; | 143 | __u32 dst_group; |
| 144 | kernel_cap_t eff_cap; | 144 | kernel_cap_t eff_cap; |
| 145 | __u32 loginuid; /* Login (audit) uid */ | 145 | __u32 loginuid; /* Login (audit) uid */ |
| 146 | __u32 sid; /* SELinux security id */ | ||
| 146 | }; | 147 | }; |
| 147 | 148 | ||
| 148 | #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) | 149 | #define NETLINK_CB(skb) (*(struct netlink_skb_parms*)&((skb)->cb)) |
diff --git a/include/linux/security.h b/include/linux/security.h index aaa0a5cdbf75..1bab48f6aeac 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -869,11 +869,6 @@ struct swap_info_struct; | |||
| 869 | * @ipcp contains the kernel IPC permission structure | 869 | * @ipcp contains the kernel IPC permission structure |
| 870 | * @flag contains the desired (requested) permission set | 870 | * @flag contains the desired (requested) permission set |
| 871 | * Return 0 if permission is granted. | 871 | * Return 0 if permission is granted. |
| 872 | * @ipc_getsecurity: | ||
| 873 | * Copy the security label associated with the ipc object into | ||
| 874 | * @buffer. @buffer may be NULL to request the size of the buffer | ||
| 875 | * required. @size indicates the size of @buffer in bytes. Return | ||
| 876 | * number of bytes used/required on success. | ||
| 877 | * | 872 | * |
| 878 | * Security hooks for individual messages held in System V IPC message queues | 873 | * Security hooks for individual messages held in System V IPC message queues |
| 879 | * @msg_msg_alloc_security: | 874 | * @msg_msg_alloc_security: |
| @@ -1223,7 +1218,6 @@ struct security_operations { | |||
| 1223 | void (*task_to_inode)(struct task_struct *p, struct inode *inode); | 1218 | void (*task_to_inode)(struct task_struct *p, struct inode *inode); |
| 1224 | 1219 | ||
| 1225 | int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); | 1220 | int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); |
| 1226 | int (*ipc_getsecurity)(struct kern_ipc_perm *ipcp, void *buffer, size_t size); | ||
| 1227 | 1221 | ||
| 1228 | int (*msg_msg_alloc_security) (struct msg_msg * msg); | 1222 | int (*msg_msg_alloc_security) (struct msg_msg * msg); |
| 1229 | void (*msg_msg_free_security) (struct msg_msg * msg); | 1223 | void (*msg_msg_free_security) (struct msg_msg * msg); |
| @@ -1887,11 +1881,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, | |||
| 1887 | return security_ops->ipc_permission (ipcp, flag); | 1881 | return security_ops->ipc_permission (ipcp, flag); |
| 1888 | } | 1882 | } |
| 1889 | 1883 | ||
| 1890 | static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) | ||
| 1891 | { | ||
| 1892 | return security_ops->ipc_getsecurity(ipcp, buffer, size); | ||
| 1893 | } | ||
| 1894 | |||
| 1895 | static inline int security_msg_msg_alloc (struct msg_msg * msg) | 1884 | static inline int security_msg_msg_alloc (struct msg_msg * msg) |
| 1896 | { | 1885 | { |
| 1897 | return security_ops->msg_msg_alloc_security (msg); | 1886 | return security_ops->msg_msg_alloc_security (msg); |
| @@ -2532,11 +2521,6 @@ static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, | |||
| 2532 | return 0; | 2521 | return 0; |
| 2533 | } | 2522 | } |
| 2534 | 2523 | ||
| 2535 | static inline int security_ipc_getsecurity(struct kern_ipc_perm *ipcp, void *buffer, size_t size) | ||
| 2536 | { | ||
| 2537 | return -EOPNOTSUPP; | ||
| 2538 | } | ||
| 2539 | |||
| 2540 | static inline int security_msg_msg_alloc (struct msg_msg * msg) | 2524 | static inline int security_msg_msg_alloc (struct msg_msg * msg) |
| 2541 | { | 2525 | { |
| 2542 | return 0; | 2526 | return 0; |
