X-Git-Url: http://ftp.safe.ca/?a=blobdiff_plain;f=include%2Flinux%2Fsecurity.h;h=fea1f4aa4dd54e7980fdb02ee9a56885ff303d84;hb=69626f23bce6521367ac1e6a2a6e8fba8f0a848a;hp=c554f60f18e4e1b3399973360bed004c8affdcab;hpb=b385a144ee790f00e8559bcb8024d042863f9be1;p=safe%2Fjmp%2Flinux-2.6 diff --git a/include/linux/security.h b/include/linux/security.h index c554f60..fea1f4a 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -34,7 +34,13 @@ #include #include +extern unsigned securebits; + +/* Maximum number of letters for an LSM name string */ +#define SECURITY_NAME_MAX 10 + struct ctl_table; +struct audit_krule; /* * These functions are in security/capability.c and are used @@ -51,10 +57,15 @@ extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe); extern int cap_bprm_secureexec(struct linux_binprm *bprm); extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags); extern int cap_inode_removexattr(struct dentry *dentry, char *name); +extern int cap_inode_need_killpriv(struct dentry *dentry); +extern int cap_inode_killpriv(struct dentry *dentry); extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); extern void cap_task_reparent_to_init (struct task_struct *p); +extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp); +extern int cap_task_setioprio (struct task_struct *p, int ioprio); +extern int cap_task_setnice (struct task_struct *p, int nice); extern int cap_syslog (int type); -extern int cap_vm_enough_memory (long pages); +extern int cap_vm_enough_memory(struct mm_struct *mm, long pages); struct msghdr; struct sk_buff; @@ -71,6 +82,7 @@ struct xfrm_user_sec_ctx; extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); extern int cap_netlink_recv(struct sk_buff *skb, int cap); +extern unsigned long mmap_min_addr; /* * Values used in the task_security_ops calls */ @@ -99,9 +111,41 @@ struct request_sock; #ifdef CONFIG_SECURITY +struct security_mnt_opts { + char **mnt_opts; + int *mnt_opts_flags; + int num_mnt_opts; +}; + +static inline void security_init_mnt_opts(struct security_mnt_opts *opts) +{ + opts->mnt_opts = NULL; + opts->mnt_opts_flags = NULL; + opts->num_mnt_opts = 0; +} + +static inline void security_free_mnt_opts(struct security_mnt_opts *opts) +{ + int i; + if (opts->mnt_opts) + for(i = 0; i < opts->num_mnt_opts; i++) + kfree(opts->mnt_opts[i]); + kfree(opts->mnt_opts); + opts->mnt_opts = NULL; + kfree(opts->mnt_opts_flags); + opts->mnt_opts_flags = NULL; + opts->num_mnt_opts = 0; +} + /** * struct security_operations - main security structure * + * Security module identifier. + * + * @name: + * A string that acts as a unique identifeir for the LSM with max number + * of characters = SECURITY_NAME_MAX. + * * Security hooks for program execution operations. * * @bprm_alloc_security: @@ -229,9 +273,6 @@ struct request_sock; * @mnt contains the mounted file system. * @flags contains the new filesystem flags. * @data contains the filesystem-specific data. - * @sb_post_mountroot: - * Update the security module's state when the root filesystem is mounted. - * This hook is only called if the mount was successful. * @sb_post_addmount: * Update the security module's state when a filesystem is mounted. * This hook is called any time a mount is successfully grafetd to @@ -247,6 +288,22 @@ struct request_sock; * Update module state after a successful pivot. * @old_nd contains the nameidata structure for the old root. * @new_nd contains the nameidata structure for the new root. + * @sb_get_mnt_opts: + * Get the security relevant mount options used for a superblock + * @sb the superblock to get security mount options from + * @opts binary data structure containing all lsm mount data + * @sb_set_mnt_opts: + * Set the security relevant mount options used for a superblock + * @sb the superblock to set security mount options for + * @opts binary data structure containing all lsm mount data + * @sb_clone_mnt_opts: + * Copy all security options from a given superblock to another + * @oldsb old superblock which contain information to clone + * @newsb new superblock which needs filled in + * @sb_parse_opts_str: + * Parse a string of security data filling in the opts structure + * @options string containing all mount options known by the LSM + * @opts binary data structure usable by the LSM * * Security hooks for inode operations. * @@ -322,7 +379,7 @@ struct request_sock; * @dir contains the inode structure of parent of the new file. * @dentry contains the dentry structure of the new file. * @mode contains the mode of the new file. - * @dev contains the the device number. + * @dev contains the device number. * Return 0 if permission is granted. * @inode_rename: * Check for permission to rename a file or directory. @@ -390,15 +447,12 @@ struct request_sock; * identified by @name for @dentry. * Return 0 if permission is granted. * @inode_getsecurity: - * Copy the extended attribute representation of the security label - * associated with @name for @inode into @buffer. @buffer may be - * NULL to request the size of the buffer required. @size indicates - * the size of @buffer in bytes. Note that @name is the remainder - * of the attribute name after the security. prefix has been removed. - * @err is the return value from the preceding fs getxattr call, - * and can be used by the security module to determine whether it - * should try and canonicalize the attribute value. - * Return number of bytes used/required on success. + * Retrieve a copy of the extended attribute representation of the + * security label associated with @name for @inode via @buffer. Note that + * @name is the remainder of the attribute name after the security prefix + * has been removed. @alloc is used to specify of the call should return a + * value via the buffer or just the value length Return size of buffer on + * success. * @inode_setsecurity: * Set the security label associated with @name for @inode from the * extended attribute value @value. @size indicates the size of the @@ -412,6 +466,23 @@ struct request_sock; * is specified by @buffer_size. @buffer may be NULL to request * the size of the buffer required. * Returns number of bytes used/required on success. + * @inode_need_killpriv: + * Called when an inode has been changed. + * @dentry is the dentry being changed. + * Return <0 on error to abort the inode change operation. + * Return 0 if inode_killpriv does not need to be called. + * Return >0 if inode_killpriv does need to be called. + * @inode_killpriv: + * The setuid bit is being removed. Remove similar security labels. + * Called with the dentry->d_inode->i_mutex held. + * @dentry is the dentry being changed. + * Return 0 on success. If error is returned, then the operation + * causing setuid bit removal is failed. + * @inode_getsecid: + * Get the secid associated with the node. + * @inode contains a pointer to the inode. + * @secid contains a pointer to the location where result will be saved. + * In case of failure, @secid will be set to zero. * * Security hooks for file operations * @@ -503,6 +574,13 @@ struct request_sock; * @file contains the file structure being received. * Return 0 if permission is granted. * + * Security hook for dentry + * + * @dentry_open + * Save open-time permission checking state for later use upon + * file_permission, and recheck access if anything has changed + * since inode_permission. + * * Security hooks for task operations. * * @task_create: @@ -573,6 +651,8 @@ struct request_sock; * @task_getsecid: * Retrieve the security identifier of the process @p. * @p contains the task_struct for the process and place is into @secid. + * In case of failure, @secid will be set to zero. + * * @task_setgroups: * Check permission before setting the supplementary group set of the * current process. @@ -799,9 +879,11 @@ struct request_sock; * incoming sk_buff @skb has been associated with a particular socket, @sk. * @sk contains the sock (not socket) associated with the incoming sk_buff. * @skb contains the incoming network data. - * @socket_getpeersec: + * @socket_getpeersec_stream: * This hook allows the security module to provide peer socket security - * state to userspace via getsockopt SO_GETPEERSEC. + * state for unix or connected tcp sockets to userspace via getsockopt + * SO_GETPEERSEC. For tcp sockets this can be meaningful if the + * socket is associated with an ipsec SA. * @sock is the local socket. * @optval userspace memory where the security state is to be copied. * @optlen userspace int where the module should copy the actual length @@ -810,6 +892,17 @@ struct request_sock; * by the caller. * Return 0 if all is well, otherwise, typical getsockopt return * values. + * @socket_getpeersec_dgram: + * This hook allows the security module to provide peer socket security + * state for udp sockets on a per-packet basis to userspace via + * getsockopt SO_GETPEERSEC. The application must first have indicated + * the IP_PASSSEC option via getsockopt. It can then retrieve the + * security state returned by this hook for a packet via the SCM_SECURITY + * ancillary message type. + * @skb is the skbuff for the packet being queried + * @secdata is a pointer to a buffer in which to copy the security data + * @seclen is the maximum length for @secdata + * Return 0 on success, error on failure. * @sk_alloc_security: * Allocate and attach a security structure to the sk->sk_security field, * which is used to copy security attributes between local stream sockets. @@ -834,24 +927,24 @@ struct request_sock; * Security hooks for XFRM operations. * * @xfrm_policy_alloc_security: - * @xp contains the xfrm_policy being added to Security Policy Database - * used by the XFRM system. + * @ctxp is a pointer to the xfrm_sec_ctx being added to Security Policy + * Database used by the XFRM system. * @sec_ctx contains the