]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blame_incremental - include/linux/security.h
projects / mirror_ubuntu-jammy-kernel.git / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
UBUNTU: Ubuntu-5.15.0-39.42
[mirror_ubuntu-jammy-kernel.git] / include / linux / security.h
... / ...
CommitLineData
1/*
2 * Linux Security plug
3 *
4 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
5 * Copyright (C) 2001 Greg Kroah-Hartman <greg@kroah.com>
6 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
7 * Copyright (C) 2001 James Morris <jmorris@intercode.com.au>
8 * Copyright (C) 2001 Silicon Graphics, Inc. (Trust Technology Group)
9 * Copyright (C) 2016 Mellanox Techonologies
10 *
11 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * Due to this file being licensed under the GPL there is controversy over
17 * whether this permits you to write a module that #includes this file
18 * without placing your module under the GPL. Please consult a lawyer for
19 * advice before doing this.
20 *
21 */
22
23#ifndef __LINUX_SECURITY_H
24#define __LINUX_SECURITY_H
25
26#include <linux/kernel_read_file.h>
27#include <linux/key.h>
28#include <linux/capability.h>
29#include <linux/fs.h>
30#include <linux/slab.h>
31#include <linux/err.h>
32#include <linux/string.h>
33#include <linux/mm.h>
34
35struct linux_binprm;
36struct cred;
37struct rlimit;
38struct kernel_siginfo;
39struct sembuf;
40struct kern_ipc_perm;
41struct audit_context;
42struct super_block;
43struct inode;
44struct dentry;
45struct file;
46struct vfsmount;
47struct path;
48struct qstr;
49struct iattr;
50struct fown_struct;
51struct file_operations;
52struct msg_msg;
53struct xattr;
54struct kernfs_node;
55struct xfrm_sec_ctx;
56struct mm_struct;
57struct fs_context;
58struct fs_parameter;
59enum fs_value_type;
60struct watch;
61struct watch_notification;
62
63/* Default (no) options for the capable function */
64#define CAP_OPT_NONE 0x0
65/* If capable should audit the security request */
66#define CAP_OPT_NOAUDIT BIT(1)
67/* If capable is being called by a setid function */
68#define CAP_OPT_INSETID BIT(2)
69
70/* LSM Agnostic defines for fs_context::lsm_flags */
71#define SECURITY_LSM_NATIVE_LABELS 1
72
73struct ctl_table;
74struct audit_krule;
75struct user_namespace;
76struct timezone;
77
78enum lsm_event {
79 LSM_POLICY_CHANGE,
80};
81
82/*
83 * These are reasons that can be passed to the security_locked_down()
84 * LSM hook. Lockdown reasons that protect kernel integrity (ie, the
85 * ability for userland to modify kernel code) are placed before
86 * LOCKDOWN_INTEGRITY_MAX. Lockdown reasons that protect kernel
87 * confidentiality (ie, the ability for userland to extract
88 * information from the running kernel that would otherwise be
89 * restricted) are placed before LOCKDOWN_CONFIDENTIALITY_MAX.
90 *
91 * LSM authors should note that the semantics of any given lockdown
92 * reason are not guaranteed to be stable - the same reason may block
93 * one set of features in one kernel release, and a slightly different
94 * set of features in a later kernel release. LSMs that seek to expose
95 * lockdown policy at any level of granularity other than "none",
96 * "integrity" or "confidentiality" are responsible for either
97 * ensuring that they expose a consistent level of functionality to
98 * userland, or ensuring that userland is aware that this is
99 * potentially a moving target. It is easy to misuse this information
100 * in a way that could break userspace. Please be careful not to do
101 * so.
102 *
103 * If you add to this, remember to extend lockdown_reasons in
104 * security/lockdown/lockdown.c.
