tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / security.h
at v2.6.13 97 kB view raw
1/* 2 * Linux Security plug 3 * 4 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com> 5 * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com> 6 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com> 7 * Copyright (C) 2001 James Morris <jmorris@intercode.com.au> 8 * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group) 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License as published by 12 * the Free Software Foundation; either version 2 of the License, or 13 * (at your option) any later version. 14 * 15 * Due to this file being licensed under the GPL there is controversy over 16 * whether this permits you to write a module that #includes this file 17 * without placing your module under the GPL. Please consult a lawyer for 18 * advice before doing this. 19 * 20 */ 21 22#ifndef __LINUX_SECURITY_H 23#define __LINUX_SECURITY_H 24 25#include <linux/fs.h> 26#include <linux/binfmts.h> 27#include <linux/signal.h> 28#include <linux/resource.h> 29#include <linux/sem.h> 30#include <linux/shm.h> 31#include <linux/msg.h> 32#include <linux/sched.h> 33 34struct ctl_table; 35 36/* 37 * These functions are in security/capability.c and are used 38 * as the default capabilities functions 39 */ 40extern int cap_capable (struct task_struct *tsk, int cap); 41extern int cap_settime (struct timespec *ts, struct timezone *tz); 42extern int cap_ptrace (struct task_struct *parent, struct task_struct *child); 43extern int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 44extern int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 45extern void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 46extern int cap_bprm_set_security (struct linux_binprm *bprm); 47extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe); 48extern int cap_bprm_secureexec(struct linux_binprm *bprm); 49extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags); 50extern int cap_inode_removexattr(struct dentry *dentry, char *name); 51extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); 52extern void cap_task_reparent_to_init (struct task_struct *p); 53extern int cap_syslog (int type); 54extern int cap_vm_enough_memory (long pages); 55 56struct msghdr; 57struct sk_buff; 58struct sock; 59struct sockaddr; 60struct socket; 61 62extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); 63extern int cap_netlink_recv(struct sk_buff *skb); 64 65/* 66 * Values used in the task_security_ops calls 67 */ 68/* setuid or setgid, id0 == uid or gid */ 69#define LSM_SETID_ID 1 70 71/* setreuid or setregid, id0 == real, id1 == eff */ 72#define LSM_SETID_RE 2 73 74/* setresuid or setresgid, id0 == real, id1 == eff, uid2 == saved */ 75#define LSM_SETID_RES 4 76 77/* setfsuid or setfsgid, id0 == fsuid or fsgid */ 78#define LSM_SETID_FS 8 79 80/* forward declares to avoid warnings */ 81struct nfsctl_arg; 82struct sched_param; 83struct swap_info_struct; 84 85/* bprm_apply_creds unsafe reasons */ 86#define LSM_UNSAFE_SHARE 1 87#define LSM_UNSAFE_PTRACE 2 88#define LSM_UNSAFE_PTRACE_CAP 4 89 90#ifdef CONFIG_SECURITY 91 92/** 93 * struct security_operations - main security structure 94 * 95 * Security hooks for program execution operations. 96 * 97 * @bprm_alloc_security: 98 * Allocate and attach a security structure to the @bprm->security field. 99 * The security field is initialized to NULL when the bprm structure is 100 * allocated. 101 * @bprm contains the linux_binprm structure to be modified. 102 * Return 0 if operation was successful. 103 * @bprm_free_security: 104 * @bprm contains the linux_binprm structure to be modified. 105 * Deallocate and clear the @bprm->security field. 106 * @bprm_apply_creds: 107 * Compute and set the security attributes of a process being transformed 108 * by an execve operation based on the old attributes (current->security) 109 * and the information saved in @bprm->security by the set_security hook. 110 * Since this hook function (and its caller) are void, this hook can not 111 * return an error. However, it can leave the security attributes of the 112 * process unchanged if an access failure occurs at this point. 113 * bprm_apply_creds is called under task_lock. @unsafe indicates various 114 * reasons why it may be unsafe to change security state. 115 * @bprm contains the linux_binprm structure. 116 * @bprm_post_apply_creds: 117 * Runs after bprm_apply_creds with the task_lock dropped, so that 118 * functions which cannot be called safely under the task_lock can 119 * be used. This hook is a good place to perform state changes on 120 * the process such as closing open file descriptors to which access 121 * is no longer granted if the attributes were changed. 122 * Note that a security module might need to save state between 123 * bprm_apply_creds and bprm_post_apply_creds to store the decision 124 * on whether the process may proceed. 125 * @bprm contains the linux_binprm structure. 126 * @bprm_set_security: 127 * Save security information in the bprm->security field, typically based 128 * on information about the bprm->file, for later use by the apply_creds 129 * hook. This hook may also optionally check permissions (e.g. for 130 * transitions between security domains). 131 * This hook may be called multiple times during a single execve, e.g. for 132 * interpreters. The hook can tell whether it has already been called by 133 * checking to see if @bprm->security is non-NULL. If so, then the hook 134 * may decide either to retain the security information saved earlier or 135 * to replace it. 136 * @bprm contains the linux_binprm structure. 137 * Return 0 if the hook is successful and permission is granted. 138 * @bprm_check_security: 139 * This hook mediates the point when a search for a binary handler will 140 * begin. It allows a check the @bprm->security value which is set in 141 * the preceding set_security call. The primary difference from 142 * set_security is that the argv list and envp list are reliably 143 * available in @bprm. This hook may be called multiple times 144 * during a single execve; and in each pass set_security is called 145 * first. 146 * @bprm contains the linux_binprm structure. 147 * Return 0 if the hook is successful and permission is granted. 148 * @bprm_secureexec: 149 * Return a boolean value (0 or 1) indicating whether a "secure exec" 150 * is required. The flag is passed in the auxiliary table 151 * on the initial stack to the ELF interpreter to indicate whether libc 152 * should enable secure mode. 153 * @bprm contains the linux_binprm structure. 154 * 155 * Security hooks for filesystem operations. 156 * 157 * @sb_alloc_security: 158 * Allocate and attach a security structure to the sb->s_security field. 159 * The s_security field is initialized to NULL when the structure is 160 * allocated. 161 * @sb contains the super_block structure to be modified. 162 * Return 0 if operation was successful. 163 * @sb_free_security: 164 * Deallocate and clear the sb->s_security field. 165 * @sb contains the super_block structure to be modified. 166 * @sb_statfs: 167 * Check permission before obtaining filesystem statistics for the @sb 168 * filesystem. 169 * @sb contains the super_block structure for the filesystem. 170 * Return 0 if permission is granted. 171 * @sb_mount: 172 * Check permission before an object specified by @dev_name is mounted on 173 * the mount point named by @nd. For an ordinary mount, @dev_name 174 * identifies a device if the file system type requires a device. For a 175 * remount (@flags & MS_REMOUNT), @dev_name is irrelevant. For a 176 * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the 177 * pathname of the object being mounted. 178 * @dev_name contains the name for object being mounted. 179 * @nd contains the nameidata structure for mount point object. 180 * @type contains the filesystem type. 181 * @flags contains the mount flags. 182 * @data contains the filesystem-specific data. 183 * Return 0 if permission is granted. 184 * @sb_copy_data: 185 * Allow mount option data to be copied prior to parsing by the filesystem, 186 * so that the security module can extract security-specific mount 187 * options cleanly (a filesystem may modify the data e.g. with strsep()). 188 * This also allows the original mount data to be stripped of security- 189 * specific options to avoid having to make filesystems aware of them. 190 * @type the type of filesystem being mounted. 191 * @orig the original mount data copied from userspace. 192 * @copy copied data which will be passed to the security module. 193 * Returns 0 if the copy was successful. 194 * @sb_check_sb: 195 * Check permission before the device with superblock @mnt->sb is mounted 196 * on the mount point named by @nd. 197 * @mnt contains the vfsmount for device being mounted. 198 * @nd contains the nameidata object for the mount point. 199 * Return 0 if permission is granted. 200 * @sb_umount: 201 * Check permission before the @mnt file system is unmounted. 202 * @mnt contains the mounted file system. 203 * @flags contains the unmount flags, e.g. MNT_FORCE. 204 * Return 0 if permission is granted. 205 * @sb_umount_close: 206 * Close any files in the @mnt mounted filesystem that are held open by 207 * the security module. This hook is called during an umount operation 208 * prior to checking whether the filesystem is still busy. 209 * @mnt contains the mounted filesystem. 210 * @sb_umount_busy: 211 * Handle a failed umount of the @mnt mounted filesystem, e.g. re-opening 212 * any files that were closed by umount_close. This hook is called during 213 * an umount operation if the umount fails after a call to the 214 * umount_close hook. 215 * @mnt contains the mounted filesystem. 216 * @sb_post_remount: 217 * Update the security module's state when a filesystem is remounted. 218 * This hook is only called if the remount was successful. 219 * @mnt contains the mounted file system. 220 * @flags contains the new filesystem flags. 221 * @data contains the filesystem-specific data. 222 * @sb_post_mountroot: 223 * Update the security module's state when the root filesystem is mounted. 224 * This hook is only called if the mount was successful. 225 * @sb_post_addmount: 226 * Update the security module's state when a filesystem is mounted. 227 * This hook is called any time a mount is successfully grafetd to 228 * the tree. 229 * @mnt contains the mounted filesystem. 230 * @mountpoint_nd contains the nameidata structure for the mount point. 231 * @sb_pivotroot: 232 * Check permission before pivoting the root filesystem. 233 * @old_nd contains the nameidata structure for the new location of the current root (put_old). 234 * @new_nd contains the nameidata structure for the new root (new_root). 235 * Return 0 if permission is granted. 236 * @sb_post_pivotroot: 237 * Update module state after a successful pivot. 238 * @old_nd contains the nameidata structure for the old root. 239 * @new_nd contains the nameidata structure for the new root. 240 * 241 * Security hooks for inode operations. 242 * 243 * @inode_alloc_security: 244 * Allocate and attach a security structure to @inode->i_security. The 245 * i_security field is initialized to NULL when the inode structure is 246 * allocated. 247 * @inode contains the inode structure. 248 * Return 0 if operation was successful. 249 * @inode_free_security: 250 * @inode contains the inode structure. 251 * Deallocate the inode security structure and set @inode->i_security to 252 * NULL. 253 * @inode_create: 254 * Check permission to create a regular file. 255 * @dir contains inode structure of the parent of the new file. 256 * @dentry contains the dentry structure for the file to be created. 257 * @mode contains the file mode of the file to be created. 258 * Return 0 if permission is granted. 259 * @inode_post_create: 260 * Set the security attributes on a newly created regular file. This hook 261 * is called after a file has been successfully created. 262 * @dir contains the inode structure of the parent directory of the new file. 263 * @dentry contains the the dentry structure for the newly created file. 264 * @mode contains the file mode. 265 * @inode_link: 266 * Check permission before creating a new hard link to a file. 267 * @old_dentry contains the dentry structure for an existing link to the file. 268 * @dir contains the inode structure of the parent directory of the new link. 269 * @new_dentry contains the dentry structure for the new link. 270 * Return 0 if permission is granted. 271 * @inode_post_link: 272 * Set security attributes for a new hard link to a file. 273 * @old_dentry contains the dentry structure for the existing link. 274 * @dir contains the inode structure of the parent directory of the new file. 275 * @new_dentry contains the dentry structure for the new file link. 276 * @inode_unlink: 277 * Check the permission to remove a hard link to a file. 278 * @dir contains the inode structure of parent directory of the file. 279 * @dentry contains the dentry structure for file to be unlinked. 