/*
   * Security plug functions
   *
   * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
   * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
   * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>

   * Copyright (C) 2016 Mellanox Technologies

   *
   *	This program is free software; you can redistribute it and/or modify
   *	it under the terms of the GNU General Public License as published by
   *	the Free Software Foundation; either version 2 of the License, or
   *	(at your option) any later version.
   */

  #include <linux/bpf.h>

  #include <linux/capability.h>

  #include <linux/dcache.h>

  #include <linux/module.h>
  #include <linux/init.h>
  #include <linux/kernel.h>

  #include <linux/lsm_hooks.h>

  #include <linux/integrity.h>

  #include <linux/ima.h>

  #include <linux/evm.h>

  #include <linux/fsnotify.h>

  #include <linux/mman.h>
  #include <linux/mount.h>
  #include <linux/personality.h>

  #include <linux/backing-dev.h>

  #include <linux/string.h>

  #include <net/flow.h>

  #include <trace/events/initcall.h>

  #define MAX_LSM_EVM_XATTR	2

  /* Maximum number of letters for an LSM name string */
  #define SECURITY_NAME_MAX	10

  struct security_hook_heads security_hook_heads __lsm_ro_after_init;

  static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);

  char *lsm_names;

  /* Boot-time LSM user choice */

  static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
  	CONFIG_DEFAULT_SECURITY;

  static void __init do_security_initcalls(void)
  {

  	int ret;

  	initcall_t call;
  	initcall_entry_t *ce;
  
  	ce = __security_initcall_start;

  	trace_initcall_level("security");

  	while (ce < __security_initcall_end) {
  		call = initcall_from_entry(ce);
  		trace_initcall_start(call);
  		ret = call();
  		trace_initcall_finish(call, ret);
  		ce++;

  	}
  }
  
  /**
   * security_init - initializes the security framework
   *
   * This should be called early in the kernel initialization sequence.
   */
  int __init security_init(void)
  {

  	int i;

  	struct hlist_head *list = (struct hlist_head *) &security_hook_heads;

  	for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head);

  	     i++)

  		INIT_HLIST_HEAD(&list[i]);

  	pr_info("Security Framework initialized
  ");

  	/*

  	 * Load minor LSMs, with the capability module always first.

  	 */
  	capability_add_hooks();

  	yama_add_hooks();

  	loadpin_add_hooks();

  	/*

  	 * Load all the remaining security modules.

  	 */

  	do_security_initcalls();
  
  	return 0;
  }

  /* Save user chosen LSM */
  static int __init choose_lsm(char *str)
  {
  	strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
  	return 1;
  }
  __setup("security=", choose_lsm);

  static bool match_last_lsm(const char *list, const char *lsm)
  {
  	const char *last;
  
  	if (WARN_ON(!list || !lsm))
  		return false;
  	last = strrchr(list, ',');
  	if (last)
  		/* Pass the comma, strcmp() will check for '\0' */
  		last++;
  	else
  		last = list;
  	return !strcmp(last, lsm);
  }

  static int lsm_append(char *new, char **result)
  {
  	char *cp;
  
  	if (*result == NULL) {
  		*result = kstrdup(new, GFP_KERNEL);

  		if (*result == NULL)
  			return -ENOMEM;

  	} else {

  		/* Check if it is the last registered name */
  		if (match_last_lsm(*result, new))
  			return 0;

  		cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);
  		if (cp == NULL)
  			return -ENOMEM;
  		kfree(*result);
  		*result = cp;
  	}
  	return 0;
  }

  /**
   * security_module_enable - Load given security module on boot ?

   * @module: the name of the module

   *
   * Each LSM must pass this method before registering its own operations
   * to avoid security registration races. This method may also be used

   * to check if your LSM is currently loaded during kernel initialization.

   *

   * Returns:
   *
   * true if:
   *
   * - The passed LSM is the one chosen by user at boot time,
   * - or the passed LSM is configured as the default and the user did not
   *   choose an alternate LSM at boot time.
   *

   * Otherwise, return false.
   */

  int __init security_module_enable(const char *module)

  {

  	return !strcmp(module, chosen_lsm);

  }

  /**
   * security_add_hooks - Add a modules hooks to the hook lists.
   * @hooks: the hooks to add
   * @count: the number of hooks to add
   * @lsm: the name of the security module
   *
   * Each LSM has to register its hooks with the infrastructure.
   */
  void __init security_add_hooks(struct security_hook_list *hooks, int count,
  				char *lsm)
  {
  	int i;
  
  	for (i = 0; i < count; i++) {
  		hooks[i].lsm = lsm;

  		hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);

