Now available: The Design and Implementation of the FreeBSD Operating System (Second Edition)
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]
FreeBSD/Linux Kernel Cross Reference
sys/security/security.c
Version:
- FREEBSD - FREEBSD-13-STABLE - FREEBSD-13-0 - FREEBSD-12-STABLE - FREEBSD-12-0 - FREEBSD-11-STABLE - FREEBSD-11-0 - FREEBSD-10-STABLE - FREEBSD-10-0 - FREEBSD-9-STABLE - FREEBSD-9-0 - FREEBSD-8-STABLE - FREEBSD-8-0 - FREEBSD-7-STABLE - FREEBSD-7-0 - FREEBSD-6-STABLE - FREEBSD-6-0 - FREEBSD-5-STABLE - FREEBSD-5-0 - FREEBSD-4-STABLE - FREEBSD-3-STABLE - FREEBSD22 - l41 - OPENBSD - linux-2.6 - MK84 - PLAN9 - xnu-8792
SearchContext: - none - 3 - 10
SearchContext: - none - 3 - 10
1 /* 2 * Security plug functions 3 * 4 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com> 5 * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com> 6 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com> 7 * 8 * This program is free software; you can redistribute it and/or modify 9 * it under the terms of the GNU General Public License as published by 10 * the Free Software Foundation; either version 2 of the License, or 11 * (at your option) any later version. 12 */ 13 14 #include <linux/capability.h> 15 #include <linux/module.h> 16 #include <linux/init.h> 17 #include <linux/kernel.h> 18 #include <linux/security.h> 19 #include <linux/integrity.h> 20 #include <linux/ima.h> 21 #include <linux/evm.h> 22 #include <linux/fsnotify.h> 23 #include <linux/mman.h> 24 #include <linux/mount.h> 25 #include <linux/personality.h> 26 #include <linux/backing-dev.h> 27 #include <net/flow.h> 28 29 #define MAX_LSM_EVM_XATTR 2 30 31 /* Boot-time LSM user choice */ 32 static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] = 33 CONFIG_DEFAULT_SECURITY; 34 35 static struct security_operations *security_ops; 36 static struct security_operations default_security_ops = { 37 .name = "default", 38 }; 39 40 static inline int __init verify(struct security_operations *ops) 41 { 42 /* verify the security_operations structure exists */ 43 if (!ops) 44 return -EINVAL; 45 security_fixup_ops(ops); 46 return 0; 47 } 48 49 static void __init do_security_initcalls(void) 50 { 51 initcall_t *call; 52 call = __security_initcall_start; 53 while (call < __security_initcall_end) { 54 (*call) (); 55 call++; 56 } 57 } 58 59 /** 60 * security_init - initializes the security framework 61 * 62 * This should be called early in the kernel initialization sequence. 63 */ 64 int __init security_init(void) 65 { 66 printk(KERN_INFO "Security Framework initialized\n"); 67 68 security_fixup_ops(&default_security_ops); 69 security_ops = &default_security_ops; 70 do_security_initcalls(); 71 72 return 0; 73 } 74 75 void reset_security_ops(void) 76 { 77 security_ops = &default_security_ops; 78 } 79 80 /* Save user chosen LSM */ 81 static int __init choose_lsm(char *str) 82 { 83 strncpy(chosen_lsm, str, SECURITY_NAME_MAX); 84 return 1; 85 } 86 __setup("security=", choose_lsm); 87 88 /** 89 * security_module_enable - Load given security module on boot ? 90 * @ops: a pointer to the struct security_operations that is to be checked. 91 * 92 * Each LSM must pass this method before registering its own operations 93 * to avoid security registration races. This method may also be used 94 * to check if your LSM is currently loaded during kernel initialization. 95 * 96 * Return true if: 97 * -The passed LSM is the one chosen by user at boot time, 98 * -or the passed LSM is configured as the default and the user did not 99 * choose an alternate LSM at boot time. 100 * Otherwise, return false. 101 */ 102 int __init security_module_enable(struct security_operations *ops) 103 { 104 return !strcmp(ops->name, chosen_lsm); 105 } 106 107 /** 108 * register_security - registers a security framework with the kernel 109 * @ops: a pointer to the struct security_options that is to be registered 110 * 111 * This function allows a security module to register itself with the 112 * kernel security subsystem. Some rudimentary checking is done on the @ops 113 * value passed to this function. You'll need to check first if your LSM 114 * is allowed to register its @ops by calling security_module_enable(@ops). 115 * 116 * If there is already a security module registered with the kernel, 117 * an error will be returned. Otherwise %0 is returned on success. 118 */ 119 int __init register_security(struct security_operations *ops) 120 { 121 if (verify(ops)) { 122 printk(KERN_DEBUG "%s could not verify " 123 "security_operations structure.