tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / security.h
at v2.6.14 94 kB view raw
1/* 2 * Linux Security plug 3 * 4 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com> 5 * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com> 6 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com> 7 * Copyright (C) 2001 James Morris <jmorris@intercode.com.au> 8 * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group) 9 * 10 * This program is free software; you can redistribute it and/or modify 11 * it under the terms of the GNU General Public License as published by 12 * the Free Software Foundation; either version 2 of the License, or 13 * (at your option) any later version. 14 * 15 * Due to this file being licensed under the GPL there is controversy over 16 * whether this permits you to write a module that #includes this file 17 * without placing your module under the GPL. Please consult a lawyer for 18 * advice before doing this. 19 * 20 */ 21 22#ifndef __LINUX_SECURITY_H 23#define __LINUX_SECURITY_H 24 25#include <linux/fs.h> 26#include <linux/binfmts.h> 27#include <linux/signal.h> 28#include <linux/resource.h> 29#include <linux/sem.h> 30#include <linux/shm.h> 31#include <linux/msg.h> 32#include <linux/sched.h> 33 34struct ctl_table; 35 36/* 37 * These functions are in security/capability.c and are used 38 * as the default capabilities functions 39 */ 40extern int cap_capable (struct task_struct *tsk, int cap); 41extern int cap_settime (struct timespec *ts, struct timezone *tz); 42extern int cap_ptrace (struct task_struct *parent, struct task_struct *child); 43extern int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 44extern int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 45extern void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 46extern int cap_bprm_set_security (struct linux_binprm *bprm); 47extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe); 48extern int cap_bprm_secureexec(struct linux_binprm *bprm); 49extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags); 50extern int cap_inode_removexattr(struct dentry *dentry, char *name); 51extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); 52extern void cap_task_reparent_to_init (struct task_struct *p); 53extern int cap_syslog (int type); 54extern int cap_vm_enough_memory (long pages); 55 56struct msghdr; 57struct sk_buff; 58struct sock; 59struct sockaddr; 60struct socket; 61 62extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); 63extern int cap_netlink_recv(struct sk_buff *skb); 64 65/* 66 * Values used in the task_security_ops calls 67 */ 68/* setuid or setgid, id0 == uid or gid */ 69#define LSM_SETID_ID 1 70 71/* setreuid or setregid, id0 == real, id1 == eff */ 72#define LSM_SETID_RE 2 73 74/* setresuid or setresgid, id0 == real, id1 == eff, uid2 == saved */ 75#define LSM_SETID_RES 4 76 77/* setfsuid or setfsgid, id0 == fsuid or fsgid */ 78#define LSM_SETID_FS 8 79 80/* forward declares to avoid warnings */ 81struct nfsctl_arg; 82struct sched_param; 83struct swap_info_struct; 84 85/* bprm_apply_creds unsafe reasons */ 86#define LSM_UNSAFE_SHARE 1 87#define LSM_UNSAFE_PTRACE 2 88#define LSM_UNSAFE_PTRACE_CAP 4 89 90#ifdef CONFIG_SECURITY 91 92/** 93 * struct security_operations - main security structure 94 * 95 * Security hooks for program execution operations. 96 * 97 * @bprm_alloc_security: 98 * Allocate and attach a security structure to the @bprm->security field. 99 * The security field is initialized to NULL when the bprm structure is 100 * allocated. 101 * @bprm contains the linux_binprm structure to be modified. 102 * Return 0 if operation was successful. 103 * @bprm_free_security: 104 * @bprm contains the linux_binprm structure to be modified. 105 * Deallocate and clear the @bprm->security field. 106 * @bprm_apply_creds: 107 * Compute and set the security attributes of a process being transformed 108 * by an execve operation based on the old attributes (current->security) 109 * and the information saved in @bprm->security by the set_security hook. 110 * Since this hook function (and its caller) are void, this hook can not 111 * return an error. However, it can leave the security attributes of the 112 * process unchanged if an access failure occurs at this point. 113 * bprm_apply_creds is called under task_lock. @unsafe indicates various 114 * reasons why it may be unsafe to change security state. 115 * @bprm contains the linux_binprm structure. 116 * @bprm_post_apply_creds: 117 * Runs after bprm_apply_creds with the task_lock dropped, so that 118 * functions which cannot be called safely under the task_lock can 119 * be used. This hook is a good place to perform state changes on 120 * the process such as closing open file descriptors to which access 121 * is no longer granted if the attributes were changed. 122 * Note that a security module might need to save state between 123 * bprm_apply_creds and bprm_post_apply_creds to store the decision 124 * on whether the process may proceed. 125 * @bprm contains the linux_binprm structure. 126 * @bprm_set_security: 127 * Save security information in the bprm->security field, typically based 128 * on information about the bprm->file, for later use by the apply_creds 129 * hook. This hook may also optionally check permissions (e.g. for 130 * transitions between security domains). 131 * This hook may be called multiple times during a single execve, e.g. for 132 * interpreters. The hook can tell whether it has already been called by 133 * checking to see if @bprm->security is non-NULL. If so, then the hook 134 * may decide either to retain the security information saved earlier or 135 * to replace it. 136 * @bprm contains the linux_binprm structure. 137 * Return 0 if the hook is successful and permission is granted. 138 * @bprm_check_security: 139 * This hook mediates the point when a search for a binary handler will 140 * begin. It allows a check the @bprm->security value which is set in 141 * the preceding set_security call. The primary difference from 142 * set_security is that the argv list and envp list are reliably 143 * available in @bprm. This hook may be called multiple times 144 * during a single execve; and in each pass set_security is called 145 * first. 146 * @bprm contains the linux_binprm structure. 147 * Return 0 if the hook is successful and permission is granted. 148 * @bprm_secureexec: 149 * Return a boolean value (0 or 1) indicating whether a "secure exec" 150 * is required. The flag is passed in the auxiliary table 151 * on the initial stack to the ELF interpreter to indicate whether libc 152 * should enable secure mode. 153 * @bprm contains the linux_binprm structure. 154 * 155 * Security hooks for filesystem operations. 156 * 157 * @sb_alloc_security: 158 * Allocate and attach a security structure to the sb->s_security field. 159 * The s_security field is initialized to NULL when the structure is 160 * allocated. 161 * @sb contains the super_block structure to be modified. 162 * Return 0 if operation was successful. 163 * @sb_free_security: 164 * Deallocate and clear the sb->s_security field. 165 * @sb contains the super_block structure to be modified. 166 * @sb_statfs: 167 * Check permission before obtaining filesystem statistics for the @sb 168 * filesystem. 169 * @sb contains the super_block structure for the filesystem. 170 * Return 0 if permission is granted. 171 * @sb_mount: 172 * Check permission before an object specified by @dev_name is mounted on 173 * the mount point named by @nd. For an ordinary mount, @dev_name 174 * identifies a device if the file system type requires a device. For a 175 * remount (@flags & MS_REMOUNT), @dev_name is irrelevant. For a 176 * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the 177 * pathname of the object being mounted. 178 * @dev_name contains the name for object being mounted. 179 * @nd contains the nameidata structure for mount point object. 180 * @type contains the filesystem type. 181 * @flags contains the mount flags. 182 * @data contains the filesystem-specific data. 183 * Return 0 if permission is granted. 184 * @sb_copy_data: 185 * Allow mount option data to be copied prior to parsing by the filesystem, 186 * so that the security module can extract security-specific mount 187 * options cleanly (a filesystem may modify the data e.g. with strsep()). 188 * This also allows the original mount data to be stripped of security- 189 * specific options to avoid having to make filesystems aware of them. 190 * @type the type of filesystem being mounted. 191 * @orig the original mount data copied from userspace. 192 * @copy copied data which will be passed to the security module. 193 * Returns 0 if the copy was successful. 194 * @sb_check_sb: 195 * Check permission before the device with superblock @mnt->sb is mounted 196 * on the mount point named by @nd. 197 * @mnt contains the vfsmount for device being mounted. 198 * @nd contains the nameidata object for the mount point. 199 * Return 0 if permission is granted. 200 * @sb_umount: 201 * Check permission before the @mnt file system is unmounted. 202 * @mnt contains the mounted file system. 203 * @flags contains the unmount flags, e.g. MNT_FORCE. 204 * Return 0 if permission is granted. 205 * @sb_umount_close: 206 * Close any files in the @mnt mounted filesystem that are held open by 207 * the security module. This hook is called during an umount operation 208 * prior to checking whether the filesystem is still busy. 209 * @mnt contains the mounted filesystem. 210 * @sb_umount_busy: 211 * Handle a failed umount of the @mnt mounted filesystem, e.g. re-opening 212 * any files that were closed by umount_close. This hook is called during 213 * an umount operation if the umount fails after a call to the 214 * umount_close hook. 215 * @mnt contains the mounted filesystem. 216 * @sb_post_remount: 217 * Update the security module's state when a filesystem is remounted. 218 * This hook is only called if the remount was successful. 219 * @mnt contains the mounted file system. 220 * @flags contains the new filesystem flags. 221 * @data contains the filesystem-specific data. 222 * @sb_post_mountroot: 223 * Update the security module's state when the root filesystem is mounted. 224 * This hook is only called if the mount was successful. 225 * @sb_post_addmount: 226 * Update the security module's state when a filesystem is mounted. 227 * This hook is called any time a mount is successfully grafetd to 228 * the tree. 229 * @mnt contains the mounted filesystem. 230 * @mountpoint_nd contains the nameidata structure for the mount point. 231 * @sb_pivotroot: 232 * Check permission before pivoting the root filesystem. 233 * @old_nd contains the nameidata structure for the new location of the current root (put_old). 234 * @new_nd contains the nameidata structure for the new root (new_root). 235 * Return 0 if permission is granted. 236 * @sb_post_pivotroot: 237 * Update module state after a successful pivot. 238 * @old_nd contains the nameidata structure for the old root. 239 * @new_nd contains the nameidata structure for the new root. 240 * 241 * Security hooks for inode operations. 242 * 243 * @inode_alloc_security: 244 * Allocate and attach a security structure to @inode->i_security. The 245 * i_security field is initialized to NULL when the inode structure is 246 * allocated. 247 * @inode contains the inode structure. 248 * Return 0 if operation was successful. 249 * @inode_free_security: 250 * @inode contains the inode structure. 251 * Deallocate the inode security structure and set @inode->i_security to 252 * NULL. 253 * @inode_init_security: 254 * Obtain the security attribute name suffix and value to set on a newly 255 * created inode and set up the incore security field for the new inode. 256 * This hook is called by the fs code as part of the inode creation 257 * transaction and provides for atomic labeling of the inode, unlike 258 * the post_create/mkdir/... hooks called by the VFS. The hook function 259 * is expected to allocate the name and value via kmalloc, with the caller 260 * being responsible for calling kfree after using them. 261 * If the security module does not use security attributes or does 262 * not wish to put a security attribute on this particular inode, 263 * then it should return -EOPNOTSUPP to skip this processing. 264 * @inode contains the inode structure of the newly created inode. 265 * @dir contains the inode structure of the parent directory. 266 * @name will be set to the allocated name suffix (e.g. selinux). 