Eric Lee / smarc-ti-linux-kernel

Download as
Browse Code ยป

Commit 1996a10948e50e546dc2b64276723c0b64d3173b

Authored by Jan Engelhardt
Committed by James Morris
1 parent 63cb344923
Exists in master and in 20 other branches dlt-processor-sdk-linux-03.00.00.04, newt-ti-linux-3.12.y, processor-sdk-linux-01.00.00, processor-sdk-linux-02.00.01, smarc-ti-linux-3.12.10, smarc-ti-linux-3.12.y, smarc-ti-linux-3.14.y, smarc-ti-linux-3.15.y, smarc-ti-lsk-linux-4.1.y, smarct3x-processor-sdk-04.01.00.06, smarct3x-processor-sdk-linux-02.00.01, smarct3x-processor-sdk-linux-03.00.00.04, smarct4x-800-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-04.01.00.06, smarct4x-processor-sdk-linux-02.00.01, smarct4x-processor-sdk-linux-03.00.00.04, ti-linux-3.12.y, ti-linux-3.14.y, ti-linux-3.15.y, ti-lsk-linux-4.1.y

security/selinux: constify function pointer tables and fields 

Constify function pointer tables and fields.

Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: James Morris <jmorris@namei.org>

Showing 3 changed files with 4 additions and 4 deletions Inline Diff

include/linux/security.h
Diff comments   View file @ 1996a10
1 /* 1 /*
2 * Linux Security plug 2 * Linux Security plug
3 * 3 *
4 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com> 4 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
5 * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com> 5 * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
6 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com> 6 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
7 * Copyright (C) 2001 James Morris <jmorris@intercode.com.au> 7 * Copyright (C) 2001 James Morris <jmorris@intercode.com.au>
8 * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group) 8 * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
9 * 9 *
10 * This program is free software; you can redistribute it and/or modify 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License as published by 11 * it under the terms of the GNU General Public License as published by
12 * the Free Software Foundation; either version 2 of the License, or 12 * the Free Software Foundation; either version 2 of the License, or
13 * (at your option) any later version. 13 * (at your option) any later version.
14 * 14 *
15 * Due to this file being licensed under the GPL there is controversy over 15 * Due to this file being licensed under the GPL there is controversy over
16 * whether this permits you to write a module that #includes this file 16 * whether this permits you to write a module that #includes this file
17 * without placing your module under the GPL. Please consult a lawyer for 17 * without placing your module under the GPL. Please consult a lawyer for
18 * advice before doing this. 18 * advice before doing this.
19 * 19 *
20 */ 20 */
21 21
22 #ifndef __LINUX_SECURITY_H 22 #ifndef __LINUX_SECURITY_H
23 #define __LINUX_SECURITY_H 23 #define __LINUX_SECURITY_H
24 24
25 #include <linux/fs.h> 25 #include <linux/fs.h>
26 #include <linux/binfmts.h> 26 #include <linux/binfmts.h>
27 #include <linux/signal.h> 27 #include <linux/signal.h>
28 #include <linux/resource.h> 28 #include <linux/resource.h>
29 #include <linux/sem.h> 29 #include <linux/sem.h>
30 #include <linux/shm.h> 30 #include <linux/shm.h>
31 #include <linux/msg.h> 31 #include <linux/msg.h>
32 #include <linux/sched.h> 32 #include <linux/sched.h>
33 #include <linux/key.h> 33 #include <linux/key.h>
34 #include <linux/xfrm.h> 34 #include <linux/xfrm.h>
35 #include <net/flow.h> 35 #include <net/flow.h>
36 36
37 /* only a char in selinux superblock security struct flags */ 37 /* only a char in selinux superblock security struct flags */
38 #define FSCONTEXT_MNT 0x01 38 #define FSCONTEXT_MNT 0x01
39 #define CONTEXT_MNT 0x02 39 #define CONTEXT_MNT 0x02
40 #define ROOTCONTEXT_MNT 0x04 40 #define ROOTCONTEXT_MNT 0x04
41 #define DEFCONTEXT_MNT 0x08 41 #define DEFCONTEXT_MNT 0x08
42 42
43 /* 43 /*
44 * Bounding set 44 * Bounding set
45 */ 45 */
46 extern kernel_cap_t cap_bset; 46 extern kernel_cap_t cap_bset;
47 47
48 extern unsigned securebits; 48 extern unsigned securebits;
49 49
50 struct ctl_table; 50 struct ctl_table;
51 51
52 /* 52 /*
53 * These functions are in security/capability.c and are used 53 * These functions are in security/capability.c and are used
54 * as the default capabilities functions 54 * as the default capabilities functions
55 */ 55 */
56 extern int cap_capable (struct task_struct *tsk, int cap); 56 extern int cap_capable (struct task_struct *tsk, int cap);
57 extern int cap_settime (struct timespec *ts, struct timezone *tz); 57 extern int cap_settime (struct timespec *ts, struct timezone *tz);
58 extern int cap_ptrace (struct task_struct *parent, struct task_struct *child); 58 extern int cap_ptrace (struct task_struct *parent, struct task_struct *child);
59 extern int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 59 extern int cap_capget (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
60 extern int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 60 extern int cap_capset_check (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
61 extern void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); 61 extern void cap_capset_set (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
62 extern int cap_bprm_set_security (struct linux_binprm *bprm); 62 extern int cap_bprm_set_security (struct linux_binprm *bprm);
63 extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe); 63 extern void cap_bprm_apply_creds (struct linux_binprm *bprm, int unsafe);
64 extern int cap_bprm_secureexec(struct linux_binprm *bprm); 64 extern int cap_bprm_secureexec(struct linux_binprm *bprm);
65 extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags); 65 extern int cap_inode_setxattr(struct dentry *dentry, char *name, void *value, size_t size, int flags);
66 extern int cap_inode_removexattr(struct dentry *dentry, char *name); 66 extern int cap_inode_removexattr(struct dentry *dentry, char *name);
67 extern int cap_inode_need_killpriv(struct dentry *dentry); 67 extern int cap_inode_need_killpriv(struct dentry *dentry);
68 extern int cap_inode_killpriv(struct dentry *dentry); 68 extern int cap_inode_killpriv(struct dentry *dentry);
69 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags); 69 extern int cap_task_post_setuid (uid_t old_ruid, uid_t old_euid, uid_t old_suid, int flags);
70 extern void cap_task_reparent_to_init (struct task_struct *p); 70 extern void cap_task_reparent_to_init (struct task_struct *p);
71 extern int cap_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid); 71 extern int cap_task_kill(struct task_struct *p, struct siginfo *info, int sig, u32 secid);
72 extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp); 72 extern int cap_task_setscheduler (struct task_struct *p, int policy, struct sched_param *lp);
73 extern int cap_task_setioprio (struct task_struct *p, int ioprio); 73 extern int cap_task_setioprio (struct task_struct *p, int ioprio);
74 extern int cap_task_setnice (struct task_struct *p, int nice); 74 extern int cap_task_setnice (struct task_struct *p, int nice);
75 extern int cap_syslog (int type); 75 extern int cap_syslog (int type);
76 extern int cap_vm_enough_memory(struct mm_struct *mm, long pages); 76 extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);
77 77
78 struct msghdr; 78 struct msghdr;
79 struct sk_buff; 79 struct sk_buff;
80 struct sock; 80 struct sock;
81 struct sockaddr; 81 struct sockaddr;
82 struct socket; 82 struct socket;
83 struct flowi; 83 struct flowi;
84 struct dst_entry; 84 struct dst_entry;
85 struct xfrm_selector; 85 struct xfrm_selector;
86 struct xfrm_policy; 86 struct xfrm_policy;
87 struct xfrm_state; 87 struct xfrm_state;
88 struct xfrm_user_sec_ctx; 88 struct xfrm_user_sec_ctx;
89 89
90 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); 90 extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
91 extern int cap_netlink_recv(struct sk_buff *skb, int cap); 91 extern int cap_netlink_recv(struct sk_buff *skb, int cap);
92 92
93 extern unsigned long mmap_min_addr; 93 extern unsigned long mmap_min_addr;
94 /* 94 /*
95 * Values used in the task_security_ops calls 95 * Values used in the task_security_ops calls
96 */ 96 */
97 /* setuid or setgid, id0 == uid or gid */ 97 /* setuid or setgid, id0 == uid or gid */
98 #define LSM_SETID_ID 1 98 #define LSM_SETID_ID 1
99 99
100 /* setreuid or setregid, id0 == real, id1 == eff */ 100 /* setreuid or setregid, id0 == real, id1 == eff */
101 #define LSM_SETID_RE 2 101 #define LSM_SETID_RE 2
102 102
103 /* setresuid or setresgid, id0 == real, id1 == eff, uid2 == saved */ 103 /* setresuid or setresgid, id0 == real, id1 == eff, uid2 == saved */
104 #define LSM_SETID_RES 4 104 #define LSM_SETID_RES 4
105 105
106 /* setfsuid or setfsgid, id0 == fsuid or fsgid */ 106 /* setfsuid or setfsgid, id0 == fsuid or fsgid */
107 #define LSM_SETID_FS 8 107 #define LSM_SETID_FS 8
108 108
109 /* forward declares to avoid warnings */ 109 /* forward declares to avoid warnings */
110 struct nfsctl_arg; 110 struct nfsctl_arg;
111 struct sched_param; 111 struct sched_param;
112 struct swap_info_struct; 112 struct swap_info_struct;
113 struct request_sock; 113 struct request_sock;
114 114
115 /* bprm_apply_creds unsafe reasons */ 115 /* bprm_apply_creds unsafe reasons */
116 #define LSM_UNSAFE_SHARE 1 116 #define LSM_UNSAFE_SHARE 1
117 #define LSM_UNSAFE_PTRACE 2 117 #define LSM_UNSAFE_PTRACE 2
118 #define LSM_UNSAFE_PTRACE_CAP 4 118 #define LSM_UNSAFE_PTRACE_CAP 4
119 119
120 #ifdef CONFIG_SECURITY 120 #ifdef CONFIG_SECURITY
121 121
122 /** 122 /**
123 * struct security_operations - main security structure 123 * struct security_operations - main security structure
124 * 124 *
125 * Security hooks for program execution operations. 125 * Security hooks for program execution operations.
126 * 126 *
127 * @bprm_alloc_security: 127 * @bprm_alloc_security:
128 * Allocate and attach a security structure to the @bprm->security field. 128 * Allocate and attach a security structure to the @bprm->security field.
129 * The security field is initialized to NULL when the bprm structure is 129 * The security field is initialized to NULL when the bprm structure is
130 * allocated. 130 * allocated.
131 * @bprm contains the linux_binprm structure to be modified. 131 * @bprm contains the linux_binprm structure to be modified.
132 * Return 0 if operation was successful. 132 * Return 0 if operation was successful.
133 * @bprm_free_security: 133 * @bprm_free_security:
134 * @bprm contains the linux_binprm structure to be modified. 134 * @bprm contains the linux_binprm structure to be modified.
135 * Deallocate and clear the @bprm->security field. 135 * Deallocate and clear the @bprm->security field.
136 * @bprm_apply_creds: 136 * @bprm_apply_creds:
137 * Compute and set the security attributes of a process being transformed 137 * Compute and set the security attributes of a process being transformed
138 * by an execve operation based on the old attributes (current->security) 138 * by an execve operation based on the old attributes (current->security)
139 * and the information saved in @bprm->security by the set_security hook. 139 * and the information saved in @bprm->security by the set_security hook.
140 * Since this hook function (and its caller) are void, this hook can not 140 * Since this hook function (and its caller) are void, this hook can not
141 * return an error. However, it can leave the security attributes of the 141 * return an error. However, it can leave the security attributes of the
142 * process unchanged if an access failure occurs at this point. 142 * process unchanged if an access failure occurs at this point.
143 * bprm_apply_creds is called under task_lock. @unsafe indicates various 143 * bprm_apply_creds is called under task_lock. @unsafe indicates various
144 * reasons why it may be unsafe to change security state. 144 * reasons why it may be unsafe to change security state.
145 * @bprm contains the linux_binprm structure. 145 * @bprm contains the linux_binprm structure.
146 * @bprm_post_apply_creds: 146 * @bprm_post_apply_creds:
147 * Runs after bprm_apply_creds with the task_lock dropped, so that 147 * Runs after bprm_apply_creds with the task_lock dropped, so that
148 * functions which cannot be called safely under the task_lock can 148 * functions which cannot be called safely under the task_lock can
149 * be used. This hook is a good place to perform state changes on 149 * be used. This hook is a good place to perform state changes on
150 * the process such as closing open file descriptors to which access 150 * the process such as closing open file descriptors to which access
151 * is no longer granted if the attributes were changed. 151 * is no longer granted if the attributes were changed.
152 * Note that a security module might need to save state between 152 * Note that a security module might need to save state between
153 * bprm_apply_creds and bprm_post_apply_creds to store the decision 153 * bprm_apply_creds and bprm_post_apply_creds to store the decision
154 * on whether the process may proceed. 154 * on whether the process may proceed.
155 * @bprm contains the linux_binprm structure. 155 * @bprm contains the linux_binprm structure.
156 * @bprm_set_security: 156 * @bprm_set_security:
157 * Save security information in the bprm->security field, typically based 157 * Save security information in the bprm->security field, typically based
158 * on information about the bprm->file, for later use by the apply_creds 158 * on information about the bprm->file, for later use by the apply_creds
159 * hook. This hook may also optionally check permissions (e.g. for 159 * hook. This hook may also optionally check permissions (e.g. for
160 * transitions between security domains). 160 * transitions between security domains).
161 * This hook may be called multiple times during a single execve, e.g. for 161 * This hook may be called multiple times during a single execve, e.g. for
162 * interpreters. The hook can tell whether it has already been called by 162 * interpreters. The hook can tell whether it has already been called by
163 * checking to see if @bprm->security is non-NULL. If so, then the hook 163 * checking to see if @bprm->security is non-NULL. If so, then the hook
164 * may decide either to retain the security information saved earlier or 164 * may decide either to retain the security information saved earlier or
165 * to replace it. 165 * to replace it.
166 * @bprm contains the linux_binprm structure. 166 * @bprm contains the linux_binprm structure.
167 * Return 0 if the hook is successful and permission is granted. 167 * Return 0 if the hook is successful and permission is granted.
168 * @bprm_check_security: 168 * @bprm_check_security:
169 * This hook mediates the point when a search for a binary handler will 169 * This hook mediates the point when a search for a binary handler will
170 * begin. It allows a check the @bprm->security value which is set in 170 * begin. It allows a check the @bprm->security value which is set in
171 * the preceding set_security call. The primary difference from 171 * the preceding set_security call. The primary difference from
172 * set_security is that the argv list and envp list are reliably 172 * set_security is that the argv list and envp list are reliably
173 * available in @bprm. This hook may be called multiple times 173 * available in @bprm. This hook may be called multiple times
174 * during a single execve; and in each pass set_security is called 174 * during a single execve; and in each pass set_security is called
175 * first. 175 * first.
176 * @bprm contains the linux_binprm structure. 176 * @bprm contains the linux_binprm structure.
177 * Return 0 if the hook is successful and permission is granted. 177 * Return 0 if the hook is successful and permission is granted.
178 * @bprm_secureexec: 178 * @bprm_secureexec:
179 * Return a boolean value (0 or 1) indicating whether a "secure exec" 179 * Return a boolean value (0 or 1) indicating whether a "secure exec"
180 * is required. The flag is passed in the auxiliary table 180 * is required. The flag is passed in the auxiliary table
181 * on the initial stack to the ELF interpreter to indicate whether libc 181 * on the initial stack to the ELF interpreter to indicate whether libc
182 * should enable secure mode. 182 * should enable secure mode.
183 * @bprm contains the linux_binprm structure. 183 * @bprm contains the linux_binprm structure.
184 * 184 *
185 * Security hooks for filesystem operations. 185 * Security hooks for filesystem operations.
186 * 186 *
187 * @sb_alloc_security: 187 * @sb_alloc_security:
188 * Allocate and attach a security structure to the sb->s_security field. 188 * Allocate and attach a security structure to the sb->s_security field.
189 * The s_security field is initialized to NULL when the structure is 189 * The s_security field is initialized to NULL when the structure is
190 * allocated. 190 * allocated.
191 * @sb contains the super_block structure to be modified. 191 * @sb contains the super_block structure to be modified.
192 * Return 0 if operation was successful. 192 * Return 0 if operation was successful.
193 * @sb_free_security: 193 * @sb_free_security:
194 * Deallocate and clear the sb->s_security field. 194 * Deallocate and clear the sb->s_security field.
195 * @sb contains the super_block structure to be modified. 195 * @sb contains the super_block structure to be modified.
196 * @sb_statfs: 196 * @sb_statfs:
197 * Check permission before obtaining filesystem statistics for the @mnt 197 * Check permission before obtaining filesystem statistics for the @mnt
198 * mountpoint. 198 * mountpoint.
199 * @dentry is a handle on the superblock for the filesystem. 199 * @dentry is a handle on the superblock for the filesystem.
200 * Return 0 if permission is granted. 200 * Return 0 if permission is granted.
201 * @sb_mount: 201 * @sb_mount:
202 * Check permission before an object specified by @dev_name is mounted on 202 * Check permission before an object specified by @dev_name is mounted on
203 * the mount point named by @nd. For an ordinary mount, @dev_name 203 * the mount point named by @nd. For an ordinary mount, @dev_name
204 * identifies a device if the file system type requires a device. For a 204 * identifies a device if the file system type requires a device. For a
205 * remount (@flags & MS_REMOUNT), @dev_name is irrelevant. For a 205 * remount (@flags & MS_REMOUNT), @dev_name is irrelevant. For a
206 * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the 206 * loopback/bind mount (@flags & MS_BIND), @dev_name identifies the
207 * pathname of the object being mounted. 207 * pathname of the object being mounted.
208 * @dev_name contains the name for object being mounted. 208 * @dev_name contains the name for object being mounted.
209 * @nd contains the nameidata structure for mount point object. 209 * @nd contains the nameidata structure for mount point object.
210 * @type contains the filesystem type. 210 * @type contains the filesystem type.
211 * @flags contains the mount flags. 211 * @flags contains the mount flags.
212 * @data contains the filesystem-specific data. 212 * @data contains the filesystem-specific data.
213 * Return 0 if permission is granted. 213 * Return 0 if permission is granted.
214 * @sb_copy_data: 214 * @sb_copy_data:
215 * Allow mount option data to be copied prior to parsing by the filesystem, 215 * Allow mount option data to be copied prior to parsing by the filesystem,
216 * so that the security module can extract security-specific mount 216 * so that the security module can extract security-specific mount
217 * options cleanly (a filesystem may modify the data e.g. with strsep()). 217 * options cleanly (a filesystem may modify the data e.g. with strsep()).
218 * This also allows the original mount data to be stripped of security- 218 * This also allows the original mount data to be stripped of security-
219 * specific options to avoid having to make filesystems aware of them. 219 * specific options to avoid having to make filesystems aware of them.
220 * @type the type of filesystem being mounted. 220 * @type the type of filesystem being mounted.
221 * @orig the original mount data copied from userspace. 221 * @orig the original mount data copied from userspace.
222 * @copy copied data which will be passed to the security module. 222 * @copy copied data which will be passed to the security module.
223 * Returns 0 if the copy was successful. 223 * Returns 0 if the copy was successful.
224 * @sb_check_sb: 224 * @sb_check_sb:
225 * Check permission before the device with superblock @mnt->sb is mounted 225 * Check permission before the device with superblock @mnt->sb is mounted
226 * on the mount point named by @nd. 226 * on the mount point named by @nd.
227 * @mnt contains the vfsmount for device being mounted. 227 * @mnt contains the vfsmount for device being mounted.
228 * @nd contains the nameidata object for the mount point. 228 * @nd contains the nameidata object for the mount point.
229 * Return 0 if permission is granted. 229 * Return 0 if permission is granted.
230 * @sb_umount: 230 * @sb_umount:
231 * Check permission before the @mnt file system is unmounted. 231 * Check permission before the @mnt file system is unmounted.
232 * @mnt contains the mounted file system. 232 * @mnt contains the mounted file system.
233 * @flags contains the unmount flags, e.g. MNT_FORCE. 233 * @flags contains the unmount flags, e.g. MNT_FORCE.
234 * Return 0 if permission is granted. 234 * Return 0 if permission is granted.
235 * @sb_umount_close: 235 * @sb_umount_close:
236 * Close any files in the @mnt mounted filesystem that are held open by 236 * Close any files in the @mnt mounted filesystem that are held open by
237 * the security module. This hook is called during an umount operation 237 * the security module. This hook is called during an umount operation
238 * prior to checking whether the filesystem is still busy. 238 * prior to checking whether the filesystem is still busy.
239 * @mnt contains the mounted filesystem. 239 * @mnt contains the mounted filesystem.
240 * @sb_umount_busy: 240 * @sb_umount_busy:
241 * Handle a failed umount of the @mnt mounted filesystem, e.g. re-opening 241 * Handle a failed umount of the @mnt mounted filesystem, e.g. re-opening
242 * any files that were closed by umount_close. This hook is called during 242 * any files that were closed by umount_close. This hook is called during
243 * an umount operation if the umount fails after a call to the 243 * an umount operation if the umount fails after a call to the
244 * umount_close hook. 244 * umount_close hook.
245 * @mnt contains the mounted filesystem. 245 * @mnt contains the mounted filesystem.
246 * @sb_post_remount: 246 * @sb_post_remount:
247 * Update the security module's state when a filesystem is remounted. 247 * Update the security module's state when a filesystem is remounted.
248 * This hook is only called if the remount was successful. 248 * This hook is only called if the remount was successful.
249 * @mnt contains the mounted file system. 249 * @mnt contains the mounted file system.
250 * @flags contains the new filesystem flags. 250 * @flags contains the new filesystem flags.
251 * @data contains the filesystem-specific data. 251 * @data contains the filesystem-specific data.
252 * @sb_post_addmount: 252 * @sb_post_addmount:
253 * Update the security module's state when a filesystem is mounted. 253 * Update the security module's state when a filesystem is mounted.
254 * This hook is called any time a mount is successfully grafetd to 254 * This hook is called any time a mount is successfully grafetd to
255 * the tree. 255 * the tree.
256 * @mnt contains the mounted filesystem. 256 * @mnt contains the mounted filesystem.
257 * @mountpoint_nd contains the nameidata structure for the mount point. 257 * @mountpoint_nd contains the nameidata structure for the mount point.
258 * @sb_pivotroot: 258 * @sb_pivotroot:
259 * Check permission before pivoting the root filesystem. 259 * Check permission before pivoting the root filesystem.
260 * @old_nd contains the nameidata structure for the new location of the current root (put_old). 260 * @old_nd contains the nameidata structure for the new location of the current root (put_old).
261 * @new_nd contains the nameidata structure for the new root (new_root). 261 * @new_nd contains the nameidata structure for the new root (new_root).
262 * Return 0 if permission is granted. 262 * Return 0 if permission is granted.
263 * @sb_post_pivotroot: 263 * @sb_post_pivotroot:
264 * Update module state after a successful pivot. 264 * Update module state after a successful pivot.
265 * @old_nd contains the nameidata structure for the old root. 265 * @old_nd contains the nameidata structure for the old root.
266 * @new_nd contains the nameidata structure for the new root. 266 * @new_nd contains the nameidata structure for the new root.
267 * @sb_get_mnt_opts: 267 * @sb_get_mnt_opts:
268 * Get the security relevant mount options used for a superblock 268 * Get the security relevant mount options used for a superblock
269 * @sb the superblock to get security mount options from 269 * @sb the superblock to get security mount options from
270 * @mount_options array for pointers to mount options 270 * @mount_options array for pointers to mount options
271 * @mount_flags array of ints specifying what each mount options is 271 * @mount_flags array of ints specifying what each mount options is
272 * @num_opts number of options in the arrays 272 * @num_opts number of options in the arrays
273 * @sb_set_mnt_opts: 273 * @sb_set_mnt_opts:
274 * Set the security relevant mount options used for a superblock 274 * Set the security relevant mount options used for a superblock
275 * @sb the superblock to set security mount options for 275 * @sb the superblock to set security mount options for
276 * @mount_options array for pointers to mount options 276 * @mount_options array for pointers to mount options
277 * @mount_flags array of ints specifying what each mount options is 277 * @mount_flags array of ints specifying what each mount options is
278 * @num_opts number of options in the arrays 278 * @num_opts number of options in the arrays
279 * @sb_clone_mnt_opts: 279 * @sb_clone_mnt_opts:
280 * Copy all security options from a given superblock to another 280 * Copy all security options from a given superblock to another
281 * @oldsb old superblock which contain information to clone 281 * @oldsb old superblock which contain information to clone
282 * @newsb new superblock which needs filled in 282 * @newsb new superblock which needs filled in
283 * 283 *
284 * Security hooks for inode operations. 284 * Security hooks for inode operations.
285 * 285 *
286 * @inode_alloc_security: 286 * @inode_alloc_security:
287 * Allocate and attach a security structure to @inode->i_security. The 287 * Allocate and attach a security structure to @inode->i_security. The
288 * i_security field is initialized to NULL when the inode structure is 288 * i_security field is initialized to NULL when the inode structure is
289 * allocated. 289 * allocated.
290 * @inode contains the inode structure. 290 * @inode contains the inode structure.
291 * Return 0 if operation was successful. 291 * Return 0 if operation was successful.
292 * @inode_free_security: 292 * @inode_free_security:
293 * @inode contains the inode structure. 293 * @inode contains the inode structure.
294 * Deallocate the inode security structure and set @inode->i_security to 294 * Deallocate the inode security structure and set @inode->i_security to
295 * NULL. 295 * NULL.
296 * @inode_init_security: 296 * @inode_init_security:
297 * Obtain the security attribute name suffix and value to set on a newly 297 * Obtain the security attribute name suffix and value to set on a newly
298 * created inode and set up the incore security field for the new inode. 298 * created inode and set up the incore security field for the new inode.
299 * This hook is called by the fs code as part of the inode creation 299 * This hook is called by the fs code as part of the inode creation
300 * transaction and provides for atomic labeling of the inode, unlike 300 * transaction and provides for atomic labeling of the inode, unlike
301 * the post_create/mkdir/... hooks called by the VFS. The hook function 301 * the post_create/mkdir/... hooks called by the VFS. The hook function
302 * is expected to allocate the name and value via kmalloc, with the caller 302 * is expected to allocate the name and value via kmalloc, with the caller
303 * being responsible for calling kfree after using them. 303 * being responsible for calling kfree after using them.
304 * If the security module does not use security attributes or does 304 * If the security module does not use security attributes or does
305 * not wish to put a security attribute on this particular inode, 305 * not wish to put a security attribute on this particular inode,
306 * then it should return -EOPNOTSUPP to skip this processing. 306 * then it should return -EOPNOTSUPP to skip this processing.
307 * @inode contains the inode structure of the newly created inode. 307 * @inode contains the inode structure of the newly created inode.
308 * @dir contains the inode structure of the parent directory. 308 * @dir contains the inode structure of the parent directory.
309 * @name will be set to the allocated name suffix (e.g. selinux). 309 * @name will be set to the allocated name suffix (e.g. selinux).
310 * @value will be set to the allocated attribute value. 310 * @value will be set to the allocated attribute value.
311 * @len will be set to the length of the value. 311 * @len will be set to the length of the value.
312 * Returns 0 if @name and @value have been successfully set, 312 * Returns 0 if @name and @value have been successfully set,
313 * -EOPNOTSUPP if no security attribute is needed, or 313 * -EOPNOTSUPP if no security attribute is needed, or
314 * -ENOMEM on memory allocation failure. 314 * -ENOMEM on memory allocation failure.
315 * @inode_create: 315 * @inode_create:
316 * Check permission to create a regular file. 316 * Check permission to create a regular file.
317 * @dir contains inode structure of the parent of the new file. 317 * @dir contains inode structure of the parent of the new file.
318 * @dentry contains the dentry structure for the file to be created. 318 * @dentry contains the dentry structure for the file to be created.
319 * @mode contains the file mode of the file to be created. 319 * @mode contains the file mode of the file to be created.
320 * Return 0 if permission is granted. 320 * Return 0 if permission is granted.
321 * @inode_link: 321 * @inode_link:
322 * Check permission before creating a new hard link to a file. 322 * Check permission before creating a new hard link to a file.
323 * @old_dentry contains the dentry structure for an existing link to the file. 323 * @old_dentry contains the dentry structure for an existing link to the file.
324 * @dir contains the inode structure of the parent directory of the new link. 324 * @dir contains the inode structure of the parent directory of the new link.
325 * @new_dentry contains the dentry structure for the new link. 325 * @new_dentry contains the dentry structure for the new link.
326 * Return 0 if permission is granted. 326 * Return 0 if permission is granted.
327 * @inode_unlink: 327 * @inode_unlink:
328 * Check the permission to remove a hard link to a file. 328 * Check the permission to remove a hard link to a file.
329 * @dir contains the inode structure of parent directory of the file. 329 * @dir contains the inode structure of parent directory of the file.
330 * @dentry contains the dentry structure for file to be unlinked. 330 * @dentry contains the dentry structure for file to be unlinked.
331 * Return 0 if permission is granted. 331 * Return 0 if permission is granted.
332 * @inode_symlink: 332 * @inode_symlink:
333 * Check the permission to create a symbolic link to a file. 333 * Check the permission to create a symbolic link to a file.
334 * @dir contains the inode structure of parent directory of the symbolic link. 334 * @dir contains the inode structure of parent directory of the symbolic link.
335 * @dentry contains the dentry structure of the symbolic link. 335 * @dentry contains the dentry structure of the symbolic link.
336 * @old_name contains the pathname of file. 336 * @old_name contains the pathname of file.
337 * Return 0 if permission is granted. 337 * Return 0 if permission is granted.
338 * @inode_mkdir: 338 * @inode_mkdir:
339 * Check permissions to create a new directory in the existing directory 339 * Check permissions to create a new directory in the existing directory
340 * associated with inode strcture @dir. 340 * associated with inode strcture @dir.
341 * @dir containst the inode structure of parent of the directory to be created. 341 * @dir containst the inode structure of parent of the directory to be created.
342 * @dentry contains the dentry structure of new directory. 342 * @dentry contains the dentry structure of new directory.
343 * @mode contains the mode of new directory. 343 * @mode contains the mode of new directory.
344 * Return 0 if permission is granted. 344 * Return 0 if permission is granted.
345 * @inode_rmdir: 345 * @inode_rmdir:
346 * Check the permission to remove a directory. 346 * Check the permission to remove a directory.
347 * @dir contains the inode structure of parent of the directory to be removed. 347 * @dir contains the inode structure of parent of the directory to be removed.
348 * @dentry contains the dentry structure of directory to be removed. 348 * @dentry contains the dentry structure of directory to be removed.
349 * Return 0 if permission is granted. 349 * Return 0 if permission is granted.
350 * @inode_mknod: 350 * @inode_mknod:
351 * Check permissions when creating a special file (or a socket or a fifo 351 * Check permissions when creating a special file (or a socket or a fifo
352 * file created via the mknod system call). Note that if mknod operation 352 * file created via the mknod system call). Note that if mknod operation
353 * is being done for a regular file, then the create hook will be called 353 * is being done for a regular file, then the create hook will be called
354 * and not this hook. 354 * and not this hook.
355 * @dir contains the inode structure of parent of the new file. 355 * @dir contains the inode structure of parent of the new file.
356 * @dentry contains the dentry structure of the new file. 356 * @dentry contains the dentry structure of the new file.
357 * @mode contains the mode of the new file. 357 * @mode contains the mode of the new file.
358 * @dev contains the device number. 358 * @dev contains the device number.
359 * Return 0 if permission is granted. 359 * Return 0 if permission is granted.
360 * @inode_rename: 360 * @inode_rename:
361 * Check for permission to rename a file or directory. 361 * Check for permission to rename a file or directory.
362 * @old_dir contains the inode structure for parent of the old link. 362 * @old_dir contains the inode structure for parent of the old link.
363 * @old_dentry contains the dentry structure of the old link. 363 * @old_dentry contains the dentry structure of the old link.
364 * @new_dir contains the inode structure for parent of the new link. 364 * @new_dir contains the inode structure for parent of the new link.
365 * @new_dentry contains the dentry structure of the new link. 365 * @new_dentry contains the dentry structure of the new link.
366 * Return 0 if permission is granted. 366 * Return 0 if permission is granted.
367 * @inode_readlink: 367 * @inode_readlink:
368 * Check the permission to read the symbolic link. 368 * Check the permission to read the symbolic link.
369 * @dentry contains the dentry structure for the file link. 369 * @dentry contains the dentry structure for the file link.
370 * Return 0 if permission is granted. 370 * Return 0 if permission is granted.
371 * @inode_follow_link: 371 * @inode_follow_link:
372 * Check permission to follow a symbolic link when looking up a pathname. 372 * Check permission to follow a symbolic link when looking up a pathname.
373 * @dentry contains the dentry structure for the link. 373 * @dentry contains the dentry structure for the link.
374 * @nd contains the nameidata structure for the parent directory. 374 * @nd contains the nameidata structure for the parent directory.
375 * Return 0 if permission is granted. 375 * Return 0 if permission is granted.
376 * @inode_permission: 376 * @inode_permission:
377 * Check permission before accessing an inode. This hook is called by the 377 * Check permission before accessing an inode. This hook is called by the
378 * existing Linux permission function, so a security module can use it to 378 * existing Linux permission function, so a security module can use it to
379 * provide additional checking for existing Linux permission checks. 379 * provide additional checking for existing Linux permission checks.
380 * Notice that this hook is called when a file is opened (as well as many 380 * Notice that this hook is called when a file is opened (as well as many
381 * other operations), whereas the file_security_ops permission hook is 381 * other operations), whereas the file_security_ops permission hook is
382 * called when the actual read/write operations are performed. 382 * called when the actual read/write operations are performed.
383 * @inode contains the inode structure to check. 383 * @inode contains the inode structure to check.
384 * @mask contains the permission mask. 384 * @mask contains the permission mask.
385 * @nd contains the nameidata (may be NULL). 385 * @nd contains the nameidata (may be NULL).
386 * Return 0 if permission is granted. 386 * Return 0 if permission is granted.
387 * @inode_setattr: 387 * @inode_setattr:
388 * Check permission before setting file attributes. Note that the kernel 388 * Check permission before setting file attributes. Note that the kernel
389 * call to notify_change is performed from several locations, whenever 389 * call to notify_change is performed from several locations, whenever
390 * file attributes change (such as when a file is truncated, chown/chmod 390 * file attributes change (such as when a file is truncated, chown/chmod
391 * operations, transferring disk quotas, etc). 391 * operations, transferring disk quotas, etc).
392 * @dentry contains the dentry structure for the file. 392 * @dentry contains the dentry structure for the file.
393 * @attr is the iattr structure containing the new file attributes. 393 * @attr is the iattr structure containing the new file attributes.
394 * Return 0 if permission is granted. 394 * Return 0 if permission is granted.
395 * @inode_getattr: 395 * @inode_getattr:
396 * Check permission before obtaining file attributes. 396 * Check permission before obtaining file attributes.
397 * @mnt is the vfsmount where the dentry was looked up 397 * @mnt is the vfsmount where the dentry was looked up
398 * @dentry contains the dentry structure for the file. 398 * @dentry contains the dentry structure for the file.
399 * Return 0 if permission is granted. 399 * Return 0 if permission is granted.
400 * @inode_delete: 400 * @inode_delete:
401 * @inode contains the inode structure for deleted inode. 401 * @inode contains the inode structure for deleted inode.
402 * This hook is called when a deleted inode is released (i.e. an inode 402 * This hook is called when a deleted inode is released (i.e. an inode
403 * with no hard links has its use count drop to zero). A security module 403 * with no hard links has its use count drop to zero). A security module
404 * can use this hook to release any persistent label associated with the 404 * can use this hook to release any persistent label associated with the
405 * inode. 405 * inode.
406 * @inode_setxattr: 406 * @inode_setxattr:
407 * Check permission before setting the extended attributes 407 * Check permission before setting the extended attributes
408 * @value identified by @name for @dentry. 408 * @value identified by @name for @dentry.
409 * Return 0 if permission is granted. 409 * Return 0 if permission is granted.
410 * @inode_post_setxattr: 410 * @inode_post_setxattr:
411 * Update inode security field after successful setxattr operation. 411 * Update inode security field after successful setxattr operation.
412 * @value identified by @name for @dentry. 412 * @value identified by @name for @dentry.
413 * @inode_getxattr: 413 * @inode_getxattr:
414 * Check permission before obtaining the extended attributes 414 * Check permission before obtaining the extended attributes
415 * identified by @name for @dentry. 415 * identified by @name for @dentry.
416 * Return 0 if permission is granted. 416 * Return 0 if permission is granted.
417 * @inode_listxattr: 417 * @inode_listxattr:
418 * Check permission before obtaining the list of extended attribute 418 * Check permission before obtaining the list of extended attribute
419 * names for @dentry. 419 * names for @dentry.
420 * Return 0 if permission is granted. 420 * Return 0 if permission is granted.
421 * @inode_removexattr: 421 * @inode_removexattr:
422 * Check permission before removing the extended attribute 422 * Check permission before removing the extended attribute
423 * identified by @name for @dentry. 423 * identified by @name for @dentry.
424 * Return 0 if permission is granted. 424 * Return 0 if permission is granted.
425 * @inode_getsecurity: 425 * @inode_getsecurity:
426 * Copy the extended attribute representation of the security label 426 * Copy the extended attribute representation of the security label
427 * associated with @name for @inode into @buffer. @buffer may be 427 * associated with @name for @inode into @buffer. @buffer may be
428 * NULL to request the size of the buffer required. @size indicates 428 * NULL to request the size of the buffer required. @size indicates
429 * the size of @buffer in bytes. Note that @name is the remainder 429 * the size of @buffer in bytes. Note that @name is the remainder
430 * of the attribute name after the security. prefix has been removed. 430 * of the attribute name after the security. prefix has been removed.
431 * @err is the return value from the preceding fs getxattr call, 431 * @err is the return value from the preceding fs getxattr call,
432 * and can be used by the security module to determine whether it 432 * and can be used by the security module to determine whether it
433 * should try and canonicalize the attribute value. 433 * should try and canonicalize the attribute value.
434 * Return number of bytes used/required on success. 434 * Return number of bytes used/required on success.
435 * @inode_setsecurity: 435 * @inode_setsecurity:
436 * Set the security label associated with @name for @inode from the 436 * Set the security label associated with @name for @inode from the
437 * extended attribute value @value. @size indicates the size of the 437 * extended attribute value @value. @size indicates the size of the
438 * @value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0. 438 * @value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0.
439 * Note that @name is the remainder of the attribute name after the 439 * Note that @name is the remainder of the attribute name after the
440 * security. prefix has been removed. 440 * security. prefix has been removed.
441 * Return 0 on success. 441 * Return 0 on success.
442 * @inode_listsecurity: 442 * @inode_listsecurity:
443 * Copy the extended attribute names for the security labels 443 * Copy the extended attribute names for the security labels
444 * associated with @inode into @buffer. The maximum size of @buffer 444 * associated with @inode into @buffer. The maximum size of @buffer
445 * is specified by @buffer_size. @buffer may be NULL to request 445 * is specified by @buffer_size. @buffer may be NULL to request
446 * the size of the buffer required. 446 * the size of the buffer required.
447 * Returns number of bytes used/required on success. 447 * Returns number of bytes used/required on success.
448 * @inode_need_killpriv: 448 * @inode_need_killpriv:
449 * Called when an inode has been changed. 449 * Called when an inode has been changed.
450 * @dentry is the dentry being changed. 450 * @dentry is the dentry being changed.
451 * Return <0 on error to abort the inode change operation. 451 * Return <0 on error to abort the inode change operation.