280 * Return 0 if permission is granted. 281 * @inode_symlink: 282 * Check the permission to create a symbolic link to a file. 283 * @dir contains the inode structure of parent directory of the symbolic link. 284 * @dentry contains the dentry structure of the symbolic link. 285 * @old_name contains the pathname of file. 286 * Return 0 if permission is granted. 287 * @inode_post_symlink: 288 * @dir contains the inode structure of the parent directory of the new link. 289 * @dentry contains the dentry structure of new symbolic link. 290 * @old_name contains the pathname of file. 291 * Set security attributes for a newly created symbolic link. Note that 292 * @dentry->d_inode may be NULL, since the filesystem might not 293 * instantiate the dentry (e.g. NFS). 294 * @inode_mkdir: 295 * Check permissions to create a new directory in the existing directory 296 * associated with inode strcture @dir. 297 * @dir containst the inode structure of parent of the directory to be created. 298 * @dentry contains the dentry structure of new directory. 299 * @mode contains the mode of new directory. 300 * Return 0 if permission is granted. 301 * @inode_post_mkdir: 302 * Set security attributes on a newly created directory. 303 * @dir contains the inode structure of parent of the directory to be created. 304 * @dentry contains the dentry structure of new directory. 305 * @mode contains the mode of new directory. 306 * @inode_rmdir: 307 * Check the permission to remove a directory. 308 * @dir contains the inode structure of parent of the directory to be removed. 309 * @dentry contains the dentry structure of directory to be removed. 310 * Return 0 if permission is granted. 311 * @inode_mknod: 312 * Check permissions when creating a special file (or a socket or a fifo 313 * file created via the mknod system call). Note that if mknod operation 314 * is being done for a regular file, then the create hook will be called 315 * and not this hook. 316 * @dir contains the inode structure of parent of the new file. 317 * @dentry contains the dentry structure of the new file. 318 * @mode contains the mode of the new file. 319 * @dev contains the the device number. 320 * Return 0 if permission is granted. 321 * @inode_post_mknod: 322 * Set security attributes on a newly created special file (or socket or 323 * fifo file created via the mknod system call). 324 * @dir contains the inode structure of parent of the new node. 325 * @dentry contains the dentry structure of the new node. 326 * @mode contains the mode of the new node. 327 * @dev contains the the device number. 328 * @inode_rename: 329 * Check for permission to rename a file or directory. 330 * @old_dir contains the inode structure for parent of the old link. 331 * @old_dentry contains the dentry structure of the old link. 332 * @new_dir contains the inode structure for parent of the new link. 333 * @new_dentry contains the dentry structure of the new link. 334 * Return 0 if permission is granted. 335 * @inode_post_rename: 336 * Set security attributes on a renamed file or directory. 337 * @old_dir contains the inode structure for parent of the old link. 338 * @old_dentry contains the dentry structure of the old link. 339 * @new_dir contains the inode structure for parent of the new link. 340 * @new_dentry contains the dentry structure of the new link. 341 * @inode_readlink: 342 * Check the permission to read the symbolic link. 343 * @dentry contains the dentry structure for the file link. 344 * Return 0 if permission is granted. 345 * @inode_follow_link: 346 * Check permission to follow a symbolic link when looking up a pathname. 347 * @dentry contains the dentry structure for the link. 348 * @nd contains the nameidata structure for the parent directory. 349 * Return 0 if permission is granted. 350 * @inode_permission: 351 * Check permission before accessing an inode. This hook is called by the 352 * existing Linux permission function, so a security module can use it to 353 * provide additional checking for existing Linux permission checks. 354 * Notice that this hook is called when a file is opened (as well as many 355 * other operations), whereas the file_security_ops permission hook is 356 * called when the actual read/write operations are performed. 357 * @inode contains the inode structure to check. 358 * @mask contains the permission mask. 359 * @nd contains the nameidata (may be NULL). 360 * Return 0 if permission is granted. 361 * @inode_setattr: 362 * Check permission before setting file attributes. Note that the kernel 363 * call to notify_change is performed from several locations, whenever 364 * file attributes change (such as when a file is truncated, chown/chmod 365 * operations, transferring disk quotas, etc). 366 * @dentry contains the dentry structure for the file. 367 * @attr is the iattr structure containing the new file attributes. 368 * Return 0 if permission is granted. 369 * @inode_getattr: 370 * Check permission before obtaining file attributes. 371 * @mnt is the vfsmount where the dentry was looked up 372 * @dentry contains the dentry structure for the file. 373 * Return 0 if permission is granted. 374 * @inode_delete: 375 * @inode contains the inode structure for deleted inode. 376 * This hook is called when a deleted inode is released (i.e. an inode 377 * with no hard links has its use count drop to zero). A security module 378 * can use this hook to release any persistent label associated with the 379 * inode. 380 * @inode_setxattr: 381 * Check permission before setting the extended attributes 382 * @value identified by @name for @dentry. 383 * Return 0 if permission is granted. 384 * @inode_post_setxattr: 385 * Update inode security field after successful setxattr operation. 386 * @value identified by @name for @dentry. 387 * @inode_getxattr: 388 * Check permission before obtaining the extended attributes 389 * identified by @name for @dentry. 390 * Return 0 if permission is granted. 391 * @inode_listxattr: 392 * Check permission before obtaining the list of extended attribute 393 * names for @dentry. 394 * Return 0 if permission is granted. 395 * @inode_removexattr: 396 * Check permission before removing the extended attribute 397 * identified by @name for @dentry. 398 * Return 0 if permission is granted. 399 * @inode_getsecurity: 400 * Copy the extended attribute representation of the security label 401 * associated with @name for @inode into @buffer. @buffer may be 402 * NULL to request the size of the buffer required. @size indicates 403 * the size of @buffer in bytes. Note that @name is the remainder 404 * of the attribute name after the security. prefix has been removed. 405 * Return number of bytes used/required on success. 406 * @inode_setsecurity: 407 * Set the security label associated with @name for @inode from the 408 * extended attribute value @value. @size indicates the size of the 409 * @value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0. 410 * Note that @name is the remainder of the attribute name after the 411 * security. prefix has been removed. 412 * Return 0 on success. 413 * @inode_listsecurity: 414 * Copy the extended attribute names for the security labels 415 * associated with @inode into @buffer. The maximum size of @buffer 416 * is specified by @buffer_size. @buffer may be NULL to request 417 * the size of the buffer required. 418 * Returns number of bytes used/required on success. 419 * 420 * Security hooks for file operations 421 * 422 * @file_permission: 423 * Check file permissions before accessing an open file. This hook is 424 * called by various operations that read or write files. A security 425 * module can use this hook to perform additional checking on these 426 * operations, e.g. to revalidate permissions on use to support privilege 427 * bracketing or policy changes. Notice that this hook is used when the 428 * actual read/write operations are performed, whereas the 429 * inode_security_ops hook is called when a file is opened (as well as 430 * many other operations). 431 * Caveat: Although this hook can be used to revalidate permissions for 432 * various system call operations that read or write files, it does not 433 * address the revalidation of permissions for memory-mapped files. 434 * Security modules must handle this separately if they need such 435 * revalidation. 436 * @file contains the file structure being accessed. 437 * @mask contains the requested permissions. 438 * Return 0 if permission is granted. 439 * @file_alloc_security: 440 * Allocate and attach a security structure to the file->f_security field. 441 * The security field is initialized to NULL when the structure is first 442 * created. 443 * @file contains the file structure to secure. 444 * Return 0 if the hook is successful and permission is granted. 445 * @file_free_security: 446 * Deallocate and free any security structures stored in file->f_security. 447 * @file contains the file structure being modified. 448 * @file_ioctl: 449 * @file contains the file structure. 450 * @cmd contains the operation to perform. 451 * @arg contains the operational arguments. 452 * Check permission for an ioctl operation on @file. Note that @arg can 453 * sometimes represents a user space pointer; in other cases, it may be a 454 * simple integer value. When @arg represents a user space pointer, it 455 * should never be used by the security module. 456 * Return 0 if permission is granted. 457 * @file_mmap : 458 * Check permissions for a mmap operation. The @file may be NULL, e.g. 459 * if mapping anonymous memory. 460 * @file contains the file structure for file to map (may be NULL). 461 * @reqprot contains the protection requested by the application. 462 * @prot contains the protection that will be applied by the kernel. 463 * @flags contains the operational flags. 464 * Return 0 if permission is granted. 465 * @file_mprotect: 466 * Check permissions before changing memory access permissions. 467 * @vma contains the memory region to modify. 468 * @reqprot contains the protection requested by the application. 469 * @prot contains the protection that will be applied by the kernel. 470 * Return 0 if permission is granted. 471 * @file_lock: 472 * Check permission before performing file locking operations. 473 * Note: this hook mediates both flock and fcntl style locks. 474 * @file contains the file structure. 475 * @cmd contains the posix-translated lock operation to perform 476 * (e.g. F_RDLCK, F_WRLCK). 477 * Return 0 if permission is granted. 478 * @file_fcntl: 479 * Check permission before allowing the file operation specified by @cmd 480 * from being performed on the file @file. Note that @arg can sometimes 481 * represents a user space pointer; in other cases, it may be a simple 482 * integer value. When @arg represents a user space pointer, it should 483 * never be used by the security module. 484 * @file contains the file structure. 485 * @cmd contains the operation to be performed. 486 * @arg contains the operational arguments. 487 * Return 0 if permission is granted. 488 * @file_set_fowner: 489 * Save owner security information (typically from current->security) in 490 * file->f_security for later use by the send_sigiotask hook. 491 * @file contains the file structure to update. 492 * Return 0 on success. 493 * @file_send_sigiotask: 494 * Check permission for the file owner @fown to send SIGIO or SIGURG to the 495 * process @tsk. Note that this hook is sometimes called from interrupt. 496 * Note that the fown_struct, @fown, is never outside the context of a 497 * struct file, so the file structure (and associated security information) 498 * can always be obtained: 499 * (struct file *)((long)fown - offsetof(struct file,f_owner)); 500 * @tsk contains the structure of task receiving signal. 501 * @fown contains the file owner information. 502 * @sig is the signal that will be sent. When 0, kernel sends SIGIO. 503 * Return 0 if permission is granted. 504 * @file_receive: 505 * This hook allows security modules to control the ability of a process 506 * to receive an open file descriptor via socket IPC. 507 * @file contains the file structure being received. 508 * Return 0 if permission is granted. 509 * 510 * Security hooks for task operations. 511 * 512 * @task_create: 513 * Check permission before creating a child process. See the clone(2) 514 * manual page for definitions of the @clone_flags. 515 * @clone_flags contains the flags indicating what should be shared. 516 * Return 0 if permission is granted. 517 * @task_alloc_security: 518 * @p contains the task_struct for child process. 519 * Allocate and attach a security structure to the p->security field. The 520 * security field is initialized to NULL when the task structure is 521 * allocated. 522 * Return 0 if operation was successful. 523 * @task_free_security: 524 * @p contains the task_struct for process. 