  	}
  	if (lsm_append(lsm, &lsm_names) < 0)
  		panic("%s - Cannot get early memory.
  ", __func__);
  }

  int call_lsm_notifier(enum lsm_event event, void *data)
  {
  	return atomic_notifier_call_chain(&lsm_notifier_chain, event, data);
  }
  EXPORT_SYMBOL(call_lsm_notifier);
  
  int register_lsm_notifier(struct notifier_block *nb)
  {
  	return atomic_notifier_chain_register(&lsm_notifier_chain, nb);
  }
  EXPORT_SYMBOL(register_lsm_notifier);
  
  int unregister_lsm_notifier(struct notifier_block *nb)
  {
  	return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
  }
  EXPORT_SYMBOL(unregister_lsm_notifier);

  /*

   * Hook list operation macros.

   *

   * call_void_hook:
   *	This is a hook that does not return a value.

   *

   * call_int_hook:
   *	This is a hook that returns a value.

   */

  #define call_void_hook(FUNC, ...)				\
  	do {							\
  		struct security_hook_list *P;			\
  								\

  		hlist_for_each_entry(P, &security_hook_heads.FUNC, list) \

  			P->hook.FUNC(__VA_ARGS__);		\
  	} while (0)
  
  #define call_int_hook(FUNC, IRC, ...) ({			\
  	int RC = IRC;						\
  	do {							\
  		struct security_hook_list *P;			\
  								\

  		hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \

  			RC = P->hook.FUNC(__VA_ARGS__);		\
  			if (RC != 0)				\
  				break;				\
  		}						\
  	} while (0);						\
  	RC;							\
  })

  /* Security operations */

  int security_binder_set_context_mgr(struct task_struct *mgr)
  {

  	return call_int_hook(binder_set_context_mgr, 0, mgr);

  }
  
  int security_binder_transaction(struct task_struct *from,
  				struct task_struct *to)
  {

  	return call_int_hook(binder_transaction, 0, from, to);

  }
  
  int security_binder_transfer_binder(struct task_struct *from,
  				    struct task_struct *to)
  {

  	return call_int_hook(binder_transfer_binder, 0, from, to);

  }
  
  int security_binder_transfer_file(struct task_struct *from,
  				  struct task_struct *to, struct file *file)
  {

  	return call_int_hook(binder_transfer_file, 0, from, to, file);

  }

  int security_ptrace_access_check(struct task_struct *child, unsigned int mode)

  {

  	return call_int_hook(ptrace_access_check, 0, child, mode);

  }
  
  int security_ptrace_traceme(struct task_struct *parent)
  {

  	return call_int_hook(ptrace_traceme, 0, parent);

  }
  
  int security_capget(struct task_struct *target,
  		     kernel_cap_t *effective,
  		     kernel_cap_t *inheritable,
  		     kernel_cap_t *permitted)
  {

  	return call_int_hook(capget, 0, target,
  				effective, inheritable, permitted);

  }

  int security_capset(struct cred *new, const struct cred *old,
  		    const kernel_cap_t *effective,
  		    const kernel_cap_t *inheritable,
  		    const kernel_cap_t *permitted)

  {

  	return call_int_hook(capset, 0, new, old,
  				effective, inheritable, permitted);

  }

  int security_capable(const struct cred *cred, struct user_namespace *ns,

  		     int cap)

  {

  	return call_int_hook(capable, 0, cred, ns, cap, SECURITY_CAP_AUDIT);

  }

  int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
  			     int cap)

  {

  	return call_int_hook(capable, 0, cred, ns, cap, SECURITY_CAP_NOAUDIT);

  }

  int security_quotactl(int cmds, int type, int id, struct super_block *sb)
  {

  	return call_int_hook(quotactl, 0, cmds, type, id, sb);

  }
  
  int security_quota_on(struct dentry *dentry)
  {

  	return call_int_hook(quota_on, 0, dentry);

  }

  int security_syslog(int type)

  {

  	return call_int_hook(syslog, 0, type);

  }

  int security_settime64(const struct timespec64 *ts, const struct timezone *tz)

  {

  	return call_int_hook(settime, 0, ts, tz);

  }

  int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
  {

  	struct security_hook_list *hp;
  	int cap_sys_admin = 1;
  	int rc;
  