452 * Return 0 if inode_killpriv does not need to be called. 452 * Return 0 if inode_killpriv does not need to be called.
453 * Return >0 if inode_killpriv does need to be called. 453 * Return >0 if inode_killpriv does need to be called.
454 * @inode_killpriv: 454 * @inode_killpriv:
455 * The setuid bit is being removed. Remove similar security labels. 455 * The setuid bit is being removed. Remove similar security labels.
456 * Called with the dentry->d_inode->i_mutex held. 456 * Called with the dentry->d_inode->i_mutex held.
457 * @dentry is the dentry being changed. 457 * @dentry is the dentry being changed.
458 * Return 0 on success. If error is returned, then the operation 458 * Return 0 on success. If error is returned, then the operation
459 * causing setuid bit removal is failed. 459 * causing setuid bit removal is failed.
460 * 460 *
461 * Security hooks for file operations 461 * Security hooks for file operations
462 * 462 *
463 * @file_permission: 463 * @file_permission:
464 * Check file permissions before accessing an open file. This hook is 464 * Check file permissions before accessing an open file. This hook is
465 * called by various operations that read or write files. A security 465 * called by various operations that read or write files. A security
466 * module can use this hook to perform additional checking on these 466 * module can use this hook to perform additional checking on these
467 * operations, e.g. to revalidate permissions on use to support privilege 467 * operations, e.g. to revalidate permissions on use to support privilege
468 * bracketing or policy changes. Notice that this hook is used when the 468 * bracketing or policy changes. Notice that this hook is used when the
469 * actual read/write operations are performed, whereas the 469 * actual read/write operations are performed, whereas the
470 * inode_security_ops hook is called when a file is opened (as well as 470 * inode_security_ops hook is called when a file is opened (as well as
471 * many other operations). 471 * many other operations).
472 * Caveat: Although this hook can be used to revalidate permissions for 472 * Caveat: Although this hook can be used to revalidate permissions for
473 * various system call operations that read or write files, it does not 473 * various system call operations that read or write files, it does not
474 * address the revalidation of permissions for memory-mapped files. 474 * address the revalidation of permissions for memory-mapped files.
475 * Security modules must handle this separately if they need such 475 * Security modules must handle this separately if they need such
476 * revalidation. 476 * revalidation.
477 * @file contains the file structure being accessed. 477 * @file contains the file structure being accessed.
478 * @mask contains the requested permissions. 478 * @mask contains the requested permissions.
479 * Return 0 if permission is granted. 479 * Return 0 if permission is granted.
480 * @file_alloc_security: 480 * @file_alloc_security:
481 * Allocate and attach a security structure to the file->f_security field. 481 * Allocate and attach a security structure to the file->f_security field.
482 * The security field is initialized to NULL when the structure is first 482 * The security field is initialized to NULL when the structure is first
483 * created. 483 * created.
484 * @file contains the file structure to secure. 484 * @file contains the file structure to secure.
485 * Return 0 if the hook is successful and permission is granted. 485 * Return 0 if the hook is successful and permission is granted.
486 * @file_free_security: 486 * @file_free_security:
487 * Deallocate and free any security structures stored in file->f_security. 487 * Deallocate and free any security structures stored in file->f_security.
488 * @file contains the file structure being modified. 488 * @file contains the file structure being modified.
489 * @file_ioctl: 489 * @file_ioctl:
490 * @file contains the file structure. 490 * @file contains the file structure.
491 * @cmd contains the operation to perform. 491 * @cmd contains the operation to perform.
492 * @arg contains the operational arguments. 492 * @arg contains the operational arguments.
493 * Check permission for an ioctl operation on @file. Note that @arg can 493 * Check permission for an ioctl operation on @file. Note that @arg can
494 * sometimes represents a user space pointer; in other cases, it may be a 494 * sometimes represents a user space pointer; in other cases, it may be a
495 * simple integer value. When @arg represents a user space pointer, it 495 * simple integer value. When @arg represents a user space pointer, it
496 * should never be used by the security module. 496 * should never be used by the security module.
497 * Return 0 if permission is granted. 497 * Return 0 if permission is granted.
498 * @file_mmap : 498 * @file_mmap :
499 * Check permissions for a mmap operation. The @file may be NULL, e.g. 499 * Check permissions for a mmap operation. The @file may be NULL, e.g.
500 * if mapping anonymous memory. 500 * if mapping anonymous memory.
501 * @file contains the file structure for file to map (may be NULL). 501 * @file contains the file structure for file to map (may be NULL).
502 * @reqprot contains the protection requested by the application. 502 * @reqprot contains the protection requested by the application.
503 * @prot contains the protection that will be applied by the kernel. 503 * @prot contains the protection that will be applied by the kernel.
504 * @flags contains the operational flags. 504 * @flags contains the operational flags.
505 * Return 0 if permission is granted. 505 * Return 0 if permission is granted.
506 * @file_mprotect: 506 * @file_mprotect:
507 * Check permissions before changing memory access permissions. 507 * Check permissions before changing memory access permissions.
508 * @vma contains the memory region to modify. 508 * @vma contains the memory region to modify.
509 * @reqprot contains the protection requested by the application. 509 * @reqprot contains the protection requested by the application.
510 * @prot contains the protection that will be applied by the kernel. 510 * @prot contains the protection that will be applied by the kernel.
511 * Return 0 if permission is granted. 511 * Return 0 if permission is granted.
512 * @file_lock: 512 * @file_lock:
513 * Check permission before performing file locking operations. 513 * Check permission before performing file locking operations.
514 * Note: this hook mediates both flock and fcntl style locks. 514 * Note: this hook mediates both flock and fcntl style locks.
515 * @file contains the file structure. 515 * @file contains the file structure.
516 * @cmd contains the posix-translated lock operation to perform 516 * @cmd contains the posix-translated lock operation to perform
517 * (e.g. F_RDLCK, F_WRLCK). 517 * (e.g. F_RDLCK, F_WRLCK).
518 * Return 0 if permission is granted. 518 * Return 0 if permission is granted.
519 * @file_fcntl: 519 * @file_fcntl:
520 * Check permission before allowing the file operation specified by @cmd 520 * Check permission before allowing the file operation specified by @cmd
521 * from being performed on the file @file. Note that @arg can sometimes 521 * from being performed on the file @file. Note that @arg can sometimes
522 * represents a user space pointer; in other cases, it may be a simple 522 * represents a user space pointer; in other cases, it may be a simple
523 * integer value. When @arg represents a user space pointer, it should 523 * integer value. When @arg represents a user space pointer, it should
524 * never be used by the security module. 524 * never be used by the security module.
525 * @file contains the file structure. 525 * @file contains the file structure.
526 * @cmd contains the operation to be performed. 526 * @cmd contains the operation to be performed.
527 * @arg contains the operational arguments. 527 * @arg contains the operational arguments.
528 * Return 0 if permission is granted. 528 * Return 0 if permission is granted.
529 * @file_set_fowner: 529 * @file_set_fowner:
530 * Save owner security information (typically from current->security) in 530 * Save owner security information (typically from current->security) in
531 * file->f_security for later use by the send_sigiotask hook. 531 * file->f_security for later use by the send_sigiotask hook.
532 * @file contains the file structure to update. 532 * @file contains the file structure to update.
533 * Return 0 on success. 533 * Return 0 on success.
534 * @file_send_sigiotask: 534 * @file_send_sigiotask:
535 * Check permission for the file owner @fown to send SIGIO or SIGURG to the 535 * Check permission for the file owner @fown to send SIGIO or SIGURG to the
536 * process @tsk. Note that this hook is sometimes called from interrupt. 536 * process @tsk. Note that this hook is sometimes called from interrupt.
537 * Note that the fown_struct, @fown, is never outside the context of a 537 * Note that the fown_struct, @fown, is never outside the context of a
538 * struct file, so the file structure (and associated security information) 538 * struct file, so the file structure (and associated security information)
539 * can always be obtained: 539 * can always be obtained:
540 * container_of(fown, struct file, f_owner) 540 * container_of(fown, struct file, f_owner)
541 * @tsk contains the structure of task receiving signal. 541 * @tsk contains the structure of task receiving signal.
542 * @fown contains the file owner information. 542 * @fown contains the file owner information.
543 * @sig is the signal that will be sent. When 0, kernel sends SIGIO. 543 * @sig is the signal that will be sent. When 0, kernel sends SIGIO.
544 * Return 0 if permission is granted. 544 * Return 0 if permission is granted.
545 * @file_receive: 545 * @file_receive:
546 * This hook allows security modules to control the ability of a process 546 * This hook allows security modules to control the ability of a process
547 * to receive an open file descriptor via socket IPC. 547 * to receive an open file descriptor via socket IPC.
548 * @file contains the file structure being received. 548 * @file contains the file structure being received.
549 * Return 0 if permission is granted. 549 * Return 0 if permission is granted.
550 * 550 *
551 * Security hook for dentry 551 * Security hook for dentry
552 * 552 *
553 * @dentry_open 553 * @dentry_open
554 * Save open-time permission checking state for later use upon 554 * Save open-time permission checking state for later use upon
555 * file_permission, and recheck access if anything has changed 555 * file_permission, and recheck access if anything has changed
556 * since inode_permission. 556 * since inode_permission.
557 * 557 *
558 * Security hooks for task operations. 558 * Security hooks for task operations.
559 * 559 *
560 * @task_create: 560 * @task_create:
561 * Check permission before creating a child process. See the clone(2) 561 * Check permission before creating a child process. See the clone(2)
562 * manual page for definitions of the @clone_flags. 562 * manual page for definitions of the @clone_flags.
563 * @clone_flags contains the flags indicating what should be shared. 563 * @clone_flags contains the flags indicating what should be shared.
564 * Return 0 if permission is granted. 564 * Return 0 if permission is granted.
565 * @task_alloc_security: 565 * @task_alloc_security:
566 * @p contains the task_struct for child process. 566 * @p contains the task_struct for child process.
567 * Allocate and attach a security structure to the p->security field. The 567 * Allocate and attach a security structure to the p->security field. The
568 * security field is initialized to NULL when the task structure is 568 * security field is initialized to NULL when the task structure is
569 * allocated. 569 * allocated.
570 * Return 0 if operation was successful. 570 * Return 0 if operation was successful.
571 * @task_free_security: 571 * @task_free_security:
572 * @p contains the task_struct for process. 572 * @p contains the task_struct for process.
573 * Deallocate and clear the p->security field. 573 * Deallocate and clear the p->security field.
574 * @task_setuid: 574 * @task_setuid:
575 * Check permission before setting one or more of the user identity 575 * Check permission before setting one or more of the user identity
576 * attributes of the current process. The @flags parameter indicates 576 * attributes of the current process. The @flags parameter indicates
577 * which of the set*uid system calls invoked this hook and how to 577 * which of the set*uid system calls invoked this hook and how to
578 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 578 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID
579 * definitions at the beginning of this file for the @flags values and 579 * definitions at the beginning of this file for the @flags values and
580 * their meanings. 580 * their meanings.
581 * @id0 contains a uid. 581 * @id0 contains a uid.
582 * @id1 contains a uid. 582 * @id1 contains a uid.
583 * @id2 contains a uid. 583 * @id2 contains a uid.
584 * @flags contains one of the LSM_SETID_* values. 584 * @flags contains one of the LSM_SETID_* values.
585 * Return 0 if permission is granted. 585 * Return 0 if permission is granted.
586 * @task_post_setuid: 586 * @task_post_setuid:
587 * Update the module's state after setting one or more of the user 587 * Update the module's state after setting one or more of the user
588 * identity attributes of the current process. The @flags parameter 588 * identity attributes of the current process. The @flags parameter
589 * indicates which of the set*uid system calls invoked this hook. If 589 * indicates which of the set*uid system calls invoked this hook. If
590 * @flags is LSM_SETID_FS, then @old_ruid is the old fs uid and the other 590 * @flags is LSM_SETID_FS, then @old_ruid is the old fs uid and the other
591 * parameters are not used. 591 * parameters are not used.
592 * @old_ruid contains the old real uid (or fs uid if LSM_SETID_FS). 592 * @old_ruid contains the old real uid (or fs uid if LSM_SETID_FS).
593 * @old_euid contains the old effective uid (or -1 if LSM_SETID_FS). 593 * @old_euid contains the old effective uid (or -1 if LSM_SETID_FS).
594 * @old_suid contains the old saved uid (or -1 if LSM_SETID_FS). 594 * @old_suid contains the old saved uid (or -1 if LSM_SETID_FS).
595 * @flags contains one of the LSM_SETID_* values. 595 * @flags contains one of the LSM_SETID_* values.
596 * Return 0 on success. 596 * Return 0 on success.
597 * @task_setgid: 597 * @task_setgid:
598 * Check permission before setting one or more of the group identity 598 * Check permission before setting one or more of the group identity
599 * attributes of the current process. The @flags parameter indicates 599 * attributes of the current process. The @flags parameter indicates
600 * which of the set*gid system calls invoked this hook and how to 600 * which of the set*gid system calls invoked this hook and how to
601 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID 601 * interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID
602 * definitions at the beginning of this file for the @flags values and 602 * definitions at the beginning of this file for the @flags values and
603 * their meanings. 603 * their meanings.
604 * @id0 contains a gid. 604 * @id0 contains a gid.
605 * @id1 contains a gid. 605 * @id1 contains a gid.
606 * @id2 contains a gid. 606 * @id2 contains a gid.
607 * @flags contains one of the LSM_SETID_* values. 607 * @flags contains one of the LSM_SETID_* values.
608 * Return 0 if permission is granted. 608 * Return 0 if permission is granted.
609 * @task_setpgid: 609 * @task_setpgid:
610 * Check permission before setting the process group identifier of the 610 * Check permission before setting the process group identifier of the
611 * process @p to @pgid. 611 * process @p to @pgid.
612 * @p contains the task_struct for process being modified. 612 * @p contains the task_struct for process being modified.
613 * @pgid contains the new pgid. 613 * @pgid contains the new pgid.
614 * Return 0 if permission is granted. 614 * Return 0 if permission is granted.
615 * @task_getpgid: 615 * @task_getpgid:
616 * Check permission before getting the process group identifier of the 616 * Check permission before getting the process group identifier of the
617 * process @p. 617 * process @p.
618 * @p contains the task_struct for the process. 618 * @p contains the task_struct for the process.
619 * Return 0 if permission is granted. 619 * Return 0 if permission is granted.
620 * @task_getsid: 620 * @task_getsid:
621 * Check permission before getting the session identifier of the process 621 * Check permission before getting the session identifier of the process
622 * @p. 622 * @p.
623 * @p contains the task_struct for the process. 623 * @p contains the task_struct for the process.
624 * Return 0 if permission is granted. 624 * Return 0 if permission is granted.
625 * @task_getsecid: 625 * @task_getsecid:
626 * Retrieve the security identifier of the process @p. 626 * Retrieve the security identifier of the process @p.
627 * @p contains the task_struct for the process and place is into @secid. 627 * @p contains the task_struct for the process and place is into @secid.
628 * @task_setgroups: 628 * @task_setgroups:
629 * Check permission before setting the supplementary group set of the 629 * Check permission before setting the supplementary group set of the
630 * current process. 630 * current process.
631 * @group_info contains the new group information. 631 * @group_info contains the new group information.
632 * Return 0 if permission is granted. 632 * Return 0 if permission is granted.
633 * @task_setnice: 633 * @task_setnice:
634 * Check permission before setting the nice value of @p to @nice. 634 * Check permission before setting the nice value of @p to @nice.
635 * @p contains the task_struct of process. 635 * @p contains the task_struct of process.
636 * @nice contains the new nice value. 636 * @nice contains the new nice value.
637 * Return 0 if permission is granted. 637 * Return 0 if permission is granted.
638 * @task_setioprio 638 * @task_setioprio
639 * Check permission before setting the ioprio value of @p to @ioprio. 639 * Check permission before setting the ioprio value of @p to @ioprio.
640 * @p contains the task_struct of process. 640 * @p contains the task_struct of process.
641 * @ioprio contains the new ioprio value 641 * @ioprio contains the new ioprio value
642 * Return 0 if permission is granted. 642 * Return 0 if permission is granted.
643 * @task_getioprio 643 * @task_getioprio
644 * Check permission before getting the ioprio value of @p. 644 * Check permission before getting the ioprio value of @p.
645 * @p contains the task_struct of process. 645 * @p contains the task_struct of process.
646 * Return 0 if permission is granted. 646 * Return 0 if permission is granted.
647 * @task_setrlimit: 647 * @task_setrlimit:
648 * Check permission before setting the resource limits of the current 648 * Check permission before setting the resource limits of the current
649 * process for @resource to @new_rlim. The old resource limit values can 649 * process for @resource to @new_rlim. The old resource limit values can
650 * be examined by dereferencing (current->signal->rlim + resource). 650 * be examined by dereferencing (current->signal->rlim + resource).
651 * @resource contains the resource whose limit is being set. 651 * @resource contains the resource whose limit is being set.
652 * @new_rlim contains the new limits for @resource. 652 * @new_rlim contains the new limits for @resource.
653 * Return 0 if permission is granted. 653 * Return 0 if permission is granted.
654 * @task_setscheduler: 654 * @task_setscheduler:
655 * Check permission before setting scheduling policy and/or parameters of 655 * Check permission before setting scheduling policy and/or parameters of
656 * process @p based on @policy and @lp. 656 * process @p based on @policy and @lp.
657 * @p contains the task_struct for process. 657 * @p contains the task_struct for process.
658 * @policy contains the scheduling policy. 658 * @policy contains the scheduling policy.
659 * @lp contains the scheduling parameters. 659 * @lp contains the scheduling parameters.
660 * Return 0 if permission is granted. 660 * Return 0 if permission is granted.
661 * @task_getscheduler: 661 * @task_getscheduler:
662 * Check permission before obtaining scheduling information for process 662 * Check permission before obtaining scheduling information for process
663 * @p. 663 * @p.
664 * @p contains the task_struct for process. 664 * @p contains the task_struct for process.
665 * Return 0 if permission is granted. 665 * Return 0 if permission is granted.
666 * @task_movememory 666 * @task_movememory
667 * Check permission before moving memory owned by process @p. 667 * Check permission before moving memory owned by process @p.
668 * @p contains the task_struct for process. 668 * @p contains the task_struct for process.
669 * Return 0 if permission is granted. 669 * Return 0 if permission is granted.
670 * @task_kill: 670 * @task_kill:
671 * Check permission before sending signal @sig to @p. @info can be NULL, 671 * Check permission before sending signal @sig to @p. @info can be NULL,
672 * the constant 1, or a pointer to a siginfo structure. If @info is 1 or 672 * the constant 1, or a pointer to a siginfo structure. If @info is 1 or
673 * SI_FROMKERNEL(info) is true, then the signal should be viewed as coming 673 * SI_FROMKERNEL(info) is true, then the signal should be viewed as coming
674 * from the kernel and should typically be permitted. 674 * from the kernel and should typically be permitted.
675 * SIGIO signals are handled separately by the send_sigiotask hook in 675 * SIGIO signals are handled separately by the send_sigiotask hook in
676 * file_security_ops. 676 * file_security_ops.
677 * @p contains the task_struct for process. 677 * @p contains the task_struct for process.
678 * @info contains the signal information. 678 * @info contains the signal information.
679 * @sig contains the signal value. 679 * @sig contains the signal value.
680 * @secid contains the sid of the process where the signal originated 680 * @secid contains the sid of the process where the signal originated
681 * Return 0 if permission is granted. 681 * Return 0 if permission is granted.
682 * @task_wait: 682 * @task_wait:
683 * Check permission before allowing a process to reap a child process @p 683 * Check permission before allowing a process to reap a child process @p
684 * and collect its status information. 684 * and collect its status information.
685 * @p contains the task_struct for process. 685 * @p contains the task_struct for process.
686 * Return 0 if permission is granted. 686 * Return 0 if permission is granted.
687 * @task_prctl: 687 * @task_prctl:
688 * Check permission before performing a process control operation on the 688 * Check permission before performing a process control operation on the
689 * current process. 689 * current process.
690 * @option contains the operation. 690 * @option contains the operation.
691 * @arg2 contains a argument. 691 * @arg2 contains a argument.
692 * @arg3 contains a argument. 692 * @arg3 contains a argument.
693 * @arg4 contains a argument. 693 * @arg4 contains a argument.
694 * @arg5 contains a argument. 694 * @arg5 contains a argument.
695 * Return 0 if permission is granted. 695 * Return 0 if permission is granted.
696 * @task_reparent_to_init: 696 * @task_reparent_to_init:
697 * Set the security attributes in @p->security for a kernel thread that 697 * Set the security attributes in @p->security for a kernel thread that
698 * is being reparented to the init task. 698 * is being reparented to the init task.
699 * @p contains the task_struct for the kernel thread. 699 * @p contains the task_struct for the kernel thread.
700 * @task_to_inode: 700 * @task_to_inode:
701 * Set the security attributes for an inode based on an associated task's 701 * Set the security attributes for an inode based on an associated task's
702 * security attributes, e.g. for /proc/pid inodes. 702 * security attributes, e.g. for /proc/pid inodes.
703 * @p contains the task_struct for the task. 703 * @p contains the task_struct for the task.
704 * @inode contains the inode structure for the inode. 704 * @inode contains the inode structure for the inode.
705 * 705 *
706 * Security hooks for Netlink messaging. 706 * Security hooks for Netlink messaging.
707 * 707 *
708 * @netlink_send: 708 * @netlink_send:
709 * Save security information for a netlink message so that permission 709 * Save security information for a netlink message so that permission
710 * checking can be performed when the message is processed. The security 710 * checking can be performed when the message is processed. The security
711 * information can be saved using the eff_cap field of the 711 * information can be saved using the eff_cap field of the
712 * netlink_skb_parms structure. Also may be used to provide fine 712 * netlink_skb_parms structure. Also may be used to provide fine
713 * grained control over message transmission. 713 * grained control over message transmission.
714 * @sk associated sock of task sending the message., 714 * @sk associated sock of task sending the message.,
715 * @skb contains the sk_buff structure for the netlink message. 715 * @skb contains the sk_buff structure for the netlink message.
716 * Return 0 if the information was successfully saved and message 716 * Return 0 if the information was successfully saved and message
717 * is allowed to be transmitted. 717 * is allowed to be transmitted.
718 * @netlink_recv: 718 * @netlink_recv:
719 * Check permission before processing the received netlink message in 719 * Check permission before processing the received netlink message in
720 * @skb. 720 * @skb.
721 * @skb contains the sk_buff structure for the netlink message. 721 * @skb contains the sk_buff structure for the netlink message.
722 * @cap indicates the capability required 722 * @cap indicates the capability required
723 * Return 0 if permission is granted. 723 * Return 0 if permission is granted.
724 * 724 *
725 * Security hooks for Unix domain networking. 725 * Security hooks for Unix domain networking.
726 * 726 *
727 * @unix_stream_connect: 727 * @unix_stream_connect:
728 * Check permissions before establishing a Unix domain stream connection 728 * Check permissions before establishing a Unix domain stream connection
729 * between @sock and @other. 729 * between @sock and @other.
730 * @sock contains the socket structure. 730 * @sock contains the socket structure.
731 * @other contains the peer socket structure. 731 * @other contains the peer socket structure.
732 * Return 0 if permission is granted. 732 * Return 0 if permission is granted.
733 * @unix_may_send: 733 * @unix_may_send:
734 * Check permissions before connecting or sending datagrams from @sock to 734 * Check permissions before connecting or sending datagrams from @sock to
735 * @other. 735 * @other.
736 * @sock contains the socket structure. 736 * @sock contains the socket structure.
737 * @sock contains the peer socket structure. 737 * @sock contains the peer socket structure.
738 * Return 0 if permission is granted. 738 * Return 0 if permission is granted.
739 * 739 *
740 * The @unix_stream_connect and @unix_may_send hooks were necessary because 740 * The @unix_stream_connect and @unix_may_send hooks were necessary because
741 * Linux provides an alternative to the conventional file name space for Unix 741 * Linux provides an alternative to the conventional file name space for Unix
742 * domain sockets. Whereas binding and connecting to sockets in the file name 742 * domain sockets. Whereas binding and connecting to sockets in the file name
743 * space is mediated by the typical file permissions (and caught by the mknod 743 * space is mediated by the typical file permissions (and caught by the mknod
744 * and permission hooks in inode_security_ops), binding and connecting to 744 * and permission hooks in inode_security_ops), binding and connecting to
745 * sockets in the abstract name space is completely unmediated. Sufficient 745 * sockets in the abstract name space is completely unmediated. Sufficient
746 * control of Unix domain sockets in the abstract name space isn't possible 746 * control of Unix domain sockets in the abstract name space isn't possible
747 * using only the socket layer hooks, since we need to know the actual target 747 * using only the socket layer hooks, since we need to know the actual target
748 * socket, which is not looked up until we are inside the af_unix code. 748 * socket, which is not looked up until we are inside the af_unix code.
749 * 749 *
750 * Security hooks for socket operations. 750 * Security hooks for socket operations.
751 * 751 *
752 * @socket_create: 752 * @socket_create:
753 * Check permissions prior to creating a new socket. 753 * Check permissions prior to creating a new socket.
754 * @family contains the requested protocol family. 754 * @family contains the requested protocol family.
755 * @type contains the requested communications type. 755 * @type contains the requested communications type.
756 * @protocol contains the requested protocol. 756 * @protocol contains the requested protocol.
757 * @kern set to 1 if a kernel socket. 757 * @kern set to 1 if a kernel socket.
758 * Return 0 if permission is granted. 758 * Return 0 if permission is granted.
759 * @socket_post_create: 759 * @socket_post_create:
760 * This hook allows a module to update or allocate a per-socket security 760 * This hook allows a module to update or allocate a per-socket security
761 * structure. Note that the security field was not added directly to the 761 * structure. Note that the security field was not added directly to the
762 * socket structure, but rather, the socket security information is stored 762 * socket structure, but rather, the socket security information is stored
763 * in the associated inode. Typically, the inode alloc_security hook will 763 * in the associated inode. Typically, the inode alloc_security hook will
764 * allocate and and attach security information to 764 * allocate and and attach security information to
765 * sock->inode->i_security. This hook may be used to update the 765 * sock->inode->i_security. This hook may be used to update the
766 * sock->inode->i_security field with additional information that wasn't 766 * sock->inode->i_security field with additional information that wasn't
767 * available when the inode was allocated. 767 * available when the inode was allocated.
768 * @sock contains the newly created socket structure. 768 * @sock contains the newly created socket structure.
769 * @family contains the requested protocol family. 769 * @family contains the requested protocol family.
770 * @type contains the requested communications type. 770 * @type contains the requested communications type.
771 * @protocol contains the requested protocol. 771 * @protocol contains the requested protocol.
772 * @kern set to 1 if a kernel socket. 772 * @kern set to 1 if a kernel socket.
773 * @socket_bind: 773 * @socket_bind:
774 * Check permission before socket protocol layer bind operation is 774 * Check permission before socket protocol layer bind operation is
775 * performed and the socket @sock is bound to the address specified in the 775 * performed and the socket @sock is bound to the address specified in the
776 * @address parameter. 776 * @address parameter.
777 * @sock contains the socket structure. 777 * @sock contains the socket structure.
778 * @address contains the address to bind to. 778 * @address contains the address to bind to.
779 * @addrlen contains the length of address. 779 * @addrlen contains the length of address.
780 * Return 0 if permission is granted. 780 * Return 0 if permission is granted.
781 * @socket_connect: 781 * @socket_connect:
782 * Check permission before socket protocol layer connect operation 782 * Check permission before socket protocol layer connect operation
783 * attempts to connect socket @sock to a remote address, @address. 783 * attempts to connect socket @sock to a remote address, @address.
784 * @sock contains the socket structure. 784 * @sock contains the socket structure.
785 * @address contains the address of remote endpoint. 785 * @address contains the address of remote endpoint.
786 * @addrlen contains the length of address. 786 * @addrlen contains the length of address.
787 * Return 0 if permission is granted. 787 * Return 0 if permission is granted.
788 * @socket_listen: 788 * @socket_listen:
789 * Check permission before socket protocol layer listen operation. 789 * Check permission before socket protocol layer listen operation.
790 * @sock contains the socket structure. 790 * @sock contains the socket structure.
791 * @backlog contains the maximum length for the pending connection queue. 791 * @backlog contains the maximum length for the pending connection queue.
792 * Return 0 if permission is granted. 792 * Return 0 if permission is granted.
793 * @socket_accept: 793 * @socket_accept:
794 * Check permission before accepting a new connection. Note that the new 794 * Check permission before accepting a new connection. Note that the new
795 * socket, @newsock, has been created and some information copied to it, 795 * socket, @newsock, has been created and some information copied to it,
796 * but the accept operation has not actually been performed. 796 * but the accept operation has not actually been performed.
797 * @sock contains the listening socket structure. 797 * @sock contains the listening socket structure.
798 * @newsock contains the newly created server socket for connection. 798 * @newsock contains the newly created server socket for connection.
799 * Return 0 if permission is granted. 799 * Return 0 if permission is granted.
800 * @socket_post_accept: 800 * @socket_post_accept:
801 * This hook allows a security module to copy security 801 * This hook allows a security module to copy security
802 * information into the newly created socket's inode. 802 * information into the newly created socket's inode.
803 * @sock contains the listening socket structure. 803 * @sock contains the listening socket structure.
804 * @newsock contains the newly created server socket for connection. 804 * @newsock contains the newly created server socket for connection.
805 * @socket_sendmsg: 805 * @socket_sendmsg:
806 * Check permission before transmitting a message to another socket. 806 * Check permission before transmitting a message to another socket.
807 * @sock contains the socket structure. 807 * @sock contains the socket structure.
808 * @msg contains the message to be transmitted. 808 * @msg contains the message to be transmitted.
809 * @size contains the size of message. 809 * @size contains the size of message.
810 * Return 0 if permission is granted. 810 * Return 0 if permission is granted.
811 * @socket_recvmsg: 811 * @socket_recvmsg:
812 * Check permission before receiving a message from a socket. 812 * Check permission before receiving a message from a socket.
813 * @sock contains the socket structure. 813 * @sock contains the socket structure.
814 * @msg contains the message structure. 814 * @msg contains the message structure.
815 * @size contains the size of message structure. 815 * @size contains the size of message structure.
816 * @flags contains the operational flags. 816 * @flags contains the operational flags.
817 * Return 0 if permission is granted. 817 * Return 0 if permission is granted.
818 * @socket_getsockname: 818 * @socket_getsockname:
819 * Check permission before the local address (name) of the socket object 819 * Check permission before the local address (name) of the socket object
820 * @sock is retrieved. 820 * @sock is retrieved.
821 * @sock contains the socket structure. 821 * @sock contains the socket structure.
822 * Return 0 if permission is granted. 822 * Return 0 if permission is granted.
823 * @socket_getpeername: 823 * @socket_getpeername:
824 * Check permission before the remote address (name) of a socket object 824 * Check permission before the remote address (name) of a socket object
825 * @sock is retrieved. 825 * @sock is retrieved.
826 * @sock contains the socket structure. 826 * @sock contains the socket structure.
827 * Return 0 if permission is granted. 827 * Return 0 if permission is granted.
828 * @socket_getsockopt: 828 * @socket_getsockopt:
829 * Check permissions before retrieving the options associated with socket 829 * Check permissions before retrieving the options associated with socket
830 * @sock. 830 * @sock.
831 * @sock contains the socket structure. 831 * @sock contains the socket structure.
832 * @level contains the protocol level to retrieve option from. 832 * @level contains the protocol level to retrieve option from.
833 * @optname contains the name of option to retrieve. 833 * @optname contains the name of option to retrieve.
834 * Return 0 if permission is granted. 834 * Return 0 if permission is granted.
835 * @socket_setsockopt: 835 * @socket_setsockopt:
836 * Check permissions before setting the options associated with socket 836 * Check permissions before setting the options associated with socket
837 * @sock. 837 * @sock.
838 * @sock contains the socket structure. 838 * @sock contains the socket structure.
839 * @level contains the protocol level to set options for. 839 * @level contains the protocol level to set options for.
840 * @optname contains the name of the option to set. 840 * @optname contains the name of the option to set.
841 * Return 0 if permission is granted. 841 * Return 0 if permission is granted.
842 * @socket_shutdown: 842 * @socket_shutdown:
843 * Checks permission before all or part of a connection on the socket 843 * Checks permission before all or part of a connection on the socket
844 * @sock is shut down. 844 * @sock is shut down.
845 * @sock contains the socket structure. 845 * @sock contains the socket structure.
846 * @how contains the flag indicating how future sends and receives are handled. 846 * @how contains the flag indicating how future sends and receives are handled.
847 * Return 0 if permission is granted. 847 * Return 0 if permission is granted.
848 * @socket_sock_rcv_skb: 848 * @socket_sock_rcv_skb:
849 * Check permissions on incoming network packets. This hook is distinct 849 * Check permissions on incoming network packets. This hook is distinct
850 * from Netfilter's IP input hooks since it is the first time that the 850 * from Netfilter's IP input hooks since it is the first time that the
851 * incoming sk_buff @skb has been associated with a particular socket, @sk. 851 * incoming sk_buff @skb has been associated with a particular socket, @sk.
852 * @sk contains the sock (not socket) associated with the incoming sk_buff. 852 * @sk contains the sock (not socket) associated with the incoming sk_buff.
853 * @skb contains the incoming network data. 853 * @skb contains the incoming network data.
854 * @socket_getpeersec_stream: 854 * @socket_getpeersec_stream:
855 * This hook allows the security module to provide peer socket security 855 * This hook allows the security module to provide peer socket security
856 * state for unix or connected tcp sockets to userspace via getsockopt 856 * state for unix or connected tcp sockets to userspace via getsockopt
857 * SO_GETPEERSEC. For tcp sockets this can be meaningful if the 857 * SO_GETPEERSEC. For tcp sockets this can be meaningful if the
858 * socket is associated with an ipsec SA. 858 * socket is associated with an ipsec SA.
859 * @sock is the local socket. 859 * @sock is the local socket.
860 * @optval userspace memory where the security state is to be copied. 860 * @optval userspace memory where the security state is to be copied.
861 * @optlen userspace int where the module should copy the actual length 861 * @optlen userspace int where the module should copy the actual length
862 * of the security state. 862 * of the security state.
863 * @len as input is the maximum length to copy to userspace provided 863 * @len as input is the maximum length to copy to userspace provided
864 * by the caller. 864 * by the caller.
865 * Return 0 if all is well, otherwise, typical getsockopt return 865 * Return 0 if all is well, otherwise, typical getsockopt return
866 * values. 866 * values.
867 * @socket_getpeersec_dgram: 867 * @socket_getpeersec_dgram:
868 * This hook allows the security module to provide peer socket security 868 * This hook allows the security module to provide peer socket security
869 * state for udp sockets on a per-packet basis to userspace via 869 * state for udp sockets on a per-packet basis to userspace via
870 * getsockopt SO_GETPEERSEC. The application must first have indicated 870 * getsockopt SO_GETPEERSEC. The application must first have indicated
871 * the IP_PASSSEC option via getsockopt. It can then retrieve the 871 * the IP_PASSSEC option via getsockopt. It can then retrieve the
872 * security state returned by this hook for a packet via the SCM_SECURITY 872 * security state returned by this hook for a packet via the SCM_SECURITY
873 * ancillary message type. 873 * ancillary message type.
874 * @skb is the skbuff for the packet being queried 874 * @skb is the skbuff for the packet being queried
875 * @secdata is a pointer to a buffer in which to copy the security data 875 * @secdata is a pointer to a buffer in which to copy the security data
876 * @seclen is the maximum length for @secdata 876 * @seclen is the maximum length for @secdata
877 * Return 0 on success, error on failure. 877 * Return 0 on success, error on failure.
878 * @sk_alloc_security: 878 * @sk_alloc_security:
879 * Allocate and attach a security structure to the sk->sk_security field, 879 * Allocate and attach a security structure to the sk->sk_security field,
880 * which is used to copy security attributes between local stream sockets. 880 * which is used to copy security attributes between local stream sockets.
881 * @sk_free_security: 881 * @sk_free_security:
882 * Deallocate security structure. 882 * Deallocate security structure.
883 * @sk_clone_security: 883 * @sk_clone_security:
884 * Clone/copy security structure. 884 * Clone/copy security structure.
885 * @sk_getsecid: 885 * @sk_getsecid:
886 * Retrieve the LSM-specific secid for the sock to enable caching of network 886 * Retrieve the LSM-specific secid for the sock to enable caching of network
887 * authorizations. 887 * authorizations.
888 * @sock_graft: 888 * @sock_graft:
889 * Sets the socket's isec sid to the sock's sid. 889 * Sets the socket's isec sid to the sock's sid.
890 * @inet_conn_request: 890 * @inet_conn_request:
891 * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid. 891 * Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
892 * @inet_csk_clone: 892 * @inet_csk_clone:
893 * Sets the new child socket's sid to the openreq sid. 893 * Sets the new child socket's sid to the openreq sid.
894 * @inet_conn_established: 894 * @inet_conn_established:
895 * Sets the connection's peersid to the secmark on skb. 895 * Sets the connection's peersid to the secmark on skb.
896 * @req_classify_flow: 896 * @req_classify_flow:
897 * Sets the flow's sid to the openreq sid. 897 * Sets the flow's sid to the openreq sid.
898 * 898 *
899 * Security hooks for XFRM operations. 899 * Security hooks for XFRM operations.
900 * 900 *
901 * @xfrm_policy_alloc_security: 901 * @xfrm_policy_alloc_security:
902 * @xp contains the xfrm_policy being added to Security Policy Database 902 * @xp contains the xfrm_policy being added to Security Policy Database
903 * used by the XFRM system. 903 * used by the XFRM system.
904 * @sec_ctx contains the security context information being provided by 904 * @sec_ctx contains the security context information being provided by
905 * the user-level policy update program (e.g., setkey). 905 * the user-level policy update program (e.g., setkey).
906 * Allocate a security structure to the xp->security field; the security 906 * Allocate a security structure to the xp->security field; the security
907 * field is initialized to NULL when the xfrm_policy is allocated. 907 * field is initialized to NULL when the xfrm_policy is allocated.
908 * Return 0 if operation was successful (memory to allocate, legal context) 908 * Return 0 if operation was successful (memory to allocate, legal context)
909 * @xfrm_policy_clone_security: 909 * @xfrm_policy_clone_security:
910 * @old contains an existing xfrm_policy in the SPD. 910 * @old contains an existing xfrm_policy in the SPD.
911 * @new contains a new xfrm_policy being cloned from old. 911 * @new contains a new xfrm_policy being cloned from old.
912 * Allocate a security structure to the new->security field 912 * Allocate a security structure to the new->security field
913 * that contains the information from the old->security field. 913 * that contains the information from the old->security field.
914 * Return 0 if operation was successful (memory to allocate). 914 * Return 0 if operation was successful (memory to allocate).
915 * @xfrm_policy_free_security: 915 * @xfrm_policy_free_security:
916 * @xp contains the xfrm_policy 916 * @xp contains the xfrm_policy
917 * Deallocate xp->security. 917 * Deallocate xp->security.
918 * @xfrm_policy_delete_security: 918 * @xfrm_policy_delete_security:
919 * @xp contains the xfrm_policy. 919 * @xp contains the xfrm_policy.
920 * Authorize deletion of xp->security. 920 * Authorize deletion of xp->security.
921 * @xfrm_state_alloc_security: 921 * @xfrm_state_alloc_security:
922 * @x contains the xfrm_state being added to the Security Association 922 * @x contains the xfrm_state being added to the Security Association
923 * Database by the XFRM system. 923 * Database by the XFRM system.
924 * @sec_ctx contains the security context information being provided by 924 * @sec_ctx contains the security context information being provided by
925 * the user-level SA generation program (e.g., setkey or racoon). 925 * the user-level SA generation program (e.g., setkey or racoon).
926 * @secid contains the secid from which to take the mls portion of the context. 926 * @secid contains the secid from which to take the mls portion of the context.