\n", __func__); 124 return -EINVAL; 125 } 126 127 if (security_ops != &default_security_ops) 128 return -EAGAIN; 129 130 security_ops = ops; 131 132 return 0; 133 } 134 135 /* Security operations */ 136 137 int security_ptrace_access_check(struct task_struct *child, unsigned int mode) 138 { 139 #ifdef CONFIG_SECURITY_YAMA_STACKED 140 int rc; 141 rc = yama_ptrace_access_check(child, mode); 142 if (rc) 143 return rc; 144 #endif 145 return security_ops->ptrace_access_check(child, mode); 146 } 147 148 int security_ptrace_traceme(struct task_struct *parent) 149 { 150 #ifdef CONFIG_SECURITY_YAMA_STACKED 151 int rc; 152 rc = yama_ptrace_traceme(parent); 153 if (rc) 154 return rc; 155 #endif 156 return security_ops->ptrace_traceme(parent); 157 } 158 159 int security_capget(struct task_struct *target, 160 kernel_cap_t *effective, 161 kernel_cap_t *inheritable, 162 kernel_cap_t *permitted) 163 { 164 return security_ops->capget(target, effective, inheritable, permitted); 165 } 166 167 int security_capset(struct cred *new, const struct cred *old, 168 const kernel_cap_t *effective, 169 const kernel_cap_t *inheritable, 170 const kernel_cap_t *permitted) 171 { 172 return security_ops->capset(new, old, 173 effective, inheritable, permitted); 174 } 175 176 int security_capable(const struct cred *cred, struct user_namespace *ns, 177 int cap) 178 { 179 return security_ops->capable(cred, ns, cap, SECURITY_CAP_AUDIT); 180 } 181 182 int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns, 183 int cap) 184 { 185 return security_ops->capable(cred, ns, cap, SECURITY_CAP_NOAUDIT); 186 } 187 188 int security_quotactl(int cmds, int type, int id, struct super_block *sb) 189 { 190 return security_ops->quotactl(cmds, type, id, sb); 191 } 192 193 int security_quota_on(struct dentry *dentry) 194 { 195 return security_ops->quota_on(dentry); 196 } 197 198 int security_syslog(int type) 199 { 200 return security_ops->syslog(type); 201 } 202 203 int security_settime(const struct timespec *ts, const struct timezone *tz) 204 { 205 return security_ops->settime(ts, tz); 206 } 207 208 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) 209 { 210 return security_ops->vm_enough_memory(mm, pages); 211 } 212 213 int security_bprm_set_creds(struct linux_binprm *bprm) 214 { 215 return security_ops->bprm_set_creds(bprm); 216 } 217 218 int security_bprm_check(struct linux_binprm *bprm) 219 { 220 int ret; 221 222 ret = security_ops->bprm_check_security(bprm); 223 if (ret) 224 return ret; 225 return ima_bprm_check(bprm); 226 } 227 228 void security_bprm_committing_creds(struct linux_binprm *bprm) 229 { 230 security_ops->bprm_committing_creds(bprm); 231 } 232 233 void security_bprm_committed_creds(struct linux_binprm *bprm) 234 { 235 security_ops->bprm_committed_creds(bprm); 236 } 237 238 int security_bprm_secureexec(struct linux_binprm *bprm) 239 { 240 return security_ops->bprm_secureexec(bprm); 241 } 242 243 int security_sb_alloc(struct super_block *sb) 244 { 245 return security_ops->sb_alloc_security(sb); 246 } 247 248 void security_sb_free(struct super_block *sb) 249 { 250 security_ops->sb_free_security(sb); 251 } 252 253 int security_sb_copy_data(char *orig, char *copy) 254 { 255 return security_ops->sb_copy_data(orig, copy); 256 } 257 EXPORT_SYMBOL(security_sb_copy_data); 258 259 int security_sb_remount(struct super_block *sb, void *data) 260 { 261 return security_ops->sb_remount(sb, data); 262 } 263 264 int security_sb_kern_mount(struct super_block *sb, int flags, void *data) 265 { 266 return security_ops->sb_kern_mount(sb, flags, data); 267 } 268 269 int security_sb_show_options(struct seq_file *m, struct super_block *sb) 270 { 271 return security_ops->sb_show_options(m, sb); 272 } 273 274 int security_sb_statfs(struct dentry *dentry) 275 { 276 return security_ops->sb_statfs(dentry); 277 } 278 279 int security_sb_mount(const char *dev_name, struct path *path, 280 const char *type, unsigned long flags, void *data) 281 { 282 return security_ops->sb_mount(dev_name, path, type, flags, data); 283 } 284 285 int security_sb_umount(struct vfsmount *mnt, int flags) 286 { 287 return security_ops->sb_umount(mnt, flags); 288 } 289 290 int security_sb_pivotroot(struct path *old_path, struct path *new_path) 291 { 292 return security_ops->sb_pivotroot(old_path, new_path); 293 } 294 295 int security_sb_set_mnt_opts(struct super_block *sb, 296 struct security_mnt_opts *opts) 297 { 298 return security_ops->sb_set_mnt_opts(sb, opts); 299 } 300 EXPORT_SYMBOL(security_sb_set_mnt_opts); 301 302 void security_sb_clone_mnt_opts(const struct super_block *oldsb, 303 struct super_block *newsb) 304 { 305 security_ops->sb_clone_mnt_opts(oldsb, newsb); 306 } 307 EXPORT_SYMBOL(security_sb_clone_mnt_opts); 308 309 int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts) 310 { 311 return security_ops->sb_parse_opts_str(options, opts); 312 } 313 EXPORT_SYMBOL(security_sb_parse_opts_str); 314 315 int security_inode_alloc(struct inode *inode) 316 { 317 inode->i_security = NULL; 318 return security_ops->inode_alloc_security(inode); 319 } 320 321 void security_inode_free(struct inode *inode) 322 { 323 integrity_inode_free(inode); 324 security_ops->inode_free_security(inode); 325 } 326 327 int security_inode_init_security(struct inode *inode, struct inode *dir, 328 const struct qstr *qstr, 329 const initxattrs initxattrs, void *fs_data) 330 { 331 struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1]; 332 struct xattr *lsm_xattr, *evm_xattr, *xattr; 333 int ret; 334 335 if (unlikely(IS_PRIVATE(inode))) 336 return 0; 337 338 memset(new_xattrs, 0, sizeof new_xattrs); 339 if (!initxattrs) 340 return security_ops->inode_init_security(inode, dir, qstr, 341 NULL, NULL, NULL); 342 lsm_xattr = new_xattrs; 343 ret = security_ops->inode_init_security(inode, dir, qstr, 344 &lsm_xattr->name, 345 &lsm_xattr->value, 346 &lsm_xattr->value_len); 347 if (ret) 348 goto out; 349 350 evm_xattr = lsm_xattr + 1; 351 ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr); 352 if (ret) 353 goto out; 354 ret = initxattrs(inode, new_xattrs, fs_data); 355 out: 356 for (xattr = new_xattrs; xattr->name != NULL; xattr++) { 357 kfree(xattr->name); 358 kfree(xattr->value); 359 } 360 return (ret == -EOPNOTSUPP) ? 