525 * Deallocate and clear the p->security field. 526 * @task_setuid: 527 * Check permission before setting one or more of the user identity 528 * attributes of the current process. The @flags parameter indicates 529 * which of the set*uid system calls invoked this hook and how to 530 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 531 * definitions at the beginning of this file for the @flags values and 532 * their meanings. 533 * @id0 contains a uid. 534 * @id1 contains a uid. 535 * @id2 contains a uid. 536 * @flags contains one of the LSM_SETID_* values. 537 * Return 0 if permission is granted. 538 * @task_post_setuid: 539 * Update the module's state after setting one or more of the user 540 * identity attributes of the current process. The @flags parameter 541 * indicates which of the set*uid system calls invoked this hook. If 542 * @flags is LSM_SETID_FS, then @old_ruid is the old fs uid and the other 543 * parameters are not used. 544 * @old_ruid contains the old real uid (or fs uid if LSM_SETID_FS). 545 * @old_euid contains the old effective uid (or -1 if LSM_SETID_FS). 546 * @old_suid contains the old saved uid (or -1 if LSM_SETID_FS). 547 * @flags contains one of the LSM_SETID_* values. 548 * Return 0 on success. 549 * @task_setgid: 550 * Check permission before setting one or more of the group identity 551 * attributes of the current process. The @flags parameter indicates 552 * which of the set*gid system calls invoked this hook and how to 553 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 554 * definitions at the beginning of this file for the @flags values and 555 * their meanings. 556 * @id0 contains a gid. 557 * @id1 contains a gid. 558 * @id2 contains a gid. 559 * @flags contains one of the LSM_SETID_* values. 560 * Return 0 if permission is granted. 561 * @task_setpgid: 562 * Check permission before setting the process group identifier of the 563 * process @p to @pgid. 564 * @p contains the task_struct for process being modified. 565 * @pgid contains the new pgid. 566 * Return 0 if permission is granted. 567 * @task_getpgid: 568 * Check permission before getting the process group identifier of the 569 * process @p. 570 * @p contains the task_struct for the process. 571 * Return 0 if permission is granted. 572 * @task_getsid: 573 * Check permission before getting the session identifier of the process 574 * @p. 575 * @p contains the task_struct for the process. 576 * Return 0 if permission is granted. 577 * @task_setgroups: 578 * Check permission before setting the supplementary group set of the 579 * current process. 580 * @group_info contains the new group information. 581 * Return 0 if permission is granted. 582 * @task_setnice: 583 * Check permission before setting the nice value of @p to @nice. 584 * @p contains the task_struct of process. 585 * @nice contains the new nice value. 586 * Return 0 if permission is granted. 587 * @task_setrlimit: 588 * Check permission before setting the resource limits of the current 589 * process for @resource to @new_rlim. The old resource limit values can 590 * be examined by dereferencing (current->signal->rlim + resource). 591 * @resource contains the resource whose limit is being set. 592 * @new_rlim contains the new limits for @resource. 593 * Return 0 if permission is granted. 594 * @task_setscheduler: 595 * Check permission before setting scheduling policy and/or parameters of 596 * process @p based on @policy and @lp. 597 * @p contains the task_struct for process. 598 * @policy contains the scheduling policy. 599 * @lp contains the scheduling parameters. 600 * Return 0 if permission is granted. 601 * @task_getscheduler: 602 * Check permission before obtaining scheduling information for process 603 * @p. 604 * @p contains the task_struct for process. 605 * Return 0 if permission is granted. 606 * @task_kill: 607 * Check permission before sending signal @sig to @p. @info can be NULL, 608 * the constant 1, or a pointer to a siginfo structure. If @info is 1 or 609 * SI_FROMKERNEL(info) is true, then the signal should be viewed as coming 610 * from the kernel and should typically be permitted. 611 * SIGIO signals are handled separately by the send_sigiotask hook in 612 * file_security_ops. 613 * @p contains the task_struct for process. 614 * @info contains the signal information. 615 * @sig contains the signal value. 616 * Return 0 if permission is granted. 617 * @task_wait: 618 * Check permission before allowing a process to reap a child process @p 619 * and collect its status information. 620 * @p contains the task_struct for process. 621 * Return 0 if permission is granted. 622 * @task_prctl: 623 * Check permission before performing a process control operation on the 624 * current process. 625 * @option contains the operation. 626 * @arg2 contains a argument. 627 * @arg3 contains a argument. 628 * @arg4 contains a argument. 629 * @arg5 contains a argument. 630 * Return 0 if permission is granted. 631 * @task_reparent_to_init: 632 * Set the security attributes in @p->security for a kernel thread that 633 * is being reparented to the init task. 634 * @p contains the task_struct for the kernel thread. 635 * @task_to_inode: 636 * Set the security attributes for an inode based on an associated task's 637 * security attributes, e.g. for /proc/pid inodes. 638 * @p contains the task_struct for the task. 639 * @inode contains the inode structure for the inode. 640 * 641 * Security hooks for Netlink messaging. 642 * 643 * @netlink_send: 644 * Save security information for a netlink message so that permission 645 * checking can be performed when the message is processed. The security 646 * information can be saved using the eff_cap field of the 647 * netlink_skb_parms structure. Also may be used to provide fine 648 * grained control over message transmission. 649 * @sk associated sock of task sending the message., 650 * @skb contains the sk_buff structure for the netlink message. 651 * Return 0 if the information was successfully saved and message 652 * is allowed to be transmitted. 653 * @netlink_recv: 654 * Check permission before processing the received netlink message in 655 * @skb. 656 * @skb contains the sk_buff structure for the netlink message. 657 * Return 0 if permission is granted. 658 * 659 * Security hooks for Unix domain networking. 660 * 661 * @unix_stream_connect: 662 * Check permissions before establishing a Unix domain stream connection 663 * between @sock and @other. 664 * @sock contains the socket structure. 665 * @other contains the peer socket structure. 666 * Return 0 if permission is granted. 667 * @unix_may_send: 668 * Check permissions before connecting or sending datagrams from @sock to 669 * @other. 670 * @sock contains the socket structure. 671 * @sock contains the peer socket structure. 672 * Return 0 if permission is granted. 673 * 674 * The @unix_stream_connect and @unix_may_send hooks were necessary because 675 * Linux provides an alternative to the conventional file name space for Unix 676 * domain sockets. Whereas binding and connecting to sockets in the file name 677 * space is mediated by the typical file permissions (and caught by the mknod 678 * and permission hooks in inode_security_ops), binding and connecting to 679 * sockets in the abstract name space is completely unmediated. Sufficient 680 * control of Unix domain sockets in the abstract name space isn't possible 681 * using only the socket layer hooks, since we need to know the actual target 682 * socket, which is not looked up until we are inside the af_unix code. 683 * 684 * Security hooks for socket operations. 685 * 686 * @socket_create: 687 * Check permissions prior to creating a new socket. 688 * @family contains the requested protocol family. 689 * @type contains the requested communications type. 690 * @protocol contains the requested protocol. 691 * @kern set to 1 if a kernel socket. 692 * Return 0 if permission is granted. 693 * @socket_post_create: 694 * This hook allows a module to update or allocate a per-socket security 695 * structure. Note that the security field was not added directly to the 696 * socket structure, but rather, the socket security information is stored 697 * in the associated inode. Typically, the inode alloc_security hook will 698 * allocate and and attach security information to 699 * sock->inode->i_security. This hook may be used to update the 700 * sock->inode->i_security field with additional information that wasn't 701 * available when the inode was allocated. 702 * @sock contains the newly created socket structure. 703 * @family contains the requested protocol family. 704 * @type contains the requested communications type. 705 * @protocol contains the requested protocol. 706 * @kern set to 1 if a kernel socket. 707 * @socket_bind: 708 * Check permission before socket protocol layer bind operation is 709 * performed and the socket @sock is bound to the address specified in the 710 * @address parameter. 711 * @sock contains the socket structure. 712 * @address contains the address to bind to. 713 * @addrlen contains the length of address. 714 * Return 0 if permission is granted. 715 * @socket_connect: 716 * Check permission before socket protocol layer connect operation 717 * attempts to connect socket @sock to a remote address, @address. 718 * @sock contains the socket structure. 719 * @address contains the address of remote endpoint. 720 * @addrlen contains the length of address. 721 * Return 0 if permission is granted. 722 * @socket_listen: 723 * Check permission before socket protocol layer listen operation. 724 * @sock contains the socket structure. 725 * @backlog contains the maximum length for the pending connection queue. 726 * Return 0 if permission is granted. 727 * @socket_accept: 728 * Check permission before accepting a new connection. Note that the new 729 * socket, @newsock, has been created and some information copied to it, 730 * but the accept operation has not actually been performed. 731 * @sock contains the listening socket structure. 732 * @newsock contains the newly created server socket for connection. 733 * Return 0 if permission is granted. 734 * @socket_post_accept: 735 * This hook allows a security module to copy security 736 * information into the newly created socket's inode. 737 * @sock contains the listening socket structure. 738 * @newsock contains the newly created server socket for connection. 739 * @socket_sendmsg: 740 * Check permission before transmitting a message to another socket. 741 * @sock contains the socket structure. 742 * @msg contains the message to be transmitted. 743 * @size contains the size of message. 744 * Return 0 if permission is granted. 745 * @socket_recvmsg: 746 * Check permission before receiving a message from a socket. 747 * @sock contains the socket structure. 748 * @msg contains the message structure. 749 * @size contains the size of message structure. 750 * @flags contains the operational flags. 751 * Return 0 if permission is granted. 752 * @socket_getsockname: 753 * Check permission before the local address (name) of the socket object 754 * @sock is retrieved. 755 * @sock contains the socket structure. 756 * Return 0 if permission is granted. 757 * @socket_getpeername: 758 * Check permission before the remote address (name) of a socket object 759 * @sock is retrieved. 760 * @sock contains the socket structure. 761 * Return 0 if permission is granted. 762 * @socket_getsockopt: 763 * Check permissions before retrieving the options associated with socket 764 * @sock. 765 * @sock contains the socket structure. 766 * @level contains the protocol level to retrieve option from. 767 * @optname contains the name of option to retrieve. 768 * Return 0 if permission is granted. 769 * @socket_setsockopt: 770 * Check permissions before setting the options associated with socket 771 * @sock. 772 * @sock contains the socket structure. 773 * @level contains the protocol level to set options for. 774 * @optname contains the name of the option to set. 775 * Return 0 if permission is granted. 776 * @socket_shutdown: 777 * Checks permission before all or part of a connection on the socket 778 * @sock is shut down. 779 * @sock contains the socket structure. 780 * @how contains the flag indicating how future sends and receives are handled. 781 * Return 0 if permission is granted. 782 * @socket_sock_rcv_skb: 783 * Check permissions on incoming network packets. This hook is distinct 784 * from Netfilter's IP input hooks since it is the first time that the 785 * incoming sk_buff @skb has been associated with a particular socket, @sk. 786 * @sk contains the sock (not socket) associated with the incoming sk_buff. 787 * @skb contains the incoming network data. 788 * @socket_getpeersec: 789 * This hook allows the security module to provide peer socket security 790 * state to userspace via getsockopt SO_GETPEERSEC. 791 * @sock is the local socket. 