  	/*
  	 * The module will respond with a positive value if
  	 * it thinks the __vm_enough_memory() call should be
  	 * made with the cap_sys_admin set. If all of the modules
  	 * agree that it should be set it will. If any module
  	 * thinks it should not be set it won't.
  	 */

  	hlist_for_each_entry(hp, &security_hook_heads.vm_enough_memory, list) {

  		rc = hp->hook.vm_enough_memory(mm, pages);
  		if (rc <= 0) {
  			cap_sys_admin = 0;
  			break;
  		}
  	}
  	return __vm_enough_memory(mm, pages, cap_sys_admin);

  }

  int security_bprm_set_creds(struct linux_binprm *bprm)

  {

  	return call_int_hook(bprm_set_creds, 0, bprm);

  }

  int security_bprm_check(struct linux_binprm *bprm)

  {

  	int ret;

  	ret = call_int_hook(bprm_check_security, 0, bprm);

  	if (ret)
  		return ret;
  	return ima_bprm_check(bprm);

  }

  void security_bprm_committing_creds(struct linux_binprm *bprm)

  {

  	call_void_hook(bprm_committing_creds, bprm);

  }

  void security_bprm_committed_creds(struct linux_binprm *bprm)

  {

  	call_void_hook(bprm_committed_creds, bprm);

  }

  int security_sb_alloc(struct super_block *sb)
  {

  	return call_int_hook(sb_alloc_security, 0, sb);

  }
  
  void security_sb_free(struct super_block *sb)
  {

  	call_void_hook(sb_free_security, sb);

  }

  int security_sb_copy_data(char *orig, char *copy)

  {

  	return call_int_hook(sb_copy_data, 0, orig, copy);

  }

  EXPORT_SYMBOL(security_sb_copy_data);

  int security_sb_remount(struct super_block *sb, void *data)
  {

  	return call_int_hook(sb_remount, 0, sb, data);

  }

  int security_sb_kern_mount(struct super_block *sb, int flags, void *data)

  {

  	return call_int_hook(sb_kern_mount, 0, sb, flags, data);

  }

  int security_sb_show_options(struct seq_file *m, struct super_block *sb)
  {

  	return call_int_hook(sb_show_options, 0, m, sb);

  }

  int security_sb_statfs(struct dentry *dentry)
  {

  	return call_int_hook(sb_statfs, 0, dentry);

  }

  int security_sb_mount(const char *dev_name, const struct path *path,

                         const char *type, unsigned long flags, void *data)

  {

  	return call_int_hook(sb_mount, 0, dev_name, path, type, flags, data);

  }

  int security_sb_umount(struct vfsmount *mnt, int flags)
  {

  	return call_int_hook(sb_umount, 0, mnt, flags);

  }

  int security_sb_pivotroot(const struct path *old_path, const struct path *new_path)

  {

  	return call_int_hook(sb_pivotroot, 0, old_path, new_path);

  }

  int security_sb_set_mnt_opts(struct super_block *sb,

  				struct security_mnt_opts *opts,
  				unsigned long kern_flags,
  				unsigned long *set_kern_flags)

  {

  	return call_int_hook(sb_set_mnt_opts,
  				opts->num_mnt_opts ? -EOPNOTSUPP : 0, sb,
  				opts, kern_flags, set_kern_flags);

  }

  EXPORT_SYMBOL(security_sb_set_mnt_opts);

  int security_sb_clone_mnt_opts(const struct super_block *oldsb,

  				struct super_block *newsb,
  				unsigned long kern_flags,
  				unsigned long *set_kern_flags)

  {

  	return call_int_hook(sb_clone_mnt_opts, 0, oldsb, newsb,
  				kern_flags, set_kern_flags);

  }

  EXPORT_SYMBOL(security_sb_clone_mnt_opts);
  
  int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
  {

  	return call_int_hook(sb_parse_opts_str, 0, options, opts);

  }
  EXPORT_SYMBOL(security_sb_parse_opts_str);

  int security_inode_alloc(struct inode *inode)
  {
  	inode->i_security = NULL;

  	return call_int_hook(inode_alloc_security, 0, inode);

  }
  
  void security_inode_free(struct inode *inode)
  {

  	integrity_inode_free(inode);

  	call_void_hook(inode_free_security, inode);

  }

  int security_dentry_init_security(struct dentry *dentry, int mode,

  					const struct qstr *name, void **ctx,

  					u32 *ctxlen)
  {

  	return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode,
  				name, ctx, ctxlen);