105 */
106enum lockdown_reason {
107 LOCKDOWN_NONE,
108 LOCKDOWN_MODULE_SIGNATURE,
109 LOCKDOWN_DEV_MEM,
110 LOCKDOWN_EFI_TEST,
111 LOCKDOWN_KEXEC,
112 LOCKDOWN_HIBERNATION,
113 LOCKDOWN_PCI_ACCESS,
114 LOCKDOWN_IOPORT,
115 LOCKDOWN_MSR,
116 LOCKDOWN_ACPI_TABLES,
117 LOCKDOWN_PCMCIA_CIS,
118 LOCKDOWN_TIOCSSERIAL,
119 LOCKDOWN_MODULE_PARAMETERS,
120 LOCKDOWN_MMIOTRACE,
121 LOCKDOWN_DEBUGFS,
122 LOCKDOWN_XMON_WR,
123 LOCKDOWN_BPF_WRITE_USER,
124 LOCKDOWN_KGDB,
125 LOCKDOWN_INTEGRITY_MAX,
126 LOCKDOWN_KCORE,
127 LOCKDOWN_KPROBES,
128 LOCKDOWN_BPF_READ_KERNEL,
129 LOCKDOWN_PERF,
130 LOCKDOWN_TRACEFS,
131 LOCKDOWN_XMON_RW,
132 LOCKDOWN_XFRM_SECRET,
133 LOCKDOWN_CONFIDENTIALITY_MAX,
134};
135
136extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
137
138/*
139 * A "security context" is the text representation of
140 * the information used by LSMs.
141 * This structure contains the string, its length, and which LSM
142 * it is useful for.
143 */
144struct lsmcontext {
145 char *context; /* Provided by the module */
146 u32 len;
147 int slot; /* Identifies the module */
148};
149
150/**
151 * lsmcontext_init - initialize an lsmcontext structure.
152 * @cp: Pointer to the context to initialize
153 * @context: Initial context, or NULL
154 * @size: Size of context, or 0
155 * @slot: Which LSM provided the context
156 *
157 * Fill in the lsmcontext from the provided information.
158 * This is a scaffolding function that will be removed when
159 * lsmcontext integration is complete.
160 */
161static inline void lsmcontext_init(struct lsmcontext *cp, char *context,
162 u32 size, int slot)
163{
164 cp->slot = slot;
165 cp->context = context;
166 cp->len = size;
167}
168
169/*
170 * Data exported by the security modules
171 *
172 * Any LSM that provides secid or secctx based hooks must be included.
173 */
174#define LSMBLOB_ENTRIES ( \
175 (IS_ENABLED(CONFIG_SECURITY_SELINUX) ? 1 : 0) + \
176 (IS_ENABLED(CONFIG_SECURITY_SMACK) ? 1 : 0) + \
177 (IS_ENABLED(CONFIG_SECURITY_APPARMOR) ? 1 : 0) + \
178 (IS_ENABLED(CONFIG_BPF_LSM) ? 1 : 0))
179
180struct lsmblob {
181 u32 secid[LSMBLOB_ENTRIES];
182};
183
184#define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */
185#define LSMBLOB_NEEDED -2 /* Slot requested on initialization */
186#define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */
187#define LSMBLOB_DISPLAY -4 /* Use the "display" slot */
188#define LSMBLOB_FIRST -5 /* Use the default "display" slot */
189
190/**
191 * lsmblob_init - initialize an lsmblob structure.
192 * @blob: Pointer to the data to initialize
193 * @secid: The initial secid value
194 *
195 * Set all secid for all modules to the specified value.
196 */
197static inline void lsmblob_init(struct lsmblob *blob, u32 secid)
198{
199 int i;
200
201 for (i = 0; i < LSMBLOB_ENTRIES; i++)
202 blob->secid[i] = secid;
203}
204
205/**
206 * lsmblob_is_set - report if there is an value in the lsmblob
207 * @blob: Pointer to the exported LSM data
208 *
209 * Returns true if there is a secid set, false otherwise
210 */
211static inline bool lsmblob_is_set(struct lsmblob *blob)
212{
213 struct lsmblob empty = {};
214
215 return !!memcmp(blob, &empty, sizeof(*blob));
216}
217
218/**
219 * lsmblob_equal - report if the two lsmblob's are equal
220 * @bloba: Pointer to one LSM data
221 * @blobb: Pointer to the other LSM data
222 *
223 * Returns true if all entries in the two are equal, false otherwise
224 */
225static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
226{
227 return !memcmp(bloba, blobb, sizeof(*bloba));
228}
229
230/**
231 * lsmblob_value - find the first non-zero value in an lsmblob structure.
232 * @blob: Pointer to the data
233 *
234 * This needs to be used with extreme caution, as the cases where
235 * it is appropriate are rare.
236 *
237 * Return the first secid value set in the lsmblob.
238 * There should only be one.