792 * @optval userspace memory where the security state is to be copied. 793 * @optlen userspace int where the module should copy the actual length 794 * of the security state. 795 * @len as input is the maximum length to copy to userspace provided 796 * by the caller. 797 * Return 0 if all is well, otherwise, typical getsockopt return 798 * values. 799 * @sk_alloc_security: 800 * Allocate and attach a security structure to the sk->sk_security field, 801 * which is used to copy security attributes between local stream sockets. 802 * @sk_free_security: 803 * Deallocate security structure. 804 * 805 * Security hooks affecting all System V IPC operations. 806 * 807 * @ipc_permission: 808 * Check permissions for access to IPC 809 * @ipcp contains the kernel IPC permission structure 810 * @flag contains the desired (requested) permission set 811 * Return 0 if permission is granted. 812 * 813 * Security hooks for individual messages held in System V IPC message queues 814 * @msg_msg_alloc_security: 815 * Allocate and attach a security structure to the msg->security field. 816 * The security field is initialized to NULL when the structure is first 817 * created. 818 * @msg contains the message structure to be modified. 819 * Return 0 if operation was successful and permission is granted. 820 * @msg_msg_free_security: 821 * Deallocate the security structure for this message. 822 * @msg contains the message structure to be modified. 823 * 824 * Security hooks for System V IPC Message Queues 825 * 826 * @msg_queue_alloc_security: 827 * Allocate and attach a security structure to the 828 * msq->q_perm.security field. The security field is initialized to 829 * NULL when the structure is first created. 830 * @msq contains the message queue structure to be modified. 831 * Return 0 if operation was successful and permission is granted. 832 * @msg_queue_free_security: 833 * Deallocate security structure for this message queue. 834 * @msq contains the message queue structure to be modified. 835 * @msg_queue_associate: 836 * Check permission when a message queue is requested through the 837 * msgget system call. This hook is only called when returning the 838 * message queue identifier for an existing message queue, not when a 839 * new message queue is created. 840 * @msq contains the message queue to act upon. 841 * @msqflg contains the operation control flags. 842 * Return 0 if permission is granted. 843 * @msg_queue_msgctl: 844 * Check permission when a message control operation specified by @cmd 845 * is to be performed on the message queue @msq. 846 * The @msq may be NULL, e.g. for IPC_INFO or MSG_INFO. 847 * @msq contains the message queue to act upon. May be NULL. 848 * @cmd contains the operation to be performed. 849 * Return 0 if permission is granted. 850 * @msg_queue_msgsnd: 851 * Check permission before a message, @msg, is enqueued on the message 852 * queue, @msq. 853 * @msq contains the message queue to send message to. 854 * @msg contains the message to be enqueued. 855 * @msqflg contains operational flags. 856 * Return 0 if permission is granted. 857 * @msg_queue_msgrcv: 858 * Check permission before a message, @msg, is removed from the message 859 * queue, @msq. The @target task structure contains a pointer to the 860 * process that will be receiving the message (not equal to the current 861 * process when inline receives are being performed). 862 * @msq contains the message queue to retrieve message from. 863 * @msg contains the message destination. 864 * @target contains the task structure for recipient process. 865 * @type contains the type of message requested. 866 * @mode contains the operational flags. 867 * Return 0 if permission is granted. 868 * 869 * Security hooks for System V Shared Memory Segments 870 * 871 * @shm_alloc_security: 872 * Allocate and attach a security structure to the shp->shm_perm.security 873 * field. The security field is initialized to NULL when the structure is 874 * first created. 875 * @shp contains the shared memory structure to be modified. 876 * Return 0 if operation was successful and permission is granted. 877 * @shm_free_security: 878 * Deallocate the security struct for this memory segment. 879 * @shp contains the shared memory structure to be modified. 880 * @shm_associate: 881 * Check permission when a shared memory region is requested through the 882 * shmget system call. This hook is only called when returning the shared 883 * memory region identifier for an existing region, not when a new shared 884 * memory region is created. 885 * @shp contains the shared memory structure to be modified. 886 * @shmflg contains the operation control flags. 887 * Return 0 if permission is granted. 888 * @shm_shmctl: 889 * Check permission when a shared memory control operation specified by 890 * @cmd is to be performed on the shared memory region @shp. 891 * The @shp may be NULL, e.g. for IPC_INFO or SHM_INFO. 892 * @shp contains shared memory structure to be modified. 893 * @cmd contains the operation to be performed. 894 * Return 0 if permission is granted. 895 * @shm_shmat: 896 * Check permissions prior to allowing the shmat system call to attach the 897 * shared memory segment @shp to the data segment of the calling process. 898 * The attaching address is specified by @shmaddr. 899 * @shp contains the shared memory structure to be modified. 900 * @shmaddr contains the address to attach memory region to. 901 * @shmflg contains the operational flags. 902 * Return 0 if permission is granted. 903 * 904 * Security hooks for System V Semaphores 905 * 906 * @sem_alloc_security: 907 * Allocate and attach a security structure to the sma->sem_perm.security 908 * field. The security field is initialized to NULL when the structure is 909 * first created. 910 * @sma contains the semaphore structure 911 * Return 0 if operation was successful and permission is granted. 912 * @sem_free_security: 913 * deallocate security struct for this semaphore 914 * @sma contains the semaphore structure. 915 * @sem_associate: 916 * Check permission when a semaphore is requested through the semget 917 * system call. This hook is only called when returning the semaphore 918 * identifier for an existing semaphore, not when a new one must be 919 * created. 920 * @sma contains the semaphore structure. 921 * @semflg contains the operation control flags. 922 * Return 0 if permission is granted. 923 * @sem_semctl: 924 * Check permission when a semaphore operation specified by @cmd is to be 925 * performed on the semaphore @sma. The @sma may be NULL, e.g. for 926 * IPC_INFO or SEM_INFO. 927 * @sma contains the semaphore structure. May be NULL. 928 * @cmd contains the operation to be performed. 929 * Return 0 if permission is granted. 930 * @sem_semop 931 * Check permissions before performing operations on members of the 932 * semaphore set @sma. If the @alter flag is nonzero, the semaphore set 933 * may be modified. 934 * @sma contains the semaphore structure. 935 * @sops contains the operations to perform. 936 * @nsops contains the number of operations to perform. 937 * @alter contains the flag indicating whether changes are to be made. 938 * Return 0 if permission is granted. 939 * 940 * @ptrace: 941 * Check permission before allowing the @parent process to trace the 942 * @child process. 943 * Security modules may also want to perform a process tracing check 944 * during an execve in the set_security or apply_creds hooks of 945 * binprm_security_ops if the process is being traced and its security 946 * attributes would be changed by the execve. 947 * @parent contains the task_struct structure for parent process. 948 * @child contains the task_struct structure for child process. 949 * Return 0 if permission is granted. 950 * @capget: 951 * Get the @effective, @inheritable, and @permitted capability sets for 952 * the @target process. The hook may also perform permission checking to 953 * determine if the current process is allowed to see the capability sets 954 * of the @target process. 955 * @target contains the task_struct structure for target process. 956 * @effective contains the effective capability set. 957 * @inheritable contains the inheritable capability set. 958 * @permitted contains the permitted capability set. 959 * Return 0 if the capability sets were successfully obtained. 960 * @capset_check: 961 * Check permission before setting the @effective, @inheritable, and 962 * @permitted capability sets for the @target process. 963 * Caveat: @target is also set to current if a set of processes is 964 * specified (i.e. all processes other than current and init or a 965 * particular process group). Hence, the capset_set hook may need to 966 * revalidate permission to the actual target process. 967 * @target contains the task_struct structure for target process. 968 * @effective contains the effective capability set. 969 * @inheritable contains the inheritable capability set. 970 * @permitted contains the permitted capability set. 971 * Return 0 if permission is granted. 972 * @capset_set: 973 * Set the @effective, @inheritable, and @permitted capability sets for 974 * the @target process. Since capset_check cannot always check permission 975 * to the real @target process, this hook may also perform permission 976 * checking to determine if the current process is allowed to set the 977 * capability sets of the @target process. However, this hook has no way 978 * of returning an error due to the structure of the sys_capset code. 979 * @target contains the task_struct structure for target process. 980 * @effective contains the effective capability set. 981 * @inheritable contains the inheritable capability set. 982 * @permitted contains the permitted capability set. 983 * @acct: 984 * Check permission before enabling or disabling process accounting. If 985 * accounting is being enabled, then @file refers to the open file used to 986 * store accounting records. If accounting is being disabled, then @file 987 * is NULL. 988 * @file contains the file structure for the accounting file (may be NULL). 989 * Return 0 if permission is granted. 990 * @sysctl: 991 * Check permission before accessing the @table sysctl variable in the 992 * manner specified by @op. 993 * @table contains the ctl_table structure for the sysctl variable. 994 * @op contains the operation (001 = search, 002 = write, 004 = read). 995 * Return 0 if permission is granted. 996 * @capable: 997 * Check whether the @tsk process has the @cap capability. 998 * @tsk contains the task_struct for the process. 999 * @cap contains the capability <include/linux/capability.h>. 1000 * Return 0 if the capability is granted for @tsk. 1001 * @syslog: 1002 * Check permission before accessing the kernel message ring or changing 1003 * logging to the console. 1004 * See the syslog(2) manual page for an explanation of the @type values. 1005 * @type contains the type of action. 1006 * Return 0 if permission is granted. 1007 * @settime: 1008 * Check permission to change the system time. 1009 * struct timespec and timezone are defined in include/linux/time.h 1010 * @ts contains new time 1011 * @tz contains new timezone 1012 * Return 0 if permission is granted. 1013 * @vm_enough_memory: 1014 * Check permissions for allocating a new virtual mapping. 1015 * @pages contains the number of pages. 1016 * Return 0 if permission is granted. 1017 * 1018 * @register_security: 1019 * allow module stacking. 1020 * @name contains the name of the security module being stacked. 1021 * @ops contains a pointer to the struct security_operations of the module to stack. 1022 * @unregister_security: 1023 * remove a stacked module. 1024 * @name contains the name of the security module being unstacked. 1025 * @ops contains a pointer to the struct security_operations of the module to unstack. 1026 * 1027 * This is the main security structure. 