Gitiles
Code Review Sign In
gerrit.openfyde.cn / github.com / raspberrypi / raspberrypi-kernel / 3c4ed7bdf5997d8020cbb8d4abbef2fcfb9f1284 / . / include / linux / lsm_hooks.h
blob: c60f81b2d18cf513fb5b0e8aeecbf18bd8168a5b [file] [log] [blame]
Casey Schaufler3c4ed7b2015-05-02 15:10:46 -0700[diff] [blame^]1/*
2 * Linux Security Module interfaces
3 *
4 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
5 * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
6 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
7 * Copyright (C) 2001 James Morris <jmorris@intercode.com.au>
8 * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
9 * Copyright (C) 2015 Intel Corporation.
10 * Copyright (C) 2015 Casey Schaufler <casey@schaufler-ca.com>
11 *
12 * This program is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
16 *
17 * Due to this file being licensed under the GPL there is controversy over
18 * whether this permits you to write a module that #includes this file
19 * without placing your module under the GPL. Please consult a lawyer for
20 * advice before doing this.
21 *
22 */
23
24#ifndef __LINUX_LSM_HOOKS_H
25#define __LINUX_LSM_HOOKS_H
26
27#include <linux/security.h>
28
29/* Maximum number of letters for an LSM name string */
30#define SECURITY_NAME_MAX 10
31
32#ifdef CONFIG_SECURITY
33
34struct security_operations {
35 char name[SECURITY_NAME_MAX + 1];
36
37 int (*binder_set_context_mgr)(struct task_struct *mgr);
38 int (*binder_transaction)(struct task_struct *from,
39 struct task_struct *to);
40 int (*binder_transfer_binder)(struct task_struct *from,
41 struct task_struct *to);
42 int (*binder_transfer_file)(struct task_struct *from,
43 struct task_struct *to,
44 struct file *file);
45
46 int (*ptrace_access_check)(struct task_struct *child,
47 unsigned int mode);
48 int (*ptrace_traceme)(struct task_struct *parent);
49 int (*capget)(struct task_struct *target, kernel_cap_t *effective,
50 kernel_cap_t *inheritable, kernel_cap_t *permitted);
51 int (*capset)(struct cred *new, const struct cred *old,
52 const kernel_cap_t *effective,
53 const kernel_cap_t *inheritable,
54 const kernel_cap_t *permitted);
55 int (*capable)(const struct cred *cred, struct user_namespace *ns,
56 int cap, int audit);
57 int (*quotactl)(int cmds, int type, int id, struct super_block *sb);
58 int (*quota_on)(struct dentry *dentry);
59 int (*syslog)(int type);
60 int (*settime)(const struct timespec *ts, const struct timezone *tz);
61 int (*vm_enough_memory)(struct mm_struct *mm, long pages);
62
63 int (*bprm_set_creds)(struct linux_binprm *bprm);
64 int (*bprm_check_security)(struct linux_binprm *bprm);
65 int (*bprm_secureexec)(struct linux_binprm *bprm);
66 void (*bprm_committing_creds)(struct linux_binprm *bprm);
67 void (*bprm_committed_creds)(struct linux_binprm *bprm);
68
69 int (*sb_alloc_security)(struct super_block *sb);
70 void (*sb_free_security)(struct super_block *sb);
71 int (*sb_copy_data)(char *orig, char *copy);
72 int (*sb_remount)(struct super_block *sb, void *data);
73 int (*sb_kern_mount)(struct super_block *sb, int flags, void *data);
74 int (*sb_show_options)(struct seq_file *m, struct super_block *sb);
75 int (*sb_statfs)(struct dentry *dentry);
76 int (*sb_mount)(const char *dev_name, struct path *path,