239 */
240static inline u32 lsmblob_value(const struct lsmblob *blob)
241{
242 int i;
243
244 for (i = 0; i < LSMBLOB_ENTRIES; i++)
245 if (blob->secid[i])
246 return blob->secid[i];
247
248 return 0;
249}
250
251const char *security_lsm_slot_name(int slot);
252
253static inline bool lsm_multiple_contexts(void)
254{
255#ifdef CONFIG_SECURITY
256 return security_lsm_slot_name(1) != NULL;
257#else
258 return false;
259#endif
260}
261
262/* These functions are in security/commoncap.c */
263extern int cap_capable(const struct cred *cred, struct user_namespace *ns,
264 int cap, unsigned int opts);
265extern int cap_settime(const struct timespec64 *ts, const struct timezone *tz);
266extern int cap_ptrace_access_check(struct task_struct *child, unsigned int mode);
267extern int cap_ptrace_traceme(struct task_struct *parent);
268extern int cap_capget(struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted);
269extern int cap_capset(struct cred *new, const struct cred *old,
270 const kernel_cap_t *effective,
271 const kernel_cap_t *inheritable,
272 const kernel_cap_t *permitted);
273extern int cap_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file);
274int cap_inode_setxattr(struct dentry *dentry, const char *name,
275 const void *value, size_t size, int flags);
276int cap_inode_removexattr(struct user_namespace *mnt_userns,
277 struct dentry *dentry, const char *name);
278int cap_inode_need_killpriv(struct dentry *dentry);
279int cap_inode_killpriv(struct user_namespace *mnt_userns,
280 struct dentry *dentry);
281int cap_inode_getsecurity(struct user_namespace *mnt_userns,
282 struct inode *inode, const char *name, void **buffer,
283 bool alloc);
284extern int cap_mmap_addr(unsigned long addr);
285extern int cap_mmap_file(struct file *file, unsigned long reqprot,
286 unsigned long prot, unsigned long flags);
287extern int cap_task_fix_setuid(struct cred *new, const struct cred *old, int flags);
288extern int cap_task_prctl(int option, unsigned long arg2, unsigned long arg3,
289 unsigned long arg4, unsigned long arg5);
290extern int cap_task_setscheduler(struct task_struct *p);
291extern int cap_task_setioprio(struct task_struct *p, int ioprio);
292extern int cap_task_setnice(struct task_struct *p, int nice);
293extern int cap_vm_enough_memory(struct mm_struct *mm, long pages);
294
295struct msghdr;
296struct sk_buff;
297struct sock;
298struct sockaddr;
299struct socket;
300struct flowi_common;
301struct dst_entry;
302struct xfrm_selector;
303struct xfrm_policy;
304struct xfrm_state;
305struct xfrm_user_sec_ctx;
306struct seq_file;
307struct sctp_endpoint;
308
309#ifdef CONFIG_MMU
310extern unsigned long mmap_min_addr;
311extern unsigned long dac_mmap_min_addr;
312#else
313#define mmap_min_addr 0UL
314#define dac_mmap_min_addr 0UL
315#endif
316
317/*
318 * Values used in the task_security_ops calls
319 */
320/* setuid or setgid, id0 == uid or gid */
321#define LSM_SETID_ID 1
322
323/* setreuid or setregid, id0 == real, id1 == eff */
324#define LSM_SETID_RE 2
325
326/* setresuid or setresgid, id0 == real, id1 == eff, uid2 == saved */
327#define LSM_SETID_RES 4
328
329/* setfsuid or setfsgid, id0 == fsuid or fsgid */
330#define LSM_SETID_FS 8
331
332/* Flags for security_task_prlimit(). */
333#define LSM_PRLIMIT_READ 1
334#define LSM_PRLIMIT_WRITE 2
335
336/* forward declares to avoid warnings */
337struct sched_param;
338struct request_sock;
339
340/* bprm->unsafe reasons */
341#define LSM_UNSAFE_SHARE 1
342#define LSM_UNSAFE_PTRACE 2
343#define LSM_UNSAFE_NO_NEW_PRIVS 4
344
345#ifdef CONFIG_MMU
346extern int mmap_min_addr_handler(struct ctl_table *table, int write,
347 void *buffer, size_t *lenp, loff_t *ppos);
348#endif
349
350/* security_inode_init_security callback function to write xattrs */
351typedef int (*initxattrs) (struct inode *inode,
352 const struct xattr *xattr_array, void *fs_data);
353
354
355/* Keep the kernel_load_data_id enum in sync with kernel_read_file_id */
356#define __data_id_enumify(ENUM, dummy) LOADING_ ## ENUM,
357#define __data_id_stringify(dummy, str) #str,
358
359enum kernel_load_data_id {
360 __kernel_read_file_id(__data_id_enumify)
361};
362
363static const char * const kernel_load_data_str[] = {
364 __kernel_read_file_id(__data_id_stringify)
365};
366
367static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