0 : ret; 361 } 362 EXPORT_SYMBOL(security_inode_init_security); 363 364 int security_old_inode_init_security(struct inode *inode, struct inode *dir, 365 const struct qstr *qstr, char **name, 366 void **value, size_t *len) 367 { 368 if (unlikely(IS_PRIVATE(inode))) 369 return -EOPNOTSUPP; 370 return security_ops->inode_init_security(inode, dir, qstr, name, value, 371 len); 372 } 373 EXPORT_SYMBOL(security_old_inode_init_security); 374 375 #ifdef CONFIG_SECURITY_PATH 376 int security_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode, 377 unsigned int dev) 378 { 379 if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) 380 return 0; 381 return security_ops->path_mknod(dir, dentry, mode, dev); 382 } 383 EXPORT_SYMBOL(security_path_mknod); 384 385 int security_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode) 386 { 387 if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) 388 return 0; 389 return security_ops->path_mkdir(dir, dentry, mode); 390 } 391 EXPORT_SYMBOL(security_path_mkdir); 392 393 int security_path_rmdir(struct path *dir, struct dentry *dentry) 394 { 395 if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) 396 return 0; 397 return security_ops->path_rmdir(dir, dentry); 398 } 399 400 int security_path_unlink(struct path *dir, struct dentry *dentry) 401 { 402 if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) 403 return 0; 404 return security_ops->path_unlink(dir, dentry); 405 } 406 EXPORT_SYMBOL(security_path_unlink); 407 408 int security_path_symlink(struct path *dir, struct dentry *dentry, 409 const char *old_name) 410 { 411 if (unlikely(IS_PRIVATE(dir->dentry->d_inode))) 412 return 0; 413 return security_ops->path_symlink(dir, dentry, old_name); 414 } 415 416 int security_path_link(struct dentry *old_dentry, struct path *new_dir, 417 struct dentry *new_dentry) 418 { 419 if (unlikely(IS_PRIVATE(old_dentry->d_inode))) 420 return 0; 421 return security_ops->path_link(old_dentry, new_dir, new_dentry); 422 } 423 424 int security_path_rename(struct path *old_dir, struct dentry *old_dentry, 425 struct path *new_dir, struct dentry *new_dentry) 426 { 427 if (unlikely(IS_PRIVATE(old_dentry->d_inode) || 428 (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode)))) 429 return 0; 430 return security_ops->path_rename(old_dir, old_dentry, new_dir, 431 new_dentry); 432 } 433 EXPORT_SYMBOL(security_path_rename); 434 435 int security_path_truncate(struct path *path) 436 { 437 if (unlikely(IS_PRIVATE(path->dentry->d_inode))) 438 return 0; 439 return security_ops->path_truncate(path); 440 } 441 442 int security_path_chmod(struct path *path, umode_t mode) 443 { 444 if (unlikely(IS_PRIVATE(path->dentry->d_inode))) 445 return 0; 446 return security_ops->path_chmod(path, mode); 447 } 448 449 int security_path_chown(struct path *path, kuid_t uid, kgid_t gid) 450 { 451 if (unlikely(IS_PRIVATE(path->dentry->d_inode))) 452 return 0; 453 return security_ops->path_chown(path, uid, gid); 454 } 455 456 int security_path_chroot(struct path *path) 457 { 458 return security_ops->path_chroot(path); 459 } 460 #endif 461 462 int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) 463 { 464 if (unlikely(IS_PRIVATE(dir))) 465 return 0; 466 return security_ops->inode_create(dir, dentry, mode); 467 } 468 EXPORT_SYMBOL_GPL(security_inode_create); 469 470 int security_inode_link(struct dentry *old_dentry, struct inode *dir, 471 struct dentry *new_dentry) 472 { 473 if (unlikely(IS_PRIVATE(old_dentry->d_inode))) 474 return 0; 475 return security_ops->inode_link(old_dentry, dir, new_dentry); 476 } 477 478 int security_inode_unlink(struct inode *dir, struct dentry *dentry) 479 { 480 if (unlikely(IS_PRIVATE(dentry->d_inode))) 481 return 0; 482 return security_ops->inode_unlink(dir, dentry); 483 } 484 485 int security_inode_symlink(struct inode *dir, struct dentry *dentry, 486 const char *old_name) 487 { 488 if (unlikely(IS_PRIVATE(dir))) 489 return 0; 490 return security_ops->inode_symlink(dir, dentry, old_name); 491 } 492 493 int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) 494 { 495 if (unlikely(IS_PRIVATE(dir))) 496 return 0; 497 return security_ops->inode_mkdir(dir, dentry, mode); 498 } 499 EXPORT_SYMBOL_GPL(security_inode_mkdir); 500 501 int security_inode_rmdir(struct inode *dir, struct dentry *dentry) 502 { 503 if (unlikely(IS_PRIVATE(dentry->d_inode))) 504 return 0; 505 return security_ops->inode_rmdir(dir, dentry); 506 } 507 508 int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) 509 { 510 if (unlikely(IS_PRIVATE(dir))) 511 return 0; 