927 * Allocate a security structure to the x->security field; the security 927 * Allocate a security structure to the x->security field; the security
928 * field is initialized to NULL when the xfrm_state is allocated. Set the 928 * field is initialized to NULL when the xfrm_state is allocated. Set the
929 * context to correspond to either sec_ctx or polsec, with the mls portion 929 * context to correspond to either sec_ctx or polsec, with the mls portion
930 * taken from secid in the latter case. 930 * taken from secid in the latter case.
931 * Return 0 if operation was successful (memory to allocate, legal context). 931 * Return 0 if operation was successful (memory to allocate, legal context).
932 * @xfrm_state_free_security: 932 * @xfrm_state_free_security:
933 * @x contains the xfrm_state. 933 * @x contains the xfrm_state.
934 * Deallocate x->security. 934 * Deallocate x->security.
935 * @xfrm_state_delete_security: 935 * @xfrm_state_delete_security:
936 * @x contains the xfrm_state. 936 * @x contains the xfrm_state.
937 * Authorize deletion of x->security. 937 * Authorize deletion of x->security.
938 * @xfrm_policy_lookup: 938 * @xfrm_policy_lookup:
939 * @xp contains the xfrm_policy for which the access control is being 939 * @xp contains the xfrm_policy for which the access control is being
940 * checked. 940 * checked.
941 * @fl_secid contains the flow security label that is used to authorize 941 * @fl_secid contains the flow security label that is used to authorize
942 * access to the policy xp. 942 * access to the policy xp.
943 * @dir contains the direction of the flow (input or output). 943 * @dir contains the direction of the flow (input or output).
944 * Check permission when a flow selects a xfrm_policy for processing 944 * Check permission when a flow selects a xfrm_policy for processing
945 * XFRMs on a packet. The hook is called when selecting either a 945 * XFRMs on a packet. The hook is called when selecting either a
946 * per-socket policy or a generic xfrm policy. 946 * per-socket policy or a generic xfrm policy.
947 * Return 0 if permission is granted, -ESRCH otherwise, or -errno 947 * Return 0 if permission is granted, -ESRCH otherwise, or -errno
948 * on other errors. 948 * on other errors.
949 * @xfrm_state_pol_flow_match: 949 * @xfrm_state_pol_flow_match:
950 * @x contains the state to match. 950 * @x contains the state to match.
951 * @xp contains the policy to check for a match. 951 * @xp contains the policy to check for a match.
952 * @fl contains the flow to check for a match. 952 * @fl contains the flow to check for a match.
953 * Return 1 if there is a match. 953 * Return 1 if there is a match.
954 * @xfrm_decode_session: 954 * @xfrm_decode_session:
955 * @skb points to skb to decode. 955 * @skb points to skb to decode.
956 * @secid points to the flow key secid to set. 956 * @secid points to the flow key secid to set.
957 * @ckall says if all xfrms used should be checked for same secid. 957 * @ckall says if all xfrms used should be checked for same secid.
958 * Return 0 if ckall is zero or all xfrms used have the same secid. 958 * Return 0 if ckall is zero or all xfrms used have the same secid.
959 * 959 *
960 * Security hooks affecting all Key Management operations 960 * Security hooks affecting all Key Management operations
961 * 961 *
962 * @key_alloc: 962 * @key_alloc:
963 * Permit allocation of a key and assign security data. Note that key does 963 * Permit allocation of a key and assign security data. Note that key does
964 * not have a serial number assigned at this point. 964 * not have a serial number assigned at this point.
965 * @key points to the key. 965 * @key points to the key.
966 * @flags is the allocation flags 966 * @flags is the allocation flags
967 * Return 0 if permission is granted, -ve error otherwise. 967 * Return 0 if permission is granted, -ve error otherwise.
968 * @key_free: 968 * @key_free:
969 * Notification of destruction; free security data. 969 * Notification of destruction; free security data.
970 * @key points to the key. 970 * @key points to the key.
971 * No return value. 971 * No return value.
972 * @key_permission: 972 * @key_permission:
973 * See whether a specific operational right is granted to a process on a 973 * See whether a specific operational right is granted to a process on a
974 * key. 974 * key.
975 * @key_ref refers to the key (key pointer + possession attribute bit). 975 * @key_ref refers to the key (key pointer + possession attribute bit).
976 * @context points to the process to provide the context against which to 976 * @context points to the process to provide the context against which to
977 * evaluate the security data on the key. 977 * evaluate the security data on the key.
978 * @perm describes the combination of permissions required of this key. 978 * @perm describes the combination of permissions required of this key.
979 * Return 1 if permission granted, 0 if permission denied and -ve it the 979 * Return 1 if permission granted, 0 if permission denied and -ve it the
980 * normal permissions model should be effected. 980 * normal permissions model should be effected.
981 * 981 *
982 * Security hooks affecting all System V IPC operations. 982 * Security hooks affecting all System V IPC operations.
983 * 983 *
984 * @ipc_permission: 984 * @ipc_permission:
985 * Check permissions for access to IPC 985 * Check permissions for access to IPC
986 * @ipcp contains the kernel IPC permission structure 986 * @ipcp contains the kernel IPC permission structure
987 * @flag contains the desired (requested) permission set 987 * @flag contains the desired (requested) permission set
988 * Return 0 if permission is granted. 988 * Return 0 if permission is granted.
989 * 989 *
990 * Security hooks for individual messages held in System V IPC message queues 990 * Security hooks for individual messages held in System V IPC message queues
991 * @msg_msg_alloc_security: 991 * @msg_msg_alloc_security:
992 * Allocate and attach a security structure to the msg->security field. 992 * Allocate and attach a security structure to the msg->security field.
993 * The security field is initialized to NULL when the structure is first 993 * The security field is initialized to NULL when the structure is first
994 * created. 994 * created.
995 * @msg contains the message structure to be modified. 995 * @msg contains the message structure to be modified.
996 * Return 0 if operation was successful and permission is granted. 996 * Return 0 if operation was successful and permission is granted.
997 * @msg_msg_free_security: 997 * @msg_msg_free_security:
998 * Deallocate the security structure for this message. 998 * Deallocate the security structure for this message.
999 * @msg contains the message structure to be modified. 999 * @msg contains the message structure to be modified.
1000 * 1000 *
1001 * Security hooks for System V IPC Message Queues 1001 * Security hooks for System V IPC Message Queues
1002 * 1002 *
1003 * @msg_queue_alloc_security: 1003 * @msg_queue_alloc_security:
1004 * Allocate and attach a security structure to the 1004 * Allocate and attach a security structure to the
1005 * msq->q_perm.security field. The security field is initialized to 1005 * msq->q_perm.security field. The security field is initialized to
1006 * NULL when the structure is first created. 1006 * NULL when the structure is first created.
1007 * @msq contains the message queue structure to be modified. 1007 * @msq contains the message queue structure to be modified.
1008 * Return 0 if operation was successful and permission is granted. 1008 * Return 0 if operation was successful and permission is granted.
1009 * @msg_queue_free_security: 1009 * @msg_queue_free_security:
1010 * Deallocate security structure for this message queue. 1010 * Deallocate security structure for this message queue.
1011 * @msq contains the message queue structure to be modified. 1011 * @msq contains the message queue structure to be modified.
1012 * @msg_queue_associate: 1012 * @msg_queue_associate:
1013 * Check permission when a message queue is requested through the 1013 * Check permission when a message queue is requested through the
1014 * msgget system call. This hook is only called when returning the 1014 * msgget system call. This hook is only called when returning the
1015 * message queue identifier for an existing message queue, not when a 1015 * message queue identifier for an existing message queue, not when a
1016 * new message queue is created. 1016 * new message queue is created.
1017 * @msq contains the message queue to act upon. 1017 * @msq contains the message queue to act upon.
1018 * @msqflg contains the operation control flags. 1018 * @msqflg contains the operation control flags.
1019 * Return 0 if permission is granted. 1019 * Return 0 if permission is granted.
1020 * @msg_queue_msgctl: 1020 * @msg_queue_msgctl:
1021 * Check permission when a message control operation specified by @cmd 1021 * Check permission when a message control operation specified by @cmd
1022 * is to be performed on the message queue @msq. 1022 * is to be performed on the message queue @msq.
1023 * The @msq may be NULL, e.g. for IPC_INFO or MSG_INFO. 1023 * The @msq may be NULL, e.g. for IPC_INFO or MSG_INFO.
1024 * @msq contains the message queue to act upon. May be NULL. 1024 * @msq contains the message queue to act upon. May be NULL.
1025 * @cmd contains the operation to be performed. 1025 * @cmd contains the operation to be performed.
1026 * Return 0 if permission is granted. 1026 * Return 0 if permission is granted.
1027 * @msg_queue_msgsnd: 1027 * @msg_queue_msgsnd:
1028 * Check permission before a message, @msg, is enqueued on the message 1028 * Check permission before a message, @msg, is enqueued on the message
1029 * queue, @msq. 1029 * queue, @msq.
1030 * @msq contains the message queue to send message to. 1030 * @msq contains the message queue to send message to.
1031 * @msg contains the message to be enqueued. 1031 * @msg contains the message to be enqueued.
1032 * @msqflg contains operational flags. 1032 * @msqflg contains operational flags.
1033 * Return 0 if permission is granted. 1033 * Return 0 if permission is granted.
1034 * @msg_queue_msgrcv: 1034 * @msg_queue_msgrcv:
1035 * Check permission before a message, @msg, is removed from the message 1035 * Check permission before a message, @msg, is removed from the message
1036 * queue, @msq. The @target task structure contains a pointer to the 1036 * queue, @msq. The @target task structure contains a pointer to the
1037 * process that will be receiving the message (not equal to the current 1037 * process that will be receiving the message (not equal to the current
1038 * process when inline receives are being performed). 1038 * process when inline receives are being performed).
1039 * @msq contains the message queue to retrieve message from. 1039 * @msq contains the message queue to retrieve message from.
1040 * @msg contains the message destination. 1040 * @msg contains the message destination.
1041 * @target contains the task structure for recipient process. 1041 * @target contains the task structure for recipient process.
1042 * @type contains the type of message requested. 1042 * @type contains the type of message requested.
1043 * @mode contains the operational flags. 1043 * @mode contains the operational flags.
1044 * Return 0 if permission is granted. 1044 * Return 0 if permission is granted.
1045 * 1045 *
1046 * Security hooks for System V Shared Memory Segments 1046 * Security hooks for System V Shared Memory Segments
1047 * 1047 *
1048 * @shm_alloc_security: 1048 * @shm_alloc_security:
1049 * Allocate and attach a security structure to the shp->shm_perm.security 1049 * Allocate and attach a security structure to the shp->shm_perm.security
1050 * field. The security field is initialized to NULL when the structure is 1050 * field. The security field is initialized to NULL when the structure is
1051 * first created. 1051 * first created.
1052 * @shp contains the shared memory structure to be modified. 1052 * @shp contains the shared memory structure to be modified.
1053 * Return 0 if operation was successful and permission is granted. 1053 * Return 0 if operation was successful and permission is granted.
1054 * @shm_free_security: 1054 * @shm_free_security:
1055 * Deallocate the security struct for this memory segment. 1055 * Deallocate the security struct for this memory segment.
1056 * @shp contains the shared memory structure to be modified. 1056 * @shp contains the shared memory structure to be modified.
1057 * @shm_associate: 1057 * @shm_associate:
1058 * Check permission when a shared memory region is requested through the 1058 * Check permission when a shared memory region is requested through the
1059 * shmget system call. This hook is only called when returning the shared 1059 * shmget system call. This hook is only called when returning the shared
1060 * memory region identifier for an existing region, not when a new shared 1060 * memory region identifier for an existing region, not when a new shared
1061 * memory region is created. 1061 * memory region is created.
1062 * @shp contains the shared memory structure to be modified. 1062 * @shp contains the shared memory structure to be modified.
1063 * @shmflg contains the operation control flags. 1063 * @shmflg contains the operation control flags.
1064 * Return 0 if permission is granted. 1064 * Return 0 if permission is granted.
1065 * @shm_shmctl: 1065 * @shm_shmctl:
1066 * Check permission when a shared memory control operation specified by 1066 * Check permission when a shared memory control operation specified by
1067 * @cmd is to be performed on the shared memory region @shp. 1067 * @cmd is to be performed on the shared memory region @shp.
1068 * The @shp may be NULL, e.g. for IPC_INFO or SHM_INFO. 1068 * The @shp may be NULL, e.g. for IPC_INFO or SHM_INFO.
1069 * @shp contains shared memory structure to be modified. 1069 * @shp contains shared memory structure to be modified.
1070 * @cmd contains the operation to be performed. 1070 * @cmd contains the operation to be performed.
1071 * Return 0 if permission is granted. 1071 * Return 0 if permission is granted.
1072 * @shm_shmat: 1072 * @shm_shmat:
1073 * Check permissions prior to allowing the shmat system call to attach the 1073 * Check permissions prior to allowing the shmat system call to attach the
1074 * shared memory segment @shp to the data segment of the calling process. 1074 * shared memory segment @shp to the data segment of the calling process.
1075 * The attaching address is specified by @shmaddr. 1075 * The attaching address is specified by @shmaddr.
1076 * @shp contains the shared memory structure to be modified. 1076 * @shp contains the shared memory structure to be modified.
1077 * @shmaddr contains the address to attach memory region to. 1077 * @shmaddr contains the address to attach memory region to.
1078 * @shmflg contains the operational flags. 1078 * @shmflg contains the operational flags.
1079 * Return 0 if permission is granted. 1079 * Return 0 if permission is granted.
1080 * 1080 *
1081 * Security hooks for System V Semaphores 1081 * Security hooks for System V Semaphores
1082 * 1082 *
1083 * @sem_alloc_security: 1083 * @sem_alloc_security:
1084 * Allocate and attach a security structure to the sma->sem_perm.security 1084 * Allocate and attach a security structure to the sma->sem_perm.security
1085 * field. The security field is initialized to NULL when the structure is 1085 * field. The security field is initialized to NULL when the structure is
1086 * first created. 1086 * first created.
1087 * @sma contains the semaphore structure 1087 * @sma contains the semaphore structure
1088 * Return 0 if operation was successful and permission is granted. 1088 * Return 0 if operation was successful and permission is granted.
1089 * @sem_free_security: 1089 * @sem_free_security:
1090 * deallocate security struct for this semaphore 1090 * deallocate security struct for this semaphore
1091 * @sma contains the semaphore structure. 1091 * @sma contains the semaphore structure.
1092 * @sem_associate: 1092 * @sem_associate:
1093 * Check permission when a semaphore is requested through the semget 1093 * Check permission when a semaphore is requested through the semget
1094 * system call. This hook is only called when returning the semaphore 1094 * system call. This hook is only called when returning the semaphore
1095 * identifier for an existing semaphore, not when a new one must be 1095 * identifier for an existing semaphore, not when a new one must be
1096 * created. 1096 * created.
1097 * @sma contains the semaphore structure. 1097 * @sma contains the semaphore structure.
1098 * @semflg contains the operation control flags. 1098 * @semflg contains the operation control flags.
1099 * Return 0 if permission is granted. 1099 * Return 0 if permission is granted.
1100 * @sem_semctl: 1100 * @sem_semctl:
1101 * Check permission when a semaphore operation specified by @cmd is to be 1101 * Check permission when a semaphore operation specified by @cmd is to be
1102 * performed on the semaphore @sma. The @sma may be NULL, e.g. for 1102 * performed on the semaphore @sma. The @sma may be NULL, e.g. for
1103 * IPC_INFO or SEM_INFO. 1103 * IPC_INFO or SEM_INFO.
1104 * @sma contains the semaphore structure. May be NULL. 1104 * @sma contains the semaphore structure. May be NULL.
1105 * @cmd contains the operation to be performed. 1105 * @cmd contains the operation to be performed.
1106 * Return 0 if permission is granted. 1106 * Return 0 if permission is granted.
1107 * @sem_semop 1107 * @sem_semop
1108 * Check permissions before performing operations on members of the 1108 * Check permissions before performing operations on members of the
1109 * semaphore set @sma. If the @alter flag is nonzero, the semaphore set 1109 * semaphore set @sma. If the @alter flag is nonzero, the semaphore set
1110 * may be modified. 1110 * may be modified.
1111 * @sma contains the semaphore structure. 1111 * @sma contains the semaphore structure.
1112 * @sops contains the operations to perform. 1112 * @sops contains the operations to perform.
1113 * @nsops contains the number of operations to perform. 1113 * @nsops contains the number of operations to perform.
1114 * @alter contains the flag indicating whether changes are to be made. 1114 * @alter contains the flag indicating whether changes are to be made.
1115 * Return 0 if permission is granted. 1115 * Return 0 if permission is granted.
1116 * 1116 *
1117 * @ptrace: 1117 * @ptrace:
1118 * Check permission before allowing the @parent process to trace the 1118 * Check permission before allowing the @parent process to trace the
1119 * @child process. 1119 * @child process.
1120 * Security modules may also want to perform a process tracing check 1120 * Security modules may also want to perform a process tracing check
1121 * during an execve in the set_security or apply_creds hooks of 1121 * during an execve in the set_security or apply_creds hooks of
1122 * binprm_security_ops if the process is being traced and its security 1122 * binprm_security_ops if the process is being traced and its security
1123 * attributes would be changed by the execve. 1123 * attributes would be changed by the execve.
1124 * @parent contains the task_struct structure for parent process. 1124 * @parent contains the task_struct structure for parent process.
1125 * @child contains the task_struct structure for child process. 1125 * @child contains the task_struct structure for child process.
1126 * Return 0 if permission is granted. 1126 * Return 0 if permission is granted.
1127 * @capget: 1127 * @capget:
1128 * Get the @effective, @inheritable, and @permitted capability sets for 1128 * Get the @effective, @inheritable, and @permitted capability sets for
1129 * the @target process. The hook may also perform permission checking to 1129 * the @target process. The hook may also perform permission checking to
1130 * determine if the current process is allowed to see the capability sets 1130 * determine if the current process is allowed to see the capability sets
1131 * of the @target process. 1131 * of the @target process.
1132 * @target contains the task_struct structure for target process. 1132 * @target contains the task_struct structure for target process.
1133 * @effective contains the effective capability set. 1133 * @effective contains the effective capability set.
1134 * @inheritable contains the inheritable capability set. 1134 * @inheritable contains the inheritable capability set.
1135 * @permitted contains the permitted capability set. 1135 * @permitted contains the permitted capability set.
1136 * Return 0 if the capability sets were successfully obtained. 1136 * Return 0 if the capability sets were successfully obtained.
1137 * @capset_check: 1137 * @capset_check:
1138 * Check permission before setting the @effective, @inheritable, and 1138 * Check permission before setting the @effective, @inheritable, and
1139 * @permitted capability sets for the @target process. 1139 * @permitted capability sets for the @target process.
1140 * Caveat: @target is also set to current if a set of processes is 1140 * Caveat: @target is also set to current if a set of processes is
1141 * specified (i.e. all processes other than current and init or a 1141 * specified (i.e. all processes other than current and init or a
1142 * particular process group). Hence, the capset_set hook may need to 1142 * particular process group). Hence, the capset_set hook may need to
1143 * revalidate permission to the actual target process. 1143 * revalidate permission to the actual target process.
1144 * @target contains the task_struct structure for target process. 1144 * @target contains the task_struct structure for target process.
1145 * @effective contains the effective capability set. 1145 * @effective contains the effective capability set.
1146 * @inheritable contains the inheritable capability set. 1146 * @inheritable contains the inheritable capability set.
1147 * @permitted contains the permitted capability set. 1147 * @permitted contains the permitted capability set.
1148 * Return 0 if permission is granted. 1148 * Return 0 if permission is granted.
1149 * @capset_set: 1149 * @capset_set:
1150 * Set the @effective, @inheritable, and @permitted capability sets for 1150 * Set the @effective, @inheritable, and @permitted capability sets for
1151 * the @target process. Since capset_check cannot always check permission 1151 * the @target process. Since capset_check cannot always check permission
1152 * to the real @target process, this hook may also perform permission 1152 * to the real @target process, this hook may also perform permission
1153 * checking to determine if the current process is allowed to set the 1153 * checking to determine if the current process is allowed to set the
1154 * capability sets of the @target process. However, this hook has no way 1154 * capability sets of the @target process. However, this hook has no way
1155 * of returning an error due to the structure of the sys_capset code. 1155 * of returning an error due to the structure of the sys_capset code.
1156 * @target contains the task_struct structure for target process. 1156 * @target contains the task_struct structure for target process.
1157 * @effective contains the effective capability set. 1157 * @effective contains the effective capability set.
1158 * @inheritable contains the inheritable capability set. 1158 * @inheritable contains the inheritable capability set.
1159 * @permitted contains the permitted capability set. 1159 * @permitted contains the permitted capability set.
1160 * @capable: 1160 * @capable:
1161 * Check whether the @tsk process has the @cap capability. 1161 * Check whether the @tsk process has the @cap capability.
1162 * @tsk contains the task_struct for the process. 1162 * @tsk contains the task_struct for the process.
1163 * @cap contains the capability <include/linux/capability.h>. 1163 * @cap contains the capability <include/linux/capability.h>.
1164 * Return 0 if the capability is granted for @tsk. 1164 * Return 0 if the capability is granted for @tsk.
1165 * @acct: 1165 * @acct:
1166 * Check permission before enabling or disabling process accounting. If 1166 * Check permission before enabling or disabling process accounting. If
1167 * accounting is being enabled, then @file refers to the open file used to 1167 * accounting is being enabled, then @file refers to the open file used to
1168 * store accounting records. If accounting is being disabled, then @file 1168 * store accounting records. If accounting is being disabled, then @file
1169 * is NULL. 1169 * is NULL.
1170 * @file contains the file structure for the accounting file (may be NULL). 1170 * @file contains the file structure for the accounting file (may be NULL).
1171 * Return 0 if permission is granted. 1171 * Return 0 if permission is granted.
1172 * @sysctl: 1172 * @sysctl:
1173 * Check permission before accessing the @table sysctl variable in the 1173 * Check permission before accessing the @table sysctl variable in the
1174 * manner specified by @op. 1174 * manner specified by @op.
1175 * @table contains the ctl_table structure for the sysctl variable. 1175 * @table contains the ctl_table structure for the sysctl variable.
1176 * @op contains the operation (001 = search, 002 = write, 004 = read). 1176 * @op contains the operation (001 = search, 002 = write, 004 = read).
1177 * Return 0 if permission is granted. 1177 * Return 0 if permission is granted.
1178 * @syslog: 1178 * @syslog:
1179 * Check permission before accessing the kernel message ring or changing 1179 * Check permission before accessing the kernel message ring or changing
1180 * logging to the console. 1180 * logging to the console.
1181 * See the syslog(2) manual page for an explanation of the @type values. 1181 * See the syslog(2) manual page for an explanation of the @type values.
1182 * @type contains the type of action. 1182 * @type contains the type of action.
1183 * Return 0 if permission is granted. 1183 * Return 0 if permission is granted.
1184 * @settime: 1184 * @settime:
1185 * Check permission to change the system time. 1185 * Check permission to change the system time.
1186 * struct timespec and timezone are defined in include/linux/time.h 1186 * struct timespec and timezone are defined in include/linux/time.h
1187 * @ts contains new time 1187 * @ts contains new time
1188 * @tz contains new timezone 1188 * @tz contains new timezone
1189 * Return 0 if permission is granted. 1189 * Return 0 if permission is granted.
1190 * @vm_enough_memory: 1190 * @vm_enough_memory:
1191 * Check permissions for allocating a new virtual mapping. 1191 * Check permissions for allocating a new virtual mapping.
1192 * @mm contains the mm struct it is being added to. 1192 * @mm contains the mm struct it is being added to.
1193 * @pages contains the number of pages. 1193 * @pages contains the number of pages.
1194 * Return 0 if permission is granted. 1194 * Return 0 if permission is granted.
1195 * 1195 *
1196 * @register_security: 1196 * @register_security:
1197 * allow module stacking. 1197 * allow module stacking.
1198 * @name contains the name of the security module being stacked. 1198 * @name contains the name of the security module being stacked.
1199 * @ops contains a pointer to the struct security_operations of the module to stack. 1199 * @ops contains a pointer to the struct security_operations of the module to stack.
1200 * 1200 *
1201 * @secid_to_secctx: 1201 * @secid_to_secctx:
1202 * Convert secid to security context. 1202 * Convert secid to security context.
1203 * @secid contains the security ID. 1203 * @secid contains the security ID.
1204 * @secdata contains the pointer that stores the converted security context. 1204 * @secdata contains the pointer that stores the converted security context.
1205 * @secctx_to_secid: 1205 * @secctx_to_secid:
1206 * Convert security context to secid. 1206 * Convert security context to secid.
1207 * @secid contains the pointer to the generated security ID. 1207 * @secid contains the pointer to the generated security ID.
1208 * @secdata contains the security context. 1208 * @secdata contains the security context.
1209 * 1209 *
1210 * @release_secctx: 1210 * @release_secctx:
1211 * Release the security context. 1211 * Release the security context.
1212 * @secdata contains the security context. 1212 * @secdata contains the security context.
1213 * @seclen contains the length of the security context. 1213 * @seclen contains the length of the security context.
1214 * 1214 *
1215 * This is the main security structure. 1215 * This is the main security structure.
1216 */ 1216 */
1217 struct security_operations { 1217 struct security_operations {
1218 int (*ptrace) (struct task_struct * parent, struct task_struct * child); 1218 int (*ptrace) (struct task_struct * parent, struct task_struct * child);
1219 int (*capget) (struct task_struct * target, 1219 int (*capget) (struct task_struct * target,
1220 kernel_cap_t * effective, 1220 kernel_cap_t * effective,
1221 kernel_cap_t * inheritable, kernel_cap_t * permitted); 1221 kernel_cap_t * inheritable, kernel_cap_t * permitted);
1222 int (*capset_check) (struct task_struct * target, 1222 int (*capset_check) (struct task_struct * target,
1223 kernel_cap_t * effective, 1223 kernel_cap_t * effective,
1224 kernel_cap_t * inheritable, 1224 kernel_cap_t * inheritable,
1225 kernel_cap_t * permitted); 1225 kernel_cap_t * permitted);
1226 void (*capset_set) (struct task_struct * target, 1226 void (*capset_set) (struct task_struct * target,
1227 kernel_cap_t * effective, 1227 kernel_cap_t * effective,
1228 kernel_cap_t * inheritable, 1228 kernel_cap_t * inheritable,
1229 kernel_cap_t * permitted); 1229 kernel_cap_t * permitted);
1230 int (*capable) (struct task_struct * tsk, int cap); 1230 int (*capable) (struct task_struct * tsk, int cap);
1231 int (*acct) (struct file * file); 1231 int (*acct) (struct file * file);
1232 int (*sysctl) (struct ctl_table * table, int op); 1232 int (*sysctl) (struct ctl_table * table, int op);
1233 int (*quotactl) (int cmds, int type, int id, struct super_block * sb); 1233 int (*quotactl) (int cmds, int type, int id, struct super_block * sb);
1234 int (*quota_on) (struct dentry * dentry); 1234 int (*quota_on) (struct dentry * dentry);
1235 int (*syslog) (int type); 1235 int (*syslog) (int type);
1236 int (*settime) (struct timespec *ts, struct timezone *tz); 1236 int (*settime) (struct timespec *ts, struct timezone *tz);
1237 int (*vm_enough_memory) (struct mm_struct *mm, long pages); 1237 int (*vm_enough_memory) (struct mm_struct *mm, long pages);
1238 1238
1239 int (*bprm_alloc_security) (struct linux_binprm * bprm); 1239 int (*bprm_alloc_security) (struct linux_binprm * bprm);
1240 void (*bprm_free_security) (struct linux_binprm * bprm); 1240 void (*bprm_free_security) (struct linux_binprm * bprm);
1241 void (*bprm_apply_creds) (struct linux_binprm * bprm, int unsafe); 1241 void (*bprm_apply_creds) (struct linux_binprm * bprm, int unsafe);
1242 void (*bprm_post_apply_creds) (struct linux_binprm * bprm); 1242 void (*bprm_post_apply_creds) (struct linux_binprm * bprm);
1243 int (*bprm_set_security) (struct linux_binprm * bprm); 1243 int (*bprm_set_security) (struct linux_binprm * bprm);
1244 int (*bprm_check_security) (struct linux_binprm * bprm); 1244 int (*bprm_check_security) (struct linux_binprm * bprm);
1245 int (*bprm_secureexec) (struct linux_binprm * bprm); 1245 int (*bprm_secureexec) (struct linux_binprm * bprm);
1246 1246
1247 int (*sb_alloc_security) (struct super_block * sb); 1247 int (*sb_alloc_security) (struct super_block * sb);
1248 void (*sb_free_security) (struct super_block * sb); 1248 void (*sb_free_security) (struct super_block * sb);
1249 int (*sb_copy_data)(struct file_system_type *type, 1249 int (*sb_copy_data)(struct file_system_type *type,
1250 void *orig, void *copy); 1250 void *orig, void *copy);
1251 int (*sb_kern_mount) (struct super_block *sb, void *data); 1251 int (*sb_kern_mount) (struct super_block *sb, void *data);
1252 int (*sb_statfs) (struct dentry *dentry); 1252 int (*sb_statfs) (struct dentry *dentry);
1253 int (*sb_mount) (char *dev_name, struct nameidata * nd, 1253 int (*sb_mount) (char *dev_name, struct nameidata * nd,
1254 char *type, unsigned long flags, void *data); 1254 char *type, unsigned long flags, void *data);
1255 int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd); 1255 int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd);
1256 int (*sb_umount) (struct vfsmount * mnt, int flags); 1256 int (*sb_umount) (struct vfsmount * mnt, int flags);
1257 void (*sb_umount_close) (struct vfsmount * mnt); 1257 void (*sb_umount_close) (struct vfsmount * mnt);
1258 void (*sb_umount_busy) (struct vfsmount * mnt); 1258 void (*sb_umount_busy) (struct vfsmount * mnt);
1259 void (*sb_post_remount) (struct vfsmount * mnt, 1259 void (*sb_post_remount) (struct vfsmount * mnt,
1260 unsigned long flags, void *data); 1260 unsigned long flags, void *data);
1261 void (*sb_post_addmount) (struct vfsmount * mnt, 1261 void (*sb_post_addmount) (struct vfsmount * mnt,
1262 struct nameidata * mountpoint_nd); 1262 struct nameidata * mountpoint_nd);
1263 int (*sb_pivotroot) (struct nameidata * old_nd, 1263 int (*sb_pivotroot) (struct nameidata * old_nd,
1264 struct nameidata * new_nd); 1264 struct nameidata * new_nd);
1265 void (*sb_post_pivotroot) (struct nameidata * old_nd, 1265 void (*sb_post_pivotroot) (struct nameidata * old_nd,
1266 struct nameidata * new_nd); 1266 struct nameidata * new_nd);
1267 int (*sb_get_mnt_opts) (const struct super_block *sb, 1267 int (*sb_get_mnt_opts) (const struct super_block *sb,
1268 char ***mount_options, int **flags, 1268 char ***mount_options, int **flags,
1269 int *num_opts); 1269 int *num_opts);
1270 int (*sb_set_mnt_opts) (struct super_block *sb, char **mount_options, 1270 int (*sb_set_mnt_opts) (struct super_block *sb, char **mount_options,
1271 int *flags, int num_opts); 1271 int *flags, int num_opts);
1272 void (*sb_clone_mnt_opts) (const struct super_block *oldsb, 1272 void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
1273 struct super_block *newsb); 1273 struct super_block *newsb);
1274 1274
1275 int (*inode_alloc_security) (struct inode *inode); 1275 int (*inode_alloc_security) (struct inode *inode);
1276 void (*inode_free_security) (struct inode *inode); 1276 void (*inode_free_security) (struct inode *inode);
1277 int (*inode_init_security) (struct inode *inode, struct inode *dir, 1277 int (*inode_init_security) (struct inode *inode, struct inode *dir,
1278 char **name, void **value, size_t *len); 1278 char **name, void **value, size_t *len);
1279 int (*inode_create) (struct inode *dir, 1279 int (*inode_create) (struct inode *dir,
1280 struct dentry *dentry, int mode); 1280 struct dentry *dentry, int mode);
1281 int (*inode_link) (struct dentry *old_dentry, 1281 int (*inode_link) (struct dentry *old_dentry,
1282 struct inode *dir, struct dentry *new_dentry); 1282 struct inode *dir, struct dentry *new_dentry);
1283 int (*inode_unlink) (struct inode *dir, struct dentry *dentry); 1283 int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
1284 int (*inode_symlink) (struct inode *dir, 1284 int (*inode_symlink) (struct inode *dir,
1285 struct dentry *dentry, const char *old_name); 1285 struct dentry *dentry, const char *old_name);
1286 int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode); 1286 int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode);
1287 int (*inode_rmdir) (struct inode *dir, struct dentry *dentry); 1287 int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
1288 int (*inode_mknod) (struct inode *dir, struct dentry *dentry, 1288 int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
1289 int mode, dev_t dev); 1289 int mode, dev_t dev);
1290 int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry, 1290 int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
1291 struct inode *new_dir, struct dentry *new_dentry); 1291 struct inode *new_dir, struct dentry *new_dentry);
1292 int (*inode_readlink) (struct dentry *dentry); 1292 int (*inode_readlink) (struct dentry *dentry);
1293 int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd); 1293 int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
1294 int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd); 1294 int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd);
1295 int (*inode_setattr) (struct dentry *dentry, struct iattr *attr); 1295 int (*inode_setattr) (struct dentry *dentry, struct iattr *attr);
1296 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry); 1296 int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
1297 void (*inode_delete) (struct inode *inode); 1297 void (*inode_delete) (struct inode *inode);