  }
  EXPORT_SYMBOL(security_dentry_init_security);

  int security_dentry_create_files_as(struct dentry *dentry, int mode,
  				    struct qstr *name,
  				    const struct cred *old, struct cred *new)
  {
  	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
  				name, old, new);
  }
  EXPORT_SYMBOL(security_dentry_create_files_as);

  int security_inode_init_security(struct inode *inode, struct inode *dir,

  				 const struct qstr *qstr,
  				 const initxattrs initxattrs, void *fs_data)

  {

  	struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1];
  	struct xattr *lsm_xattr, *evm_xattr, *xattr;

  	int ret;

  	if (unlikely(IS_PRIVATE(inode)))

  		return 0;

  	if (!initxattrs)

  		return call_int_hook(inode_init_security, -EOPNOTSUPP, inode,
  				     dir, qstr, NULL, NULL, NULL);

  	memset(new_xattrs, 0, sizeof(new_xattrs));

  	lsm_xattr = new_xattrs;

  	ret = call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, qstr,

  						&lsm_xattr->name,
  						&lsm_xattr->value,
  						&lsm_xattr->value_len);
  	if (ret)
  		goto out;

  
  	evm_xattr = lsm_xattr + 1;
  	ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
  	if (ret)
  		goto out;

  	ret = initxattrs(inode, new_xattrs, fs_data);
  out:

  	for (xattr = new_xattrs; xattr->value != NULL; xattr++)

  		kfree(xattr->value);

  	return (ret == -EOPNOTSUPP) ? 0 : ret;
  }
  EXPORT_SYMBOL(security_inode_init_security);
  
  int security_old_inode_init_security(struct inode *inode, struct inode *dir,

  				     const struct qstr *qstr, const char **name,

  				     void **value, size_t *len)

  {
  	if (unlikely(IS_PRIVATE(inode)))

  		return -EOPNOTSUPP;

  	return call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir,
  			     qstr, name, value, len);

  }

  EXPORT_SYMBOL(security_old_inode_init_security);

  #ifdef CONFIG_SECURITY_PATH

  int security_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode,

  			unsigned int dev)
  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))

  		return 0;

  	return call_int_hook(path_mknod, 0, dir, dentry, mode, dev);

  }
  EXPORT_SYMBOL(security_path_mknod);

  int security_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t mode)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))

  		return 0;

  	return call_int_hook(path_mkdir, 0, dir, dentry, mode);

  }

  EXPORT_SYMBOL(security_path_mkdir);

  int security_path_rmdir(const struct path *dir, struct dentry *dentry)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))

  		return 0;

  	return call_int_hook(path_rmdir, 0, dir, dentry);

  }

  int security_path_unlink(const struct path *dir, struct dentry *dentry)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))

  		return 0;

  	return call_int_hook(path_unlink, 0, dir, dentry);

  }

  EXPORT_SYMBOL(security_path_unlink);

  int security_path_symlink(const struct path *dir, struct dentry *dentry,

  			  const char *old_name)
  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))

  		return 0;

  	return call_int_hook(path_symlink, 0, dir, dentry, old_name);

  }

  int security_path_link(struct dentry *old_dentry, const struct path *new_dir,

  		       struct dentry *new_dentry)
  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))

  		return 0;

  	return call_int_hook(path_link, 0, old_dentry, new_dir, new_dentry);

  }

  int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,
  			 const struct path *new_dir, struct dentry *new_dentry,

  			 unsigned int flags)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||
  		     (d_is_positive(new_dentry) && IS_PRIVATE(d_backing_inode(new_dentry)))))

  		return 0;

  
  	if (flags & RENAME_EXCHANGE) {

  		int err = call_int_hook(path_rename, 0, new_dir, new_dentry,
  					old_dir, old_dentry);

  		if (err)
  			return err;
  	}

  	return call_int_hook(path_rename, 0, old_dir, old_dentry, new_dir,
  				new_dentry);

  }

  EXPORT_SYMBOL(security_path_rename);

  int security_path_truncate(const struct path *path)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))

  		return 0;

  	return call_int_hook(path_truncate, 0, path);

  }

  int security_path_chmod(const struct path *path, umode_t mode)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))

  		return 0;

  	return call_int_hook(path_chmod, 0, path, mode);

  }

  int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))

  		return 0;

  	return call_int_hook(path_chown, 0, path, uid, gid);

  }

  int security_path_chroot(const struct path *path)

  {

  	return call_int_hook(path_chroot, 0, path);

  }

  #endif

  int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)

  {
  	if (unlikely(IS_PRIVATE(dir)))
  		return 0;

  	return call_int_hook(inode_create, 0, dir, dentry, mode);