267 * @value will be set to the allocated attribute value. 268 * @len will be set to the length of the value. 269 * Returns 0 if @name and @value have been successfully set, 270 * -EOPNOTSUPP if no security attribute is needed, or 271 * -ENOMEM on memory allocation failure. 272 * @inode_create: 273 * Check permission to create a regular file. 274 * @dir contains inode structure of the parent of the new file. 275 * @dentry contains the dentry structure for the file to be created. 276 * @mode contains the file mode of the file to be created. 277 * Return 0 if permission is granted. 278 * @inode_link: 279 * Check permission before creating a new hard link to a file. 280 * @old_dentry contains the dentry structure for an existing link to the file. 281 * @dir contains the inode structure of the parent directory of the new link. 282 * @new_dentry contains the dentry structure for the new link. 283 * Return 0 if permission is granted. 284 * @inode_unlink: 285 * Check the permission to remove a hard link to a file. 286 * @dir contains the inode structure of parent directory of the file. 287 * @dentry contains the dentry structure for file to be unlinked. 288 * Return 0 if permission is granted. 289 * @inode_symlink: 290 * Check the permission to create a symbolic link to a file. 291 * @dir contains the inode structure of parent directory of the symbolic link. 292 * @dentry contains the dentry structure of the symbolic link. 293 * @old_name contains the pathname of file. 294 * Return 0 if permission is granted. 295 * @inode_mkdir: 296 * Check permissions to create a new directory in the existing directory 297 * associated with inode strcture @dir. 298 * @dir containst the inode structure of parent of the directory to be created. 299 * @dentry contains the dentry structure of new directory. 300 * @mode contains the mode of new directory. 301 * Return 0 if permission is granted. 302 * @inode_rmdir: 303 * Check the permission to remove a directory. 304 * @dir contains the inode structure of parent of the directory to be removed. 305 * @dentry contains the dentry structure of directory to be removed. 306 * Return 0 if permission is granted. 307 * @inode_mknod: 308 * Check permissions when creating a special file (or a socket or a fifo 309 * file created via the mknod system call). Note that if mknod operation 310 * is being done for a regular file, then the create hook will be called 311 * and not this hook. 312 * @dir contains the inode structure of parent of the new file. 313 * @dentry contains the dentry structure of the new file. 314 * @mode contains the mode of the new file. 315 * @dev contains the the device number. 316 * Return 0 if permission is granted. 317 * @inode_rename: 318 * Check for permission to rename a file or directory. 319 * @old_dir contains the inode structure for parent of the old link. 320 * @old_dentry contains the dentry structure of the old link. 321 * @new_dir contains the inode structure for parent of the new link. 322 * @new_dentry contains the dentry structure of the new link. 323 * Return 0 if permission is granted. 324 * @inode_readlink: 325 * Check the permission to read the symbolic link. 326 * @dentry contains the dentry structure for the file link. 327 * Return 0 if permission is granted. 328 * @inode_follow_link: 329 * Check permission to follow a symbolic link when looking up a pathname. 330 * @dentry contains the dentry structure for the link. 331 * @nd contains the nameidata structure for the parent directory. 332 * Return 0 if permission is granted. 333 * @inode_permission: 334 * Check permission before accessing an inode. This hook is called by the 335 * existing Linux permission function, so a security module can use it to 336 * provide additional checking for existing Linux permission checks. 337 * Notice that this hook is called when a file is opened (as well as many 338 * other operations), whereas the file_security_ops permission hook is 339 * called when the actual read/write operations are performed. 340 * @inode contains the inode structure to check. 341 * @mask contains the permission mask. 342 * @nd contains the nameidata (may be NULL). 343 * Return 0 if permission is granted. 344 * @inode_setattr: 345 * Check permission before setting file attributes. Note that the kernel 346 * call to notify_change is performed from several locations, whenever 347 * file attributes change (such as when a file is truncated, chown/chmod 348 * operations, transferring disk quotas, etc). 349 * @dentry contains the dentry structure for the file. 350 * @attr is the iattr structure containing the new file attributes. 351 * Return 0 if permission is granted. 352 * @inode_getattr: 353 * Check permission before obtaining file attributes. 354 * @mnt is the vfsmount where the dentry was looked up 355 * @dentry contains the dentry structure for the file. 356 * Return 0 if permission is granted. 357 * @inode_delete: 358 * @inode contains the inode structure for deleted inode. 359 * This hook is called when a deleted inode is released (i.e. an inode 360 * with no hard links has its use count drop to zero). A security module 361 * can use this hook to release any persistent label associated with the 362 * inode. 363 * @inode_setxattr: 364 * Check permission before setting the extended attributes 365 * @value identified by @name for @dentry. 366 * Return 0 if permission is granted. 367 * @inode_post_setxattr: 368 * Update inode security field after successful setxattr operation. 369 * @value identified by @name for @dentry. 370 * @inode_getxattr: 371 * Check permission before obtaining the extended attributes 372 * identified by @name for @dentry. 373 * Return 0 if permission is granted. 374 * @inode_listxattr: 375 * Check permission before obtaining the list of extended attribute 376 * names for @dentry. 377 * Return 0 if permission is granted. 378 * @inode_removexattr: 379 * Check permission before removing the extended attribute 380 * identified by @name for @dentry. 381 * Return 0 if permission is granted. 382 * @inode_getsecurity: 383 * Copy the extended attribute representation of the security label 384 * associated with @name for @inode into @buffer. @buffer may be 385 * NULL to request the size of the buffer required. @size indicates 386 * the size of @buffer in bytes. Note that @name is the remainder 387 * of the attribute name after the security. prefix has been removed. 388 * Return number of bytes used/required on success. 389 * @inode_setsecurity: 390 * Set the security label associated with @name for @inode from the 391 * extended attribute value @value. @size indicates the size of the 392 * @value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0. 393 * Note that @name is the remainder of the attribute name after the 394 * security. prefix has been removed. 395 * Return 0 on success. 396 * @inode_listsecurity: 397 * Copy the extended attribute names for the security labels 398 * associated with @inode into @buffer. The maximum size of @buffer 399 * is specified by @buffer_size. @buffer may be NULL to request 400 * the size of the buffer required. 401 * Returns number of bytes used/required on success. 402 * 403 * Security hooks for file operations 404 * 405 * @file_permission: 406 * Check file permissions before accessing an open file. This hook is 407 * called by various operations that read or write files. A security 408 * module can use this hook to perform additional checking on these 409 * operations, e.g. to revalidate permissions on use to support privilege 410 * bracketing or policy changes. Notice that this hook is used when the 411 * actual read/write operations are performed, whereas the 412 * inode_security_ops hook is called when a file is opened (as well as 413 * many other operations). 414 * Caveat: Although this hook can be used to revalidate permissions for 415 * various system call operations that read or write files, it does not 416 * address the revalidation of permissions for memory-mapped files. 417 * Security modules must handle this separately if they need such 418 * revalidation. 419 * @file contains the file structure being accessed. 420 * @mask contains the requested permissions. 421 * Return 0 if permission is granted. 422 * @file_alloc_security: 423 * Allocate and attach a security structure to the file->f_security field. 424 * The security field is initialized to NULL when the structure is first 425 * created. 426 * @file contains the file structure to secure. 427 * Return 0 if the hook is successful and permission is granted. 428 * @file_free_security: 429 * Deallocate and free any security structures stored in file->f_security. 430 * @file contains the file structure being modified. 431 * @file_ioctl: 432 * @file contains the file structure. 433 * @cmd contains the operation to perform. 434 * @arg contains the operational arguments. 435 * Check permission for an ioctl operation on @file. Note that @arg can 436 * sometimes represents a user space pointer; in other cases, it may be a 437 * simple integer value. When @arg represents a user space pointer, it 438 * should never be used by the security module. 439 * Return 0 if permission is granted. 440 * @file_mmap : 441 * Check permissions for a mmap operation. The @file may be NULL, e.g. 442 * if mapping anonymous memory. 443 * @file contains the file structure for file to map (may be NULL). 444 * @reqprot contains the protection requested by the application. 445 * @prot contains the protection that will be applied by the kernel. 446 * @flags contains the operational flags. 447 * Return 0 if permission is granted. 448 * @file_mprotect: 449 * Check permissions before changing memory access permissions. 450 * @vma contains the memory region to modify. 451 * @reqprot contains the protection requested by the application. 452 * @prot contains the protection that will be applied by the kernel. 453 * Return 0 if permission is granted. 454 * @file_lock: 455 * Check permission before performing file locking operations. 456 * Note: this hook mediates both flock and fcntl style locks. 457 * @file contains the file structure. 458 * @cmd contains the posix-translated lock operation to perform 459 * (e.g. F_RDLCK, F_WRLCK). 460 * Return 0 if permission is granted. 461 * @file_fcntl: 462 * Check permission before allowing the file operation specified by @cmd 463 * from being performed on the file @file. Note that @arg can sometimes 464 * represents a user space pointer; in other cases, it may be a simple 465 * integer value. When @arg represents a user space pointer, it should 466 * never be used by the security module. 467 * @file contains the file structure. 468 * @cmd contains the operation to be performed. 469 * @arg contains the operational arguments. 470 * Return 0 if permission is granted. 471 * @file_set_fowner: 472 * Save owner security information (typically from current->security) in 473 * file->f_security for later use by the send_sigiotask hook. 474 * @file contains the file structure to update. 475 * Return 0 on success. 476 * @file_send_sigiotask: 477 * Check permission for the file owner @fown to send SIGIO or SIGURG to the 478 * process @tsk. Note that this hook is sometimes called from interrupt. 479 * Note that the fown_struct, @fown, is never outside the context of a 480 * struct file, so the file structure (and associated security information) 481 * can always be obtained: 482 * (struct file *)((long)fown - offsetof(struct file,f_owner)); 483 * @tsk contains the structure of task receiving signal. 484 * @fown contains the file owner information. 485 * @sig is the signal that will be sent. When 0, kernel sends SIGIO. 486 * Return 0 if permission is granted. 487 * @file_receive: 488 * This hook allows security modules to control the ability of a process 489 * to receive an open file descriptor via socket IPC. 490 * @file contains the file structure being received. 491 * Return 0 if permission is granted. 492 * 493 * Security hooks for task operations. 494 * 495 * @task_create: 496 * Check permission before creating a child process. See the clone(2) 497 * manual page for definitions of the @clone_flags. 498 * @clone_flags contains the flags indicating what should be shared. 499 * Return 0 if permission is granted. 500 * @task_alloc_security: 501 * @p contains the task_struct for child process. 502 * Allocate and attach a security structure to the p->security field. The 503 * security field is initialized to NULL when the task structure is 504 * allocated. 505 * Return 0 if operation was successful. 506 * @task_free_security: 507 * @p contains the task_struct for process. 