77 const char *type, unsigned long flags, void *data);
78 int (*sb_umount)(struct vfsmount *mnt, int flags);
79 int (*sb_pivotroot)(struct path *old_path, struct path *new_path);
80 int (*sb_set_mnt_opts)(struct super_block *sb,
81 struct security_mnt_opts *opts,
82 unsigned long kern_flags,
83 unsigned long *set_kern_flags);
84 int (*sb_clone_mnt_opts)(const struct super_block *oldsb,
85 struct super_block *newsb);
86 int (*sb_parse_opts_str)(char *options, struct security_mnt_opts *opts);
87 int (*dentry_init_security)(struct dentry *dentry, int mode,
88 struct qstr *name, void **ctx,
89 u32 *ctxlen);
90
91
92#ifdef CONFIG_SECURITY_PATH
93 int (*path_unlink)(struct path *dir, struct dentry *dentry);
94 int (*path_mkdir)(struct path *dir, struct dentry *dentry,
95 umode_t mode);
96 int (*path_rmdir)(struct path *dir, struct dentry *dentry);
97 int (*path_mknod)(struct path *dir, struct dentry *dentry,
98 umode_t mode, unsigned int dev);
99 int (*path_truncate)(struct path *path);
100 int (*path_symlink)(struct path *dir, struct dentry *dentry,
101 const char *old_name);
102 int (*path_link)(struct dentry *old_dentry, struct path *new_dir,
103 struct dentry *new_dentry);
104 int (*path_rename)(struct path *old_dir, struct dentry *old_dentry,
105 struct path *new_dir,
106 struct dentry *new_dentry);
107 int (*path_chmod)(struct path *path, umode_t mode);
108 int (*path_chown)(struct path *path, kuid_t uid, kgid_t gid);
109 int (*path_chroot)(struct path *path);
110#endif
111
112 int (*inode_alloc_security)(struct inode *inode);
113 void (*inode_free_security)(struct inode *inode);
114 int (*inode_init_security)(struct inode *inode, struct inode *dir,
115 const struct qstr *qstr,
116 const char **name, void **value,
117 size_t *len);
118 int (*inode_create)(struct inode *dir, struct dentry *dentry,
119 umode_t mode);
120 int (*inode_link)(struct dentry *old_dentry, struct inode *dir,
121 struct dentry *new_dentry);
122 int (*inode_unlink)(struct inode *dir, struct dentry *dentry);
123 int (*inode_symlink)(struct inode *dir, struct dentry *dentry,
124 const char *old_name);
125 int (*inode_mkdir)(struct inode *dir, struct dentry *dentry,
126 umode_t mode);
127 int (*inode_rmdir)(struct inode *dir, struct dentry *dentry);
128 int (*inode_mknod)(struct inode *dir, struct dentry *dentry,
129 umode_t mode, dev_t dev);
130 int (*inode_rename)(struct inode *old_dir, struct dentry *old_dentry,
131 struct inode *new_dir,
132 struct dentry *new_dentry);
133 int (*inode_readlink)(struct dentry *dentry);
134 int (*inode_follow_link)(struct dentry *dentry, struct nameidata *nd);
135 int (*inode_permission)(struct inode *inode, int mask);
136 int (*inode_setattr)(struct dentry *dentry, struct iattr *attr);
137 int (*inode_getattr)(const struct path *path);
138 int (*inode_setxattr)(struct dentry *dentry, const char *name,
139 const void *value, size_t size, int flags);
140 void (*inode_post_setxattr)(struct dentry *dentry, const char *name,
141 const void *value, size_t size,
142 int flags);
143 int (*inode_getxattr)(struct dentry *dentry, const char *name);
144 int (*inode_listxattr)(struct dentry *dentry);
145 int (*inode_removexattr)(struct dentry *dentry, const char *name);
146 int (*inode_need_killpriv)(struct dentry *dentry);