  }

  EXPORT_SYMBOL_GPL(security_inode_create);

  
  int security_inode_link(struct dentry *old_dentry, struct inode *dir,
  			 struct dentry *new_dentry)
  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))

  		return 0;

  	return call_int_hook(inode_link, 0, old_dentry, dir, new_dentry);

  }
  
  int security_inode_unlink(struct inode *dir, struct dentry *dentry)
  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))

  		return 0;

  	return call_int_hook(inode_unlink, 0, dir, dentry);

  }
  
  int security_inode_symlink(struct inode *dir, struct dentry *dentry,
  			    const char *old_name)
  {
  	if (unlikely(IS_PRIVATE(dir)))
  		return 0;

  	return call_int_hook(inode_symlink, 0, dir, dentry, old_name);

  }

  int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)

  {
  	if (unlikely(IS_PRIVATE(dir)))
  		return 0;

  	return call_int_hook(inode_mkdir, 0, dir, dentry, mode);

  }

  EXPORT_SYMBOL_GPL(security_inode_mkdir);

  
  int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))

  		return 0;

  	return call_int_hook(inode_rmdir, 0, dir, dentry);

  }

  int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)

  {
  	if (unlikely(IS_PRIVATE(dir)))
  		return 0;

  	return call_int_hook(inode_mknod, 0, dir, dentry, mode, dev);

  }
  
  int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,

  			   struct inode *new_dir, struct dentry *new_dentry,
  			   unsigned int flags)

  {

          if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||
              (d_is_positive(new_dentry) && IS_PRIVATE(d_backing_inode(new_dentry)))))

  		return 0;

  
  	if (flags & RENAME_EXCHANGE) {

  		int err = call_int_hook(inode_rename, 0, new_dir, new_dentry,

  						     old_dir, old_dentry);
  		if (err)
  			return err;
  	}

  	return call_int_hook(inode_rename, 0, old_dir, old_dentry,

  					   new_dir, new_dentry);
  }
  
  int security_inode_readlink(struct dentry *dentry)
  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))

  		return 0;

  	return call_int_hook(inode_readlink, 0, dentry);

  }

  int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
  			       bool rcu)

  {

  	if (unlikely(IS_PRIVATE(inode)))

  		return 0;

  	return call_int_hook(inode_follow_link, 0, dentry, inode, rcu);

  }

  int security_inode_permission(struct inode *inode, int mask)

  {
  	if (unlikely(IS_PRIVATE(inode)))
  		return 0;

  	return call_int_hook(inode_permission, 0, inode, mask);

  }
  
  int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
  {

  	int ret;

  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))

  		return 0;

  	ret = call_int_hook(inode_setattr, 0, dentry, attr);

  	if (ret)
  		return ret;
  	return evm_inode_setattr(dentry, attr);

  }

  EXPORT_SYMBOL_GPL(security_inode_setattr);

  int security_inode_getattr(const struct path *path)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))

  		return 0;

  	return call_int_hook(inode_getattr, 0, path);

  }

  int security_inode_setxattr(struct dentry *dentry, const char *name,
  			    const void *value, size_t size, int flags)

  {

  	int ret;

  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))

  		return 0;

  	/*
  	 * SELinux and Smack integrate the cap call,
  	 * so assume that all LSMs supplying this call do so.
  	 */
  	ret = call_int_hook(inode_setxattr, 1, dentry, name, value, size,

  				flags);

  
  	if (ret == 1)
  		ret = cap_inode_setxattr(dentry, name, value, size, flags);

  	if (ret)
  		return ret;

  	ret = ima_inode_setxattr(dentry, name, value, size);
  	if (ret)
  		return ret;

  	return evm_inode_setxattr(dentry, name, value, size);

  }

  void security_inode_post_setxattr(struct dentry *dentry, const char *name,
  				  const void *value, size_t size, int flags)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))

  		return;

  	call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);

  	evm_inode_post_setxattr(dentry, name, value, size);

  }

  int security_inode_getxattr(struct dentry *dentry, const char *name)

  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))

  		return 0;

  	return call_int_hook(inode_getxattr, 0, dentry, name);

  }
  
  int security_inode_listxattr(struct dentry *dentry)
  {

  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))

  		return 0;

  	return call_int_hook(inode_listxattr, 0, dentry);

  }

  int security_inode_removexattr(struct dentry *dentry, const char *name)

  {

  	int ret;

  	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))

  		return 0;