508 * Deallocate and clear the p->security field. 509 * @task_setuid: 510 * Check permission before setting one or more of the user identity 511 * attributes of the current process. The @flags parameter indicates 512 * which of the set*uid system calls invoked this hook and how to 513 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 514 * definitions at the beginning of this file for the @flags values and 515 * their meanings. 516 * @id0 contains a uid. 517 * @id1 contains a uid. 518 * @id2 contains a uid. 519 * @flags contains one of the LSM_SETID_* values. 520 * Return 0 if permission is granted. 521 * @task_post_setuid: 522 * Update the module's state after setting one or more of the user 523 * identity attributes of the current process. The @flags parameter 524 * indicates which of the set*uid system calls invoked this hook. If 525 * @flags is LSM_SETID_FS, then @old_ruid is the old fs uid and the other 526 * parameters are not used. 527 * @old_ruid contains the old real uid (or fs uid if LSM_SETID_FS). 528 * @old_euid contains the old effective uid (or -1 if LSM_SETID_FS). 529 * @old_suid contains the old saved uid (or -1 if LSM_SETID_FS). 530 * @flags contains one of the LSM_SETID_* values. 531 * Return 0 on success. 532 * @task_setgid: 533 * Check permission before setting one or more of the group identity 534 * attributes of the current process. The @flags parameter indicates 535 * which of the set*gid system calls invoked this hook and how to 536 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 537 * definitions at the beginning of this file for the @flags values and 538 * their meanings. 539 * @id0 contains a gid. 540 * @id1 contains a gid. 541 * @id2 contains a gid. 542 * @flags contains one of the LSM_SETID_* values. 543 * Return 0 if permission is granted. 544 * @task_setpgid: 545 * Check permission before setting the process group identifier of the 546 * process @p to @pgid. 547 * @p contains the task_struct for process being modified. 548 * @pgid contains the new pgid. 549 * Return 0 if permission is granted. 550 * @task_getpgid: 551 * Check permission before getting the process group identifier of the 552 * process @p. 553 * @p contains the task_struct for the process. 554 * Return 0 if permission is granted. 555 * @task_getsid: 556 * Check permission before getting the session identifier of the process 557 * @p. 558 * @p contains the task_struct for the process. 559 * Return 0 if permission is granted. 560 * @task_setgroups: 561 * Check permission before setting the supplementary group set of the 562 * current process. 563 * @group_info contains the new group information. 564 * Return 0 if permission is granted. 565 * @task_setnice: 566 * Check permission before setting the nice value of @p to @nice. 567 * @p contains the task_struct of process. 568 * @nice contains the new nice value. 569 * Return 0 if permission is granted. 570 * @task_setrlimit: 571 * Check permission before setting the resource limits of the current 572 * process for @resource to @new_rlim. The old resource limit values can 573 * be examined by dereferencing (current->signal->rlim + resource). 574 * @resource contains the resource whose limit is being set. 575 * @new_rlim contains the new limits for @resource. 576 * Return 0 if permission is granted. 577 * @task_setscheduler: 578 * Check permission before setting scheduling policy and/or parameters of 579 * process @p based on @policy and @lp. 580 * @p contains the task_struct for process. 581 * @policy contains the scheduling policy. 582 * @lp contains the scheduling parameters. 583 * Return 0 if permission is granted. 584 * @task_getscheduler: 585 * Check permission before obtaining scheduling information for process 586 * @p. 587 * @p contains the task_struct for process. 588 * Return 0 if permission is granted. 589 * @task_kill: 590 * Check permission before sending signal @sig to @p. @info can be NULL, 591 * the constant 1, or a pointer to a siginfo structure. If @info is 1 or 592 * SI_FROMKERNEL(info) is true, then the signal should be viewed as coming 593 * from the kernel and should typically be permitted. 594 * SIGIO signals are handled separately by the send_sigiotask hook in 595 * file_security_ops. 596 * @p contains the task_struct for process. 597 * @info contains the signal information. 598 * @sig contains the signal value. 599 * Return 0 if permission is granted. 600 * @task_wait: 601 * Check permission before allowing a process to reap a child process @p 602 * and collect its status information. 603 * @p contains the task_struct for process. 604 * Return 0 if permission is granted. 605 * @task_prctl: 606 * Check permission before performing a process control operation on the 607 * current process. 608 * @option contains the operation. 609 * @arg2 contains a argument. 610 * @arg3 contains a argument. 611 * @arg4 contains a argument. 612 * @arg5 contains a argument. 613 * Return 0 if permission is granted. 614 * @task_reparent_to_init: 615 * Set the security attributes in @p->security for a kernel thread that 616 * is being reparented to the init task. 617 * @p contains the task_struct for the kernel thread. 618 * @task_to_inode: 619 * Set the security attributes for an inode based on an associated task's 620 * security attributes, e.g. for /proc/pid inodes. 621 * @p contains the task_struct for the task. 622 * @inode contains the inode structure for the inode. 623 * 624 * Security hooks for Netlink messaging. 625 * 626 * @netlink_send: 627 * Save security information for a netlink message so that permission 628 * checking can be performed when the message is processed. The security 629 * information can be saved using the eff_cap field of the 630 * netlink_skb_parms structure. Also may be used to provide fine 631 * grained control over message transmission. 632 * @sk associated sock of task sending the message., 633 * @skb contains the sk_buff structure for the netlink message. 634 * Return 0 if the information was successfully saved and message 635 * is allowed to be transmitted. 636 * @netlink_recv: 637 * Check permission before processing the received netlink message in 638 * @skb. 639 * @skb contains the sk_buff structure for the netlink message. 640 * Return 0 if permission is granted. 641 * 642 * Security hooks for Unix domain networking. 643 * 644 * @unix_stream_connect: 645 * Check permissions before establishing a Unix domain stream connection 646 * between @sock and @other. 647 * @sock contains the socket structure. 648 * @other contains the peer socket structure. 649 * Return 0 if permission is granted. 650 * @unix_may_send: 651 * Check permissions before connecting or sending datagrams from @sock to 652 * @other. 653 * @sock contains the socket structure. 654 * @sock contains the peer socket structure. 655 * Return 0 if permission is granted. 656 * 657 * The @unix_stream_connect and @unix_may_send hooks were necessary because 658 * Linux provides an alternative to the conventional file name space for Unix 659 * domain sockets. Whereas binding and connecting to sockets in the file name 660 * space is mediated by the typical file permissions (and caught by the mknod 661 * and permission hooks in inode_security_ops), binding and connecting to 662 * sockets in the abstract name space is completely unmediated. Sufficient 663 * control of Unix domain sockets in the abstract name space isn't possible 664 * using only the socket layer hooks, since we need to know the actual target 665 * socket, which is not looked up until we are inside the af_unix code. 666 * 667 * Security hooks for socket operations. 668 * 669 * @socket_create: 670 * Check permissions prior to creating a new socket. 671 * @family contains the requested protocol family. 672 * @type contains the requested communications type. 673 * @protocol contains the requested protocol. 674 * @kern set to 1 if a kernel socket. 675 * Return 0 if permission is granted. 676 * @socket_post_create: 677 * This hook allows a module to update or allocate a per-socket security 678 * structure. Note that the security field was not added directly to the 679 * socket structure, but rather, the socket security information is stored 680 * in the associated inode. Typically, the inode alloc_security hook will 681 * allocate and and attach security information to 682 * sock->inode->i_security. This hook may be used to update the 683 * sock->inode->i_security field with additional information that wasn't 684 * available when the inode was allocated. 685 * @sock contains the newly created socket structure. 686 * @family contains the requested protocol family. 687 * @type contains the requested communications type. 688 * @protocol contains the requested protocol. 689 * @kern set to 1 if a kernel socket. 690 * @socket_bind: 691 * Check permission before socket protocol layer bind operation is 692 * performed and the socket @sock is bound to the address specified in the 693 * @address parameter. 694 * @sock contains the socket structure. 695 * @address contains the address to bind to. 696 * @addrlen contains the length of address. 697 * Return 0 if permission is granted. 698 * @socket_connect: 699 * Check permission before socket protocol layer connect operation 700 * attempts to connect socket @sock to a remote address, @address. 701 * @sock contains the socket structure. 702 * @address contains the address of remote endpoint. 703 * @addrlen contains the length of address. 704 * Return 0 if permission is granted. 705 * @socket_listen: 706 * Check permission before socket protocol layer listen operation. 707 * @sock contains the socket structure. 708 * @backlog contains the maximum length for the pending connection queue. 709 * Return 0 if permission is granted. 710 * @socket_accept: 711 * Check permission before accepting a new connection. Note that the new 712 * socket, @newsock, has been created and some information copied to it, 713 * but the accept operation has not actually been performed. 714 * @sock contains the listening socket structure. 715 * @newsock contains the newly created server socket for connection. 716 * Return 0 if permission is granted. 717 * @socket_post_accept: 718 * This hook allows a security module to copy security 719 * information into the newly created socket's inode. 720 * @sock contains the listening socket structure. 721 * @newsock contains the newly created server socket for connection. 722 * @socket_sendmsg: 723 * Check permission before transmitting a message to another socket. 724 * @sock contains the socket structure. 725 * @msg contains the message to be transmitted. 726 * @size contains the size of message. 727 * Return 0 if permission is granted. 728 * @socket_recvmsg: 729 * Check permission before receiving a message from a socket. 730 * @sock contains the socket structure. 731 * @msg contains the message structure. 732 * @size contains the size of message structure. 733 * @flags contains the operational flags. 734 * Return 0 if permission is granted. 735 * @socket_getsockname: 736 * Check permission before the local address (name) of the socket object 737 * @sock is retrieved. 738 * @sock contains the socket structure. 739 * Return 0 if permission is granted. 740 * @socket_getpeername: 741 * Check permission before the remote address (name) of a socket object 742 * @sock is retrieved. 743 * @sock contains the socket structure. 744 * Return 0 if permission is granted. 745 * @socket_getsockopt: 746 * Check permissions before retrieving the options associated with socket 747 * @sock. 748 * @sock contains the socket structure. 749 * @level contains the protocol level to retrieve option from. 750 * @optname contains the name of option to retrieve. 751 * Return 0 if permission is granted. 752 * @socket_setsockopt: 753 * Check permissions before setting the options associated with socket 754 * @sock. 755 * @sock contains the socket structure. 756 * @level contains the protocol level to set options for. 757 * @optname contains the name of the option to set. 758 * Return 0 if permission is granted. 759 * @socket_shutdown: 760 * Checks permission before all or part of a connection on the socket 761 * @sock is shut down. 762 * @sock contains the socket structure. 763 * @how contains the flag indicating how future sends and receives are handled. 764 * Return 0 if permission is granted. 