/*
 * Linux Security plug
 *
 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
 * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
 * Copyright (C) 2001 James Morris <jmorris@intercode.com.au>
 * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
 * Copyright (C) 2016 Mellanox Techonologies
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * Due to this file being licensed under the GPL there is controversy over
 * whether this permits you to write a module that #includes this file
 * without placing your module under the GPL. Please consult a lawyer for
 * advice before doing this.
 *
 */

#ifndef __LINUX_SECURITY_H
#define __LINUX_SECURITY_H

#include <linux/kernel_read_file.h>
#include <linux/key.h>
#include <linux/capability.h>
#include <linux/fs.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/string.h>
#include <linux/mm.h>
#include <linux/sockptr.h>
#include <uapi/linux/lsm.h>

/*
 * Types that the prototypes below only ever name through a pointer;
 * forward-declaring them keeps this header from pulling in their
 * full definitions.
 */
struct linux_binprm;
struct cred;
struct rlimit;
struct kernel_siginfo;
struct sembuf;
struct kern_ipc_perm;
struct audit_context;
struct super_block;
struct inode;
struct dentry;
struct file;
struct vfsmount;
struct path;
struct qstr;
struct iattr;
struct fown_struct;
struct file_operations;
struct msg_msg;
struct xattr;
struct kernfs_node;
struct xfrm_sec_ctx;
struct mm_struct;
struct fs_context;
struct fs_parameter;
enum fs_value_type;
struct watch;
struct watch_notification;
struct lsm_ctx;

/* Option bits for the "opts" argument of cap_capable()/security_capable(). */
/* Default (no) options for the capable function */
#define CAP_OPT_NONE 0x0
/* If capable should skip auditing the security request */
#define CAP_OPT_NOAUDIT BIT(1)
/* If capable is being called by a setid function */
#define CAP_OPT_INSETID BIT(2)

/* LSM Agnostic defines for security_sb_set_mnt_opts() flags */
#define SECURITY_LSM_NATIVE_LABELS 1

struct ctl_table;
struct audit_krule;
struct user_namespace;
struct timezone;

/* Events delivered through the blocking LSM notifier chain. */
enum lsm_event {
	LSM_POLICY_CHANGE,
};

/*
 * These are reasons that can be passed to the security_locked_down()
 * LSM hook. Lockdown reasons that protect kernel integrity (ie, the
 * ability for userland to modify kernel code) are placed before
 * LOCKDOWN_INTEGRITY_MAX. Lockdown reasons that protect kernel
 * confidentiality (ie, the ability for userland to extract
 * information from the running kernel that would otherwise be
 * restricted) are placed before LOCKDOWN_CONFIDENTIALITY_MAX.
 *
 * LSM authors should note that the semantics of any given lockdown
 * reason are not guaranteed to be stable - the same reason may block
 * one set of features in one kernel release, and a slightly different
 * set of features in a later kernel release. LSMs that seek to expose
 * lockdown policy at any level of granularity other than "none",
 * "integrity" or "confidentiality" are responsible for either
 * ensuring that they expose a consistent level of functionality to
 * userland, or ensuring that userland is aware that this is
 * potentially a moving target. It is easy to misuse this information
 * in a way that could break userspace. Please be careful not to do
 * so.
 *
 * If you add to this, remember to extend lockdown_reasons in
 * security/lockdown/lockdown.c.
 */
enum lockdown_reason {
	LOCKDOWN_NONE,
	/* Reasons that protect kernel integrity (ordered before the marker). */
	LOCKDOWN_MODULE_SIGNATURE,
	LOCKDOWN_DEV_MEM,
	LOCKDOWN_EFI_TEST,
	LOCKDOWN_KEXEC,
	LOCKDOWN_HIBERNATION,
	LOCKDOWN_PCI_ACCESS,
	LOCKDOWN_IOPORT,
	LOCKDOWN_MSR,
	LOCKDOWN_ACPI_TABLES,
	LOCKDOWN_DEVICE_TREE,
	LOCKDOWN_PCMCIA_CIS,
	LOCKDOWN_TIOCSSERIAL,
	LOCKDOWN_MODULE_PARAMETERS,
	LOCKDOWN_MMIOTRACE,
	LOCKDOWN_DEBUGFS,
	LOCKDOWN_XMON_WR,
	LOCKDOWN_BPF_WRITE_USER,
	LOCKDOWN_DBG_WRITE_KERNEL,
	LOCKDOWN_RTAS_ERROR_INJECTION,
	/* Boundary marker: everything above protects integrity. */
	LOCKDOWN_INTEGRITY_MAX,
	/* Reasons that protect kernel confidentiality (ordered before the marker). */
	LOCKDOWN_KCORE,
	LOCKDOWN_KPROBES,
	LOCKDOWN_BPF_READ_KERNEL,
	LOCKDOWN_DBG_READ_KERNEL,
	LOCKDOWN_PERF,
	LOCKDOWN_TRACEFS,
	LOCKDOWN_XMON_RW,
	LOCKDOWN_XFRM_SECRET,
	/* Boundary marker: everything above protects confidentiality. */
	LOCKDOWN_CONFIDENTIALITY_MAX,
};

/*
 * One human-readable string per lockdown_reason value, including both
 * boundary markers (hence the +1); defined in security/lockdown/lockdown.c
 * per the note above.
 */
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
/* NOTE(review): presumably the count of active LSMs and their id table — confirm in security/security.c */
extern u32 lsm_active_cnt;
extern const struct lsm_id *lsm_idlist[];

/*
 * These functions are in security/commoncap.c. They are the capability
 * (commoncap) implementations that the !CONFIG_SECURITY stubs further
 * down delegate to, so the capability checks remain in force even when
 * no LSM is built in.
 */
extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
		       int cap, unsigned int opts);
extern int cap_settime(const struct timespec64 *ts, const struct timezone *tz);
extern int cap_ptrace_access_check(struct task_struct *child, unsigned int mode);
extern int cap_ptrace_traceme(struct task_struct *parent);
extern int cap_capget(const struct task_struct *target, kernel_cap_t *effective,
		      kernel_cap_t *inheritable, kernel_cap_t *permitted);
extern int cap_capset(struct cred *new, const struct cred *old,
		      const kernel_cap_t *effective,
		      const kernel_cap_t *inheritable,
		      const kernel_cap_t *permitted);
extern int cap_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file);
int cap_inode_setxattr(struct dentry *dentry, const char *name,
		       const void *value, size_t size, int flags);
int cap_inode_removexattr(struct mnt_idmap *idmap,
			  struct dentry *dentry, const char *name);
int
cap_inode_need_killpriv(struct dentry *dentry);
int cap_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry);
int cap_inode_getsecurity(struct mnt_idmap *idmap,
			  struct inode *inode, const char *name, void **buffer,
			  bool alloc);
extern int cap_mmap_addr(unsigned long addr);
extern int cap_mmap_file(struct file *file, unsigned long reqprot,
			 unsigned long prot, unsigned long flags);
extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
			  unsigned long arg4, unsigned long arg5);
extern int cap_task_setscheduler(struct task_struct *p);
extern int cap_task_setioprio(struct task_struct *p, int ioprio);
extern int cap_task_setnice(struct task_struct *p, int nice);
extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);

/* Networking/IPsec types, again only ever named through a pointer here. */
struct msghdr;
struct sk_buff;
struct sock;
struct sockaddr;
struct socket;
struct flowi_common;
struct dst_entry;
struct xfrm_selector;
struct xfrm_policy;
struct xfrm_state;
struct xfrm_user_sec_ctx;
struct seq_file;
struct sctp_association;

/*
 * Lowest user-mappable address. Without an MMU there is nothing to
 * protect, so both values collapse to 0.
 */
#ifdef CONFIG_MMU
extern unsigned long mmap_min_addr;
extern unsigned long dac_mmap_min_addr;
#else
#define mmap_min_addr		0UL
#define dac_mmap_min_addr	0UL
#endif

/*
 * Values used in the task_security_ops calls
 */
/* setuid or setgid, id0 == uid or gid */
#define LSM_SETID_ID	1

/* setreuid or setregid, id0 == real, id1 == eff */
#define LSM_SETID_RE	2

/* setresuid or setresgid, id0 == real, id1 == eff, uid2 == saved */
#define LSM_SETID_RES	4

/* setfsuid or setfsgid, id0 == fsuid or fsgid */
#define LSM_SETID_FS	8

/* Flags for security_task_prlimit().
 */
#define LSM_PRLIMIT_READ  1
#define LSM_PRLIMIT_WRITE 2

/* forward declares to avoid warnings */
struct sched_param;
struct request_sock;

/* bprm->unsafe reasons */
#define LSM_UNSAFE_SHARE	1
#define LSM_UNSAFE_PTRACE	2
#define LSM_UNSAFE_NO_NEW_PRIVS	4

/* sysctl handler for mmap_min_addr; only meaningful with an MMU. */
#ifdef CONFIG_MMU
extern int mmap_min_addr_handler(struct ctl_table *table, int write,
				 void *buffer, size_t *lenp, loff_t *ppos);
#endif

/* security_inode_init_security callback function to write xattrs */
typedef int (*initxattrs) (struct inode *inode,
			   const struct xattr *xattr_array, void *fs_data);


/*
 * Keep the kernel_load_data_id enum in sync with kernel_read_file_id.
 * Both the enum and the string table are generated from the same
 * __kernel_read_file_id() X-macro, so they cannot drift apart.
 */
#define __data_id_enumify(ENUM, dummy) LOADING_ ## ENUM,
#define __data_id_stringify(dummy, str) #str,

enum kernel_load_data_id {
	__kernel_read_file_id(__data_id_enumify)
};

static const char * const kernel_load_data_str[] = {
	__kernel_read_file_id(__data_id_stringify)
};

/*
 * Return the printable name for a kernel_load_data_id.
 *
 * The cast to unsigned makes negative ids take the out-of-range branch
 * as well, so a bogus id never indexes past the table; such ids map to
 * the LOADING_UNKNOWN string rather than being reported as an error.
 */
static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
{
	if ((unsigned)id >= LOADING_MAX_ID)
		return kernel_load_data_str[LOADING_UNKNOWN];

	return kernel_load_data_str[id];
}

#ifdef CONFIG_SECURITY

/* Blocking notifier chain carrying enum lsm_event notifications. */
int call_blocking_lsm_notifier(enum lsm_event event, void *data);
int register_blocking_lsm_notifier(struct notifier_block *nb);
int unregister_blocking_lsm_notifier(struct notifier_block *nb);

/* prototypes */
extern int security_init(void);
extern int early_security_init(void);
extern u64 lsm_name_to_attr(const char *name);

/*
 * Security operations. Each security_*() entry point is the hook called
 * from core kernel code; the real implementations live in
 * security/security.c and dispatch to the loaded LSMs.
 */
int security_binder_set_context_mgr(const struct cred *mgr);
int security_binder_transaction(const struct cred *from,
				const struct cred *to);
int security_binder_transfer_binder(const struct cred *from,
				    const struct cred *to);
int security_binder_transfer_file(const struct cred *from,
				  const struct cred *to,
				  const struct file *file);
int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
int security_ptrace_traceme(struct task_struct *parent);
int security_capget(const struct task_struct *target,
		    kernel_cap_t *effective,
		    kernel_cap_t *inheritable,
		    kernel_cap_t *permitted);
int security_capset(struct cred *new, const struct cred *old,
		    const kernel_cap_t *effective,
		    const kernel_cap_t *inheritable,
		    const kernel_cap_t *permitted);
int security_capable(const struct cred *cred,
		     struct user_namespace *ns,
		     int cap,
		     unsigned int opts);
int security_quotactl(int cmds, int type, int id, const struct super_block *sb);
int security_quota_on(struct dentry *dentry);
int security_syslog(int type);
int security_settime64(const struct timespec64 *ts, const struct timezone *tz);
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
int security_bprm_creds_for_exec(struct linux_binprm *bprm);
int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file);
int security_bprm_check(struct linux_binprm *bprm);
void security_bprm_committing_creds(const struct linux_binprm *bprm);
void security_bprm_committed_creds(const struct linux_binprm *bprm);
int security_fs_context_submount(struct fs_context *fc, struct super_block *reference);
int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc);
int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param);
int security_sb_alloc(struct super_block *sb);
void security_sb_delete(struct super_block *sb);
void security_sb_free(struct super_block *sb);
void security_free_mnt_opts(void **mnt_opts);
int security_sb_eat_lsm_opts(char *options, void **mnt_opts);
int security_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts);
int security_sb_remount(struct super_block *sb, void *mnt_opts);
int security_sb_kern_mount(const struct super_block *sb);
int security_sb_show_options(struct seq_file *m, struct super_block *sb);
int security_sb_statfs(struct dentry *dentry);
int security_sb_mount(const char *dev_name, const struct path *path,
		      const char *type, unsigned long flags, void *data);
int security_sb_umount(struct vfsmount *mnt, int flags);
int security_sb_pivotroot(const struct path *old_path, const struct path *new_path);
int security_sb_set_mnt_opts(struct super_block *sb,
				void *mnt_opts,
				unsigned long kern_flags,
				unsigned long *set_kern_flags);
int security_sb_clone_mnt_opts(const struct super_block *oldsb,
				struct super_block *newsb,
				unsigned long kern_flags,
				unsigned long *set_kern_flags);
int security_move_mount(const struct path *from_path, const struct path *to_path);
int security_dentry_init_security(struct dentry *dentry, int mode,
				  const struct qstr *name,
				  const char **xattr_name, void **ctx,
				  u32 *ctxlen);
int security_dentry_create_files_as(struct dentry *dentry, int mode,
				    struct qstr *name,
				    const struct cred *old,
				    struct cred *new);
int security_path_notify(const struct path *path, u64 mask,
			 unsigned int obj_type);
int security_inode_alloc(struct inode *inode);
void security_inode_free(struct inode *inode);
int security_inode_init_security(struct inode *inode, struct inode *dir,
				 const struct qstr *qstr,
				 initxattrs initxattrs, void *fs_data);
int security_inode_init_security_anon(struct inode *inode,
				      const struct qstr *name,
				      const struct inode *context_inode);
int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode);
int security_inode_link(struct dentry *old_dentry, struct inode *dir,
			struct dentry *new_dentry);
int security_inode_unlink(struct inode *dir, struct dentry *dentry);
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
			   const char *old_name);
int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode);
int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev);
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
			  struct inode *new_dir, struct dentry *new_dentry,
			  unsigned int flags);
int security_inode_readlink(struct dentry *dentry);
int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
			       bool rcu);
int security_inode_permission(struct inode *inode, int mask);
int security_inode_setattr(struct mnt_idmap *idmap,
			   struct dentry *dentry, struct iattr *attr);
int security_inode_getattr(const struct path *path);
int security_inode_setxattr(struct mnt_idmap *idmap,
			    struct dentry *dentry, const char *name,
			    const void *value, size_t size, int flags);
int security_inode_set_acl(struct mnt_idmap *idmap,
			   struct dentry *dentry, const char *acl_name,
			   struct posix_acl *kacl);
int security_inode_get_acl(struct mnt_idmap *idmap,
			   struct dentry *dentry, const char *acl_name);
int security_inode_remove_acl(struct mnt_idmap *idmap,
			      struct dentry *dentry, const char *acl_name);
void security_inode_post_setxattr(struct dentry *dentry, const char *name,
				  const void *value, size_t size, int flags);
int security_inode_getxattr(struct dentry *dentry, const char *name);
int security_inode_listxattr(struct dentry *dentry);
int security_inode_removexattr(struct mnt_idmap *idmap,
			       struct dentry *dentry, const char *name);
int security_inode_need_killpriv(struct dentry *dentry);
int security_inode_killpriv(struct mnt_idmap *idmap, struct dentry *dentry);
int security_inode_getsecurity(struct mnt_idmap *idmap,
			       struct inode *inode, const char *name,
			       void **buffer, bool alloc);
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
void security_inode_getsecid(struct inode *inode, u32 *secid);
int security_inode_copy_up(struct dentry *src, struct cred **new);
int security_inode_copy_up_xattr(const char *name);
int security_kernfs_init_security(struct kernfs_node *kn_dir,
				  struct kernfs_node *kn);
int security_file_permission(struct file *file, int mask);
int security_file_alloc(struct file *file);
void security_file_free(struct file *file);
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
int security_file_ioctl_compat(struct file *file, unsigned int cmd,
			       unsigned long arg);
int security_mmap_file(struct file *file, unsigned long prot,
			unsigned long flags);
int security_mmap_addr(unsigned long addr);
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
			   unsigned long prot);
int security_file_lock(struct file *file, unsigned int cmd);
int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg);
void security_file_set_fowner(struct file *file);
int security_file_send_sigiotask(struct task_struct *tsk,
				 struct fown_struct *fown, int sig);
int security_file_receive(struct file *file);
int security_file_open(struct file *file);
int security_file_truncate(struct file *file);
int security_task_alloc(struct task_struct *task, unsigned long clone_flags);
void security_task_free(struct task_struct *task);
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
void security_cred_free(struct cred *cred);
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
void security_transfer_creds(struct cred *new, const struct cred *old);
void security_cred_getsecid(const struct cred *c, u32 *secid);
int security_kernel_act_as(struct cred *new, u32 secid);
int security_kernel_create_files_as(struct cred *new, struct inode *inode);
int security_kernel_module_request(char *kmod_name);
int security_kernel_load_data(enum kernel_load_data_id id, bool contents);
int security_kernel_post_load_data(char *buf, loff_t size,
				   enum kernel_load_data_id id,
				   char *description);
int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,
			      bool contents);
int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
				   enum kernel_read_file_id id);
int security_task_fix_setuid(struct cred *new, const struct cred *old,
			     int flags);
int security_task_fix_setgid(struct cred *new, const struct cred *old,
			     int flags);
int security_task_fix_setgroups(struct cred *new, const struct cred *old);
int security_task_setpgid(struct task_struct *p, pid_t pgid);
int security_task_getpgid(struct task_struct *p);
int security_task_getsid(struct task_struct *p);
void security_current_getsecid_subj(u32 *secid);
void security_task_getsecid_obj(struct task_struct *p, u32 *secid);
int security_task_setnice(struct task_struct *p, int nice);
int security_task_setioprio(struct task_struct *p, int ioprio);
int security_task_getioprio(struct task_struct *p);
int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
			  unsigned int flags);
int security_task_setrlimit(struct task_struct *p, unsigned int resource,
			    struct rlimit *new_rlim);
int security_task_setscheduler(struct task_struct *p);
int security_task_getscheduler(struct task_struct *p);
int security_task_movememory(struct task_struct *p);
int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,
		       int sig, const struct cred *cred);
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
			unsigned long arg4, unsigned long arg5);
void security_task_to_inode(struct task_struct *p, struct inode *inode);
int security_create_user_ns(const struct cred *cred);
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
int security_msg_msg_alloc(struct msg_msg *msg);
void security_msg_msg_free(struct msg_msg *msg);
int security_msg_queue_alloc(struct kern_ipc_perm *msq);
void security_msg_queue_free(struct kern_ipc_perm *msq);
int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg);
int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd);
int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,
			      struct msg_msg *msg, int msqflg);
int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
			      struct task_struct *target, long type, int mode);
int security_shm_alloc(struct kern_ipc_perm *shp);
void security_shm_free(struct kern_ipc_perm *shp);
int security_shm_associate(struct kern_ipc_perm *shp, int shmflg);
int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd);
int security_shm_shmat(struct kern_ipc_perm *shp, char __user *shmaddr, int shmflg);
int security_sem_alloc(struct kern_ipc_perm *sma);
void security_sem_free(struct kern_ipc_perm *sma);
int security_sem_associate(struct kern_ipc_perm *sma, int semflg);
int security_sem_semctl(struct kern_ipc_perm *sma, int cmd);
int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
			unsigned nsops, int alter);
void security_d_instantiate(struct dentry *dentry, struct inode *inode);
/*
 * The *selfattr() and lsm_fill_user_ctx() entry points take __user
 * pointers straight from the lsm_get_self_attr()/lsm_set_self_attr()
 * syscalls; implementations must copy them in/out, never dereference.
 */
int security_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
			 size_t __user *size, u32 flags);
int security_setselfattr(unsigned int attr, struct lsm_ctx __user *ctx,
			 size_t size, u32 flags);
int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
			 char **value);
int security_setprocattr(int lsmid, const char *name, void *value, size_t size);
int security_netlink_send(struct sock *sk, struct sk_buff *skb);
int security_ismaclabel(const char *name);
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
void security_release_secctx(char *secdata, u32 seclen);
void security_inode_invalidate_secctx(struct inode *inode);
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
int security_locked_down(enum lockdown_reason what);
int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, size_t *uctx_len,
		      void *val, size_t val_len, u64 id, u64 flags);
#else /* CONFIG_SECURITY */

/* No notifier chain exists without CONFIG_SECURITY; all three report success. */
static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
{
	return 0;
}

static inline int register_blocking_lsm_notifier(struct notifier_block *nb)
{
	return 0;
}

static inline int unregister_blocking_lsm_notifier(struct notifier_block *nb)
{
	return 0;
}

/* No LSM is present, so no attribute name can be resolved. */
static inline u64 lsm_name_to_attr(const char *name)
{
	return LSM_ATTR_UNDEF;
}

static inline void security_free_mnt_opts(void **mnt_opts)
{
}

/*
 * This is the default capabilities functionality. Most of these functions
 * are just stubbed out, but a few must call the proper capable code.
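 */

/*
 * Stub conventions for the !CONFIG_SECURITY build:
 *  - a stub that returns 0 permits the operation unconditionally;
 *  - a stub that calls a cap_*() helper keeps the commoncap capability
 *    checks in force (the helpers are declared near the top of this file);
 *  - a few stubs report -EOPNOTSUPP or -ENOPARAM instead of 0.
 * Stub signatures must match the CONFIG_SECURITY prototypes above so a
 * caller compiles identically in both configurations.
 */

static inline int security_init(void)
{
	return 0;
}

static inline int early_security_init(void)
{
	return 0;
}

static inline int security_binder_set_context_mgr(const struct cred *mgr)
{
	return 0;
}

static inline int security_binder_transaction(const struct cred *from,
					      const struct cred *to)
{
	return 0;
}

static inline int security_binder_transfer_binder(const struct cred *from,
						  const struct cred *to)
{
	return 0;
}

static inline int security_binder_transfer_file(const struct cred *from,
						const struct cred *to,
						const struct file *file)
{
	return 0;
}

/* ptrace access is still gated by the capability rules in commoncap. */
static inline int security_ptrace_access_check(struct task_struct *child,
					       unsigned int mode)
{
	return cap_ptrace_access_check(child, mode);
}

static inline int security_ptrace_traceme(struct task_struct *parent)
{
	return cap_ptrace_traceme(parent);
}

/* capget/capset/capable are the capability model itself; never stub these out. */
static inline int security_capget(const struct task_struct *target,
				  kernel_cap_t *effective,
				  kernel_cap_t *inheritable,
				  kernel_cap_t *permitted)
{
	return cap_capget(target, effective, inheritable, permitted);
}

static inline int security_capset(struct cred *new,
				  const struct cred *old,
				  const kernel_cap_t *effective,
				  const kernel_cap_t *inheritable,
				  const kernel_cap_t *permitted)
{
	return cap_capset(new, old, effective, inheritable, permitted);
}

static inline int security_capable(const struct cred *cred,
				   struct user_namespace *ns,
				   int cap,
				   unsigned int opts)
{
	return cap_capable(cred, ns, cap, opts);
}

static inline int security_quotactl(int cmds, int type, int id,
				    const struct super_block *sb)
{
	return 0;
}

static inline int security_quota_on(struct dentry *dentry)
{
	return 0;
}

static inline int security_syslog(int type)
{
	return 0;
}

static inline int security_settime64(const struct timespec64 *ts,
				     const struct timezone *tz)
{
	return cap_settime(ts, tz);
}

/*
 * Overcommit accounting: cap_vm_enough_memory() supplies the third
 * argument that __vm_enough_memory() uses for the privileged case.
 */
static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{
	return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pages));
}

static inline int security_bprm_creds_for_exec(struct linux_binprm *bprm)
{
	return 0;
}

/* setuid/setgid and file-capability handling for exec lives in commoncap. */
static inline int security_bprm_creds_from_file(struct linux_binprm *bprm,
						const struct file *file)
{
	return cap_bprm_creds_from_file(bprm, file);
}

static inline int security_bprm_check(struct linux_binprm *bprm)
{
	return 0;
}

static inline void security_bprm_committing_creds(const struct linux_binprm *bprm)
{
}

static inline void security_bprm_committed_creds(const struct linux_binprm *bprm)
{
}

static inline int security_fs_context_submount(struct fs_context *fc,
					       struct super_block *reference)
{
	return 0;
}

static inline int security_fs_context_dup(struct fs_context *fc,
					  struct fs_context *src_fc)
{
	return 0;
}

/* No LSM consumes mount parameters, so every parameter is "not ours". */
static inline int security_fs_context_parse_param(struct fs_context *fc,
						  struct fs_parameter *param)
{
	return -ENOPARAM;
}

static inline int security_sb_alloc(struct super_block *sb)
{
	return 0;
}

static inline void security_sb_delete(struct super_block *sb)
{ }

static inline void security_sb_free(struct super_block *sb)
{ }

static inline int security_sb_eat_lsm_opts(char *options,
					   void **mnt_opts)
{
	return 0;
}

static inline int security_sb_remount(struct super_block *sb,
				      void *mnt_opts)
{
	return 0;
}

static inline int security_sb_mnt_opts_compat(struct super_block *sb,
					      void *mnt_opts)
{
	return 0;
}

/* const-qualified to match the CONFIG_SECURITY prototype of this hook. */
static inline int security_sb_kern_mount(const struct super_block *sb)
{
	return 0;
}

static inline int security_sb_show_options(struct seq_file *m,
					   struct super_block *sb)
{
	return 0;
}

static inline int security_sb_statfs(struct dentry *dentry)
{
	return 0;
}

static inline int security_sb_mount(const char *dev_name, const struct path *path,
				    const char *type, unsigned long flags,
				    void *data)
{
	return 0;
}

static inline int security_sb_umount(struct vfsmount *mnt, int flags)
{
	return 0;
}

static inline int security_sb_pivotroot(const struct path *old_path,
					const struct path *new_path)
{
	return 0;
}

static inline int security_sb_set_mnt_opts(struct super_block *sb,
					   void *mnt_opts,
					   unsigned long kern_flags,
					   unsigned long *set_kern_flags)
{
	return 0;
}

static inline int security_sb_clone_mnt_opts(const struct super_block *oldsb,
					     struct super_block *newsb,
					     unsigned long kern_flags,
					     unsigned long *set_kern_flags)
{
	return 0;
}

static inline int security_move_mount(const struct path *from_path,
				      const struct path *to_path)
{
	return 0;
}

static inline int security_path_notify(const struct path *path, u64 mask,
				       unsigned int obj_type)
{
	return 0;
}

static inline int security_inode_alloc(struct inode *inode)
{
	return 0;
}

static inline void security_inode_free(struct inode *inode)
{ }

/* No LSM can supply a label, so callers see "not supported", not an empty one. */
static inline int security_dentry_init_security(struct dentry *dentry,
						int mode,
						const struct qstr *name,
						const char **xattr_name,
						void **ctx,
						u32 *ctxlen)
{
	return -EOPNOTSUPP;
}

static inline int security_dentry_create_files_as(struct dentry *dentry,
						  int mode, struct qstr *name,
						  const struct cred *old,
						  struct cred *new)
{
	return 0;
}

static inline int security_inode_init_security(struct inode *inode,
					       struct inode *dir,
					       const struct qstr *qstr,
					       const initxattrs xattrs,
					       void *fs_data)
{
	return 0;
}

static inline int security_inode_init_security_anon(struct inode *inode,
						    const struct qstr *name,
						    const struct inode *context_inode)
{
	return 0;
}

static inline int security_inode_create(struct inode *dir,
					struct dentry *dentry,
					umode_t mode)
{
	return 0;
}

static inline int security_inode_link(struct dentry *old_dentry,
				      struct inode *dir,
				      struct dentry *new_dentry)
{
	return 0;
}

static inline int security_inode_unlink(struct inode *dir,
					struct dentry *dentry)
{
	return 0;
}

static inline int security_inode_symlink(struct inode *dir,
					 struct dentry *dentry,
					 const char *old_name)
{
	return 0;
}

/* mode is umode_t to match the CONFIG_SECURITY prototype of this hook. */
static inline int security_inode_mkdir(struct inode *dir,
				       struct dentry *dentry,
				       umode_t mode)
{
	return 0;
}

static inline int security_inode_rmdir(struct inode *dir,
				       struct dentry *dentry)
{
	return 0;
}

/* mode is umode_t to match the CONFIG_SECURITY prototype of this hook. */
static inline int security_inode_mknod(struct inode *dir,
				       struct dentry *dentry,
				       umode_t mode, dev_t dev)
{
	return 0;
}

static inline int security_inode_rename(struct inode *old_dir,
					struct dentry *old_dentry,
					struct inode *new_dir,
					struct dentry *new_dentry,
					unsigned int flags)
{
	return 0;
}

static inline int security_inode_readlink(struct dentry *dentry)
{
	return 0;
}

static inline int security_inode_follow_link(struct dentry *dentry,
					     struct inode *inode,
					     bool rcu)
{
	return 0;
}

static inline int security_inode_permission(struct inode *inode, int mask)
{
	return 0;
}

static inline int security_inode_setattr(struct mnt_idmap *idmap,
					 struct dentry *dentry,
					 struct iattr *attr)
{
	return 0;
}

static inline int security_inode_getattr(const struct path *path)
{
	return 0;
}

/*
 * xattr writes and removals still go through commoncap so that the
 * security.capability xattr (file capabilities) stays protected; the
 * idmap argument is not needed for the setxattr check.
 */
static inline int security_inode_setxattr(struct mnt_idmap *idmap,
					  struct dentry *dentry, const char *name,
					  const void *value, size_t size, int flags)
{
	return cap_inode_setxattr(dentry, name, value, size, flags);
}

static inline int security_inode_set_acl(struct mnt_idmap *idmap,
					 struct dentry *dentry,
					 const char *acl_name,
					 struct posix_acl *kacl)
{
	return 0;
}

static inline int security_inode_get_acl(struct mnt_idmap *idmap,
					 struct dentry *dentry,
					 const char *acl_name)
{
	return 0;
}

static inline int security_inode_remove_acl(struct mnt_idmap *idmap,
					    struct dentry *dentry,
					    const char *acl_name)
{
	return 0;
}

static inline void security_inode_post_setxattr(struct dentry *dentry,
						const char *name,
						const void *value,
						size_t size, int flags)
{ }

static inline int security_inode_getxattr(struct dentry *dentry,
					  const char *name)
{
	return 0;
}

static inline int security_inode_listxattr(struct dentry *dentry)
{
	return 0;
}

static inline int security_inode_removexattr(struct mnt_idmap *idmap,
					     struct dentry *dentry,
					     const char *name)
{
	return cap_inode_removexattr(idmap, dentry, name);
}

/* Privilege (file-capability) stripping on write is a commoncap decision. */
static inline int security_inode_need_killpriv(struct dentry *dentry)
{
	return cap_inode_need_killpriv(dentry);
}

static inline int security_inode_killpriv(struct mnt_idmap *idmap,
					  struct dentry *dentry)
{
	return cap_inode_killpriv(idmap, dentry);
}

static inline int security_inode_getsecurity(struct mnt_idmap *idmap,
					     struct inode *inode,
					     const char *name, void **buffer,
					     bool alloc)
{
	return cap_inode_getsecurity(idmap, inode, name, buffer, alloc);
}

static inline int security_inode_setsecurity(struct inode *inode,
					     const char *name,
					     const void *value, size_t size,
					     int flags)
{
	return -EOPNOTSUPP;
}

static inline int security_inode_listsecurity(struct inode *inode,
					      char *buffer,
					      size_t buffer_size)
{
	return 0;
}

/* Without an LSM every inode carries secid 0. */
static inline void security_inode_getsecid(struct inode *inode, u32 *secid)
{
	*secid = 0;
}

static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
{
	return 0;
}

static inline int security_kernfs_init_security(struct kernfs_node *kn_dir,
						struct kernfs_node *kn)
{
	return 0;
}

static inline int security_inode_copy_up_xattr(const char *name)
{
	return -EOPNOTSUPP;
}

static inline int security_file_permission(struct file *file, int mask)
{
	return 0;
}

static inline int security_file_alloc(struct file *file)
{
	return 0;
}

static inline void security_file_free(struct file *file)
{ }

static inline int security_file_ioctl(struct file *file, unsigned int cmd,
				      unsigned long arg)
{
	return 0;
}

static inline int security_file_ioctl_compat(struct file *file,
					     unsigned int cmd,
					     unsigned long arg)
{
	return 0;
}

static inline int security_mmap_file(struct file *file, unsigned long prot,
				     unsigned long flags)
{
	return 0;
}

/* Low-address mapping restriction (mmap_min_addr) is enforced by commoncap. */
static inline int security_mmap_addr(unsigned long addr)
{
	return cap_mmap_addr(addr);
}

static inline int security_file_mprotect(struct vm_area_struct *vma,
					 unsigned long reqprot,
					 unsigned long prot)
{
	return 0;
}

static inline int security_file_lock(struct file *file, unsigned int cmd)
{
	return 0;
}

static inline int security_file_fcntl(struct file *file, unsigned int cmd,
				      unsigned long arg)
{
	return 0;
}

static inline void security_file_set_fowner(struct file *file)
{
}

static inline int security_file_send_sigiotask(struct task_struct *tsk,
					       struct fown_struct *fown,
					       int sig)
{
	return 0;
}

static inline int security_file_receive(struct file *file)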
1056{ 1057 return 0; 1058} 1059 1060static inline int security_file_open(struct file *file) 1061{ 1062 return 0; 1063} 1064 1065static inline int security_file_truncate(struct file *file) 1066{ 1067 return 0; 1068} 1069 1070static inline int security_task_alloc(struct task_struct *task, 1071 unsigned long clone_flags) 1072{ 1073 return 0; 1074} 1075 1076static inline void security_task_free(struct task_struct *task) 1077{ } 1078 1079static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) 1080{ 1081 return 0; 1082} 1083 1084static inline void security_cred_free(struct cred *cred) 1085{ } 1086 1087static inline int security_prepare_creds(struct cred *new, 1088 const struct cred *old, 1089 gfp_t gfp) 1090{ 1091 return 0; 1092} 1093 1094static inline void security_transfer_creds(struct cred *new, 1095 const struct cred *old) 1096{ 1097} 1098 1099static inline void security_cred_getsecid(const struct cred *c, u32 *secid) 1100{ 1101 *secid = 0; 1102} 1103 1104static inline int security_kernel_act_as(struct cred *cred, u32 secid) 1105{ 1106 return 0; 1107} 1108 1109static inline int security_kernel_create_files_as(struct cred *cred, 1110 struct inode *inode) 1111{ 1112 return 0; 1113} 1114 1115static inline int security_kernel_module_request(char *kmod_name) 1116{ 1117 return 0; 1118} 1119 1120static inline int security_kernel_load_data(enum kernel_load_data_id id, bool contents) 1121{ 1122 return 0; 1123} 1124 1125static inline int security_kernel_post_load_data(char *buf, loff_t size, 1126 enum kernel_load_data_id id, 1127 char *description) 1128{ 1129 return 0; 1130} 1131 1132static inline int security_kernel_read_file(struct file *file, 1133 enum kernel_read_file_id id, 1134 bool contents) 1135{ 1136 return 0; 1137} 1138 1139static inline int security_kernel_post_read_file(struct file *file, 1140 char *buf, loff_t size, 1141 enum kernel_read_file_id id) 1142{ 1143 return 0; 1144} 1145 1146static inline int security_task_fix_setuid(struct cred *new, 
1147 const struct cred *old, 1148 int flags) 1149{ 1150 return cap_task_fix_setuid(new, old, flags); 1151} 1152 1153static inline int security_task_fix_setgid(struct cred *new, 1154 const struct cred *old, 1155 int flags) 1156{ 1157 return 0; 1158} 1159 1160static inline int security_task_fix_setgroups(struct cred *new, 1161 const struct cred *old) 1162{ 1163 return 0; 1164} 1165 1166static inline int security_task_setpgid(struct task_struct *p, pid_t pgid) 1167{ 1168 return 0; 1169} 1170 1171static inline int security_task_getpgid(struct task_struct *p) 1172{ 1173 return 0; 1174} 1175 1176static inline int security_task_getsid(struct task_struct *p) 1177{ 1178 return 0; 1179} 1180 1181static inline void security_current_getsecid_subj(u32 *secid) 1182{ 1183 *secid = 0; 1184} 1185 1186static inline void security_task_getsecid_obj(struct task_struct *p, u32 *secid) 1187{ 1188 *secid = 0; 1189} 1190 1191static inline int security_task_setnice(struct task_struct *p, int nice) 1192{ 1193 return cap_task_setnice(p, nice); 1194} 1195 1196static inline int security_task_setioprio(struct task_struct *p, int ioprio) 1197{ 1198 return cap_task_setioprio(p, ioprio); 1199} 1200 1201static inline int security_task_getioprio(struct task_struct *p) 1202{ 1203 return 0; 1204} 1205 1206static inline int security_task_prlimit(const struct cred *cred, 1207 const struct cred *tcred, 1208 unsigned int flags) 1209{ 1210 return 0; 1211} 1212 1213static inline int security_task_setrlimit(struct task_struct *p, 1214 unsigned int resource, 1215 struct rlimit *new_rlim) 1216{ 1217 return 0; 1218} 1219 1220static inline int security_task_setscheduler(struct task_struct *p) 1221{ 1222 return cap_task_setscheduler(p); 1223} 1224 1225static inline int security_task_getscheduler(struct task_struct *p) 1226{ 1227 return 0; 1228} 1229 1230static inline int security_task_movememory(struct task_struct *p) 1231{ 1232 return 0; 1233} 1234 1235static inline int security_task_kill(struct task_struct *p, 
1236 struct kernel_siginfo *info, int sig, 1237 const struct cred *cred) 1238{ 1239 return 0; 1240} 1241 1242static inline int security_task_prctl(int option, unsigned long arg2, 1243 unsigned long arg3, 1244 unsigned long arg4, 1245 unsigned long arg5) 1246{ 1247 return cap_task_prctl(option, arg2, arg3, arg4, arg5); 1248} 1249 1250static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 1251{ } 1252 1253static inline int security_create_user_ns(const struct cred *cred) 1254{ 1255 return 0; 1256} 1257 1258static inline int security_ipc_permission(struct kern_ipc_perm *ipcp, 1259 short flag) 1260{ 1261 return 0; 1262} 1263 1264static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 1265{ 1266 *secid = 0; 1267} 1268 1269static inline int security_msg_msg_alloc(struct msg_msg *msg) 1270{ 1271 return 0; 1272} 1273 1274static inline void security_msg_msg_free(struct msg_msg *msg) 1275{ } 1276 1277static inline int security_msg_queue_alloc(struct kern_ipc_perm *msq) 1278{ 1279 return 0; 1280} 1281 1282static inline void security_msg_queue_free(struct kern_ipc_perm *msq) 1283{ } 1284 1285static inline int security_msg_queue_associate(struct kern_ipc_perm *msq, 1286 int msqflg) 1287{ 1288 return 0; 1289} 1290 1291static inline int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) 1292{ 1293 return 0; 1294} 1295 1296static inline int security_msg_queue_msgsnd(struct kern_ipc_perm *msq, 1297 struct msg_msg *msg, int msqflg) 1298{ 1299 return 0; 1300} 1301 1302static inline int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, 1303 struct msg_msg *msg, 1304 struct task_struct *target, 1305 long type, int mode) 1306{ 1307 return 0; 1308} 1309 1310static inline int security_shm_alloc(struct kern_ipc_perm *shp) 1311{ 1312 return 0; 1313} 1314 1315static inline void security_shm_free(struct kern_ipc_perm *shp) 1316{ } 1317 1318static inline int security_shm_associate(struct kern_ipc_perm *shp, 1319 int shmflg) 
1320{ 1321 return 0; 1322} 1323 1324static inline int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd) 1325{ 1326 return 0; 1327} 1328 1329static inline int security_shm_shmat(struct kern_ipc_perm *shp, 1330 char __user *shmaddr, int shmflg) 1331{ 1332 return 0; 1333} 1334 1335static inline int security_sem_alloc(struct kern_ipc_perm *sma) 1336{ 1337 return 0; 1338} 1339 1340static inline void security_sem_free(struct kern_ipc_perm *sma) 1341{ } 1342 1343static inline int security_sem_associate(struct kern_ipc_perm *sma, int semflg) 1344{ 1345 return 0; 1346} 1347 1348static inline int security_sem_semctl(struct kern_ipc_perm *sma, int cmd) 1349{ 1350 return 0; 1351} 1352 1353static inline int security_sem_semop(struct kern_ipc_perm *sma, 1354 struct sembuf *sops, unsigned nsops, 1355 int alter) 1356{ 1357 return 0; 1358} 1359 1360static inline void security_d_instantiate(struct dentry *dentry, 1361 struct inode *inode) 1362{ } 1363 1364static inline int security_getselfattr(unsigned int attr, 1365 struct lsm_ctx __user *ctx, 1366 size_t __user *size, u32 flags) 1367{ 1368 return -EOPNOTSUPP; 1369} 1370 1371static inline int security_setselfattr(unsigned int attr, 1372 struct lsm_ctx __user *ctx, 1373 size_t size, u32 flags) 1374{ 1375 return -EOPNOTSUPP; 1376} 1377 1378static inline int security_getprocattr(struct task_struct *p, int lsmid, 1379 const char *name, char **value) 1380{ 1381 return -EINVAL; 1382} 1383 1384static inline int security_setprocattr(int lsmid, char *name, void *value, 1385 size_t size) 1386{ 1387 return -EINVAL; 1388} 1389 1390static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb) 1391{ 1392 return 0; 1393} 1394 1395static inline int security_ismaclabel(const char *name) 1396{ 1397 return 0; 1398} 1399 1400static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 1401{ 1402 return -EOPNOTSUPP; 1403} 1404 1405static inline int security_secctx_to_secid(const char *secdata, 1406 u32 
seclen, 1407 u32 *secid) 1408{ 1409 return -EOPNOTSUPP; 1410} 1411 1412static inline void security_release_secctx(char *secdata, u32 seclen) 1413{ 1414} 1415 1416static inline void security_inode_invalidate_secctx(struct inode *inode) 1417{ 1418} 1419 1420static inline int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 1421{ 1422 return -EOPNOTSUPP; 1423} 1424static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 1425{ 1426 return -EOPNOTSUPP; 1427} 1428static inline int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 1429{ 1430 return -EOPNOTSUPP; 1431} 1432static inline int security_locked_down(enum lockdown_reason what) 1433{ 1434 return 0; 1435} 1436static inline int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, 1437 size_t *uctx_len, void *val, size_t val_len, 1438 u64 id, u64 flags) 1439{ 1440 return -EOPNOTSUPP; 1441} 1442#endif /* CONFIG_SECURITY */ 1443 1444#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) 1445int security_post_notification(const struct cred *w_cred, 1446 const struct cred *cred, 1447 struct watch_notification *n); 1448#else 1449static inline int security_post_notification(const struct cred *w_cred, 1450 const struct cred *cred, 1451 struct watch_notification *n) 1452{ 1453 return 0; 1454} 1455#endif 1456 1457#if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS) 1458int security_watch_key(struct key *key); 1459#else 1460static inline int security_watch_key(struct key *key) 1461{ 1462 return 0; 1463} 1464#endif 1465 1466#ifdef CONFIG_SECURITY_NETWORK 1467 1468int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk); 1469int security_unix_may_send(struct socket *sock, struct socket *other); 1470int security_socket_create(int family, int type, int protocol, int kern); 1471int security_socket_post_create(struct socket *sock, int family, 1472 int type, int protocol, int kern); 1473int 
security_socket_socketpair(struct socket *socka, struct socket *sockb); 1474int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen); 1475int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen); 1476int security_socket_listen(struct socket *sock, int backlog); 1477int security_socket_accept(struct socket *sock, struct socket *newsock); 1478int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size); 1479int security_socket_recvmsg(struct socket *sock, struct msghdr *msg, 1480 int size, int flags); 1481int security_socket_getsockname(struct socket *sock); 1482int security_socket_getpeername(struct socket *sock); 1483int security_socket_getsockopt(struct socket *sock, int level, int optname); 1484int security_socket_setsockopt(struct socket *sock, int level, int optname); 1485int security_socket_shutdown(struct socket *sock, int how); 1486int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb); 1487int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval, 1488 sockptr_t optlen, unsigned int len); 1489int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid); 1490int security_sk_alloc(struct sock *sk, int family, gfp_t priority); 1491void security_sk_free(struct sock *sk); 1492void security_sk_clone(const struct sock *sk, struct sock *newsk); 1493void security_sk_classify_flow(const struct sock *sk, 1494 struct flowi_common *flic); 1495void security_req_classify_flow(const struct request_sock *req, 1496 struct flowi_common *flic); 1497void security_sock_graft(struct sock*sk, struct socket *parent); 1498int security_inet_conn_request(const struct sock *sk, 1499 struct sk_buff *skb, struct request_sock *req); 1500void security_inet_csk_clone(struct sock *newsk, 1501 const struct request_sock *req); 1502void security_inet_conn_established(struct sock *sk, 1503 struct sk_buff *skb); 1504int security_secmark_relabel_packet(u32 secid); 
void security_secmark_refcount_inc(void);
void security_secmark_refcount_dec(void);
int security_tun_dev_alloc_security(void **security);
void security_tun_dev_free_security(void *security);
int security_tun_dev_create(void);
int security_tun_dev_attach_queue(void *security);
int security_tun_dev_attach(struct sock *sk, void *security);
int security_tun_dev_open(void *security);
int security_sctp_assoc_request(struct sctp_association *asoc, struct sk_buff *skb);
int security_sctp_bind_connect(struct sock *sk, int optname,
			       struct sockaddr *address, int addrlen);
void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
			    struct sock *newsk);
int security_sctp_assoc_established(struct sctp_association *asoc,
				    struct sk_buff *skb);
int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk);

#else	/* CONFIG_SECURITY_NETWORK */

/*
 * CONFIG_SECURITY_NETWORK=n stubs.  Every networking decision hook
 * returns 0 (nothing objects) and every bookkeeping hook is a no-op.
 * The two exceptions are the getpeersec hooks, which fail with
 * -ENOPROTOOPT because there is no peer label to report.
 */
static inline int security_unix_stream_connect(struct sock *sock,
					       struct sock *other,
					       struct sock *newsk)
{
	return 0;
}

static inline int security_unix_may_send(struct socket *sock,
					 struct socket *other)
{
	return 0;
}

static inline int security_socket_create(int family, int type,
					 int protocol, int kern)
{
	return 0;
}

static inline int security_socket_post_create(struct socket *sock,
					      int family,
					      int type,
					      int protocol, int kern)
{
	return 0;
}

static inline int security_socket_socketpair(struct socket *socka,
					     struct socket *sockb)
{
	return 0;
}

static inline int security_socket_bind(struct socket *sock,
				       struct sockaddr *address,
				       int addrlen)
{
	return 0;
}

static inline int security_socket_connect(struct socket *sock,
					  struct sockaddr *address,
					  int addrlen)
{
	return 0;
}

static inline int security_socket_listen(struct socket *sock, int backlog)
{
	return 0;
}

static inline int security_socket_accept(struct socket *sock,
					 struct socket *newsock)
{
	return 0;
}

static inline int security_socket_sendmsg(struct socket *sock,
					  struct msghdr *msg, int size)
{
	return 0;
}

static inline int security_socket_recvmsg(struct socket *sock,
					  struct msghdr *msg, int size,
					  int flags)
{
	return 0;
}

static inline int security_socket_getsockname(struct socket *sock)
{
	return 0;
}

static inline int security_socket_getpeername(struct socket *sock)
{
	return 0;
}

static inline int security_socket_getsockopt(struct socket *sock,
					     int level, int optname)
{
	return 0;
}

static inline int security_socket_setsockopt(struct socket *sock,
					     int level, int optname)
{
	return 0;
}

static inline int security_socket_shutdown(struct socket *sock, int how)
{
	return 0;
}
static inline int security_sock_rcv_skb(struct sock *sk,
					struct sk_buff *skb)
{
	return 0;
}

/*
 * No peer security context exists; userspace asking for it sees an
 * unsupported socket option.  optval/optlen and *secid are not written.
 */
static inline int security_socket_getpeersec_stream(struct socket *sock,
						    sockptr_t optval,
						    sockptr_t optlen,
						    unsigned int len)
{
	return -ENOPROTOOPT;
}

static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
{
	return -ENOPROTOOPT;
}

static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
{
	return 0;
}

static inline void security_sk_free(struct sock *sk)
{
}

static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
{
}

/* Flow classification leaves flic untouched: there is no label to copy in. */
static inline void security_sk_classify_flow(const struct sock *sk,
					     struct flowi_common *flic)
{
}

static inline void security_req_classify_flow(const struct request_sock *req,
					      struct flowi_common *flic)
{
}

static inline void security_sock_graft(struct sock *sk, struct socket *parent)
{
}

static inline int security_inet_conn_request(const struct sock *sk,
			struct sk_buff *skb, struct request_sock *req)
{
	return 0;
}

static inline void security_inet_csk_clone(struct sock *newsk,
			const struct request_sock *req)
{
}

static inline void security_inet_conn_established(struct sock *sk,
			struct sk_buff *skb)
{
}

static inline int security_secmark_relabel_packet(u32 secid)
{
	return 0;
}

static inline void security_secmark_refcount_inc(void)
{
}

static inline void security_secmark_refcount_dec(void)
{
}

/* *security is not written; TUN callers get whatever they initialised it to. */
static inline int security_tun_dev_alloc_security(void **security)
{
	return 0;
}

static inline void security_tun_dev_free_security(void *security)
{
}

static inline int security_tun_dev_create(void)
{
	return 0;
}

static inline int security_tun_dev_attach_queue(void *security)
{
	return 0;
}

static inline int security_tun_dev_attach(struct sock *sk, void *security)
{
	return 0;
}

static inline int security_tun_dev_open(void *security)
{
	return 0;
}

static inline int security_sctp_assoc_request(struct sctp_association *asoc,
					      struct sk_buff *skb)
{
	return 0;
}

static inline int security_sctp_bind_connect(struct sock *sk, int optname,
					     struct sockaddr *address,
					     int addrlen)
{
	return 0;
}

static inline void security_sctp_sk_clone(struct sctp_association *asoc,
					  struct sock *sk,
					  struct sock *newsk)
{
}

static inline int security_sctp_assoc_established(struct sctp_association *asoc,
						  struct sk_buff *skb)
{
	return 0;
}

static inline int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
{
	return 0;
}
#endif	/* CONFIG_SECURITY_NETWORK */

#ifdef CONFIG_SECURITY_INFINIBAND
int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey);
int security_ib_endport_manage_subnet(void *sec, const char *name, u8 port_num);
int security_ib_alloc_security(void **sec);
void security_ib_free_security(void *sec);
#else	/* CONFIG_SECURITY_INFINIBAND */
/* CONFIG_SECURITY_INFINIBAND=n: IB pkey/subnet access is unrestricted. */
static inline int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey)
{
	return 0;
}

/*
 * NOTE(review): the second parameter is named `name` in the prototype
 * above but `dev_name` here; harmless, but worth aligning.
 */
static inline int security_ib_endport_manage_subnet(void *sec, const char *dev_name, u8 port_num)
{
	return 0;
}

/* *sec is not written. */
static inline int security_ib_alloc_security(void **sec)
{
	return 0;
}

static inline void security_ib_free_security(void *sec)
{
}
#endif	/* CONFIG_SECURITY_INFINIBAND */

#ifdef CONFIG_SECURITY_NETWORK_XFRM

int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
			       struct xfrm_user_sec_ctx *sec_ctx, gfp_t gfp);
int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctxp);
void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
				      struct xfrm_sec_ctx *polsec, u32 secid);
int security_xfrm_state_delete(struct xfrm_state *x);
void security_xfrm_state_free(struct xfrm_state *x);
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid);
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
				       struct xfrm_policy *xp,
				       const struct flowi_common *flic);
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);

#else	/* CONFIG_SECURITY_NETWORK_XFRM */

/*
 * CONFIG_SECURITY_NETWORK_XFRM=n stubs.  IPsec policy/state labelling is
 * absent: allocation hooks succeed without writing their out-pointer,
 * and the policy lookup answers 0.
 */
static inline int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
					     struct xfrm_user_sec_ctx *sec_ctx,
					     gfp_t gfp)
{
	return 0;
}

static inline int security_xfrm_policy_clone(struct xfrm_sec_ctx *old, struct xfrm_sec_ctx **new_ctxp)
{
	return 0;
}

static inline void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
}

static inline int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
	return 0;
}

static inline int security_xfrm_state_alloc(struct xfrm_state *x,
					    struct xfrm_user_sec_ctx *sec_ctx)
{
	return 0;
}

static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
					struct xfrm_sec_ctx *polsec, u32 secid)
{
	return 0;
}

static inline void security_xfrm_state_free(struct xfrm_state *x)
{
}

static inline int security_xfrm_state_delete(struct xfrm_state *x)
{
	return 0;
}

static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
{
	return 0;
}

/*
 * The only stub in this file that returns 1: the non-zero value here
 * reads as "state, policy and flow match" (verify against the
 * CONFIG_SECURITY_NETWORK_XFRM implementation), so with no labelling
 * every combination matches.
 */
static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
						     struct xfrm_policy *xp,
						     const struct flowi_common *flic)
{
	return 1;
}

/* *secid is not written. */
static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
	return 0;
}

static inline void security_skb_classify_flow(struct sk_buff *skb,
					      struct flowi_common *flic)
{
}

#endif	/* CONFIG_SECURITY_NETWORK_XFRM */

#ifdef CONFIG_SECURITY_PATH
int security_path_unlink(const struct path *dir, struct dentry *dentry);
int security_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t mode);
int security_path_rmdir(const struct path *dir, struct dentry *dentry);
int security_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode,
			unsigned int dev);
int security_path_truncate(const struct path *path);
int security_path_symlink(const struct path *dir, struct dentry *dentry,
			  const char *old_name);
int security_path_link(struct dentry *old_dentry, const struct path *new_dir,
		       struct dentry *new_dentry);
int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,
			 const struct path *new_dir, struct dentry *new_dentry,
			 unsigned int flags);
int security_path_chmod(const struct path *path, umode_t mode);
int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid);
int security_path_chroot(const struct path *path);
#else	/* CONFIG_SECURITY_PATH */
/* CONFIG_SECURITY_PATH=n: path-based hooks are unconditionally permissive. */
static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
{
	return 0;
}

static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry,
				      umode_t mode)
{
	return 0;
}

static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry)
{
	return 0;
}

static inline int security_path_mknod(const struct path *dir, struct dentry *dentry,
				      umode_t mode, unsigned int dev)
{
	return 0;
}

static inline int security_path_truncate(const struct path *path)
{
	return 0;
}

static inline int security_path_symlink(const struct path *dir, struct dentry *dentry,
					const char *old_name)
{
	return 0;
}

static inline int security_path_link(struct dentry *old_dentry,
				     const struct path *new_dir,
				     struct dentry *new_dentry)
{
	return 0;
}

static inline int security_path_rename(const struct path *old_dir,
				       struct dentry *old_dentry,
				       const struct path *new_dir,
				       struct dentry *new_dentry,
				       unsigned int flags)
{
	return 0;
}

static inline int security_path_chmod(const struct path *path, umode_t mode)
{
	return 0;
}

static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
{
	return 0;
}

static inline int security_path_chroot(const struct path *path)
{
	return 0;
}
#endif	/* CONFIG_SECURITY_PATH */

#ifdef CONFIG_KEYS
#ifdef CONFIG_SECURITY

int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags);
void security_key_free(struct key *key);
int security_key_permission(key_ref_t key_ref, const struct cred *cred,
			    enum key_need_perm need_perm);
int security_key_getsecurity(struct key *key, char **_buffer);

#else

/* CONFIG_KEYS without CONFIG_SECURITY: key permission checks always pass. */
static inline int security_key_alloc(struct key *key,
				     const struct cred *cred,
				     unsigned long flags)
{
	return 0;
}

static inline void security_key_free(struct key *key)
{
}

static inline int security_key_permission(key_ref_t key_ref,
					  const struct cred *cred,
					  enum key_need_perm need_perm)
{
	return 0;
}

/*
 * Unlike the other "get security" stubs this one reports success with an
 * explicitly empty result: *_buffer is set to NULL so callers that free
 * or print it see a defined value.
 */
static inline int security_key_getsecurity(struct key *key, char **_buffer)
{
	*_buffer = NULL;
	return 0;
}

#endif
#endif	/* CONFIG_KEYS */

#ifdef CONFIG_AUDIT
#ifdef CONFIG_SECURITY
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
int security_audit_rule_known(struct audit_krule *krule);
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule);
void security_audit_rule_free(void *lsmrule);

#else

/*
 * CONFIG_AUDIT without CONFIG_SECURITY: LSM-specific audit rule fields
 * cannot be compiled or matched.  rule_init succeeds without writing
 * *lsmrule, and rule_known / rule_match both answer 0.
 */
static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr,
					   void **lsmrule)
{
	return 0;
}

static inline int security_audit_rule_known(struct audit_krule *krule)
{
	return 0;
}

static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
					    void *lsmrule)
{
	return 0;
}

static inline void security_audit_rule_free(void *lsmrule)
{ }

#endif /* CONFIG_SECURITY */
#endif /* CONFIG_AUDIT */

#ifdef CONFIG_SECURITYFS

extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
					     struct dentry *parent, void *data,
					     const struct file_operations *fops);
extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent);
struct dentry *securityfs_create_symlink(const char *name,
					 struct dentry *parent,
					 const char *target,
					 const struct inode_operations *iops);
extern void securityfs_remove(struct dentry *dentry);

#else /* CONFIG_SECURITYFS */

/*
 * CONFIG_SECURITYFS=n: the create helpers hand back an ERR_PTR rather
 * than NULL, so callers must test the result with IS_ERR(), not with a
 * NULL check.
 */
static inline struct dentry *securityfs_create_dir(const char *name,
						   struct dentry *parent)
{
	return ERR_PTR(-ENODEV);
}

static inline struct dentry *securityfs_create_file(const char *name,
						    umode_t mode,
						    struct dentry *parent,
						    void *data,
						    const struct file_operations *fops)
{
	return ERR_PTR(-ENODEV);
}

static inline struct dentry *securityfs_create_symlink(const char *name,
					struct dentry *parent,
					const char *target,
					const struct inode_operations *iops)
{
	return ERR_PTR(-ENODEV);
}

static inline void securityfs_remove(struct dentry *dentry)
{}

#endif

#ifdef CONFIG_BPF_SYSCALL
union bpf_attr;
struct bpf_map;
struct bpf_prog;
struct bpf_prog_aux;
#ifdef CONFIG_SECURITY
extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
extern int security_bpf_prog(struct bpf_prog *prog);
extern int security_bpf_map_alloc(struct bpf_map *map);
extern void security_bpf_map_free(struct bpf_map *map);
extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
extern void security_bpf_prog_free(struct bpf_prog_aux *aux);
#else
/*
 * CONFIG_BPF_SYSCALL without CONFIG_SECURITY: the bpf() syscall, map and
 * program access hooks impose no restriction of their own.
 */
static inline int security_bpf(int cmd, union bpf_attr *attr,
					     unsigned int size)
{
	return 0;
}

static inline int security_bpf_map(struct bpf_map *map, fmode_t fmode)
{
	return 0;
}

static inline int security_bpf_prog(struct bpf_prog *prog)
{
	return 0;
}

static inline int security_bpf_map_alloc(struct bpf_map *map)
{
	return 0;
}

static inline void security_bpf_map_free(struct bpf_map *map)
{ }

static inline int security_bpf_prog_alloc(struct bpf_prog_aux *aux)
{
	return 0;
}

static inline void security_bpf_prog_free(struct bpf_prog_aux *aux)
{ }
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_BPF_SYSCALL */

#ifdef CONFIG_PERF_EVENTS
struct perf_event_attr;
struct perf_event;

#ifdef CONFIG_SECURITY
extern int security_perf_event_open(struct perf_event_attr *attr, int type);
extern int security_perf_event_alloc(struct perf_event *event);
extern void security_perf_event_free(struct perf_event *event);
extern int security_perf_event_read(struct perf_event *event);
extern int security_perf_event_write(struct perf_event *event);
#else
/* CONFIG_PERF_EVENTS without CONFIG_SECURITY: perf hooks are permissive. */
static inline int security_perf_event_open(struct perf_event_attr *attr,
					   int type)
{
	return 0;
}

static inline int security_perf_event_alloc(struct perf_event *event)
{
	return 0;
}

static inline void security_perf_event_free(struct perf_event *event)
{
}

static inline int security_perf_event_read(struct perf_event *event)
{
	return 0;
}

static inline int security_perf_event_write(struct perf_event *event)
{
	return 0;
}
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_PERF_EVENTS */

#ifdef CONFIG_IO_URING
#ifdef CONFIG_SECURITY
extern int security_uring_override_creds(const struct cred *new);
extern int security_uring_sqpoll(void);
extern int security_uring_cmd(struct io_uring_cmd *ioucmd);
#else
/*
 * CONFIG_IO_URING without CONFIG_SECURITY: credential override, SQPOLL
 * thread creation and IORING_OP_URING_CMD are not gated.
 */
static inline int security_uring_override_creds(const struct cred *new)
{
	return 0;
}
static inline int security_uring_sqpoll(void)
{
	return 0;
}
static inline int security_uring_cmd(struct io_uring_cmd *ioucmd)
{
	return 0;
}
#endif /* CONFIG_SECURITY */
#endif /* CONFIG_IO_URING */

#endif /* ! __LINUX_SECURITY_H */