1298 int (*inode_setxattr) (struct dentry *dentry, char *name, void *value, 1298 int (*inode_setxattr) (struct dentry *dentry, char *name, void *value,
1299 size_t size, int flags); 1299 size_t size, int flags);
1300 void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value, 1300 void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value,
1301 size_t size, int flags); 1301 size_t size, int flags);
1302 int (*inode_getxattr) (struct dentry *dentry, char *name); 1302 int (*inode_getxattr) (struct dentry *dentry, char *name);
1303 int (*inode_listxattr) (struct dentry *dentry); 1303 int (*inode_listxattr) (struct dentry *dentry);
1304 int (*inode_removexattr) (struct dentry *dentry, char *name); 1304 int (*inode_removexattr) (struct dentry *dentry, char *name);
1305 int (*inode_need_killpriv) (struct dentry *dentry); 1305 int (*inode_need_killpriv) (struct dentry *dentry);
1306 int (*inode_killpriv) (struct dentry *dentry); 1306 int (*inode_killpriv) (struct dentry *dentry);
1307 int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err); 1307 int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
1308 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1308 int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
1309 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size); 1309 int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);
1310 1310
1311 int (*file_permission) (struct file * file, int mask); 1311 int (*file_permission) (struct file * file, int mask);
1312 int (*file_alloc_security) (struct file * file); 1312 int (*file_alloc_security) (struct file * file);
1313 void (*file_free_security) (struct file * file); 1313 void (*file_free_security) (struct file * file);
1314 int (*file_ioctl) (struct file * file, unsigned int cmd, 1314 int (*file_ioctl) (struct file * file, unsigned int cmd,
1315 unsigned long arg); 1315 unsigned long arg);
1316 int (*file_mmap) (struct file * file, 1316 int (*file_mmap) (struct file * file,
1317 unsigned long reqprot, unsigned long prot, 1317 unsigned long reqprot, unsigned long prot,
1318 unsigned long flags, unsigned long addr, 1318 unsigned long flags, unsigned long addr,
1319 unsigned long addr_only); 1319 unsigned long addr_only);
1320 int (*file_mprotect) (struct vm_area_struct * vma, 1320 int (*file_mprotect) (struct vm_area_struct * vma,
1321 unsigned long reqprot, 1321 unsigned long reqprot,
1322 unsigned long prot); 1322 unsigned long prot);
1323 int (*file_lock) (struct file * file, unsigned int cmd); 1323 int (*file_lock) (struct file * file, unsigned int cmd);
1324 int (*file_fcntl) (struct file * file, unsigned int cmd, 1324 int (*file_fcntl) (struct file * file, unsigned int cmd,
1325 unsigned long arg); 1325 unsigned long arg);
1326 int (*file_set_fowner) (struct file * file); 1326 int (*file_set_fowner) (struct file * file);
1327 int (*file_send_sigiotask) (struct task_struct * tsk, 1327 int (*file_send_sigiotask) (struct task_struct * tsk,
1328 struct fown_struct * fown, int sig); 1328 struct fown_struct * fown, int sig);
1329 int (*file_receive) (struct file * file); 1329 int (*file_receive) (struct file * file);
1330 int (*dentry_open) (struct file *file); 1330 int (*dentry_open) (struct file *file);
1331 1331
1332 int (*task_create) (unsigned long clone_flags); 1332 int (*task_create) (unsigned long clone_flags);
1333 int (*task_alloc_security) (struct task_struct * p); 1333 int (*task_alloc_security) (struct task_struct * p);
1334 void (*task_free_security) (struct task_struct * p); 1334 void (*task_free_security) (struct task_struct * p);
1335 int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags); 1335 int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
1336 int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ , 1336 int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ ,
1337 uid_t old_euid, uid_t old_suid, int flags); 1337 uid_t old_euid, uid_t old_suid, int flags);
1338 int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags); 1338 int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags);
1339 int (*task_setpgid) (struct task_struct * p, pid_t pgid); 1339 int (*task_setpgid) (struct task_struct * p, pid_t pgid);
1340 int (*task_getpgid) (struct task_struct * p); 1340 int (*task_getpgid) (struct task_struct * p);
1341 int (*task_getsid) (struct task_struct * p); 1341 int (*task_getsid) (struct task_struct * p);
1342 void (*task_getsecid) (struct task_struct * p, u32 * secid); 1342 void (*task_getsecid) (struct task_struct * p, u32 * secid);
1343 int (*task_setgroups) (struct group_info *group_info); 1343 int (*task_setgroups) (struct group_info *group_info);
1344 int (*task_setnice) (struct task_struct * p, int nice); 1344 int (*task_setnice) (struct task_struct * p, int nice);
1345 int (*task_setioprio) (struct task_struct * p, int ioprio); 1345 int (*task_setioprio) (struct task_struct * p, int ioprio);
1346 int (*task_getioprio) (struct task_struct * p); 1346 int (*task_getioprio) (struct task_struct * p);
1347 int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim); 1347 int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim);
1348 int (*task_setscheduler) (struct task_struct * p, int policy, 1348 int (*task_setscheduler) (struct task_struct * p, int policy,
1349 struct sched_param * lp); 1349 struct sched_param * lp);
1350 int (*task_getscheduler) (struct task_struct * p); 1350 int (*task_getscheduler) (struct task_struct * p);
1351 int (*task_movememory) (struct task_struct * p); 1351 int (*task_movememory) (struct task_struct * p);
1352 int (*task_kill) (struct task_struct * p, 1352 int (*task_kill) (struct task_struct * p,
1353 struct siginfo * info, int sig, u32 secid); 1353 struct siginfo * info, int sig, u32 secid);
1354 int (*task_wait) (struct task_struct * p); 1354 int (*task_wait) (struct task_struct * p);
1355 int (*task_prctl) (int option, unsigned long arg2, 1355 int (*task_prctl) (int option, unsigned long arg2,
1356 unsigned long arg3, unsigned long arg4, 1356 unsigned long arg3, unsigned long arg4,
1357 unsigned long arg5); 1357 unsigned long arg5);
1358 void (*task_reparent_to_init) (struct task_struct * p); 1358 void (*task_reparent_to_init) (struct task_struct * p);
1359 void (*task_to_inode)(struct task_struct *p, struct inode *inode); 1359 void (*task_to_inode)(struct task_struct *p, struct inode *inode);
1360 1360
1361 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag); 1361 int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
1362 1362
1363 int (*msg_msg_alloc_security) (struct msg_msg * msg); 1363 int (*msg_msg_alloc_security) (struct msg_msg * msg);
1364 void (*msg_msg_free_security) (struct msg_msg * msg); 1364 void (*msg_msg_free_security) (struct msg_msg * msg);
1365 1365
1366 int (*msg_queue_alloc_security) (struct msg_queue * msq); 1366 int (*msg_queue_alloc_security) (struct msg_queue * msq);
1367 void (*msg_queue_free_security) (struct msg_queue * msq); 1367 void (*msg_queue_free_security) (struct msg_queue * msq);
1368 int (*msg_queue_associate) (struct msg_queue * msq, int msqflg); 1368 int (*msg_queue_associate) (struct msg_queue * msq, int msqflg);
1369 int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd); 1369 int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd);
1370 int (*msg_queue_msgsnd) (struct msg_queue * msq, 1370 int (*msg_queue_msgsnd) (struct msg_queue * msq,
1371 struct msg_msg * msg, int msqflg); 1371 struct msg_msg * msg, int msqflg);
1372 int (*msg_queue_msgrcv) (struct msg_queue * msq, 1372 int (*msg_queue_msgrcv) (struct msg_queue * msq,
1373 struct msg_msg * msg, 1373 struct msg_msg * msg,
1374 struct task_struct * target, 1374 struct task_struct * target,
1375 long type, int mode); 1375 long type, int mode);
1376 1376
1377 int (*shm_alloc_security) (struct shmid_kernel * shp); 1377 int (*shm_alloc_security) (struct shmid_kernel * shp);
1378 void (*shm_free_security) (struct shmid_kernel * shp); 1378 void (*shm_free_security) (struct shmid_kernel * shp);
1379 int (*shm_associate) (struct shmid_kernel * shp, int shmflg); 1379 int (*shm_associate) (struct shmid_kernel * shp, int shmflg);
1380 int (*shm_shmctl) (struct shmid_kernel * shp, int cmd); 1380 int (*shm_shmctl) (struct shmid_kernel * shp, int cmd);
1381 int (*shm_shmat) (struct shmid_kernel * shp, 1381 int (*shm_shmat) (struct shmid_kernel * shp,
1382 char __user *shmaddr, int shmflg); 1382 char __user *shmaddr, int shmflg);
1383 1383
1384 int (*sem_alloc_security) (struct sem_array * sma); 1384 int (*sem_alloc_security) (struct sem_array * sma);
1385 void (*sem_free_security) (struct sem_array * sma); 1385 void (*sem_free_security) (struct sem_array * sma);
1386 int (*sem_associate) (struct sem_array * sma, int semflg); 1386 int (*sem_associate) (struct sem_array * sma, int semflg);
1387 int (*sem_semctl) (struct sem_array * sma, int cmd); 1387 int (*sem_semctl) (struct sem_array * sma, int cmd);
1388 int (*sem_semop) (struct sem_array * sma, 1388 int (*sem_semop) (struct sem_array * sma,
1389 struct sembuf * sops, unsigned nsops, int alter); 1389 struct sembuf * sops, unsigned nsops, int alter);
1390 1390
1391 int (*netlink_send) (struct sock * sk, struct sk_buff * skb); 1391 int (*netlink_send) (struct sock * sk, struct sk_buff * skb);
1392 int (*netlink_recv) (struct sk_buff * skb, int cap); 1392 int (*netlink_recv) (struct sk_buff * skb, int cap);
1393 1393
1394 /* allow module stacking */ 1394 /* allow module stacking */
1395 int (*register_security) (const char *name, 1395 int (*register_security) (const char *name,
1396 struct security_operations *ops); 1396 struct security_operations *ops);
1397 1397
1398 void (*d_instantiate) (struct dentry *dentry, struct inode *inode); 1398 void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
1399 1399
1400 int (*getprocattr)(struct task_struct *p, char *name, char **value); 1400 int (*getprocattr)(struct task_struct *p, char *name, char **value);
1401 int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size); 1401 int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size);
1402 int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen); 1402 int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
1403 int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid); 1403 int (*secctx_to_secid)(char *secdata, u32 seclen, u32 *secid);
1404 void (*release_secctx)(char *secdata, u32 seclen); 1404 void (*release_secctx)(char *secdata, u32 seclen);
1405 1405
1406 #ifdef CONFIG_SECURITY_NETWORK 1406 #ifdef CONFIG_SECURITY_NETWORK
1407 int (*unix_stream_connect) (struct socket * sock, 1407 int (*unix_stream_connect) (struct socket * sock,
1408 struct socket * other, struct sock * newsk); 1408 struct socket * other, struct sock * newsk);
1409 int (*unix_may_send) (struct socket * sock, struct socket * other); 1409 int (*unix_may_send) (struct socket * sock, struct socket * other);
1410 1410
1411 int (*socket_create) (int family, int type, int protocol, int kern); 1411 int (*socket_create) (int family, int type, int protocol, int kern);
1412 int (*socket_post_create) (struct socket * sock, int family, 1412 int (*socket_post_create) (struct socket * sock, int family,
1413 int type, int protocol, int kern); 1413 int type, int protocol, int kern);
1414 int (*socket_bind) (struct socket * sock, 1414 int (*socket_bind) (struct socket * sock,
1415 struct sockaddr * address, int addrlen); 1415 struct sockaddr * address, int addrlen);
1416 int (*socket_connect) (struct socket * sock, 1416 int (*socket_connect) (struct socket * sock,
1417 struct sockaddr * address, int addrlen); 1417 struct sockaddr * address, int addrlen);
1418 int (*socket_listen) (struct socket * sock, int backlog); 1418 int (*socket_listen) (struct socket * sock, int backlog);
1419 int (*socket_accept) (struct socket * sock, struct socket * newsock); 1419 int (*socket_accept) (struct socket * sock, struct socket * newsock);
1420 void (*socket_post_accept) (struct socket * sock, 1420 void (*socket_post_accept) (struct socket * sock,
1421 struct socket * newsock); 1421 struct socket * newsock);
1422 int (*socket_sendmsg) (struct socket * sock, 1422 int (*socket_sendmsg) (struct socket * sock,
1423 struct msghdr * msg, int size); 1423 struct msghdr * msg, int size);
1424 int (*socket_recvmsg) (struct socket * sock, 1424 int (*socket_recvmsg) (struct socket * sock,
1425 struct msghdr * msg, int size, int flags); 1425 struct msghdr * msg, int size, int flags);
1426 int (*socket_getsockname) (struct socket * sock); 1426 int (*socket_getsockname) (struct socket * sock);
1427 int (*socket_getpeername) (struct socket * sock); 1427 int (*socket_getpeername) (struct socket * sock);
1428 int (*socket_getsockopt) (struct socket * sock, int level, int optname); 1428 int (*socket_getsockopt) (struct socket * sock, int level, int optname);
1429 int (*socket_setsockopt) (struct socket * sock, int level, int optname); 1429 int (*socket_setsockopt) (struct socket * sock, int level, int optname);
1430 int (*socket_shutdown) (struct socket * sock, int how); 1430 int (*socket_shutdown) (struct socket * sock, int how);
1431 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb); 1431 int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb);
1432 int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len); 1432 int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
1433 int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid); 1433 int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid);
1434 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority); 1434 int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
1435 void (*sk_free_security) (struct sock *sk); 1435 void (*sk_free_security) (struct sock *sk);
1436 void (*sk_clone_security) (const struct sock *sk, struct sock *newsk); 1436 void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
1437 void (*sk_getsecid) (struct sock *sk, u32 *secid); 1437 void (*sk_getsecid) (struct sock *sk, u32 *secid);
1438 void (*sock_graft)(struct sock* sk, struct socket *parent); 1438 void (*sock_graft)(struct sock* sk, struct socket *parent);
1439 int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb, 1439 int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
1440 struct request_sock *req); 1440 struct request_sock *req);
1441 void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req); 1441 void (*inet_csk_clone)(struct sock *newsk, const struct request_sock *req);
1442 void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb); 1442 void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
1443 void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl); 1443 void (*req_classify_flow)(const struct request_sock *req, struct flowi *fl);
1444 #endif /* CONFIG_SECURITY_NETWORK */ 1444 #endif /* CONFIG_SECURITY_NETWORK */
1445 1445
1446 #ifdef CONFIG_SECURITY_NETWORK_XFRM 1446 #ifdef CONFIG_SECURITY_NETWORK_XFRM
1447 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp, 1447 int (*xfrm_policy_alloc_security) (struct xfrm_policy *xp,
1448 struct xfrm_user_sec_ctx *sec_ctx); 1448 struct xfrm_user_sec_ctx *sec_ctx);
1449 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new); 1449 int (*xfrm_policy_clone_security) (struct xfrm_policy *old, struct xfrm_policy *new);
1450 void (*xfrm_policy_free_security) (struct xfrm_policy *xp); 1450 void (*xfrm_policy_free_security) (struct xfrm_policy *xp);
1451 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp); 1451 int (*xfrm_policy_delete_security) (struct xfrm_policy *xp);
1452 int (*xfrm_state_alloc_security) (struct xfrm_state *x, 1452 int (*xfrm_state_alloc_security) (struct xfrm_state *x,
1453 struct xfrm_user_sec_ctx *sec_ctx, 1453 struct xfrm_user_sec_ctx *sec_ctx,
1454 u32 secid); 1454 u32 secid);
1455 void (*xfrm_state_free_security) (struct xfrm_state *x); 1455 void (*xfrm_state_free_security) (struct xfrm_state *x);
1456 int (*xfrm_state_delete_security) (struct xfrm_state *x); 1456 int (*xfrm_state_delete_security) (struct xfrm_state *x);
1457 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir); 1457 int (*xfrm_policy_lookup)(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
1458 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x, 1458 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
1459 struct xfrm_policy *xp, struct flowi *fl); 1459 struct xfrm_policy *xp, struct flowi *fl);
1460 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall); 1460 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
1461 #endif /* CONFIG_SECURITY_NETWORK_XFRM */ 1461 #endif /* CONFIG_SECURITY_NETWORK_XFRM */
1462 1462
1463 /* key management security hooks */ 1463 /* key management security hooks */
1464 #ifdef CONFIG_KEYS 1464 #ifdef CONFIG_KEYS
1465 int (*key_alloc)(struct key *key, struct task_struct *tsk, unsigned long flags); 1465 int (*key_alloc)(struct key *key, struct task_struct *tsk, unsigned long flags);
1466 void (*key_free)(struct key *key); 1466 void (*key_free)(struct key *key);
1467 int (*key_permission)(key_ref_t key_ref, 1467 int (*key_permission)(key_ref_t key_ref,
1468 struct task_struct *context, 1468 struct task_struct *context,
1469 key_perm_t perm); 1469 key_perm_t perm);
1470 1470
1471 #endif /* CONFIG_KEYS */ 1471 #endif /* CONFIG_KEYS */
1472 1472
1473 }; 1473 };
1474 1474
1475 /* prototypes */ 1475 /* prototypes */
1476 extern int security_init (void); 1476 extern int security_init (void);
1477 extern int register_security (struct security_operations *ops); 1477 extern int register_security (struct security_operations *ops);
1478 extern int mod_reg_security (const char *name, struct security_operations *ops); 1478 extern int mod_reg_security (const char *name, struct security_operations *ops);
1479 extern struct dentry *securityfs_create_file(const char *name, mode_t mode, 1479 extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
1480 struct dentry *parent, void *data, 1480 struct dentry *parent, void *data,
1481 const struct file_operations *fops); 1481 const struct file_operations *fops);
1482 extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent); 1482 extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent);
1483 extern void securityfs_remove(struct dentry *dentry); 1483 extern void securityfs_remove(struct dentry *dentry);
1484 1484
1485 1485
1486 /* Security operations */ 1486 /* Security operations */
1487 int security_ptrace(struct task_struct *parent, struct task_struct *child); 1487 int security_ptrace(struct task_struct *parent, struct task_struct *child);
1488 int security_capget(struct task_struct *target, 1488 int security_capget(struct task_struct *target,
1489 kernel_cap_t *effective, 1489 kernel_cap_t *effective,
1490 kernel_cap_t *inheritable, 1490 kernel_cap_t *inheritable,
1491 kernel_cap_t *permitted); 1491 kernel_cap_t *permitted);
1492 int security_capset_check(struct task_struct *target, 1492 int security_capset_check(struct task_struct *target,
1493 kernel_cap_t *effective, 1493 kernel_cap_t *effective,
1494 kernel_cap_t *inheritable, 1494 kernel_cap_t *inheritable,
1495 kernel_cap_t *permitted); 1495 kernel_cap_t *permitted);
1496 void security_capset_set(struct task_struct *target, 1496 void security_capset_set(struct task_struct *target,
1497 kernel_cap_t *effective, 1497 kernel_cap_t *effective,
1498 kernel_cap_t *inheritable, 1498 kernel_cap_t *inheritable,
1499 kernel_cap_t *permitted); 1499 kernel_cap_t *permitted);
1500 int security_capable(struct task_struct *tsk, int cap); 1500 int security_capable(struct task_struct *tsk, int cap);
1501 int security_acct(struct file *file); 1501 int security_acct(struct file *file);
1502 int security_sysctl(struct ctl_table *table, int op); 1502 int security_sysctl(struct ctl_table *table, int op);
1503 int security_quotactl(int cmds, int type, int id, struct super_block *sb); 1503 int security_quotactl(int cmds, int type, int id, struct super_block *sb);
1504 int security_quota_on(struct dentry *dentry); 1504 int security_quota_on(struct dentry *dentry);
1505 int security_syslog(int type); 1505 int security_syslog(int type);
1506 int security_settime(struct timespec *ts, struct timezone *tz); 1506 int security_settime(struct timespec *ts, struct timezone *tz);
1507 int security_vm_enough_memory(long pages); 1507 int security_vm_enough_memory(long pages);
1508 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages); 1508 int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
1509 int security_bprm_alloc(struct linux_binprm *bprm); 1509 int security_bprm_alloc(struct linux_binprm *bprm);
1510 void security_bprm_free(struct linux_binprm *bprm); 1510 void security_bprm_free(struct linux_binprm *bprm);
1511 void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe); 1511 void security_bprm_apply_creds(struct linux_binprm *bprm, int unsafe);
1512 void security_bprm_post_apply_creds(struct linux_binprm *bprm); 1512 void security_bprm_post_apply_creds(struct linux_binprm *bprm);
1513 int security_bprm_set(struct linux_binprm *bprm); 1513 int security_bprm_set(struct linux_binprm *bprm);
1514 int security_bprm_check(struct linux_binprm *bprm); 1514 int security_bprm_check(struct linux_binprm *bprm);
1515 int security_bprm_secureexec(struct linux_binprm *bprm); 1515 int security_bprm_secureexec(struct linux_binprm *bprm);
1516 int security_sb_alloc(struct super_block *sb); 1516 int security_sb_alloc(struct super_block *sb);
1517 void security_sb_free(struct super_block *sb); 1517 void security_sb_free(struct super_block *sb);
1518 int security_sb_copy_data(struct file_system_type *type, void *orig, void *copy); 1518 int security_sb_copy_data(struct file_system_type *type, void *orig, void *copy);
1519 int security_sb_kern_mount(struct super_block *sb, void *data); 1519 int security_sb_kern_mount(struct super_block *sb, void *data);
1520 int security_sb_statfs(struct dentry *dentry); 1520 int security_sb_statfs(struct dentry *dentry);
1521 int security_sb_mount(char *dev_name, struct nameidata *nd, 1521 int security_sb_mount(char *dev_name, struct nameidata *nd,
1522 char *type, unsigned long flags, void *data); 1522 char *type, unsigned long flags, void *data);
1523 int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd); 1523 int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd);
1524 int security_sb_umount(struct vfsmount *mnt, int flags); 1524 int security_sb_umount(struct vfsmount *mnt, int flags);
1525 void security_sb_umount_close(struct vfsmount *mnt); 1525 void security_sb_umount_close(struct vfsmount *mnt);
1526 void security_sb_umount_busy(struct vfsmount *mnt); 1526 void security_sb_umount_busy(struct vfsmount *mnt);
1527 void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data); 1527 void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data);
1528 void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd); 1528 void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd);
1529 int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); 1529 int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd);
1530 void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); 1530 void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd);
1531 int security_sb_get_mnt_opts(const struct super_block *sb, char ***mount_options, 1531 int security_sb_get_mnt_opts(const struct super_block *sb, char ***mount_options,
1532 int **flags, int *num_opts); 1532 int **flags, int *num_opts);
1533 int security_sb_set_mnt_opts(struct super_block *sb, char **mount_options, 1533 int security_sb_set_mnt_opts(struct super_block *sb, char **mount_options,
1534 int *flags, int num_opts); 1534 int *flags, int num_opts);
1535 void security_sb_clone_mnt_opts(const struct super_block *oldsb, 1535 void security_sb_clone_mnt_opts(const struct super_block *oldsb,
1536 struct super_block *newsb); 1536 struct super_block *newsb);
1537 1537
1538 int security_inode_alloc(struct inode *inode); 1538 int security_inode_alloc(struct inode *inode);
1539 void security_inode_free(struct inode *inode); 1539 void security_inode_free(struct inode *inode);
1540 int security_inode_init_security(struct inode *inode, struct inode *dir, 1540 int security_inode_init_security(struct inode *inode, struct inode *dir,
1541 char **name, void **value, size_t *len); 1541 char **name, void **value, size_t *len);
1542 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode); 1542 int security_inode_create(struct inode *dir, struct dentry *dentry, int mode);
1543 int security_inode_link(struct dentry *old_dentry, struct inode *dir, 1543 int security_inode_link(struct dentry *old_dentry, struct inode *dir,
1544 struct dentry *new_dentry); 1544 struct dentry *new_dentry);
1545 int security_inode_unlink(struct inode *dir, struct dentry *dentry); 1545 int security_inode_unlink(struct inode *dir, struct dentry *dentry);
1546 int security_inode_symlink(struct inode *dir, struct dentry *dentry, 1546 int security_inode_symlink(struct inode *dir, struct dentry *dentry,
1547 const char *old_name); 1547 const char *old_name);
1548 int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode); 1548 int security_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode);
1549 int security_inode_rmdir(struct inode *dir, struct dentry *dentry); 1549 int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
1550 int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev); 1550 int security_inode_mknod(struct inode *dir, struct dentry *dentry, int mode, dev_t dev);
1551 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry, 1551 int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
1552 struct inode *new_dir, struct dentry *new_dentry); 1552 struct inode *new_dir, struct dentry *new_dentry);
1553 int security_inode_readlink(struct dentry *dentry); 1553 int security_inode_readlink(struct dentry *dentry);
1554 int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd); 1554 int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd);
1555 int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd); 1555 int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd);
1556 int security_inode_setattr(struct dentry *dentry, struct iattr *attr); 1556 int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
1557 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry); 1557 int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry);
1558 void security_inode_delete(struct inode *inode); 1558 void security_inode_delete(struct inode *inode);
1559 int security_inode_setxattr(struct dentry *dentry, char *name, 1559 int security_inode_setxattr(struct dentry *dentry, char *name,
1560 void *value, size_t size, int flags); 1560 void *value, size_t size, int flags);
1561 void security_inode_post_setxattr(struct dentry *dentry, char *name, 1561 void security_inode_post_setxattr(struct dentry *dentry, char *name,
1562 void *value, size_t size, int flags); 1562 void *value, size_t size, int flags);
1563 int security_inode_getxattr(struct dentry *dentry, char *name); 1563 int security_inode_getxattr(struct dentry *dentry, char *name);
1564 int security_inode_listxattr(struct dentry *dentry); 1564 int security_inode_listxattr(struct dentry *dentry);
1565 int security_inode_removexattr(struct dentry *dentry, char *name); 1565 int security_inode_removexattr(struct dentry *dentry, char *name);
1566 int security_inode_need_killpriv(struct dentry *dentry); 1566 int security_inode_need_killpriv(struct dentry *dentry);
1567 int security_inode_killpriv(struct dentry *dentry); 1567 int security_inode_killpriv(struct dentry *dentry);
1568 int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err); 1568 int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
1569 int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags); 1569 int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
1570 int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size); 1570 int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
1571 int security_file_permission(struct file *file, int mask); 1571 int security_file_permission(struct file *file, int mask);
1572 int security_file_alloc(struct file *file); 1572 int security_file_alloc(struct file *file);
1573 void security_file_free(struct file *file); 1573 void security_file_free(struct file *file);
1574 int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg); 1574 int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
1575 int security_file_mmap(struct file *file, unsigned long reqprot, 1575 int security_file_mmap(struct file *file, unsigned long reqprot,
1576 unsigned long prot, unsigned long flags, 1576 unsigned long prot, unsigned long flags,
1577 unsigned long addr, unsigned long addr_only); 1577 unsigned long addr, unsigned long addr_only);
1578 int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, 1578 int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
1579 unsigned long prot); 1579 unsigned long prot);
1580 int security_file_lock(struct file *file, unsigned int cmd); 1580 int security_file_lock(struct file *file, unsigned int cmd);
1581 int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg); 1581 int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg);
1582 int security_file_set_fowner(struct file *file); 1582 int security_file_set_fowner(struct file *file);
1583 int security_file_send_sigiotask(struct task_struct *tsk, 1583 int security_file_send_sigiotask(struct task_struct *tsk,
1584 struct fown_struct *fown, int sig); 1584 struct fown_struct *fown, int sig);
1585 int security_file_receive(struct file *file); 1585 int security_file_receive(struct file *file);
1586 int security_dentry_open(struct file *file); 1586 int security_dentry_open(struct file *file);
1587 int security_task_create(unsigned long clone_flags); 1587 int security_task_create(unsigned long clone_flags);
1588 int security_task_alloc(struct task_struct *p); 1588 int security_task_alloc(struct task_struct *p);
1589 void security_task_free(struct task_struct *p); 1589 void security_task_free(struct task_struct *p);
1590 int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags); 1590 int security_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags);
1591 int security_task_post_setuid(uid_t old_ruid, uid_t old_euid, 1591 int security_task_post_setuid(uid_t old_ruid, uid_t old_euid,
1592 uid_t old_suid, int flags); 1592 uid_t old_suid, int flags);
1593 int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags); 1593 int security_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags);
1594 int security_task_setpgid(struct task_struct *p, pid_t pgid); 1594 int security_task_setpgid(struct task_struct *p, pid_t pgid);
1595 int security_task_getpgid(struct task_struct *p); 1595 int security_task_getpgid(struct task_struct *p);
1596 int security_task_getsid(struct task_struct *p); 1596 int security_task_getsid(struct task_struct *p);
1597 void security_task_getsecid(struct task_struct *p, u32 *secid); 1597 void security_task_getsecid(struct task_struct *p, u32 *secid);
1598 int security_task_setgroups(struct group_info *group_info); 1598 int security_task_setgroups(struct group_info *group_info);
1599 int security_task_setnice(struct task_struct *p, int nice); 1599 int security_task_setnice(struct task_struct *p, int nice);
1600 int security_task_setioprio(struct task_struct *p, int ioprio); 1600 int security_task_setioprio(struct task_struct *p, int ioprio);
1601 int security_task_getioprio(struct task_struct *p); 1601 int security_task_getioprio(struct task_struct *p);
1602 int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim); 1602 int security_task_setrlimit(unsigned int resource, struct rlimit *new_rlim);
1603 int security_task_setscheduler(struct task_struct *p, 1603 int security_task_setscheduler(struct task_struct *p,
1604 int policy, struct sched_param *lp); 1604 int policy, struct sched_param *lp);
1605 int security_task_getscheduler(struct task_struct *p); 1605 int security_task_getscheduler(struct task_struct *p);
1606 int security_task_movememory(struct task_struct *p); 1606 int security_task_movememory(struct task_struct *p);
1607 int security_task_kill(struct task_struct *p, struct siginfo *info, 1607 int security_task_kill(struct task_struct *p, struct siginfo *info,
1608 int sig, u32 secid); 1608 int sig, u32 secid);
1609 int security_task_wait(struct task_struct *p); 1609 int security_task_wait(struct task_struct *p);
1610 int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, 1610 int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
1611 unsigned long arg4, unsigned long arg5); 1611 unsigned long arg4, unsigned long arg5);
1612 void security_task_reparent_to_init(struct task_struct *p); 1612 void security_task_reparent_to_init(struct task_struct *p);
1613 void security_task_to_inode(struct task_struct *p, struct inode *inode); 1613 void security_task_to_inode(struct task_struct *p, struct inode *inode);
1614 int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag); 1614 int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
1615 int security_msg_msg_alloc(struct msg_msg *msg); 1615 int security_msg_msg_alloc(struct msg_msg *msg);
1616 void security_msg_msg_free(struct msg_msg *msg); 1616 void security_msg_msg_free(struct msg_msg *msg);
1617 int security_msg_queue_alloc(struct msg_queue *msq); 1617 int security_msg_queue_alloc(struct msg_queue *msq);
1618 void security_msg_queue_free(struct msg_queue *msq); 1618 void security_msg_queue_free(struct msg_queue *msq);
1619 int security_msg_queue_associate(struct msg_queue *msq, int msqflg); 1619 int security_msg_queue_associate(struct msg_queue *msq, int msqflg);
1620 int security_msg_queue_msgctl(struct msg_queue *msq, int cmd); 1620 int security_msg_queue_msgctl(struct msg_queue *msq, int cmd);
1621 int security_msg_queue_msgsnd(struct msg_queue *msq, 1621 int security_msg_queue_msgsnd(struct msg_queue *msq,
1622 struct msg_msg *msg, int msqflg); 1622 struct msg_msg *msg, int msqflg);
1623 int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, 1623 int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
1624 struct task_struct *target, long type, int mode); 1624 struct task_struct *target, long type, int mode);
1625 int security_shm_alloc(struct shmid_kernel *shp); 1625 int security_shm_alloc(struct shmid_kernel *shp);
1626 void security_shm_free(struct shmid_kernel *shp); 1626 void security_shm_free(struct shmid_kernel *shp);
1627 int security_shm_associate(struct shmid_kernel *shp, int shmflg); 1627 int security_shm_associate(struct shmid_kernel *shp, int shmflg);
1628 int security_shm_shmctl(struct shmid_kernel *shp, int cmd); 1628 int security_shm_shmctl(struct shmid_kernel *shp, int cmd);
1629 int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg); 1629 int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg);
1630 int security_sem_alloc(struct sem_array *sma); 1630 int security_sem_alloc(struct sem_array *sma);
1631 void security_sem_free(struct sem_array *sma); 1631 void security_sem_free(struct sem_array *sma);
1632 int security_sem_associate(struct sem_array *sma, int semflg); 1632 int security_sem_associate(struct sem_array *sma, int semflg);
1633 int security_sem_semctl(struct sem_array *sma, int cmd); 1633 int security_sem_semctl(struct sem_array *sma, int cmd);
1634 int security_sem_semop(struct sem_array *sma, struct sembuf *sops, 1634 int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
1635 unsigned nsops, int alter); 1635 unsigned nsops, int alter);
1636 void security_d_instantiate (struct dentry *dentry, struct inode *inode); 1636 void security_d_instantiate (struct dentry *dentry, struct inode *inode);
1637 int security_getprocattr(struct task_struct *p, char *name, char **value); 1637 int security_getprocattr(struct task_struct *p, char *name, char **value);
1638 int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size); 1638 int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size);
1639 int security_netlink_send(struct sock *sk, struct sk_buff *skb); 1639 int security_netlink_send(struct sock *sk, struct sk_buff *skb);
1640 int security_netlink_recv(struct sk_buff *skb, int cap); 1640 int security_netlink_recv(struct sk_buff *skb, int cap);
1641 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen); 1641 int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
1642 int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid); 1642 int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid);
1643 void security_release_secctx(char *secdata, u32 seclen); 1643 void security_release_secctx(char *secdata, u32 seclen);
1644 1644
1645 #else /* CONFIG_SECURITY */ 1645 #else /* CONFIG_SECURITY */
1646 1646
1647 /* 1647 /*
1648 * This is the default capabilities functionality. Most of these functions 1648 * This is the default capabilities functionality. Most of these functions
1649 * are just stubbed out, but a few must call the proper capable code. 1649 * are just stubbed out, but a few must call the proper capable code.