512 return security_ops->inode_mknod(dir, dentry, mode, dev); 513 } 514 515 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry, 516 struct inode *new_dir, struct dentry *new_dentry) 517 { 518 if (unlikely(IS_PRIVATE(old_dentry->d_inode) || 519 (new_dentry->d_inode && IS_PRIVATE(new_dentry->d_inode)))) 520 return 0; 521 return security_ops->inode_rename(old_dir, old_dentry, 522 new_dir, new_dentry); 523 } 524 525 int security_inode_readlink(struct dentry *dentry) 526 { 527 if (unlikely(IS_PRIVATE(dentry->d_inode))) 528 return 0; 529 return security_ops->inode_readlink(dentry); 530 } 531 532 int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd) 533 { 534 if (unlikely(IS_PRIVATE(dentry->d_inode))) 535 return 0; 536 return security_ops->inode_follow_link(dentry, nd); 537 } 538 539 int security_inode_permission(struct inode *inode, int mask) 540 { 541 if (unlikely(IS_PRIVATE(inode))) 542 return 0; 543 return security_ops->inode_permission(inode, mask); 544 } 545 546 int security_inode_setattr(struct dentry *dentry, struct iattr *attr) 547 { 548 int ret; 549 550 if (unlikely(IS_PRIVATE(dentry->d_inode))) 551 return 0; 552 ret = security_ops->inode_setattr(dentry, attr); 553 if (ret) 554 return ret; 555 return evm_inode_setattr(dentry, attr); 556 } 557 EXPORT_SYMBOL_GPL(security_inode_setattr); 558 559 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 560 { 561 if (unlikely(IS_PRIVATE(dentry->d_inode))) 562 return 0; 563 return security_ops->inode_getattr(mnt, dentry); 564 } 565 566 int security_inode_setxattr(struct dentry *dentry, const char *name, 567 const void *value, size_t size, int flags) 568 { 569 int ret; 570 571 if (unlikely(IS_PRIVATE(dentry->d_inode))) 572 return 0; 573 ret = security_ops->inode_setxattr(dentry, name, value, size, flags); 574 if (ret) 575 return ret; 576 ret = ima_inode_setxattr(dentry, name, value, size); 577 if (ret) 578 return ret; 579 return evm_inode_setxattr(dentry, name, value, size); 580 } 581 582 void security_inode_post_setxattr(struct dentry *dentry, const char *name, 583 const void *value, size_t size, int flags) 584 { 585 if (unlikely(IS_PRIVATE(dentry->d_inode))) 586 return; 587 security_ops->inode_post_setxattr(dentry, name, value, size, flags); 588 evm_inode_post_setxattr(dentry, name, value, size); 589 } 590 591 int security_inode_getxattr(struct dentry *dentry, const char *name) 592 { 593 if (unlikely(IS_PRIVATE(dentry->d_inode))) 594 return 0; 595 return security_ops->inode_getxattr(dentry, name); 596 } 597 598 int security_inode_listxattr(struct dentry *dentry) 599 { 600 if (unlikely(IS_PRIVATE(dentry->d_inode))) 601 return 0; 602 return security_ops->inode_listxattr(dentry); 603 } 604 605 int security_inode_removexattr(struct dentry *dentry, const char *name) 606 { 607 int ret; 608 609 if (unlikely(IS_PRIVATE(dentry->d_inode))) 610 return 0; 611 ret = security_ops->inode_removexattr(dentry, name); 612 if (ret) 613 return ret; 614 ret = ima_inode_removexattr(dentry, name); 615 if (ret) 616 return ret; 617 return evm_inode_removexattr(dentry, name); 618 } 619 620 int security_inode_need_killpriv(struct dentry *dentry) 621 { 622 return security_ops->inode_need_killpriv(dentry); 623 } 624 625 int security_inode_killpriv(struct dentry *dentry) 626 { 627 return security_ops->inode_killpriv(dentry); 628 } 629 630 int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) 631 { 632 if (unlikely(IS_PRIVATE(inode))) 633 return -EOPNOTSUPP; 634 return security_ops->inode_getsecurity(inode, name, buffer, alloc); 635 } 636 637 int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 638 { 639 if (unlikely(IS_PRIVATE(inode))) 640 return -EOPNOTSUPP; 641 return security_ops->inode_setsecurity(inode, name, value, size, flags); 642 } 643 644 int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 645 { 646 if (unlikely(IS_PRIVATE(inode))) 647 return 0; 648 return security_ops->inode_listsecurity(inode, buffer, buffer_size); 649 } 650 651 void security_inode_getsecid(const struct inode *inode, u32 *secid) 652 { 653 security_ops->inode_getsecid(inode, secid); 654 } 655 656 int security_file_permission(struct file *file, int mask) 657 { 658 int ret; 659 660 ret = security_ops->file_permission(file, mask); 661 if (ret) 662 return ret; 663 664 return fsnotify_perm(file, mask); 665 } 666 667 int security_file_alloc(struct file *file) 668 { 669 return security_ops->file_alloc_security(file); 670 } 671 672 void security_file_free(struct file *file) 673 { 674 security_ops->file_free_security(file); 675 } 676 677 int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) 678 { 679 return security_ops->file_ioctl(file, cmd, arg); 680 } 681 682 static inline unsigned long mmap_prot(struct file *file, unsigned long prot) 683 { 684 /* 685 * Does we have PROT_READ and does the application expect 686 * it to imply PROT_EXEC? If not, nothing to talk about... 687 */ 688 if ((prot & (PROT_READ | PROT_EXEC)) != PROT_READ) 689 return prot; 690 if (!