1028 */ 1029struct security_operations { 1030 int (*ptrace) (struct task_struct * parent, struct task_struct * child); 1031 int (*capget) (struct task_struct * target, 1032 kernel_cap_t * effective, 1033 kernel_cap_t * inheritable, kernel_cap_t * permitted); 1034 int (*capset_check) (struct task_struct * target, 1035 kernel_cap_t * effective, 1036 kernel_cap_t * inheritable, 1037 kernel_cap_t * permitted); 1038 void (*capset_set) (struct task_struct * target, 1039 kernel_cap_t * effective, 1040 kernel_cap_t * inheritable, 1041 kernel_cap_t * permitted); 1042 int (*acct) (struct file * file); 1043 int (*sysctl) (struct ctl_table * table, int op); 1044 int (*capable) (struct task_struct * tsk, int cap); 1045 int (*quotactl) (int cmds, int type, int id, struct super_block * sb); 1046 int (*quota_on) (struct dentry * dentry); 1047 int (*syslog) (int type); 1048 int (*settime) (struct timespec *ts, struct timezone *tz); 1049 int (*vm_enough_memory) (long pages); 1050 1051 int (*bprm_alloc_security) (struct linux_binprm * bprm); 1052 void (*bprm_free_security) (struct linux_binprm * bprm); 1053 void (*bprm_apply_creds) (struct linux_binprm * bprm, int unsafe); 1054 void (*bprm_post_apply_creds) (struct linux_binprm * bprm); 1055 int (*bprm_set_security) (struct linux_binprm * bprm); 1056 int (*bprm_check_security) (struct linux_binprm * bprm); 1057 int (*bprm_secureexec) (struct linux_binprm * bprm); 1058 1059 int (*sb_alloc_security) (struct super_block * sb); 1060 void (*sb_free_security) (struct super_block * sb); 1061 int (*sb_copy_data)(struct file_system_type *type, 1062 void *orig, void *copy); 1063 int (*sb_kern_mount) (struct super_block *sb, void *data); 1064 int (*sb_statfs) (struct super_block * sb); 1065 int (*sb_mount) (char *dev_name, struct nameidata * nd, 1066 char *type, unsigned long flags, void *data); 1067 int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd); 1068 int (*sb_umount) (struct vfsmount * mnt, int flags); 1069 void (*sb_umount_close) (struct vfsmount * mnt); 1070 void (*sb_umount_busy) (struct vfsmount * mnt); 1071 void (*sb_post_remount) (struct vfsmount * mnt, 1072 unsigned long flags, void *data); 1073 void (*sb_post_mountroot) (void); 1074 void (*sb_post_addmount) (struct vfsmount * mnt, 1075 struct nameidata * mountpoint_nd); 1076 int (*sb_pivotroot) (struct nameidata * old_nd, 1077 struct nameidata * new_nd); 1078 void (*sb_post_pivotroot) (struct nameidata * old_nd, 1079 struct nameidata * new_nd); 1080 1081 int (*inode_alloc_security) (struct inode *inode); 1082 void (*inode_free_security) (struct inode *inode); 1083 int (*inode_create) (struct inode *dir, 1084 struct dentry *dentry, int mode); 1085 void (*inode_post_create) (struct inode *dir, 1086 struct dentry *dentry, int mode); 1087 int (*inode_link) (struct dentry *old_dentry, 1088 struct inode *dir, struct dentry *new_dentry); 1089 void (*inode_post_link) (struct dentry *old_dentry, 1090 struct inode *dir, struct dentry *new_dentry); 1091 int (*inode_unlink) (struct inode *dir, struct dentry *dentry); 1092 int (*inode_symlink) (struct inode *dir, 1093 struct dentry *dentry, const char *old_name); 1094 void (*inode_post_symlink) (struct inode *dir, 1095 struct dentry *dentry, 1096 const char *old_name); 1097 int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode); 1098 void (*inode_post_mkdir) (struct inode *dir, struct dentry *dentry, 1099 int mode); 1100 int (*inode_rmdir) (struct inode *dir, struct dentry *dentry); 1101 int (*inode_mknod) (struct inode *dir, struct dentry *dentry, 1102 int mode, dev_t dev); 1103 void (*inode_post_mknod) (struct inode *dir, struct dentry *dentry, 1104 int mode, dev_t dev); 1105 int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, 1106 struct inode *new_dir, struct dentry *new_dentry); 1107 void (*inode_post_rename) (struct inode *old_dir, 1108 struct dentry *old_dentry, 1109 struct inode *new_dir, 1110 struct dentry *new_dentry); 1111 int (*inode_readlink) (struct dentry *dentry); 1112 int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); 1113 int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd); 1114 int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); 1115 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); 1116 void (*inode_delete) (struct inode *inode); 1117 int (*inode_setxattr) (struct dentry *dentry, char *name, void *value, 1118 size_t size, int flags); 1119 void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value, 1120 size_t size, int flags); 1121 int (*inode_getxattr) (struct dentry *dentry, char *name); 1122 int (*inode_listxattr) (struct dentry *dentry); 1123 int (*inode_removexattr) (struct dentry *dentry, char *name); 1124 int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size); 1125 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1126 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); 1127 1128 int (*file_permission) (struct file * file, int mask); 1129 int (*file_alloc_security) (struct file * file); 1130 void (*file_free_security) (struct file * file); 1131 int (*file_ioctl) (struct file * file, unsigned int cmd, 1132 unsigned long arg); 1133 int (*file_mmap) (struct file * file, 1134 unsigned long reqprot, 1135 unsigned long prot, unsigned long flags); 1136 int (*file_mprotect) (struct vm_area_struct * vma, 1137 unsigned long reqprot, 1138 unsigned long prot); 1139 int (*file_lock) (struct file * file, unsigned int cmd); 1140 int (*file_fcntl) (struct file * file, unsigned int cmd, 1141 unsigned long arg); 1142 int (*file_set_fowner) (struct file * file); 1143 int (*file_send_sigiotask) (struct task_struct * tsk, 1144 struct fown_struct * fown, int sig); 1145 int (*file_receive) (struct file * file); 1146 1147 int (*task_create) (unsigned long clone_flags); 1148 int (*task_alloc_security) (struct task_struct * p); 1149 void (*task_free_security) (struct task_struct * p); 1150 int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); 1151 int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ , 1152 uid_t old_euid, uid_t old_suid, int flags); 1153 int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags); 1154 int (*task_setpgid) (struct task_struct * p, pid_t pgid); 1155 int (*task_getpgid) (struct task_struct * p); 1156 int (*task_getsid) (struct task_struct * p); 1157 int (*task_setgroups) (struct group_info *group_info); 1158 int (*task_setnice) (struct task_struct * p, int nice); 1159 int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim); 1160 int (*task_setscheduler) (struct task_struct * p, int policy, 1161 struct sched_param * lp); 1162 int (*task_getscheduler) (struct task_struct * p); 1163 int (*task_kill) (struct task_struct * p, 1164 struct siginfo * info, int sig); 1165 int (*task_wait) (struct task_struct * p); 1166 int (*task_prctl) (int option, unsigned long arg2, 1167 unsigned long arg3, unsigned long arg4, 1168 unsigned long arg5); 1169 void (*task_reparent_to_init) (struct task_struct * p); 1170 void (*task_to_inode)(struct task_struct *p, struct inode *inode); 1171 1172 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); 1173 1174 int (*msg_msg_alloc_security) (struct msg_msg * msg); 1175 void (*msg_msg_free_security) (struct msg_msg * msg); 1176 1177 int (*msg_queue_alloc_security) (struct msg_queue * msq); 1178 void (*msg_queue_free_security) (struct msg_queue * msq); 1179 int (*msg_queue_associate) (struct msg_queue * msq, int msqflg); 1180 int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd); 1181 int (*msg_queue_msgsnd) (struct msg_queue * msq, 1182 struct msg_msg * msg, int msqflg); 1183 int (*msg_queue_msgrcv) (struct msg_queue * msq, 1184 struct msg_msg * msg, 1185 struct task_struct * target, 1186 long type, int mode); 1187 1188 int (*shm_alloc_security) (struct shmid_kernel * shp); 1189 void (*shm_free_security) (struct shmid_kernel * shp); 1190 int (*shm_associate) (struct shmid_kernel * shp, int shmflg); 1191 int (*shm_shmctl) (struct shmid_kernel * shp, int cmd); 1192 int (*shm_shmat) (struct shmid_kernel * shp, 1193 char __user *shmaddr, int shmflg); 1194 1195 int (*sem_alloc_security) (struct sem_array * sma); 1196 void (*sem_free_security) (struct sem_array * sma); 1197 int (*sem_associate) (struct sem_array * sma, int semflg); 1198 int (*sem_semctl) (struct sem_array * sma, int cmd); 1199 int (*sem_semop) (struct sem_array * sma, 1200 struct sembuf * sops, unsigned nsops, int alter); 1201 1202 int (*netlink_send) (struct sock * sk, struct sk_buff * skb); 1203 int (*netlink_recv) (struct sk_buff * skb); 1204 1205 /* allow module stacking */ 1206 int (*register_security) (const char *name, 1207 struct security_operations *ops); 1208 int (*unregister_security) (const char *name, 1209 struct security_operations *ops); 1210 1211 void (*d_instantiate) (struct dentry *dentry, struct inode *inode); 1212 1213 int (*getprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1214 int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1215 1216#ifdef CONFIG_SECURITY_NETWORK 1217 int (*unix_stream_connect) (struct socket * sock, 1218 struct socket * other, struct sock * newsk); 1219 int (*unix_may_send) (struct socket * sock, struct socket * other); 1220 1221 int (*socket_create) (int family, int type, int protocol, int kern); 1222 void (*socket_post_create) (struct socket * sock, int family, 1223 int type, int protocol, int kern); 1224 int (*socket_bind) (struct socket * sock, 1225 struct sockaddr * address, int addrlen); 1226 int (*socket_connect) (struct socket * sock, 1227 struct sockaddr * address, int addrlen); 1228 int (*socket_listen) (struct socket * sock, int backlog); 1229 int (*socket_accept) (struct socket * sock, struct socket * newsock); 1230 void (*socket_post_accept) (struct socket * sock, 1231 struct socket * newsock); 1232 int (*socket_sendmsg) (struct socket * sock, 1233 struct msghdr * msg, int size); 1234 int (*socket_recvmsg) (struct socket * sock, 1235 struct msghdr * msg, int size, int flags); 1236 int (*socket_getsockname) (struct socket * sock); 1237 int (*socket_getpeername) (struct socket * sock); 1238 int (*socket_getsockopt) (struct socket * sock, int level, int optname); 1239 int (*socket_setsockopt) (struct socket * sock, int level, int optname); 1240 int (*socket_shutdown) (struct socket * sock, int how); 1241 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); 1242 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); 1243 int (*sk_alloc_security) (struct sock *sk, int family, int priority); 1244 void (*sk_free_security) (struct sock *sk); 1245#endif /* CONFIG_SECURITY_NETWORK */ 1246}; 1247 1248/* global variables */ 1249extern struct security_operations *security_ops; 1250 1251/* inline stuff */ 1252static inline int security_ptrace (struct task_struct * parent, struct task_struct * child) 1253{ 1254 return security_ops->ptrace (parent, child); 1255} 1256 1257static inline int security_capget (struct task_struct *target, 1258 kernel_cap_t *effective, 1259 kernel_cap_t *inheritable, 1260 kernel_cap_t *permitted) 1261{ 1262 return security_ops->capget (target, effective, inheritable, permitted); 1263} 1264 1265static inline int security_capset_check (struct task_struct *target, 1266 kernel_cap_t *effective, 1267 kernel_cap_t *inheritable, 1268 kernel_cap_t *permitted) 1269{ 1270 return security_ops->capset_check (target, effective, inheritable, permitted); 1271} 1272 1273static inline void security_capset_set (struct task_struct *target, 1274 kernel_cap_t *effective, 1275 kernel_cap_t *inheritable, 1276 kernel_cap_t *permitted) 1277{ 1278 security_ops->capset_set (target, effective, inheritable, permitted); 1279} 1280 1281static inline int security_acct (struct file *file) 1282{ 1283 return security_ops->acct (file); 1284} 1285 1286static inline int security_sysctl(struct ctl_table *table, int op) 1287{ 1288 return security_ops->sysctl(table, op); 1289} 1290 1291static inline int security_quotactl (int cmds, int type, int id, 1292 struct super_block *sb) 1293{ 1294 return security_ops->quotactl (cmds, type, id, sb); 1295} 1296 1297static inline int security_quota_on (struct dentry * dentry) 1298{ 1299 return security_ops->quota_on (dentry); 1300} 1301 1302static inline int security_syslog(int type) 1303{ 1304 return security_ops->syslog(type); 1305} 1306 1307static inline int security_settime(struct timespec *ts, struct timezone *tz) 1308{ 1309 return security_ops->settime(ts, tz); 1310} 1311 1312 1313static inline int security_vm_enough_memory(long pages) 1314{ 1315 return security_ops->vm_enough_memory(pages); 1316} 1317 1318static inline int security_bprm_alloc (struct linux_binprm *bprm) 1319{ 1320 return security_ops->bprm_alloc_security (bprm); 1321} 1322static inline void security_bprm_free (struct linux_binprm *bprm) 1323{ 1324 security_ops->bprm_free_security (bprm); 1325} 1326static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 1327{ 1328 security_ops->bprm_apply_creds (bprm, unsafe); 1329} 1330static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) 1331{ 1332 security_ops->bprm_post_apply_creds (bprm); 1333} 1334static inline int security_bprm_set (struct linux_binprm *bprm) 1335{ 1336 return security_ops->bprm_set_security (bprm); 1337} 1338 1339static inline int security_bprm_check (struct linux_binprm *bprm) 1340{ 1341 return security_ops->bprm_check_security (bprm); 1342} 1343 1344static inline int security_bprm_secureexec (struct linux_binprm *bprm) 1345{ 1346 return security_ops->bprm_secureexec (bprm); 1347} 1348 1349static inline int security_sb_alloc (struct super_block *sb) 1350{ 1351 return security_ops->sb_alloc_security (sb); 1352} 1353 1354static inline void security_sb_free (struct super_block *sb) 1355{ 1356 security_ops->sb_free_security (sb); 1357} 1358 1359static inline int security_sb_copy_data (struct file_system_type *type, 1360 void *orig, void *copy) 1361{ 1362 return security_ops->sb_copy_data (type, orig, copy); 1363} 1364 1365static inline int security_sb_kern_mount (struct super_block *sb, void *data) 1366{ 1367 return