25
25
#include <linux/fs.h>
26
26
#include <linux/fsnotify.h>
27
27
#include <linux/binfmts.h>
28
#include <linux/dcache.h>
28
29
#include <linux/signal.h>
29
30
#include <linux/resource.h>
30
31
#include <linux/sem.h>
48
49
struct audit_krule;
50
struct user_namespace;
51
53
* These functions are in security/capability.c and are used
52
54
* as the default capabilities functions
54
56
extern int cap_capable(struct task_struct *tsk, const struct cred *cred,
56
extern int cap_settime(struct timespec *ts, struct timezone *tz);
57
struct user_namespace *ns, int cap, int audit);
58
extern int cap_settime(const struct timespec *ts, const struct timezone *tz);
57
59
extern int cap_ptrace_access_check(struct task_struct *child, unsigned int mode);
58
60
extern int cap_ptrace_traceme(struct task_struct *parent);
59
61
extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
267
269
* @orig the original mount data copied from userspace.
268
270
* @copy copied data which will be passed to the security module.
269
271
* Returns 0 if the copy was successful.
273
* Extracts security system specifc mount options and verifys no changes
274
* are being made to those options.
275
* @sb superblock being remounted
276
* @data contains the filesystem-specific data.
277
* Return 0 if permission is granted.
271
279
* Check permission before the @mnt file system is unmounted.
272
280
* @mnt contains the mounted file system.
315
323
* then it should return -EOPNOTSUPP to skip this processing.
316
324
* @inode contains the inode structure of the newly created inode.
317
325
* @dir contains the inode structure of the parent directory.
326
* @qstr contains the last path component of the new object
318
327
* @name will be set to the allocated name suffix (e.g. selinux).
319
328
* @value will be set to the allocated attribute value.
320
329
* @len will be set to the length of the value.
1255
1264
* @tsk contains the task_struct for the process.
1256
1265
* @cred contains the credentials to use.
1266
* @ns contains the user namespace we want the capability in
1257
1267
* @cap contains the capability <include/linux/capability.h>.
1258
1268
* @audit: Whether to write an audit message or not
1259
1269
* Return 0 if the capability is granted for @tsk.
1261
* Check permission before accessing the @table sysctl variable in the
1262
* manner specified by @op.
1263
* @table contains the ctl_table structure for the sysctl variable.
1264
* @op contains the operation (001 = search, 002 = write, 004 = read).
1265
* Return 0 if permission is granted.
1267
1271
* Check permission before accessing the kernel message ring or changing
1268
1272
* logging to the console.
1382
1386
const kernel_cap_t *inheritable,
1383
1387
const kernel_cap_t *permitted);
1384
1388
int (*capable) (struct task_struct *tsk, const struct cred *cred,
1385
int cap, int audit);
1386
int (*sysctl) (struct ctl_table *table, int op);
1389
struct user_namespace *ns, int cap, int audit);
1387
1390
int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
1388
1391
int (*quota_on) (struct dentry *dentry);
1389
1392
int (*syslog) (int type);
1390
int (*settime) (struct timespec *ts, struct timezone *tz);
1393
int (*settime) (const struct timespec *ts, const struct timezone *tz);
1391
1394
int (*vm_enough_memory) (struct mm_struct *mm, long pages);
1393
1396
int (*bprm_set_creds) (struct linux_binprm *bprm);
1399
1402
int (*sb_alloc_security) (struct super_block *sb);
1400
1403
void (*sb_free_security) (struct super_block *sb);
1401
1404
int (*sb_copy_data) (char *orig, char *copy);
1405
int (*sb_remount) (struct super_block *sb, void *data);
1402
1406
int (*sb_kern_mount) (struct super_block *sb, int flags, void *data);
1403
1407
int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
1404
1408
int (*sb_statfs) (struct dentry *dentry);
1435
1439
int (*inode_alloc_security) (struct inode *inode);
1436
1440
void (*inode_free_security) (struct inode *inode);
1437
1441
int (*inode_init_security) (struct inode *inode, struct inode *dir,
1438
char **name, void **value, size_t *len);
1442
const struct qstr *qstr, char **name,
1443
void **value, size_t *len);
1439
1444
int (*inode_create) (struct inode *dir,
1440
1445
struct dentry *dentry, int mode);
1441
1446
int (*inode_link) (struct dentry *old_dentry,
1451
1456
struct inode *new_dir, struct dentry *new_dentry);
1452
1457
int (*inode_readlink) (struct dentry *dentry);
1453
1458
int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
1454
int (*inode_permission) (struct inode *inode, int mask);
1459
int (*inode_permission) (struct inode *inode, int mask, unsigned flags);
1455
1460
int (*inode_setattr) (struct dentry *dentry, struct iattr *attr);
1456
1461
int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