(current->personality & READ_IMPLIES_EXEC)) 691 return prot; 692 /* 693 * if that's an anonymous mapping, let it. 694 */ 695 if (!file) 696 return prot | PROT_EXEC; 697 /* 698 * ditto if it's not on noexec mount, except that on !MMU we need 699 * BDI_CAP_EXEC_MMAP (== VM_MAYEXEC) in this case 700 */ 701 if (!(file->f_path.mnt->mnt_flags & MNT_NOEXEC)) { 702 #ifndef CONFIG_MMU 703 unsigned long caps = 0; 704 struct address_space *mapping = file->f_mapping; 705 if (mapping && mapping->backing_dev_info) 706 caps = mapping->backing_dev_info->capabilities; 707 if (!(caps & BDI_CAP_EXEC_MAP)) 708 return prot; 709 #endif 710 return prot | PROT_EXEC; 711 } 712 /* anything on noexec mount won't get PROT_EXEC */ 713 return prot; 714 } 715 716 int security_mmap_file(struct file *file, unsigned long prot, 717 unsigned long flags) 718 { 719 int ret; 720 ret = security_ops->mmap_file(file, prot, 721 mmap_prot(file, prot), flags); 722 if (ret) 723 return ret; 724 return ima_file_mmap(file, prot); 725 } 726 727 int security_mmap_addr(unsigned long addr) 728 { 729 return security_ops->mmap_addr(addr); 730 } 731 732 int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 733 unsigned long prot) 734 { 735 return security_ops->file_mprotect(vma, reqprot, prot); 736 } 737 738 int security_file_lock(struct file *file, unsigned int cmd) 739 { 740 return security_ops->file_lock(file, cmd); 741 } 742 743 int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg) 744 { 745 return security_ops->file_fcntl(file, cmd, arg); 746 } 747 748 int security_file_set_fowner(struct file *file) 749 { 750 return security_ops->file_set_fowner(file); 751 } 752 753 int security_file_send_sigiotask(struct task_struct *tsk, 754 struct fown_struct *fown, int sig) 755 { 756 return security_ops->file_send_sigiotask(tsk, fown, sig); 757 } 758 759 int security_file_receive(struct file *file) 760 { 761 return security_ops->file_receive(file); 762 } 763 764 int security_file_open(struct file *file, const struct cred *cred) 765 { 766 int ret; 767 768 ret = security_ops->file_open(file, cred); 769 if (ret) 770 return ret; 771 772 return fsnotify_perm(file, MAY_OPEN); 773 } 774 775 int security_task_create(unsigned long clone_flags) 776 { 777 return security_ops->task_create(clone_flags); 778 } 779 780 void security_task_free(struct task_struct *task) 781 { 782 #ifdef CONFIG_SECURITY_YAMA_STACKED 783 yama_task_free(task); 784 #endif 785 security_ops->task_free(task); 786 } 787 788 int security_cred_alloc_blank(struct cred *cred, gfp_t gfp) 789 { 790 return security_ops->cred_alloc_blank(cred, gfp); 791 } 792 793 void security_cred_free(struct cred *cred) 794 { 795 security_ops->cred_free(cred); 796 } 797 798 int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp) 799 { 800 return security_ops->cred_prepare(new, old, gfp); 801 } 802 803 void security_transfer_creds(struct cred *new, const struct cred *old) 804 { 805 security_ops->cred_transfer(new, old); 806 } 807 808 int security_kernel_act_as(struct cred *new, u32 secid) 809 { 810 return security_ops->kernel_act_as(new, secid); 811 } 812 813 int security_kernel_create_files_as(struct cred *new, struct inode *inode) 814 { 815 return security_ops->kernel_create_files_as(new, inode); 816 } 817 818 int security_kernel_module_request(char *kmod_name) 819 { 820 return security_ops->kernel_module_request(kmod_name); 821 } 822 823 int security_kernel_module_from_file(struct file *file) 824 { 825 int ret; 826 827 ret = security_ops->kernel_module_from_file(file); 828 if (ret) 829 return ret; 830 return ima_module_check(file); 831 } 832 833 int security_task_fix_setuid(struct cred *new, const struct cred *old, 834 int flags) 835 { 836 return security_ops->task_fix_setuid(new, old, flags); 837 } 838 839 int security_task_setpgid(struct task_struct *p, pid_t pgid) 840 { 841 return security_ops->task_setpgid(p, pgid); 842 } 843 844 int security_task_getpgid(struct task_struct *p) 845 { 846 return security_ops->task_getpgid(p); 847 } 848 849 int security_task_getsid(struct task_struct *p) 850 { 851 return security_ops->task_getsid(p); 852 } 853 854 void security_task_getsecid(struct task_struct *p, u32 *secid) 855 { 856 security_ops->task_getsecid(p, secid); 857 } 858 EXPORT_SYMBOL(security_task_getsecid); 859 860 int security_task_setnice(struct task_struct *p, int nice) 861 { 862 return security_ops->task_setnice(p, nice); 863 } 864 865 int security_task_setioprio(struct task_struct *p, int ioprio) 866 { 867 return security_ops->task_setioprio(p, ioprio); 868 } 869 870 int security_task_getioprio(struct task_struct *p) 871 { 872 return security_ops->task_getioprio(p); 873 } 874 875 int security_task_setrlimit(struct task_struct *p, unsigned int resource, 876 struct rlimit *new_rlim) 877 { 878 return security_ops->task_setrlimit(p, resource, new_rlim); 879 } 880 881 int security_task_setscheduler(struct task_struct *p) 882 { 883 return security_ops->task_setscheduler(p); 884 } 885 886 int security_task_getscheduler(struct task_struct *p) 887 { 888 return security_ops->task_getscheduler(p); 889 } 890 891 int security_task_movememory(struct task_struct *p) 892 { 893 return security_ops->task_movememory(p); 894 } 895 896 int security_task_kill(struct