security_ops->sb_kern_mount (sb, data); 1368} 1369 1370static inline int security_sb_statfs (struct super_block *sb) 1371{ 1372 return security_ops->sb_statfs (sb); 1373} 1374 1375static inline int security_sb_mount (char *dev_name, struct nameidata *nd, 1376 char *type, unsigned long flags, 1377 void *data) 1378{ 1379 return security_ops->sb_mount (dev_name, nd, type, flags, data); 1380} 1381 1382static inline int security_sb_check_sb (struct vfsmount *mnt, 1383 struct nameidata *nd) 1384{ 1385 return security_ops->sb_check_sb (mnt, nd); 1386} 1387 1388static inline int security_sb_umount (struct vfsmount *mnt, int flags) 1389{ 1390 return security_ops->sb_umount (mnt, flags); 1391} 1392 1393static inline void security_sb_umount_close (struct vfsmount *mnt) 1394{ 1395 security_ops->sb_umount_close (mnt); 1396} 1397 1398static inline void security_sb_umount_busy (struct vfsmount *mnt) 1399{ 1400 security_ops->sb_umount_busy (mnt); 1401} 1402 1403static inline void security_sb_post_remount (struct vfsmount *mnt, 1404 unsigned long flags, void *data) 1405{ 1406 security_ops->sb_post_remount (mnt, flags, data); 1407} 1408 1409static inline void security_sb_post_mountroot (void) 1410{ 1411 security_ops->sb_post_mountroot (); 1412} 1413 1414static inline void security_sb_post_addmount (struct vfsmount *mnt, 1415 struct nameidata *mountpoint_nd) 1416{ 1417 security_ops->sb_post_addmount (mnt, mountpoint_nd); 1418} 1419 1420static inline int security_sb_pivotroot (struct nameidata *old_nd, 1421 struct nameidata *new_nd) 1422{ 1423 return security_ops->sb_pivotroot (old_nd, new_nd); 1424} 1425 1426static inline void security_sb_post_pivotroot (struct nameidata *old_nd, 1427 struct nameidata *new_nd) 1428{ 1429 security_ops->sb_post_pivotroot (old_nd, new_nd); 1430} 1431 1432static inline int security_inode_alloc (struct inode *inode) 1433{ 1434 if (unlikely (IS_PRIVATE (inode))) 1435 return 0; 1436 return security_ops->inode_alloc_security (inode); 1437} 1438 1439static inline void security_inode_free (struct inode *inode) 1440{ 1441 if (unlikely (IS_PRIVATE (inode))) 1442 return; 1443 security_ops->inode_free_security (inode); 1444} 1445 1446static inline int security_inode_create (struct inode *dir, 1447 struct dentry *dentry, 1448 int mode) 1449{ 1450 if (unlikely (IS_PRIVATE (dir))) 1451 return 0; 1452 return security_ops->inode_create (dir, dentry, mode); 1453} 1454 1455static inline void security_inode_post_create (struct inode *dir, 1456 struct dentry *dentry, 1457 int mode) 1458{ 1459 if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) 1460 return; 1461 security_ops->inode_post_create (dir, dentry, mode); 1462} 1463 1464static inline int security_inode_link (struct dentry *old_dentry, 1465 struct inode *dir, 1466 struct dentry *new_dentry) 1467{ 1468 if (unlikely (IS_PRIVATE (old_dentry->d_inode))) 1469 return 0; 1470 return security_ops->inode_link (old_dentry, dir, new_dentry); 1471} 1472 1473static inline void security_inode_post_link (struct dentry *old_dentry, 1474 struct inode *dir, 1475 struct dentry *new_dentry) 1476{ 1477 if (new_dentry->d_inode && unlikely (IS_PRIVATE (new_dentry->d_inode))) 1478 return; 1479 security_ops->inode_post_link (old_dentry, dir, new_dentry); 1480} 1481 1482static inline int security_inode_unlink (struct inode *dir, 1483 struct dentry *dentry) 1484{ 1485 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1486 return 0; 1487 return security_ops->inode_unlink (dir, dentry); 1488} 1489 1490static inline int security_inode_symlink (struct inode *dir, 1491 struct dentry *dentry, 1492 const char *old_name) 1493{ 1494 if (unlikely (IS_PRIVATE (dir))) 1495 return 0; 1496 return security_ops->inode_symlink (dir, dentry, old_name); 1497} 1498 1499static inline void security_inode_post_symlink (struct inode *dir, 1500 struct dentry *dentry, 1501 const char *old_name) 1502{ 1503 if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) 1504 return; 1505 security_ops->inode_post_symlink (dir, dentry, old_name); 1506} 1507 1508static inline int security_inode_mkdir (struct inode *dir, 1509 struct dentry *dentry, 1510 int mode) 1511{ 1512 if (unlikely (IS_PRIVATE (dir))) 1513 return 0; 1514 return security_ops->inode_mkdir (dir, dentry, mode); 1515} 1516 1517static inline void security_inode_post_mkdir (struct inode *dir, 1518 struct dentry *dentry, 1519 int mode) 1520{ 1521 if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) 1522 return; 1523 security_ops->inode_post_mkdir (dir, dentry, mode); 1524} 1525 1526static inline int security_inode_rmdir (struct inode *dir, 1527 struct dentry *dentry) 1528{ 1529 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1530 return 0; 1531 return security_ops->inode_rmdir (dir, dentry); 1532} 1533 1534static inline int security_inode_mknod (struct inode *dir, 1535 struct dentry *dentry, 1536 int mode, dev_t dev) 1537{ 1538 if (unlikely (IS_PRIVATE (dir))) 1539 return 0; 1540 return security_ops->inode_mknod (dir, dentry, mode, dev); 1541} 1542 1543static inline void security_inode_post_mknod (struct inode *dir, 1544 struct dentry *dentry, 1545 int mode, dev_t dev) 1546{ 1547 if (dentry->d_inode && unlikely (IS_PRIVATE (dentry->d_inode))) 1548 return; 1549 security_ops->inode_post_mknod (dir, dentry, mode, dev); 1550} 1551 1552static inline int security_inode_rename (struct inode *old_dir, 1553 struct dentry *old_dentry, 1554 struct inode *new_dir, 1555 struct dentry *new_dentry) 1556{ 1557 if (unlikely (IS_PRIVATE (old_dentry->d_inode) || 1558 (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) 1559 return 0; 1560 return security_ops->inode_rename (old_dir, old_dentry, 1561 new_dir, new_dentry); 1562} 1563 1564static inline void security_inode_post_rename (struct inode *old_dir, 1565 struct dentry *old_dentry, 1566 struct inode *new_dir, 1567 struct dentry *new_dentry) 1568{ 1569 if (unlikely (IS_PRIVATE (old_dentry->d_inode) || 1570 (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) 1571 return; 1572 security_ops->inode_post_rename (old_dir, old_dentry, 1573 new_dir, new_dentry); 1574} 1575 1576static inline int security_inode_readlink (struct dentry *dentry) 1577{ 1578 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1579 return 0; 1580 return security_ops->inode_readlink (dentry); 1581} 1582 1583static inline int security_inode_follow_link (struct dentry *dentry, 1584 struct nameidata *nd) 1585{ 1586 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1587 return 0; 1588 return security_ops->inode_follow_link (dentry, nd); 1589} 1590 1591static inline int security_inode_permission (struct inode *inode, int mask, 1592 struct nameidata *nd) 1593{ 1594 if (unlikely (IS_PRIVATE (inode))) 1595 return 0; 1596 return security_ops->inode_permission (inode, mask, nd); 1597} 1598 1599static inline int security_inode_setattr (struct dentry *dentry, 1600 struct iattr *attr) 1601{ 1602 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1603 return 0; 1604 return security_ops->inode_setattr (dentry, attr); 1605} 1606 1607static inline int security_inode_getattr (struct vfsmount *mnt, 1608 struct dentry *dentry) 1609{ 1610 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1611 return 0; 1612 return security_ops->inode_getattr (mnt, dentry); 1613} 1614 1615static inline void security_inode_delete (struct inode *inode) 1616{ 1617 if (unlikely (IS_PRIVATE (inode))) 1618 return; 1619 security_ops->inode_delete (inode); 1620} 1621 1622static inline int security_inode_setxattr (struct dentry *dentry, char *name, 1623 void *value, size_t size, int flags) 1624{ 1625 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1626 return 0; 1627 return security_ops->inode_setxattr (dentry, name, value, size, flags); 1628} 1629 1630static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 1631 void *value, size_t size, int flags) 1632{ 1633 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1634 return; 1635 security_ops->inode_post_setxattr (dentry, name, value, size, flags); 1636} 1637 1638static inline int security_inode_getxattr (struct dentry *dentry, char *name) 1639{ 1640 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1641 return 0; 1642 return security_ops->inode_getxattr (dentry, name); 1643} 1644 1645static inline int security_inode_listxattr (struct dentry *dentry) 1646{ 1647 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1648 return 0; 1649 return security_ops->inode_listxattr (dentry); 1650} 1651 1652static inline int security_inode_removexattr (struct dentry *dentry, char *name) 1653{ 1654 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1655 return 0; 1656 return security_ops->inode_removexattr (dentry, name); 1657} 1658 1659static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 1660{ 1661 if (unlikely (IS_PRIVATE (inode))) 1662 return 0; 1663 return security_ops->inode_getsecurity(inode, name, buffer, size); 1664} 1665 1666static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 1667{ 1668 if (unlikely (IS_PRIVATE (inode))) 1669 return 0; 1670 return security_ops->inode_setsecurity(inode, name, value, size, flags); 1671} 1672 1673static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 1674{ 1675 if (unlikely (IS_PRIVATE (inode))) 1676 return 0; 1677 return security_ops->inode_listsecurity(inode, buffer, buffer_size); 1678} 1679 1680static inline int security_file_permission (struct file *file, int mask) 1681{ 1682 return security_ops->file_permission (file, mask); 1683} 1684 1685static inline int security_file_alloc (struct file *file) 1686{ 1687 return security_ops->file_alloc_security (file); 1688} 1689 1690static inline void security_file_free (struct file *file) 1691{ 1692 security_ops->file_free_security (file); 1693} 1694 1695static inline int security_file_ioctl (struct file *file, unsigned int cmd, 1696 unsigned long arg) 1697{ 1698 return security_ops->file_ioctl (file, cmd, arg); 1699} 1700 1701static inline int security_file_mmap (struct file *file, unsigned long reqprot, 1702 unsigned long prot, 1703 unsigned long flags) 1704{ 1705 return security_ops->file_mmap (file, reqprot, prot, flags); 1706} 1707 1708static inline int security_file_mprotect (struct vm_area_struct *vma, 1709 unsigned long reqprot, 1710 unsigned long prot) 1711{ 1712 return security_ops->file_mprotect (vma, reqprot, prot); 1713} 1714 1715static inline int security_file_lock (struct file *file, unsigned int cmd) 1716{ 1717 return security_ops->file_lock (file, cmd); 1718} 1719 1720static inline int security_file_fcntl (struct file *file, unsigned int cmd, 1721 unsigned long arg) 1722{ 1723 return security_ops->file_fcntl (file, cmd, arg); 1724} 1725 1726static inline int security_file_set_fowner (struct file *file) 1727{ 1728 return security_ops->file_set_fowner (file); 1729} 1730 1731static inline int security_file_send_sigiotask (struct task_struct *tsk, 1732 struct fown_struct *fown, 1733 int sig) 1734{ 1735 return security_ops->file_send_sigiotask (tsk, fown, sig); 1736} 1737 1738static inline int security_file_receive (struct file *file) 1739{ 1740 return security_ops->file_receive (file); 1741} 1742 1743static inline int security_task_create (unsigned long clone_flags) 1744{ 1745 return security_ops->task_create (clone_flags); 1746} 1747 1748static inline int security_task_alloc (struct task_struct *p) 1749{ 1750 return security_ops->task_alloc_security (p); 1751} 1752 1753static inline void security_task_free (struct task_struct *p) 1754{ 1755 security_ops->task_free_security (p); 1756} 1757 1758static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, 1759 int flags) 1760{ 1761 return security_ops->task_setuid (id0, id1, id2, flags); 1762} 1763 1764static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, 1765 uid_t old_suid, int flags) 1766{ 1767 return security_ops->task_post_setuid (old_ruid, old_euid, old_suid, flags); 1768} 1769 1770static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, 1771 int flags) 1772{ 1773 return security_ops->task_setgid (id0, id1, id2, flags); 1774} 1775 1776static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) 1777{ 1778 return security_ops->task_setpgid (p, pgid); 1779} 1780 1781static inline int security_task_getpgid (struct task_struct *p) 1782{ 1783 return security_ops->task_getpgid (p); 1784} 1785 1786static inline int security_task_getsid (struct task_struct *p) 1787{ 1788 return security_ops->task_getsid (p); 1789} 1790 1791static inline int security_task_setgroups (struct group_info *group_info) 1792{ 1793 return security_ops->task_setgroups (group_info); 1794} 1795 1796static inline int security_task_setnice (struct task_struct *p, int nice) 1797{ 1798 return security_ops->task_setnice (p, nice); 1799} 1800 1801static inline int security_task_setrlimit (unsigned int resource, 1802 struct rlimit *new_rlim) 1803{ 1804 return security_ops->task_setrlimit (resource, new_rlim); 1805} 1806 1807static inline int security_task_setscheduler (struct task_struct *p, 1808 int