security context information being provided by * the user-level policy update program (e.g., setkey). * Allocate a security structure to the xp->security field; the security * field is initialized to NULL when the xfrm_policy is allocated. * Return 0 if operation was successful (memory to allocate, legal context) * @xfrm_policy_clone_security: - * @old contains an existing xfrm_policy in the SPD. - * @new contains a new xfrm_policy being cloned from old. - * Allocate a security structure to the new->security field - * that contains the information from the old->security field. + * @old_ctx contains an existing xfrm_sec_ctx. + * @new_ctxp contains a new xfrm_sec_ctx being cloned from old. + * Allocate a security structure in new_ctxp that contains the + * information from the old_ctx structure. * Return 0 if operation was successful (memory to allocate). * @xfrm_policy_free_security: - * @xp contains the xfrm_policy + * @ctx contains the xfrm_sec_ctx * Deallocate xp->security. * @xfrm_policy_delete_security: - * @xp contains the xfrm_policy. + * @ctx contains the xfrm_sec_ctx. * Authorize deletion of xp->security. * @xfrm_state_alloc_security: * @x contains the xfrm_state being added to the Security Association @@ -871,7 +964,7 @@ struct request_sock; * @x contains the xfrm_state. * Authorize deletion of x->security. * @xfrm_policy_lookup: - * @xp contains the xfrm_policy for which the access control is being + * @ctx contains the xfrm_sec_ctx for which the access control is being * checked. * @fl_secid contains the flow security label that is used to authorize * access to the policy xp. @@ -921,6 +1014,11 @@ struct request_sock; * @ipcp contains the kernel IPC permission structure * @flag contains the desired (requested) permission set * Return 0 if permission is granted. + * @ipc_getsecid: + * Get the secid associated with the ipc object. + * @ipcp contains the kernel IPC permission structure. + * @secid contains a pointer to the location where result will be saved. + * In case of failure, @secid will be set to zero. * * Security hooks for individual messages held in System V IPC message queues * @msg_msg_alloc_security: @@ -1124,6 +1222,7 @@ struct request_sock; * Return 0 if permission is granted. * @vm_enough_memory: * Check permissions for allocating a new virtual mapping. + * @mm contains the mm struct it is being added to. * @pages contains the number of pages. * Return 0 if permission is granted. * @@ -1131,24 +1230,57 @@ struct request_sock; * allow module stacking. * @name contains the name of the security module being stacked. * @ops contains a pointer to the struct security_operations of the module to stack. - * @unregister_security: - * remove a stacked module. - * @name contains the name of the security module being unstacked. - * @ops contains a pointer to the struct security_operations of the module to unstack. * * @secid_to_secctx: * Convert secid to security context. * @secid contains the security ID. * @secdata contains the pointer that stores the converted security context. + * @secctx_to_secid: + * Convert security context to secid. + * @secid contains the pointer to the generated security ID. + * @secdata contains the security context. * * @release_secctx: * Release the security context. * @secdata contains the security context. * @seclen contains the length of the security context. * + * Security hooks for Audit + * + * @audit_rule_init: + * Allocate and initialize an LSM audit rule structure. + * @field contains the required Audit action. Fields flags are defined in include/linux/audit.h + * @op contains the operator the rule uses. + * @rulestr contains the context where the rule will be applied to. + * @lsmrule contains a pointer to receive the result. + * Return 0 if @lsmrule has been successfully set, + * -EINVAL in case of an invalid rule. + * + * @audit_rule_known: + * Specifies whether given @rule contains any fields related to current LSM. + * @rule contains the audit rule of interest. + * Return 1 in case of relation found, 0 otherwise. + * + * @audit_rule_match: + * Determine if given @secid matches a rule previously approved + * by @audit_rule_known. + * @secid contains the security id in question. + * @field contains the field which relates to current LSM. + * @op contains the operator that will be used for matching. + * @rule points to the audit rule that will be checked against. + * @actx points to the audit context associated with the check. + * Return 1 if secid matches the rule, 0 if it does not, -ERRNO on failure. + * + * @audit_rule_free: + * Deallocate the LSM audit rule structure previously allocated by + * audit_rule_init. + * @rule contains the allocated rule + * * This is the main security structure. */ struct security_operations { + char name[SECURITY_NAME_MAX + 1]; + int (*ptrace) (struct task_struct * parent, struct task_struct * child); int (*capget) (struct task_struct * target, kernel_cap_t * effective, @@ -1168,7 +1300,7 @@ struct security_operations { int (*quota_on) (struct dentry * dentry); int (*syslog) (int type); int (*settime) (struct timespec *ts, struct timezone *tz); - int (*vm_enough_memory) (long pages); + int (*vm_enough_memory) (struct mm_struct *mm, long pages); int (*bprm_alloc_security) (struct linux_binprm * bprm); void (*bprm_free_security) (struct linux_binprm * bprm); @@ -1180,8 +1312,7 @@ struct security_operations { int (*sb_alloc_security) (struct super_block * sb); void (*sb_free_security) (struct super_block * sb); - int (*sb_copy_data)(struct file_system_type *type, - void *orig, void *copy); + int (*sb_copy_data)(char *orig, char *copy); int (*sb_kern_mount) (struct super_block *sb, void *data); int (*sb_statfs) (struct dentry *dentry); int (*sb_mount) (char *dev_name, struct nameidata * nd, @@ -1192,13 +1323,19 @@ struct security_operations { void (*sb_umount_busy) (struct vfsmount * mnt); void (*sb_post_remount) (struct vfsmount * mnt, unsigned long flags, void *data); - void (*sb_post_mountroot) (void); void (*sb_post_addmount) (struct vfsmount * mnt, struct nameidata * mountpoint_nd); int (*sb_pivotroot) (struct nameidata * old_nd, struct nameidata * new_nd); void (*sb_post_pivotroot) (struct nameidata * old_nd, struct nameidata * new_nd); + int (*sb_get_mnt_opts) (const struct super_block *sb, + struct security_mnt_opts *opts); + int (*sb_set_mnt_opts) (struct super_block *sb, + struct security_mnt_opts *opts); + void (*sb_clone_mnt_opts) (const struct super_block *oldsb, + struct super_block *newsb); + int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts); int (*inode_alloc_security) (struct inode *inode); void (*inode_free_security) (struct inode *inode); @@ -1230,10 +1367,12 @@ struct security_operations { int (*inode_getxattr) (struct dentry *dentry, char *name); int (*inode_listxattr) (struct dentry *dentry); int (*inode_removexattr) (struct dentry *dentry, char *name); - const char *(*inode_xattr_getsuffix) (void); - int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err); + int (*inode_need_killpriv) (struct dentry *dentry); + int (*inode_killpriv) (struct dentry *dentry); + int (*inode_getsecurity)(const struct inode *inode, const char *name, void **buffer, bool alloc); int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); + void (*inode_getsecid)(const struct inode *inode, u32 *secid); int (*file_permission) (struct file * file, int mask); int (*file_alloc_security) (struct file * file); @@ -1241,8 +1380,9 @@ struct security_operations { int (*file_ioctl) (struct file * file, unsigned int cmd, unsigned long arg); int (*file_mmap) (struct file * file, - unsigned long reqprot, - unsigned long prot, unsigned long flags); + unsigned long reqprot, unsigned long prot, + unsigned long flags, unsigned long addr, + unsigned long addr_only); int (*file_mprotect) (struct vm_area_struct * vma, unsigned long reqprot, unsigned long prot); @@ -1253,6 +1393,7 @@ struct security_operations { int (*file_send_sigiotask) (struct task_struct * tsk, struct fown_struct * fown, int sig); int (*file_receive) (struct file * file); + int (*dentry_open) (struct file *file); int (*task_create) (unsigned long clone_flags); int (*task_alloc_security) (struct task_struct * p); @@ -1284,6 +1425,7 @@ struct security_operations { void (*task_to_inode)(struct task_struct *p, struct inode *inode); int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); + void (*ipc_getsecid) (struct kern_ipc_perm *ipcp, u32 *secid); int (*msg_msg_alloc_security) (struct msg_msg * msg); void (*msg_msg_free_security) (struct msg_msg * msg); @@ -1319,14 +1461,13 @@ struct security_operations { /* allow module stacking */ int (*register_security) (const char *name, struct security_operations *ops); - int (*unregister_security) (const char *name, - struct security_operations *ops); void (*d_instantiate) (struct dentry *dentry, struct inode *inode); - int (*getprocattr)(struct task_struct *p, char *name, void *value, size_t size); + int (*getprocattr)(struct task_struct *p, char *name, char **value); int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen); + int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid); void (*release_secctx)(char *secdata, u32 seclen); #ifdef CONFIG_SECURITY_NETWORK @@ -1370,17 +1511,17 @@ struct security_operations { #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM - int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, + int (*xfrm_policy_alloc_security) (struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx); - int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new); - void (*xfrm_policy_free_security) (struct xfrm_policy *xp); - int (*xfrm_policy_delete_security) (struct xfrm_policy *xp); + int (*xfrm_policy_clone_security) (struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctx); + void (*xfrm_policy_free_security) (struct xfrm_sec_ctx *ctx); + int (*xfrm_policy_delete_security) (struct xfrm_sec_ctx *ctx); int (*xfrm_state_alloc_security) (struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx, u32 secid); void (*xfrm_state_free_security) (struct xfrm_state *x); int (*xfrm_state_delete_security) (struct xfrm_state *x); - int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir); + int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); int (*xfrm_state_pol_flow_match)(struct xfrm_state *x, struct xfrm_policy *xp, struct flowi *fl); int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall); @@ -1396,15 +1537,213 @@ struct security_operations { #endif /* CONFIG_KEYS */ +#ifdef CONFIG_AUDIT + int (*audit_rule_init)(u32 field, u32 op, char *rulestr, void **lsmrule); + int (*audit_rule_known)(struct audit_krule *krule); + int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule, + struct audit_context *actx); + void (*audit_rule_free)(void *lsmrule); +#endif /* CONFIG_AUDIT */ +}; + +/* prototypes */ +extern int security_init (void); +extern int security_module_enable(struct security_operations *ops); +extern int register_security (struct security_operations *ops); +extern int mod_reg_security (const char *name, struct security_operations *ops); +extern struct dentry *securityfs_create_file(const char *name, mode_t mode, + struct dentry *parent, void *data, + const struct file_operations *fops); +extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent); +extern void securityfs_remove(struct dentry *dentry); + + +/* Security operations */ +int security_ptrace(struct task_struct *parent, struct task_struct *child); +int security_capget(struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted); +int security_capset_check(struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted); +void security_capset_set(struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted); +int security_capable(struct task_struct *tsk, int cap); +int security_acct(struct file *file); +int security_sysctl(struct ctl_table *table, int op); +int security_quotactl(int cmds, int type, int id, struct super_block *sb); +int security_quota_on(struct dentry *dentry); +int security_syslog(int type); +int security_settime(struct timespec *ts, struct timezone *tz); +int security_vm_enough_memory(long pages); +int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); +int security_bprm_alloc(struct linux_binprm *bprm); +void security_bprm_free(struct linux_binprm *bprm); +void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe); +void security_bprm_post_apply_creds(struct linux_binprm *bprm); +int security_bprm_set(struct linux_binprm *bprm); +int security_bprm_check(struct linux_binprm *bprm); +int security_bprm_secureexec(struct linux_binprm *bprm); +int security_sb_alloc(struct super_block *sb); +void security_sb_free(struct super_block *sb); +int security_sb_copy_data(char *orig, char *copy); +int security_sb_kern_mount(struct super_block *sb, void *data); +int security_sb_statfs(struct dentry *dentry); +int security_sb_mount(char *dev_name, struct nameidata *nd, + char *type, unsigned long flags, void *data); +int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd); +int security_sb_umount(struct vfsmount *mnt, int flags); +void security_sb_umount_close(struct vfsmount *mnt); +void security_sb_umount_busy(struct vfsmount *mnt); +void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data); +void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd); +int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); +void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); +int security_sb_get_mnt_opts(const struct super_block *sb, + struct security_mnt_opts *opts); +int security_sb_set_mnt_opts(struct super_block *sb, struct security_mnt_opts *opts); +void security_sb_clone_mnt_opts(const struct super_block *oldsb, + struct super_block *newsb); +int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts); + +int security_inode_alloc(struct inode *inode); +void security_inode_free(struct inode *inode); +int security_inode_init_security(struct inode *inode, struct inode *dir, + char **name, void **value, size_t *len); +int security_inode_create(struct inode *dir, struct dentry *dentry, int mode); +int security_inode_link(struct dentry *old_dentry, struct inode *dir, + struct dentry *new_dentry); +int security_inode_unlink(struct inode *dir, struct dentry *dentry); +int security_inode_symlink(struct inode *dir, struct dentry *dentry, + const char *old_name); +int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode); +int security_inode_rmdir(struct inode *dir, struct dentry *dentry); +int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev); +int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry, + struct inode *new_dir, struct dentry *new_dentry); +int security_inode_readlink(struct dentry *dentry); +int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd); +int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd); +int security_inode_setattr(struct dentry *dentry, struct iattr *attr); +int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry); +void security_inode_delete(struct inode *inode); +int security_inode_setxattr(struct dentry *dentry, char *name, + void *value, size_t size, int flags); +void security_inode_post_setxattr(struct dentry *dentry, char *name, + void *value, size_t size, int flags); +int security_inode_getxattr(struct dentry *dentry, char *name); +int security_inode_listxattr(struct dentry *dentry); +int security_inode_removexattr(struct dentry *dentry, char *name); +int security_inode_need_killpriv(struct dentry *dentry); +int security_inode_killpriv(struct dentry *dentry); +int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc); +int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); +int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); +void security_inode_getsecid(const struct inode *inode, u32 *secid); +int security_file_permission(struct file *file, int mask); +int security_file_alloc(struct file *file); +void security_file_free(struct file *file); +int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg); +int security_file_mmap(struct file *file, unsigned long reqprot, + unsigned long prot, unsigned long flags, + unsigned long addr, unsigned long addr_only); +int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, + unsigned long prot); +int security_file_lock(struct file *file, unsigned int cmd); +int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg); +int security_file_set_fowner(struct file *file); +int security_file_send_sigiotask(struct task_struct *tsk, + struct fown_struct *fown, int sig); +int security_file_receive(struct file *file); +int security_dentry_open(struct file *file); +int security_task_create(unsigned long clone_flags); +int security_task_alloc(struct task_struct *p); +void security_task_free(struct task_struct *p); +int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); +int security_task_post_setuid(uid_t old_ruid, uid_t old_euid, + uid_t old_suid, int flags); +int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags); +int security_task_setpgid(struct task_struct *p, pid_t pgid); +int security_task_getpgid(struct task_struct *p); +int security_task_getsid(struct task_struct *p); +void security_task_getsecid(struct task_struct *p, u32 *secid); +int security_task_setgroups(struct group_info *group_info); +int security_task_setnice(struct task_struct *p, int nice); +int security_task_setioprio(struct task_struct *p, int ioprio); +int security_task_getioprio(struct task_struct *p); +int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim); +int security_task_setscheduler(struct task_struct *p, + int policy, struct sched_param *lp); +int security_task_getscheduler(struct task_struct *p); +int security_task_movememory(struct task_struct *p); +int security_task_kill(struct task_struct *p, struct siginfo *info, + int sig, u32 secid); +int security_task_wait(struct task_struct *p); +int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5); +void security_task_reparent_to_init(struct task_struct *p); +void security_task_to_inode(struct task_struct *p, struct inode *inode); +int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); +void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid); +int security_msg_msg_alloc(struct msg_msg *msg); +void security_msg_msg_free(struct msg_msg *msg); +int security_msg_queue_alloc(struct msg_queue *msq); +void security_msg_queue_free(struct msg_queue *msq); +int security_msg_queue_associate(struct msg_queue *msq, int msqflg); +int security_msg_queue_msgctl(struct msg_queue *msq, int cmd); +int security_msg_queue_msgsnd(struct msg_queue *msq, + struct msg_msg *msg, int msqflg); +int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, + struct task_struct *target, long type, int mode); +int security_shm_alloc(struct shmid_kernel *shp); +void security_shm_free(struct shmid_kernel *shp); +int security_shm_associate(struct shmid_kernel *shp, int shmflg); +int security_shm_shmctl(struct shmid_kernel *shp, int cmd); +int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg); +int security_sem_alloc(struct sem_array *sma); +void security_sem_free(struct sem_array *sma); +int security_sem_associate(struct sem_array *sma, int semflg); +int security_sem_semctl(struct sem_array *sma, int cmd); +int security_sem_semop(struct sem_array *sma, struct sembuf *sops, + unsigned nsops, int alter); +void security_d_instantiate (struct dentry *dentry, struct inode *inode); +int security_getprocattr(struct task_struct *p, char *name, char **value); +int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size); +int security_netlink_send(struct sock *sk, struct sk_buff *skb); +int security_netlink_recv(struct sk_buff *skb, int cap); +int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); +int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid); +void security_release_secctx(char *secdata, u32 seclen); + +#else /* CONFIG_SECURITY */ +struct security_mnt_opts { }; -/* global variables */ -extern struct security_operations *security_ops; +static inline void security_init_mnt_opts(struct security_mnt_opts *opts) +{ +} + +static inline void security_free_mnt_opts(struct security_mnt_opts *opts) +{ +} + +/* + * This is the default capabilities functionality. Most of these functions + * are just stubbed out, but a few must call the proper capable code. + */ + +static inline int security_init(void) +{ + return 0; +} -/* inline stuff */ -static inline int security_ptrace (struct task_struct * parent, struct task_struct * child) +static inline int security_ptrace (struct task_struct *parent, struct task_struct * child) { - return security_ops->ptrace (parent, child); + return cap_ptrace (parent, child); } static inline int security_capget (struct task_struct *target, @@ -1412,7 +1751,7 @@ static inline int security_capget (struct task_struct *target, kernel_cap_t *inheritable, kernel_cap_t *permitted) { - return security_ops->capget (target, effective, inheritable, permitted); + return cap_capget (target, effective, inheritable, permitted); } static inline int security_capset_check (struct task_struct *target, @@ -1420,7 +1759,7 @@ static inline int security_capset_check (struct task_struct *target, kernel_cap_t *inheritable, kernel_cap_t *permitted) { - return security_ops->capset_check (target, effective, inheritable, permitted); + return cap_capset_check (target, effective, inheritable, permitted); } static inline void security_capset_set (struct task_struct *target, @@ -1428,246 +1767,236 @@ static inline void security_capset_set (struct task_struct *target, kernel_cap_t *inheritable, kernel_cap_t *permitted) { - security_ops->capset_set (target, effective, inheritable, permitted); + cap_capset_set (target, effective, inheritable, permitted); } static inline int security_capable(struct task_struct *tsk, int cap) { - return security_ops->capable(tsk, cap); + return cap_capable(tsk, cap); } static inline int security_acct (struct file *file) { - return security_ops->acct (file); + return 0; } static inline int security_sysctl(struct ctl_table *table, int op) { - return security_ops->sysctl(table, op); + return 0; } static inline int security_quotactl (int cmds, int type, int id, - struct super_block *sb) + struct super_block * sb) { - return security_ops->quotactl (cmds, type, id, sb); + return 0; } static inline int security_quota_on (struct dentry * dentry) { - return security_ops->quota_on (dentry); + return 0; } static inline int security_syslog(int type) { - return security_ops->syslog(type); + return cap_syslog(type); } static inline int security_settime(struct timespec *ts, struct timezone *tz) { - return security_ops->settime(ts, tz); + return cap_settime(ts, tz); } - static inline int security_vm_enough_memory(long pages) { - return security_ops->vm_enough_memory(pages); + return cap_vm_enough_memory(current->mm, pages); } -static inline int security_bprm_alloc (struct linux_binprm *bprm) +static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) { - return security_ops->bprm_alloc_security (bprm); + return cap_vm_enough_memory(mm, pages); } -static inline void security_bprm_free (struct linux_binprm *bprm) + +static inline int security_bprm_alloc (struct linux_binprm *bprm) { - security_ops->bprm_free_security (bprm); + return 0; } + +static inline void security_bprm_free (struct linux_binprm *bprm) +{ } + static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) -{ - security_ops->bprm_apply_creds (bprm, unsafe); +{ + cap_bprm_apply_creds (bprm, unsafe); } + static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) { - security_ops->bprm_post_apply_creds (bprm); + return; } + static inline int security_bprm_set (struct linux_binprm *bprm) { - return security_ops->bprm_set_security (bprm); + return cap_bprm_set_security (bprm); } static inline int security_bprm_check (struct linux_binprm *bprm) { - return security_ops->bprm_check_security (bprm); + return 0; } static inline int security_bprm_secureexec (struct linux_binprm *bprm) { - return security_ops->bprm_secureexec (bprm); + return cap_bprm_secureexec(bprm); } static inline int security_sb_alloc (struct super_block *sb) { - return security_ops->sb_alloc_security (sb); + return 0; } static inline void security_sb_free (struct super_block *sb) -{ - security_ops->sb_free_security (sb); -} +{ } -static inline int security_sb_copy_data (struct file_system_type *type, - void *orig, void *copy) +static inline int security_sb_copy_data (char *orig, char *copy) { - return security_ops->sb_copy_data (type, orig, copy); + return 0; } static inline int security_sb_kern_mount (struct super_block *sb, void *data) { - return security_ops->sb_kern_mount (sb, data); + return 0; } static inline int security_sb_statfs (struct dentry *dentry) { - return security_ops->sb_statfs (dentry); + return 0; } static inline int security_sb_mount (char *dev_name, struct nameidata *nd, char *type, unsigned long flags, void *data) { - return security_ops->sb_mount (dev_name, nd, type, flags, data); + return 0; } static inline int security_sb_check_sb (struct vfsmount *mnt, struct nameidata *nd) { - return security_ops->sb_check_sb (mnt, nd); + return 0; } static inline int security_sb_umount (struct vfsmount *mnt, int flags) { - return security_ops->sb_umount (mnt, flags); + return 0; } static inline void security_sb_umount_close (struct vfsmount *mnt) -{ - security_ops->sb_umount_close (mnt); -} +{ } static inline void security_sb_umount_busy (struct vfsmount *mnt) -{ - security_ops->sb_umount_busy (mnt); -} +{ } static inline void security_sb_post_remount (struct vfsmount *mnt, unsigned long flags, void *data) -{ - security_ops->sb_post_remount (mnt, flags, data); -} - -static inline void security_sb_post_mountroot (void) -{ - security_ops->sb_post_mountroot (); -} +{ } static inline void security_sb_post_addmount (struct vfsmount *mnt, struct nameidata *mountpoint_nd) -{ - security_ops->sb_post_addmount (mnt, mountpoint_nd); -} +{ } static inline int security_sb_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) { - return security_ops->sb_pivotroot (old_nd, new_nd); + return 0; } static inline void security_sb_post_pivotroot (struct nameidata *old_nd, struct nameidata *new_nd) +{ } +static inline int security_sb_get_mnt_opts(const struct super_block *sb, + struct security_mnt_opts *opts) { - security_ops->sb_post_pivotroot (old_nd, new_nd); + security_init_mnt_opts(opts); + return 0; } -static inline int security_inode_alloc (struct inode *inode) +static inline int security_sb_set_mnt_opts(struct super_block *sb, + struct security_mnt_opts *opts) +{ + return 0; +} + +static inline void security_sb_clone_mnt_opts(const struct super_block *oldsb, + struct super_block *newsb) +{ } + +static inline int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts) { - inode->i_security = NULL; - return security_ops->inode_alloc_security (inode); + return 0; } -static inline void security_inode_free (struct inode *inode) +static inline int security_inode_alloc (struct inode *inode) { - security_ops->inode_free_security (inode); + return 0; } +static inline void security_inode_free (struct inode *inode) +{ } + static inline int security_inode_init_security (struct inode *inode, struct inode *dir, char **name, void **value, size_t *len) { - if (unlikely (IS_PRIVATE (inode))) - return -EOPNOTSUPP; - return security_ops->inode_init_security (inode, dir, name, value, len); + return -EOPNOTSUPP; } static inline int security_inode_create (struct inode *dir, struct dentry *dentry, int mode) { - if (unlikely (IS_PRIVATE (dir))) - return 0; - return security_ops->inode_create (dir, dentry, mode); + return 0; } static inline int security_inode_link (struct dentry *old_dentry, struct inode *dir, struct dentry *new_dentry) { - if (unlikely (IS_PRIVATE (old_dentry->d_inode))) - return 0; - return security_ops->inode_link (old_dentry, dir, new_dentry); + return 0; } static inline int security_inode_unlink (struct inode *dir, struct dentry *dentry) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_unlink (dir, dentry); + return 0; } static inline int security_inode_symlink (struct inode *dir, struct dentry *dentry, const char *old_name) { - if (unlikely (IS_PRIVATE (dir))) - return 0; - return security_ops->inode_symlink (dir, dentry, old_name); + return 0; } static inline int security_inode_mkdir (struct inode *dir, struct dentry *dentry, int mode) { - if (unlikely (IS_PRIVATE (dir))) - return 0; - return security_ops->inode_mkdir (dir, dentry, mode); + return 0; } static inline int security_inode_rmdir (struct inode *dir, struct dentry *dentry) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_rmdir (dir, dentry); + return 0; } static inline int security_inode_mknod (struct inode *dir, struct dentry *dentry, int mode, dev_t dev) { - if (unlikely (IS_PRIVATE (dir))) - return 0; - return security_ops->inode_mknod (dir, dentry, mode, dev); + return 0; } static inline int security_inode_rename (struct inode *old_dir, @@ -1675,291 +2004,268 @@ static inline int security_inode_rename (struct inode *old_dir, struct inode *new_dir, struct dentry *new_dentry) { - if (unlikely (IS_PRIVATE (old_dentry->d_inode) || - (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) - return 0; - return security_ops->inode_rename (old_dir, old_dentry, - new_dir, new_dentry); + return 0; } static inline int security_inode_readlink (struct dentry *dentry) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_readlink (dentry); + return 0; } static inline int security_inode_follow_link (struct dentry *dentry, struct nameidata *nd) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_follow_link (dentry, nd); + return 0; } static inline int security_inode_permission (struct inode *inode, int mask, struct nameidata *nd) { - if (unlikely (IS_PRIVATE (inode))) - return 0; - return security_ops->inode_permission (inode, mask, nd); + return 0; } static inline int security_inode_setattr (struct dentry *dentry, struct iattr *attr) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_setattr (dentry, attr); + return 0; } static inline int security_inode_getattr (struct vfsmount *mnt, struct dentry *dentry) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_getattr (mnt, dentry); + return 0; } static inline void security_inode_delete (struct inode *inode) -{ - if (unlikely (IS_PRIVATE (inode))) - return; - security_ops->inode_delete (inode); -} +{ } static inline int security_inode_setxattr (struct dentry *dentry, char *name, void *value, size_t size, int flags) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_setxattr (dentry, name, value, size, flags); + return cap_inode_setxattr(dentry, name, value, size, flags); } static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, - void *value, size_t size, int flags) -{ - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return; - security_ops->inode_post_setxattr (dentry, name, value, size, flags); -} + void *value, size_t size, int flags) +{ } static inline int security_inode_getxattr (struct dentry *dentry, char *name) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_getxattr (dentry, name); + return 0; } static inline int security_inode_listxattr (struct dentry *dentry) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_listxattr (dentry); + return 0; } static inline int security_inode_removexattr (struct dentry *dentry, char *name) { - if (unlikely (IS_PRIVATE (dentry->d_inode))) - return 0; - return security_ops->inode_removexattr (dentry, name); + return cap_inode_removexattr(dentry, name); +} + +static inline int security_inode_need_killpriv(struct dentry *dentry) +{ + return cap_inode_need_killpriv(dentry); } -static inline const char *security_inode_xattr_getsuffix(void) +static inline int security_inode_killpriv(struct dentry *dentry) { - return security_ops->inode_xattr_getsuffix(); + return cap_inode_killpriv(dentry); } -static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) +static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) { - if (unlikely (IS_PRIVATE (inode))) - return 0; - return security_ops->inode_getsecurity(inode, name, buffer, size, err); + return -EOPNOTSUPP; } static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) { - if (unlikely (IS_PRIVATE (inode))) - return 0; - return security_ops->inode_setsecurity(inode, name, value, size, flags); + return -EOPNOTSUPP; } static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) { - if (unlikely (IS_PRIVATE (inode))) - return 0; - return security_ops->inode_listsecurity(inode, buffer, buffer_size); + return 0; +} + +static inline void security_inode_getsecid(const struct inode *inode, u32 *secid) +{ + *secid = 0; } static inline int security_file_permission (struct file *file, int mask) { - return security_ops->file_permission (file, mask); + return 0; } static inline int security_file_alloc (struct file *file) { - return security_ops->file_alloc_security (file); + return 0; } static inline void security_file_free (struct file *file) -{ - security_ops->file_free_security (file); -} +{ } static inline int security_file_ioctl (struct file *file, unsigned int cmd, unsigned long arg) { - return security_ops->file_ioctl (file, cmd, arg); + return 0; } static inline int security_file_mmap (struct file *file, unsigned long reqprot, unsigned long prot, - unsigned long flags) + unsigned long flags, + unsigned long addr, + unsigned long addr_only) { - return security_ops->file_mmap (file, reqprot, prot, flags); + return 0; } static inline int security_file_mprotect (struct vm_area_struct *vma, unsigned long reqprot, unsigned long prot) { - return security_ops->file_mprotect (vma, reqprot, prot); + return 0; } static inline int security_file_lock (struct file *file, unsigned int cmd) { - return security_ops->file_lock (file, cmd); + return 0; } static inline int security_file_fcntl (struct file *file, unsigned int cmd, unsigned long arg) { - return security_ops->file_fcntl (file, cmd, arg); + return 0; } static inline int security_file_set_fowner (struct file *file) { - return security_ops->file_set_fowner (file); + return 0; } static inline int security_file_send_sigiotask (struct task_struct *tsk, struct fown_struct *fown, int sig) { - return security_ops->file_send_sigiotask (tsk, fown, sig); + return 0; } static inline int security_file_receive (struct file *file) { - return security_ops->file_receive (file); + return 0; +} + +static inline int security_dentry_open (struct file *file) +{ + return 0; } static inline int security_task_create (unsigned long clone_flags) { - return security_ops->task_create (clone_flags); + return 0; } static inline int security_task_alloc (struct task_struct *p) { - return security_ops->task_alloc_security (p); + return 0; } static inline void security_task_free (struct task_struct *p) -{ - security_ops->task_free_security (p); -} +{ } static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, int flags) { - return security_ops->task_setuid (id0, id1, id2, flags); + return 0; } static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags) { - return security_ops->task_post_setuid (old_ruid, old_euid, old_suid, flags); + return cap_task_post_setuid (old_ruid, old_euid, old_suid, flags); } static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, int flags) { - return security_ops->task_setgid (id0, id1, id2, flags); + return 0; } static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) { - return security_ops->task_setpgid (p, pgid); + return 0; } static inline int security_task_getpgid (struct task_struct *p) { - return security_ops->task_getpgid (p); + return 0; } static inline int security_task_getsid (struct task_struct *p) { - return security_ops->task_getsid (p); + return 0; } static inline void security_task_getsecid (struct task_struct *p, u32 *secid) { - security_ops->task_getsecid (p, secid); + *secid = 0; } static inline int security_task_setgroups (struct group_info *group_info) { - return security_ops->task_setgroups (group_info); + return 0; } static inline int security_task_setnice (struct task_struct *p, int nice) { - return security_ops->task_setnice (p, nice); + return cap_task_setnice(p, nice); } static inline int security_task_setioprio (struct task_struct *p, int ioprio) { - return security_ops->task_setioprio (p, ioprio); + return cap_task_setioprio(p, ioprio); } static inline int security_task_getioprio (struct task_struct *p) { - return security_ops->task_getioprio (p); + return 0; } static inline int security_task_setrlimit (unsigned int resource, struct rlimit *new_rlim) { - return security_ops->task_setrlimit (resource, new_rlim); + return 0; } static inline int security_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp) { - return security_ops->task_setscheduler (p, policy, lp); + return cap_task_setscheduler(p, policy, lp); } static inline int security_task_getscheduler (struct task_struct *p) { - return security_ops->task_getscheduler (p); + return 0; } static inline int security_task_movememory (struct task_struct *p) { - return security_ops->task_movememory (p); + return 0; } static inline int security_task_kill (struct task_struct *p, struct siginfo *info, int sig, u32 secid) { - return security_ops->task_kill (p, info, sig, secid); + return 0; } static inline int security_task_wait (struct task_struct *p) { - return security_ops->task_wait (p); + return 0; } static inline int security_task_prctl (int option, unsigned long arg2, @@ -1967,60 +2273,59 @@ static inline int security_task_prctl (int option, unsigned long arg2, unsigned long arg4, unsigned long arg5) { - return security_ops->task_prctl (option, arg2, arg3, arg4, arg5); + return 0; } static inline void security_task_reparent_to_init (struct task_struct *p) { - security_ops->task_reparent_to_init (p); + cap_task_reparent_to_init (p); } static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) -{ - security_ops->task_to_inode(p, inode); -} +{ } static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, short flag) { - return security_ops->ipc_permission (ipcp, flag); + return 0; } -static inline int security_msg_msg_alloc (struct msg_msg * msg) +static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) { - return security_ops->msg_msg_alloc_security (msg); + *secid = 0; } -static inline void security_msg_msg_free (struct msg_msg * msg) +static inline int security_msg_msg_alloc (struct msg_msg * msg) { - security_ops->msg_msg_free_security(msg); + return 0; } +static inline void security_msg_msg_free (struct msg_msg * msg) +{ } + static inline int security_msg_queue_alloc (struct msg_queue *msq) { - return security_ops->msg_queue_alloc_security (msq); + return 0; } static inline void security_msg_queue_free (struct msg_queue *msq) -{ - security_ops->msg_queue_free_security (msq); -} +{ } static inline int security_msg_queue_associate (struct msg_queue * msq, int msqflg) { - return security_ops->msg_queue_associate (msq, msqflg); + return 0; } static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) { - return security_ops->msg_queue_msgctl (msq, cmd); + return 0; } static inline int security_msg_queue_msgsnd (struct msg_queue * msq, struct msg_msg * msg, int msqflg) { - return