147 int (*inode_killpriv)(struct dentry *dentry);
148 int (*inode_getsecurity)(const struct inode *inode, const char *name,
149 void **buffer, bool alloc);
150 int (*inode_setsecurity)(struct inode *inode, const char *name,
151 const void *value, size_t size,
152 int flags);
153 int (*inode_listsecurity)(struct inode *inode, char *buffer,
154 size_t buffer_size);
155 void (*inode_getsecid)(const struct inode *inode, u32 *secid);
156
157 int (*file_permission)(struct file *file, int mask);
158 int (*file_alloc_security)(struct file *file);
159 void (*file_free_security)(struct file *file);
160 int (*file_ioctl)(struct file *file, unsigned int cmd,
161 unsigned long arg);
162 int (*mmap_addr)(unsigned long addr);
163 int (*mmap_file)(struct file *file, unsigned long reqprot,
164 unsigned long prot, unsigned long flags);
165 int (*file_mprotect)(struct vm_area_struct *vma, unsigned long reqprot,
166 unsigned long prot);
167 int (*file_lock)(struct file *file, unsigned int cmd);
168 int (*file_fcntl)(struct file *file, unsigned int cmd,
169 unsigned long arg);
170 void (*file_set_fowner)(struct file *file);
171 int (*file_send_sigiotask)(struct task_struct *tsk,
172 struct fown_struct *fown, int sig);
173 int (*file_receive)(struct file *file);
174 int (*file_open)(struct file *file, const struct cred *cred);
175
176 int (*task_create)(unsigned long clone_flags);
177 void (*task_free)(struct task_struct *task);
178 int (*cred_alloc_blank)(struct cred *cred, gfp_t gfp);
179 void (*cred_free)(struct cred *cred);
180 int (*cred_prepare)(struct cred *new, const struct cred *old,
181 gfp_t gfp);
182 void (*cred_transfer)(struct cred *new, const struct cred *old);
183 int (*kernel_act_as)(struct cred *new, u32 secid);
184 int (*kernel_create_files_as)(struct cred *new, struct inode *inode);
185 int (*kernel_fw_from_file)(struct file *file, char *buf, size_t size);
186 int (*kernel_module_request)(char *kmod_name);
187 int (*kernel_module_from_file)(struct file *file);
188 int (*task_fix_setuid)(struct cred *new, const struct cred *old,
189 int flags);
190 int (*task_setpgid)(struct task_struct *p, pid_t pgid);
191 int (*task_getpgid)(struct task_struct *p);
192 int (*task_getsid)(struct task_struct *p);
193 void (*task_getsecid)(struct task_struct *p, u32 *secid);
194 int (*task_setnice)(struct task_struct *p, int nice);
195 int (*task_setioprio)(struct task_struct *p, int ioprio);
196 int (*task_getioprio)(struct task_struct *p);
197 int (*task_setrlimit)(struct task_struct *p, unsigned int resource,
198 struct rlimit *new_rlim);
199 int (*task_setscheduler)(struct task_struct *p);
200 int (*task_getscheduler)(struct task_struct *p);
201 int (*task_movememory)(struct task_struct *p);
202 int (*task_kill)(struct task_struct *p, struct siginfo *info,
203 int sig, u32 secid);
204 int (*task_wait)(struct task_struct *p);
205 int (*task_prctl)(int option, unsigned long arg2, unsigned long arg3,
206 unsigned long arg4, unsigned long arg5);
207 void (*task_to_inode)(struct task_struct *p, struct inode *inode);
208
209 int (*ipc_permission)(struct kern_ipc_perm *ipcp, short flag);
210 void (*ipc_getsecid)(struct kern_ipc_perm *ipcp, u32 *secid);
211
212 int (*msg_msg_alloc_security)(struct msg_msg *msg);
213 void (*msg_msg_free_security)(struct msg_msg *msg);