765 * @socket_sock_rcv_skb: 766 * Check permissions on incoming network packets. This hook is distinct 767 * from Netfilter's IP input hooks since it is the first time that the 768 * incoming sk_buff @skb has been associated with a particular socket, @sk. 769 * @sk contains the sock (not socket) associated with the incoming sk_buff. 770 * @skb contains the incoming network data. 771 * @socket_getpeersec: 772 * This hook allows the security module to provide peer socket security 773 * state to userspace via getsockopt SO_GETPEERSEC. 774 * @sock is the local socket. 775 * @optval userspace memory where the security state is to be copied. 776 * @optlen userspace int where the module should copy the actual length 777 * of the security state. 778 * @len as input is the maximum length to copy to userspace provided 779 * by the caller. 780 * Return 0 if all is well, otherwise, typical getsockopt return 781 * values. 782 * @sk_alloc_security: 783 * Allocate and attach a security structure to the sk->sk_security field, 784 * which is used to copy security attributes between local stream sockets. 785 * @sk_free_security: 786 * Deallocate security structure. 787 * 788 * Security hooks affecting all System V IPC operations. 789 * 790 * @ipc_permission: 791 * Check permissions for access to IPC 792 * @ipcp contains the kernel IPC permission structure 793 * @flag contains the desired (requested) permission set 794 * Return 0 if permission is granted. 795 * 796 * Security hooks for individual messages held in System V IPC message queues 797 * @msg_msg_alloc_security: 798 * Allocate and attach a security structure to the msg->security field. 799 * The security field is initialized to NULL when the structure is first 800 * created. 801 * @msg contains the message structure to be modified. 802 * Return 0 if operation was successful and permission is granted. 803 * @msg_msg_free_security: 804 * Deallocate the security structure for this message. 805 * @msg contains the message structure to be modified. 806 * 807 * Security hooks for System V IPC Message Queues 808 * 809 * @msg_queue_alloc_security: 810 * Allocate and attach a security structure to the 811 * msq->q_perm.security field. The security field is initialized to 812 * NULL when the structure is first created. 813 * @msq contains the message queue structure to be modified. 814 * Return 0 if operation was successful and permission is granted. 815 * @msg_queue_free_security: 816 * Deallocate security structure for this message queue. 817 * @msq contains the message queue structure to be modified. 818 * @msg_queue_associate: 819 * Check permission when a message queue is requested through the 820 * msgget system call. This hook is only called when returning the 821 * message queue identifier for an existing message queue, not when a 822 * new message queue is created. 823 * @msq contains the message queue to act upon. 824 * @msqflg contains the operation control flags. 825 * Return 0 if permission is granted. 826 * @msg_queue_msgctl: 827 * Check permission when a message control operation specified by @cmd 828 * is to be performed on the message queue @msq. 829 * The @msq may be NULL, e.g. for IPC_INFO or MSG_INFO. 830 * @msq contains the message queue to act upon. May be NULL. 831 * @cmd contains the operation to be performed. 832 * Return 0 if permission is granted. 833 * @msg_queue_msgsnd: 834 * Check permission before a message, @msg, is enqueued on the message 835 * queue, @msq. 836 * @msq contains the message queue to send message to. 837 * @msg contains the message to be enqueued. 838 * @msqflg contains operational flags. 839 * Return 0 if permission is granted. 840 * @msg_queue_msgrcv: 841 * Check permission before a message, @msg, is removed from the message 842 * queue, @msq. The @target task structure contains a pointer to the 843 * process that will be receiving the message (not equal to the current 844 * process when inline receives are being performed). 845 * @msq contains the message queue to retrieve message from. 846 * @msg contains the message destination. 847 * @target contains the task structure for recipient process. 848 * @type contains the type of message requested. 849 * @mode contains the operational flags. 850 * Return 0 if permission is granted. 851 * 852 * Security hooks for System V Shared Memory Segments 853 * 854 * @shm_alloc_security: 855 * Allocate and attach a security structure to the shp->shm_perm.security 856 * field. The security field is initialized to NULL when the structure is 857 * first created. 858 * @shp contains the shared memory structure to be modified. 859 * Return 0 if operation was successful and permission is granted. 860 * @shm_free_security: 861 * Deallocate the security struct for this memory segment. 862 * @shp contains the shared memory structure to be modified. 863 * @shm_associate: 864 * Check permission when a shared memory region is requested through the 865 * shmget system call. This hook is only called when returning the shared 866 * memory region identifier for an existing region, not when a new shared 867 * memory region is created. 868 * @shp contains the shared memory structure to be modified. 869 * @shmflg contains the operation control flags. 870 * Return 0 if permission is granted. 871 * @shm_shmctl: 872 * Check permission when a shared memory control operation specified by 873 * @cmd is to be performed on the shared memory region @shp. 874 * The @shp may be NULL, e.g. for IPC_INFO or SHM_INFO. 875 * @shp contains shared memory structure to be modified. 876 * @cmd contains the operation to be performed. 877 * Return 0 if permission is granted. 878 * @shm_shmat: 879 * Check permissions prior to allowing the shmat system call to attach the 880 * shared memory segment @shp to the data segment of the calling process. 881 * The attaching address is specified by @shmaddr. 882 * @shp contains the shared memory structure to be modified. 883 * @shmaddr contains the address to attach memory region to. 884 * @shmflg contains the operational flags. 885 * Return 0 if permission is granted. 886 * 887 * Security hooks for System V Semaphores 888 * 889 * @sem_alloc_security: 890 * Allocate and attach a security structure to the sma->sem_perm.security 891 * field. The security field is initialized to NULL when the structure is 892 * first created. 893 * @sma contains the semaphore structure 894 * Return 0 if operation was successful and permission is granted. 895 * @sem_free_security: 896 * deallocate security struct for this semaphore 897 * @sma contains the semaphore structure. 898 * @sem_associate: 899 * Check permission when a semaphore is requested through the semget 900 * system call. This hook is only called when returning the semaphore 901 * identifier for an existing semaphore, not when a new one must be 902 * created. 903 * @sma contains the semaphore structure. 904 * @semflg contains the operation control flags. 905 * Return 0 if permission is granted. 906 * @sem_semctl: 907 * Check permission when a semaphore operation specified by @cmd is to be 908 * performed on the semaphore @sma. The @sma may be NULL, e.g. for 909 * IPC_INFO or SEM_INFO. 910 * @sma contains the semaphore structure. May be NULL. 911 * @cmd contains the operation to be performed. 912 * Return 0 if permission is granted. 913 * @sem_semop 914 * Check permissions before performing operations on members of the 915 * semaphore set @sma. If the @alter flag is nonzero, the semaphore set 916 * may be modified. 917 * @sma contains the semaphore structure. 918 * @sops contains the operations to perform. 919 * @nsops contains the number of operations to perform. 920 * @alter contains the flag indicating whether changes are to be made. 921 * Return 0 if permission is granted. 922 * 923 * @ptrace: 924 * Check permission before allowing the @parent process to trace the 925 * @child process. 926 * Security modules may also want to perform a process tracing check 927 * during an execve in the set_security or apply_creds hooks of 928 * binprm_security_ops if the process is being traced and its security 929 * attributes would be changed by the execve. 930 * @parent contains the task_struct structure for parent process. 931 * @child contains the task_struct structure for child process. 932 * Return 0 if permission is granted. 933 * @capget: 934 * Get the @effective, @inheritable, and @permitted capability sets for 935 * the @target process. The hook may also perform permission checking to 936 * determine if the current process is allowed to see the capability sets 937 * of the @target process. 938 * @target contains the task_struct structure for target process. 939 * @effective contains the effective capability set. 940 * @inheritable contains the inheritable capability set. 941 * @permitted contains the permitted capability set. 942 * Return 0 if the capability sets were successfully obtained. 943 * @capset_check: 944 * Check permission before setting the @effective, @inheritable, and 945 * @permitted capability sets for the @target process. 946 * Caveat: @target is also set to current if a set of processes is 947 * specified (i.e. all processes other than current and init or a 948 * particular process group). Hence, the capset_set hook may need to 949 * revalidate permission to the actual target process. 950 * @target contains the task_struct structure for target process. 951 * @effective contains the effective capability set. 952 * @inheritable contains the inheritable capability set. 953 * @permitted contains the permitted capability set. 954 * Return 0 if permission is granted. 955 * @capset_set: 956 * Set the @effective, @inheritable, and @permitted capability sets for 957 * the @target process. Since capset_check cannot always check permission 958 * to the real @target process, this hook may also perform permission 959 * checking to determine if the current process is allowed to set the 960 * capability sets of the @target process. However, this hook has no way 961 * of returning an error due to the structure of the sys_capset code. 962 * @target contains the task_struct structure for target process. 963 * @effective contains the effective capability set. 964 * @inheritable contains the inheritable capability set. 965 * @permitted contains the permitted capability set. 966 * @acct: 967 * Check permission before enabling or disabling process accounting. If 968 * accounting is being enabled, then @file refers to the open file used to 969 * store accounting records. If accounting is being disabled, then @file 970 * is NULL. 971 * @file contains the file structure for the accounting file (may be NULL). 972 * Return 0 if permission is granted. 973 * @sysctl: 974 * Check permission before accessing the @table sysctl variable in the 975 * manner specified by @op. 976 * @table contains the ctl_table structure for the sysctl variable. 977 * @op contains the operation (001 = search, 002 = write, 004 = read). 978 * Return 0 if permission is granted. 979 * @capable: 980 * Check whether the @tsk process has the @cap capability. 981 * @tsk contains the task_struct for the process. 982 * @cap contains the capability <include/linux/capability.h>. 983 * Return 0 if the capability is granted for @tsk. 984 * @syslog: 985 * Check permission before accessing the kernel message ring or changing 986 * logging to the console. 987 * See the syslog(2) manual page for an explanation of the @type values. 988 * @type contains the type of action. 989 * Return 0 if permission is granted. 990 * @settime: 991 * Check permission to change the system time. 992 * struct timespec and timezone are defined in include/linux/time.h 993 * @ts contains new time 994 * @tz contains new timezone 995 * Return 0 if permission is granted. 996 * @vm_enough_memory: 997 * Check permissions for allocating a new virtual mapping. 998 * @pages contains the number of pages. 999 * Return 0 if permission is granted. 1000 * 1001 * @register_security: 1002 * allow module stacking. 1003 * @name contains the name of the security module being stacked. 1004 * @ops contains a pointer to the struct security_operations of the module to stack. 1005 * @unregister_security: 1006 * remove a stacked module. 1007 * @name contains the name of the security module being unstacked. 1008 * @ops contains a pointer to the struct security_operations of the module to unstack. 1009 * 1010 * This is the main security structure. 