1650 */ 1650 */
1651 1651
1652 static inline int security_init(void) 1652 static inline int security_init(void)
1653 { 1653 {
1654 return 0; 1654 return 0;
1655 } 1655 }
1656 1656
1657 static inline int security_ptrace (struct task_struct *parent, struct task_struct * child) 1657 static inline int security_ptrace (struct task_struct *parent, struct task_struct * child)
1658 { 1658 {
1659 return cap_ptrace (parent, child); 1659 return cap_ptrace (parent, child);
1660 } 1660 }
1661 1661
1662 static inline int security_capget (struct task_struct *target, 1662 static inline int security_capget (struct task_struct *target,
1663 kernel_cap_t *effective, 1663 kernel_cap_t *effective,
1664 kernel_cap_t *inheritable, 1664 kernel_cap_t *inheritable,
1665 kernel_cap_t *permitted) 1665 kernel_cap_t *permitted)
1666 { 1666 {
1667 return cap_capget (target, effective, inheritable, permitted); 1667 return cap_capget (target, effective, inheritable, permitted);
1668 } 1668 }
1669 1669
1670 static inline int security_capset_check (struct task_struct *target, 1670 static inline int security_capset_check (struct task_struct *target,
1671 kernel_cap_t *effective, 1671 kernel_cap_t *effective,
1672 kernel_cap_t *inheritable, 1672 kernel_cap_t *inheritable,
1673 kernel_cap_t *permitted) 1673 kernel_cap_t *permitted)
1674 { 1674 {
1675 return cap_capset_check (target, effective, inheritable, permitted); 1675 return cap_capset_check (target, effective, inheritable, permitted);
1676 } 1676 }
1677 1677
1678 static inline void security_capset_set (struct task_struct *target, 1678 static inline void security_capset_set (struct task_struct *target,
1679 kernel_cap_t *effective, 1679 kernel_cap_t *effective,
1680 kernel_cap_t *inheritable, 1680 kernel_cap_t *inheritable,
1681 kernel_cap_t *permitted) 1681 kernel_cap_t *permitted)
1682 { 1682 {
1683 cap_capset_set (target, effective, inheritable, permitted); 1683 cap_capset_set (target, effective, inheritable, permitted);
1684 } 1684 }
1685 1685
1686 static inline int security_capable(struct task_struct *tsk, int cap) 1686 static inline int security_capable(struct task_struct *tsk, int cap)
1687 { 1687 {
1688 return cap_capable(tsk, cap); 1688 return cap_capable(tsk, cap);
1689 } 1689 }
1690 1690
1691 static inline int security_acct (struct file *file) 1691 static inline int security_acct (struct file *file)
1692 { 1692 {
1693 return 0; 1693 return 0;
1694 } 1694 }
1695 1695
1696 static inline int security_sysctl(struct ctl_table *table, int op) 1696 static inline int security_sysctl(struct ctl_table *table, int op)
1697 { 1697 {
1698 return 0; 1698 return 0;
1699 } 1699 }
1700 1700
1701 static inline int security_quotactl (int cmds, int type, int id, 1701 static inline int security_quotactl (int cmds, int type, int id,
1702 struct super_block * sb) 1702 struct super_block * sb)
1703 { 1703 {
1704 return 0; 1704 return 0;
1705 } 1705 }
1706 1706
1707 static inline int security_quota_on (struct dentry * dentry) 1707 static inline int security_quota_on (struct dentry * dentry)
1708 { 1708 {
1709 return 0; 1709 return 0;
1710 } 1710 }
1711 1711
1712 static inline int security_syslog(int type) 1712 static inline int security_syslog(int type)
1713 { 1713 {
1714 return cap_syslog(type); 1714 return cap_syslog(type);
1715 } 1715 }
1716 1716
1717 static inline int security_settime(struct timespec *ts, struct timezone *tz) 1717 static inline int security_settime(struct timespec *ts, struct timezone *tz)
1718 { 1718 {
1719 return cap_settime(ts, tz); 1719 return cap_settime(ts, tz);
1720 } 1720 }
1721 1721
1722 static inline int security_vm_enough_memory(long pages) 1722 static inline int security_vm_enough_memory(long pages)
1723 { 1723 {
1724 return cap_vm_enough_memory(current->mm, pages); 1724 return cap_vm_enough_memory(current->mm, pages);
1725 } 1725 }
1726 1726
1727 static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) 1727 static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
1728 { 1728 {
1729 return cap_vm_enough_memory(mm, pages); 1729 return cap_vm_enough_memory(mm, pages);
1730 } 1730 }
1731 1731
1732 static inline int security_bprm_alloc (struct linux_binprm *bprm) 1732 static inline int security_bprm_alloc (struct linux_binprm *bprm)
1733 { 1733 {
1734 return 0; 1734 return 0;
1735 } 1735 }
1736 1736
1737 static inline void security_bprm_free (struct linux_binprm *bprm) 1737 static inline void security_bprm_free (struct linux_binprm *bprm)
1738 { } 1738 { }
1739 1739
1740 static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) 1740 static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
1741 { 1741 {
1742 cap_bprm_apply_creds (bprm, unsafe); 1742 cap_bprm_apply_creds (bprm, unsafe);
1743 } 1743 }
1744 1744
1745 static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) 1745 static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm)
1746 { 1746 {
1747 return; 1747 return;
1748 } 1748 }
1749 1749
1750 static inline int security_bprm_set (struct linux_binprm *bprm) 1750 static inline int security_bprm_set (struct linux_binprm *bprm)
1751 { 1751 {
1752 return cap_bprm_set_security (bprm); 1752 return cap_bprm_set_security (bprm);
1753 } 1753 }
1754 1754
1755 static inline int security_bprm_check (struct linux_binprm *bprm) 1755 static inline int security_bprm_check (struct linux_binprm *bprm)
1756 { 1756 {
1757 return 0; 1757 return 0;
1758 } 1758 }
1759 1759
1760 static inline int security_bprm_secureexec (struct linux_binprm *bprm) 1760 static inline int security_bprm_secureexec (struct linux_binprm *bprm)
1761 { 1761 {
1762 return cap_bprm_secureexec(bprm); 1762 return cap_bprm_secureexec(bprm);
1763 } 1763 }
1764 1764
1765 static inline int security_sb_alloc (struct super_block *sb) 1765 static inline int security_sb_alloc (struct super_block *sb)
1766 { 1766 {
1767 return 0; 1767 return 0;
1768 } 1768 }
1769 1769
1770 static inline void security_sb_free (struct super_block *sb) 1770 static inline void security_sb_free (struct super_block *sb)
1771 { } 1771 { }
1772 1772
1773 static inline int security_sb_copy_data (struct file_system_type *type, 1773 static inline int security_sb_copy_data (struct file_system_type *type,
1774 void *orig, void *copy) 1774 void *orig, void *copy)
1775 { 1775 {
1776 return 0; 1776 return 0;
1777 } 1777 }
1778 1778
1779 static inline int security_sb_kern_mount (struct super_block *sb, void *data) 1779 static inline int security_sb_kern_mount (struct super_block *sb, void *data)
1780 { 1780 {
1781 return 0; 1781 return 0;
1782 } 1782 }
1783 1783
1784 static inline int security_sb_statfs (struct dentry *dentry) 1784 static inline int security_sb_statfs (struct dentry *dentry)
1785 { 1785 {
1786 return 0; 1786 return 0;
1787 } 1787 }
1788 1788
1789 static inline int security_sb_mount (char *dev_name, struct nameidata *nd, 1789 static inline int security_sb_mount (char *dev_name, struct nameidata *nd,
1790 char *type, unsigned long flags, 1790 char *type, unsigned long flags,
1791 void *data) 1791 void *data)
1792 { 1792 {
1793 return 0; 1793 return 0;
1794 } 1794 }
1795 1795
1796 static inline int security_sb_check_sb (struct vfsmount *mnt, 1796 static inline int security_sb_check_sb (struct vfsmount *mnt,
1797 struct nameidata *nd) 1797 struct nameidata *nd)
1798 { 1798 {
1799 return 0; 1799 return 0;
1800 } 1800 }
1801 1801
1802 static inline int security_sb_umount (struct vfsmount *mnt, int flags) 1802 static inline int security_sb_umount (struct vfsmount *mnt, int flags)
1803 { 1803 {
1804 return 0; 1804 return 0;
1805 } 1805 }
1806 1806
1807 static inline void security_sb_umount_close (struct vfsmount *mnt) 1807 static inline void security_sb_umount_close (struct vfsmount *mnt)
1808 { } 1808 { }
1809 1809
1810 static inline void security_sb_umount_busy (struct vfsmount *mnt) 1810 static inline void security_sb_umount_busy (struct vfsmount *mnt)
1811 { } 1811 { }
1812 1812
1813 static inline void security_sb_post_remount (struct vfsmount *mnt, 1813 static inline void security_sb_post_remount (struct vfsmount *mnt,
1814 unsigned long flags, void *data) 1814 unsigned long flags, void *data)
1815 { } 1815 { }
1816 1816
1817 static inline void security_sb_post_addmount (struct vfsmount *mnt, 1817 static inline void security_sb_post_addmount (struct vfsmount *mnt,
1818 struct nameidata *mountpoint_nd) 1818 struct nameidata *mountpoint_nd)
1819 { } 1819 { }
1820 1820
1821 static inline int security_sb_pivotroot (struct nameidata *old_nd, 1821 static inline int security_sb_pivotroot (struct nameidata *old_nd,
1822 struct nameidata *new_nd) 1822 struct nameidata *new_nd)
1823 { 1823 {
1824 return 0; 1824 return 0;
1825 } 1825 }
1826 1826
1827 static inline void security_sb_post_pivotroot (struct nameidata *old_nd, 1827 static inline void security_sb_post_pivotroot (struct nameidata *old_nd,
1828 struct nameidata *new_nd) 1828 struct nameidata *new_nd)
1829 { } 1829 { }
1830 1830
1831 static inline int security_inode_alloc (struct inode *inode) 1831 static inline int security_inode_alloc (struct inode *inode)
1832 { 1832 {
1833 return 0; 1833 return 0;
1834 } 1834 }
1835 1835
1836 static inline void security_inode_free (struct inode *inode) 1836 static inline void security_inode_free (struct inode *inode)
1837 { } 1837 { }
1838 1838
1839 static inline int security_inode_init_security (struct inode *inode, 1839 static inline int security_inode_init_security (struct inode *inode,
1840 struct inode *dir, 1840 struct inode *dir,
1841 char **name, 1841 char **name,
1842 void **value, 1842 void **value,
1843 size_t *len) 1843 size_t *len)
1844 { 1844 {
1845 return -EOPNOTSUPP; 1845 return -EOPNOTSUPP;
1846 } 1846 }
1847 1847
1848 static inline int security_inode_create (struct inode *dir, 1848 static inline int security_inode_create (struct inode *dir,
1849 struct dentry *dentry, 1849 struct dentry *dentry,
1850 int mode) 1850 int mode)
1851 { 1851 {
1852 return 0; 1852 return 0;
1853 } 1853 }
1854 1854
1855 static inline int security_inode_link (struct dentry *old_dentry, 1855 static inline int security_inode_link (struct dentry *old_dentry,
1856 struct inode *dir, 1856 struct inode *dir,
1857 struct dentry *new_dentry) 1857 struct dentry *new_dentry)
1858 { 1858 {
1859 return 0; 1859 return 0;
1860 } 1860 }
1861 1861
1862 static inline int security_inode_unlink (struct inode *dir, 1862 static inline int security_inode_unlink (struct inode *dir,
1863 struct dentry *dentry) 1863 struct dentry *dentry)
1864 { 1864 {
1865 return 0; 1865 return 0;
1866 } 1866 }
1867 1867
1868 static inline int security_inode_symlink (struct inode *dir, 1868 static inline int security_inode_symlink (struct inode *dir,
1869 struct dentry *dentry, 1869 struct dentry *dentry,
1870 const char *old_name) 1870 const char *old_name)
1871 { 1871 {
1872 return 0; 1872 return 0;
1873 } 1873 }
1874 1874
1875 static inline int security_inode_mkdir (struct inode *dir, 1875 static inline int security_inode_mkdir (struct inode *dir,
1876 struct dentry *dentry, 1876 struct dentry *dentry,
1877 int mode) 1877 int mode)
1878 { 1878 {
1879 return 0; 1879 return 0;
1880 } 1880 }
1881 1881
1882 static inline int security_inode_rmdir (struct inode *dir, 1882 static inline int security_inode_rmdir (struct inode *dir,
1883 struct dentry *dentry) 1883 struct dentry *dentry)
1884 { 1884 {
1885 return 0; 1885 return 0;
1886 } 1886 }
1887 1887
1888 static inline int security_inode_mknod (struct inode *dir, 1888 static inline int security_inode_mknod (struct inode *dir,
1889 struct dentry *dentry, 1889 struct dentry *dentry,
1890 int mode, dev_t dev) 1890 int mode, dev_t dev)
1891 { 1891 {
1892 return 0; 1892 return 0;
1893 } 1893 }
1894 1894
1895 static inline int security_inode_rename (struct inode *old_dir, 1895 static inline int security_inode_rename (struct inode *old_dir,
1896 struct dentry *old_dentry, 1896 struct dentry *old_dentry,
1897 struct inode *new_dir, 1897 struct inode *new_dir,
1898 struct dentry *new_dentry) 1898 struct dentry *new_dentry)
1899 { 1899 {
1900 return 0; 1900 return 0;
1901 } 1901 }
1902 1902
1903 static inline int security_inode_readlink (struct dentry *dentry) 1903 static inline int security_inode_readlink (struct dentry *dentry)
1904 { 1904 {
1905 return 0; 1905 return 0;
1906 } 1906 }
1907 1907
1908 static inline int security_inode_follow_link (struct dentry *dentry, 1908 static inline int security_inode_follow_link (struct dentry *dentry,
1909 struct nameidata *nd) 1909 struct nameidata *nd)
1910 { 1910 {
1911 return 0; 1911 return 0;
1912 } 1912 }
1913 1913
1914 static inline int security_inode_permission (struct inode *inode, int mask, 1914 static inline int security_inode_permission (struct inode *inode, int mask,
1915 struct nameidata *nd) 1915 struct nameidata *nd)
1916 { 1916 {
1917 return 0; 1917 return 0;
1918 } 1918 }
1919 1919
1920 static inline int security_inode_setattr (struct dentry *dentry, 1920 static inline int security_inode_setattr (struct dentry *dentry,
1921 struct iattr *attr) 1921 struct iattr *attr)
1922 { 1922 {
1923 return 0; 1923 return 0;
1924 } 1924 }
1925 1925
1926 static inline int security_inode_getattr (struct vfsmount *mnt, 1926 static inline int security_inode_getattr (struct vfsmount *mnt,
1927 struct dentry *dentry) 1927 struct dentry *dentry)
1928 { 1928 {
1929 return 0; 1929 return 0;
1930 } 1930 }
1931 1931
1932 static inline void security_inode_delete (struct inode *inode) 1932 static inline void security_inode_delete (struct inode *inode)
1933 { } 1933 { }
1934 1934
1935 static inline int security_inode_setxattr (struct dentry *dentry, char *name, 1935 static inline int security_inode_setxattr (struct dentry *dentry, char *name,
1936 void *value, size_t size, int flags) 1936 void *value, size_t size, int flags)
1937 { 1937 {
1938 return cap_inode_setxattr(dentry, name, value, size, flags); 1938 return cap_inode_setxattr(dentry, name, value, size, flags);
1939 } 1939 }
1940 1940
1941 static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, 1941 static inline void security_inode_post_setxattr (struct dentry *dentry, char *name,
1942 void *value, size_t size, int flags) 1942 void *value, size_t size, int flags)
1943 { } 1943 { }
1944 1944
1945 static inline int security_inode_getxattr (struct dentry *dentry, char *name) 1945 static inline int security_inode_getxattr (struct dentry *dentry, char *name)
1946 { 1946 {
1947 return 0; 1947 return 0;
1948 } 1948 }
1949 1949
1950 static inline int security_inode_listxattr (struct dentry *dentry) 1950 static inline int security_inode_listxattr (struct dentry *dentry)
1951 { 1951 {
1952 return 0; 1952 return 0;
1953 } 1953 }
1954 1954
1955 static inline int security_inode_removexattr (struct dentry *dentry, char *name) 1955 static inline int security_inode_removexattr (struct dentry *dentry, char *name)
1956 { 1956 {
1957 return cap_inode_removexattr(dentry, name); 1957 return cap_inode_removexattr(dentry, name);
1958 } 1958 }
1959 1959
1960 static inline int security_inode_need_killpriv(struct dentry *dentry) 1960 static inline int security_inode_need_killpriv(struct dentry *dentry)
1961 { 1961 {
1962 return cap_inode_need_killpriv(dentry); 1962 return cap_inode_need_killpriv(dentry);
1963 } 1963 }
1964 1964
1965 static inline int security_inode_killpriv(struct dentry *dentry) 1965 static inline int security_inode_killpriv(struct dentry *dentry)
1966 { 1966 {
1967 return cap_inode_killpriv(dentry); 1967 return cap_inode_killpriv(dentry);
1968 } 1968 }
1969 1969
1970 static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) 1970 static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err)
1971 { 1971 {
1972 return -EOPNOTSUPP; 1972 return -EOPNOTSUPP;
1973 } 1973 }
1974 1974
1975 static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) 1975 static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
1976 { 1976 {
1977 return -EOPNOTSUPP; 1977 return -EOPNOTSUPP;
1978 } 1978 }
1979 1979
1980 static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) 1980 static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
1981 { 1981 {
1982 return 0; 1982 return 0;
1983 } 1983 }
1984 1984
1985 static inline int security_file_permission (struct file *file, int mask) 1985 static inline int security_file_permission (struct file *file, int mask)
1986 { 1986 {
1987 return 0; 1987 return 0;
1988 } 1988 }
1989 1989
1990 static inline int security_file_alloc (struct file *file) 1990 static inline int security_file_alloc (struct file *file)
1991 { 1991 {
1992 return 0; 1992 return 0;
1993 } 1993 }
1994 1994
1995 static inline void security_file_free (struct file *file) 1995 static inline void security_file_free (struct file *file)
1996 { } 1996 { }
1997 1997
1998 static inline int security_file_ioctl (struct file *file, unsigned int cmd, 1998 static inline int security_file_ioctl (struct file *file, unsigned int cmd,
1999 unsigned long arg) 1999 unsigned long arg)
2000 { 2000 {
2001 return 0; 2001 return 0;
2002 } 2002 }
2003 2003
2004 static inline int security_file_mmap (struct file *file, unsigned long reqprot, 2004 static inline int security_file_mmap (struct file *file, unsigned long reqprot,
2005 unsigned long prot, 2005 unsigned long prot,
2006 unsigned long flags, 2006 unsigned long flags,
2007 unsigned long addr, 2007 unsigned long addr,
2008 unsigned long addr_only) 2008 unsigned long addr_only)
2009 { 2009 {
2010 return 0; 2010 return 0;
2011 } 2011 }
2012 2012
2013 static inline int security_file_mprotect (struct vm_area_struct *vma, 2013 static inline int security_file_mprotect (struct vm_area_struct *vma,
2014 unsigned long reqprot, 2014 unsigned long reqprot,
2015 unsigned long prot) 2015 unsigned long prot)
2016 { 2016 {
2017 return 0; 2017 return 0;
2018 } 2018 }
2019 2019
2020 static inline int security_file_lock (struct file *file, unsigned int cmd) 2020 static inline int security_file_lock (struct file *file, unsigned int cmd)
2021 { 2021 {
2022 return 0; 2022 return 0;
2023 } 2023 }
2024 2024
2025 static inline int security_file_fcntl (struct file *file, unsigned int cmd, 2025 static inline int security_file_fcntl (struct file *file, unsigned int cmd,
2026 unsigned long arg) 2026 unsigned long arg)
2027 { 2027 {
2028 return 0; 2028 return 0;
2029 } 2029 }
2030 2030
2031 static inline int security_file_set_fowner (struct file *file) 2031 static inline int security_file_set_fowner (struct file *file)
2032 { 2032 {
2033 return 0; 2033 return 0;
2034 } 2034 }
2035 2035
2036 static inline int security_file_send_sigiotask (struct task_struct *tsk, 2036 static inline int security_file_send_sigiotask (struct task_struct *tsk,
2037 struct fown_struct *fown, 2037 struct fown_struct *fown,
2038 int sig) 2038 int sig)
2039 { 2039 {
2040 return 0; 2040 return 0;
2041 } 2041 }
2042 2042
2043 static inline int security_file_receive (struct file *file) 2043 static inline int security_file_receive (struct file *file)
2044 { 2044 {
2045 return 0; 2045 return 0;
2046 } 2046 }
2047 2047
2048 static inline int security_dentry_open (struct file *file) 2048 static inline int security_dentry_open (struct file *file)
2049 { 2049 {
2050 return 0; 2050 return 0;
2051 } 2051 }
2052 2052
2053 static inline int security_task_create (unsigned long clone_flags) 2053 static inline int security_task_create (unsigned long clone_flags)
2054 { 2054 {
2055 return 0; 2055 return 0;
2056 } 2056 }
2057 2057
2058 static inline int security_task_alloc (struct task_struct *p) 2058 static inline int security_task_alloc (struct task_struct *p)
2059 { 2059 {
2060 return 0; 2060 return 0;
2061 } 2061 }
2062 2062
2063 static inline void security_task_free (struct task_struct *p) 2063 static inline void security_task_free (struct task_struct *p)
2064 { } 2064 { }
2065 2065
2066 static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, 2066 static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2,
2067 int flags) 2067 int flags)
2068 { 2068 {
2069 return 0; 2069 return 0;
2070 } 2070 }
2071 2071
2072 static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, 2072 static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid,
2073 uid_t old_suid, int flags) 2073 uid_t old_suid, int flags)
2074 { 2074 {
2075 return cap_task_post_setuid (old_ruid, old_euid, old_suid, flags); 2075 return cap_task_post_setuid (old_ruid, old_euid, old_suid, flags);
2076 } 2076 }
2077 2077
2078 static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, 2078 static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2,
2079 int flags) 2079 int flags)
2080 { 2080 {
2081 return 0; 2081 return 0;
2082 } 2082 }
2083 2083
2084 static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) 2084 static inline int security_task_setpgid (struct task_struct *p, pid_t pgid)
2085 { 2085 {
2086 return 0; 2086 return 0;
2087 } 2087 }
2088 2088
2089 static inline int security_task_getpgid (struct task_struct *p) 2089 static inline int security_task_getpgid (struct task_struct *p)
2090 { 2090 {
2091 return 0; 2091 return 0;
2092 } 2092 }
2093 2093
2094 static inline int security_task_getsid (struct task_struct *p) 2094 static inline int security_task_getsid (struct task_struct *p)
2095 { 2095 {
2096 return 0; 2096 return 0;
2097 } 2097 }
2098 2098
2099 static inline void security_task_getsecid (struct task_struct *p, u32 *secid) 2099 static inline void security_task_getsecid (struct task_struct *p, u32 *secid)
2100 { } 2100 { }
2101 2101
2102 static inline int security_task_setgroups (struct group_info *group_info) 2102 static inline int security_task_setgroups (struct group_info *group_info)
2103 { 2103 {
2104 return 0; 2104 return 0;
2105 } 2105 }
2106 2106
2107 static inline int security_task_setnice (struct task_struct *p, int nice) 2107 static inline int security_task_setnice (struct task_struct *p, int nice)
2108 { 2108 {
2109 return cap_task_setnice(p, nice); 2109 return cap_task_setnice(p, nice);
2110 } 2110 }
2111 2111
2112 static inline int security_task_setioprio (struct task_struct *p, int ioprio) 2112 static inline int security_task_setioprio (struct task_struct *p, int ioprio)
2113 { 2113 {
2114 return cap_task_setioprio(p, ioprio); 2114 return cap_task_setioprio(p, ioprio);
2115 } 2115 }
2116 2116
2117 static inline int security_task_getioprio (struct task_struct *p) 2117 static inline int security_task_getioprio (struct task_struct *p)
2118 { 2118 {
2119 return 0; 2119 return 0;
2120 } 2120 }
2121 2121
2122 static inline int security_task_setrlimit (unsigned int resource, 2122 static inline int security_task_setrlimit (unsigned int resource,
2123 struct rlimit *new_rlim) 2123 struct rlimit *new_rlim)
2124 { 2124 {
2125 return 0; 2125 return 0;
2126 } 2126 }
2127 2127
2128 static inline int security_task_setscheduler (struct task_struct *p, 2128 static inline int security_task_setscheduler (struct task_struct *p,
2129 int policy, 2129 int policy,
2130 struct sched_param *lp) 2130 struct sched_param *lp)
2131 { 2131 {
2132 return cap_task_setscheduler(p, policy, lp); 2132 return cap_task_setscheduler(p, policy, lp);
2133 } 2133 }
2134 2134
2135 static inline int security_task_getscheduler (struct task_struct *p) 2135 static inline int security_task_getscheduler (struct task_struct *p)
2136 { 2136 {
2137 return 0; 2137 return 0;
2138 } 2138 }
2139 2139
2140 static inline int security_task_movememory (struct task_struct *p) 2140 static inline int security_task_movememory (struct task_struct *p)
2141 { 2141 {
2142 return 0; 2142 return 0;
2143 } 2143 }
2144 2144
2145 static inline int security_task_kill (struct task_struct *p, 2145 static inline int security_task_kill (struct task_struct *p,
2146 struct siginfo *info, int sig, 2146 struct siginfo *info, int sig,
2147 u32 secid) 2147 u32 secid)
2148 { 2148 {
2149 return cap_task_kill(p, info, sig, secid); 2149 return cap_task_kill(p, info, sig, secid);
2150 } 2150 }
2151 2151
2152 static inline int security_task_wait (struct task_struct *p) 2152 static inline int security_task_wait (struct task_struct *p)
2153 { 2153 {
2154 return 0; 2154 return 0;
2155 } 2155 }
2156 2156
2157 static inline int security_task_prctl (int option, unsigned long arg2, 2157 static inline int security_task_prctl (int option, unsigned long arg2,
2158 unsigned long arg3, 2158 unsigned long arg3,
2159 unsigned long arg4, 2159 unsigned long arg4,
2160 unsigned long arg5) 2160 unsigned long arg5)
2161 { 2161 {
2162 return 0; 2162 return 0;
2163 } 2163 }
2164 2164
2165 static inline void security_task_reparent_to_init (struct task_struct *p) 2165 static inline void security_task_reparent_to_init (struct task_struct *p)
2166 { 2166 {
2167 cap_task_reparent_to_init (p); 2167 cap_task_reparent_to_init (p);
2168 } 2168 }
2169 2169
2170 static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) 2170 static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
2171 { } 2171 { }
2172 2172
2173 static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, 2173 static inline int security_ipc_permission (struct kern_ipc_perm *ipcp,
2174 short flag) 2174 short flag)
2175 { 2175 {
2176 return 0; 2176 return 0;
2177 } 2177 }
2178 2178
2179 static inline int security_msg_msg_alloc (struct msg_msg * msg) 2179 static inline int security_msg_msg_alloc (struct msg_msg * msg)
2180 { 2180 {
2181 return 0; 2181 return 0;
2182 } 2182 }
2183 2183
2184 static inline void security_msg_msg_free (struct msg_msg * msg) 2184 static inline void security_msg_msg_free (struct msg_msg * msg)
2185 { } 2185 { }
2186 2186
2187 static inline int security_msg_queue_alloc (struct msg_queue *msq) 2187 static inline int security_msg_queue_alloc (struct msg_queue *msq)
2188 { 2188 {
2189 return 0; 2189 return 0;
2190 } 2190 }
2191 2191
2192 static inline void security_msg_queue_free (struct msg_queue *msq) 2192 static inline void security_msg_queue_free (struct msg_queue *msq)
2193 { } 2193 { }
2194 2194
2195 static inline int security_msg_queue_associate (struct msg_queue * msq, 2195 static inline int security_msg_queue_associate (struct msg_queue * msq,
2196 int msqflg) 2196 int msqflg)
2197 { 2197 {
2198 return 0; 2198 return 0;
2199 } 2199 }
2200 2200
2201 static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) 2201 static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd)
2202 { 2202 {
2203 return 0; 2203 return 0;
2204 } 2204 }
2205 2205
2206 static inline int security_msg_queue_msgsnd (struct msg_queue * msq, 2206 static inline int security_msg_queue_msgsnd (struct msg_queue * msq,
2207 struct msg_msg * msg, int msqflg) 2207 struct msg_msg * msg, int msqflg)
2208 { 2208 {
2209 return 0; 2209 return 0;
2210 } 2210 }
2211 2211
2212 static inline int security_msg_queue_msgrcv (struct msg_queue * msq, 2212 static inline int security_msg_queue_msgrcv (struct msg_queue * msq,
2213 struct msg_msg * msg, 2213 struct msg_msg * msg,
2214 struct task_struct * target, 2214 struct task_struct * target,
2215 long type, int mode) 2215 long type, int mode)
2216 { 2216 {
2217 return 0; 2217 return 0;
2218 } 2218 }
2219 2219
2220 static inline int security_shm_alloc (struct shmid_kernel *shp) 2220 static inline int security_shm_alloc (struct shmid_kernel *shp)
2221 { 2221 {
2222 return 0; 2222 return 0;
2223 } 2223 }
2224 2224
2225 static inline void security_shm_free (struct shmid_kernel *shp) 2225 static inline void security_shm_free (struct shmid_kernel *shp)
2226 { } 2226 { }
2227 2227
2228 static inline int security_shm_associate (struct shmid_kernel * shp, 2228 static inline int security_shm_associate (struct shmid_kernel * shp,
2229 int shmflg) 2229 int shmflg)
2230 { 2230 {
2231 return 0; 2231 return 0;
2232 } 2232 }
2233 2233
2234 static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) 2234 static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd)
2235 { 2235 {
2236 return 0; 2236 return 0;
2237 } 2237 }
2238 2238
2239 static inline int security_shm_shmat (struct shmid_kernel * shp, 2239 static inline int security_shm_shmat (struct shmid_kernel * shp,
2240 char __user *shmaddr, int shmflg) 2240 char __user *shmaddr, int shmflg)
2241 { 2241 {
2242 return 0; 2242 return 0;
2243 } 2243 }
2244 2244
2245 static inline int security_sem_alloc (struct sem_array *sma) 2245 static inline int security_sem_alloc (struct sem_array *sma)
2246 { 2246 {
2247 return 0; 2247 return 0;
2248 } 2248 }
2249 2249
2250 static inline void security_sem_free (struct sem_array *sma) 2250 static inline void security_sem_free (struct sem_array *sma)
2251 { } 2251 { }
2252 2252
2253 static inline int security_sem_associate (struct sem_array * sma, int semflg) 2253 static inline int security_sem_associate (struct sem_array * sma, int semflg)
2254 { 2254 {
2255 return 0; 2255 return 0;
2256 } 2256 }
2257 2257
2258 static inline int security_sem_semctl (struct sem_array * sma, int cmd) 2258 static inline int security_sem_semctl (struct sem_array * sma, int cmd)
2259 { 2259 {
2260 return 0; 2260 return 0;
2261 } 2261 }
2262 2262
2263 static inline int security_sem_semop (struct sem_array * sma, 2263 static inline int security_sem_semop (struct sem_array * sma,
2264 struct sembuf * sops, unsigned nsops, 2264 struct sembuf * sops, unsigned nsops,
2265 int alter) 2265 int alter)
2266 { 2266 {
2267 return 0; 2267 return 0;
2268 } 2268 }
2269 2269
2270 static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) 2270 static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode)
2271 { } 2271 { }
2272 2272
2273 static inline int security_getprocattr(struct task_struct *p, char *name, char **value) 2273 static inline int security_getprocattr(struct task_struct *p, char *name, char **value)
2274 { 2274 {
2275 return -EINVAL; 2275 return -EINVAL;
2276 } 2276 }
2277 2277
2278 static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) 2278 static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size)
2279 { 2279 {
2280 return -EINVAL; 2280 return -EINVAL;
2281 } 2281 }
2282 2282
2283 static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb) 2283 static inline int security_netlink_send (struct sock *sk, struct sk_buff *skb)
2284 { 2284 {
2285 return cap_netlink_send (sk, skb); 2285 return cap_netlink_send (sk, skb);
2286 } 2286 }
2287 2287
2288 static inline int security_netlink_recv (struct sk_buff *skb, int cap) 2288 static inline int security_netlink_recv (struct sk_buff *skb, int cap)
2289 { 2289 {
2290 return cap_netlink_recv (skb, cap); 2290 return cap_netlink_recv (skb, cap);
2291 } 2291 }
2292 2292
2293 static inline struct dentry *securityfs_create_dir(const char *name, 2293 static inline struct dentry *securityfs_create_dir(const char *name,
2294 struct dentry *parent) 2294 struct dentry *parent)
2295 { 2295 {
2296 return ERR_PTR(-ENODEV); 2296 return ERR_PTR(-ENODEV);
2297 } 2297 }
2298 2298
2299 static inline struct dentry *securityfs_create_file(const char *name, 2299 static inline struct dentry *securityfs_create_file(const char *name,
2300 mode_t mode, 2300 mode_t mode,
2301 struct dentry *parent, 2301 struct dentry *parent,
2302 void *data, 2302 void *data,
2303 struct file_operations *fops) 2303 const struct file_operations *fops)
2304 { 2304 {
2305 return ERR_PTR(-ENODEV); 2305 return ERR_PTR(-ENODEV);
2306 } 2306 }
2307 2307
2308 static inline void securityfs_remove(struct dentry *dentry) 2308 static inline void securityfs_remove(struct dentry *dentry)
2309 { 2309 {
2310 } 2310 }
2311 2311
2312 static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) 2312 static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
2313 { 2313 {
2314 return -EOPNOTSUPP; 2314 return -EOPNOTSUPP;
2315 } 2315 }
2316 2316
2317 static inline int security_secctx_to_secid(char *secdata, 2317 static inline int security_secctx_to_secid(char *secdata,
2318 u32 seclen, 2318 u32 seclen,
2319 u32 *secid) 2319 u32 *secid)
2320 { 2320 {
2321 return -EOPNOTSUPP; 2321 return -EOPNOTSUPP;
2322 } 2322 }
2323 2323
2324 static inline void security_release_secctx(char *secdata, u32 seclen) 2324 static inline void security_release_secctx(char *secdata, u32 seclen)
2325 { 2325 {
2326 } 2326 }
2327 #endif /* CONFIG_SECURITY */ 2327 #endif /* CONFIG_SECURITY */
2328 2328
2329 #ifdef CONFIG_SECURITY_NETWORK 2329 #ifdef CONFIG_SECURITY_NETWORK
2330 2330
2331 int security_unix_stream_connect(struct socket *sock, struct socket *other, 2331 int security_unix_stream_connect(struct socket *sock, struct socket *other,
2332 struct sock *newsk); 2332 struct sock *newsk);
2333 int security_unix_may_send(struct socket *sock, struct socket *other); 2333 int security_unix_may_send(struct socket *sock, struct socket *other);
2334 int security_socket_create(int family, int type, int protocol, int kern); 2334 int security_socket_create(int family, int type, int protocol, int kern);
2335 int security_socket_post_create(struct socket *sock, int family, 2335 int security_socket_post_create(struct socket *sock, int family,
2336 int type, int protocol, int kern); 2336 int type, int protocol, int kern);
2337 int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen); 2337 int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen);
2338 int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen); 2338 int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
2339 int security_socket_listen(struct socket *sock, int backlog); 2339 int security_socket_listen(struct socket *sock, int backlog);
2340 int security_socket_accept(struct socket *sock, struct socket *newsock); 2340 int security_socket_accept(struct socket *sock, struct socket *newsock);
2341 void security_socket_post_accept(struct socket *sock, struct socket *newsock); 2341 void security_socket_post_accept(struct socket *sock, struct socket *newsock);
2342 int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size); 2342 int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
2343 int security_socket_recvmsg(struct socket *sock, struct msghdr *msg, 2343 int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
2344 int size, int flags); 2344 int size, int flags);
2345 int security_socket_getsockname(struct socket *sock); 2345 int security_socket_getsockname(struct socket *sock);
2346 int security_socket_getpeername(struct socket *sock); 2346 int security_socket_getpeername(struct socket *sock);
2347 int security_socket_getsockopt(struct socket *sock, int level, int optname); 2347 int security_socket_getsockopt(struct socket *sock, int level, int optname);
2348 int security_socket_setsockopt(struct socket *sock, int level, int optname); 2348 int security_socket_setsockopt(struct socket *sock, int level, int optname);
2349 int security_socket_shutdown(struct socket *sock, int how); 2349 int security_socket_shutdown(struct socket *sock, int how);
2350 int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb); 2350 int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
2351 int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, 2351 int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
2352 int __user *optlen, unsigned len); 2352 int __user *optlen, unsigned len);
2353 int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid); 2353 int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid);
2354 int security_sk_alloc(struct sock *sk, int family, gfp_t priority); 2354 int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
2355 void security_sk_free(struct sock *sk); 2355 void security_sk_free(struct sock *sk);
2356 void security_sk_clone(const struct sock *sk, struct sock *newsk); 2356 void security_sk_clone(const struct sock *sk, struct sock *newsk);
2357 void security_sk_classify_flow(struct sock *sk, struct flowi *fl); 2357 void security_sk_classify_flow(struct sock *sk, struct flowi *fl);
2358 void security_req_classify_flow(const struct request_sock *req, struct flowi *fl); 2358 void security_req_classify_flow(const struct request_sock *req, struct flowi *fl);
2359 void security_sock_graft(struct sock*sk, struct socket *parent); 2359 void security_sock_graft(struct sock*sk, struct socket *parent);
2360 int security_inet_conn_request(struct sock *sk, 2360 int security_inet_conn_request(struct sock *sk,
2361 struct sk_buff *skb, struct request_sock *req); 2361 struct sk_buff *skb, struct request_sock *req);
2362 void security_inet_csk_clone(struct sock *newsk, 2362 void security_inet_csk_clone(struct sock *newsk,
2363 const struct request_sock *req); 2363 const struct request_sock *req);
2364 void security_inet_conn_established(struct sock *sk, 2364 void security_inet_conn_established(struct sock *sk,
2365 struct sk_buff *skb); 2365 struct sk_buff *skb);
2366 2366
2367 #else /* CONFIG_SECURITY_NETWORK */ 2367 #else /* CONFIG_SECURITY_NETWORK */
2368 static inline int security_unix_stream_connect(struct socket * sock, 2368 static inline int security_unix_stream_connect(struct socket * sock,
2369 struct socket * other, 2369 struct socket * other,
2370 struct sock * newsk) 2370 struct sock * newsk)
2371 { 2371 {
2372 return 0; 2372 return 0;
2373 } 2373 }
2374 2374
2375 static inline int security_unix_may_send(struct socket * sock, 2375 static inline int security_unix_may_send(struct socket * sock,
2376 struct socket * other) 2376 struct socket * other)
2377 { 2377 {
2378 return 0; 2378 return 0;
2379 } 2379 }
2380 2380
2381 static inline int security_socket_create (int family, int type, 2381 static inline int security_socket_create (int family, int type,
2382 int protocol, int kern) 2382 int protocol, int kern)
2383 { 2383 {
2384 return 0; 2384 return 0;
2385 } 2385 }
2386 2386
2387 static inline int security_socket_post_create(struct socket * sock, 2387 static inline int security_socket_post_create(struct socket * sock,
2388 int family, 2388 int family,
2389 int type, 2389 int type,
2390 int protocol, int kern) 2390 int protocol, int kern)
2391 { 2391 {
2392 return 0; 2392 return 0;
2393 } 2393 }
2394 2394
2395 static inline int security_socket_bind(struct socket * sock, 2395 static inline int security_socket_bind(struct socket * sock,
2396 struct sockaddr * address, 2396 struct sockaddr * address,
2397 int addrlen) 2397 int addrlen)
2398 { 2398 {
2399 return 0; 2399 return 0;
2400 } 2400 }
2401 2401
2402 static inline int security_socket_connect(struct socket * sock, 2402 static inline int security_socket_connect(struct socket * sock,
2403 struct sockaddr * address, 2403 struct sockaddr * address,
2404 int addrlen) 2404 int addrlen)
2405 { 2405 {
2406 return 0; 2406 return 0;
2407 } 2407 }
2408 2408
2409 static inline int security_socket_listen(struct socket * sock, int backlog) 2409 static inline int security_socket_listen(struct socket * sock, int backlog)
2410 { 2410 {
2411 return 0; 2411 return 0;
2412 } 2412 }
2413 2413
2414 static inline int security_socket_accept(struct socket * sock, 2414 static inline int security_socket_accept(struct socket * sock,
2415 struct socket * newsock) 2415 struct socket * newsock)
2416 { 2416 {
2417 return 0; 2417 return 0;
2418 } 2418 }
2419 2419
2420 static inline void security_socket_post_accept(struct socket * sock, 2420 static inline void security_socket_post_accept(struct socket * sock,
2421 struct socket * newsock) 2421 struct socket * newsock)
2422 { 2422 {
2423 } 2423 }
2424 2424
2425 static inline int security_socket_sendmsg(struct socket * sock, 2425 static inline int security_socket_sendmsg(struct socket * sock,
2426 struct msghdr * msg, int size) 2426 struct msghdr * msg, int size)
2427 { 2427 {
2428 return 0; 2428 return 0;
2429 } 2429 }
2430 2430
2431 static inline int security_socket_recvmsg(struct socket * sock, 2431 static inline int security_socket_recvmsg(struct socket * sock,
2432 struct msghdr * msg, int size, 2432 struct msghdr * msg, int size,
2433 int flags) 2433 int flags)
2434 { 2434 {
2435 return 0; 2435 return 0;
2436 } 2436 }
2437 2437
2438 static inline int security_socket_getsockname(struct socket * sock) 2438 static inline int security_socket_getsockname(struct socket * sock)
2439 { 2439 {
2440 return 0; 2440 return 0;
2441 } 2441 }
2442 2442
2443 static inline int security_socket_getpeername(struct socket * sock) 2443 static inline int security_socket_getpeername(struct socket * sock)
2444 { 2444 {
2445 return 0; 2445 return 0;
2446 } 2446 }
2447 2447
2448 static inline int security_socket_getsockopt(struct socket * sock, 2448 static inline int security_socket_getsockopt(struct socket * sock,
2449 int level, int optname) 2449 int level, int optname)
2450 { 2450 {
2451 return 0; 2451 return 0;
2452 } 2452 }
2453 2453
2454 static inline int security_socket_setsockopt(struct socket * sock, 2454 static inline int security_socket_setsockopt(struct socket * sock,
2455 int level, int optname) 2455 int level, int optname)
2456 { 2456 {
2457 return 0; 2457 return 0;
2458 } 2458 }
2459 2459
2460 static inline int security_socket_shutdown(struct socket * sock, int how) 2460 static inline int security_socket_shutdown(struct socket * sock, int how)
2461 { 2461 {
2462 return 0; 2462 return 0;
2463 } 2463 }
2464 static inline int security_sock_rcv_skb (struct sock * sk, 2464 static inline int security_sock_rcv_skb (struct sock * sk,
2465 struct sk_buff * skb) 2465 struct sk_buff * skb)
2466 { 2466 {
2467 return 0; 2467 return 0;
2468 } 2468 }
2469 2469
2470 static inline int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, 2470 static inline int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
2471 int __user *optlen, unsigned len) 2471 int __user *optlen, unsigned len)
2472 { 2472 {
2473 return -ENOPROTOOPT; 2473 return -ENOPROTOOPT;
2474 } 2474 }
2475 2475
2476 static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) 2476 static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
2477 { 2477 {
2478 return -ENOPROTOOPT; 2478 return -ENOPROTOOPT;
2479 } 2479 }
2480 2480
2481 static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) 2481 static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
2482 { 2482 {
2483 return 0; 2483 return 0;
2484 } 2484 }
2485 2485
2486 static inline void security_sk_free(struct sock *sk) 2486 static inline void security_sk_free(struct sock *sk)
2487 { 2487 {
2488 } 2488 }
2489 2489
2490 static inline void security_sk_clone(const struct sock *sk, struct sock *newsk) 2490 static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
2491 { 2491 {
2492 } 2492 }
2493 2493
2494 static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl) 2494 static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
2495 { 2495 {
2496 } 2496 }
2497 2497
2498 static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl) 2498 static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
2499 { 2499 {
2500 } 2500 }
2501 2501
2502 static inline void security_sock_graft(struct sock* sk, struct socket *parent) 2502 static inline void security_sock_graft(struct sock* sk, struct socket *parent)
2503 { 2503 {
2504 } 2504 }
2505 2505
2506 static inline int security_inet_conn_request(struct sock *sk, 2506 static inline int security_inet_conn_request(struct sock *sk,
2507 struct sk_buff *skb, struct request_sock *req) 2507 struct sk_buff *skb, struct request_sock *req)
2508 { 2508 {
2509 return 0; 2509 return 0;
2510 } 2510 }
2511 2511
2512 static inline void security_inet_csk_clone(struct sock *newsk, 2512 static inline void security_inet_csk_clone(struct sock *newsk,
2513 const struct request_sock *req) 2513 const struct request_sock *req)
2514 { 2514 {
2515 } 2515 }
2516 2516
2517 static inline void security_inet_conn_established(struct sock *sk, 2517 static inline void security_inet_conn_established(struct sock *sk,
2518 struct sk_buff *skb) 2518 struct sk_buff *skb)
2519 { 2519 {
2520 } 2520 }
2521 #endif /* CONFIG_SECURITY_NETWORK */ 2521 #endif /* CONFIG_SECURITY_NETWORK */
2522 2522
2523 #ifdef CONFIG_SECURITY_NETWORK_XFRM 2523 #ifdef CONFIG_SECURITY_NETWORK_XFRM
2524 2524
2525 int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx); 2525 int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx);
2526 int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new); 2526 int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new);
2527 void security_xfrm_policy_free(struct xfrm_policy *xp); 2527 void security_xfrm_policy_free(struct xfrm_policy *xp);
2528 int security_xfrm_policy_delete(struct xfrm_policy *xp); 2528 int security_xfrm_policy_delete(struct xfrm_policy *xp);
2529 int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx); 2529 int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
2530 int security_xfrm_state_alloc_acquire(struct xfrm_state *x, 2530 int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
2531 struct xfrm_sec_ctx *polsec, u32 secid); 2531 struct xfrm_sec_ctx *polsec, u32 secid);
2532 int security_xfrm_state_delete(struct xfrm_state *x); 2532 int security_xfrm_state_delete(struct xfrm_state *x);
2533 void security_xfrm_state_free(struct xfrm_state *x); 2533 void security_xfrm_state_free(struct xfrm_state *x);
2534 int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir); 2534 int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir);
2535 int security_xfrm_state_pol_flow_match(struct xfrm_state *x, 2535 int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
2536 struct xfrm_policy *xp, struct flowi *fl); 2536 struct xfrm_policy *xp, struct flowi *fl);
2537 int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid); 2537 int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
2538 void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl); 2538 void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl);
2539 2539
2540 #else /* CONFIG_SECURITY_NETWORK_XFRM */ 2540 #else /* CONFIG_SECURITY_NETWORK_XFRM */
2541 2541
2542 static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) 2542 static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx)
2543 { 2543 {
2544 return 0; 2544 return 0;
2545 } 2545 }
2546 2546
2547 static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) 2547 static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new)
2548 { 2548 {
2549 return 0; 2549 return 0;
2550 } 2550 }
2551 2551
2552 static inline void security_xfrm_policy_free(struct xfrm_policy *xp) 2552 static inline void security_xfrm_policy_free(struct xfrm_policy *xp)
2553 { 2553 {
2554 } 2554 }
2555 2555
2556 static inline int security_xfrm_policy_delete(struct xfrm_policy *xp) 2556 static inline int security_xfrm_policy_delete(struct xfrm_policy *xp)
2557 { 2557 {
2558 return 0; 2558 return 0;
2559 } 2559 }
2560 2560
2561 static inline int security_xfrm_state_alloc(struct xfrm_state *x, 2561 static inline int security_xfrm_state_alloc(struct xfrm_state *x,
2562 struct xfrm_user_sec_ctx *sec_ctx) 2562 struct xfrm_user_sec_ctx *sec_ctx)
2563 { 2563 {
2564 return 0; 2564 return 0;
2565 } 2565 }
2566 2566
2567 static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x, 2567 static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
2568 struct xfrm_sec_ctx *polsec, u32 secid) 2568 struct xfrm_sec_ctx *polsec, u32 secid)
2569 { 2569 {
2570 return 0; 2570 return 0;
2571 } 2571 }
2572 2572
2573 static inline void security_xfrm_state_free(struct xfrm_state *x) 2573 static inline void security_xfrm_state_free(struct xfrm_state *x)
2574 { 2574 {
2575 } 2575 }
2576 2576
2577 static inline int security_xfrm_state_delete(struct xfrm_state *x) 2577 static inline int security_xfrm_state_delete(struct xfrm_state *x)
2578 { 2578 {
2579 return 0; 2579 return 0;
2580 } 2580 }
2581 2581
2582 static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) 2582 static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir)
2583 { 2583 {
2584 return 0; 2584 return 0;
2585 } 2585 }
2586 2586
2587 static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x, 2587 static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
2588 struct xfrm_policy *xp, struct flowi *fl) 2588 struct xfrm_policy *xp, struct flowi *fl)
2589 { 2589 {
2590 return 1; 2590 return 1;
2591 } 2591 }
2592 2592
2593 static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) 2593 static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
2594 { 2594 {
2595 return 0; 2595 return 0;
2596 } 2596 }
2597 2597
2598 static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) 2598 static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
2599 { 2599 {
2600 } 2600 }
2601 2601
2602 #endif /* CONFIG_SECURITY_NETWORK_XFRM */ 2602 #endif /* CONFIG_SECURITY_NETWORK_XFRM */
2603 2603
2604 #ifdef CONFIG_KEYS 2604 #ifdef CONFIG_KEYS
2605 #ifdef CONFIG_SECURITY 2605 #ifdef CONFIG_SECURITY
2606 2606
2607 int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags); 2607 int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags);
2608 void security_key_free(struct key *key); 2608 void security_key_free(struct key *key);
2609 int security_key_permission(key_ref_t key_ref, 2609 int security_key_permission(key_ref_t key_ref,
2610 struct task_struct *context, key_perm_t perm); 2610 struct task_struct *context, key_perm_t perm);
2611 2611
2612 #else 2612 #else
2613 2613
2614 static inline int security_key_alloc(struct key *key, 2614 static inline int security_key_alloc(struct key *key,
2615 struct task_struct *tsk, 2615 struct task_struct *tsk,
2616 unsigned long flags) 2616 unsigned long flags)
2617 { 2617 {
2618 return 0; 2618 return 0;
2619 } 2619 }
2620 2620
2621 static inline void security_key_free(struct key *key) 2621 static inline void security_key_free(struct key *key)
2622 { 2622 {
2623 } 2623 }
2624 2624
2625 static inline int security_key_permission(key_ref_t key_ref, 2625 static inline int security_key_permission(key_ref_t key_ref,
2626 struct task_struct *context, 2626 struct task_struct *context,
2627 key_perm_t perm) 2627 key_perm_t perm)
2628 { 2628 {
2629 return 0; 2629 return 0;
2630 } 2630 }
2631 2631
2632 #endif 2632 #endif
2633 #endif /* CONFIG_KEYS */ 2633 #endif /* CONFIG_KEYS */
2634 2634
2635 #endif /* ! __LINUX_SECURITY_H */ 2635 #endif /* ! __LINUX_SECURITY_H */
2636 2636
2637 2637
security/keys/proc.c
Diff comments   View file @ 1996a10
1 /* proc.c: proc files for key database enumeration 1 /* proc.c: proc files for key database enumeration
2 * 2 *
3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved. 3 * Copyright (C) 2004 Red Hat, Inc. All Rights Reserved.