  	/*
  	 * SELinux and Smack integrate the cap call,
  	 * so assume that all LSMs supplying this call do so.
  	 */
  	ret = call_int_hook(inode_removexattr, 1, dentry, name);
  	if (ret == 1)
  		ret = cap_inode_removexattr(dentry, name);

  	if (ret)
  		return ret;

  	ret = ima_inode_removexattr(dentry, name);
  	if (ret)
  		return ret;

  	return evm_inode_removexattr(dentry, name);

  }

  int security_inode_need_killpriv(struct dentry *dentry)
  {

  	return call_int_hook(inode_need_killpriv, 0, dentry);

  }
  
  int security_inode_killpriv(struct dentry *dentry)
  {

  	return call_int_hook(inode_killpriv, 0, dentry);

  }

  int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)

  {

  	struct security_hook_list *hp;
  	int rc;

  	if (unlikely(IS_PRIVATE(inode)))

  		return -EOPNOTSUPP;

  	/*
  	 * Only one module will provide an attribute with a given name.
  	 */

  	hlist_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {

  		rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc);
  		if (rc != -EOPNOTSUPP)
  			return rc;
  	}
  	return -EOPNOTSUPP;

  }
  
  int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
  {

  	struct security_hook_list *hp;
  	int rc;

  	if (unlikely(IS_PRIVATE(inode)))

  		return -EOPNOTSUPP;

  	/*
  	 * Only one module will provide an attribute with a given name.
  	 */

  	hlist_for_each_entry(hp, &security_hook_heads.inode_setsecurity, list) {

  		rc = hp->hook.inode_setsecurity(inode, name, value, size,
  								flags);
  		if (rc != -EOPNOTSUPP)
  			return rc;
  	}
  	return -EOPNOTSUPP;

  }
  
  int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
  {
  	if (unlikely(IS_PRIVATE(inode)))
  		return 0;

  	return call_int_hook(inode_listsecurity, 0, inode, buffer, buffer_size);

  }

  EXPORT_SYMBOL(security_inode_listsecurity);

  void security_inode_getsecid(struct inode *inode, u32 *secid)

  {

  	call_void_hook(inode_getsecid, inode, secid);

  }

  int security_inode_copy_up(struct dentry *src, struct cred **new)
  {
  	return call_int_hook(inode_copy_up, 0, src, new);
  }
  EXPORT_SYMBOL(security_inode_copy_up);

  int security_inode_copy_up_xattr(const char *name)
  {
  	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
  }
  EXPORT_SYMBOL(security_inode_copy_up_xattr);

  int security_file_permission(struct file *file, int mask)
  {

  	int ret;

  	ret = call_int_hook(file_permission, 0, file, mask);

  	if (ret)
  		return ret;
  
  	return fsnotify_perm(file, mask);

  }
  
  int security_file_alloc(struct file *file)
  {

  	return call_int_hook(file_alloc_security, 0, file);

  }
  
  void security_file_free(struct file *file)
  {

  	call_void_hook(file_free_security, file);

  }
  
  int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
  {

  	return call_int_hook(file_ioctl, 0, file, cmd, arg);

  }

  static inline unsigned long mmap_prot(struct file *file, unsigned long prot)

  {

  	/*

  	 * Does we have PROT_READ and does the application expect
  	 * it to imply PROT_EXEC?  If not, nothing to talk about...

  	 */

  	if ((prot & (PROT_READ | PROT_EXEC)) != PROT_READ)
  		return prot;

  	if (!(current->personality & READ_IMPLIES_EXEC))

  		return prot;
  	/*
  	 * if that's an anonymous mapping, let it.
  	 */
  	if (!file)
  		return prot | PROT_EXEC;
  	/*
  	 * ditto if it's not on noexec mount, except that on !MMU we need

  	 * NOMMU_MAP_EXEC (== VM_MAYEXEC) in this case

  	 */

  	if (!path_noexec(&file->f_path)) {

  #ifndef CONFIG_MMU

  		if (file->f_op->mmap_capabilities) {
  			unsigned caps = file->f_op->mmap_capabilities(file);
  			if (!(caps & NOMMU_MAP_EXEC))
  				return prot;
  		}

  #endif

  		return prot | PROT_EXEC;

  	}

  	/* anything on noexec mount won't get PROT_EXEC */
  	return prot;
  }
  
  int security_mmap_file(struct file *file, unsigned long prot,
  			unsigned long flags)
  {
  	int ret;

  	ret = call_int_hook(mmap_file, 0, file, prot,

  					mmap_prot(file, prot), flags);

  	if (ret)
  		return ret;
  	return ima_file_mmap(file, prot);