368{
369 if ((unsigned)id >= LOADING_MAX_ID)
370 return kernel_load_data_str[LOADING_UNKNOWN];
371
372 return kernel_load_data_str[id];
373}
374
375#ifdef CONFIG_SECURITY
376
377int call_blocking_lsm_notifier(enum lsm_event event, void *data);
378int register_blocking_lsm_notifier(struct notifier_block *nb);
379int unregister_blocking_lsm_notifier(struct notifier_block *nb);
380
381/* prototypes */
382extern int security_init(void);
383extern int early_security_init(void);
384
385/* Security operations */
386int security_binder_set_context_mgr(const struct cred *mgr);
387int security_binder_transaction(const struct cred *from,
388 const struct cred *to);
389int security_binder_transfer_binder(const struct cred *from,
390 const struct cred *to);
391int security_binder_transfer_file(const struct cred *from,
392 const struct cred *to, struct file *file);
393int security_ptrace_access_check(struct task_struct *child, unsigned int mode);
394int security_ptrace_traceme(struct task_struct *parent);
395int security_capget(struct task_struct *target,
396 kernel_cap_t *effective,
397 kernel_cap_t *inheritable,
398 kernel_cap_t *permitted);
399int security_capset(struct cred *new, const struct cred *old,
400 const kernel_cap_t *effective,
401 const kernel_cap_t *inheritable,
402 const kernel_cap_t *permitted);
403int security_capable(const struct cred *cred,
404 struct user_namespace *ns,
405 int cap,
406 unsigned int opts);
407int security_quotactl(int cmds, int type, int id, struct super_block *sb);
408int security_quota_on(struct dentry *dentry);
409int security_syslog(int type);
410int security_settime64(const struct timespec64 *ts, const struct timezone *tz);
411int security_vm_enough_memory_mm(struct mm_struct *mm, long pages);
412int security_bprm_creds_for_exec(struct linux_binprm *bprm);
413int security_bprm_creds_from_file(struct linux_binprm *bprm, struct file *file);
414int security_bprm_check(struct linux_binprm *bprm);
415void security_bprm_committing_creds(struct linux_binprm *bprm);
416void security_bprm_committed_creds(struct linux_binprm *bprm);
417int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc);
418int security_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param);
419int security_sb_alloc(struct super_block *sb);
420void security_sb_delete(struct super_block *sb);
421void security_sb_free(struct super_block *sb);
422void security_free_mnt_opts(void **mnt_opts);
423int security_sb_eat_lsm_opts(char *options, void **mnt_opts);
424int security_sb_mnt_opts_compat(struct super_block *sb, void *mnt_opts);
425int security_sb_remount(struct super_block *sb, void *mnt_opts);
426int security_sb_kern_mount(struct super_block *sb);
427int security_sb_show_options(struct seq_file *m, struct super_block *sb);
428int security_sb_statfs(struct dentry *dentry);
429int security_sb_mount(const char *dev_name, const struct path *path,
430 const char *type, unsigned long flags, void *data);
431int security_sb_umount(struct vfsmount *mnt, int flags);
432int security_sb_pivotroot(const struct path *old_path, const struct path *new_path);
433int security_sb_set_mnt_opts(struct super_block *sb,
434 void *mnt_opts,
435 unsigned long kern_flags,
436 unsigned long *set_kern_flags);
437int security_sb_clone_mnt_opts(const struct super_block *oldsb,
438 struct super_block *newsb,
439 unsigned long kern_flags,
440 unsigned long *set_kern_flags);
441int security_add_mnt_opt(const char *option, const char *val,
442 int len, void **mnt_opts);
443int security_move_mount(const struct path *from_path, const struct path *to_path);
444int security_dentry_init_security(struct dentry *dentry, int mode,
445 const struct qstr *name, void **ctx,
446 u32 *ctxlen);
447int security_dentry_create_files_as(struct dentry *dentry, int mode,
448 struct qstr *name,
449 const struct cred *old,
450 struct cred *new);
451int security_path_notify(const struct path *path, u64 mask,
452 unsigned int obj_type);
453int security_inode_alloc(struct inode *inode);
454void security_inode_free(struct inode *inode);
455int security_inode_init_security(struct inode *inode, struct inode *dir,
456 const struct qstr *qstr,
457 initxattrs initxattrs, void *fs_data);
458int security_inode_init_security_anon(struct inode *inode,