214
215 int (*msg_queue_alloc_security)(struct msg_queue *msq);
216 void (*msg_queue_free_security)(struct msg_queue *msq);
217 int (*msg_queue_associate)(struct msg_queue *msq, int msqflg);
218 int (*msg_queue_msgctl)(struct msg_queue *msq, int cmd);
219 int (*msg_queue_msgsnd)(struct msg_queue *msq, struct msg_msg *msg,
220 int msqflg);
221 int (*msg_queue_msgrcv)(struct msg_queue *msq, struct msg_msg *msg,
222 struct task_struct *target, long type,
223 int mode);
224
225 int (*shm_alloc_security)(struct shmid_kernel *shp);
226 void (*shm_free_security)(struct shmid_kernel *shp);
227 int (*shm_associate)(struct shmid_kernel *shp, int shmflg);
228 int (*shm_shmctl)(struct shmid_kernel *shp, int cmd);
229 int (*shm_shmat)(struct shmid_kernel *shp, char __user *shmaddr,
230 int shmflg);
231
232 int (*sem_alloc_security)(struct sem_array *sma);
233 void (*sem_free_security)(struct sem_array *sma);
234 int (*sem_associate)(struct sem_array *sma, int semflg);
235 int (*sem_semctl)(struct sem_array *sma, int cmd);
236 int (*sem_semop)(struct sem_array *sma, struct sembuf *sops,
237 unsigned nsops, int alter);
238
239 int (*netlink_send)(struct sock *sk, struct sk_buff *skb);
240
241 void (*d_instantiate)(struct dentry *dentry, struct inode *inode);
242
243 int (*getprocattr)(struct task_struct *p, char *name, char **value);
244 int (*setprocattr)(struct task_struct *p, char *name, void *value,
245 size_t size);
246 int (*ismaclabel)(const char *name);
247 int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
248 int (*secctx_to_secid)(const char *secdata, u32 seclen, u32 *secid);
249 void (*release_secctx)(char *secdata, u32 seclen);
250
251 int (*inode_notifysecctx)(struct inode *inode, void *ctx, u32 ctxlen);
252 int (*inode_setsecctx)(struct dentry *dentry, void *ctx, u32 ctxlen);
253 int (*inode_getsecctx)(struct inode *inode, void **ctx, u32 *ctxlen);
254
255#ifdef CONFIG_SECURITY_NETWORK
256 int (*unix_stream_connect)(struct sock *sock, struct sock *other,
257 struct sock *newsk);
258 int (*unix_may_send)(struct socket *sock, struct socket *other);
259
260 int (*socket_create)(int family, int type, int protocol, int kern);
261 int (*socket_post_create)(struct socket *sock, int family, int type,
262 int protocol, int kern);
263 int (*socket_bind)(struct socket *sock, struct sockaddr *address,
264 int addrlen);
265 int (*socket_connect)(struct socket *sock, struct sockaddr *address,
266 int addrlen);
267 int (*socket_listen)(struct socket *sock, int backlog);
268 int (*socket_accept)(struct socket *sock, struct socket *newsock);
269 int (*socket_sendmsg)(struct socket *sock, struct msghdr *msg,
270 int size);
271 int (*socket_recvmsg)(struct socket *sock, struct msghdr *msg,
272 int size, int flags);
273 int (*socket_getsockname)(struct socket *sock);
274 int (*socket_getpeername)(struct socket *sock);
275 int (*socket_getsockopt)(struct socket *sock, int level, int optname);
276 int (*socket_setsockopt)(struct socket *sock, int level, int optname);
277 int (*socket_shutdown)(struct socket *sock, int how);
278 int (*socket_sock_rcv_skb)(struct sock *sk, struct sk_buff *skb);
279 int (*socket_getpeersec_stream)(struct socket *sock,
280 char __user *optval,
281 int __user *optlen, unsigned len);