task_struct *p, struct siginfo *info, 897 int sig, u32 secid) 898 { 899 return security_ops->task_kill(p, info, sig, secid); 900 } 901 902 int security_task_wait(struct task_struct *p) 903 { 904 return security_ops->task_wait(p); 905 } 906 907 int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, 908 unsigned long arg4, unsigned long arg5) 909 { 910 #ifdef CONFIG_SECURITY_YAMA_STACKED 911 int rc; 912 rc = yama_task_prctl(option, arg2, arg3, arg4, arg5); 913 if (rc != -ENOSYS) 914 return rc; 915 #endif 916 return security_ops->task_prctl(option, arg2, arg3, arg4, arg5); 917 } 918 919 void security_task_to_inode(struct task_struct *p, struct inode *inode) 920 { 921 security_ops->task_to_inode(p, inode); 922 } 923 924 int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) 925 { 926 return security_ops->ipc_permission(ipcp, flag); 927 } 928 929 void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) 930 { 931 security_ops->ipc_getsecid(ipcp, secid); 932 } 933 934 int security_msg_msg_alloc(struct msg_msg *msg) 935 { 936 return security_ops->msg_msg_alloc_security(msg); 937 } 938 939 void security_msg_msg_free(struct msg_msg *msg) 940 { 941 security_ops->msg_msg_free_security(msg); 942 } 943 944 int security_msg_queue_alloc(struct msg_queue *msq) 945 { 946 return security_ops->msg_queue_alloc_security(msq); 947 } 948 949 void security_msg_queue_free(struct msg_queue *msq) 950 { 951 security_ops->msg_queue_free_security(msq); 952 } 953 954 int security_msg_queue_associate(struct msg_queue *msq, int msqflg) 955 { 956 return security_ops->msg_queue_associate(msq, msqflg); 957 } 958 959 int security_msg_queue_msgctl(struct msg_queue *msq, int cmd) 960 { 961 return security_ops->msg_queue_msgctl(msq, cmd); 962 } 963 964 int security_msg_queue_msgsnd(struct msg_queue *msq, 965 struct msg_msg *msg, int msqflg) 966 { 967 return security_ops->msg_queue_msgsnd(msq, msg, msqflg); 968 } 969 970 int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 971 struct task_struct *target, long type, int mode) 972 { 973 return security_ops->msg_queue_msgrcv(msq, msg, target, type, mode); 974 } 975 976 int security_shm_alloc(struct shmid_kernel *shp) 977 { 978 return security_ops->shm_alloc_security(shp); 979 } 980 981 void security_shm_free(struct shmid_kernel *shp) 982 { 983 security_ops->shm_free_security(shp); 984 } 985 986 int security_shm_associate(struct shmid_kernel *shp, int shmflg) 987 { 988 return security_ops->shm_associate(shp, shmflg); 989 } 990 991 int security_shm_shmctl(struct shmid_kernel *shp, int cmd) 992 { 993 return security_ops->shm_shmctl(shp, cmd); 994 } 995 996 int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg) 997 { 998 return security_ops->shm_shmat(shp, shmaddr, shmflg); 999 } 1000 1001 int security_sem_alloc(struct sem_array *sma) 1002 { 1003 return security_ops->sem_alloc_security(sma); 1004 } 1005 1006 void security_sem_free(struct sem_array *sma) 1007 { 1008 security_ops->sem_free_security(sma); 1009 } 1010 1011 int security_sem_associate(struct sem_array *sma, int semflg) 1012 { 1013 return security_ops->sem_associate(sma, semflg); 1014 } 1015 1016 int security_sem_semctl(struct sem_array *sma, int cmd) 1017 { 1018 return security_ops->sem_semctl(sma, cmd); 1019 } 1020 1021 int security_sem_semop(struct sem_array *sma, struct sembuf *sops, 1022 unsigned nsops, int alter) 1023 { 1024 return security_ops->sem_semop(sma, sops, nsops, alter); 1025 } 1026 1027 void security_d_instantiate(struct dentry *dentry, struct inode *inode) 1028 { 1029 if (unlikely(inode && IS_PRIVATE(inode))) 1030 return; 1031 security_ops->d_instantiate(dentry, inode); 1032 } 1033 EXPORT_SYMBOL(security_d_instantiate); 1034 1035 int security_getprocattr(struct task_struct *p, char *name, char **value) 1036 { 1037 return security_ops->getprocattr(p, name, value); 1038 } 1039 1040 int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 1041 { 1042 return security_ops->setprocattr(p, name, value, size); 1043 } 1044 1045 int security_netlink_send(struct sock *sk, struct sk_buff *skb) 1046 { 1047 return security_ops->netlink_send(sk, skb); 1048 } 1049 1050 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 1051 { 1052 return security_ops->secid_to_secctx(secid, secdata, seclen); 1053 } 1054 EXPORT_SYMBOL(security_secid_to_secctx); 1055 1056 int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 1057 { 1058 return security_ops->secctx_to_secid(secdata, seclen, secid); 1059 } 1060 EXPORT_SYMBOL(security_secctx_to_secid); 1061 1062 void security_release_secctx(char *secdata, u32 seclen) 1063 { 1064 security_ops->release_secctx(secdata, seclen); 1065 } 1066 EXPORT_SYMBOL(security_release_secctx); 1067 1068 int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 1069 { 1070 return security_ops->inode_notifysecctx(inode, ctx, ctxlen); 1071 } 1072 EXPORT_SYMBOL(security_inode_notifysecctx); 1073 1074 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 1075 { 1076 return security_ops->inode_setsecctx(dentry, ctx, ctxlen); 1077 } 1078 EXPORT_SYMBOL(security_inode_setsecctx); 1079 1080 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) 