459 const struct qstr *name,
460 const struct inode *context_inode);
461int security_old_inode_init_security(struct inode *inode, struct inode *dir,
462 const struct qstr *qstr, const char **name,
463 void **value, size_t *len);
464int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode);
465int security_inode_link(struct dentry *old_dentry, struct inode *dir,
466 struct dentry *new_dentry);
467int security_inode_unlink(struct inode *dir, struct dentry *dentry);
468int security_inode_symlink(struct inode *dir, struct dentry *dentry,
469 const char *old_name);
470int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode);
471int security_inode_rmdir(struct inode *dir, struct dentry *dentry);
472int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev);
473int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
474 struct inode *new_dir, struct dentry *new_dentry,
475 unsigned int flags);
476int security_inode_readlink(struct dentry *dentry);
477int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
478 bool rcu);
479int security_inode_permission(struct inode *inode, int mask);
480int security_inode_setattr(struct dentry *dentry, struct iattr *attr);
481int security_inode_getattr(const struct path *path);
482int security_inode_setxattr(struct user_namespace *mnt_userns,
483 struct dentry *dentry, const char *name,
484 const void *value, size_t size, int flags);
485void security_inode_post_setxattr(struct dentry *dentry, const char *name,
486 const void *value, size_t size, int flags);
487int security_inode_getxattr(struct dentry *dentry, const char *name);
488int security_inode_listxattr(struct dentry *dentry);
489int security_inode_removexattr(struct user_namespace *mnt_userns,
490 struct dentry *dentry, const char *name);
491int security_inode_need_killpriv(struct dentry *dentry);
492int security_inode_killpriv(struct user_namespace *mnt_userns,
493 struct dentry *dentry);
494int security_inode_getsecurity(struct user_namespace *mnt_userns,
495 struct inode *inode, const char *name,
496 void **buffer, bool alloc);
497int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags);
498int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size);
499void security_inode_getsecid(struct inode *inode, struct lsmblob *blob);
500int security_inode_copy_up(struct dentry *src, struct cred **new);
501int security_inode_copy_up_xattr(const char *name);
502int security_kernfs_init_security(struct kernfs_node *kn_dir,
503 struct kernfs_node *kn);
504int security_file_permission(struct file *file, int mask);
505int security_file_alloc(struct file *file);
506void security_file_free(struct file *file);
507int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg);
508int security_mmap_file(struct file *file, unsigned long prot,
509 unsigned long flags);
510int security_mmap_addr(unsigned long addr);
511int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
512 unsigned long prot);
513int security_file_lock(struct file *file, unsigned int cmd);
514int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg);
515void security_file_set_fowner(struct file *file);
516int security_file_send_sigiotask(struct task_struct *tsk,
517 struct fown_struct *fown, int sig);
518int security_file_receive(struct file *file);
519int security_file_open(struct file *file);
520int security_task_alloc(struct task_struct *task, unsigned long clone_flags);
521void security_task_free(struct task_struct *task);
522int security_cred_alloc_blank(struct cred *cred, gfp_t gfp);
523void security_cred_free(struct cred *cred);
524int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp);
525void security_transfer_creds(struct cred *new, const struct cred *old);
526void security_cred_getsecid(const struct cred *c, struct lsmblob *blob);
527int security_kernel_act_as(struct cred *new, struct lsmblob *blob);
528int security_kernel_create_files_as(struct cred *new, struct inode *inode);
529int security_kernel_module_request(char *kmod_name);
530int security_kernel_load_data(enum kernel_load_data_id id, bool contents);
531int security_kernel_post_load_data(char *buf, loff_t size,
532 enum kernel_load_data_id id,
533 char *description);
534int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,
535 bool contents);
536int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