1011 */ 1012struct security_operations { 1013 int (*ptrace) (struct task_struct * parent, struct task_struct * child); 1014 int (*capget) (struct task_struct * target, 1015 kernel_cap_t * effective, 1016 kernel_cap_t * inheritable, kernel_cap_t * permitted); 1017 int (*capset_check) (struct task_struct * target, 1018 kernel_cap_t * effective, 1019 kernel_cap_t * inheritable, 1020 kernel_cap_t * permitted); 1021 void (*capset_set) (struct task_struct * target, 1022 kernel_cap_t * effective, 1023 kernel_cap_t * inheritable, 1024 kernel_cap_t * permitted); 1025 int (*acct) (struct file * file); 1026 int (*sysctl) (struct ctl_table * table, int op); 1027 int (*capable) (struct task_struct * tsk, int cap); 1028 int (*quotactl) (int cmds, int type, int id, struct super_block * sb); 1029 int (*quota_on) (struct dentry * dentry); 1030 int (*syslog) (int type); 1031 int (*settime) (struct timespec *ts, struct timezone *tz); 1032 int (*vm_enough_memory) (long pages); 1033 1034 int (*bprm_alloc_security) (struct linux_binprm * bprm); 1035 void (*bprm_free_security) (struct linux_binprm * bprm); 1036 void (*bprm_apply_creds) (struct linux_binprm * bprm, int unsafe); 1037 void (*bprm_post_apply_creds) (struct linux_binprm * bprm); 1038 int (*bprm_set_security) (struct linux_binprm * bprm); 1039 int (*bprm_check_security) (struct linux_binprm * bprm); 1040 int (*bprm_secureexec) (struct linux_binprm * bprm); 1041 1042 int (*sb_alloc_security) (struct super_block * sb); 1043 void (*sb_free_security) (struct super_block * sb); 1044 int (*sb_copy_data)(struct file_system_type *type, 1045 void *orig, void *copy); 1046 int (*sb_kern_mount) (struct super_block *sb, void *data); 1047 int (*sb_statfs) (struct super_block * sb); 1048 int (*sb_mount) (char *dev_name, struct nameidata * nd, 1049 char *type, unsigned long flags, void *data); 1050 int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd); 1051 int (*sb_umount) (struct vfsmount * mnt, int flags); 1052 void (*sb_umount_close) (struct vfsmount * mnt); 1053 void (*sb_umount_busy) (struct vfsmount * mnt); 1054 void (*sb_post_remount) (struct vfsmount * mnt, 1055 unsigned long flags, void *data); 1056 void (*sb_post_mountroot) (void); 1057 void (*sb_post_addmount) (struct vfsmount * mnt, 1058 struct nameidata * mountpoint_nd); 1059 int (*sb_pivotroot) (struct nameidata * old_nd, 1060 struct nameidata * new_nd); 1061 void (*sb_post_pivotroot) (struct nameidata * old_nd, 1062 struct nameidata * new_nd); 1063 1064 int (*inode_alloc_security) (struct inode *inode); 1065 void (*inode_free_security) (struct inode *inode); 1066 int (*inode_init_security) (struct inode *inode, struct inode *dir, 1067 char **name, void **value, size_t *len); 1068 int (*inode_create) (struct inode *dir, 1069 struct dentry *dentry, int mode); 1070 int (*inode_link) (struct dentry *old_dentry, 1071 struct inode *dir, struct dentry *new_dentry); 1072 int (*inode_unlink) (struct inode *dir, struct dentry *dentry); 1073 int (*inode_symlink) (struct inode *dir, 1074 struct dentry *dentry, const char *old_name); 1075 int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode); 1076 int (*inode_rmdir) (struct inode *dir, struct dentry *dentry); 1077 int (*inode_mknod) (struct inode *dir, struct dentry *dentry, 1078 int mode, dev_t dev); 1079 int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, 1080 struct inode *new_dir, struct dentry *new_dentry); 1081 int (*inode_readlink) (struct dentry *dentry); 1082 int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); 1083 int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd); 1084 int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); 1085 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); 1086 void (*inode_delete) (struct inode *inode); 1087 int (*inode_setxattr) (struct dentry *dentry, char *name, void *value, 1088 size_t size, int flags); 1089 void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value, 1090 size_t size, int flags); 1091 int (*inode_getxattr) (struct dentry *dentry, char *name); 1092 int (*inode_listxattr) (struct dentry *dentry); 1093 int (*inode_removexattr) (struct dentry *dentry, char *name); 1094 int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size); 1095 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1096 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); 1097 1098 int (*file_permission) (struct file * file, int mask); 1099 int (*file_alloc_security) (struct file * file); 1100 void (*file_free_security) (struct file * file); 1101 int (*file_ioctl) (struct file * file, unsigned int cmd, 1102 unsigned long arg); 1103 int (*file_mmap) (struct file * file, 1104 unsigned long reqprot, 1105 unsigned long prot, unsigned long flags); 1106 int (*file_mprotect) (struct vm_area_struct * vma, 1107 unsigned long reqprot, 1108 unsigned long prot); 1109 int (*file_lock) (struct file * file, unsigned int cmd); 1110 int (*file_fcntl) (struct file * file, unsigned int cmd, 1111 unsigned long arg); 1112 int (*file_set_fowner) (struct file * file); 1113 int (*file_send_sigiotask) (struct task_struct * tsk, 1114 struct fown_struct * fown, int sig); 1115 int (*file_receive) (struct file * file); 1116 1117 int (*task_create) (unsigned long clone_flags); 1118 int (*task_alloc_security) (struct task_struct * p); 1119 void (*task_free_security) (struct task_struct * p); 1120 int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); 1121 int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ , 1122 uid_t old_euid, uid_t old_suid, int flags); 1123 int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags); 1124 int (*task_setpgid) (struct task_struct * p, pid_t pgid); 1125 int (*task_getpgid) (struct task_struct * p); 1126 int (*task_getsid) (struct task_struct * p); 1127 int (*task_setgroups) (struct group_info *group_info); 1128 int (*task_setnice) (struct task_struct * p, int nice); 1129 int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim); 1130 int (*task_setscheduler) (struct task_struct * p, int policy, 1131 struct sched_param * lp); 1132 int (*task_getscheduler) (struct task_struct * p); 1133 int (*task_kill) (struct task_struct * p, 1134 struct siginfo * info, int sig); 1135 int (*task_wait) (struct task_struct * p); 1136 int (*task_prctl) (int option, unsigned long arg2, 1137 unsigned long arg3, unsigned long arg4, 1138 unsigned long arg5); 1139 void (*task_reparent_to_init) (struct task_struct * p); 1140 void (*task_to_inode)(struct task_struct *p, struct inode *inode); 1141 1142 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); 1143 1144 int (*msg_msg_alloc_security) (struct msg_msg * msg); 1145 void (*msg_msg_free_security) (struct msg_msg * msg); 1146 1147 int (*msg_queue_alloc_security) (struct msg_queue * msq); 1148 void (*msg_queue_free_security) (struct msg_queue * msq); 1149 int (*msg_queue_associate) (struct msg_queue * msq, int msqflg); 1150 int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd); 1151 int (*msg_queue_msgsnd) (struct msg_queue * msq, 1152 struct msg_msg * msg, int msqflg); 1153 int (*msg_queue_msgrcv) (struct msg_queue * msq, 1154 struct msg_msg * msg, 1155 struct task_struct * target, 1156 long type, int mode); 1157 1158 int (*shm_alloc_security) (struct shmid_kernel * shp); 1159 void (*shm_free_security) (struct shmid_kernel * shp); 1160 int (*shm_associate) (struct shmid_kernel * shp, int shmflg); 1161 int (*shm_shmctl) (struct shmid_kernel * shp, int cmd); 1162 int (*shm_shmat) (struct shmid_kernel * shp, 1163 char __user *shmaddr, int shmflg); 1164 1165 int (*sem_alloc_security) (struct sem_array * sma); 1166 void (*sem_free_security) (struct sem_array * sma); 1167 int (*sem_associate) (struct sem_array * sma, int semflg); 1168 int (*sem_semctl) (struct sem_array * sma, int cmd); 1169 int (*sem_semop) (struct sem_array * sma, 1170 struct sembuf * sops, unsigned nsops, int alter); 1171 1172 int (*netlink_send) (struct sock * sk, struct sk_buff * skb); 1173 int (*netlink_recv) (struct sk_buff * skb); 1174 1175 /* allow module stacking */ 1176 int (*register_security) (const char *name, 1177 struct security_operations *ops); 1178 int (*unregister_security) (const char *name, 1179 struct security_operations *ops); 1180 1181 void (*d_instantiate) (struct dentry *dentry, struct inode *inode); 1182 1183 int (*getprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1184 int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1185 1186#ifdef CONFIG_SECURITY_NETWORK 1187 int (*unix_stream_connect) (struct socket * sock, 1188 struct socket * other, struct sock * newsk); 1189 int (*unix_may_send) (struct socket * sock, struct socket * other); 1190 1191 int (*socket_create) (int family, int type, int protocol, int kern); 1192 void (*socket_post_create) (struct socket * sock, int family, 1193 int type, int protocol, int kern); 1194 int (*socket_bind) (struct socket * sock, 1195 struct sockaddr * address, int addrlen); 1196 int (*socket_connect) (struct socket * sock, 1197 struct sockaddr * address, int addrlen); 1198 int (*socket_listen) (struct socket * sock, int backlog); 1199 int (*socket_accept) (struct socket * sock, struct socket * newsock); 1200 void (*socket_post_accept) (struct socket * sock, 1201 struct socket * newsock); 1202 int (*socket_sendmsg) (struct socket * sock, 1203 struct msghdr * msg, int size); 1204 int (*socket_recvmsg) (struct socket * sock, 1205 struct msghdr * msg, int size, int flags); 1206 int (*socket_getsockname) (struct socket * sock); 1207 int (*socket_getpeername) (struct socket * sock); 1208 int (*socket_getsockopt) (struct socket * sock, int level, int optname); 1209 int (*socket_setsockopt) (struct socket * sock, int level, int optname); 1210 int (*socket_shutdown) (struct socket * sock, int how); 1211 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); 1212 int (*socket_getpeersec) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); 1213 int (*sk_alloc_security) (struct sock *sk, int family, int priority); 1214 void (*sk_free_security) (struct sock *sk); 1215#endif /* CONFIG_SECURITY_NETWORK */ 1216}; 1217 1218/* global variables */ 1219extern struct security_operations *security_ops; 1220 1221/* inline stuff */ 1222static inline int security_ptrace (struct task_struct * parent, struct task_struct * child) 1223{ 1224 return security_ops->ptrace (parent, child); 1225} 1226 1227static inline int security_capget (struct task_struct *target, 1228 kernel_cap_t *effective, 1229 kernel_cap_t *inheritable, 1230 kernel_cap_t *permitted) 1231{ 1232 return security_ops->capget (target, effective, inheritable, permitted); 1233} 1234 1235static inline int security_capset_check (struct task_struct *target, 1236 kernel_cap_t *effective, 1237 kernel_cap_t *inheritable, 1238 kernel_cap_t *permitted) 1239{ 1240 return security_ops->capset_check (target, effective, inheritable, permitted); 1241} 1242 1243static inline void security_capset_set (struct task_struct *target, 1244 kernel_cap_t *effective, 1245 kernel_cap_t *inheritable, 1246 kernel_cap_t *permitted) 1247{ 1248 security_ops->capset_set (target, effective, inheritable, permitted); 1249} 1250 1251static inline int security_acct (struct file *file) 1252{ 1253 return security_ops->acct (file); 1254} 1255 1256static inline int security_sysctl(struct ctl_table *table, int op) 1257{ 1258 return security_ops->sysctl(table, op); 1259} 1260 1261static inline int security_quotactl (int cmds, int type, int id, 1262 struct super_block *sb) 1263{ 1264 return security_ops->quotactl (cmds, type, id, sb); 1265} 1266 1267static inline int security_quota_on (struct dentry * dentry) 1268{ 1269 return security_ops->quota_on (dentry); 1270} 1271 1272static inline int security_syslog(int type) 1273{ 1274 return security_ops->syslog(type); 1275} 1276 1277static inline int security_settime(struct timespec *ts, struct timezone *tz) 1278{ 1279 return security_ops->settime(ts, tz); 1280} 1281 1282 1283static inline int security_vm_enough_memory(long pages) 1284{ 1285 return security_ops->vm_enough_memory(pages); 1286} 1287 1288static inline int security_bprm_alloc (struct linux_binprm *bprm) 1289{ 1290 return security_ops->bprm_alloc_security (bprm); 1291} 1292static inline void security_bprm_free (struct linux_binprm *bprm) 1293{ 1294 security_ops->bprm_free_security (bprm); 1295} 1296static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 1297{ 1298 security_ops->bprm_apply_creds (bprm, unsafe); 1299} 1300static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) 1301{ 1302 security_ops->bprm_post_apply_creds (bprm); 1303} 1304static inline int security_bprm_set (struct linux_binprm *bprm) 1305{ 1306 return security_ops->bprm_set_security (bprm); 1307} 1308 1309static inline int security_bprm_check (struct linux_binprm *bprm) 1310{ 1311 return security_ops->bprm_check_security (bprm); 1312} 1313 1314static inline int