  }

  int security_mmap_addr(unsigned long addr)
  {

  	return call_int_hook(mmap_addr, 0, addr);

  }

  int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
  			    unsigned long prot)
  {

  	return call_int_hook(file_mprotect, 0, vma, reqprot, prot);

  }
  
  int security_file_lock(struct file *file, unsigned int cmd)
  {

  	return call_int_hook(file_lock, 0, file, cmd);

  }
  
  int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
  {

  	return call_int_hook(file_fcntl, 0, file, cmd, arg);

  }

  void security_file_set_fowner(struct file *file)

  {

  	call_void_hook(file_set_fowner, file);

  }
  
  int security_file_send_sigiotask(struct task_struct *tsk,
  				  struct fown_struct *fown, int sig)
  {

  	return call_int_hook(file_send_sigiotask, 0, tsk, fown, sig);

  }
  
  int security_file_receive(struct file *file)
  {

  	return call_int_hook(file_receive, 0, file);

  }

  int security_file_open(struct file *file)

  {

  	int ret;

  	ret = call_int_hook(file_open, 0, file);

  	if (ret)
  		return ret;
  
  	return fsnotify_perm(file, MAY_OPEN);

  }

  int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
  {
  	return call_int_hook(task_alloc, 0, task, clone_flags);
  }

  void security_task_free(struct task_struct *task)
  {

  	call_void_hook(task_free, task);

  }

  int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
  {

  	return call_int_hook(cred_alloc_blank, 0, cred, gfp);

  }

  void security_cred_free(struct cred *cred)

  {

  	/*
  	 * There is a failure case in prepare_creds() that
  	 * may result in a call here with ->security being NULL.
  	 */
  	if (unlikely(cred->security == NULL))
  		return;

  	call_void_hook(cred_free, cred);

  }

  int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)

  {

  	return call_int_hook(cred_prepare, 0, new, old, gfp);

  }

  void security_transfer_creds(struct cred *new, const struct cred *old)
  {

  	call_void_hook(cred_transfer, new, old);

  }

  void security_cred_getsecid(const struct cred *c, u32 *secid)
  {
  	*secid = 0;
  	call_void_hook(cred_getsecid, c, secid);
  }
  EXPORT_SYMBOL(security_cred_getsecid);

  int security_kernel_act_as(struct cred *new, u32 secid)
  {

  	return call_int_hook(kernel_act_as, 0, new, secid);

  }
  
  int security_kernel_create_files_as(struct cred *new, struct inode *inode)
  {

  	return call_int_hook(kernel_create_files_as, 0, new, inode);

  }

  int security_kernel_module_request(char *kmod_name)

  {

  	int ret;
  
  	ret = call_int_hook(kernel_module_request, 0, kmod_name);
  	if (ret)
  		return ret;
  	return integrity_kernel_module_request(kmod_name);

  }

  int security_kernel_read_file(struct file *file, enum kernel_read_file_id id)
  {
  	int ret;
  
  	ret = call_int_hook(kernel_read_file, 0, file, id);
  	if (ret)
  		return ret;
  	return ima_read_file(file, id);
  }
  EXPORT_SYMBOL_GPL(security_kernel_read_file);

  int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
  				   enum kernel_read_file_id id)

  {

  	int ret;
  
  	ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id);
  	if (ret)
  		return ret;
  	return ima_post_read_file(file, buf, size, id);

  }
  EXPORT_SYMBOL_GPL(security_kernel_post_read_file);

  int security_kernel_load_data(enum kernel_load_data_id id)
  {

  	int ret;
  
  	ret = call_int_hook(kernel_load_data, 0, id);
  	if (ret)
  		return ret;
  	return ima_load_data(id);

  }

  EXPORT_SYMBOL_GPL(security_kernel_load_data);

  int security_task_fix_setuid(struct cred *new, const struct cred *old,
  			     int flags)

  {

  	return call_int_hook(task_fix_setuid, 0, new, old, flags);

  }

  int security_task_setpgid(struct task_struct *p, pid_t pgid)
  {

  	return call_int_hook(task_setpgid, 0, p, pgid);

  }
  
  int security_task_getpgid(struct task_struct *p)
  {

  	return call_int_hook(task_getpgid, 0, p);

  }
  
  int security_task_getsid(struct task_struct *p)
  {

  	return call_int_hook(task_getsid, 0, p);