537 enum kernel_read_file_id id);
538int security_task_fix_setuid(struct cred *new, const struct cred *old,
539 int flags);
540int security_task_fix_setgid(struct cred *new, const struct cred *old,
541 int flags);
542int security_task_setpgid(struct task_struct *p, pid_t pgid);
543int security_task_getpgid(struct task_struct *p);
544int security_task_getsid(struct task_struct *p);
545void security_task_getsecid_subj(struct task_struct *p, struct lsmblob *blob);
546void security_task_getsecid_obj(struct task_struct *p, struct lsmblob *blob);
547int security_task_setnice(struct task_struct *p, int nice);
548int security_task_setioprio(struct task_struct *p, int ioprio);
549int security_task_getioprio(struct task_struct *p);
550int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
551 unsigned int flags);
552int security_task_setrlimit(struct task_struct *p, unsigned int resource,
553 struct rlimit *new_rlim);
554int security_task_setscheduler(struct task_struct *p);
555int security_task_getscheduler(struct task_struct *p);
556int security_task_movememory(struct task_struct *p);
557int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,
558 int sig, const struct cred *cred);
559int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
560 unsigned long arg4, unsigned long arg5);
561void security_task_to_inode(struct task_struct *p, struct inode *inode);
562int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
563void security_ipc_getsecid(struct kern_ipc_perm *ipcp, struct lsmblob *blob);
564int security_msg_msg_alloc(struct msg_msg *msg);
565void security_msg_msg_free(struct msg_msg *msg);
566int security_msg_queue_alloc(struct kern_ipc_perm *msq);
567void security_msg_queue_free(struct kern_ipc_perm *msq);
568int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg);
569int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd);
570int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,
571 struct msg_msg *msg, int msqflg);
572int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
573 struct task_struct *target, long type, int mode);
574int security_shm_alloc(struct kern_ipc_perm *shp);
575void security_shm_free(struct kern_ipc_perm *shp);
576int security_shm_associate(struct kern_ipc_perm *shp, int shmflg);
577int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd);
578int security_shm_shmat(struct kern_ipc_perm *shp, char __user *shmaddr, int shmflg);
579int security_sem_alloc(struct kern_ipc_perm *sma);
580void security_sem_free(struct kern_ipc_perm *sma);
581int security_sem_associate(struct kern_ipc_perm *sma, int semflg);
582int security_sem_semctl(struct kern_ipc_perm *sma, int cmd);
583int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
584 unsigned nsops, int alter);
585void security_d_instantiate(struct dentry *dentry, struct inode *inode);
586int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
587 char **value);
588int security_setprocattr(const char *lsm, const char *name, void *value,
589 size_t size);
590int security_netlink_send(struct sock *sk, struct sk_buff *skb);
591int security_ismaclabel(const char *name);
592int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp,
593 int display);
594int security_secctx_to_secid(const char *secdata, u32 seclen,
595 struct lsmblob *blob);
596void security_release_secctx(struct lsmcontext *cp);
597void security_inode_invalidate_secctx(struct inode *inode);
598int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
599int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
600int security_inode_getsecctx(struct inode *inode, struct lsmcontext *cp);
601int security_locked_down(enum lockdown_reason what);
602int security_lock_kernel_down(const char *where, enum lockdown_reason level);
603#else /* CONFIG_SECURITY */
604
605static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
606{
607 return 0;
608}
609
610static inline int register_blocking_lsm_notifier(struct notifier_block *nb)
611{
612 return 0;
613}
614
615static inline int unregister_blocking_lsm_notifier(struct notifier_block *nb)
616{
617 return 0;
618}
619
620static inline void security_free_mnt_opts(void **mnt_opts)
621{
622}
623
624/*
625 * This is the default capabilities functionality. Most of these functions
626 * are just stubbed out, but a few must call the proper capable code.