security_bprm_secureexec (struct linux_binprm *bprm) 1315{ 1316 return security_ops->bprm_secureexec (bprm); 1317} 1318 1319static inline int security_sb_alloc (struct super_block *sb) 1320{ 1321 return security_ops->sb_alloc_security (sb); 1322} 1323 1324static inline void security_sb_free (struct super_block *sb) 1325{ 1326 security_ops->sb_free_security (sb); 1327} 1328 1329static inline int security_sb_copy_data (struct file_system_type *type, 1330 void *orig, void *copy) 1331{ 1332 return security_ops->sb_copy_data (type, orig, copy); 1333} 1334 1335static inline int security_sb_kern_mount (struct super_block *sb, void *data) 1336{ 1337 return security_ops->sb_kern_mount (sb, data); 1338} 1339 1340static inline int security_sb_statfs (struct super_block *sb) 1341{ 1342 return security_ops->sb_statfs (sb); 1343} 1344 1345static inline int security_sb_mount (char *dev_name, struct nameidata *nd, 1346 char *type, unsigned long flags, 1347 void *data) 1348{ 1349 return security_ops->sb_mount (dev_name, nd, type, flags, data); 1350} 1351 1352static inline int security_sb_check_sb (struct vfsmount *mnt, 1353 struct nameidata *nd) 1354{ 1355 return security_ops->sb_check_sb (mnt, nd); 1356} 1357 1358static inline int security_sb_umount (struct vfsmount *mnt, int flags) 1359{ 1360 return security_ops->sb_umount (mnt, flags); 1361} 1362 1363static inline void security_sb_umount_close (struct vfsmount *mnt) 1364{ 1365 security_ops->sb_umount_close (mnt); 1366} 1367 1368static inline void security_sb_umount_busy (struct vfsmount *mnt) 1369{ 1370 security_ops->sb_umount_busy (mnt); 1371} 1372 1373static inline void security_sb_post_remount (struct vfsmount *mnt, 1374 unsigned long flags, void *data) 1375{ 1376 security_ops->sb_post_remount (mnt, flags, data); 1377} 1378 1379static inline void security_sb_post_mountroot (void) 1380{ 1381 security_ops->sb_post_mountroot (); 1382} 1383 1384static inline void security_sb_post_addmount (struct vfsmount *mnt, 1385 struct nameidata *mountpoint_nd) 1386{ 1387 security_ops->sb_post_addmount (mnt, mountpoint_nd); 1388} 1389 1390static inline int security_sb_pivotroot (struct nameidata *old_nd, 1391 struct nameidata *new_nd) 1392{ 1393 return security_ops->sb_pivotroot (old_nd, new_nd); 1394} 1395 1396static inline void security_sb_post_pivotroot (struct nameidata *old_nd, 1397 struct nameidata *new_nd) 1398{ 1399 security_ops->sb_post_pivotroot (old_nd, new_nd); 1400} 1401 1402static inline int security_inode_alloc (struct inode *inode) 1403{ 1404 if (unlikely (IS_PRIVATE (inode))) 1405 return 0; 1406 return security_ops->inode_alloc_security (inode); 1407} 1408 1409static inline void security_inode_free (struct inode *inode) 1410{ 1411 if (unlikely (IS_PRIVATE (inode))) 1412 return; 1413 security_ops->inode_free_security (inode); 1414} 1415 1416static inline int security_inode_init_security (struct inode *inode, 1417 struct inode *dir, 1418 char **name, 1419 void **value, 1420 size_t *len) 1421{ 1422 if (unlikely (IS_PRIVATE (inode))) 1423 return -EOPNOTSUPP; 1424 return security_ops->inode_init_security (inode, dir, name, value, len); 1425} 1426 1427static inline int security_inode_create (struct inode *dir, 1428 struct dentry *dentry, 1429 int mode) 1430{ 1431 if (unlikely (IS_PRIVATE (dir))) 1432 return 0; 1433 return security_ops->inode_create (dir, dentry, mode); 1434} 1435 1436static inline int security_inode_link (struct dentry *old_dentry, 1437 struct inode *dir, 1438 struct dentry *new_dentry) 1439{ 1440 if (unlikely (IS_PRIVATE (old_dentry->d_inode))) 1441 return 0; 1442 return security_ops->inode_link (old_dentry, dir, new_dentry); 1443} 1444 1445static inline int security_inode_unlink (struct inode *dir, 1446 struct dentry *dentry) 1447{ 1448 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1449 return 0; 1450 return security_ops->inode_unlink (dir, dentry); 1451} 1452 1453static inline int security_inode_symlink (struct inode *dir, 1454 struct dentry *dentry, 1455 const char *old_name) 1456{ 1457 if (unlikely (IS_PRIVATE (dir))) 1458 return 0; 1459 return security_ops->inode_symlink (dir, dentry, old_name); 1460} 1461 1462static inline int security_inode_mkdir (struct inode *dir, 1463 struct dentry *dentry, 1464 int mode) 1465{ 1466 if (unlikely (IS_PRIVATE (dir))) 1467 return 0; 1468 return security_ops->inode_mkdir (dir, dentry, mode); 1469} 1470 1471static inline int security_inode_rmdir (struct inode *dir, 1472 struct dentry *dentry) 1473{ 1474 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1475 return 0; 1476 return security_ops->inode_rmdir (dir, dentry); 1477} 1478 1479static inline int security_inode_mknod (struct inode *dir, 1480 struct dentry *dentry, 1481 int mode, dev_t dev) 1482{ 1483 if (unlikely (IS_PRIVATE (dir))) 1484 return 0; 1485 return security_ops->inode_mknod (dir, dentry, mode, dev); 1486} 1487 1488static inline int security_inode_rename (struct inode *old_dir, 1489 struct dentry *old_dentry, 1490 struct inode *new_dir, 1491 struct dentry *new_dentry) 1492{ 1493 if (unlikely (IS_PRIVATE (old_dentry->d_inode) || 1494 (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) 1495 return 0; 1496 return security_ops->inode_rename (old_dir, old_dentry, 1497 new_dir, new_dentry); 1498} 1499 1500static inline int security_inode_readlink (struct dentry *dentry) 1501{ 1502 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1503 return 0; 1504 return security_ops->inode_readlink (dentry); 1505} 1506 1507static inline int security_inode_follow_link (struct dentry *dentry, 1508 struct nameidata *nd) 1509{ 1510 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1511 return 0; 1512 return security_ops->inode_follow_link (dentry, nd); 1513} 1514 1515static inline int security_inode_permission (struct inode *inode, int mask, 1516 struct nameidata *nd) 1517{ 1518 if (unlikely (IS_PRIVATE (inode))) 1519 return 0; 1520 return security_ops->inode_permission (inode, mask, nd); 1521} 1522 1523static inline int security_inode_setattr (struct dentry *dentry, 1524 struct iattr *attr) 1525{ 1526 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1527 return 0; 1528 return security_ops->inode_setattr (dentry, attr); 1529} 1530 1531static inline int security_inode_getattr (struct vfsmount *mnt, 1532 struct dentry *dentry) 1533{ 1534 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1535 return 0; 1536 return security_ops->inode_getattr (mnt, dentry); 1537} 1538 1539static inline void security_inode_delete (struct inode *inode) 1540{ 1541 if (unlikely (IS_PRIVATE (inode))) 1542 return; 1543 security_ops->inode_delete (inode); 1544} 1545 1546static inline int security_inode_setxattr (struct dentry *dentry, char *name, 1547 void *value, size_t size, int flags) 1548{ 1549 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1550 return 0; 1551 return security_ops->inode_setxattr (dentry, name, value, size, flags); 1552} 1553 1554static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 1555 void *value, size_t size, int flags) 1556{ 1557 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1558 return; 1559 security_ops->inode_post_setxattr (dentry, name, value, size, flags); 1560} 1561 1562static inline int security_inode_getxattr (struct dentry *dentry, char *name) 1563{ 1564 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1565 return 0; 1566 return security_ops->inode_getxattr (dentry, name); 1567} 1568 1569static inline int security_inode_listxattr (struct dentry *dentry) 1570{ 1571 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1572 return 0; 1573 return security_ops->inode_listxattr (dentry); 1574} 1575 1576static inline int security_inode_removexattr (struct dentry *dentry, char *name) 1577{ 1578 if (unlikely (IS_PRIVATE (dentry->d_inode))) 1579 return 0; 1580 return security_ops->inode_removexattr (dentry, name); 1581} 1582 1583static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 1584{ 1585 if (unlikely (IS_PRIVATE (inode))) 1586 return 0; 1587 return security_ops->inode_getsecurity(inode, name, buffer, size); 1588} 1589 1590static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 1591{ 1592 if (unlikely (IS_PRIVATE (inode))) 1593 return 0; 1594 return security_ops->inode_setsecurity(inode, name, value, size, flags); 1595} 1596 1597static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 1598{ 1599 if (unlikely (IS_PRIVATE (inode))) 1600 return 0; 1601 return security_ops->inode_listsecurity(inode, buffer, buffer_size); 1602} 1603 1604static inline int security_file_permission (struct file *file, int mask) 1605{ 1606 return security_ops->file_permission (file, mask); 1607} 1608 1609static inline int security_file_alloc (struct file *file) 1610{ 1611 return security_ops->file_alloc_security (file); 1612} 1613 1614static inline void security_file_free (struct file *file) 1615{ 1616 security_ops->file_free_security (file); 1617} 1618 1619static inline int security_file_ioctl (struct file *file, unsigned int cmd, 1620 unsigned long arg) 1621{ 1622 return security_ops->file_ioctl (file, cmd, arg); 1623} 1624 1625static inline int security_file_mmap (struct file *file, unsigned long reqprot, 1626 unsigned long prot, 1627 unsigned long flags) 1628{ 1629 return security_ops->file_mmap (file, reqprot, prot, flags); 1630} 1631 1632static inline int security_file_mprotect (struct vm_area_struct *vma, 1633 unsigned long reqprot, 1634 unsigned long prot) 1635{ 1636 return security_ops->file_mprotect (vma, reqprot, prot); 1637} 1638 1639static inline int security_file_lock (struct file *file, unsigned int cmd) 1640{ 1641 return security_ops->file_lock (file, cmd); 1642} 1643 1644static inline int security_file_fcntl (struct file *file, unsigned int cmd, 1645 unsigned long arg) 1646{ 1647 return security_ops->file_fcntl (file, cmd, arg); 1648} 1649 1650static inline int security_file_set_fowner (struct file *file) 1651{ 1652 return security_ops->file_set_fowner (file); 1653} 1654 1655static inline int security_file_send_sigiotask (struct task_struct *tsk, 1656 struct fown_struct *fown, 1657 int sig) 1658{ 1659 return security_ops->file_send_sigiotask (tsk, fown, sig); 1660} 1661 1662static inline int security_file_receive (struct file *file) 1663{ 1664 return security_ops->file_receive (file); 1665} 1666 1667static inline int security_task_create (unsigned long clone_flags) 1668{ 1669 return security_ops->task_create (clone_flags); 1670} 1671 1672static inline int security_task_alloc (struct task_struct *p) 1673{ 1674 return security_ops->task_alloc_security (p); 1675} 1676 1677static inline void security_task_free (struct task_struct *p) 1678{ 1679 security_ops->task_free_security (p); 1680} 1681 1682static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, 1683 int flags) 1684{ 1685 return security_ops->task_setuid (id0, id1, id2, flags); 1686} 1687 1688static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, 1689 uid_t old_suid, int flags) 1690{ 1691 return security_ops->task_post_setuid (old_ruid, old_euid, old_suid, flags); 1692} 1693 1694static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, 1695 int flags) 1696{ 1697 return security_ops->task_setgid (id0, id1, id2, flags); 1698} 1699 1700static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) 1701{ 1702 return security_ops->task_setpgid (p, pgid); 1703} 1704 1705static inline int security_task_getpgid (struct task_struct *p) 1706{ 1707 return security_ops->task_getpgid (p); 1708} 1709 1710static inline int security_task_getsid (struct task_struct *p) 1711{ 1712 return security_ops->task_getsid (p); 1713} 1714 1715static inline int security_task_setgroups (struct group_info *group_info) 1716{ 1717 return security_ops->task_setgroups (group_info); 1718} 1719 1720static inline int security_task_setnice (struct task_struct *p, int nice) 1721{ 1722 return security_ops->task_setnice (p, nice); 1723} 1724 1725static inline int security_task_setrlimit (unsigned int resource, 1726 struct rlimit *new_rlim) 1727{ 1728 return security_ops->task_setrlimit (resource, new_rlim); 1729} 1730 1731static inline int security_task_setscheduler (struct task_struct *p, 1732 int policy, 1733 struct sched_param *lp) 1734{ 1735 return security_ops->task_setscheduler (p, policy, lp); 1736} 1737 1738static inline int security_task_getscheduler (struct task_struct *p) 1739{ 1740 return security_ops->task_getscheduler (p); 1741} 1742 1743static inline int security_task_kill (struct task_struct *p, 1744 struct siginfo *info, int sig) 1745{ 1746 return security_ops->task_kill (p, info, sig); 1747} 1748 1749static