diff --git a/include/linux/selinux.h b/include/linux/selinux.h new file mode 100644 index 000000000000..4047bcde4484 --- /dev/null +++ b/include/linux/selinux.h | |||
| @@ -0,0 +1,177 @@ | |||
| 1 | /* | ||
| 2 | * SELinux services exported to the rest of the kernel. | ||
| 3 | * | ||
| 4 | * Author: James Morris <jmorris@redhat.com> | ||
| 5 | * | ||
| 6 | * Copyright (C) 2005 Red Hat, Inc., James Morris <jmorris@redhat.com> | ||
| 7 | * Copyright (C) 2006 Trusted Computer Solutions, Inc. <dgoeddel@trustedcs.com> | ||
| 8 | * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez <tinytim@us.ibm.com> | ||
| 9 | * | ||
| 10 | * This program is free software; you can redistribute it and/or modify | ||
| 11 | * it under the terms of the GNU General Public License version 2, | ||
| 12 | * as published by the Free Software Foundation. | ||
| 13 | */ | ||
| 14 | #ifndef _LINUX_SELINUX_H | ||
| 15 | #define _LINUX_SELINUX_H | ||
| 16 | |||
| 17 | struct selinux_audit_rule; | ||
| 18 | struct audit_context; | ||
| 19 | struct inode; | ||
| 20 | struct kern_ipc_perm; | ||
| 21 | |||
| 22 | #ifdef CONFIG_SECURITY_SELINUX | ||
| 23 | |||
| 24 | /** | ||
| 25 | * selinux_audit_rule_init - alloc/init an selinux audit rule structure. | ||
| 26 | * @field: the field this rule refers to | ||
| 27 | * @op: the operater the rule uses | ||
| 28 | * @rulestr: the text "target" of the rule | ||
| 29 | * @rule: pointer to the new rule structure returned via this | ||
| 30 | * | ||
| 31 | * Returns 0 if successful, -errno if not. On success, the rule structure | ||
| 32 | * will be allocated internally. The caller must free this structure with | ||
| 33 | * selinux_audit_rule_free() after use. | ||
| 34 | */ | ||
| 35 | int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, | ||
| 36 | struct selinux_audit_rule **rule); | ||
| 37 | |||
| 38 | /** | ||
| 39 | * selinux_audit_rule_free - free an selinux audit rule structure. | ||
| 40 | * @rule: pointer to the audit rule to be freed | ||
| 41 | * | ||
| 42 | * This will free all memory associated with the given rule. | ||
| 43 | * If @rule is NULL, no operation is performed. | ||
| 44 | */ | ||
| 45 | void selinux_audit_rule_free(struct selinux_audit_rule *rule); | ||
| 46 | |||
| 47 | /** | ||
| 48 | * selinux_audit_rule_match - determine if a context ID matches a rule. | ||
| 49 | * @ctxid: the context ID to check | ||
| 50 | * @field: the field this rule refers to | ||
| 51 | * @op: the operater the rule uses | ||
| 52 | * @rule: pointer to the audit rule to check against | ||
| 53 | * @actx: the audit context (can be NULL) associated with the check | ||
| 54 | * | ||
| 55 | * Returns 1 if the context id matches the rule, 0 if it does not, and | ||
| 56 | * -errno on failure. | ||
| 57 | */ | ||
| 58 | int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | ||
| 59 | struct selinux_audit_rule *rule, | ||
| 60 | struct audit_context *actx); | ||
| 61 | |||
| 62 | /** | ||
| 63 | * selinux_audit_set_callback - set the callback for policy reloads. | ||
| 64 | * @callback: the function to call when the policy is reloaded | ||
| 65 | * | ||
| 66 | * This sets the function callback function that will update the rules | ||
| 67 | * upon policy reloads. This callback should rebuild all existing rules | ||
| 68 | * using selinux_audit_rule_init(). | ||
| 69 | */ | ||
| 70 | void selinux_audit_set_callback(int (*callback)(void)); | ||
| 71 | |||
| 72 | /** | ||
| 73 | * selinux_task_ctxid - determine a context ID for a process. | ||
| 74 | * @tsk: the task object | ||
| 75 | * @ctxid: ID value returned via this | ||
| 76 | * | ||