1457
1462
int (*inode_setxattr) (struct dentry *dentry, const char *name,
1623
1628
int (*xfrm_policy_lookup) (struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
1624
1629
int (*xfrm_state_pol_flow_match) (struct xfrm_state *x,
1625
1630
struct xfrm_policy *xp,
1631
const struct flowi *fl);
1627
1632
int (*xfrm_decode_session) (struct sk_buff *skb, u32 *secid, int ckall);
1628
1633
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1662
1667
const kernel_cap_t *effective,
1663
1668
const kernel_cap_t *inheritable,
1664
1669
const kernel_cap_t *permitted);
1665
int security_capable(const struct cred *cred, int cap);
1666
int security_real_capable(struct task_struct *tsk, int cap);
1667
int security_real_capable_noaudit(struct task_struct *tsk, int cap);
1668
int security_sysctl(struct ctl_table *table, int op);
1670
int security_capable(struct user_namespace *ns, const struct cred *cred,
1672
int security_real_capable(struct task_struct *tsk, struct user_namespace *ns,
1674
int security_real_capable_noaudit(struct task_struct *tsk,
1675
struct user_namespace *ns, int cap);
1669
1676
int security_quotactl(int cmds, int type, int id, struct super_block *sb);
1670
1677
int security_quota_on(struct dentry *dentry);
1671
1678
int security_syslog(int type);
1672
int security_settime(struct timespec *ts, struct timezone *tz);
1679
int security_settime(const struct timespec *ts, const struct timezone *tz);
1673
1680
int security_vm_enough_memory(long pages);
1674
1681
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
1675
1682
int security_vm_enough_memory_kern(long pages);
1681
1688
int security_sb_alloc(struct super_block *sb);
1682
1689
void security_sb_free(struct super_block *sb);
1683
1690
int security_sb_copy_data(char *orig, char *copy);
1691
int security_sb_remount(struct super_block *sb, void *data);
1684
1692
int security_sb_kern_mount(struct super_block *sb, int flags, void *data);
1685
1693
int security_sb_show_options(struct seq_file *m, struct super_block *sb);
1686
1694
int security_sb_statfs(struct dentry *dentry);
1696
1704
int security_inode_alloc(struct inode *inode);
1697
1705
void security_inode_free(struct inode *inode);
1698
1706
int security_inode_init_security(struct inode *inode, struct inode *dir,
1699
char **name, void **value, size_t *len);
1707
const struct qstr *qstr, char **name,
1708
void **value, size_t *len);
1700
1709
int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
1701
1710
int security_inode_link(struct dentry *old_dentry, struct inode *dir,
1702
1711
struct dentry *new_dentry);
1856
1865
return cap_capset(new, old, effective, inheritable, permitted);
1859
static inline int security_capable(const struct cred *cred, int cap)
1868
static inline int security_capable(struct user_namespace *ns,
1869
const struct cred *cred, int cap)
1861
return cap_capable(current, cred, cap, SECURITY_CAP_AUDIT);
1871
return cap_capable(current, cred, ns, cap, SECURITY_CAP_AUDIT);
1864
static inline int security_real_capable(struct task_struct *tsk, int cap)
1874
static inline int security_real_capable(struct task_struct *tsk, struct user_namespace *ns, int cap)
1868
1878
rcu_read_lock();
1869
ret = cap_capable(tsk, __task_cred(tsk), cap, SECURITY_CAP_AUDIT);
1879
ret = cap_capable(tsk, __task_cred(tsk), ns, cap, SECURITY_CAP_AUDIT);
1870
1880
rcu_read_unlock();
1875
int security_real_capable_noaudit(struct task_struct *tsk, int cap)
1885
int security_real_capable_noaudit(struct task_struct *tsk, struct user_namespace *ns, int cap)
1879
1889
rcu_read_lock();
1880
ret = cap_capable(tsk, __task_cred(tsk), cap,
1890
ret = cap_capable(tsk, __task_cred(tsk), ns, cap,
1881
1891
SECURITY_CAP_NOAUDIT);
1882
1892
rcu_read_unlock();
1886
static inline int security_sysctl(struct ctl_table *table, int op)
1891
1896
static inline int security_quotactl(int cmds, int type, int id,
1892
1897
struct super_block *sb)
1907
static inline int security_settime(struct timespec *ts, struct timezone *tz)
1912
static inline int security_settime(const struct timespec *ts,
1913
const struct timezone *tz)
1909
1915
return cap_settime(ts, tz);
2761
2773
void security_xfrm_state_free(struct xfrm_state *x);
2762
2774
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
2763
2775
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
2764
struct xfrm_policy *xp, struct flowi *fl);
2776
struct xfrm_policy *xp,
2777
const struct flowi *fl);
2765
2778
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
2766
2779
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl);
2815
2828
static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
2816
struct xfrm_policy *xp, struct flowi *fl)
2829
struct xfrm_policy *xp, const struct flowi *fl)