inline int security_task_wait (struct task_struct *p) 1750{ 1751 return security_ops->task_wait (p); 1752} 1753 1754static inline int security_task_prctl (int option, unsigned long arg2, 1755 unsigned long arg3, 1756 unsigned long arg4, 1757 unsigned long arg5) 1758{ 1759 return security_ops->task_prctl (option, arg2, arg3, arg4, arg5); 1760} 1761 1762static inline void security_task_reparent_to_init (struct task_struct *p) 1763{ 1764 security_ops->task_reparent_to_init (p); 1765} 1766 1767static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 1768{ 1769 security_ops->task_to_inode(p, inode); 1770} 1771 1772static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, 1773 short flag) 1774{ 1775 return security_ops->ipc_permission (ipcp, flag); 1776} 1777 1778static inline int security_msg_msg_alloc (struct msg_msg * msg) 1779{ 1780 return security_ops->msg_msg_alloc_security (msg); 1781} 1782 1783static inline void security_msg_msg_free (struct msg_msg * msg) 1784{ 1785 security_ops->msg_msg_free_security(msg); 1786} 1787 1788static inline int security_msg_queue_alloc (struct msg_queue *msq) 1789{ 1790 return security_ops->msg_queue_alloc_security (msq); 1791} 1792 1793static inline void security_msg_queue_free (struct msg_queue *msq) 1794{ 1795 security_ops->msg_queue_free_security (msq); 1796} 1797 1798static inline int security_msg_queue_associate (struct msg_queue * msq, 1799 int msqflg) 1800{ 1801 return security_ops->msg_queue_associate (msq, msqflg); 1802} 1803 1804static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) 1805{ 1806 return security_ops->msg_queue_msgctl (msq, cmd); 1807} 1808 1809static inline int security_msg_queue_msgsnd (struct msg_queue * msq, 1810 struct msg_msg * msg, int msqflg) 1811{ 1812 return security_ops->msg_queue_msgsnd (msq, msg, msqflg); 1813} 1814 1815static inline int security_msg_queue_msgrcv (struct msg_queue * msq, 1816 struct msg_msg * msg, 1817 struct task_struct * target, 1818 long type, int mode) 1819{ 1820 return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode); 1821} 1822 1823static inline int security_shm_alloc (struct shmid_kernel *shp) 1824{ 1825 return security_ops->shm_alloc_security (shp); 1826} 1827 1828static inline void security_shm_free (struct shmid_kernel *shp) 1829{ 1830 security_ops->shm_free_security (shp); 1831} 1832 1833static inline int security_shm_associate (struct shmid_kernel * shp, 1834 int shmflg) 1835{ 1836 return security_ops->shm_associate(shp, shmflg); 1837} 1838 1839static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) 1840{ 1841 return security_ops->shm_shmctl (shp, cmd); 1842} 1843 1844static inline int security_shm_shmat (struct shmid_kernel * shp, 1845 char __user *shmaddr, int shmflg) 1846{ 1847 return security_ops->shm_shmat(shp, shmaddr, shmflg); 1848} 1849 1850static inline int security_sem_alloc (struct sem_array *sma) 1851{ 1852 return security_ops->sem_alloc_security (sma); 1853} 1854 1855static inline void security_sem_free (struct sem_array *sma) 1856{ 1857 security_ops->sem_free_security (sma); 1858} 1859 1860static inline int security_sem_associate (struct sem_array * sma, int semflg) 1861{ 1862 return security_ops->sem_associate (sma, semflg); 1863} 1864 1865static inline int security_sem_semctl (struct sem_array * sma, int cmd) 1866{ 1867 return security_ops->sem_semctl(sma, cmd); 1868} 1869 1870static inline int security_sem_semop (struct sem_array * sma, 1871 struct sembuf * sops, unsigned nsops, 1872 int alter) 1873{ 1874 return security_ops->sem_semop(sma, sops, nsops, alter); 1875} 1876 1877static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) 1878{ 1879 if (unlikely (inode && IS_PRIVATE (inode))) 1880 return; 1881 security_ops->d_instantiate (dentry, inode); 1882} 1883 1884static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) 1885{ 1886 return security_ops->getprocattr(p, name, value, size); 1887} 1888 1889static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 1890{ 1891 return security_ops->setprocattr(p, name, value, size); 1892} 1893 1894static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb) 1895{ 1896 return security_ops->netlink_send(sk, skb); 1897} 1898 1899static inline int security_netlink_recv(struct sk_buff * skb) 1900{ 1901 return security_ops->netlink_recv(skb); 1902} 1903 1904/* prototypes */ 1905extern int security_init (void); 1906extern int register_security (struct security_operations *ops); 1907extern int unregister_security (struct security_operations *ops); 1908extern int mod_reg_security (const char *name, struct security_operations *ops); 1909extern int mod_unreg_security (const char *name, struct security_operations *ops); 1910extern struct dentry *securityfs_create_file(const char *name, mode_t mode, 1911 struct dentry *parent, void *data, 1912 struct file_operations *fops); 1913extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent); 1914extern void securityfs_remove(struct dentry *dentry); 1915 1916 1917#else /* CONFIG_SECURITY */ 1918 1919/* 1920 * This is the default capabilities functionality. Most of these functions 1921 * are just stubbed out, but a few must call the proper capable code. 1922 */ 1923 1924static inline int security_init(void) 1925{ 1926 return 0; 1927} 1928 1929static inline int security_ptrace (struct task_struct *parent, struct task_struct * child) 1930{ 1931 return cap_ptrace (parent, child); 1932} 1933 1934static inline int security_capget (struct task_struct *target, 1935 kernel_cap_t *effective, 1936 kernel_cap_t *inheritable, 1937 kernel_cap_t *permitted) 1938{ 1939 return cap_capget (target, effective, inheritable, permitted); 1940} 1941 1942static inline int security_capset_check (struct task_struct *target, 1943 kernel_cap_t *effective, 1944 kernel_cap_t *inheritable, 1945 kernel_cap_t *permitted) 1946{ 1947 return cap_capset_check (target, effective, inheritable, permitted); 1948} 1949 1950static inline void security_capset_set (struct task_struct *target, 1951 kernel_cap_t *effective, 1952 kernel_cap_t *inheritable, 1953 kernel_cap_t *permitted) 1954{ 1955 cap_capset_set (target, effective, inheritable, permitted); 1956} 1957 1958static inline int security_acct (struct file *file) 1959{ 1960 return 0; 1961} 1962 1963static inline int security_sysctl(struct ctl_table *table, int op) 1964{ 1965 return 0; 1966} 1967 1968static inline int security_quotactl (int cmds, int type, int id, 1969 struct super_block * sb) 1970{ 1971 return 0; 1972} 1973 1974static inline int security_quota_on (struct dentry * dentry) 1975{ 1976 return 0; 1977} 1978 1979static inline int security_syslog(int type) 1980{ 1981 return cap_syslog(type); 1982} 1983 1984static inline int security_settime(struct timespec *ts, struct timezone *tz) 1985{ 1986 return cap_settime(ts, tz); 1987} 1988 1989static inline int security_vm_enough_memory(long pages) 1990{ 1991 return cap_vm_enough_memory(pages); 1992} 1993 1994static inline int security_bprm_alloc (struct linux_binprm *bprm) 1995{ 1996 return 0; 1997} 1998 1999static inline void security_bprm_free (struct linux_binprm *bprm) 2000{ } 2001 2002static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 2003{ 2004 cap_bprm_apply_creds (bprm, unsafe); 2005} 2006 2007static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) 2008{ 2009 return; 2010} 2011 2012static inline int security_bprm_set (struct linux_binprm *bprm) 2013{ 2014 return cap_bprm_set_security (bprm); 2015} 2016 2017static inline int security_bprm_check (struct linux_binprm *bprm) 2018{ 2019 return 0; 2020} 2021 2022static inline int security_bprm_secureexec (struct linux_binprm *bprm) 2023{ 2024 return cap_bprm_secureexec(bprm); 2025} 2026 2027static inline int security_sb_alloc (struct super_block *sb) 2028{ 2029 return 0; 2030} 2031 2032static inline void security_sb_free (struct super_block *sb) 2033{ } 2034 2035static inline int security_sb_copy_data (struct file_system_type *type, 2036 void *orig, void *copy) 2037{ 2038 return 0; 2039} 2040 2041static inline int security_sb_kern_mount (struct super_block *sb, void *data) 2042{ 2043 return 0; 2044} 2045 2046static inline int security_sb_statfs (struct super_block *sb) 2047{ 2048 return 0; 2049} 2050 2051static inline int security_sb_mount (char *dev_name, struct nameidata *nd, 2052 char *type, unsigned long flags, 2053 void *data) 2054{ 2055 return 0; 2056} 2057 2058static inline int security_sb_check_sb (struct vfsmount *mnt, 2059 struct nameidata *nd) 2060{ 2061 return 0; 2062} 2063 2064static inline int security_sb_umount (struct vfsmount *mnt, int flags) 2065{ 2066 return 0; 2067} 2068 2069static inline void security_sb_umount_close (struct vfsmount *mnt) 2070{ } 2071 2072static inline void security_sb_umount_busy (struct vfsmount *mnt) 2073{ } 2074 2075static inline void security_sb_post_remount (struct vfsmount *mnt, 2076 unsigned long flags, void *data) 2077{ } 2078 2079static inline void security_sb_post_mountroot (void) 2080{ } 2081 2082static inline void security_sb_post_addmount (struct vfsmount *mnt, 2083 struct nameidata *mountpoint_nd) 2084{ } 2085 2086static inline int security_sb_pivotroot (struct nameidata *old_nd, 2087 struct nameidata *new_nd) 2088{ 2089 return 0; 2090} 2091 2092static inline void security_sb_post_pivotroot (struct nameidata *old_nd, 2093 struct nameidata *new_nd) 2094{ } 2095 2096static inline int security_inode_alloc (struct inode *inode) 2097{ 2098 return 0; 2099} 2100 2101static inline void security_inode_free (struct inode *inode) 2102{ } 2103 2104static inline int security_inode_init_security (struct inode *inode, 2105 struct inode *dir, 2106 char **name, 2107 void **value, 2108 size_t *len) 2109{ 2110 return -EOPNOTSUPP; 2111} 2112 2113static inline int security_inode_create (struct inode *dir, 2114 struct dentry *dentry, 2115 int mode) 2116{ 2117 return 0; 2118} 2119 2120static inline int security_inode_link (struct dentry *old_dentry, 2121 struct inode *dir, 2122 struct dentry *new_dentry) 2123{ 2124 return 0; 2125} 2126 2127static inline int security_inode_unlink (struct inode *dir, 2128 struct dentry *dentry) 2129{ 2130 return 0; 2131} 2132 2133static inline int security_inode_symlink (struct inode *dir, 2134 struct dentry *dentry, 2135 const char *old_name) 2136{ 2137 return 0; 2138} 2139 2140static inline int security_inode_mkdir (struct inode *dir, 2141 struct dentry *dentry, 2142 int mode) 2143{ 2144 return 0; 2145} 2146 2147static inline int security_inode_rmdir (struct inode *dir, 2148 struct dentry *dentry) 2149{ 2150 return 0; 2151} 2152 2153static inline int security_inode_mknod (struct inode *dir, 2154 struct dentry *dentry, 2155 int mode, dev_t dev) 2156{ 2157 return 0; 2158} 2159 2160static inline int security_inode_rename (struct inode *old_dir, 2161 struct dentry *old_dentry, 2162 struct inode *new_dir, 2163 struct dentry *new_dentry) 2164{ 2165 return 0; 2166} 2167 2168static inline int security_inode_readlink (struct dentry *dentry) 2169{ 2170 return 0; 2171} 2172 2173static inline int security_inode_follow_link (struct dentry *dentry, 2174 struct nameidata *nd) 2175{ 2176 return 0; 2177} 2178 2179static inline int security_inode_permission (struct inode *inode, int mask, 2180 struct nameidata *nd) 2181{ 2182 return 0; 2183} 2184 2185static inline int security_inode_setattr (struct dentry *dentry, 2186 struct iattr *attr) 2187{ 2188 return 0; 2189} 2190 2191static inline int security_inode_getattr (struct vfsmount *mnt, 2192 struct dentry *dentry) 2193{ 2194 return 0; 2195} 2196 2197static inline void security_inode_delete (struct inode *inode) 2198{ } 2199 2200static inline int security_inode_setxattr (struct dentry *dentry, char *name, 2201 void *value, size_t size, int flags) 2202{ 2203 return cap_inode_setxattr(dentry, name, value, size, flags); 2204} 2205 2206static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 2207 void *value, size_t size, int flags) 2208{ } 2209 2210static inline int security_inode_getxattr (struct dentry *dentry, char *name) 2211{ 2212 return 0; 2213} 2214 2215static inline int security_inode_listxattr (struct dentry *dentry) 2216{ 2217 return 0; 2218} 2219 2220static inline int security_inode_removexattr (struct dentry *dentry, char *name) 2221{ 2222 return cap_inode_removexattr(dentry, name); 2223} 2224 2225static inline int security_inode_getsecurity(struct inode *inode, const char *name, void *buffer, size_t size) 2226{ 2227 return -EOPNOTSUPP; 2228} 2229 2230static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 2231{ 2232 return -EOPNOTSUPP; 2233} 2234 