security_ops->msg_queue_msgsnd (msq, msg, msqflg); + return 0; } static inline int security_msg_queue_msgrcv (struct msg_queue * msq, @@ -2028,769 +2333,111 @@ static inline int security_msg_queue_msgrcv (struct msg_queue * msq, struct task_struct * target, long type, int mode) { - return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode); + return 0; } static inline int security_shm_alloc (struct shmid_kernel *shp) { - return security_ops->shm_alloc_security (shp); + return 0; } static inline void security_shm_free (struct shmid_kernel *shp) -{ - security_ops->shm_free_security (shp); -} +{ } static inline int security_shm_associate (struct shmid_kernel * shp, int shmflg) { - return security_ops->shm_associate(shp, shmflg); + return 0; } static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) { - return security_ops->shm_shmctl (shp, cmd); + return 0; } static inline int security_shm_shmat (struct shmid_kernel * shp, char __user *shmaddr, int shmflg) { - return security_ops->shm_shmat(shp, shmaddr, shmflg); + return 0; } static inline int security_sem_alloc (struct sem_array *sma) { - return security_ops->sem_alloc_security (sma); + return 0; } static inline void security_sem_free (struct sem_array *sma) -{ - security_ops->sem_free_security (sma); -} +{ } static inline int security_sem_associate (struct sem_array * sma, int semflg) { - return security_ops->sem_associate (sma, semflg); + return 0; } static inline int security_sem_semctl (struct sem_array * sma, int cmd) { - return security_ops->sem_semctl(sma, cmd); + return 0; } static inline int security_sem_semop (struct sem_array * sma, struct sembuf * sops, unsigned nsops, int alter) { - return security_ops->sem_semop(sma, sops, nsops, alter); + return 0; } static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) +{ } + +static inline int security_getprocattr(struct task_struct *p, char *name, char **value) +{ + return -EINVAL; +} + +static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) { - if (unlikely (inode && IS_PRIVATE (inode))) - return; - security_ops->d_instantiate (dentry, inode); + return -EINVAL; } -static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) +static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb) { - return security_ops->getprocattr(p, name, value, size); + return cap_netlink_send (sk, skb); } -static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) +static inline int security_netlink_recv (struct sk_buff *skb, int cap) { - return security_ops->setprocattr(p, name, value, size); + return cap_netlink_recv (skb, cap); +} + +static inline struct dentry *securityfs_create_dir(const char *name, + struct dentry *parent) +{ + return ERR_PTR(-ENODEV); } -static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb) +static inline struct dentry *securityfs_create_file(const char *name, + mode_t mode, + struct dentry *parent, + void *data, + const struct file_operations *fops) { - return security_ops->netlink_send(sk, skb); + return ERR_PTR(-ENODEV); } -static inline int security_netlink_recv(struct sk_buff * skb, int cap) +static inline void securityfs_remove(struct dentry *dentry) { - return security_ops->netlink_recv(skb, cap); } static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) { - return security_ops->secid_to_secctx(secid, secdata, seclen); + return -EOPNOTSUPP; } -static inline void security_release_secctx(char *secdata, u32 seclen) +static inline int security_secctx_to_secid(char *secdata, + u32 seclen, + u32 *secid) { - return security_ops->release_secctx(secdata, seclen); -} - -/* prototypes */ -extern int security_init (void); -extern int register_security (struct security_operations *ops); -extern int unregister_security (struct security_operations *ops); -extern int mod_reg_security (const char *name, struct security_operations *ops); -extern int mod_unreg_security (const char *name, struct security_operations *ops); -extern struct dentry *securityfs_create_file(const char *name, mode_t mode, - struct dentry *parent, void *data, - struct file_operations *fops); -extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent); -extern void securityfs_remove(struct dentry *dentry); - - -#else /* CONFIG_SECURITY */ - -/* - * This is the default capabilities functionality. Most of these functions - * are just stubbed out, but a few must call the proper capable code. - */ - -static inline int security_init(void) -{ - return 0; -} - -static inline int security_ptrace (struct task_struct *parent, struct task_struct * child) -{ - return cap_ptrace (parent, child); -} - -static inline int security_capget (struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted) -{ - return cap_capget (target, effective, inheritable, permitted); -} - -static inline int security_capset_check (struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted) -{ - return cap_capset_check (target, effective, inheritable, permitted); -} - -static inline void security_capset_set (struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted) -{ - cap_capset_set (target, effective, inheritable, permitted); -} - -static inline int security_capable(struct task_struct *tsk, int cap) -{ - return cap_capable(tsk, cap); -} - -static inline int security_acct (struct file *file) -{ - return 0; -} - -static inline int security_sysctl(struct ctl_table *table, int op) -{ - return 0; -} - -static inline int security_quotactl (int cmds, int type, int id, - struct super_block * sb) -{ - return 0; -} - -static inline int security_quota_on (struct dentry * dentry) -{ - return 0; -} - -static inline int security_syslog(int type) -{ - return cap_syslog(type); -} - -static inline int security_settime(struct timespec *ts, struct timezone *tz) -{ - return cap_settime(ts, tz); -} - -static inline int security_vm_enough_memory(long pages) -{ - return cap_vm_enough_memory(pages); -} - -static inline int security_bprm_alloc (struct linux_binprm *bprm) -{ - return 0; -} - -static inline void security_bprm_free (struct linux_binprm *bprm) -{ } - -static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) -{ - cap_bprm_apply_creds (bprm, unsafe); -} - -static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) -{ - return; -} - -static inline int security_bprm_set (struct linux_binprm *bprm) -{ - return cap_bprm_set_security (bprm); -} - -static inline int security_bprm_check (struct linux_binprm *bprm) -{ - return 0; -} - -static inline int security_bprm_secureexec (struct linux_binprm *bprm) -{ - return cap_bprm_secureexec(bprm); -} - -static inline int security_sb_alloc (struct super_block *sb) -{ - return 0; -} - -static inline void security_sb_free (struct super_block *sb) -{ } - -static inline int security_sb_copy_data (struct file_system_type *type, - void *orig, void *copy) -{ - return 0; -} - -static inline int security_sb_kern_mount (struct super_block *sb, void *data) -{ - return 0; -} - -static inline int security_sb_statfs (struct dentry *dentry) -{ - return 0; -} - -static inline int security_sb_mount (char *dev_name, struct nameidata *nd, - char *type, unsigned long flags, - void *data) -{ - return 0; -} - -static inline int security_sb_check_sb (struct vfsmount *mnt, - struct nameidata *nd) -{ - return 0; -} - -static inline int security_sb_umount (struct vfsmount *mnt, int flags) -{ - return 0; -} - -static inline void security_sb_umount_close (struct vfsmount *mnt) -{ } - -static inline void security_sb_umount_busy (struct vfsmount *mnt) -{ } - -static inline void security_sb_post_remount (struct vfsmount *mnt, - unsigned long flags, void *data) -{ } - -static inline void security_sb_post_mountroot (void) -{ } - -static inline void security_sb_post_addmount (struct vfsmount *mnt, - struct nameidata *mountpoint_nd) -{ } - -static inline int security_sb_pivotroot (struct nameidata *old_nd, - struct nameidata *new_nd) -{ - return 0; -} - -static inline void security_sb_post_pivotroot (struct nameidata *old_nd, - struct nameidata *new_nd) -{ } - -static inline int security_inode_alloc (struct inode *inode) -{ - return 0; -} - -static inline void security_inode_free (struct inode *inode) -{ } - -static inline int security_inode_init_security (struct inode *inode, - struct inode *dir, - char **name, - void **value, - size_t *len) -{ - return -EOPNOTSUPP; -} - -static inline int security_inode_create (struct inode *dir, - struct dentry *dentry, - int mode) -{ - return 0; -} - -static inline int security_inode_link (struct dentry *old_dentry, - struct inode *dir, - struct dentry *new_dentry) -{ - return 0; -} - -static inline int security_inode_unlink (struct inode *dir, - struct dentry *dentry) -{ - return 0; -} - -static inline int security_inode_symlink (struct inode *dir, - struct dentry *dentry, - const char *old_name) -{ - return 0; -} - -static inline int security_inode_mkdir (struct inode *dir, - struct dentry *dentry, - int mode) -{ - return 0; -} - -static inline int security_inode_rmdir (struct inode *dir, - struct dentry *dentry) -{ - return 0; -} - -static inline int security_inode_mknod (struct inode *dir, - struct dentry *dentry, - int mode, dev_t dev) -{ - return 0; -} - -static inline int security_inode_rename (struct inode *old_dir, - struct dentry *old_dentry, - struct inode *new_dir, - struct dentry *new_dentry) -{ - return 0; -} - -static inline int security_inode_readlink (struct dentry *dentry) -{ - return 0; -} - -static inline int security_inode_follow_link (struct dentry *dentry, - struct nameidata *nd) -{ - return 0; -} - -static inline int security_inode_permission (struct inode *inode, int mask, - struct nameidata *nd) -{ - return 0; -} - -static inline int security_inode_setattr (struct dentry *dentry, - struct iattr *attr) -{ - return 0; -} - -static inline int security_inode_getattr (struct vfsmount *mnt, - struct dentry *dentry) -{ - return 0; -} - -static inline void security_inode_delete (struct inode *inode) -{ } - -static inline int security_inode_setxattr (struct dentry *dentry, char *name, - void *value, size_t size, int flags) -{ - return cap_inode_setxattr(dentry, name, value, size, flags); -} - -static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, - void *value, size_t size, int flags) -{ } - -static inline int security_inode_getxattr (struct dentry *dentry, char *name) -{ - return 0; -} - -static inline int security_inode_listxattr (struct dentry *dentry) -{ - return 0; -} - -static inline int security_inode_removexattr (struct dentry *dentry, char *name) -{ - return cap_inode_removexattr(dentry, name); -} - -static inline const char *security_inode_xattr_getsuffix (void) -{ - return NULL ; -} - -static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) -{ - return -EOPNOTSUPP; -} - -static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) -{ - return -EOPNOTSUPP; -} - -static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) -{ - return 0; -} - -static inline int security_file_permission (struct file *file, int mask) -{ - return 0; -} - -static inline int security_file_alloc (struct file *file) -{ - return 0; -} - -static inline void security_file_free (struct file *file) -{ } - -static inline int security_file_ioctl (struct file *file, unsigned int cmd, - unsigned long arg) -{ - return 0; -} - -static inline int security_file_mmap (struct file *file, unsigned long reqprot, - unsigned long prot, - unsigned long flags) -{ - return 0; -} - -static inline int security_file_mprotect (struct vm_area_struct *vma, - unsigned long reqprot, - unsigned long prot) -{ - return 0; -} - -static inline int security_file_lock (struct file *file, unsigned int cmd) -{ - return 0; -} - -static inline int security_file_fcntl (struct file *file, unsigned int cmd, - unsigned long arg) -{ - return 0; -} - -static inline int security_file_set_fowner (struct file *file) -{ - return 0; -} - -static inline int security_file_send_sigiotask (struct task_struct *tsk, - struct fown_struct *fown, - int sig) -{ - return 0; -} - -static inline int security_file_receive (struct file *file) -{ - return 0; -} - -static inline int security_task_create (unsigned long clone_flags) -{ - return 0; -} - -static inline int security_task_alloc (struct task_struct *p) -{ - return 0; -} - -static inline void security_task_free (struct task_struct *p) -{ } - -static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, - int flags) -{ - return 0; -} - -static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, - uid_t old_suid, int flags) -{ - return cap_task_post_setuid (old_ruid, old_euid, old_suid, flags); -} - -static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, - int flags) -{ - return 0; -} - -static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) -{ - return 0; -} - -static inline int security_task_getpgid (struct task_struct *p) -{ - return 0; -} - -static inline int security_task_getsid (struct task_struct *p) -{ - return 0; -} - -static inline void security_task_getsecid (struct task_struct *p, u32 *secid) -{ } - -static inline int security_task_setgroups (struct group_info *group_info) -{ - return 0; -} - -static inline int security_task_setnice (struct task_struct *p, int nice) -{ - return 0; -} - -static inline int security_task_setioprio (struct task_struct *p, int ioprio) -{ - return 0; -} - -static inline int security_task_getioprio (struct task_struct *p) -{ - return 0; -} - -static inline int security_task_setrlimit (unsigned int resource, - struct rlimit *new_rlim) -{ - return 0; -} - -static inline int security_task_setscheduler (struct task_struct *p, - int policy, - struct sched_param *lp) -{ - return 0; -} - -static inline int security_task_getscheduler (struct task_struct *p) -{ - return 0; -} - -static inline int security_task_movememory (struct task_struct *p) -{ - return 0; -} - -static inline int security_task_kill (struct task_struct *p, - struct siginfo *info, int sig, - u32 secid) -{ - return 0; -} - -static inline int security_task_wait (struct task_struct *p) -{ - return 0; -} - -static inline int security_task_prctl (int option, unsigned long arg2, - unsigned long arg3, - unsigned long arg4, - unsigned long arg5) -{ - return 0; -} - -static inline void security_task_reparent_to_init (struct task_struct *p) -{ - cap_task_reparent_to_init (p); -} - -static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) -{ } - -static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, - short flag) -{ - return 0; -} - -static inline int security_msg_msg_alloc (struct msg_msg * msg) -{ - return 0; -} - -static inline void security_msg_msg_free (struct msg_msg * msg) -{ } - -static inline int security_msg_queue_alloc (struct msg_queue *msq) -{ - return 0; -} - -static inline void security_msg_queue_free (struct msg_queue *msq) -{ } - -static inline int security_msg_queue_associate (struct msg_queue * msq, - int msqflg) -{ - return 0; -} - -static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) -{ - return 0; -} - -static inline int security_msg_queue_msgsnd (struct msg_queue * msq, - struct msg_msg * msg, int msqflg) -{ - return 0; -} - -static inline int security_msg_queue_msgrcv (struct msg_queue * msq, - struct msg_msg * msg, - struct task_struct * target, - long type, int mode) -{ - return 0; -} - -static inline int security_shm_alloc (struct shmid_kernel *shp) -{ - return 0; -} - -static inline void security_shm_free (struct shmid_kernel *shp) -{ } - -static inline int security_shm_associate (struct shmid_kernel * shp, - int shmflg) -{ - return 0; -} - -static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) -{ - return 0; -} - -static inline int security_shm_shmat (struct shmid_kernel * shp, - char __user *shmaddr, int shmflg) -{ - return 0; -} - -static inline int security_sem_alloc (struct sem_array *sma) -{ - return 0; -} - -static inline void security_sem_free (struct sem_array *sma) -{ } - -static inline int security_sem_associate (struct sem_array * sma, int semflg) -{ - return 0; -} - -static inline int security_sem_semctl (struct sem_array * sma, int cmd) -{ - return 0; -} - -static inline int security_sem_semop (struct sem_array * sma, - struct sembuf * sops, unsigned nsops, - int alter) -{ - return 0; -} - -static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) -{ } - -static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) -{ - return -EINVAL; -} - -static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) -{ - return -EINVAL; -} - -static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb) -{ - return cap_netlink_send (sk, skb); -} - -static inline int security_netlink_recv (struct sk_buff *skb, int cap) -{ - return cap_netlink_recv (skb, cap); -} - -static inline struct dentry *securityfs_create_dir(const char *name, - struct dentry *parent) -{ - return ERR_PTR(-ENODEV); -} - -static inline struct dentry *securityfs_create_file(const char *name, - mode_t mode, - struct dentry *parent, - void *data, - struct file_operations *fops) -{ - return ERR_PTR(-ENODEV); -} - -static inline void securityfs_remove(struct dentry *dentry) -{ -} - -static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) -{ - return -EOPNOTSUPP; + return -EOPNOTSUPP; } static inline void security_release_secctx(char *secdata, u32 seclen) @@ -2799,170 +2446,43 @@ static inline void security_release_secctx(char *secdata, u32 seclen) #endif /* CONFIG_SECURITY */ #ifdef CONFIG_SECURITY_NETWORK -static inline int security_unix_stream_connect(struct socket * sock, - struct socket * other, - struct sock * newsk) -{ - return security_ops->unix_stream_connect(sock, other, newsk); -} - - -static inline int security_unix_may_send(struct socket * sock, - struct socket * other) -{ - return security_ops->unix_may_send(sock, other); -} - -static inline int security_socket_create (int family, int type, - int protocol, int kern) -{ - return security_ops->socket_create(family, type, protocol, kern); -} - -static inline int security_socket_post_create(struct socket * sock, - int family, - int type, - int protocol, int kern) -{ - return security_ops->socket_post_create(sock, family, type, - protocol, kern); -} - -static inline int security_socket_bind(struct socket * sock, - struct sockaddr * address, - int addrlen) -{ - return security_ops->socket_bind(sock, address, addrlen); -} - -static inline int security_socket_connect(struct socket * sock, - struct sockaddr * address, - int addrlen) -{ - return security_ops->socket_connect(sock, address, addrlen); -} - -static inline int security_socket_listen(struct socket * sock, int backlog) -{ - return security_ops->socket_listen(sock, backlog); -} - -static inline int security_socket_accept(struct socket * sock, - struct socket * newsock) -{ - return security_ops->socket_accept(sock, newsock); -} - -static inline void security_socket_post_accept(struct socket * sock, - struct socket * newsock) -{ - security_ops->socket_post_accept(sock, newsock); -} - -static inline int security_socket_sendmsg(struct socket * sock, - struct msghdr * msg, int size) -{ - return security_ops->socket_sendmsg(sock, msg, size); -} - -static inline int security_socket_recvmsg(struct socket * sock, - struct msghdr * msg, int size, - int flags) -{ - return security_ops->socket_recvmsg(sock, msg, size, flags); -} - -static inline int security_socket_getsockname(struct socket * sock) -{ - return security_ops->socket_getsockname(sock); -} - -static inline int security_socket_getpeername(struct socket * sock) -{ - return security_ops->socket_getpeername(sock); -} - -static inline int security_socket_getsockopt(struct socket * sock, - int level, int optname) -{ - return