627 */
628
629static inline int security_init(void)
630{
631 return 0;
632}
633
634static inline int early_security_init(void)
635{
636 return 0;
637}
638
639static inline int security_binder_set_context_mgr(const struct cred *mgr)
640{
641 return 0;
642}
643
644static inline int security_binder_transaction(const struct cred *from,
645 const struct cred *to)
646{
647 return 0;
648}
649
650static inline int security_binder_transfer_binder(const struct cred *from,
651 const struct cred *to)
652{
653 return 0;
654}
655
656static inline int security_binder_transfer_file(const struct cred *from,
657 const struct cred *to,
658 struct file *file)
659{
660 return 0;
661}
662
663static inline int security_ptrace_access_check(struct task_struct *child,
664 unsigned int mode)
665{
666 return cap_ptrace_access_check(child, mode);
667}
668
669static inline int security_ptrace_traceme(struct task_struct *parent)
670{
671 return cap_ptrace_traceme(parent);
672}
673
674static inline int security_capget(struct task_struct *target,
675 kernel_cap_t *effective,
676 kernel_cap_t *inheritable,
677 kernel_cap_t *permitted)
678{
679 return cap_capget(target, effective, inheritable, permitted);
680}
681
682static inline int security_capset(struct cred *new,
683 const struct cred *old,
684 const kernel_cap_t *effective,
685 const kernel_cap_t *inheritable,
686 const kernel_cap_t *permitted)
687{
688 return cap_capset(new, old, effective, inheritable, permitted);
689}
690
691static inline int security_capable(const struct cred *cred,
692 struct user_namespace *ns,
693 int cap,
694 unsigned int opts)
695{
696 return cap_capable(cred, ns, cap, opts);
697}
698
699static inline int security_quotactl(int cmds, int type, int id,
700 struct super_block *sb)
701{
702 return 0;
703}
704
705static inline int security_quota_on(struct dentry *dentry)
706{
707 return 0;
708}
709
710static inline int security_syslog(int type)
711{
712 return 0;
713}
714
715static inline int security_settime64(const struct timespec64 *ts,
716 const struct timezone *tz)
717{
718 return cap_settime(ts, tz);
719}
720
721static inline int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
722{
723 return __vm_enough_memory(mm, pages, cap_vm_enough_memory(mm, pages));
724}
725
726static inline int security_bprm_creds_for_exec(struct linux_binprm *bprm)
727{
728 return 0;
729}
730
731static inline int security_bprm_creds_from_file(struct linux_binprm *bprm,
732 struct file *file)
733{
734 return cap_bprm_creds_from_file(bprm, file);
735}
736
737static inline int security_bprm_check(struct linux_binprm *bprm)
738{
739 return 0;
740}
741
742static inline void security_bprm_committing_creds(struct linux_binprm *bprm)
743{
744}
745
746static inline void security_bprm_committed_creds(struct linux_binprm *bprm)
747{
748}
749
750static inline int security_fs_context_dup(struct fs_context *fc,
751 struct fs_context *src_fc)
752{
753 return 0;
754}
755static inline int security_fs_context_parse_param(struct fs_context *fc,
756 struct fs_parameter *param)
757{
758 return -ENOPARAM;
759}
760
761static inline int security_sb_alloc(struct super_block *sb)
762{
763 return 0;
764}
765
766static inline void security_sb_delete(struct super_block *sb)
767{ }
768
769static inline void security_sb_free(struct super_block *sb)
770{ }
771
772static inline int security_sb_eat_lsm_opts(char *options,
773 void **mnt_opts)
774{
775 return 0;
776}
777
778static inline int security_sb_remount(struct super_block *sb,
779 void *mnt_opts)
780{
781 return 0;
782}
783
784static inline int security_sb_mnt_opts_compat(struct super_block *sb,
785 void *mnt_opts)
786{
787 return 0;
788}
789
790
791static inline int security_sb_kern_mount(struct super_block *sb)
792{
793 return 0;
794}
795
796static inline int security_sb_show_options(struct seq_file *m,
797 struct super_block *sb)
798{
799 return 0;
800}
801
802static inline int security_sb_statfs(struct dentry *dentry)
803{
804 return 0;
805}
806
807static inline int security_sb_mount(const char *dev_name, const struct path *path,
808 const char *type, unsigned long flags,
809 void *data)
810{
811 return 0;
812}
813
814static inline int security_sb_umount(struct vfsmount *mnt, int flags)
815{
816 return 0;
817}
818
819static inline int security_sb_pivotroot(const struct path *old_path,
820 const struct path *new_path)
821{
822 return 0;
823}
824
825static inline int security_sb_set_mnt_opts(struct super_block *sb,
826 void *mnt_opts,
827 unsigned long kern_flags,
828 unsigned long *set_kern_flags)
829{
830 return 0;
831}
832
833static inline int security_sb_clone_mnt_opts(const struct super_block *oldsb,
834 struct super_block *newsb,
835 unsigned long kern_flags,
836 unsigned long *set_kern_flags)
837{
838 return 0;