4 * Written by David Howells (dhowells@redhat.com) 4 * Written by David Howells (dhowells@redhat.com)
5 * 5 *
6 * This program is free software; you can redistribute it and/or 6 * This program is free software; you can redistribute it and/or
7 * modify it under the terms of the GNU General Public License 7 * modify it under the terms of the GNU General Public License
8 * as published by the Free Software Foundation; either version 8 * as published by the Free Software Foundation; either version
9 * 2 of the License, or (at your option) any later version. 9 * 2 of the License, or (at your option) any later version.
10 */ 10 */
11 11
12 #include <linux/module.h> 12 #include <linux/module.h>
13 #include <linux/init.h> 13 #include <linux/init.h>
14 #include <linux/sched.h> 14 #include <linux/sched.h>
15 #include <linux/slab.h> 15 #include <linux/slab.h>
16 #include <linux/fs.h> 16 #include <linux/fs.h>
17 #include <linux/proc_fs.h> 17 #include <linux/proc_fs.h>
18 #include <linux/seq_file.h> 18 #include <linux/seq_file.h>
19 #include <asm/errno.h> 19 #include <asm/errno.h>
20 #include "internal.h" 20 #include "internal.h"
21 21
22 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS 22 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
23 static int proc_keys_open(struct inode *inode, struct file *file); 23 static int proc_keys_open(struct inode *inode, struct file *file);
24 static void *proc_keys_start(struct seq_file *p, loff_t *_pos); 24 static void *proc_keys_start(struct seq_file *p, loff_t *_pos);
25 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos); 25 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos);
26 static void proc_keys_stop(struct seq_file *p, void *v); 26 static void proc_keys_stop(struct seq_file *p, void *v);
27 static int proc_keys_show(struct seq_file *m, void *v); 27 static int proc_keys_show(struct seq_file *m, void *v);
28 28
29 static struct seq_operations proc_keys_ops = { 29 static const struct seq_operations proc_keys_ops = {
30 .start = proc_keys_start, 30 .start = proc_keys_start,
31 .next = proc_keys_next, 31 .next = proc_keys_next,
32 .stop = proc_keys_stop, 32 .stop = proc_keys_stop,
33 .show = proc_keys_show, 33 .show = proc_keys_show,
34 }; 34 };
35 35
36 static const struct file_operations proc_keys_fops = { 36 static const struct file_operations proc_keys_fops = {
37 .open = proc_keys_open, 37 .open = proc_keys_open,
38 .read = seq_read, 38 .read = seq_read,
39 .llseek = seq_lseek, 39 .llseek = seq_lseek,
40 .release = seq_release, 40 .release = seq_release,
41 }; 41 };
42 #endif 42 #endif
43 43
44 static int proc_key_users_open(struct inode *inode, struct file *file); 44 static int proc_key_users_open(struct inode *inode, struct file *file);
45 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos); 45 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos);
46 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos); 46 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos);
47 static void proc_key_users_stop(struct seq_file *p, void *v); 47 static void proc_key_users_stop(struct seq_file *p, void *v);
48 static int proc_key_users_show(struct seq_file *m, void *v); 48 static int proc_key_users_show(struct seq_file *m, void *v);
49 49
50 static struct seq_operations proc_key_users_ops = { 50 static const struct seq_operations proc_key_users_ops = {
51 .start = proc_key_users_start, 51 .start = proc_key_users_start,
52 .next = proc_key_users_next, 52 .next = proc_key_users_next,
53 .stop = proc_key_users_stop, 53 .stop = proc_key_users_stop,
54 .show = proc_key_users_show, 54 .show = proc_key_users_show,
55 }; 55 };
56 56
57 static const struct file_operations proc_key_users_fops = { 57 static const struct file_operations proc_key_users_fops = {
58 .open = proc_key_users_open, 58 .open = proc_key_users_open,
59 .read = seq_read, 59 .read = seq_read,
60 .llseek = seq_lseek, 60 .llseek = seq_lseek,
61 .release = seq_release, 61 .release = seq_release,
62 }; 62 };
63 63
64 /*****************************************************************************/ 64 /*****************************************************************************/
65 /* 65 /*
66 * declare the /proc files 66 * declare the /proc files
67 */ 67 */
68 static int __init key_proc_init(void) 68 static int __init key_proc_init(void)
69 { 69 {
70 struct proc_dir_entry *p; 70 struct proc_dir_entry *p;
71 71
72 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS 72 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
73 p = create_proc_entry("keys", 0, NULL); 73 p = create_proc_entry("keys", 0, NULL);
74 if (!p) 74 if (!p)
75 panic("Cannot create /proc/keys\n"); 75 panic("Cannot create /proc/keys\n");
76 76
77 p->proc_fops = &proc_keys_fops; 77 p->proc_fops = &proc_keys_fops;
78 #endif 78 #endif
79 79
80 p = create_proc_entry("key-users", 0, NULL); 80 p = create_proc_entry("key-users", 0, NULL);
81 if (!p) 81 if (!p)
82 panic("Cannot create /proc/key-users\n"); 82 panic("Cannot create /proc/key-users\n");
83 83
84 p->proc_fops = &proc_key_users_fops; 84 p->proc_fops = &proc_key_users_fops;
85 85
86 return 0; 86 return 0;
87 87
88 } /* end key_proc_init() */ 88 } /* end key_proc_init() */
89 89
90 __initcall(key_proc_init); 90 __initcall(key_proc_init);
91 91
92 /*****************************************************************************/ 92 /*****************************************************************************/
93 /* 93 /*
94 * implement "/proc/keys" to provides a list of the keys on the system 94 * implement "/proc/keys" to provides a list of the keys on the system
95 */ 95 */
96 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS 96 #ifdef CONFIG_KEYS_DEBUG_PROC_KEYS
97 97
98 static int proc_keys_open(struct inode *inode, struct file *file) 98 static int proc_keys_open(struct inode *inode, struct file *file)
99 { 99 {
100 return seq_open(file, &proc_keys_ops); 100 return seq_open(file, &proc_keys_ops);
101 101
102 } 102 }
103 103
104 static void *proc_keys_start(struct seq_file *p, loff_t *_pos) 104 static void *proc_keys_start(struct seq_file *p, loff_t *_pos)
105 { 105 {
106 struct rb_node *_p; 106 struct rb_node *_p;
107 loff_t pos = *_pos; 107 loff_t pos = *_pos;
108 108
109 spin_lock(&key_serial_lock); 109 spin_lock(&key_serial_lock);
110 110
111 _p = rb_first(&key_serial_tree); 111 _p = rb_first(&key_serial_tree);
112 while (pos > 0 && _p) { 112 while (pos > 0 && _p) {
113 pos--; 113 pos--;
114 _p = rb_next(_p); 114 _p = rb_next(_p);
115 } 115 }
116 116
117 return _p; 117 return _p;
118 118
119 } 119 }
120 120
121 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos) 121 static void *proc_keys_next(struct seq_file *p, void *v, loff_t *_pos)
122 { 122 {
123 (*_pos)++; 123 (*_pos)++;
124 return rb_next((struct rb_node *) v); 124 return rb_next((struct rb_node *) v);
125 125
126 } 126 }
127 127
128 static void proc_keys_stop(struct seq_file *p, void *v) 128 static void proc_keys_stop(struct seq_file *p, void *v)
129 { 129 {
130 spin_unlock(&key_serial_lock); 130 spin_unlock(&key_serial_lock);
131 } 131 }
132 132
133 static int proc_keys_show(struct seq_file *m, void *v) 133 static int proc_keys_show(struct seq_file *m, void *v)
134 { 134 {
135 struct rb_node *_p = v; 135 struct rb_node *_p = v;
136 struct key *key = rb_entry(_p, struct key, serial_node); 136 struct key *key = rb_entry(_p, struct key, serial_node);
137 struct timespec now; 137 struct timespec now;
138 unsigned long timo; 138 unsigned long timo;
139 char xbuf[12]; 139 char xbuf[12];
140 int rc; 140 int rc;
141 141
142 /* check whether the current task is allowed to view the key (assuming 142 /* check whether the current task is allowed to view the key (assuming
143 * non-possession) */ 143 * non-possession) */
144 rc = key_task_permission(make_key_ref(key, 0), current, KEY_VIEW); 144 rc = key_task_permission(make_key_ref(key, 0), current, KEY_VIEW);
145 if (rc < 0) 145 if (rc < 0)
146 return 0; 146 return 0;
147 147
148 now = current_kernel_time(); 148 now = current_kernel_time();
149 149
150 rcu_read_lock(); 150 rcu_read_lock();
151 151
152 /* come up with a suitable timeout value */ 152 /* come up with a suitable timeout value */
153 if (key->expiry == 0) { 153 if (key->expiry == 0) {
154 memcpy(xbuf, "perm", 5); 154 memcpy(xbuf, "perm", 5);
155 } 155 }
156 else if (now.tv_sec >= key->expiry) { 156 else if (now.tv_sec >= key->expiry) {
157 memcpy(xbuf, "expd", 5); 157 memcpy(xbuf, "expd", 5);
158 } 158 }
159 else { 159 else {
160 timo = key->expiry - now.tv_sec; 160 timo = key->expiry - now.tv_sec;
161 161
162 if (timo < 60) 162 if (timo < 60)
163 sprintf(xbuf, "%lus", timo); 163 sprintf(xbuf, "%lus", timo);
164 else if (timo < 60*60) 164 else if (timo < 60*60)
165 sprintf(xbuf, "%lum", timo / 60); 165 sprintf(xbuf, "%lum", timo / 60);
166 else if (timo < 60*60*24) 166 else if (timo < 60*60*24)
167 sprintf(xbuf, "%luh", timo / (60*60)); 167 sprintf(xbuf, "%luh", timo / (60*60));
168 else if (timo < 60*60*24*7) 168 else if (timo < 60*60*24*7)
169 sprintf(xbuf, "%lud", timo / (60*60*24)); 169 sprintf(xbuf, "%lud", timo / (60*60*24));
170 else 170 else
171 sprintf(xbuf, "%luw", timo / (60*60*24*7)); 171 sprintf(xbuf, "%luw", timo / (60*60*24*7));
172 } 172 }
173 173
174 #define showflag(KEY, LETTER, FLAG) \ 174 #define showflag(KEY, LETTER, FLAG) \
175 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-') 175 (test_bit(FLAG, &(KEY)->flags) ? LETTER : '-')
176 176
177 seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ", 177 seq_printf(m, "%08x %c%c%c%c%c%c %5d %4s %08x %5d %5d %-9.9s ",
178 key->serial, 178 key->serial,
179 showflag(key, 'I', KEY_FLAG_INSTANTIATED), 179 showflag(key, 'I', KEY_FLAG_INSTANTIATED),
180 showflag(key, 'R', KEY_FLAG_REVOKED), 180 showflag(key, 'R', KEY_FLAG_REVOKED),
181 showflag(key, 'D', KEY_FLAG_DEAD), 181 showflag(key, 'D', KEY_FLAG_DEAD),
182 showflag(key, 'Q', KEY_FLAG_IN_QUOTA), 182 showflag(key, 'Q', KEY_FLAG_IN_QUOTA),
183 showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT), 183 showflag(key, 'U', KEY_FLAG_USER_CONSTRUCT),
184 showflag(key, 'N', KEY_FLAG_NEGATIVE), 184 showflag(key, 'N', KEY_FLAG_NEGATIVE),
185 atomic_read(&key->usage), 185 atomic_read(&key->usage),
186 xbuf, 186 xbuf,
187 key->perm, 187 key->perm,
188 key->uid, 188 key->uid,
189 key->gid, 189 key->gid,
190 key->type->name); 190 key->type->name);
191 191
192 #undef showflag 192 #undef showflag
193 193
194 if (key->type->describe) 194 if (key->type->describe)
195 key->type->describe(key, m); 195 key->type->describe(key, m);
196 seq_putc(m, '\n'); 196 seq_putc(m, '\n');
197 197
198 rcu_read_unlock(); 198 rcu_read_unlock();
199 199
200 return 0; 200 return 0;
201 201
202 } 202 }
203 203
204 #endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */ 204 #endif /* CONFIG_KEYS_DEBUG_PROC_KEYS */
205 205
206 /*****************************************************************************/ 206 /*****************************************************************************/
207 /* 207 /*
208 * implement "/proc/key-users" to provides a list of the key users 208 * implement "/proc/key-users" to provides a list of the key users
209 */ 209 */
210 static int proc_key_users_open(struct inode *inode, struct file *file) 210 static int proc_key_users_open(struct inode *inode, struct file *file)
211 { 211 {
212 return seq_open(file, &proc_key_users_ops); 212 return seq_open(file, &proc_key_users_ops);
213 213
214 } 214 }
215 215
216 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos) 216 static void *proc_key_users_start(struct seq_file *p, loff_t *_pos)
217 { 217 {
218 struct rb_node *_p; 218 struct rb_node *_p;
219 loff_t pos = *_pos; 219 loff_t pos = *_pos;
220 220
221 spin_lock(&key_user_lock); 221 spin_lock(&key_user_lock);
222 222
223 _p = rb_first(&key_user_tree); 223 _p = rb_first(&key_user_tree);
224 while (pos > 0 && _p) { 224 while (pos > 0 && _p) {
225 pos--; 225 pos--;
226 _p = rb_next(_p); 226 _p = rb_next(_p);
227 } 227 }
228 228
229 return _p; 229 return _p;
230 230
231 } 231 }
232 232
233 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos) 233 static void *proc_key_users_next(struct seq_file *p, void *v, loff_t *_pos)
234 { 234 {
235 (*_pos)++; 235 (*_pos)++;
236 return rb_next((struct rb_node *) v); 236 return rb_next((struct rb_node *) v);
237 237
238 } 238 }
239 239
240 static void proc_key_users_stop(struct seq_file *p, void *v) 240 static void proc_key_users_stop(struct seq_file *p, void *v)
241 { 241 {
242 spin_unlock(&key_user_lock); 242 spin_unlock(&key_user_lock);
243 } 243 }
244 244
245 static int proc_key_users_show(struct seq_file *m, void *v) 245 static int proc_key_users_show(struct seq_file *m, void *v)
246 { 246 {
247 struct rb_node *_p = v; 247 struct rb_node *_p = v;
248 struct key_user *user = rb_entry(_p, struct key_user, node); 248 struct key_user *user = rb_entry(_p, struct key_user, node);
249 249
250 seq_printf(m, "%5u: %5d %d/%d %d/%d %d/%d\n", 250 seq_printf(m, "%5u: %5d %d/%d %d/%d %d/%d\n",
251 user->uid, 251 user->uid,
252 atomic_read(&user->usage), 252 atomic_read(&user->usage),
253 atomic_read(&user->nkeys), 253 atomic_read(&user->nkeys),
254 atomic_read(&user->nikeys), 254 atomic_read(&user->nikeys),
255 user->qnkeys, 255 user->qnkeys,
256 KEYQUOTA_MAX_KEYS, 256 KEYQUOTA_MAX_KEYS,
257 user->qnbytes, 257 user->qnbytes,
258 KEYQUOTA_MAX_BYTES 258 KEYQUOTA_MAX_BYTES
259 ); 259 );
260 260
261 return 0; 261 return 0;
262 262
263 } 263 }
264 264
security/selinux/selinuxfs.c
Diff comments   View file @ 1996a10
1 /* Updated: Karl MacMillan <kmacmillan@tresys.com> 1 /* Updated: Karl MacMillan <kmacmillan@tresys.com>
2 * 2 *
3 * Added conditional policy language extensions 3 * Added conditional policy language extensions
4 * 4 *
5 * Copyright (C) 2003 - 2004 Tresys Technology, LLC 5 * Copyright (C) 2003 - 2004 Tresys Technology, LLC
6 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com> 6 * Copyright (C) 2004 Red Hat, Inc., James Morris <jmorris@redhat.com>
7 * This program is free software; you can redistribute it and/or modify 7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License as published by 8 * it under the terms of the GNU General Public License as published by
9 * the Free Software Foundation, version 2. 9 * the Free Software Foundation, version 2.
10 */ 10 */
11 11
12 #include <linux/kernel.h> 12 #include <linux/kernel.h>
13 #include <linux/pagemap.h> 13 #include <linux/pagemap.h>
14 #include <linux/slab.h> 14 #include <linux/slab.h>
15 #include <linux/vmalloc.h> 15 #include <linux/vmalloc.h>
16 #include <linux/fs.h> 16 #include <linux/fs.h>
17 #include <linux/mutex.h> 17 #include <linux/mutex.h>
18 #include <linux/init.h> 18 #include <linux/init.h>
19 #include <linux/string.h> 19 #include <linux/string.h>
20 #include <linux/security.h> 20 #include <linux/security.h>
21 #include <linux/major.h> 21 #include <linux/major.h>
22 #include <linux/seq_file.h> 22 #include <linux/seq_file.h>
23 #include <linux/percpu.h> 23 #include <linux/percpu.h>
24 #include <linux/audit.h> 24 #include <linux/audit.h>
25 #include <asm/uaccess.h> 25 #include <asm/uaccess.h>
26 #include <asm/semaphore.h> 26 #include <asm/semaphore.h>
27 27
28 /* selinuxfs pseudo filesystem for exporting the security policy API. 28 /* selinuxfs pseudo filesystem for exporting the security policy API.
29 Based on the proc code and the fs/nfsd/nfsctl.c code. */ 29 Based on the proc code and the fs/nfsd/nfsctl.c code. */
30 30
31 #include "flask.h" 31 #include "flask.h"
32 #include "avc.h" 32 #include "avc.h"
33 #include "avc_ss.h" 33 #include "avc_ss.h"
34 #include "security.h" 34 #include "security.h"
35 #include "objsec.h" 35 #include "objsec.h"
36 #include "conditional.h" 36 #include "conditional.h"
37 37
38 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; 38 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
39 39
40 #ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT 40 #ifdef CONFIG_SECURITY_SELINUX_ENABLE_SECMARK_DEFAULT
41 #define SELINUX_COMPAT_NET_VALUE 0 41 #define SELINUX_COMPAT_NET_VALUE 0
42 #else 42 #else
43 #define SELINUX_COMPAT_NET_VALUE 1 43 #define SELINUX_COMPAT_NET_VALUE 1
44 #endif 44 #endif
45 45
46 int selinux_compat_net = SELINUX_COMPAT_NET_VALUE; 46 int selinux_compat_net = SELINUX_COMPAT_NET_VALUE;
47 47
48 static int __init checkreqprot_setup(char *str) 48 static int __init checkreqprot_setup(char *str)
49 { 49 {
50 selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0; 50 selinux_checkreqprot = simple_strtoul(str,NULL,0) ? 1 : 0;
51 return 1; 51 return 1;
52 } 52 }
53 __setup("checkreqprot=", checkreqprot_setup); 53 __setup("checkreqprot=", checkreqprot_setup);
54 54
55 static int __init selinux_compat_net_setup(char *str) 55 static int __init selinux_compat_net_setup(char *str)
56 { 56 {
57 selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0; 57 selinux_compat_net = simple_strtoul(str,NULL,0) ? 1 : 0;
58 return 1; 58 return 1;
59 } 59 }
60 __setup("selinux_compat_net=", selinux_compat_net_setup); 60 __setup("selinux_compat_net=", selinux_compat_net_setup);
61 61
62 62
63 static DEFINE_MUTEX(sel_mutex); 63 static DEFINE_MUTEX(sel_mutex);
64 64
65 /* global data for booleans */ 65 /* global data for booleans */
66 static struct dentry *bool_dir = NULL; 66 static struct dentry *bool_dir = NULL;
67 static int bool_num = 0; 67 static int bool_num = 0;
68 static char **bool_pending_names; 68 static char **bool_pending_names;
69 static int *bool_pending_values = NULL; 69 static int *bool_pending_values = NULL;
70 70
71 /* global data for classes */ 71 /* global data for classes */
72 static struct dentry *class_dir = NULL; 72 static struct dentry *class_dir = NULL;
73 static unsigned long last_class_ino; 73 static unsigned long last_class_ino;
74 74
75 extern void selnl_notify_setenforce(int val); 75 extern void selnl_notify_setenforce(int val);
76 76
77 /* Check whether a task is allowed to use a security operation. */ 77 /* Check whether a task is allowed to use a security operation. */
78 static int task_has_security(struct task_struct *tsk, 78 static int task_has_security(struct task_struct *tsk,
79 u32 perms) 79 u32 perms)
80 { 80 {
81 struct task_security_struct *tsec; 81 struct task_security_struct *tsec;
82 82
83 tsec = tsk->security; 83 tsec = tsk->security;
84 if (!tsec) 84 if (!tsec)
85 return -EACCES; 85 return -EACCES;
86 86
87 return avc_has_perm(tsec->sid, SECINITSID_SECURITY, 87 return avc_has_perm(tsec->sid, SECINITSID_SECURITY,
88 SECCLASS_SECURITY, perms, NULL); 88 SECCLASS_SECURITY, perms, NULL);
89 } 89 }
90 90
91 enum sel_inos { 91 enum sel_inos {
92 SEL_ROOT_INO = 2, 92 SEL_ROOT_INO = 2,
93 SEL_LOAD, /* load policy */ 93 SEL_LOAD, /* load policy */
94 SEL_ENFORCE, /* get or set enforcing status */ 94 SEL_ENFORCE, /* get or set enforcing status */
95 SEL_CONTEXT, /* validate context */ 95 SEL_CONTEXT, /* validate context */
96 SEL_ACCESS, /* compute access decision */ 96 SEL_ACCESS, /* compute access decision */
97 SEL_CREATE, /* compute create labeling decision */ 97 SEL_CREATE, /* compute create labeling decision */
98 SEL_RELABEL, /* compute relabeling decision */ 98 SEL_RELABEL, /* compute relabeling decision */
99 SEL_USER, /* compute reachable user contexts */ 99 SEL_USER, /* compute reachable user contexts */
100 SEL_POLICYVERS, /* return policy version for this kernel */ 100 SEL_POLICYVERS, /* return policy version for this kernel */
101 SEL_COMMIT_BOOLS, /* commit new boolean values */ 101 SEL_COMMIT_BOOLS, /* commit new boolean values */
102 SEL_MLS, /* return if MLS policy is enabled */ 102 SEL_MLS, /* return if MLS policy is enabled */
103 SEL_DISABLE, /* disable SELinux until next reboot */ 103 SEL_DISABLE, /* disable SELinux until next reboot */
104 SEL_MEMBER, /* compute polyinstantiation membership decision */ 104 SEL_MEMBER, /* compute polyinstantiation membership decision */
105 SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */ 105 SEL_CHECKREQPROT, /* check requested protection, not kernel-applied one */
106 SEL_COMPAT_NET, /* whether to use old compat network packet controls */ 106 SEL_COMPAT_NET, /* whether to use old compat network packet controls */
107 SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */ 107 SEL_REJECT_UNKNOWN, /* export unknown reject handling to userspace */
108 SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */ 108 SEL_DENY_UNKNOWN, /* export unknown deny handling to userspace */
109 SEL_INO_NEXT, /* The next inode number to use */ 109 SEL_INO_NEXT, /* The next inode number to use */
110 }; 110 };
111 111
112 static unsigned long sel_last_ino = SEL_INO_NEXT - 1; 112 static unsigned long sel_last_ino = SEL_INO_NEXT - 1;
113 113
114 #define SEL_INITCON_INO_OFFSET 0x01000000 114 #define SEL_INITCON_INO_OFFSET 0x01000000
115 #define SEL_BOOL_INO_OFFSET 0x02000000 115 #define SEL_BOOL_INO_OFFSET 0x02000000
116 #define SEL_CLASS_INO_OFFSET 0x04000000 116 #define SEL_CLASS_INO_OFFSET 0x04000000
117 #define SEL_INO_MASK 0x00ffffff 117 #define SEL_INO_MASK 0x00ffffff
118 118
119 #define TMPBUFLEN 12 119 #define TMPBUFLEN 12
120 static ssize_t sel_read_enforce(struct file *filp, char __user *buf, 120 static ssize_t sel_read_enforce(struct file *filp, char __user *buf,
121 size_t count, loff_t *ppos) 121 size_t count, loff_t *ppos)
122 { 122 {
123 char tmpbuf[TMPBUFLEN]; 123 char tmpbuf[TMPBUFLEN];
124 ssize_t length; 124 ssize_t length;
125 125
126 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_enforcing); 126 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_enforcing);
127 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 127 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
128 } 128 }
129 129
130 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP 130 #ifdef CONFIG_SECURITY_SELINUX_DEVELOP
131 static ssize_t sel_write_enforce(struct file * file, const char __user * buf, 131 static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
132 size_t count, loff_t *ppos) 132 size_t count, loff_t *ppos)
133 133
134 { 134 {
135 char *page; 135 char *page;
136 ssize_t length; 136 ssize_t length;
137 int new_value; 137 int new_value;
138 138
139 if (count >= PAGE_SIZE) 139 if (count >= PAGE_SIZE)
140 return -ENOMEM; 140 return -ENOMEM;
141 if (*ppos != 0) { 141 if (*ppos != 0) {
142 /* No partial writes. */ 142 /* No partial writes. */
143 return -EINVAL; 143 return -EINVAL;
144 } 144 }
145 page = (char*)get_zeroed_page(GFP_KERNEL); 145 page = (char*)get_zeroed_page(GFP_KERNEL);
146 if (!page) 146 if (!page)
147 return -ENOMEM; 147 return -ENOMEM;
148 length = -EFAULT; 148 length = -EFAULT;
149 if (copy_from_user(page, buf, count)) 149 if (copy_from_user(page, buf, count))
150 goto out; 150 goto out;
151 151
152 length = -EINVAL; 152 length = -EINVAL;
153 if (sscanf(page, "%d", &new_value) != 1) 153 if (sscanf(page, "%d", &new_value) != 1)
154 goto out; 154 goto out;
155 155
156 if (new_value != selinux_enforcing) { 156 if (new_value != selinux_enforcing) {
157 length = task_has_security(current, SECURITY__SETENFORCE); 157 length = task_has_security(current, SECURITY__SETENFORCE);
158 if (length) 158 if (length)
159 goto out; 159 goto out;
160 audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, 160 audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
161 "enforcing=%d old_enforcing=%d auid=%u", new_value, 161 "enforcing=%d old_enforcing=%d auid=%u", new_value,
162 selinux_enforcing, 162 selinux_enforcing,
163 audit_get_loginuid(current->audit_context)); 163 audit_get_loginuid(current->audit_context));
164 selinux_enforcing = new_value; 164 selinux_enforcing = new_value;
165 if (selinux_enforcing) 165 if (selinux_enforcing)
166 avc_ss_reset(0); 166 avc_ss_reset(0);
167 selnl_notify_setenforce(selinux_enforcing); 167 selnl_notify_setenforce(selinux_enforcing);
168 } 168 }
169 length = count; 169 length = count;
170 out: 170 out:
171 free_page((unsigned long) page); 171 free_page((unsigned long) page);
172 return length; 172 return length;
173 } 173 }
174 #else 174 #else
175 #define sel_write_enforce NULL 175 #define sel_write_enforce NULL
176 #endif 176 #endif
177 177
178 static const struct file_operations sel_enforce_ops = { 178 static const struct file_operations sel_enforce_ops = {
179 .read = sel_read_enforce, 179 .read = sel_read_enforce,
180 .write = sel_write_enforce, 180 .write = sel_write_enforce,
181 }; 181 };
182 182
183 static ssize_t sel_read_handle_unknown(struct file *filp, char __user *buf, 183 static ssize_t sel_read_handle_unknown(struct file *filp, char __user *buf,
184 size_t count, loff_t *ppos) 184 size_t count, loff_t *ppos)
185 { 185 {
186 char tmpbuf[TMPBUFLEN]; 186 char tmpbuf[TMPBUFLEN];
187 ssize_t length; 187 ssize_t length;
188 ino_t ino = filp->f_path.dentry->d_inode->i_ino; 188 ino_t ino = filp->f_path.dentry->d_inode->i_ino;
189 int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ? 189 int handle_unknown = (ino == SEL_REJECT_UNKNOWN) ?
190 security_get_reject_unknown() : !security_get_allow_unknown(); 190 security_get_reject_unknown() : !security_get_allow_unknown();
191 191
192 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", handle_unknown); 192 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", handle_unknown);
193 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 193 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
194 } 194 }
195 195
196 static const struct file_operations sel_handle_unknown_ops = { 196 static const struct file_operations sel_handle_unknown_ops = {
197 .read = sel_read_handle_unknown, 197 .read = sel_read_handle_unknown,
198 }; 198 };
199 199
200 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 200 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
201 static ssize_t sel_write_disable(struct file * file, const char __user * buf, 201 static ssize_t sel_write_disable(struct file * file, const char __user * buf,
202 size_t count, loff_t *ppos) 202 size_t count, loff_t *ppos)
203 203
204 { 204 {
205 char *page; 205 char *page;
206 ssize_t length; 206 ssize_t length;
207 int new_value; 207 int new_value;
208 extern int selinux_disable(void); 208 extern int selinux_disable(void);
209 209
210 if (count >= PAGE_SIZE) 210 if (count >= PAGE_SIZE)
211 return -ENOMEM; 211 return -ENOMEM;
212 if (*ppos != 0) { 212 if (*ppos != 0) {
213 /* No partial writes. */ 213 /* No partial writes. */
214 return -EINVAL; 214 return -EINVAL;
215 } 215 }
216 page = (char*)get_zeroed_page(GFP_KERNEL); 216 page = (char*)get_zeroed_page(GFP_KERNEL);
217 if (!page) 217 if (!page)
218 return -ENOMEM; 218 return -ENOMEM;
219 length = -EFAULT; 219 length = -EFAULT;
220 if (copy_from_user(page, buf, count)) 220 if (copy_from_user(page, buf, count))
221 goto out; 221 goto out;
222 222
223 length = -EINVAL; 223 length = -EINVAL;
224 if (sscanf(page, "%d", &new_value) != 1) 224 if (sscanf(page, "%d", &new_value) != 1)
225 goto out; 225 goto out;
226 226
227 if (new_value) { 227 if (new_value) {
228 length = selinux_disable(); 228 length = selinux_disable();
229 if (length < 0) 229 if (length < 0)
230 goto out; 230 goto out;
231 audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, 231 audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
232 "selinux=0 auid=%u", 232 "selinux=0 auid=%u",
233 audit_get_loginuid(current->audit_context)); 233 audit_get_loginuid(current->audit_context));
234 } 234 }
235 235
236 length = count; 236 length = count;
237 out: 237 out:
238 free_page((unsigned long) page); 238 free_page((unsigned long) page);
239 return length; 239 return length;
240 } 240 }
241 #else 241 #else
242 #define sel_write_disable NULL 242 #define sel_write_disable NULL
243 #endif 243 #endif
244 244
245 static const struct file_operations sel_disable_ops = { 245 static const struct file_operations sel_disable_ops = {
246 .write = sel_write_disable, 246 .write = sel_write_disable,
247 }; 247 };
248 248
249 static ssize_t sel_read_policyvers(struct file *filp, char __user *buf, 249 static ssize_t sel_read_policyvers(struct file *filp, char __user *buf,
250 size_t count, loff_t *ppos) 250 size_t count, loff_t *ppos)
251 { 251 {
252 char tmpbuf[TMPBUFLEN]; 252 char tmpbuf[TMPBUFLEN];
253 ssize_t length; 253 ssize_t length;
254 254
255 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", POLICYDB_VERSION_MAX); 255 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", POLICYDB_VERSION_MAX);
256 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 256 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
257 } 257 }
258 258
259 static const struct file_operations sel_policyvers_ops = { 259 static const struct file_operations sel_policyvers_ops = {
260 .read = sel_read_policyvers, 260 .read = sel_read_policyvers,
261 }; 261 };
262 262
263 /* declaration for sel_write_load */ 263 /* declaration for sel_write_load */
264 static int sel_make_bools(void); 264 static int sel_make_bools(void);
265 static int sel_make_classes(void); 265 static int sel_make_classes(void);
266 266
267 /* declaration for sel_make_class_dirs */ 267 /* declaration for sel_make_class_dirs */
268 static int sel_make_dir(struct inode *dir, struct dentry *dentry, 268 static int sel_make_dir(struct inode *dir, struct dentry *dentry,
269 unsigned long *ino); 269 unsigned long *ino);
270 270
271 static ssize_t sel_read_mls(struct file *filp, char __user *buf, 271 static ssize_t sel_read_mls(struct file *filp, char __user *buf,
272 size_t count, loff_t *ppos) 272 size_t count, loff_t *ppos)
273 { 273 {
274 char tmpbuf[TMPBUFLEN]; 274 char tmpbuf[TMPBUFLEN];
275 ssize_t length; 275 ssize_t length;
276 276
277 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled); 277 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_mls_enabled);
278 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 278 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
279 } 279 }
280 280
281 static const struct file_operations sel_mls_ops = { 281 static const struct file_operations sel_mls_ops = {
282 .read = sel_read_mls, 282 .read = sel_read_mls,
283 }; 283 };
284 284
285 static ssize_t sel_write_load(struct file * file, const char __user * buf, 285 static ssize_t sel_write_load(struct file * file, const char __user * buf,
286 size_t count, loff_t *ppos) 286 size_t count, loff_t *ppos)
287 287
288 { 288 {
289 int ret; 289 int ret;
290 ssize_t length; 290 ssize_t length;
291 void *data = NULL; 291 void *data = NULL;
292 292
293 mutex_lock(&sel_mutex); 293 mutex_lock(&sel_mutex);
294 294
295 length = task_has_security(current, SECURITY__LOAD_POLICY); 295 length = task_has_security(current, SECURITY__LOAD_POLICY);
296 if (length) 296 if (length)
297 goto out; 297 goto out;
298 298
299 if (*ppos != 0) { 299 if (*ppos != 0) {
300 /* No partial writes. */ 300 /* No partial writes. */
301 length = -EINVAL; 301 length = -EINVAL;
302 goto out; 302 goto out;
303 } 303 }
304 304
305 if ((count > 64 * 1024 * 1024) 305 if ((count > 64 * 1024 * 1024)
306 || (data = vmalloc(count)) == NULL) { 306 || (data = vmalloc(count)) == NULL) {
307 length = -ENOMEM; 307 length = -ENOMEM;
308 goto out; 308 goto out;
309 } 309 }
310 310
311 length = -EFAULT; 311 length = -EFAULT;
312 if (copy_from_user(data, buf, count) != 0) 312 if (copy_from_user(data, buf, count) != 0)
313 goto out; 313 goto out;
314 314
315 length = security_load_policy(data, count); 315 length = security_load_policy(data, count);
316 if (length) 316 if (length)
317 goto out; 317 goto out;
318 318
319 ret = sel_make_bools(); 319 ret = sel_make_bools();
320 if (ret) { 320 if (ret) {
321 length = ret; 321 length = ret;
322 goto out1; 322 goto out1;
323 } 323 }
324 324
325 ret = sel_make_classes(); 325 ret = sel_make_classes();
326 if (ret) 326 if (ret)
327 length = ret; 327 length = ret;
328 else 328 else
329 length = count; 329 length = count;
330 330
331 out1: 331 out1:
332 332
333 printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n", 333 printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
334 (security_get_reject_unknown() ? "reject" : 334 (security_get_reject_unknown() ? "reject" :
335 (security_get_allow_unknown() ? "allow" : "deny"))); 335 (security_get_allow_unknown() ? "allow" : "deny")));
336 336
337 audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, 337 audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
338 "policy loaded auid=%u", 338 "policy loaded auid=%u",
339 audit_get_loginuid(current->audit_context)); 339 audit_get_loginuid(current->audit_context));
340 out: 340 out:
341 mutex_unlock(&sel_mutex); 341 mutex_unlock(&sel_mutex);
342 vfree(data); 342 vfree(data);
343 return length; 343 return length;
344 } 344 }
345 345
346 static const struct file_operations sel_load_ops = { 346 static const struct file_operations sel_load_ops = {
347 .write = sel_write_load, 347 .write = sel_write_load,
348 }; 348 };
349 349
350 static ssize_t sel_write_context(struct file * file, char *buf, size_t size) 350 static ssize_t sel_write_context(struct file * file, char *buf, size_t size)
351 { 351 {
352 char *canon; 352 char *canon;
353 u32 sid, len; 353 u32 sid, len;
354 ssize_t length; 354 ssize_t length;
355 355
356 length = task_has_security(current, SECURITY__CHECK_CONTEXT); 356 length = task_has_security(current, SECURITY__CHECK_CONTEXT);
357 if (length) 357 if (length)
358 return length; 358 return length;
359 359
360 length = security_context_to_sid(buf, size, &sid); 360 length = security_context_to_sid(buf, size, &sid);
361 if (length < 0) 361 if (length < 0)
362 return length; 362 return length;
363 363
364 length = security_sid_to_context(sid, &canon, &len); 364 length = security_sid_to_context(sid, &canon, &len);
365 if (length < 0) 365 if (length < 0)
366 return length; 366 return length;
367 367
368 if (len > SIMPLE_TRANSACTION_LIMIT) { 368 if (len > SIMPLE_TRANSACTION_LIMIT) {
369 printk(KERN_ERR "%s: context size (%u) exceeds payload " 369 printk(KERN_ERR "%s: context size (%u) exceeds payload "
370 "max\n", __FUNCTION__, len); 370 "max\n", __FUNCTION__, len);
371 length = -ERANGE; 371 length = -ERANGE;
372 goto out; 372 goto out;
373 } 373 }
374 374
375 memcpy(buf, canon, len); 375 memcpy(buf, canon, len);
376 length = len; 376 length = len;
377 out: 377 out:
378 kfree(canon); 378 kfree(canon);
379 return length; 379 return length;
380 } 380 }
381 381
382 static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf, 382 static ssize_t sel_read_checkreqprot(struct file *filp, char __user *buf,
383 size_t count, loff_t *ppos) 383 size_t count, loff_t *ppos)
384 { 384 {
385 char tmpbuf[TMPBUFLEN]; 385 char tmpbuf[TMPBUFLEN];
386 ssize_t length; 386 ssize_t length;
387 387
388 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", selinux_checkreqprot); 388 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", selinux_checkreqprot);
389 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 389 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
390 } 390 }
391 391
392 static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf, 392 static ssize_t sel_write_checkreqprot(struct file * file, const char __user * buf,
393 size_t count, loff_t *ppos) 393 size_t count, loff_t *ppos)
394 { 394 {
395 char *page; 395 char *page;
396 ssize_t length; 396 ssize_t length;
397 unsigned int new_value; 397 unsigned int new_value;
398 398
399 length = task_has_security(current, SECURITY__SETCHECKREQPROT); 399 length = task_has_security(current, SECURITY__SETCHECKREQPROT);
400 if (length) 400 if (length)
401 return length; 401 return length;
402 402
403 if (count >= PAGE_SIZE) 403 if (count >= PAGE_SIZE)
404 return -ENOMEM; 404 return -ENOMEM;
405 if (*ppos != 0) { 405 if (*ppos != 0) {
406 /* No partial writes. */ 406 /* No partial writes. */
407 return -EINVAL; 407 return -EINVAL;
408 } 408 }
409 page = (char*)get_zeroed_page(GFP_KERNEL); 409 page = (char*)get_zeroed_page(GFP_KERNEL);
410 if (!page) 410 if (!page)
411 return -ENOMEM; 411 return -ENOMEM;
412 length = -EFAULT; 412 length = -EFAULT;
413 if (copy_from_user(page, buf, count)) 413 if (copy_from_user(page, buf, count))
414 goto out; 414 goto out;
415 415
416 length = -EINVAL; 416 length = -EINVAL;
417 if (sscanf(page, "%u", &new_value) != 1) 417 if (sscanf(page, "%u", &new_value) != 1)
418 goto out; 418 goto out;
419 419
420 selinux_checkreqprot = new_value ? 1 : 0; 420 selinux_checkreqprot = new_value ? 1 : 0;
421 length = count; 421 length = count;
422 out: 422 out:
423 free_page((unsigned long) page); 423 free_page((unsigned long) page);
424 return length; 424 return length;
425 } 425 }
426 static const struct file_operations sel_checkreqprot_ops = { 426 static const struct file_operations sel_checkreqprot_ops = {
427 .read = sel_read_checkreqprot, 427 .read = sel_read_checkreqprot,
428 .write = sel_write_checkreqprot, 428 .write = sel_write_checkreqprot,
429 }; 429 };
430 430
431 static ssize_t sel_read_compat_net(struct file *filp, char __user *buf, 431 static ssize_t sel_read_compat_net(struct file *filp, char __user *buf,
432 size_t count, loff_t *ppos) 432 size_t count, loff_t *ppos)
433 { 433 {
434 char tmpbuf[TMPBUFLEN]; 434 char tmpbuf[TMPBUFLEN];
435 ssize_t length; 435 ssize_t length;
436 436
437 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net); 437 length = scnprintf(tmpbuf, TMPBUFLEN, "%d", selinux_compat_net);
438 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 438 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
439 } 439 }
440 440
441 static ssize_t sel_write_compat_net(struct file * file, const char __user * buf, 441 static ssize_t sel_write_compat_net(struct file * file, const char __user * buf,
442 size_t count, loff_t *ppos) 442 size_t count, loff_t *ppos)
443 { 443 {
444 char *page; 444 char *page;
445 ssize_t length; 445 ssize_t length;
446 int new_value; 446 int new_value;
447 447
448 length = task_has_security(current, SECURITY__LOAD_POLICY); 448 length = task_has_security(current, SECURITY__LOAD_POLICY);
449 if (length) 449 if (length)
450 return length; 450 return length;
451 451
452 if (count >= PAGE_SIZE) 452 if (count >= PAGE_SIZE)
453 return -ENOMEM; 453 return -ENOMEM;
454 if (*ppos != 0) { 454 if (*ppos != 0) {
455 /* No partial writes. */ 455 /* No partial writes. */
456 return -EINVAL; 456 return -EINVAL;
457 } 457 }
458 page = (char*)get_zeroed_page(GFP_KERNEL); 458 page = (char*)get_zeroed_page(GFP_KERNEL);
459 if (!page) 459 if (!page)
460 return -ENOMEM; 460 return -ENOMEM;
461 length = -EFAULT; 461 length = -EFAULT;
462 if (copy_from_user(page, buf, count)) 462 if (copy_from_user(page, buf, count))
463 goto out; 463 goto out;
464 464
465 length = -EINVAL; 465 length = -EINVAL;
466 if (sscanf(page, "%d", &new_value) != 1) 466 if (sscanf(page, "%d", &new_value) != 1)
467 goto out; 467 goto out;
468 468
469 selinux_compat_net = new_value ? 1 : 0; 469 selinux_compat_net = new_value ? 1 : 0;
470 length = count; 470 length = count;
471 out: 471 out:
472 free_page((unsigned long) page); 472 free_page((unsigned long) page);
473 return length; 473 return length;
474 } 474 }
475 static const struct file_operations sel_compat_net_ops = { 475 static const struct file_operations sel_compat_net_ops = {
476 .read = sel_read_compat_net, 476 .read = sel_read_compat_net,
477 .write = sel_write_compat_net, 477 .write = sel_write_compat_net,
478 }; 478 };
479 479
480 /* 480 /*
481 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c 481 * Remaining nodes use transaction based IO methods like nfsd/nfsctl.c
482 */ 482 */
483 static ssize_t sel_write_access(struct file * file, char *buf, size_t size); 483 static ssize_t sel_write_access(struct file * file, char *buf, size_t size);
484 static ssize_t sel_write_create(struct file * file, char *buf, size_t size); 484 static ssize_t sel_write_create(struct file * file, char *buf, size_t size);
485 static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size); 485 static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size);
486 static ssize_t sel_write_user(struct file * file, char *buf, size_t size); 486 static ssize_t sel_write_user(struct file * file, char *buf, size_t size);
487 static ssize_t sel_write_member(struct file * file, char *buf, size_t size); 487 static ssize_t sel_write_member(struct file * file, char *buf, size_t size);
488 488
489 static ssize_t (*write_op[])(struct file *, char *, size_t) = { 489 static ssize_t (*write_op[])(struct file *, char *, size_t) = {
490 [SEL_ACCESS] = sel_write_access, 490 [SEL_ACCESS] = sel_write_access,
491 [SEL_CREATE] = sel_write_create, 491 [SEL_CREATE] = sel_write_create,
492 [SEL_RELABEL] = sel_write_relabel, 492 [SEL_RELABEL] = sel_write_relabel,
493 [SEL_USER] = sel_write_user, 493 [SEL_USER] = sel_write_user,
494 [SEL_MEMBER] = sel_write_member, 494 [SEL_MEMBER] = sel_write_member,
495 [SEL_CONTEXT] = sel_write_context, 495 [SEL_CONTEXT] = sel_write_context,
496 }; 496 };
497 497
498 static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos) 498 static ssize_t selinux_transaction_write(struct file *file, const char __user *buf, size_t size, loff_t *pos)
499 { 499 {
500 ino_t ino = file->f_path.dentry->d_inode->i_ino; 500 ino_t ino = file->f_path.dentry->d_inode->i_ino;
501 char *data; 501 char *data;
502 ssize_t rv; 502 ssize_t rv;
503 503
504 if (ino >= ARRAY_SIZE(write_op) || !write_op[ino]) 504 if (ino >= ARRAY_SIZE(write_op) || !write_op[ino])
505 return -EINVAL; 505 return -EINVAL;
506 506
507 data = simple_transaction_get(file, buf, size); 507 data = simple_transaction_get(file, buf, size);
508 if (IS_ERR(data)) 508 if (IS_ERR(data))
509 return PTR_ERR(data); 509 return PTR_ERR(data);
510 510
511 rv = write_op[ino](file, data, size); 511 rv = write_op[ino](file, data, size);
512 if (rv>0) { 512 if (rv>0) {
513 simple_transaction_set(file, rv); 513 simple_transaction_set(file, rv);
514 rv = size; 514 rv = size;
515 } 515 }
516 return rv; 516 return rv;
517 } 517 }
518 518
519 static const struct file_operations transaction_ops = { 519 static const struct file_operations transaction_ops = {
520 .write = selinux_transaction_write, 520 .write = selinux_transaction_write,
521 .read = simple_transaction_read, 521 .read = simple_transaction_read,
522 .release = simple_transaction_release, 522 .release = simple_transaction_release,
523 }; 523 };
524 524
525 /* 525 /*
526 * payload - write methods 526 * payload - write methods
527 * If the method has a response, the response should be put in buf, 527 * If the method has a response, the response should be put in buf,
528 * and the length returned. Otherwise return 0 or and -error. 528 * and the length returned. Otherwise return 0 or and -error.