| 77 | * On return, ctxid will contain an ID for the context. This value | ||
| 78 | * should only be used opaquely. | ||
| 79 | */ | ||
| 80 | void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid); | ||
| 81 | |||
| 82 | /** | ||
| 83 | * selinux_ctxid_to_string - map a security context ID to a string | ||
| 84 | * @ctxid: security context ID to be converted. | ||
| 85 | * @ctx: address of context string to be returned | ||
| 86 | * @ctxlen: length of returned context string. | ||
| 87 | * | ||
| 88 | * Returns 0 if successful, -errno if not. On success, the context | ||
| 89 | * string will be allocated internally, and the caller must call | ||
| 90 | * kfree() on it after use. | ||
| 91 | */ | ||
| 92 | int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen); | ||
| 93 | |||
| 94 | /** | ||
| 95 | * selinux_get_inode_sid - get the inode's security context ID | ||
| 96 | * @inode: inode structure to get the sid from. | ||
| 97 | * @sid: pointer to security context ID to be filled in. | ||
| 98 | * | ||
| 99 | * Returns nothing | ||
| 100 | */ | ||
| 101 | void selinux_get_inode_sid(const struct inode *inode, u32 *sid); | ||
| 102 | |||
| 103 | /** | ||
| 104 | * selinux_get_ipc_sid - get the ipc security context ID | ||
| 105 | * @ipcp: ipc structure to get the sid from. | ||
| 106 | * @sid: pointer to security context ID to be filled in. | ||
| 107 | * | ||
| 108 | * Returns nothing | ||
| 109 | */ | ||
| 110 | void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid); | ||
| 111 | |||
| 112 | /** | ||
| 113 | * selinux_get_task_sid - return the SID of task | ||
| 114 | * @tsk: the task whose SID will be returned | ||
| 115 | * @sid: pointer to security context ID to be filled in. | ||
| 116 | * | ||
| 117 | * Returns nothing | ||
| 118 | */ | ||
| 119 | void selinux_get_task_sid(struct task_struct *tsk, u32 *sid); | ||
| 120 | |||
| 121 | |||
| 122 | #else | ||
| 123 | |||
| 124 | static inline int selinux_audit_rule_init(u32 field, u32 op, | ||
| 125 | char *rulestr, | ||
| 126 | struct selinux_audit_rule **rule) | ||
| 127 | { | ||
| 128 | return -ENOTSUPP; | ||
| 129 | } | ||
| 130 | |||
| 131 | static inline void selinux_audit_rule_free(struct selinux_audit_rule *rule) | ||
| 132 | { | ||
| 133 | return; | ||
| 134 | } | ||
| 135 | |||
| 136 | static inline int selinux_audit_rule_match(u32 ctxid, u32 field, u32 op, | ||
| 137 | struct selinux_audit_rule *rule, | ||
| 138 | struct audit_context *actx) | ||
| 139 | { | ||
| 140 | return 0; | ||
| 141 | } | ||
| 142 | |||
| 143 | static inline void selinux_audit_set_callback(int (*callback)(void)) | ||
| 144 | { | ||
| 145 | return; | ||
| 146 | } | ||
| 147 | |||
| 148 | static inline void selinux_task_ctxid(struct task_struct *tsk, u32 *ctxid) | ||
| 149 | { | ||
| 150 | *ctxid = 0; | ||
| 151 | } | ||
| 152 | |||
| 153 | static inline int selinux_ctxid_to_string(u32 ctxid, char **ctx, u32 *ctxlen) | ||
| 154 | { | ||
| 155 | *ctx = NULL; | ||
| 156 | *ctxlen = 0; | ||
| 157 | return 0; | ||
| 158 | } | ||
| 159 | |||
| 160 | static inline void selinux_get_inode_sid(const struct inode *inode, u32 *sid) | ||
| 161 | { | ||
| 162 | *sid = 0; | ||
| 163 | } | ||
| 164 | |||
| 165 | static inline void selinux_get_ipc_sid(const struct kern_ipc_perm *ipcp, u32 *sid) | ||
| 166 | { | ||
| 167 | *sid = 0; | ||
| 168 | } | ||
| 169 | |||
| 170 | static inline void selinux_get_task_sid(struct task_struct *tsk, u32 *sid) | ||
| 171 | { | ||
| 172 | *sid = 0; | ||
| 173 | } | ||
| 174 | |||
| 175 | #endif /* CONFIG_SECURITY_SELINUX */ | ||
| 176 | |||
| 177 | #endif /* _LINUX_SELINUX_H */ | ||