Diffstat (limited to 'include/linux')
-rw-r--r-- | include/linux/cred.h | 1 | ||||
-rw-r--r-- | include/linux/key.h | 3 | ||||
-rw-r--r-- | include/linux/keyctl.h | 1 | ||||
-rw-r--r-- | include/linux/sched.h | 1 | ||||
-rw-r--r-- | include/linux/security.h | 38 |
5 files changed, 44 insertions, 0 deletions
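diff --git a/include/linux/cred.h b/include/linux/cred.h
index 85439abdbc80..24520a539c6f 100644
--- a/include/linux/cred.h
+++ b/include/linux/cred.h
@@ -152,6 +152,7 @@ struct cred {
 extern void __put_cred(struct cred *);
 extern void exit_creds(struct task_struct *);
 extern int copy_creds(struct task_struct *, unsigned long);
+extern struct cred *cred_alloc_blank(void);
 extern struct cred *prepare_creds(void);
 extern struct cred *prepare_exec_creds(void);
 extern struct cred *prepare_usermodehelper_creds(void);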
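diff --git a/include/linux/key.h b/include/linux/key.h
index 33e0165de100..cd50dfa1d4c2 100644
--- a/include/linux/key.h
+++ b/include/linux/key.h
@@ -278,6 +278,8 @@ static inline key_serial_t key_serial(struct key *key)
 extern ctl_table key_sysctls[];
 #endif
 
+extern void key_replace_session_keyring(void);
+
 /*
  * the userspace interface
  */
@@ -300,6 +302,7 @@ extern void key_init(void);
 #define key_fsuid_changed(t) do { } while(0)
 #define key_fsgid_changed(t) do { } while(0)
 #define key_init() do { } while(0)
+#define key_replace_session_keyring() do { } while(0)
 
 #endif /* CONFIG_KEYS */
 #endif /* __KERNEL__ */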
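diff --git a/include/linux/keyctl.h b/include/linux/keyctl.h
index c0688eb72093..bd383f1944fb 100644
--- a/include/linux/keyctl.h
+++ b/include/linux/keyctl.h
@@ -52,5 +52,6 @@
 #define KEYCTL_SET_TIMEOUT 15 /* set key timeout */
 #define KEYCTL_ASSUME_AUTHORITY 16 /* assume request_key() authorisation */
 #define KEYCTL_GET_SECURITY 17 /* get key security label */
+#define KEYCTL_SESSION_TO_PARENT 18 /* apply session keyring to parent process */
 
 #endif /* _LINUX_KEYCTL_H */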
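diff --git a/include/linux/sched.h b/include/linux/sched.h
index 5c7ce13c1696..9304027673b0 100644
--- a/include/linux/sched.h
+++ b/include/linux/sched.h
@@ -1292,6 +1292,7 @@ struct task_struct {
 struct mutex cred_guard_mutex; /* guard against foreign influences on
 * credential calculations
 * (notably. ptrace) */
+struct cred *replacement_session_keyring; /* for KEYCTL_SESSION_TO_PARENT */
 
 char comm[TASK_COMM_LEN]; /* executable name excluding path
 - access with [gs]et_task_comm (which lock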
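Review bot: The new `replacement_session_keyring` member is a `struct cred *` whose comment says only what it is for, not whether task_struct owns a reference to it or what serialises reads and writes of it; placed directly under `cred_guard_mutex`, it invites the assumption that that mutex covers it, which the hunk does not establish. I would extend the comment to name the owning reference and the lock or context that guards the field, whichever the keyctl implementation actually uses, e.g. `/* for KEYCTL_SESSION_TO_PARENT; holds a cred ref, access rule: <TO CONFIRM> */`, so the rule is discoverable from the header. The enclosing `struct task_struct` begins and ends outside this hunk.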
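diff --git a/include/linux/security.h b/include/linux/security.h
index 40ba39ea68ce..97de3fe3dd0d 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -653,6 +653,11 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * manual page for definitions of the @clone_flags.
  * @clone_flags contains the flags indicating what should be shared.
  * Return 0 if permission is granted.
+ * @cred_alloc_blank:
+ * @cred points to the credentials.
+ * @gfp indicates the atomicity of any memory allocations.
+ * Only allocate sufficient memory and attach to @cred such that
+ * cred_transfer() will not get ENOMEM.
  * @cred_free:
  * @cred points to the credentials.
  * Deallocate and clear the cred->security field in a set of credentials.
@@ -665,6 +670,10 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * @new points to the new credentials.
  * @old points to the original credentials.
  * Install a new set of credentials.
+ * @cred_transfer:
+ * @new points to the new credentials.
+ * @old points to the original credentials.
+ * Transfer data from original creds to new creds
  * @kernel_act_as:
  * Set the credentials for a kernel service to act as (subjective context).
  * @new points to the credentials to be modified.
@@ -1103,6 +1112,13 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
  * Return the length of the string (including terminating NUL) or -ve if
  * an error.
  * May also return 0 (and a NULL buffer pointer) if there is no label.
+ * @key_session_to_parent:
+ * Forcibly assign the session keyring from a process to its parent
+ * process.
+ * @cred: Pointer to process's credentials
+ * @parent_cred: Pointer to parent process's credentials
+ * @keyring: Proposed new session keyring
+ * Return 0 if permission is granted, -ve error otherwise.
  *
  * Security hooks affecting all System V IPC operations.
  *
@@ -1498,10 +1514,12 @@ struct security_operations {
 int (*dentry_open) (struct file *file, const struct cred *cred);
 
 int (*task_create) (unsigned long clone_flags);
+int (*cred_alloc_blank) (struct cred *cred, gfp_t gfp);
 void (*cred_free) (struct cred *cred);
 int (*cred_prepare)(struct cred *new, const struct cred *old,
 gfp_t gfp);
 void (*cred_commit)(struct cred *new, const struct cred *old);
+void (*cred_transfer)(struct cred *new, const struct cred *old);
 int (*kernel_act_as)(struct cred *new, u32 secid);
 int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
 int (*kernel_module_request)(void);
@@ -1639,6 +1657,9 @@ struct security_operations {
 const struct cred *cred,
 key_perm_t perm);
 int (*key_getsecurity)(struct key *key, char **_buffer);
+int (*key_session_to_parent)(const struct cred *cred,
+const struct cred *parent_cred,
+struct key *key);
 #endif /* CONFIG_KEYS */
 
 #ifdef CONFIG_AUDIT
@@ -1755,9 +1776,11 @@ int security_file_send_sigiotask(struct task_struct *tsk,
 int security_file_receive(struct file *file);
 int security_dentry_open(struct file *file, const struct cred *cred);
 int security_task_create(unsigned long clone_flags);
+int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
 void security_cred_free(struct cred *cred);
 int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
 void security_commit_creds(struct cred *new, const struct cred *old);
+void security_transfer_creds(struct cred *new, const struct cred *old);
 int security_kernel_act_as(struct cred *new, u32 secid);
 int security_kernel_create_files_as(struct cred *new, struct inode *inode);
 int security_kernel_module_request(void);
@@ -2286,6 +2309,9 @@ static inline int security_task_create(unsigned long clone_flags)
 return 0;
 }
 
+static inline void security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
+{ }
+
 static inline void security_cred_free(struct cred *cred)
 { }
 
@@ -2301,6 +2327,11 @@ static inline void security_commit_creds(struct cred *new,
 {
 }
 
+static inline void security_transfer_creds(struct cred *new,
+const struct cred *old)
+{
+}
+
 static inline int security_kernel_act_as(struct cred *cred, u32 secid)
 {
 return 0;
@@ -2923,6 +2954,9 @@ void security_key_free(struct key *key);
 int security_key_permission(key_ref_t key_ref,
 const struct cred *cred, key_perm_t perm);
 int security_key_getsecurity(struct key *key, char **_buffer);
+int security_key_session_to_parent(const struct cred *cred,
+const struct cred *parent_cred,
+struct key *key);
 
 #else
 
@@ -2950,6 +2984,10 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
 return 0;
 }
 
+static inline int security_key_session_to_parent(const struct cred *cred,
+const struct cred *parent_cred,
+struct key *key);
+
 #endif
 #endif /* CONFIG_KEYS */
 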
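Review bot: The !CONFIG_SECURITY stub `security_cred_alloc_blank` in the `@@ -2286` hunk is declared `void` with an empty body while the prototype added in the `@@ -1755` hunk returns `int`, so a caller that checks the result (as the kerneldoc's ENOMEM contract implies it should) fails to build when CONFIG_SECURITY is off; it should read `static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)` `{ return 0; }`. The final hunk (`@@ -2950`) ends the stub `security_key_session_to_parent` with `;` instead of a body, leaving a static inline declared but never defined in that configuration, so it needs `{ return 0; }` like the neighbouring `security_key_getsecurity` stub; both stubs then match the section's convention that a missing LSM grants permission. The new hook documentation in the `@@ -1103` hunk names the third parameter `@keyring`, but both prototypes in the `@@ -1639` and `@@ -2923` hunks call it `key`; rename one so the kerneldoc matches the signature.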