282 int (*socket_getpeersec_dgram)(struct socket *sock,
283 struct sk_buff *skb, u32 *secid);
284 int (*sk_alloc_security)(struct sock *sk, int family, gfp_t priority);
285 void (*sk_free_security)(struct sock *sk);
286 void (*sk_clone_security)(const struct sock *sk, struct sock *newsk);
287 void (*sk_getsecid)(struct sock *sk, u32 *secid);
288 void (*sock_graft)(struct sock *sk, struct socket *parent);
289 int (*inet_conn_request)(struct sock *sk, struct sk_buff *skb,
290 struct request_sock *req);
291 void (*inet_csk_clone)(struct sock *newsk,
292 const struct request_sock *req);
293 void (*inet_conn_established)(struct sock *sk, struct sk_buff *skb);
294 int (*secmark_relabel_packet)(u32 secid);
295 void (*secmark_refcount_inc)(void);
296 void (*secmark_refcount_dec)(void);
297 void (*req_classify_flow)(const struct request_sock *req,
298 struct flowi *fl);
299 int (*tun_dev_alloc_security)(void **security);
300 void (*tun_dev_free_security)(void *security);
301 int (*tun_dev_create)(void);
302 int (*tun_dev_attach_queue)(void *security);
303 int (*tun_dev_attach)(struct sock *sk, void *security);
304 int (*tun_dev_open)(void *security);
305#endif /* CONFIG_SECURITY_NETWORK */
306
307#ifdef CONFIG_SECURITY_NETWORK_XFRM
308 int (*xfrm_policy_alloc_security)(struct xfrm_sec_ctx **ctxp,
309 struct xfrm_user_sec_ctx *sec_ctx,
310 gfp_t gfp);
311 int (*xfrm_policy_clone_security)(struct xfrm_sec_ctx *old_ctx,
312 struct xfrm_sec_ctx **new_ctx);
313 void (*xfrm_policy_free_security)(struct xfrm_sec_ctx *ctx);
314 int (*xfrm_policy_delete_security)(struct xfrm_sec_ctx *ctx);
315 int (*xfrm_state_alloc)(struct xfrm_state *x,
316 struct xfrm_user_sec_ctx *sec_ctx);
317 int (*xfrm_state_alloc_acquire)(struct xfrm_state *x,
318 struct xfrm_sec_ctx *polsec,
319 u32 secid);
320 void (*xfrm_state_free_security)(struct xfrm_state *x);
321 int (*xfrm_state_delete_security)(struct xfrm_state *x);
322 int (*xfrm_policy_lookup)(struct xfrm_sec_ctx *ctx, u32 fl_secid,
323 u8 dir);
324 int (*xfrm_state_pol_flow_match)(struct xfrm_state *x,
325 struct xfrm_policy *xp,
326 const struct flowi *fl);
327 int (*xfrm_decode_session)(struct sk_buff *skb, u32 *secid, int ckall);
328#endif /* CONFIG_SECURITY_NETWORK_XFRM */
329
330 /* key management security hooks */
331#ifdef CONFIG_KEYS
332 int (*key_alloc)(struct key *key, const struct cred *cred,
333 unsigned long flags);
334 void (*key_free)(struct key *key);
335 int (*key_permission)(key_ref_t key_ref, const struct cred *cred,
336 unsigned perm);
337 int (*key_getsecurity)(struct key *key, char **_buffer);
338#endif /* CONFIG_KEYS */
339
340#ifdef CONFIG_AUDIT
341 int (*audit_rule_init)(u32 field, u32 op, char *rulestr,
342 void **lsmrule);
343 int (*audit_rule_known)(struct audit_krule *krule);
344 int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule,
345 struct audit_context *actx);
346 void (*audit_rule_free)(void *lsmrule);
347#endif /* CONFIG_AUDIT */
348};
349
350/* prototypes */
351extern int security_module_enable(struct security_operations *ops);
352extern int register_security(struct security_operations *ops);
353extern void __init security_fixup_ops(struct security_operations *ops);
354extern void reset_security_ops(void);
355
356#endif /* CONFIG_SECURITY */
357
358#endif /* ! __LINUX_LSM_HOOKS_H */