1081 { 1082 return security_ops->inode_getsecctx(inode, ctx, ctxlen); 1083 } 1084 EXPORT_SYMBOL(security_inode_getsecctx); 1085 1086 #ifdef CONFIG_SECURITY_NETWORK 1087 1088 int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk) 1089 { 1090 return security_ops->unix_stream_connect(sock, other, newsk); 1091 } 1092 EXPORT_SYMBOL(security_unix_stream_connect); 1093 1094 int security_unix_may_send(struct socket *sock, struct socket *other) 1095 { 1096 return security_ops->unix_may_send(sock, other); 1097 } 1098 EXPORT_SYMBOL(security_unix_may_send); 1099 1100 int security_socket_create(int family, int type, int protocol, int kern) 1101 { 1102 return security_ops->socket_create(family, type, protocol, kern); 1103 } 1104 1105 int security_socket_post_create(struct socket *sock, int family, 1106 int type, int protocol, int kern) 1107 { 1108 return security_ops->socket_post_create(sock, family, type, 1109 protocol, kern); 1110 } 1111 1112 int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen) 1113 { 1114 return security_ops->socket_bind(sock, address, addrlen); 1115 } 1116 1117 int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen) 1118 { 1119 return security_ops->socket_connect(sock, address, addrlen); 1120 } 1121 1122 int security_socket_listen(struct socket *sock, int backlog) 1123 { 1124 return security_ops->socket_listen(sock, backlog); 1125 } 1126 1127 int security_socket_accept(struct socket *sock, struct socket *newsock) 1128 { 1129 return security_ops->socket_accept(sock, newsock); 1130 } 1131 1132 int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) 1133 { 1134 return security_ops->socket_sendmsg(sock, msg, size); 1135 } 1136 1137 int security_socket_recvmsg(struct socket *sock, struct msghdr *msg, 1138 int size, int flags) 1139 { 1140 return security_ops->socket_recvmsg(sock, msg, size, flags); 1141 } 1142 1143 int security_socket_getsockname(struct socket *sock) 1144 { 1145 return security_ops->socket_getsockname(sock); 1146 } 1147 1148 int security_socket_getpeername(struct socket *sock) 1149 { 1150 return security_ops->socket_getpeername(sock); 1151 } 1152 1153 int security_socket_getsockopt(struct socket *sock, int level, int optname) 1154 { 1155 return security_ops->socket_getsockopt(sock, level, optname); 1156 } 1157 1158 int security_socket_setsockopt(struct socket *sock, int level, int optname) 1159 { 1160 return security_ops->socket_setsockopt(sock, level, optname); 1161 } 1162 1163 int security_socket_shutdown(struct socket *sock, int how) 1164 { 1165 return security_ops->socket_shutdown(sock, how); 1166 } 1167 1168 int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1169 { 1170 return security_ops->socket_sock_rcv_skb(sk, skb); 1171 } 1172 EXPORT_SYMBOL(security_sock_rcv_skb); 1173 1174 int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, 1175 int __user *optlen, unsigned len) 1176 { 1177 return security_ops->socket_getpeersec_stream(sock, optval, optlen, len); 1178 } 1179 1180 int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 1181 { 1182 return security_ops->socket_getpeersec_dgram(sock, skb, secid); 1183 } 1184 EXPORT_SYMBOL(security_socket_getpeersec_dgram); 1185 1186 int security_sk_alloc(struct sock *sk, int family, gfp_t priority) 1187 { 1188 return security_ops->sk_alloc_security(sk, family, priority); 1189 } 1190 1191 void security_sk_free(struct sock *sk) 1192 { 1193 security_ops->sk_free_security(sk); 1194 } 1195 1196 void security_sk_clone(const struct sock *sk, struct sock *newsk) 1197 { 1198 security_ops->sk_clone_security(sk, newsk); 1199 } 1200 EXPORT_SYMBOL(security_sk_clone); 1201 1202 void security_sk_classify_flow(struct sock *sk, struct flowi *fl) 1203 { 1204 security_ops->sk_getsecid(sk, &fl->flowi_secid); 1205 } 1206 EXPORT_SYMBOL(security_sk_classify_flow); 1207 1208 void security_req_classify_flow(const struct request_sock *req, struct flowi *fl) 1209 { 1210 security_ops->req_classify_flow(req, fl); 1211 } 1212 EXPORT_SYMBOL(security_req_classify_flow); 1213 1214 void security_sock_graft(struct sock *sk, struct socket *parent) 1215 { 1216 security_ops->sock_graft(sk, parent); 1217 } 1218 EXPORT_SYMBOL(security_sock_graft); 1219 1220 int security_inet_conn_request(struct sock *sk, 1221 struct sk_buff *skb, struct request_sock *req) 1222 { 1223 return security_ops->inet_conn_request(sk, skb, req); 1224 } 1225 EXPORT_SYMBOL(security_inet_conn_request); 1226 1227 void security_inet_csk_clone(struct sock *newsk, 1228 const struct request_sock *req) 1229 { 1230 security_ops->inet_csk_clone(newsk, req); 1231 } 1232 1233 void security_inet_conn_established(struct sock *sk, 1234 struct sk_buff *skb) 1235 { 1236 security_ops->inet_conn_established(sk, skb); 1237 } 1238 1239 int security_secmark_relabel_packet(u32 secid) 1240 { 1241 return security_ops->secmark_relabel_packet(secid); 1242 } 1243 EXPORT_SYMBOL(security_secmark_relabel_packet); 1244 1245 void security_secmark_refcount_inc(void) 1246 { 1247 security_ops->secmark_refcount_inc(); 1248 } 1249 EXPORT_SYMBOL(security_secmark_refcount_inc); 1250 1251 void