security_ops->socket_getsockopt(sock, level, optname); -} - -static inline int security_socket_setsockopt(struct socket * sock, - int level, int optname) -{ - return security_ops->socket_setsockopt(sock, level, optname); -} - -static inline int security_socket_shutdown(struct socket * sock, int how) -{ - return security_ops->socket_shutdown(sock, how); -} - -static inline int security_sock_rcv_skb (struct sock * sk, - struct sk_buff * skb) -{ - return security_ops->socket_sock_rcv_skb (sk, skb); -} - -static inline int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, - int __user *optlen, unsigned len) -{ - return security_ops->socket_getpeersec_stream(sock, optval, optlen, len); -} - -static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) -{ - return security_ops->socket_getpeersec_dgram(sock, skb, secid); -} - -static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) -{ - return security_ops->sk_alloc_security(sk, family, priority); -} - -static inline void security_sk_free(struct sock *sk) -{ - return security_ops->sk_free_security(sk); -} - -static inline void security_sk_clone(const struct sock *sk, struct sock *newsk) -{ - return security_ops->sk_clone_security(sk, newsk); -} - -static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl) -{ - security_ops->sk_getsecid(sk, &fl->secid); -} - -static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl) -{ - security_ops->req_classify_flow(req, fl); -} - -static inline void security_sock_graft(struct sock* sk, struct socket *parent) -{ - security_ops->sock_graft(sk, parent); -} - -static inline int security_inet_conn_request(struct sock *sk, - struct sk_buff *skb, struct request_sock *req) -{ - return security_ops->inet_conn_request(sk, skb, req); -} -static inline void security_inet_csk_clone(struct sock *newsk, - const struct request_sock *req) -{ - security_ops->inet_csk_clone(newsk, req); -} +int security_unix_stream_connect(struct socket *sock, struct socket *other, + struct sock *newsk); +int security_unix_may_send(struct socket *sock, struct socket *other); +int security_socket_create(int family, int type, int protocol, int kern); +int security_socket_post_create(struct socket *sock, int family, + int type, int protocol, int kern); +int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen); +int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen); +int security_socket_listen(struct socket *sock, int backlog); +int security_socket_accept(struct socket *sock, struct socket *newsock); +void security_socket_post_accept(struct socket *sock, struct socket *newsock); +int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size); +int security_socket_recvmsg(struct socket *sock, struct msghdr *msg, + int size, int flags); +int security_socket_getsockname(struct socket *sock); +int security_socket_getpeername(struct socket *sock); +int security_socket_getsockopt(struct socket *sock, int level, int optname); +int security_socket_setsockopt(struct socket *sock, int level, int optname); +int security_socket_shutdown(struct socket *sock, int how); +int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb); +int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, + int __user *optlen, unsigned len); +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid); +int security_sk_alloc(struct sock *sk, int family, gfp_t priority); +void security_sk_free(struct sock *sk); +void security_sk_clone(const struct sock *sk, struct sock *newsk); +void security_sk_classify_flow(struct sock *sk, struct flowi *fl); +void security_req_classify_flow(const struct request_sock *req, struct flowi *fl); +void security_sock_graft(struct sock*sk, struct socket *parent); +int security_inet_conn_request(struct sock *sk, + struct sk_buff *skb, struct request_sock *req); +void security_inet_csk_clone(struct sock *newsk, + const struct request_sock *req); +void security_inet_conn_established(struct sock *sk, + struct sk_buff *skb); -static inline void security_inet_conn_established(struct sock *sk, - struct sk_buff *skb) -{ - security_ops->inet_conn_established(sk, skb); -} #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct socket * sock, struct socket * other, @@ -3120,92 +2640,39 @@ static inline void security_inet_conn_established(struct sock *sk, #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM -static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) -{ - return security_ops->xfrm_policy_alloc_security(xp, sec_ctx); -} -static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) -{ - return security_ops->xfrm_policy_clone_security(old, new); -} - -static inline void security_xfrm_policy_free(struct xfrm_policy *xp) -{ - security_ops->xfrm_policy_free_security(xp); -} - -static inline int security_xfrm_policy_delete(struct xfrm_policy *xp) -{ - return security_ops->xfrm_policy_delete_security(xp); -} - -static inline int security_xfrm_state_alloc(struct xfrm_state *x, - struct xfrm_user_sec_ctx *sec_ctx) -{ - return security_ops->xfrm_state_alloc_security(x, sec_ctx, 0); -} - -static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x, - struct xfrm_sec_ctx *polsec, u32 secid) -{ - if (!polsec) - return 0; - /* - * We want the context to be taken from secid which is usually - * from the sock. - */ - return security_ops->xfrm_state_alloc_security(x, NULL, secid); -} - -static inline int security_xfrm_state_delete(struct xfrm_state *x) -{ - return security_ops->xfrm_state_delete_security(x); -} - -static inline void security_xfrm_state_free(struct xfrm_state *x) -{ - security_ops->xfrm_state_free_security(x); -} - -static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) -{ - return security_ops->xfrm_policy_lookup(xp, fl_secid, dir); -} - -static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x, - struct xfrm_policy *xp, struct flowi *fl) -{ - return security_ops->xfrm_state_pol_flow_match(x, xp, fl); -} +int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx); +int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctxp); +void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx); +int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx); +int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); +int security_xfrm_state_alloc_acquire(struct xfrm_state *x, + struct xfrm_sec_ctx *polsec, u32 secid); +int security_xfrm_state_delete(struct xfrm_state *x); +void security_xfrm_state_free(struct xfrm_state *x); +int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir); +int security_xfrm_state_pol_flow_match(struct xfrm_state *x, + struct xfrm_policy *xp, struct flowi *fl); +int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid); +void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl); -static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) -{ - return security_ops->xfrm_decode_session(skb, secid, 1); -} - -static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) -{ - int rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0); - - BUG_ON(rc); -} #else /* CONFIG_SECURITY_NETWORK_XFRM */ -static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) + +static inline int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx) { return 0; } -static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) +static inline int security_xfrm_policy_clone(struct xfrm_sec_ctx *old, struct xfrm_sec_ctx **new_ctxp) { return 0; } -static inline void security_xfrm_policy_free(struct xfrm_policy *xp) +static inline void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx) { } -static inline int security_xfrm_policy_delete(struct xfrm_policy *xp) +static inline int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) { return 0; } @@ -3231,7 +2698,7 @@ static inline int security_xfrm_state_delete(struct xfrm_state *x) return 0; } -static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) +static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) { return 0; } @@ -3255,47 +2722,67 @@ static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi #ifdef CONFIG_KEYS #ifdef CONFIG_SECURITY + +int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags); +void security_key_free(struct key *key); +int security_key_permission(key_ref_t key_ref, + struct task_struct *context, key_perm_t perm); + +#else + static inline int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags) { - return security_ops->key_alloc(key, tsk, flags); + return 0; } static inline void security_key_free(struct key *key) { - security_ops->key_free(key); } static inline int security_key_permission(key_ref_t key_ref, struct task_struct *context, key_perm_t perm) { - return security_ops->key_permission(key_ref, context, perm); + return 0; } +#endif +#endif /* CONFIG_KEYS */ + +#ifdef CONFIG_AUDIT +#ifdef CONFIG_SECURITY +int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule); +int security_audit_rule_known(struct audit_krule *krule); +int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, + struct audit_context *actx); +void security_audit_rule_free(void *lsmrule); + #else -static inline int security_key_alloc(struct key *key, - struct task_struct *tsk, - unsigned long flags) +static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr, + void **lsmrule) { return 0; } -static inline void security_key_free(struct key *key) +static inline int security_audit_rule_known(struct audit_krule *krule) { + return 0; } -static inline int security_key_permission(key_ref_t key_ref, - struct task_struct *context, - key_perm_t perm) +static inline int security_audit_rule_match(u32 secid, u32 field, u32 op, + void *lsmrule, struct audit_context *actx) { return 0; } -#endif -#endif /* CONFIG_KEYS */ +static inline void security_audit_rule_free(void *lsmrule) +{ } + +#endif /* CONFIG_SECURITY */ +#endif /* CONFIG_AUDIT */ #endif /* ! __LINUX_SECURITY_H */