529 */ 529 */
530 530
531 static ssize_t sel_write_access(struct file * file, char *buf, size_t size) 531 static ssize_t sel_write_access(struct file * file, char *buf, size_t size)
532 { 532 {
533 char *scon, *tcon; 533 char *scon, *tcon;
534 u32 ssid, tsid; 534 u32 ssid, tsid;
535 u16 tclass; 535 u16 tclass;
536 u32 req; 536 u32 req;
537 struct av_decision avd; 537 struct av_decision avd;
538 ssize_t length; 538 ssize_t length;
539 539
540 length = task_has_security(current, SECURITY__COMPUTE_AV); 540 length = task_has_security(current, SECURITY__COMPUTE_AV);
541 if (length) 541 if (length)
542 return length; 542 return length;
543 543
544 length = -ENOMEM; 544 length = -ENOMEM;
545 scon = kzalloc(size+1, GFP_KERNEL); 545 scon = kzalloc(size+1, GFP_KERNEL);
546 if (!scon) 546 if (!scon)
547 return length; 547 return length;
548 548
549 tcon = kzalloc(size+1, GFP_KERNEL); 549 tcon = kzalloc(size+1, GFP_KERNEL);
550 if (!tcon) 550 if (!tcon)
551 goto out; 551 goto out;
552 552
553 length = -EINVAL; 553 length = -EINVAL;
554 if (sscanf(buf, "%s %s %hu %x", scon, tcon, &tclass, &req) != 4) 554 if (sscanf(buf, "%s %s %hu %x", scon, tcon, &tclass, &req) != 4)
555 goto out2; 555 goto out2;
556 556
557 length = security_context_to_sid(scon, strlen(scon)+1, &ssid); 557 length = security_context_to_sid(scon, strlen(scon)+1, &ssid);
558 if (length < 0) 558 if (length < 0)
559 goto out2; 559 goto out2;
560 length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid); 560 length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid);
561 if (length < 0) 561 if (length < 0)
562 goto out2; 562 goto out2;
563 563
564 length = security_compute_av(ssid, tsid, tclass, req, &avd); 564 length = security_compute_av(ssid, tsid, tclass, req, &avd);
565 if (length < 0) 565 if (length < 0)
566 goto out2; 566 goto out2;
567 567
568 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT, 568 length = scnprintf(buf, SIMPLE_TRANSACTION_LIMIT,
569 "%x %x %x %x %u", 569 "%x %x %x %x %u",
570 avd.allowed, avd.decided, 570 avd.allowed, avd.decided,
571 avd.auditallow, avd.auditdeny, 571 avd.auditallow, avd.auditdeny,
572 avd.seqno); 572 avd.seqno);
573 out2: 573 out2:
574 kfree(tcon); 574 kfree(tcon);
575 out: 575 out:
576 kfree(scon); 576 kfree(scon);
577 return length; 577 return length;
578 } 578 }
579 579
580 static ssize_t sel_write_create(struct file * file, char *buf, size_t size) 580 static ssize_t sel_write_create(struct file * file, char *buf, size_t size)
581 { 581 {
582 char *scon, *tcon; 582 char *scon, *tcon;
583 u32 ssid, tsid, newsid; 583 u32 ssid, tsid, newsid;
584 u16 tclass; 584 u16 tclass;
585 ssize_t length; 585 ssize_t length;
586 char *newcon; 586 char *newcon;
587 u32 len; 587 u32 len;
588 588
589 length = task_has_security(current, SECURITY__COMPUTE_CREATE); 589 length = task_has_security(current, SECURITY__COMPUTE_CREATE);
590 if (length) 590 if (length)
591 return length; 591 return length;
592 592
593 length = -ENOMEM; 593 length = -ENOMEM;
594 scon = kzalloc(size+1, GFP_KERNEL); 594 scon = kzalloc(size+1, GFP_KERNEL);
595 if (!scon) 595 if (!scon)
596 return length; 596 return length;
597 597
598 tcon = kzalloc(size+1, GFP_KERNEL); 598 tcon = kzalloc(size+1, GFP_KERNEL);
599 if (!tcon) 599 if (!tcon)
600 goto out; 600 goto out;
601 601
602 length = -EINVAL; 602 length = -EINVAL;
603 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) 603 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
604 goto out2; 604 goto out2;
605 605
606 length = security_context_to_sid(scon, strlen(scon)+1, &ssid); 606 length = security_context_to_sid(scon, strlen(scon)+1, &ssid);
607 if (length < 0) 607 if (length < 0)
608 goto out2; 608 goto out2;
609 length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid); 609 length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid);
610 if (length < 0) 610 if (length < 0)
611 goto out2; 611 goto out2;
612 612
613 length = security_transition_sid(ssid, tsid, tclass, &newsid); 613 length = security_transition_sid(ssid, tsid, tclass, &newsid);
614 if (length < 0) 614 if (length < 0)
615 goto out2; 615 goto out2;
616 616
617 length = security_sid_to_context(newsid, &newcon, &len); 617 length = security_sid_to_context(newsid, &newcon, &len);
618 if (length < 0) 618 if (length < 0)
619 goto out2; 619 goto out2;
620 620
621 if (len > SIMPLE_TRANSACTION_LIMIT) { 621 if (len > SIMPLE_TRANSACTION_LIMIT) {
622 printk(KERN_ERR "%s: context size (%u) exceeds payload " 622 printk(KERN_ERR "%s: context size (%u) exceeds payload "
623 "max\n", __FUNCTION__, len); 623 "max\n", __FUNCTION__, len);
624 length = -ERANGE; 624 length = -ERANGE;
625 goto out3; 625 goto out3;
626 } 626 }
627 627
628 memcpy(buf, newcon, len); 628 memcpy(buf, newcon, len);
629 length = len; 629 length = len;
630 out3: 630 out3:
631 kfree(newcon); 631 kfree(newcon);
632 out2: 632 out2:
633 kfree(tcon); 633 kfree(tcon);
634 out: 634 out:
635 kfree(scon); 635 kfree(scon);
636 return length; 636 return length;
637 } 637 }
638 638
639 static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size) 639 static ssize_t sel_write_relabel(struct file * file, char *buf, size_t size)
640 { 640 {
641 char *scon, *tcon; 641 char *scon, *tcon;
642 u32 ssid, tsid, newsid; 642 u32 ssid, tsid, newsid;
643 u16 tclass; 643 u16 tclass;
644 ssize_t length; 644 ssize_t length;
645 char *newcon; 645 char *newcon;
646 u32 len; 646 u32 len;
647 647
648 length = task_has_security(current, SECURITY__COMPUTE_RELABEL); 648 length = task_has_security(current, SECURITY__COMPUTE_RELABEL);
649 if (length) 649 if (length)
650 return length; 650 return length;
651 651
652 length = -ENOMEM; 652 length = -ENOMEM;
653 scon = kzalloc(size+1, GFP_KERNEL); 653 scon = kzalloc(size+1, GFP_KERNEL);
654 if (!scon) 654 if (!scon)
655 return length; 655 return length;
656 656
657 tcon = kzalloc(size+1, GFP_KERNEL); 657 tcon = kzalloc(size+1, GFP_KERNEL);
658 if (!tcon) 658 if (!tcon)
659 goto out; 659 goto out;
660 660
661 length = -EINVAL; 661 length = -EINVAL;
662 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) 662 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
663 goto out2; 663 goto out2;
664 664
665 length = security_context_to_sid(scon, strlen(scon)+1, &ssid); 665 length = security_context_to_sid(scon, strlen(scon)+1, &ssid);
666 if (length < 0) 666 if (length < 0)
667 goto out2; 667 goto out2;
668 length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid); 668 length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid);
669 if (length < 0) 669 if (length < 0)
670 goto out2; 670 goto out2;
671 671
672 length = security_change_sid(ssid, tsid, tclass, &newsid); 672 length = security_change_sid(ssid, tsid, tclass, &newsid);
673 if (length < 0) 673 if (length < 0)
674 goto out2; 674 goto out2;
675 675
676 length = security_sid_to_context(newsid, &newcon, &len); 676 length = security_sid_to_context(newsid, &newcon, &len);
677 if (length < 0) 677 if (length < 0)
678 goto out2; 678 goto out2;
679 679
680 if (len > SIMPLE_TRANSACTION_LIMIT) { 680 if (len > SIMPLE_TRANSACTION_LIMIT) {
681 length = -ERANGE; 681 length = -ERANGE;
682 goto out3; 682 goto out3;
683 } 683 }
684 684
685 memcpy(buf, newcon, len); 685 memcpy(buf, newcon, len);
686 length = len; 686 length = len;
687 out3: 687 out3:
688 kfree(newcon); 688 kfree(newcon);
689 out2: 689 out2:
690 kfree(tcon); 690 kfree(tcon);
691 out: 691 out:
692 kfree(scon); 692 kfree(scon);
693 return length; 693 return length;
694 } 694 }
695 695
696 static ssize_t sel_write_user(struct file * file, char *buf, size_t size) 696 static ssize_t sel_write_user(struct file * file, char *buf, size_t size)
697 { 697 {
698 char *con, *user, *ptr; 698 char *con, *user, *ptr;
699 u32 sid, *sids; 699 u32 sid, *sids;
700 ssize_t length; 700 ssize_t length;
701 char *newcon; 701 char *newcon;
702 int i, rc; 702 int i, rc;
703 u32 len, nsids; 703 u32 len, nsids;
704 704
705 length = task_has_security(current, SECURITY__COMPUTE_USER); 705 length = task_has_security(current, SECURITY__COMPUTE_USER);
706 if (length) 706 if (length)
707 return length; 707 return length;
708 708
709 length = -ENOMEM; 709 length = -ENOMEM;
710 con = kzalloc(size+1, GFP_KERNEL); 710 con = kzalloc(size+1, GFP_KERNEL);
711 if (!con) 711 if (!con)
712 return length; 712 return length;
713 713
714 user = kzalloc(size+1, GFP_KERNEL); 714 user = kzalloc(size+1, GFP_KERNEL);
715 if (!user) 715 if (!user)
716 goto out; 716 goto out;
717 717
718 length = -EINVAL; 718 length = -EINVAL;
719 if (sscanf(buf, "%s %s", con, user) != 2) 719 if (sscanf(buf, "%s %s", con, user) != 2)
720 goto out2; 720 goto out2;
721 721
722 length = security_context_to_sid(con, strlen(con)+1, &sid); 722 length = security_context_to_sid(con, strlen(con)+1, &sid);
723 if (length < 0) 723 if (length < 0)
724 goto out2; 724 goto out2;
725 725
726 length = security_get_user_sids(sid, user, &sids, &nsids); 726 length = security_get_user_sids(sid, user, &sids, &nsids);
727 if (length < 0) 727 if (length < 0)
728 goto out2; 728 goto out2;
729 729
730 length = sprintf(buf, "%u", nsids) + 1; 730 length = sprintf(buf, "%u", nsids) + 1;
731 ptr = buf + length; 731 ptr = buf + length;
732 for (i = 0; i < nsids; i++) { 732 for (i = 0; i < nsids; i++) {
733 rc = security_sid_to_context(sids[i], &newcon, &len); 733 rc = security_sid_to_context(sids[i], &newcon, &len);
734 if (rc) { 734 if (rc) {
735 length = rc; 735 length = rc;
736 goto out3; 736 goto out3;
737 } 737 }
738 if ((length + len) >= SIMPLE_TRANSACTION_LIMIT) { 738 if ((length + len) >= SIMPLE_TRANSACTION_LIMIT) {
739 kfree(newcon); 739 kfree(newcon);
740 length = -ERANGE; 740 length = -ERANGE;
741 goto out3; 741 goto out3;
742 } 742 }
743 memcpy(ptr, newcon, len); 743 memcpy(ptr, newcon, len);
744 kfree(newcon); 744 kfree(newcon);
745 ptr += len; 745 ptr += len;
746 length += len; 746 length += len;
747 } 747 }
748 out3: 748 out3:
749 kfree(sids); 749 kfree(sids);
750 out2: 750 out2:
751 kfree(user); 751 kfree(user);
752 out: 752 out:
753 kfree(con); 753 kfree(con);
754 return length; 754 return length;
755 } 755 }
756 756
757 static ssize_t sel_write_member(struct file * file, char *buf, size_t size) 757 static ssize_t sel_write_member(struct file * file, char *buf, size_t size)
758 { 758 {
759 char *scon, *tcon; 759 char *scon, *tcon;
760 u32 ssid, tsid, newsid; 760 u32 ssid, tsid, newsid;
761 u16 tclass; 761 u16 tclass;
762 ssize_t length; 762 ssize_t length;
763 char *newcon; 763 char *newcon;
764 u32 len; 764 u32 len;
765 765
766 length = task_has_security(current, SECURITY__COMPUTE_MEMBER); 766 length = task_has_security(current, SECURITY__COMPUTE_MEMBER);
767 if (length) 767 if (length)
768 return length; 768 return length;
769 769
770 length = -ENOMEM; 770 length = -ENOMEM;
771 scon = kzalloc(size+1, GFP_KERNEL); 771 scon = kzalloc(size+1, GFP_KERNEL);
772 if (!scon) 772 if (!scon)
773 return length; 773 return length;
774 774
775 tcon = kzalloc(size+1, GFP_KERNEL); 775 tcon = kzalloc(size+1, GFP_KERNEL);
776 if (!tcon) 776 if (!tcon)
777 goto out; 777 goto out;
778 778
779 length = -EINVAL; 779 length = -EINVAL;
780 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3) 780 if (sscanf(buf, "%s %s %hu", scon, tcon, &tclass) != 3)
781 goto out2; 781 goto out2;
782 782
783 length = security_context_to_sid(scon, strlen(scon)+1, &ssid); 783 length = security_context_to_sid(scon, strlen(scon)+1, &ssid);
784 if (length < 0) 784 if (length < 0)
785 goto out2; 785 goto out2;
786 length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid); 786 length = security_context_to_sid(tcon, strlen(tcon)+1, &tsid);
787 if (length < 0) 787 if (length < 0)
788 goto out2; 788 goto out2;
789 789
790 length = security_member_sid(ssid, tsid, tclass, &newsid); 790 length = security_member_sid(ssid, tsid, tclass, &newsid);
791 if (length < 0) 791 if (length < 0)
792 goto out2; 792 goto out2;
793 793
794 length = security_sid_to_context(newsid, &newcon, &len); 794 length = security_sid_to_context(newsid, &newcon, &len);
795 if (length < 0) 795 if (length < 0)
796 goto out2; 796 goto out2;
797 797
798 if (len > SIMPLE_TRANSACTION_LIMIT) { 798 if (len > SIMPLE_TRANSACTION_LIMIT) {
799 printk(KERN_ERR "%s: context size (%u) exceeds payload " 799 printk(KERN_ERR "%s: context size (%u) exceeds payload "
800 "max\n", __FUNCTION__, len); 800 "max\n", __FUNCTION__, len);
801 length = -ERANGE; 801 length = -ERANGE;
802 goto out3; 802 goto out3;
803 } 803 }
804 804
805 memcpy(buf, newcon, len); 805 memcpy(buf, newcon, len);
806 length = len; 806 length = len;
807 out3: 807 out3:
808 kfree(newcon); 808 kfree(newcon);
809 out2: 809 out2:
810 kfree(tcon); 810 kfree(tcon);
811 out: 811 out:
812 kfree(scon); 812 kfree(scon);
813 return length; 813 return length;
814 } 814 }
815 815
816 static struct inode *sel_make_inode(struct super_block *sb, int mode) 816 static struct inode *sel_make_inode(struct super_block *sb, int mode)
817 { 817 {
818 struct inode *ret = new_inode(sb); 818 struct inode *ret = new_inode(sb);
819 819
820 if (ret) { 820 if (ret) {
821 ret->i_mode = mode; 821 ret->i_mode = mode;
822 ret->i_uid = ret->i_gid = 0; 822 ret->i_uid = ret->i_gid = 0;
823 ret->i_blocks = 0; 823 ret->i_blocks = 0;
824 ret->i_atime = ret->i_mtime = ret->i_ctime = CURRENT_TIME; 824 ret->i_atime = ret->i_mtime = ret->i_ctime = CURRENT_TIME;
825 } 825 }
826 return ret; 826 return ret;
827 } 827 }
828 828
829 static ssize_t sel_read_bool(struct file *filep, char __user *buf, 829 static ssize_t sel_read_bool(struct file *filep, char __user *buf,
830 size_t count, loff_t *ppos) 830 size_t count, loff_t *ppos)
831 { 831 {
832 char *page = NULL; 832 char *page = NULL;
833 ssize_t length; 833 ssize_t length;
834 ssize_t ret; 834 ssize_t ret;
835 int cur_enforcing; 835 int cur_enforcing;
836 struct inode *inode = filep->f_path.dentry->d_inode; 836 struct inode *inode = filep->f_path.dentry->d_inode;
837 unsigned index = inode->i_ino & SEL_INO_MASK; 837 unsigned index = inode->i_ino & SEL_INO_MASK;
838 const char *name = filep->f_path.dentry->d_name.name; 838 const char *name = filep->f_path.dentry->d_name.name;
839 839
840 mutex_lock(&sel_mutex); 840 mutex_lock(&sel_mutex);
841 841
842 if (index >= bool_num || strcmp(name, bool_pending_names[index])) { 842 if (index >= bool_num || strcmp(name, bool_pending_names[index])) {
843 ret = -EINVAL; 843 ret = -EINVAL;
844 goto out; 844 goto out;
845 } 845 }
846 846
847 if (count > PAGE_SIZE) { 847 if (count > PAGE_SIZE) {
848 ret = -EINVAL; 848 ret = -EINVAL;
849 goto out; 849 goto out;
850 } 850 }
851 if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) { 851 if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) {
852 ret = -ENOMEM; 852 ret = -ENOMEM;
853 goto out; 853 goto out;
854 } 854 }
855 855
856 cur_enforcing = security_get_bool_value(index); 856 cur_enforcing = security_get_bool_value(index);
857 if (cur_enforcing < 0) { 857 if (cur_enforcing < 0) {
858 ret = cur_enforcing; 858 ret = cur_enforcing;
859 goto out; 859 goto out;
860 } 860 }
861 length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing, 861 length = scnprintf(page, PAGE_SIZE, "%d %d", cur_enforcing,
862 bool_pending_values[index]); 862 bool_pending_values[index]);
863 ret = simple_read_from_buffer(buf, count, ppos, page, length); 863 ret = simple_read_from_buffer(buf, count, ppos, page, length);
864 out: 864 out:
865 mutex_unlock(&sel_mutex); 865 mutex_unlock(&sel_mutex);
866 if (page) 866 if (page)
867 free_page((unsigned long)page); 867 free_page((unsigned long)page);
868 return ret; 868 return ret;
869 } 869 }
870 870
871 static ssize_t sel_write_bool(struct file *filep, const char __user *buf, 871 static ssize_t sel_write_bool(struct file *filep, const char __user *buf,
872 size_t count, loff_t *ppos) 872 size_t count, loff_t *ppos)
873 { 873 {
874 char *page = NULL; 874 char *page = NULL;
875 ssize_t length; 875 ssize_t length;
876 int new_value; 876 int new_value;
877 struct inode *inode = filep->f_path.dentry->d_inode; 877 struct inode *inode = filep->f_path.dentry->d_inode;
878 unsigned index = inode->i_ino & SEL_INO_MASK; 878 unsigned index = inode->i_ino & SEL_INO_MASK;
879 const char *name = filep->f_path.dentry->d_name.name; 879 const char *name = filep->f_path.dentry->d_name.name;
880 880
881 mutex_lock(&sel_mutex); 881 mutex_lock(&sel_mutex);
882 882
883 length = task_has_security(current, SECURITY__SETBOOL); 883 length = task_has_security(current, SECURITY__SETBOOL);
884 if (length) 884 if (length)
885 goto out; 885 goto out;
886 886
887 if (index >= bool_num || strcmp(name, bool_pending_names[index])) { 887 if (index >= bool_num || strcmp(name, bool_pending_names[index])) {
888 length = -EINVAL; 888 length = -EINVAL;
889 goto out; 889 goto out;
890 } 890 }
891 891
892 if (count >= PAGE_SIZE) { 892 if (count >= PAGE_SIZE) {
893 length = -ENOMEM; 893 length = -ENOMEM;
894 goto out; 894 goto out;
895 } 895 }
896 896
897 if (*ppos != 0) { 897 if (*ppos != 0) {
898 /* No partial writes. */ 898 /* No partial writes. */
899 length = -EINVAL; 899 length = -EINVAL;
900 goto out; 900 goto out;
901 } 901 }
902 page = (char*)get_zeroed_page(GFP_KERNEL); 902 page = (char*)get_zeroed_page(GFP_KERNEL);
903 if (!page) { 903 if (!page) {
904 length = -ENOMEM; 904 length = -ENOMEM;
905 goto out; 905 goto out;
906 } 906 }
907 907
908 length = -EFAULT; 908 length = -EFAULT;
909 if (copy_from_user(page, buf, count)) 909 if (copy_from_user(page, buf, count))
910 goto out; 910 goto out;
911 911
912 length = -EINVAL; 912 length = -EINVAL;
913 if (sscanf(page, "%d", &new_value) != 1) 913 if (sscanf(page, "%d", &new_value) != 1)
914 goto out; 914 goto out;
915 915
916 if (new_value) 916 if (new_value)
917 new_value = 1; 917 new_value = 1;
918 918
919 bool_pending_values[index] = new_value; 919 bool_pending_values[index] = new_value;
920 length = count; 920 length = count;
921 921
922 out: 922 out:
923 mutex_unlock(&sel_mutex); 923 mutex_unlock(&sel_mutex);
924 if (page) 924 if (page)
925 free_page((unsigned long) page); 925 free_page((unsigned long) page);
926 return length; 926 return length;
927 } 927 }
928 928
929 static const struct file_operations sel_bool_ops = { 929 static const struct file_operations sel_bool_ops = {
930 .read = sel_read_bool, 930 .read = sel_read_bool,
931 .write = sel_write_bool, 931 .write = sel_write_bool,
932 }; 932 };
933 933
934 static ssize_t sel_commit_bools_write(struct file *filep, 934 static ssize_t sel_commit_bools_write(struct file *filep,
935 const char __user *buf, 935 const char __user *buf,
936 size_t count, loff_t *ppos) 936 size_t count, loff_t *ppos)
937 { 937 {
938 char *page = NULL; 938 char *page = NULL;
939 ssize_t length; 939 ssize_t length;
940 int new_value; 940 int new_value;
941 941
942 mutex_lock(&sel_mutex); 942 mutex_lock(&sel_mutex);
943 943
944 length = task_has_security(current, SECURITY__SETBOOL); 944 length = task_has_security(current, SECURITY__SETBOOL);
945 if (length) 945 if (length)
946 goto out; 946 goto out;
947 947
948 if (count >= PAGE_SIZE) { 948 if (count >= PAGE_SIZE) {
949 length = -ENOMEM; 949 length = -ENOMEM;
950 goto out; 950 goto out;
951 } 951 }
952 if (*ppos != 0) { 952 if (*ppos != 0) {
953 /* No partial writes. */ 953 /* No partial writes. */
954 goto out; 954 goto out;
955 } 955 }
956 page = (char*)get_zeroed_page(GFP_KERNEL); 956 page = (char*)get_zeroed_page(GFP_KERNEL);
957 if (!page) { 957 if (!page) {
958 length = -ENOMEM; 958 length = -ENOMEM;
959 goto out; 959 goto out;
960 } 960 }
961 961
962 length = -EFAULT; 962 length = -EFAULT;
963 if (copy_from_user(page, buf, count)) 963 if (copy_from_user(page, buf, count))
964 goto out; 964 goto out;
965 965
966 length = -EINVAL; 966 length = -EINVAL;
967 if (sscanf(page, "%d", &new_value) != 1) 967 if (sscanf(page, "%d", &new_value) != 1)
968 goto out; 968 goto out;
969 969
970 if (new_value && bool_pending_values) { 970 if (new_value && bool_pending_values) {
971 security_set_bools(bool_num, bool_pending_values); 971 security_set_bools(bool_num, bool_pending_values);
972 } 972 }
973 973
974 length = count; 974 length = count;
975 975
976 out: 976 out:
977 mutex_unlock(&sel_mutex); 977 mutex_unlock(&sel_mutex);
978 if (page) 978 if (page)
979 free_page((unsigned long) page); 979 free_page((unsigned long) page);
980 return length; 980 return length;
981 } 981 }
982 982
983 static const struct file_operations sel_commit_bools_ops = { 983 static const struct file_operations sel_commit_bools_ops = {
984 .write = sel_commit_bools_write, 984 .write = sel_commit_bools_write,
985 }; 985 };
986 986
987 static void sel_remove_entries(struct dentry *de) 987 static void sel_remove_entries(struct dentry *de)
988 { 988 {
989 struct list_head *node; 989 struct list_head *node;
990 990
991 spin_lock(&dcache_lock); 991 spin_lock(&dcache_lock);
992 node = de->d_subdirs.next; 992 node = de->d_subdirs.next;
993 while (node != &de->d_subdirs) { 993 while (node != &de->d_subdirs) {
994 struct dentry *d = list_entry(node, struct dentry, d_u.d_child); 994 struct dentry *d = list_entry(node, struct dentry, d_u.d_child);
995 list_del_init(node); 995 list_del_init(node);
996 996
997 if (d->d_inode) { 997 if (d->d_inode) {
998 d = dget_locked(d); 998 d = dget_locked(d);
999 spin_unlock(&dcache_lock); 999 spin_unlock(&dcache_lock);
1000 d_delete(d); 1000 d_delete(d);
1001 simple_unlink(de->d_inode, d); 1001 simple_unlink(de->d_inode, d);
1002 dput(d); 1002 dput(d);
1003 spin_lock(&dcache_lock); 1003 spin_lock(&dcache_lock);
1004 } 1004 }
1005 node = de->d_subdirs.next; 1005 node = de->d_subdirs.next;
1006 } 1006 }
1007 1007
1008 spin_unlock(&dcache_lock); 1008 spin_unlock(&dcache_lock);
1009 } 1009 }
1010 1010
1011 #define BOOL_DIR_NAME "booleans" 1011 #define BOOL_DIR_NAME "booleans"
1012 1012
1013 static int sel_make_bools(void) 1013 static int sel_make_bools(void)
1014 { 1014 {
1015 int i, ret = 0; 1015 int i, ret = 0;
1016 ssize_t len; 1016 ssize_t len;
1017 struct dentry *dentry = NULL; 1017 struct dentry *dentry = NULL;
1018 struct dentry *dir = bool_dir; 1018 struct dentry *dir = bool_dir;
1019 struct inode *inode = NULL; 1019 struct inode *inode = NULL;
1020 struct inode_security_struct *isec; 1020 struct inode_security_struct *isec;
1021 char **names = NULL, *page; 1021 char **names = NULL, *page;
1022 int num; 1022 int num;
1023 int *values = NULL; 1023 int *values = NULL;
1024 u32 sid; 1024 u32 sid;
1025 1025
1026 /* remove any existing files */ 1026 /* remove any existing files */
1027 kfree(bool_pending_names); 1027 kfree(bool_pending_names);
1028 kfree(bool_pending_values); 1028 kfree(bool_pending_values);
1029 bool_pending_names = NULL; 1029 bool_pending_names = NULL;
1030 bool_pending_values = NULL; 1030 bool_pending_values = NULL;
1031 1031
1032 sel_remove_entries(dir); 1032 sel_remove_entries(dir);
1033 1033
1034 if (!(page = (char*)get_zeroed_page(GFP_KERNEL))) 1034 if (!(page = (char*)get_zeroed_page(GFP_KERNEL)))
1035 return -ENOMEM; 1035 return -ENOMEM;
1036 1036
1037 ret = security_get_bools(&num, &names, &values); 1037 ret = security_get_bools(&num, &names, &values);
1038 if (ret != 0) 1038 if (ret != 0)
1039 goto out; 1039 goto out;
1040 1040
1041 for (i = 0; i < num; i++) { 1041 for (i = 0; i < num; i++) {
1042 dentry = d_alloc_name(dir, names[i]); 1042 dentry = d_alloc_name(dir, names[i]);
1043 if (!dentry) { 1043 if (!dentry) {
1044 ret = -ENOMEM; 1044 ret = -ENOMEM;
1045 goto err; 1045 goto err;
1046 } 1046 }
1047 inode = sel_make_inode(dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR); 1047 inode = sel_make_inode(dir->d_sb, S_IFREG | S_IRUGO | S_IWUSR);
1048 if (!inode) { 1048 if (!inode) {
1049 ret = -ENOMEM; 1049 ret = -ENOMEM;
1050 goto err; 1050 goto err;
1051 } 1051 }
1052 1052
1053 len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]); 1053 len = snprintf(page, PAGE_SIZE, "/%s/%s", BOOL_DIR_NAME, names[i]);
1054 if (len < 0) { 1054 if (len < 0) {
1055 ret = -EINVAL; 1055 ret = -EINVAL;
1056 goto err; 1056 goto err;
1057 } else if (len >= PAGE_SIZE) { 1057 } else if (len >= PAGE_SIZE) {
1058 ret = -ENAMETOOLONG; 1058 ret = -ENAMETOOLONG;
1059 goto err; 1059 goto err;
1060 } 1060 }
1061 isec = (struct inode_security_struct*)inode->i_security; 1061 isec = (struct inode_security_struct*)inode->i_security;
1062 if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid))) 1062 if ((ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid)))
1063 goto err; 1063 goto err;
1064 isec->sid = sid; 1064 isec->sid = sid;
1065 isec->initialized = 1; 1065 isec->initialized = 1;
1066 inode->i_fop = &sel_bool_ops; 1066 inode->i_fop = &sel_bool_ops;
1067 inode->i_ino = i|SEL_BOOL_INO_OFFSET; 1067 inode->i_ino = i|SEL_BOOL_INO_OFFSET;
1068 d_add(dentry, inode); 1068 d_add(dentry, inode);
1069 } 1069 }
1070 bool_num = num; 1070 bool_num = num;
1071 bool_pending_names = names; 1071 bool_pending_names = names;
1072 bool_pending_values = values; 1072 bool_pending_values = values;
1073 out: 1073 out:
1074 free_page((unsigned long)page); 1074 free_page((unsigned long)page);
1075 return ret; 1075 return ret;
1076 err: 1076 err:
1077 if (names) { 1077 if (names) {
1078 for (i = 0; i < num; i++) 1078 for (i = 0; i < num; i++)
1079 kfree(names[i]); 1079 kfree(names[i]);
1080 kfree(names); 1080 kfree(names);
1081 } 1081 }
1082 kfree(values); 1082 kfree(values);
1083 sel_remove_entries(dir); 1083 sel_remove_entries(dir);
1084 ret = -ENOMEM; 1084 ret = -ENOMEM;
1085 goto out; 1085 goto out;
1086 } 1086 }
1087 1087
1088 #define NULL_FILE_NAME "null" 1088 #define NULL_FILE_NAME "null"
1089 1089
1090 struct dentry *selinux_null = NULL; 1090 struct dentry *selinux_null = NULL;
1091 1091
1092 static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf, 1092 static ssize_t sel_read_avc_cache_threshold(struct file *filp, char __user *buf,
1093 size_t count, loff_t *ppos) 1093 size_t count, loff_t *ppos)
1094 { 1094 {
1095 char tmpbuf[TMPBUFLEN]; 1095 char tmpbuf[TMPBUFLEN];
1096 ssize_t length; 1096 ssize_t length;
1097 1097
1098 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", avc_cache_threshold); 1098 length = scnprintf(tmpbuf, TMPBUFLEN, "%u", avc_cache_threshold);
1099 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length); 1099 return simple_read_from_buffer(buf, count, ppos, tmpbuf, length);
1100 } 1100 }
1101 1101
1102 static ssize_t sel_write_avc_cache_threshold(struct file * file, 1102 static ssize_t sel_write_avc_cache_threshold(struct file * file,
1103 const char __user * buf, 1103 const char __user * buf,
1104 size_t count, loff_t *ppos) 1104 size_t count, loff_t *ppos)
1105 1105
1106 { 1106 {
1107 char *page; 1107 char *page;
1108 ssize_t ret; 1108 ssize_t ret;
1109 int new_value; 1109 int new_value;
1110 1110
1111 if (count >= PAGE_SIZE) { 1111 if (count >= PAGE_SIZE) {
1112 ret = -ENOMEM; 1112 ret = -ENOMEM;
1113 goto out; 1113 goto out;
1114 } 1114 }
1115 1115
1116 if (*ppos != 0) { 1116 if (*ppos != 0) {
1117 /* No partial writes. */ 1117 /* No partial writes. */
1118 ret = -EINVAL; 1118 ret = -EINVAL;
1119 goto out; 1119 goto out;
1120 } 1120 }
1121 1121
1122 page = (char*)get_zeroed_page(GFP_KERNEL); 1122 page = (char*)get_zeroed_page(GFP_KERNEL);
1123 if (!page) { 1123 if (!page) {
1124 ret = -ENOMEM; 1124 ret = -ENOMEM;
1125 goto out; 1125 goto out;
1126 } 1126 }
1127 1127
1128 if (copy_from_user(page, buf, count)) { 1128 if (copy_from_user(page, buf, count)) {
1129 ret = -EFAULT; 1129 ret = -EFAULT;
1130 goto out_free; 1130 goto out_free;
1131 } 1131 }
1132 1132
1133 if (sscanf(page, "%u", &new_value) != 1) { 1133 if (sscanf(page, "%u", &new_value) != 1) {
1134 ret = -EINVAL; 1134 ret = -EINVAL;
1135 goto out; 1135 goto out;
1136 } 1136 }
1137 1137
1138 if (new_value != avc_cache_threshold) { 1138 if (new_value != avc_cache_threshold) {
1139 ret = task_has_security(current, SECURITY__SETSECPARAM); 1139 ret = task_has_security(current, SECURITY__SETSECPARAM);
1140 if (ret) 1140 if (ret)
1141 goto out_free; 1141 goto out_free;
1142 avc_cache_threshold = new_value; 1142 avc_cache_threshold = new_value;
1143 } 1143 }
1144 ret = count; 1144 ret = count;
1145 out_free: 1145 out_free:
1146 free_page((unsigned long)page); 1146 free_page((unsigned long)page);
1147 out: 1147 out:
1148 return ret; 1148 return ret;
1149 } 1149 }
1150 1150
1151 static ssize_t sel_read_avc_hash_stats(struct file *filp, char __user *buf, 1151 static ssize_t sel_read_avc_hash_stats(struct file *filp, char __user *buf,
1152 size_t count, loff_t *ppos) 1152 size_t count, loff_t *ppos)
1153 { 1153 {
1154 char *page; 1154 char *page;
1155 ssize_t ret = 0; 1155 ssize_t ret = 0;
1156 1156
1157 page = (char *)__get_free_page(GFP_KERNEL); 1157 page = (char *)__get_free_page(GFP_KERNEL);
1158 if (!page) { 1158 if (!page) {
1159 ret = -ENOMEM; 1159 ret = -ENOMEM;
1160 goto out; 1160 goto out;
1161 } 1161 }
1162 ret = avc_get_hash_stats(page); 1162 ret = avc_get_hash_stats(page);
1163 if (ret >= 0) 1163 if (ret >= 0)
1164 ret = simple_read_from_buffer(buf, count, ppos, page, ret); 1164 ret = simple_read_from_buffer(buf, count, ppos, page, ret);