2235static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 2236{ 2237 return 0; 2238} 2239 2240static inline int security_file_permission (struct file *file, int mask) 2241{ 2242 return 0; 2243} 2244 2245static inline int security_file_alloc (struct file *file) 2246{ 2247 return 0; 2248} 2249 2250static inline void security_file_free (struct file *file) 2251{ } 2252 2253static inline int security_file_ioctl (struct file *file, unsigned int cmd, 2254 unsigned long arg) 2255{ 2256 return 0; 2257} 2258 2259static inline int security_file_mmap (struct file *file, unsigned long reqprot, 2260 unsigned long prot, 2261 unsigned long flags) 2262{ 2263 return 0; 2264} 2265 2266static inline int security_file_mprotect (struct vm_area_struct *vma, 2267 unsigned long reqprot, 2268 unsigned long prot) 2269{ 2270 return 0; 2271} 2272 2273static inline int security_file_lock (struct file *file, unsigned int cmd) 2274{ 2275 return 0; 2276} 2277 2278static inline int security_file_fcntl (struct file *file, unsigned int cmd, 2279 unsigned long arg) 2280{ 2281 return 0; 2282} 2283 2284static inline int security_file_set_fowner (struct file *file) 2285{ 2286 return 0; 2287} 2288 2289static inline int security_file_send_sigiotask (struct task_struct *tsk, 2290 struct fown_struct *fown, 2291 int sig) 2292{ 2293 return 0; 2294} 2295 2296static inline int security_file_receive (struct file *file) 2297{ 2298 return 0; 2299} 2300 2301static inline int security_task_create (unsigned long clone_flags) 2302{ 2303 return 0; 2304} 2305 2306static inline int security_task_alloc (struct task_struct *p) 2307{ 2308 return 0; 2309} 2310 2311static inline void security_task_free (struct task_struct *p) 2312{ } 2313 2314static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, 2315 int flags) 2316{ 2317 return 0; 2318} 2319 2320static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, 2321 uid_t old_suid, int flags) 2322{ 2323 return cap_task_post_setuid (old_ruid, old_euid, old_suid, flags); 2324} 2325 2326static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, 2327 int flags) 2328{ 2329 return 0; 2330} 2331 2332static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) 2333{ 2334 return 0; 2335} 2336 2337static inline int security_task_getpgid (struct task_struct *p) 2338{ 2339 return 0; 2340} 2341 2342static inline int security_task_getsid (struct task_struct *p) 2343{ 2344 return 0; 2345} 2346 2347static inline int security_task_setgroups (struct group_info *group_info) 2348{ 2349 return 0; 2350} 2351 2352static inline int security_task_setnice (struct task_struct *p, int nice) 2353{ 2354 return 0; 2355} 2356 2357static inline int security_task_setrlimit (unsigned int resource, 2358 struct rlimit *new_rlim) 2359{ 2360 return 0; 2361} 2362 2363static inline int security_task_setscheduler (struct task_struct *p, 2364 int policy, 2365 struct sched_param *lp) 2366{ 2367 return 0; 2368} 2369 2370static inline int security_task_getscheduler (struct task_struct *p) 2371{ 2372 return 0; 2373} 2374 2375static inline int security_task_kill (struct task_struct *p, 2376 struct siginfo *info, int sig) 2377{ 2378 return 0; 2379} 2380 2381static inline int security_task_wait (struct task_struct *p) 2382{ 2383 return 0; 2384} 2385 2386static inline int security_task_prctl (int option, unsigned long arg2, 2387 unsigned long arg3, 2388 unsigned long arg4, 2389 unsigned long arg5) 2390{ 2391 return 0; 2392} 2393 2394static inline void security_task_reparent_to_init (struct task_struct *p) 2395{ 2396 cap_task_reparent_to_init (p); 2397} 2398 2399static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 2400{ } 2401 2402static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, 2403 short flag) 2404{ 2405 return 0; 2406} 2407 2408static inline int security_msg_msg_alloc (struct msg_msg * msg) 2409{ 2410 return 0; 2411} 2412 2413static inline void security_msg_msg_free (struct msg_msg * msg) 2414{ } 2415 2416static inline int security_msg_queue_alloc (struct msg_queue *msq) 2417{ 2418 return 0; 2419} 2420 2421static inline void security_msg_queue_free (struct msg_queue *msq) 2422{ } 2423 2424static inline int security_msg_queue_associate (struct msg_queue * msq, 2425 int msqflg) 2426{ 2427 return 0; 2428} 2429 2430static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) 2431{ 2432 return 0; 2433} 2434 2435static inline int security_msg_queue_msgsnd (struct msg_queue * msq, 2436 struct msg_msg * msg, int msqflg) 2437{ 2438 return 0; 2439} 2440 2441static inline int security_msg_queue_msgrcv (struct msg_queue * msq, 2442 struct msg_msg * msg, 2443 struct task_struct * target, 2444 long type, int mode) 2445{ 2446 return 0; 2447} 2448 2449static inline int security_shm_alloc (struct shmid_kernel *shp) 2450{ 2451 return 0; 2452} 2453 2454static inline void security_shm_free (struct shmid_kernel *shp) 2455{ } 2456 2457static inline int security_shm_associate (struct shmid_kernel * shp, 2458 int shmflg) 2459{ 2460 return 0; 2461} 2462 2463static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) 2464{ 2465 return 0; 2466} 2467 2468static inline int security_shm_shmat (struct shmid_kernel * shp, 2469 char __user *shmaddr, int shmflg) 2470{ 2471 return 0; 2472} 2473 2474static inline int security_sem_alloc (struct sem_array *sma) 2475{ 2476 return 0; 2477} 2478 2479static inline void security_sem_free (struct sem_array *sma) 2480{ } 2481 2482static inline int security_sem_associate (struct sem_array * sma, int semflg) 2483{ 2484 return 0; 2485} 2486 2487static inline int security_sem_semctl (struct sem_array * sma, int cmd) 2488{ 2489 return 0; 2490} 2491 2492static inline int security_sem_semop (struct sem_array * sma, 2493 struct sembuf * sops, unsigned nsops, 2494 int alter) 2495{ 2496 return 0; 2497} 2498 2499static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) 2500{ } 2501 2502static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) 2503{ 2504 return -EINVAL; 2505} 2506 2507static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 2508{ 2509 return -EINVAL; 2510} 2511 2512static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb) 2513{ 2514 return cap_netlink_send (sk, skb); 2515} 2516 2517static inline int security_netlink_recv (struct sk_buff *skb) 2518{ 2519 return cap_netlink_recv (skb); 2520} 2521 2522#endif /* CONFIG_SECURITY */ 2523 2524#ifdef CONFIG_SECURITY_NETWORK 2525static inline int security_unix_stream_connect(struct socket * sock, 2526 struct socket * other, 2527 struct sock * newsk) 2528{ 2529 return security_ops->unix_stream_connect(sock, other, newsk); 2530} 2531 2532 2533static inline int security_unix_may_send(struct socket * sock, 2534 struct socket * other) 2535{ 2536 return security_ops->unix_may_send(sock, other); 2537} 2538 2539static inline int security_socket_create (int family, int type, 2540 int protocol, int kern) 2541{ 2542 return security_ops->socket_create(family, type, protocol, kern); 2543} 2544 2545static inline void security_socket_post_create(struct socket * sock, 2546 int family, 2547 int type, 2548 int protocol, int kern) 2549{ 2550 security_ops->socket_post_create(sock, family, type, 2551 protocol, kern); 2552} 2553 2554static inline int security_socket_bind(struct socket * sock, 2555 struct sockaddr * address, 2556 int addrlen) 2557{ 2558 return security_ops->socket_bind(sock, address, addrlen); 2559} 2560 2561static inline int security_socket_connect(struct socket * sock, 2562 struct sockaddr * address, 2563 int addrlen) 2564{ 2565 return security_ops->socket_connect(sock, address, addrlen); 2566} 2567 2568static inline int security_socket_listen(struct socket * sock, int backlog) 2569{ 2570 return security_ops->socket_listen(sock, backlog); 2571} 2572 2573static inline int security_socket_accept(struct socket * sock, 2574 struct socket * newsock) 2575{ 2576 return security_ops->socket_accept(sock, newsock); 2577} 2578 2579static inline void security_socket_post_accept(struct socket * sock, 2580 struct socket * newsock) 2581{ 2582 security_ops->socket_post_accept(sock, newsock); 2583} 2584 2585static inline int security_socket_sendmsg(struct socket * sock, 2586 struct msghdr * msg, int size) 2587{ 2588 return security_ops->socket_sendmsg(sock, msg, size); 2589} 2590 2591static inline int security_socket_recvmsg(struct socket * sock, 2592 struct msghdr * msg, int size, 2593 int flags) 2594{ 2595 return security_ops->socket_recvmsg(sock, msg, size, flags); 2596} 2597 2598static inline int security_socket_getsockname(struct socket * sock) 2599{ 2600 return security_ops->socket_getsockname(sock); 2601} 2602 2603static inline int security_socket_getpeername(struct socket * sock) 2604{ 2605 return security_ops->socket_getpeername(sock); 2606} 2607 2608static inline int security_socket_getsockopt(struct socket * sock, 2609 int level, int optname) 2610{ 2611 return security_ops->socket_getsockopt(sock, level, optname); 2612} 2613 2614static inline int security_socket_setsockopt(struct socket * sock, 2615 int level, int optname) 2616{ 2617 return security_ops->socket_setsockopt(sock, level, optname); 2618} 2619 2620static inline int security_socket_shutdown(struct socket * sock, int how) 2621{ 2622 return security_ops->socket_shutdown(sock, how); 2623} 2624 2625static inline int security_sock_rcv_skb (struct sock * sk, 2626 struct sk_buff * skb) 2627{ 2628 return security_ops->socket_sock_rcv_skb (sk, skb); 2629} 2630 2631static inline int security_socket_getpeersec(struct socket *sock, char __user *optval, 2632 int __user *optlen, unsigned len) 2633{ 2634 return security_ops->socket_getpeersec(sock, optval, optlen, len); 2635} 2636 2637static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) 2638{ 2639 return security_ops->sk_alloc_security(sk, family, priority); 2640} 2641 2642static inline void security_sk_free(struct sock *sk) 2643{ 2644 return security_ops->sk_free_security(sk); 2645} 2646#else /* CONFIG_SECURITY_NETWORK */ 2647static inline int security_unix_stream_connect(struct socket * sock, 2648 struct socket * other, 2649 struct sock * newsk) 2650{ 2651 return 0; 2652} 2653 2654static inline int security_unix_may_send(struct socket * sock, 2655 struct socket * other) 2656{ 2657 return 0; 2658} 2659 2660static inline int security_socket_create (int family, int type, 2661 int protocol, int kern) 2662{ 2663 return 0; 2664} 2665 2666static inline void security_socket_post_create(struct socket * sock, 2667 int family, 2668 int type, 2669 int protocol, int kern) 2670{ 2671} 2672 2673static inline int security_socket_bind(struct socket * sock, 2674 struct sockaddr * address, 2675 int addrlen) 2676{ 2677 return 0; 2678} 2679 2680static inline int security_socket_connect(struct socket * sock, 2681 struct sockaddr * address, 2682 int addrlen) 2683{ 2684 return 0; 2685} 2686 2687static inline int security_socket_listen(struct socket * sock, int backlog) 2688{ 2689 return 0; 2690} 2691 2692static inline int security_socket_accept(struct socket * sock, 2693 struct socket * newsock) 2694{ 2695 return 0; 2696} 2697 2698static inline void security_socket_post_accept(struct socket * sock, 2699 struct socket * newsock) 2700{ 2701} 2702 2703static inline int security_socket_sendmsg(struct socket * sock, 2704 struct msghdr * msg, int size) 2705{ 2706 return 0; 2707} 2708 2709static inline int security_socket_recvmsg(struct socket * sock, 2710 struct msghdr * msg, int size, 2711 int flags) 2712{ 2713 return 0; 2714} 2715 2716static inline int security_socket_getsockname(struct socket * sock) 2717{ 2718 return 0; 2719} 2720 2721static inline int security_socket_getpeername(struct socket * sock) 2722{ 2723 return 0; 2724} 2725 2726static inline int security_socket_getsockopt(struct socket * sock, 2727 int level, int optname) 2728{ 2729 return 0; 2730} 2731 2732static inline int security_socket_setsockopt(struct socket * sock, 2733 int level, int optname) 2734{ 2735 return 0; 2736} 2737 2738static inline int security_socket_shutdown(struct socket * sock, int how) 2739{ 2740 return 0; 2741} 2742static inline int security_sock_rcv_skb (struct sock * sk, 2743 struct sk_buff * skb) 2744{ 2745 return 0; 2746} 2747 2748static inline int security_socket_getpeersec(struct socket *sock, char __user *optval, 2749 int __user *optlen, unsigned len) 2750{ 2751 return -ENOPROTOOPT; 2752} 2753 2754static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) 2755{ 2756 return 0; 2757} 2758 2759static inline void security_sk_free(struct sock *sk) 2760{ 2761} 2762#endif /* CONFIG_SECURITY_NETWORK */ 2763 2764#endif /* ! __LINUX_SECURITY_H */ 2765