policy, 1809 struct sched_param *lp) 1810{ 1811 return security_ops->task_setscheduler (p, policy, lp); 1812} 1813 1814static inline int security_task_getscheduler (struct task_struct *p) 1815{ 1816 return security_ops->task_getscheduler (p); 1817} 1818 1819static inline int security_task_kill (struct task_struct *p, 1820 struct siginfo *info, int sig) 1821{ 1822 return security_ops->task_kill (p, info, sig); 1823} 1824 1825static inline int security_task_wait (struct task_struct *p) 1826{ 1827 return security_ops->task_wait (p); 1828} 1829 1830static inline int security_task_prctl (int option, unsigned long arg2, 1831 unsigned long arg3, 1832 unsigned long arg4, 1833 unsigned long arg5) 1834{ 1835 return security_ops->task_prctl (option, arg2, arg3, arg4, arg5); 1836} 1837 1838static inline void security_task_reparent_to_init (struct task_struct *p) 1839{ 1840 security_ops->task_reparent_to_init (p); 1841} 1842 1843static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 1844{ 1845 security_ops->task_to_inode(p, inode); 1846} 1847 1848static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, 1849 short flag) 1850{ 1851 return security_ops->ipc_permission (ipcp, flag); 1852} 1853 1854static inline int security_msg_msg_alloc (struct msg_msg * msg) 1855{ 1856 return security_ops->msg_msg_alloc_security (msg); 1857} 1858 1859static inline void security_msg_msg_free (struct msg_msg * msg) 1860{ 1861 security_ops->msg_msg_free_security(msg); 1862} 1863 1864static inline int security_msg_queue_alloc (struct msg_queue *msq) 1865{ 1866 return security_ops->msg_queue_alloc_security (msq); 1867} 1868 1869static inline void security_msg_queue_free (struct msg_queue *msq) 1870{ 1871 security_ops->msg_queue_free_security (msq); 1872} 1873 1874static inline int security_msg_queue_associate (struct msg_queue * msq, 1875 int msqflg) 1876{ 1877 return security_ops->msg_queue_associate (msq, msqflg); 1878} 1879 1880static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) 1881{ 1882 return security_ops->msg_queue_msgctl (msq, cmd); 1883} 1884 1885static inline int security_msg_queue_msgsnd (struct msg_queue * msq, 1886 struct msg_msg * msg, int msqflg) 1887{ 1888 return security_ops->msg_queue_msgsnd (msq, msg, msqflg); 1889} 1890 1891static inline int security_msg_queue_msgrcv (struct msg_queue * msq, 1892 struct msg_msg * msg, 1893 struct task_struct * target, 1894 long type, int mode) 1895{ 1896 return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode); 1897} 1898 1899static inline int security_shm_alloc (struct shmid_kernel *shp) 1900{ 1901 return security_ops->shm_alloc_security (shp); 1902} 1903 1904static inline void security_shm_free (struct shmid_kernel *shp) 1905{ 1906 security_ops->shm_free_security (shp); 1907} 1908 1909static inline int security_shm_associate (struct shmid_kernel * shp, 1910 int shmflg) 1911{ 1912 return security_ops->shm_associate(shp, shmflg); 1913} 1914 1915static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) 1916{ 1917 return security_ops->shm_shmctl (shp, cmd); 1918} 1919 1920static inline int security_shm_shmat (struct shmid_kernel * shp, 1921 char __user *shmaddr, int shmflg) 1922{ 1923 return security_ops->shm_shmat(shp, shmaddr, shmflg); 1924} 1925 1926static inline int security_sem_alloc (struct sem_array *sma) 1927{ 1928 return security_ops->sem_alloc_security (sma); 1929} 1930 1931static inline void security_sem_free (struct sem_array *sma) 1932{ 1933 security_ops->sem_free_security (sma); 1934} 1935 1936static inline int security_sem_associate (struct sem_array * sma, int semflg) 1937{ 1938 return security_ops->sem_associate (sma, semflg); 1939} 1940 1941static inline int security_sem_semctl (struct sem_array * sma, int cmd) 1942{ 1943 return security_ops->sem_semctl(sma, cmd); 1944} 1945 1946static inline int security_sem_semop (struct sem_array * sma, 1947 struct sembuf * sops, unsigned nsops, 1948 int alter) 1949{ 1950 return security_ops->sem_semop(sma, sops, nsops, alter); 1951} 1952 1953static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) 1954{ 1955 if (unlikely (inode && IS_PRIVATE (inode))) 1956 return; 1957 security_ops->d_instantiate (dentry, inode); 1958} 1959 1960static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) 1961{ 1962 return security_ops->getprocattr(p, name, value, size); 1963} 1964 1965static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 1966{ 1967 return security_ops->setprocattr(p, name, value, size); 1968} 1969 1970static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb) 1971{ 1972 return security_ops->netlink_send(sk, skb); 1973} 1974 1975static inline int security_netlink_recv(struct sk_buff * skb) 1976{ 1977 return security_ops->netlink_recv(skb); 1978} 1979 1980/* prototypes */ 1981extern int security_init (void); 1982extern int register_security (struct security_operations *ops); 1983extern int unregister_security (struct security_operations *ops); 1984extern int mod_reg_security (const char *name, struct security_operations *ops); 1985extern int mod_unreg_security (const char *name, struct security_operations *ops); 1986 1987 1988#else /* CONFIG_SECURITY */ 1989 1990/* 1991 * This is the default capabilities functionality. Most of these functions 1992 * are just stubbed out, but a few must call the proper capable code. 1993 */ 1994 1995static inline int security_init(void) 1996{ 1997 return 0; 1998} 1999 2000static inline int security_ptrace (struct task_struct *parent, struct task_struct * child) 2001{ 2002 return cap_ptrace (parent, child); 2003} 2004 2005static inline int security_capget (struct task_struct *target, 2006 kernel_cap_t *effective, 2007 kernel_cap_t *inheritable, 2008 kernel_cap_t *permitted) 2009{ 2010 return cap_capget (target, effective, inheritable, permitted); 2011} 2012 2013static inline int security_capset_check (struct task_struct *target, 2014 kernel_cap_t *effective, 2015 kernel_cap_t *inheritable, 2016 kernel_cap_t *permitted) 2017{ 2018 return cap_capset_check (target, effective, inheritable, permitted); 2019} 2020 2021static inline void security_capset_set (struct task_struct *target, 2022 kernel_cap_t *effective, 2023 kernel_cap_t *inheritable, 2024 kernel_cap_t *permitted) 2025{ 2026 cap_capset_set (target, effective, inheritable, permitted); 2027} 2028 2029static inline int security_acct (struct file *file) 2030{ 2031 return 0; 2032} 2033 2034static inline int security_sysctl(struct ctl_table *table, int op) 2035{ 2036 return 0; 2037} 2038 2039static inline int security_quotactl (int cmds, int type, int id, 2040 struct super_block * sb) 2041{ 2042 return 0; 2043} 2044 2045static inline int security_quota_on (struct dentry * dentry) 2046{ 2047 return 0; 2048} 2049 2050static inline int security_syslog(int type) 2051{ 2052 return cap_syslog(type); 2053} 2054 2055static inline int security_settime(struct timespec *ts, struct timezone *tz) 2056{ 2057 return cap_settime(ts, tz); 2058} 2059 2060static inline int security_vm_enough_memory(long pages) 2061{ 2062 return cap_vm_enough_memory(pages); 2063} 2064 2065static inline int security_bprm_alloc (struct linux_binprm *bprm) 2066{ 2067 return 0; 2068} 2069 2070static inline void security_bprm_free (struct linux_binprm *bprm) 2071{ } 2072 2073static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 2074{ 2075 cap_bprm_apply_creds (bprm, unsafe); 2076} 2077 2078static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) 2079{ 2080 return; 2081} 2082 2083static inline int security_bprm_set (struct linux_binprm *bprm) 2084{ 2085 return cap_bprm_set_security (bprm); 2086} 2087 2088static inline int security_bprm_check (struct linux_binprm *bprm) 2089{ 2090 return 0; 2091} 2092 2093static inline int security_bprm_secureexec (struct linux_binprm *bprm) 2094{ 2095 return cap_bprm_secureexec(bprm); 2096} 2097 2098static inline int security_sb_alloc (struct super_block *sb) 2099{ 2100 return 0; 2101} 2102 2103static inline void security_sb_free (struct super_block *sb) 2104{ } 2105 2106static inline int security_sb_copy_data (struct file_system_type *type, 2107 void *orig, void *copy) 2108{ 2109 return 0; 2110} 2111 2112static inline int security_sb_kern_mount (struct super_block *sb, void *data) 2113{ 2114 return 0; 2115} 2116 2117static inline int security_sb_statfs (struct super_block *sb) 2118{ 2119 return 0; 2120} 2121 2122static inline int security_sb_mount (char *dev_name, struct nameidata *nd, 2123 char *type, unsigned long flags, 2124 void *data) 2125{ 2126 return 0; 2127} 2128 2129static inline int security_sb_check_sb (struct vfsmount *mnt, 2130 struct nameidata *nd) 2131{ 2132 return 0; 2133} 2134 2135static inline int security_sb_umount (struct vfsmount *mnt, int flags) 2136{ 2137 return 0; 2138} 2139 2140static inline void security_sb_umount_close (struct vfsmount *mnt) 2141{ } 2142 2143static inline void security_sb_umount_busy (struct vfsmount *mnt) 2144{ } 2145 2146static inline void security_sb_post_remount (struct vfsmount *mnt, 2147 unsigned long flags, void *data) 2148{ } 2149 2150static inline void security_sb_post_mountroot (void) 2151{ } 2152 2153static inline void security_sb_post_addmount (struct vfsmount *mnt, 2154 struct nameidata *mountpoint_nd) 2155{ } 2156 2157static inline int security_sb_pivotroot (struct nameidata *old_nd, 2158 struct nameidata *new_nd) 2159{ 2160 return 0; 2161} 2162 2163static inline void security_sb_post_pivotroot (struct nameidata *old_nd, 2164 struct nameidata *new_nd) 2165{ } 2166 2167static inline int security_inode_alloc (struct inode *inode) 2168{ 2169 return 0; 2170} 2171 2172static inline void security_inode_free (struct inode *inode) 2173{ } 2174 2175static inline int security_inode_create (struct inode *dir, 2176 struct dentry *dentry, 2177 int mode) 2178{ 2179 return 0; 2180} 2181 2182static inline void security_inode_post_create (struct inode *dir, 2183 struct dentry *dentry, 2184 int mode) 2185{ } 2186 2187static inline int security_inode_link (struct dentry *old_dentry, 2188 struct inode *dir, 2189 struct dentry *new_dentry) 2190{ 2191 return 0; 2192} 2193 2194static inline void security_inode_post_link (struct dentry *old_dentry, 2195 struct inode *dir, 2196 struct dentry *new_dentry) 2197{ } 2198 2199static inline int security_inode_unlink (struct inode *dir, 2200 struct dentry *dentry) 2201{ 2202 return 0; 2203} 2204 2205static inline int security_inode_symlink (struct inode *dir, 2206 struct dentry *dentry, 2207 const char *old_name) 2208{ 2209 return 0; 2210} 2211 2212static inline void security_inode_post_symlink (struct inode *dir, 2213 struct dentry *dentry, 2214 const char *old_name) 2215{ } 2216 2217static inline int security_inode_mkdir (struct inode *dir, 2218 struct dentry *dentry, 2219 int mode) 2220{ 2221 return 0; 2222} 2223 2224static inline void security_inode_post_mkdir (struct inode *dir, 2225 struct dentry *dentry, 2226 int mode) 2227{ } 2228 2229static inline int security_inode_rmdir (struct inode *dir, 2230 struct dentry *dentry) 2231{ 2232 return 0; 2233} 2234 2235static inline int security_inode_mknod (struct inode *dir, 2236 struct dentry *dentry, 2237 int mode, dev_t dev) 2238{ 2239 return 0; 2240} 2241 2242static inline void security_inode_post_mknod (struct inode *dir, 2243 struct dentry *dentry, 2244 int mode, dev_t dev) 2245{ } 2246 2247static inline int security_inode_rename (struct inode *old_dir, 2248 struct dentry *old_dentry, 2249 struct inode *new_dir, 2250 struct dentry *new_dentry) 2251{ 2252 return 0; 2253} 2254 2255static inline void security_inode_post_rename (struct inode *old_dir, 2256 struct dentry *old_dentry, 2257 struct inode *new_dir, 2258 struct dentry *new_dentry) 2259{ } 2260 2261static inline int security_inode_readlink (struct dentry *dentry) 2262{ 2263 return 0; 2264} 2265 2266static inline int security_inode_follow_link (struct dentry *dentry, 2267 struct nameidata *nd) 2268{ 2269 return 0; 2270} 2271 2272static inline int security_inode_permission (struct inode *inode, int mask, 2273 struct nameidata *nd) 2274{ 2275 return 0; 2276} 2277 2278static inline int security_inode_setattr (struct dentry *dentry, 2279 struct iattr *attr) 2280{ 2281 return 0; 2282} 2283 2284static inline int security_inode_getattr (struct vfsmount *mnt, 2285 struct dentry *dentry) 2286{ 2287 return 0; 2288} 2289 2290static inline void security_inode_delete (struct inode *inode) 2291{ } 2292 2293static inline int security_inode_setxattr (struct dentry *dentry, char *name, 2294 void *value, size_t size, int flags) 2295{ 2296 return cap_inode_setxattr(dentry, name, value, size, flags); 2297} 2298 2299static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 2300 void *value, size_t size, int flags) 2301{ } 2302 2303static inline int security_inode_getxattr (struct dentry *dentry, char *name) 2304{ 2305 return 0; 2306} 2307 2308static inline int security_inode_listxattr (struct dentry *dentry) 2309{ 2310 return 0; 2311} 2312 2313static inline