1165 free_page((unsigned long)page); 1165 free_page((unsigned long)page);
1166 out: 1166 out:
1167 return ret; 1167 return ret;
1168 } 1168 }
1169 1169
1170 static const struct file_operations sel_avc_cache_threshold_ops = { 1170 static const struct file_operations sel_avc_cache_threshold_ops = {
1171 .read = sel_read_avc_cache_threshold, 1171 .read = sel_read_avc_cache_threshold,
1172 .write = sel_write_avc_cache_threshold, 1172 .write = sel_write_avc_cache_threshold,
1173 }; 1173 };
1174 1174
1175 static const struct file_operations sel_avc_hash_stats_ops = { 1175 static const struct file_operations sel_avc_hash_stats_ops = {
1176 .read = sel_read_avc_hash_stats, 1176 .read = sel_read_avc_hash_stats,
1177 }; 1177 };
1178 1178
1179 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 1179 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1180 static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx) 1180 static struct avc_cache_stats *sel_avc_get_stat_idx(loff_t *idx)
1181 { 1181 {
1182 int cpu; 1182 int cpu;
1183 1183
1184 for (cpu = *idx; cpu < NR_CPUS; ++cpu) { 1184 for (cpu = *idx; cpu < NR_CPUS; ++cpu) {
1185 if (!cpu_possible(cpu)) 1185 if (!cpu_possible(cpu))
1186 continue; 1186 continue;
1187 *idx = cpu + 1; 1187 *idx = cpu + 1;
1188 return &per_cpu(avc_cache_stats, cpu); 1188 return &per_cpu(avc_cache_stats, cpu);
1189 } 1189 }
1190 return NULL; 1190 return NULL;
1191 } 1191 }
1192 1192
1193 static void *sel_avc_stats_seq_start(struct seq_file *seq, loff_t *pos) 1193 static void *sel_avc_stats_seq_start(struct seq_file *seq, loff_t *pos)
1194 { 1194 {
1195 loff_t n = *pos - 1; 1195 loff_t n = *pos - 1;
1196 1196
1197 if (*pos == 0) 1197 if (*pos == 0)
1198 return SEQ_START_TOKEN; 1198 return SEQ_START_TOKEN;
1199 1199
1200 return sel_avc_get_stat_idx(&n); 1200 return sel_avc_get_stat_idx(&n);
1201 } 1201 }
1202 1202
1203 static void *sel_avc_stats_seq_next(struct seq_file *seq, void *v, loff_t *pos) 1203 static void *sel_avc_stats_seq_next(struct seq_file *seq, void *v, loff_t *pos)
1204 { 1204 {
1205 return sel_avc_get_stat_idx(pos); 1205 return sel_avc_get_stat_idx(pos);
1206 } 1206 }
1207 1207
1208 static int sel_avc_stats_seq_show(struct seq_file *seq, void *v) 1208 static int sel_avc_stats_seq_show(struct seq_file *seq, void *v)
1209 { 1209 {
1210 struct avc_cache_stats *st = v; 1210 struct avc_cache_stats *st = v;
1211 1211
1212 if (v == SEQ_START_TOKEN) 1212 if (v == SEQ_START_TOKEN)
1213 seq_printf(seq, "lookups hits misses allocations reclaims " 1213 seq_printf(seq, "lookups hits misses allocations reclaims "
1214 "frees\n"); 1214 "frees\n");
1215 else 1215 else
1216 seq_printf(seq, "%u %u %u %u %u %u\n", st->lookups, 1216 seq_printf(seq, "%u %u %u %u %u %u\n", st->lookups,
1217 st->hits, st->misses, st->allocations, 1217 st->hits, st->misses, st->allocations,
1218 st->reclaims, st->frees); 1218 st->reclaims, st->frees);
1219 return 0; 1219 return 0;
1220 } 1220 }
1221 1221
1222 static void sel_avc_stats_seq_stop(struct seq_file *seq, void *v) 1222 static void sel_avc_stats_seq_stop(struct seq_file *seq, void *v)
1223 { } 1223 { }
1224 1224
1225 static struct seq_operations sel_avc_cache_stats_seq_ops = { 1225 static const struct seq_operations sel_avc_cache_stats_seq_ops = {
1226 .start = sel_avc_stats_seq_start, 1226 .start = sel_avc_stats_seq_start,
1227 .next = sel_avc_stats_seq_next, 1227 .next = sel_avc_stats_seq_next,
1228 .show = sel_avc_stats_seq_show, 1228 .show = sel_avc_stats_seq_show,
1229 .stop = sel_avc_stats_seq_stop, 1229 .stop = sel_avc_stats_seq_stop,
1230 }; 1230 };
1231 1231
1232 static int sel_open_avc_cache_stats(struct inode *inode, struct file *file) 1232 static int sel_open_avc_cache_stats(struct inode *inode, struct file *file)
1233 { 1233 {
1234 return seq_open(file, &sel_avc_cache_stats_seq_ops); 1234 return seq_open(file, &sel_avc_cache_stats_seq_ops);
1235 } 1235 }
1236 1236
1237 static const struct file_operations sel_avc_cache_stats_ops = { 1237 static const struct file_operations sel_avc_cache_stats_ops = {
1238 .open = sel_open_avc_cache_stats, 1238 .open = sel_open_avc_cache_stats,
1239 .read = seq_read, 1239 .read = seq_read,
1240 .llseek = seq_lseek, 1240 .llseek = seq_lseek,
1241 .release = seq_release, 1241 .release = seq_release,
1242 }; 1242 };
1243 #endif 1243 #endif
1244 1244
1245 static int sel_make_avc_files(struct dentry *dir) 1245 static int sel_make_avc_files(struct dentry *dir)
1246 { 1246 {
1247 int i, ret = 0; 1247 int i, ret = 0;
1248 static struct tree_descr files[] = { 1248 static struct tree_descr files[] = {
1249 { "cache_threshold", 1249 { "cache_threshold",
1250 &sel_avc_cache_threshold_ops, S_IRUGO|S_IWUSR }, 1250 &sel_avc_cache_threshold_ops, S_IRUGO|S_IWUSR },
1251 { "hash_stats", &sel_avc_hash_stats_ops, S_IRUGO }, 1251 { "hash_stats", &sel_avc_hash_stats_ops, S_IRUGO },
1252 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS 1252 #ifdef CONFIG_SECURITY_SELINUX_AVC_STATS
1253 { "cache_stats", &sel_avc_cache_stats_ops, S_IRUGO }, 1253 { "cache_stats", &sel_avc_cache_stats_ops, S_IRUGO },
1254 #endif 1254 #endif
1255 }; 1255 };
1256 1256
1257 for (i = 0; i < ARRAY_SIZE(files); i++) { 1257 for (i = 0; i < ARRAY_SIZE(files); i++) {
1258 struct inode *inode; 1258 struct inode *inode;
1259 struct dentry *dentry; 1259 struct dentry *dentry;
1260 1260
1261 dentry = d_alloc_name(dir, files[i].name); 1261 dentry = d_alloc_name(dir, files[i].name);
1262 if (!dentry) { 1262 if (!dentry) {
1263 ret = -ENOMEM; 1263 ret = -ENOMEM;
1264 goto out; 1264 goto out;
1265 } 1265 }
1266 1266
1267 inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode); 1267 inode = sel_make_inode(dir->d_sb, S_IFREG|files[i].mode);
1268 if (!inode) { 1268 if (!inode) {
1269 ret = -ENOMEM; 1269 ret = -ENOMEM;
1270 goto out; 1270 goto out;
1271 } 1271 }
1272 inode->i_fop = files[i].ops; 1272 inode->i_fop = files[i].ops;
1273 inode->i_ino = ++sel_last_ino; 1273 inode->i_ino = ++sel_last_ino;
1274 d_add(dentry, inode); 1274 d_add(dentry, inode);
1275 } 1275 }
1276 out: 1276 out:
1277 return ret; 1277 return ret;
1278 } 1278 }
1279 1279
1280 static ssize_t sel_read_initcon(struct file * file, char __user *buf, 1280 static ssize_t sel_read_initcon(struct file * file, char __user *buf,
1281 size_t count, loff_t *ppos) 1281 size_t count, loff_t *ppos)
1282 { 1282 {
1283 struct inode *inode; 1283 struct inode *inode;
1284 char *con; 1284 char *con;
1285 u32 sid, len; 1285 u32 sid, len;
1286 ssize_t ret; 1286 ssize_t ret;
1287 1287
1288 inode = file->f_path.dentry->d_inode; 1288 inode = file->f_path.dentry->d_inode;
1289 sid = inode->i_ino&SEL_INO_MASK; 1289 sid = inode->i_ino&SEL_INO_MASK;
1290 ret = security_sid_to_context(sid, &con, &len); 1290 ret = security_sid_to_context(sid, &con, &len);
1291 if (ret < 0) 1291 if (ret < 0)
1292 return ret; 1292 return ret;
1293 1293
1294 ret = simple_read_from_buffer(buf, count, ppos, con, len); 1294 ret = simple_read_from_buffer(buf, count, ppos, con, len);
1295 kfree(con); 1295 kfree(con);
1296 return ret; 1296 return ret;
1297 } 1297 }
1298 1298
1299 static const struct file_operations sel_initcon_ops = { 1299 static const struct file_operations sel_initcon_ops = {
1300 .read = sel_read_initcon, 1300 .read = sel_read_initcon,
1301 }; 1301 };
1302 1302
1303 static int sel_make_initcon_files(struct dentry *dir) 1303 static int sel_make_initcon_files(struct dentry *dir)
1304 { 1304 {
1305 int i, ret = 0; 1305 int i, ret = 0;
1306 1306
1307 for (i = 1; i <= SECINITSID_NUM; i++) { 1307 for (i = 1; i <= SECINITSID_NUM; i++) {
1308 struct inode *inode; 1308 struct inode *inode;
1309 struct dentry *dentry; 1309 struct dentry *dentry;
1310 dentry = d_alloc_name(dir, security_get_initial_sid_context(i)); 1310 dentry = d_alloc_name(dir, security_get_initial_sid_context(i));
1311 if (!dentry) { 1311 if (!dentry) {
1312 ret = -ENOMEM; 1312 ret = -ENOMEM;
1313 goto out; 1313 goto out;
1314 } 1314 }
1315 1315
1316 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1316 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1317 if (!inode) { 1317 if (!inode) {
1318 ret = -ENOMEM; 1318 ret = -ENOMEM;
1319 goto out; 1319 goto out;
1320 } 1320 }
1321 inode->i_fop = &sel_initcon_ops; 1321 inode->i_fop = &sel_initcon_ops;
1322 inode->i_ino = i|SEL_INITCON_INO_OFFSET; 1322 inode->i_ino = i|SEL_INITCON_INO_OFFSET;
1323 d_add(dentry, inode); 1323 d_add(dentry, inode);
1324 } 1324 }
1325 out: 1325 out:
1326 return ret; 1326 return ret;
1327 } 1327 }
1328 1328
1329 static inline unsigned int sel_div(unsigned long a, unsigned long b) 1329 static inline unsigned int sel_div(unsigned long a, unsigned long b)
1330 { 1330 {
1331 return a / b - (a % b < 0); 1331 return a / b - (a % b < 0);
1332 } 1332 }
1333 1333
1334 static inline unsigned long sel_class_to_ino(u16 class) 1334 static inline unsigned long sel_class_to_ino(u16 class)
1335 { 1335 {
1336 return (class * (SEL_VEC_MAX + 1)) | SEL_CLASS_INO_OFFSET; 1336 return (class * (SEL_VEC_MAX + 1)) | SEL_CLASS_INO_OFFSET;
1337 } 1337 }
1338 1338
1339 static inline u16 sel_ino_to_class(unsigned long ino) 1339 static inline u16 sel_ino_to_class(unsigned long ino)
1340 { 1340 {
1341 return sel_div(ino & SEL_INO_MASK, SEL_VEC_MAX + 1); 1341 return sel_div(ino & SEL_INO_MASK, SEL_VEC_MAX + 1);
1342 } 1342 }
1343 1343
1344 static inline unsigned long sel_perm_to_ino(u16 class, u32 perm) 1344 static inline unsigned long sel_perm_to_ino(u16 class, u32 perm)
1345 { 1345 {
1346 return (class * (SEL_VEC_MAX + 1) + perm) | SEL_CLASS_INO_OFFSET; 1346 return (class * (SEL_VEC_MAX + 1) + perm) | SEL_CLASS_INO_OFFSET;
1347 } 1347 }
1348 1348
1349 static inline u32 sel_ino_to_perm(unsigned long ino) 1349 static inline u32 sel_ino_to_perm(unsigned long ino)
1350 { 1350 {
1351 return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1); 1351 return (ino & SEL_INO_MASK) % (SEL_VEC_MAX + 1);
1352 } 1352 }
1353 1353
1354 static ssize_t sel_read_class(struct file * file, char __user *buf, 1354 static ssize_t sel_read_class(struct file * file, char __user *buf,
1355 size_t count, loff_t *ppos) 1355 size_t count, loff_t *ppos)
1356 { 1356 {
1357 ssize_t rc, len; 1357 ssize_t rc, len;
1358 char *page; 1358 char *page;
1359 unsigned long ino = file->f_path.dentry->d_inode->i_ino; 1359 unsigned long ino = file->f_path.dentry->d_inode->i_ino;
1360 1360
1361 page = (char *)__get_free_page(GFP_KERNEL); 1361 page = (char *)__get_free_page(GFP_KERNEL);
1362 if (!page) { 1362 if (!page) {
1363 rc = -ENOMEM; 1363 rc = -ENOMEM;
1364 goto out; 1364 goto out;
1365 } 1365 }
1366 1366
1367 len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_class(ino)); 1367 len = snprintf(page, PAGE_SIZE, "%d", sel_ino_to_class(ino));
1368 rc = simple_read_from_buffer(buf, count, ppos, page, len); 1368 rc = simple_read_from_buffer(buf, count, ppos, page, len);
1369 free_page((unsigned long)page); 1369 free_page((unsigned long)page);
1370 out: 1370 out:
1371 return rc; 1371 return rc;
1372 } 1372 }
1373 1373
1374 static const struct file_operations sel_class_ops = { 1374 static const struct file_operations sel_class_ops = {
1375 .read = sel_read_class, 1375 .read = sel_read_class,
1376 }; 1376 };
1377 1377
1378 static ssize_t sel_read_perm(struct file * file, char __user *buf, 1378 static ssize_t sel_read_perm(struct file * file, char __user *buf,
1379 size_t count, loff_t *ppos) 1379 size_t count, loff_t *ppos)
1380 { 1380 {
1381 ssize_t rc, len; 1381 ssize_t rc, len;
1382 char *page; 1382 char *page;
1383 unsigned long ino = file->f_path.dentry->d_inode->i_ino; 1383 unsigned long ino = file->f_path.dentry->d_inode->i_ino;
1384 1384
1385 page = (char *)__get_free_page(GFP_KERNEL); 1385 page = (char *)__get_free_page(GFP_KERNEL);
1386 if (!page) { 1386 if (!page) {
1387 rc = -ENOMEM; 1387 rc = -ENOMEM;
1388 goto out; 1388 goto out;
1389 } 1389 }
1390 1390
1391 len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino)); 1391 len = snprintf(page, PAGE_SIZE,"%d", sel_ino_to_perm(ino));
1392 rc = simple_read_from_buffer(buf, count, ppos, page, len); 1392 rc = simple_read_from_buffer(buf, count, ppos, page, len);
1393 free_page((unsigned long)page); 1393 free_page((unsigned long)page);
1394 out: 1394 out:
1395 return rc; 1395 return rc;
1396 } 1396 }
1397 1397
1398 static const struct file_operations sel_perm_ops = { 1398 static const struct file_operations sel_perm_ops = {
1399 .read = sel_read_perm, 1399 .read = sel_read_perm,
1400 }; 1400 };
1401 1401
1402 static int sel_make_perm_files(char *objclass, int classvalue, 1402 static int sel_make_perm_files(char *objclass, int classvalue,
1403 struct dentry *dir) 1403 struct dentry *dir)
1404 { 1404 {
1405 int i, rc = 0, nperms; 1405 int i, rc = 0, nperms;
1406 char **perms; 1406 char **perms;
1407 1407
1408 rc = security_get_permissions(objclass, &perms, &nperms); 1408 rc = security_get_permissions(objclass, &perms, &nperms);
1409 if (rc) 1409 if (rc)
1410 goto out; 1410 goto out;
1411 1411
1412 for (i = 0; i < nperms; i++) { 1412 for (i = 0; i < nperms; i++) {
1413 struct inode *inode; 1413 struct inode *inode;
1414 struct dentry *dentry; 1414 struct dentry *dentry;
1415 1415
1416 dentry = d_alloc_name(dir, perms[i]); 1416 dentry = d_alloc_name(dir, perms[i]);
1417 if (!dentry) { 1417 if (!dentry) {
1418 rc = -ENOMEM; 1418 rc = -ENOMEM;
1419 goto out1; 1419 goto out1;
1420 } 1420 }
1421 1421
1422 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1422 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1423 if (!inode) { 1423 if (!inode) {
1424 rc = -ENOMEM; 1424 rc = -ENOMEM;
1425 goto out1; 1425 goto out1;
1426 } 1426 }
1427 inode->i_fop = &sel_perm_ops; 1427 inode->i_fop = &sel_perm_ops;
1428 /* i+1 since perm values are 1-indexed */ 1428 /* i+1 since perm values are 1-indexed */
1429 inode->i_ino = sel_perm_to_ino(classvalue, i+1); 1429 inode->i_ino = sel_perm_to_ino(classvalue, i+1);
1430 d_add(dentry, inode); 1430 d_add(dentry, inode);
1431 } 1431 }
1432 1432
1433 out1: 1433 out1:
1434 for (i = 0; i < nperms; i++) 1434 for (i = 0; i < nperms; i++)
1435 kfree(perms[i]); 1435 kfree(perms[i]);
1436 kfree(perms); 1436 kfree(perms);
1437 out: 1437 out:
1438 return rc; 1438 return rc;
1439 } 1439 }
1440 1440
1441 static int sel_make_class_dir_entries(char *classname, int index, 1441 static int sel_make_class_dir_entries(char *classname, int index,
1442 struct dentry *dir) 1442 struct dentry *dir)
1443 { 1443 {
1444 struct dentry *dentry = NULL; 1444 struct dentry *dentry = NULL;
1445 struct inode *inode = NULL; 1445 struct inode *inode = NULL;
1446 int rc; 1446 int rc;
1447 1447
1448 dentry = d_alloc_name(dir, "index"); 1448 dentry = d_alloc_name(dir, "index");
1449 if (!dentry) { 1449 if (!dentry) {
1450 rc = -ENOMEM; 1450 rc = -ENOMEM;
1451 goto out; 1451 goto out;
1452 } 1452 }
1453 1453
1454 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO); 1454 inode = sel_make_inode(dir->d_sb, S_IFREG|S_IRUGO);
1455 if (!inode) { 1455 if (!inode) {
1456 rc = -ENOMEM; 1456 rc = -ENOMEM;
1457 goto out; 1457 goto out;
1458 } 1458 }
1459 1459
1460 inode->i_fop = &sel_class_ops; 1460 inode->i_fop = &sel_class_ops;
1461 inode->i_ino = sel_class_to_ino(index); 1461 inode->i_ino = sel_class_to_ino(index);
1462 d_add(dentry, inode); 1462 d_add(dentry, inode);
1463 1463
1464 dentry = d_alloc_name(dir, "perms"); 1464 dentry = d_alloc_name(dir, "perms");
1465 if (!dentry) { 1465 if (!dentry) {
1466 rc = -ENOMEM; 1466 rc = -ENOMEM;
1467 goto out; 1467 goto out;
1468 } 1468 }
1469 1469
1470 rc = sel_make_dir(dir->d_inode, dentry, &last_class_ino); 1470 rc = sel_make_dir(dir->d_inode, dentry, &last_class_ino);
1471 if (rc) 1471 if (rc)
1472 goto out; 1472 goto out;
1473 1473
1474 rc = sel_make_perm_files(classname, index, dentry); 1474 rc = sel_make_perm_files(classname, index, dentry);
1475 1475
1476 out: 1476 out:
1477 return rc; 1477 return rc;
1478 } 1478 }
1479 1479
1480 static void sel_remove_classes(void) 1480 static void sel_remove_classes(void)
1481 { 1481 {
1482 struct list_head *class_node; 1482 struct list_head *class_node;
1483 1483
1484 list_for_each(class_node, &class_dir->d_subdirs) { 1484 list_for_each(class_node, &class_dir->d_subdirs) {
1485 struct dentry *class_subdir = list_entry(class_node, 1485 struct dentry *class_subdir = list_entry(class_node,
1486 struct dentry, d_u.d_child); 1486 struct dentry, d_u.d_child);
1487 struct list_head *class_subdir_node; 1487 struct list_head *class_subdir_node;
1488 1488
1489 list_for_each(class_subdir_node, &class_subdir->d_subdirs) { 1489 list_for_each(class_subdir_node, &class_subdir->d_subdirs) {
1490 struct dentry *d = list_entry(class_subdir_node, 1490 struct dentry *d = list_entry(class_subdir_node,
1491 struct dentry, d_u.d_child); 1491 struct dentry, d_u.d_child);
1492 1492
1493 if (d->d_inode) 1493 if (d->d_inode)
1494 if (d->d_inode->i_mode & S_IFDIR) 1494 if (d->d_inode->i_mode & S_IFDIR)
1495 sel_remove_entries(d); 1495 sel_remove_entries(d);
1496 } 1496 }
1497 1497
1498 sel_remove_entries(class_subdir); 1498 sel_remove_entries(class_subdir);
1499 } 1499 }
1500 1500
1501 sel_remove_entries(class_dir); 1501 sel_remove_entries(class_dir);
1502 } 1502 }
1503 1503
1504 static int sel_make_classes(void) 1504 static int sel_make_classes(void)
1505 { 1505 {
1506 int rc = 0, nclasses, i; 1506 int rc = 0, nclasses, i;
1507 char **classes; 1507 char **classes;
1508 1508
1509 /* delete any existing entries */ 1509 /* delete any existing entries */
1510 sel_remove_classes(); 1510 sel_remove_classes();
1511 1511
1512 rc = security_get_classes(&classes, &nclasses); 1512 rc = security_get_classes(&classes, &nclasses);
1513 if (rc < 0) 1513 if (rc < 0)
1514 goto out; 1514 goto out;
1515 1515
1516 /* +2 since classes are 1-indexed */ 1516 /* +2 since classes are 1-indexed */
1517 last_class_ino = sel_class_to_ino(nclasses+2); 1517 last_class_ino = sel_class_to_ino(nclasses+2);
1518 1518
1519 for (i = 0; i < nclasses; i++) { 1519 for (i = 0; i < nclasses; i++) {
1520 struct dentry *class_name_dir; 1520 struct dentry *class_name_dir;
1521 1521
1522 class_name_dir = d_alloc_name(class_dir, classes[i]); 1522 class_name_dir = d_alloc_name(class_dir, classes[i]);
1523 if (!class_name_dir) { 1523 if (!class_name_dir) {
1524 rc = -ENOMEM; 1524 rc = -ENOMEM;
1525 goto out1; 1525 goto out1;
1526 } 1526 }
1527 1527
1528 rc = sel_make_dir(class_dir->d_inode, class_name_dir, 1528 rc = sel_make_dir(class_dir->d_inode, class_name_dir,
1529 &last_class_ino); 1529 &last_class_ino);
1530 if (rc) 1530 if (rc)
1531 goto out1; 1531 goto out1;
1532 1532
1533 /* i+1 since class values are 1-indexed */ 1533 /* i+1 since class values are 1-indexed */
1534 rc = sel_make_class_dir_entries(classes[i], i+1, 1534 rc = sel_make_class_dir_entries(classes[i], i+1,
1535 class_name_dir); 1535 class_name_dir);
1536 if (rc) 1536 if (rc)
1537 goto out1; 1537 goto out1;
1538 } 1538 }
1539 1539
1540 out1: 1540 out1:
1541 for (i = 0; i < nclasses; i++) 1541 for (i = 0; i < nclasses; i++)
1542 kfree(classes[i]); 1542 kfree(classes[i]);
1543 kfree(classes); 1543 kfree(classes);
1544 out: 1544 out:
1545 return rc; 1545 return rc;
1546 } 1546 }
1547 1547
1548 static int sel_make_dir(struct inode *dir, struct dentry *dentry, 1548 static int sel_make_dir(struct inode *dir, struct dentry *dentry,
1549 unsigned long *ino) 1549 unsigned long *ino)
1550 { 1550 {
1551 int ret = 0; 1551 int ret = 0;
1552 struct inode *inode; 1552 struct inode *inode;
1553 1553
1554 inode = sel_make_inode(dir->i_sb, S_IFDIR | S_IRUGO | S_IXUGO); 1554 inode = sel_make_inode(dir->i_sb, S_IFDIR | S_IRUGO | S_IXUGO);
1555 if (!inode) { 1555 if (!inode) {
1556 ret = -ENOMEM; 1556 ret = -ENOMEM;
1557 goto out; 1557 goto out;
1558 } 1558 }
1559 inode->i_op = &simple_dir_inode_operations; 1559 inode->i_op = &simple_dir_inode_operations;
1560 inode->i_fop = &simple_dir_operations; 1560 inode->i_fop = &simple_dir_operations;
1561 inode->i_ino = ++(*ino); 1561 inode->i_ino = ++(*ino);
1562 /* directory inodes start off with i_nlink == 2 (for "." entry) */ 1562 /* directory inodes start off with i_nlink == 2 (for "." entry) */
1563 inc_nlink(inode); 1563 inc_nlink(inode);
1564 d_add(dentry, inode); 1564 d_add(dentry, inode);
1565 /* bump link count on parent directory, too */ 1565 /* bump link count on parent directory, too */
1566 inc_nlink(dir); 1566 inc_nlink(dir);
1567 out: 1567 out:
1568 return ret; 1568 return ret;
1569 } 1569 }
1570 1570
1571 static int sel_fill_super(struct super_block * sb, void * data, int silent) 1571 static int sel_fill_super(struct super_block * sb, void * data, int silent)
1572 { 1572 {
1573 int ret; 1573 int ret;
1574 struct dentry *dentry; 1574 struct dentry *dentry;
1575 struct inode *inode, *root_inode; 1575 struct inode *inode, *root_inode;
1576 struct inode_security_struct *isec; 1576 struct inode_security_struct *isec;
1577 1577
1578 static struct tree_descr selinux_files[] = { 1578 static struct tree_descr selinux_files[] = {
1579 [SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR}, 1579 [SEL_LOAD] = {"load", &sel_load_ops, S_IRUSR|S_IWUSR},
1580 [SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR}, 1580 [SEL_ENFORCE] = {"enforce", &sel_enforce_ops, S_IRUGO|S_IWUSR},
1581 [SEL_CONTEXT] = {"context", &transaction_ops, S_IRUGO|S_IWUGO}, 1581 [SEL_CONTEXT] = {"context", &transaction_ops, S_IRUGO|S_IWUGO},
1582 [SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO}, 1582 [SEL_ACCESS] = {"access", &transaction_ops, S_IRUGO|S_IWUGO},
1583 [SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO}, 1583 [SEL_CREATE] = {"create", &transaction_ops, S_IRUGO|S_IWUGO},
1584 [SEL_RELABEL] = {"relabel", &transaction_ops, S_IRUGO|S_IWUGO}, 1584 [SEL_RELABEL] = {"relabel", &transaction_ops, S_IRUGO|S_IWUGO},
1585 [SEL_USER] = {"user", &transaction_ops, S_IRUGO|S_IWUGO}, 1585 [SEL_USER] = {"user", &transaction_ops, S_IRUGO|S_IWUGO},
1586 [SEL_POLICYVERS] = {"policyvers", &sel_policyvers_ops, S_IRUGO}, 1586 [SEL_POLICYVERS] = {"policyvers", &sel_policyvers_ops, S_IRUGO},
1587 [SEL_COMMIT_BOOLS] = {"commit_pending_bools", &sel_commit_bools_ops, S_IWUSR}, 1587 [SEL_COMMIT_BOOLS] = {"commit_pending_bools", &sel_commit_bools_ops, S_IWUSR},
1588 [SEL_MLS] = {"mls", &sel_mls_ops, S_IRUGO}, 1588 [SEL_MLS] = {"mls", &sel_mls_ops, S_IRUGO},
1589 [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR}, 1589 [SEL_DISABLE] = {"disable", &sel_disable_ops, S_IWUSR},
1590 [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO}, 1590 [SEL_MEMBER] = {"member", &transaction_ops, S_IRUGO|S_IWUGO},
1591 [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR}, 1591 [SEL_CHECKREQPROT] = {"checkreqprot", &sel_checkreqprot_ops, S_IRUGO|S_IWUSR},
1592 [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR}, 1592 [SEL_COMPAT_NET] = {"compat_net", &sel_compat_net_ops, S_IRUGO|S_IWUSR},
1593 [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO}, 1593 [SEL_REJECT_UNKNOWN] = {"reject_unknown", &sel_handle_unknown_ops, S_IRUGO},
1594 [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO}, 1594 [SEL_DENY_UNKNOWN] = {"deny_unknown", &sel_handle_unknown_ops, S_IRUGO},
1595 /* last one */ {""} 1595 /* last one */ {""}
1596 }; 1596 };
1597 ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files); 1597 ret = simple_fill_super(sb, SELINUX_MAGIC, selinux_files);
1598 if (ret) 1598 if (ret)
1599 goto err; 1599 goto err;
1600 1600
1601 root_inode = sb->s_root->d_inode; 1601 root_inode = sb->s_root->d_inode;
1602 1602
1603 dentry = d_alloc_name(sb->s_root, BOOL_DIR_NAME); 1603 dentry = d_alloc_name(sb->s_root, BOOL_DIR_NAME);
1604 if (!dentry) { 1604 if (!dentry) {
1605 ret = -ENOMEM; 1605 ret = -ENOMEM;
1606 goto err; 1606 goto err;
1607 } 1607 }
1608 1608
1609 ret = sel_make_dir(root_inode, dentry, &sel_last_ino); 1609 ret = sel_make_dir(root_inode, dentry, &sel_last_ino);
1610 if (ret) 1610 if (ret)
1611 goto err; 1611 goto err;
1612 1612
1613 bool_dir = dentry; 1613 bool_dir = dentry;
1614 1614
1615 dentry = d_alloc_name(sb->s_root, NULL_FILE_NAME); 1615 dentry = d_alloc_name(sb->s_root, NULL_FILE_NAME);
1616 if (!dentry) { 1616 if (!dentry) {
1617 ret = -ENOMEM; 1617 ret = -ENOMEM;
1618 goto err; 1618 goto err;
1619 } 1619 }
1620 1620
1621 inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO); 1621 inode = sel_make_inode(sb, S_IFCHR | S_IRUGO | S_IWUGO);
1622 if (!inode) { 1622 if (!inode) {
1623 ret = -ENOMEM; 1623 ret = -ENOMEM;
1624 goto err; 1624 goto err;
1625 } 1625 }
1626 inode->i_ino = ++sel_last_ino; 1626 inode->i_ino = ++sel_last_ino;
1627 isec = (struct inode_security_struct*)inode->i_security; 1627 isec = (struct inode_security_struct*)inode->i_security;
1628 isec->sid = SECINITSID_DEVNULL; 1628 isec->sid = SECINITSID_DEVNULL;
1629 isec->sclass = SECCLASS_CHR_FILE; 1629 isec->sclass = SECCLASS_CHR_FILE;
1630 isec->initialized = 1; 1630 isec->initialized = 1;
1631 1631
1632 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR, 3)); 1632 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, MKDEV(MEM_MAJOR, 3));
1633 d_add(dentry, inode); 1633 d_add(dentry, inode);
1634 selinux_null = dentry; 1634 selinux_null = dentry;
1635 1635
1636 dentry = d_alloc_name(sb->s_root, "avc"); 1636 dentry = d_alloc_name(sb->s_root, "avc");
1637 if (!dentry) { 1637 if (!dentry) {
1638 ret = -ENOMEM; 1638 ret = -ENOMEM;
1639 goto err; 1639 goto err;
1640 } 1640 }
1641 1641
1642 ret = sel_make_dir(root_inode, dentry, &sel_last_ino); 1642 ret = sel_make_dir(root_inode, dentry, &sel_last_ino);
1643 if (ret) 1643 if (ret)
1644 goto err; 1644 goto err;
1645 1645
1646 ret = sel_make_avc_files(dentry); 1646 ret = sel_make_avc_files(dentry);
1647 if (ret) 1647 if (ret)
1648 goto err; 1648 goto err;
1649 1649
1650 dentry = d_alloc_name(sb->s_root, "initial_contexts"); 1650 dentry = d_alloc_name(sb->s_root, "initial_contexts");
1651 if (!dentry) { 1651 if (!dentry) {
1652 ret = -ENOMEM; 1652 ret = -ENOMEM;
1653 goto err; 1653 goto err;
1654 } 1654 }
1655 1655
1656 ret = sel_make_dir(root_inode, dentry, &sel_last_ino); 1656 ret = sel_make_dir(root_inode, dentry, &sel_last_ino);
1657 if (ret) 1657 if (ret)
1658 goto err; 1658 goto err;
1659 1659
1660 ret = sel_make_initcon_files(dentry); 1660 ret = sel_make_initcon_files(dentry);
1661 if (ret) 1661 if (ret)
1662 goto err; 1662 goto err;
1663 1663
1664 dentry = d_alloc_name(sb->s_root, "class"); 1664 dentry = d_alloc_name(sb->s_root, "class");
1665 if (!dentry) { 1665 if (!dentry) {
1666 ret = -ENOMEM; 1666 ret = -ENOMEM;
1667 goto err; 1667 goto err;
1668 } 1668 }
1669 1669
1670 ret = sel_make_dir(root_inode, dentry, &sel_last_ino); 1670 ret = sel_make_dir(root_inode, dentry, &sel_last_ino);
1671 if (ret) 1671 if (ret)
1672 goto err; 1672 goto err;
1673 1673
1674 class_dir = dentry; 1674 class_dir = dentry;
1675 1675
1676 out: 1676 out:
1677 return ret; 1677 return ret;
1678 err: 1678 err:
1679 printk(KERN_ERR "%s: failed while creating inodes\n", __FUNCTION__); 1679 printk(KERN_ERR "%s: failed while creating inodes\n", __FUNCTION__);
1680 goto out; 1680 goto out;
1681 } 1681 }
1682 1682
1683 static int sel_get_sb(struct file_system_type *fs_type, 1683 static int sel_get_sb(struct file_system_type *fs_type,
1684 int flags, const char *dev_name, void *data, 1684 int flags, const char *dev_name, void *data,
1685 struct vfsmount *mnt) 1685 struct vfsmount *mnt)
1686 { 1686 {
1687 return get_sb_single(fs_type, flags, data, sel_fill_super, mnt); 1687 return get_sb_single(fs_type, flags, data, sel_fill_super, mnt);
1688 } 1688 }
1689 1689
1690 static struct file_system_type sel_fs_type = { 1690 static struct file_system_type sel_fs_type = {
1691 .name = "selinuxfs", 1691 .name = "selinuxfs",
1692 .get_sb = sel_get_sb, 1692 .get_sb = sel_get_sb,
1693 .kill_sb = kill_litter_super, 1693 .kill_sb = kill_litter_super,
1694 }; 1694 };
1695 1695
1696 struct vfsmount *selinuxfs_mount; 1696 struct vfsmount *selinuxfs_mount;
1697 1697
1698 static int __init init_sel_fs(void) 1698 static int __init init_sel_fs(void)
1699 { 1699 {
1700 int err; 1700 int err;
1701 1701
1702 if (!selinux_enabled) 1702 if (!selinux_enabled)
1703 return 0; 1703 return 0;
1704 err = register_filesystem(&sel_fs_type); 1704 err = register_filesystem(&sel_fs_type);
1705 if (!err) { 1705 if (!err) {
1706 selinuxfs_mount = kern_mount(&sel_fs_type); 1706 selinuxfs_mount = kern_mount(&sel_fs_type);
1707 if (IS_ERR(selinuxfs_mount)) { 1707 if (IS_ERR(selinuxfs_mount)) {
1708 printk(KERN_ERR "selinuxfs: could not mount!\n"); 1708 printk(KERN_ERR "selinuxfs: could not mount!\n");
1709 err = PTR_ERR(selinuxfs_mount); 1709 err = PTR_ERR(selinuxfs_mount);
1710 selinuxfs_mount = NULL; 1710 selinuxfs_mount = NULL;
1711 } 1711 }
1712 } 1712 }
1713 return err; 1713 return err;
1714 } 1714 }
1715 1715
1716 __initcall(init_sel_fs); 1716 __initcall(init_sel_fs);
1717 1717
1718 #ifdef CONFIG_SECURITY_SELINUX_DISABLE 1718 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
1719 void exit_sel_fs(void) 1719 void exit_sel_fs(void)
1720 { 1720 {
1721 unregister_filesystem(&sel_fs_type); 1721 unregister_filesystem(&sel_fs_type);
1722 } 1722 }
1723 #endif 1723 #endif
1724 1724