  }
  
  void security_task_getsecid(struct task_struct *p, u32 *secid)
  {

  	*secid = 0;

  	call_void_hook(task_getsecid, p, secid);

  }
  EXPORT_SYMBOL(security_task_getsecid);

  int security_task_setnice(struct task_struct *p, int nice)
  {

  	return call_int_hook(task_setnice, 0, p, nice);

  }
  
  int security_task_setioprio(struct task_struct *p, int ioprio)
  {

  	return call_int_hook(task_setioprio, 0, p, ioprio);

  }
  
  int security_task_getioprio(struct task_struct *p)
  {

  	return call_int_hook(task_getioprio, 0, p);

  }

  int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
  			  unsigned int flags)
  {
  	return call_int_hook(task_prlimit, 0, cred, tcred, flags);
  }

  int security_task_setrlimit(struct task_struct *p, unsigned int resource,
  		struct rlimit *new_rlim)

  {

  	return call_int_hook(task_setrlimit, 0, p, resource, new_rlim);

  }

  int security_task_setscheduler(struct task_struct *p)

  {

  	return call_int_hook(task_setscheduler, 0, p);

  }
  
  int security_task_getscheduler(struct task_struct *p)
  {

  	return call_int_hook(task_getscheduler, 0, p);

  }
  
  int security_task_movememory(struct task_struct *p)
  {

  	return call_int_hook(task_movememory, 0, p);

  }
  
  int security_task_kill(struct task_struct *p, struct siginfo *info,

  			int sig, const struct cred *cred)

  {

  	return call_int_hook(task_kill, 0, p, info, sig, cred);

  }

  int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,

  			 unsigned long arg4, unsigned long arg5)

  {

  	int thisrc;
  	int rc = -ENOSYS;
  	struct security_hook_list *hp;

  	hlist_for_each_entry(hp, &security_hook_heads.task_prctl, list) {

  		thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5);
  		if (thisrc != -ENOSYS) {
  			rc = thisrc;
  			if (thisrc != 0)
  				break;
  		}
  	}
  	return rc;

  }
  
  void security_task_to_inode(struct task_struct *p, struct inode *inode)
  {

  	call_void_hook(task_to_inode, p, inode);

  }
  
  int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
  {

  	return call_int_hook(ipc_permission, 0, ipcp, flag);

  }

  void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
  {

  	*secid = 0;

  	call_void_hook(ipc_getsecid, ipcp, secid);

  }

  int security_msg_msg_alloc(struct msg_msg *msg)
  {

  	return call_int_hook(msg_msg_alloc_security, 0, msg);

  }
  
  void security_msg_msg_free(struct msg_msg *msg)
  {

  	call_void_hook(msg_msg_free_security, msg);

  }

  int security_msg_queue_alloc(struct kern_ipc_perm *msq)

  {

  	return call_int_hook(msg_queue_alloc_security, 0, msq);

  }

  void security_msg_queue_free(struct kern_ipc_perm *msq)

  {

  	call_void_hook(msg_queue_free_security, msq);

  }

  int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)

  {

  	return call_int_hook(msg_queue_associate, 0, msq, msqflg);

  }

  int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)

  {

  	return call_int_hook(msg_queue_msgctl, 0, msq, cmd);

  }

  int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,

  			       struct msg_msg *msg, int msqflg)
  {

  	return call_int_hook(msg_queue_msgsnd, 0, msq, msg, msqflg);

  }

  int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,

  			       struct task_struct *target, long type, int mode)
  {

  	return call_int_hook(msg_queue_msgrcv, 0, msq, msg, target, type, mode);

  }

  int security_shm_alloc(struct kern_ipc_perm *shp)

  {

  	return call_int_hook(shm_alloc_security, 0, shp);

  }

  void security_shm_free(struct kern_ipc_perm *shp)

  {

  	call_void_hook(shm_free_security, shp);

  }

  int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)

  {

  	return call_int_hook(shm_associate, 0, shp, shmflg);

  }

  int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd)

  {

  	return call_int_hook(shm_shmctl, 0, shp, cmd);

  }

  int security_shm_shmat(struct kern_ipc_perm *shp, char __user *shmaddr, int shmflg)

  {

  	return call_int_hook(shm_shmat, 0, shp, shmaddr, shmflg);

  }

  int security_sem_alloc(struct kern_ipc_perm *sma)

  {

  	return call_int_hook(sem_alloc_security, 0, sma);

  }

  void security_sem_free(struct kern_ipc_perm *sma)

  {