security_secmark_refcount_dec(void) 1252 { 1253 security_ops->secmark_refcount_dec(); 1254 } 1255 EXPORT_SYMBOL(security_secmark_refcount_dec); 1256 1257 int security_tun_dev_alloc_security(void **security) 1258 { 1259 return security_ops->tun_dev_alloc_security(security); 1260 } 1261 EXPORT_SYMBOL(security_tun_dev_alloc_security); 1262 1263 void security_tun_dev_free_security(void *security) 1264 { 1265 security_ops->tun_dev_free_security(security); 1266 } 1267 EXPORT_SYMBOL(security_tun_dev_free_security); 1268 1269 int security_tun_dev_create(void) 1270 { 1271 return security_ops->tun_dev_create(); 1272 } 1273 EXPORT_SYMBOL(security_tun_dev_create); 1274 1275 int security_tun_dev_attach_queue(void *security) 1276 { 1277 return security_ops->tun_dev_attach_queue(security); 1278 } 1279 EXPORT_SYMBOL(security_tun_dev_attach_queue); 1280 1281 int security_tun_dev_attach(struct sock *sk, void *security) 1282 { 1283 return security_ops->tun_dev_attach(sk, security); 1284 } 1285 EXPORT_SYMBOL(security_tun_dev_attach); 1286 1287 int security_tun_dev_open(void *security) 1288 { 1289 return security_ops->tun_dev_open(security); 1290 } 1291 EXPORT_SYMBOL(security_tun_dev_open); 1292 1293 #endif /* CONFIG_SECURITY_NETWORK */ 1294 1295 #ifdef CONFIG_SECURITY_NETWORK_XFRM 1296 1297 int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx) 1298 { 1299 return security_ops->xfrm_policy_alloc_security(ctxp, sec_ctx); 1300 } 1301 EXPORT_SYMBOL(security_xfrm_policy_alloc); 1302 1303 int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, 1304 struct xfrm_sec_ctx **new_ctxp) 1305 { 1306 return security_ops->xfrm_policy_clone_security(old_ctx, new_ctxp); 1307 } 1308 1309 void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx) 1310 { 1311 security_ops->xfrm_policy_free_security(ctx); 1312 } 1313 EXPORT_SYMBOL(security_xfrm_policy_free); 1314 1315 int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) 1316 { 1317 return security_ops->xfrm_policy_delete_security(ctx); 1318 } 1319 1320 int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) 1321 { 1322 return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0); 1323 } 1324 EXPORT_SYMBOL(security_xfrm_state_alloc); 1325 1326 int security_xfrm_state_alloc_acquire(struct xfrm_state *x, 1327 struct xfrm_sec_ctx *polsec, u32 secid) 1328 { 1329 if (!polsec) 1330 return 0; 1331 /* 1332 * We want the context to be taken from secid which is usually 1333 * from the sock. 1334 */ 1335 return security_ops->xfrm_state_alloc_security(x, NULL, secid); 1336 } 1337 1338 int security_xfrm_state_delete(struct xfrm_state *x) 1339 { 1340 return security_ops->xfrm_state_delete_security(x); 1341 } 1342 EXPORT_SYMBOL(security_xfrm_state_delete); 1343 1344 void security_xfrm_state_free(struct xfrm_state *x) 1345 { 1346 security_ops->xfrm_state_free_security(x); 1347 } 1348 1349 int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) 1350 { 1351 return security_ops->xfrm_policy_lookup(ctx, fl_secid, dir); 1352 } 1353 1354 int security_xfrm_state_pol_flow_match(struct xfrm_state *x, 1355 struct xfrm_policy *xp, 1356 const struct flowi *fl) 1357 { 1358 return security_ops->xfrm_state_pol_flow_match(x, xp, fl); 1359 } 1360 1361 int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) 1362 { 1363 return security_ops->xfrm_decode_session(skb, secid, 1); 1364 } 1365 1366 void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) 1367 { 1368 int rc = security_ops->xfrm_decode_session(skb, &fl->flowi_secid, 0); 1369 1370 BUG_ON(rc); 1371 } 1372 EXPORT_SYMBOL(security_skb_classify_flow); 1373 1374 #endif /* CONFIG_SECURITY_NETWORK_XFRM */ 1375 1376 #ifdef CONFIG_KEYS 1377 1378 int security_key_alloc(struct key *key, const struct cred *cred, 1379 unsigned long flags) 1380 { 1381 return security_ops->key_alloc(key, cred, flags); 1382 } 1383 1384 void security_key_free(struct key *key) 1385 { 1386 security_ops->key_free(key); 1387 } 1388 1389 int security_key_permission(key_ref_t key_ref, 1390 const struct cred *cred, key_perm_t perm) 1391 { 1392 return security_ops->key_permission(key_ref, cred, perm); 1393 } 1394 1395 int security_key_getsecurity(struct key *key, char **_buffer) 1396 { 1397 return security_ops->key_getsecurity(key, _buffer); 1398 } 1399 1400 #endif /* CONFIG_KEYS */ 1401 1402 #ifdef CONFIG_AUDIT 1403 1404 int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) 1405 { 1406 return security_ops->audit_rule_init(field, op, rulestr, lsmrule); 1407 } 1408 1409 int security_audit_rule_known(struct audit_krule *krule) 1410 { 1411 return security_ops->audit_rule_known(krule); 1412 } 1413 1414 void security_audit_rule_free(void *lsmrule) 1415 { 1416 security_ops->audit_rule_free(lsmrule); 1417 } 1418 1419 int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, 1420 struct audit_context *actx) 1421 { 1422 return security_ops->audit_rule_match(secid, field, op, lsmrule, actx); 1423 } 1424 1425 #endif /* CONFIG_AUDIT */
Cache object: ed670060cf20322f5e83a4658f32b055
[ source navigation ] [ diff markup ] [ identifier search ] [ freetext search ] [ file search ] [ list types ] [ track identifier ]