int security_inode_removexattr (struct dentry *dentry, char *name) 2314{ 2315 return cap_inode_removexattr(dentry, name); 2316} 2317 2318static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 2319{ 2320 return -EOPNOTSUPP; 2321} 2322 2323static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 2324{ 2325 return -EOPNOTSUPP; 2326} 2327 2328static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2329{ 2330 return 0; 2331} 2332 2333static inline int security_file_permission (struct file *file, int mask) 2334{ 2335 return 0; 2336} 2337 2338static inline int security_file_alloc (struct file *file) 2339{ 2340 return 0; 2341} 2342 2343static inline void security_file_free (struct file *file) 2344{ } 2345 2346static inline int security_file_ioctl (struct file *file, unsigned int cmd, 2347 unsigned long arg) 2348{ 2349 return 0; 2350} 2351 2352static inline int security_file_mmap (struct file *file, unsigned long reqprot, 2353 unsigned long prot, 2354 unsigned long flags) 2355{ 2356 return 0; 2357} 2358 2359static inline int security_file_mprotect (struct vm_area_struct *vma, 2360 unsigned long reqprot, 2361 unsigned long prot) 2362{ 2363 return 0; 2364} 2365 2366static inline int security_file_lock (struct file *file, unsigned int cmd) 2367{ 2368 return 0; 2369} 2370 2371static inline int security_file_fcntl (struct file *file, unsigned int cmd, 2372 unsigned long arg) 2373{ 2374 return 0; 2375} 2376 2377static inline int security_file_set_fowner (struct file *file) 2378{ 2379 return 0; 2380} 2381 2382static inline int security_file_send_sigiotask (struct task_struct *tsk, 2383 struct fown_struct *fown, 2384 int sig) 2385{ 2386 return 0; 2387} 2388 2389static inline int security_file_receive (struct file *file) 2390{ 2391 return 0; 2392} 2393 2394static inline int security_task_create (unsigned long clone_flags) 2395{ 2396 return 0; 2397} 2398 2399static inline int security_task_alloc (struct task_struct *p) 2400{ 2401 return 0; 2402} 2403 2404static inline void security_task_free (struct task_struct *p) 2405{ } 2406 2407static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, 2408 int flags) 2409{ 2410 return 0; 2411} 2412 2413static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, 2414 uid_t old_suid, int flags) 2415{ 2416 return cap_task_post_setuid (old_ruid, old_euid, old_suid, flags); 2417} 2418 2419static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, 2420 int flags) 2421{ 2422 return 0; 2423} 2424 2425static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) 2426{ 2427 return 0; 2428} 2429 2430static inline int security_task_getpgid (struct task_struct *p) 2431{ 2432 return 0; 2433} 2434 2435static inline int security_task_getsid (struct task_struct *p) 2436{ 2437 return 0; 2438} 2439 2440static inline int security_task_setgroups (struct group_info *group_info) 2441{ 2442 return 0; 2443} 2444 2445static inline int security_task_setnice (struct task_struct *p, int nice) 2446{ 2447 return 0; 2448} 2449 2450static inline int security_task_setrlimit (unsigned int resource, 2451 struct rlimit *new_rlim) 2452{ 2453 return 0; 2454} 2455 2456static inline int security_task_setscheduler (struct task_struct *p, 2457 int policy, 2458 struct sched_param *lp) 2459{ 2460 return 0; 2461} 2462 2463static inline int security_task_getscheduler (struct task_struct *p) 2464{ 2465 return 0; 2466} 2467 2468static inline int security_task_kill (struct task_struct *p, 2469 struct siginfo *info, int sig) 2470{ 2471 return 0; 2472} 2473 2474static inline int security_task_wait (struct task_struct *p) 2475{ 2476 return 0; 2477} 2478 2479static inline int security_task_prctl (int option, unsigned long arg2, 2480 unsigned long arg3, 2481 unsigned long arg4, 2482 unsigned long arg5) 2483{ 2484 return 0; 2485} 2486 2487static inline void security_task_reparent_to_init (struct task_struct *p) 2488{ 2489 cap_task_reparent_to_init (p); 2490} 2491 2492static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 2493{ } 2494 2495static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, 2496 short flag) 2497{ 2498 return 0; 2499} 2500 2501static inline int security_msg_msg_alloc (struct msg_msg * msg) 2502{ 2503 return 0; 2504} 2505 2506static inline void security_msg_msg_free (struct msg_msg * msg) 2507{ } 2508 2509static inline int security_msg_queue_alloc (struct msg_queue *msq) 2510{ 2511 return 0; 2512} 2513 2514static inline void security_msg_queue_free (struct msg_queue *msq) 2515{ } 2516 2517static inline int security_msg_queue_associate (struct msg_queue * msq, 2518 int msqflg) 2519{ 2520 return 0; 2521} 2522 2523static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) 2524{ 2525 return 0; 2526} 2527 2528static inline int security_msg_queue_msgsnd (struct msg_queue * msq, 2529 struct msg_msg * msg, int msqflg) 2530{ 2531 return 0; 2532} 2533 2534static inline int security_msg_queue_msgrcv (struct msg_queue * msq, 2535 struct msg_msg * msg, 2536 struct task_struct * target, 2537 long type, int mode) 2538{ 2539 return 0; 2540} 2541 2542static inline int security_shm_alloc (struct shmid_kernel *shp) 2543{ 2544 return 0; 2545} 2546 2547static inline void security_shm_free (struct shmid_kernel *shp) 2548{ } 2549 2550static inline int security_shm_associate (struct shmid_kernel * shp, 2551 int shmflg) 2552{ 2553 return 0; 2554} 2555 2556static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) 2557{ 2558 return 0; 2559} 2560 2561static inline int security_shm_shmat (struct shmid_kernel * shp, 2562 char __user *shmaddr, int shmflg) 2563{ 2564 return 0; 2565} 2566 2567static inline int security_sem_alloc (struct sem_array *sma) 2568{ 2569 return 0; 2570} 2571 2572static inline void security_sem_free (struct sem_array *sma) 2573{ } 2574 2575static inline int security_sem_associate (struct sem_array * sma, int semflg) 2576{ 2577 return 0; 2578} 2579 2580static inline int security_sem_semctl (struct sem_array * sma, int cmd) 2581{ 2582 return 0; 2583} 2584 2585static inline int security_sem_semop (struct sem_array * sma, 2586 struct sembuf * sops, unsigned nsops, 2587 int alter) 2588{ 2589 return 0; 2590} 2591 2592static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) 2593{ } 2594 2595static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) 2596{ 2597 return -EINVAL; 2598} 2599 2600static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 2601{ 2602 return -EINVAL; 2603} 2604 2605static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb) 2606{ 2607 return cap_netlink_send (sk, skb); 2608} 2609 2610static inline int security_netlink_recv (struct sk_buff *skb) 2611{ 2612 return cap_netlink_recv (skb); 2613} 2614 2615#endif /* CONFIG_SECURITY */ 2616 2617#ifdef CONFIG_SECURITY_NETWORK 2618static inline int security_unix_stream_connect(struct socket * sock, 2619 struct socket * other, 2620 struct sock * newsk) 2621{ 2622 return security_ops->unix_stream_connect(sock, other, newsk); 2623} 2624 2625 2626static inline int security_unix_may_send(struct socket * sock, 2627 struct socket * other) 2628{ 2629 return security_ops->unix_may_send(sock, other); 2630} 2631 2632static inline int security_socket_create (int family, int type, 2633 int protocol, int kern) 2634{ 2635 return security_ops->socket_create(family, type, protocol, kern); 2636} 2637 2638static inline void security_socket_post_create(struct socket * sock, 2639 int family, 2640 int type, 2641 int protocol, int kern) 2642{ 2643 security_ops->socket_post_create(sock, family, type, 2644 protocol, kern); 2645} 2646 2647static inline int security_socket_bind(struct socket * sock, 2648 struct sockaddr * address, 2649 int addrlen) 2650{ 2651 return security_ops->socket_bind(sock, address, addrlen); 2652} 2653 2654static inline int security_socket_connect(struct socket * sock, 2655 struct sockaddr * address, 2656 int addrlen) 2657{ 2658 return security_ops->socket_connect(sock, address, addrlen); 2659} 2660 2661static inline int security_socket_listen(struct socket * sock, int backlog) 2662{ 2663 return security_ops->socket_listen(sock, backlog); 2664} 2665 2666static inline int security_socket_accept(struct socket * sock, 2667 struct socket * newsock) 2668{ 2669 return security_ops->socket_accept(sock, newsock); 2670} 2671 2672static inline void security_socket_post_accept(struct socket * sock, 2673 struct socket * newsock) 2674{ 2675 security_ops->socket_post_accept(sock, newsock); 2676} 2677 2678static inline int security_socket_sendmsg(struct socket * sock, 2679 struct msghdr * msg, int size) 2680{ 2681 return security_ops->socket_sendmsg(sock, msg, size); 2682} 2683 2684static inline int security_socket_recvmsg(struct socket * sock, 2685 struct msghdr * msg, int size, 2686 int flags) 2687{ 2688 return security_ops->socket_recvmsg(sock, msg, size, flags); 2689} 2690 2691static inline int security_socket_getsockname(struct socket * sock) 2692{ 2693 return security_ops->socket_getsockname(sock); 2694} 2695 2696static inline int security_socket_getpeername(struct socket * sock) 2697{ 2698 return security_ops->socket_getpeername(sock); 2699} 2700 2701static inline int security_socket_getsockopt(struct socket * sock, 2702 int level, int optname) 2703{ 2704 return security_ops->socket_getsockopt(sock, level, optname); 2705} 2706 2707static inline int security_socket_setsockopt(struct socket * sock, 2708 int level, int optname) 2709{ 2710 return security_ops->socket_setsockopt(sock, level, optname); 2711} 2712 2713static inline int security_socket_shutdown(struct socket * sock, int how) 2714{ 2715 return security_ops->socket_shutdown(sock, how); 2716} 2717 2718static inline int security_sock_rcv_skb (struct sock * sk, 2719 struct sk_buff * skb) 2720{ 2721 return security_ops->socket_sock_rcv_skb (sk, skb); 2722} 2723 2724static inline int security_socket_getpeersec(struct socket *sock, char __user *optval, 2725 int __user *optlen, unsigned len) 2726{ 2727 return security_ops->socket_getpeersec(sock, optval, optlen, len); 2728} 2729 2730static inline int security_sk_alloc(struct sock *sk, int family, int priority) 2731{ 2732 return security_ops->sk_alloc_security(sk, family, priority); 2733} 2734 2735static inline void security_sk_free(struct sock *sk) 2736{ 2737 return security_ops->sk_free_security(sk); 2738} 2739#else /* CONFIG_SECURITY_NETWORK */ 2740static inline int security_unix_stream_connect(struct socket * sock, 2741 struct socket * other, 2742 struct sock * newsk) 2743{ 2744 return 0; 2745} 2746 2747static inline int security_unix_may_send(struct socket * sock, 2748 struct socket * other) 2749{ 2750 return 0; 2751} 2752 2753static inline int security_socket_create (int family, int type, 2754 int protocol, int kern) 2755{ 2756 return 0; 2757} 2758 2759static inline void security_socket_post_create(struct socket * sock, 2760 int family, 2761 int type, 2762 int protocol, int kern) 2763{ 2764} 2765 2766static inline int security_socket_bind(struct socket * sock, 2767 struct sockaddr * address, 2768 int addrlen) 2769{ 2770 return 0; 2771} 2772 2773static inline int security_socket_connect(struct socket * sock, 2774 struct sockaddr * address, 2775 int addrlen) 2776{ 2777 return 0; 2778} 2779 2780static inline int security_socket_listen(struct socket * sock, int backlog) 2781{ 2782 return 0; 2783} 2784 2785static inline int security_socket_accept(struct socket * sock, 2786 struct socket * newsock) 2787{ 2788 return 0; 2789} 2790 2791static inline void security_socket_post_accept(struct socket * sock, 2792 struct socket * newsock) 2793{ 2794} 2795 2796static inline int security_socket_sendmsg(struct socket * sock, 2797 struct msghdr * msg, int size) 2798{ 2799 return 0; 2800} 2801 2802static inline int security_socket_recvmsg(struct socket * sock, 2803 struct msghdr * msg, int size, 2804 int flags) 2805{ 2806 return 0; 2807} 2808 2809static inline int security_socket_getsockname(struct socket * sock) 2810{ 2811 return 0; 2812} 2813 2814static inline int security_socket_getpeername(struct socket * sock) 2815{ 2816 return 0; 2817} 2818 2819static inline int security_socket_getsockopt(struct socket * sock, 2820 int level, int optname) 2821{ 2822 return 0; 2823} 2824 2825static inline int security_socket_setsockopt(struct socket * sock, 2826 int level, int optname) 2827{ 2828 return 0; 2829} 2830 2831static inline int security_socket_shutdown(struct socket * sock, int how) 2832{ 2833 return 0; 2834} 2835static inline int security_sock_rcv_skb (struct sock * sk, 2836 struct sk_buff * skb) 2837{ 2838 return 0; 2839} 2840 2841static inline int security_socket_getpeersec(struct socket *sock, char __user *optval, 2842 int __user *optlen, unsigned len) 2843{ 2844 return -ENOPROTOOPT; 2845} 2846 2847static inline int security_sk_alloc(struct sock *sk, int family, int priority) 2848{ 2849 return 0; 2850} 2851 2852static inline void security_sk_free(struct sock *sk) 2853{ 2854} 2855#endif /* CONFIG_SECURITY_NETWORK */ 2856 2857#endif /* ! __LINUX_SECURITY_H */ 2858