839}
840
841static inline int security_add_mnt_opt(const char *option, const char *val,
842 int len, void **mnt_opts)
843{
844 return 0;
845}
846
847static inline int security_move_mount(const struct path *from_path,
848 const struct path *to_path)
849{
850 return 0;
851}
852
853static inline int security_path_notify(const struct path *path, u64 mask,
854 unsigned int obj_type)
855{
856 return 0;
857}
858
859static inline int security_inode_alloc(struct inode *inode)
860{
861 return 0;
862}
863
864static inline void security_inode_free(struct inode *inode)
865{ }
866
867static inline int security_dentry_init_security(struct dentry *dentry,
868 int mode,
869 const struct qstr *name,
870 void **ctx,
871 u32 *ctxlen)
872{
873 return -EOPNOTSUPP;
874}
875
876static inline int security_dentry_create_files_as(struct dentry *dentry,
877 int mode, struct qstr *name,
878 const struct cred *old,
879 struct cred *new)
880{
881 return 0;
882}
883
884
885static inline int security_inode_init_security(struct inode *inode,
886 struct inode *dir,
887 const struct qstr *qstr,
888 const initxattrs xattrs,
889 void *fs_data)
890{
891 return 0;
892}
893
894static inline int security_inode_init_security_anon(struct inode *inode,
895 const struct qstr *name,
896 const struct inode *context_inode)
897{
898 return 0;
899}
900
901static inline int security_old_inode_init_security(struct inode *inode,
902 struct inode *dir,
903 const struct qstr *qstr,
904 const char **name,
905 void **value, size_t *len)
906{
907 return -EOPNOTSUPP;
908}
909
910static inline int security_inode_create(struct inode *dir,
911 struct dentry *dentry,
912 umode_t mode)
913{
914 return 0;
915}
916
917static inline int security_inode_link(struct dentry *old_dentry,
918 struct inode *dir,
919 struct dentry *new_dentry)
920{
921 return 0;
922}
923
924static inline int security_inode_unlink(struct inode *dir,
925 struct dentry *dentry)
926{
927 return 0;
928}
929
930static inline int security_inode_symlink(struct inode *dir,
931 struct dentry *dentry,
932 const char *old_name)
933{
934 return 0;
935}
936
937static inline int security_inode_mkdir(struct inode *dir,
938 struct dentry *dentry,
939 int mode)
940{
941 return 0;
942}
943
944static inline int security_inode_rmdir(struct inode *dir,
945 struct dentry *dentry)
946{
947 return 0;
948}
949
950static inline int security_inode_mknod(struct inode *dir,
951 struct dentry *dentry,
952 int mode, dev_t dev)
953{
954 return 0;
955}
956
957static inline int security_inode_rename(struct inode *old_dir,
958 struct dentry *old_dentry,
959 struct inode *new_dir,
960 struct dentry *new_dentry,
961 unsigned int flags)
962{
963 return 0;
964}
965
966static inline int security_inode_readlink(struct dentry *dentry)
967{
968 return 0;
969}
970
971static inline int security_inode_follow_link(struct dentry *dentry,
972 struct inode *inode,
973 bool rcu)
974{
975 return 0;
976}
977
978static inline int security_inode_permission(struct inode *inode, int mask)
979{
980 return 0;
981}
982
983static inline int security_inode_setattr(struct dentry *dentry,
984 struct iattr *attr)
985{
986 return 0;
987}
988
989static inline int security_inode_getattr(const struct path *path)
990{
991 return 0;
992}
993
994static inline int security_inode_setxattr(struct user_namespace *mnt_userns,
995 struct dentry *dentry, const char *name, const void *value,
996 size_t size, int flags)
997{
998 return cap_inode_setxattr(dentry, name, value, size, flags);
999}
1000
1001static inline void security_inode_post_setxattr(struct dentry *dentry,
1002 const char *name, const void *value, size_t size, int flags)
1003{ }
1004
1005static inline int security_inode_getxattr(struct dentry *dentry,
1006 const char *name)
1007{
1008 return 0;
1009}
1010
1011static inline int security_inode_listxattr(struct dentry *dentry)
1012{
1013 return 0;
1014}
1015
1016static inline int security_inode_removexattr(struct user_namespace *mnt_userns,
1017 struct dentry *dentry,
1018 const char *name)
1019{
1020 return cap_inode_removexattr(mnt_userns, dentry, name);
1021}
1022
1023static inline int security_inode_need_killpriv(struct dentry *dentry)
1024{
1025 return cap_inode_need_killpriv(dentry);
1026}
1027
1028static inline int security_inode_killpriv(struct user_namespace *mnt_userns,
1029 struct dentry *dentry)
1030{
1031 return cap_inode_killpriv(mnt_userns, dentry);
1032}
1033
1034static inline int security_inode_getsecurity(struct user_namespace *mnt_userns,
1035 struct inode *inode,
1036 const char *name, void **buffer,
1037 bool alloc)
1038{
1039 return cap_inode_getsecurity(mnt_userns, inode, name, buffer, alloc);
1040}
1041
1042static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
1043{
1044 return -EOPNOTSUPP;
1045}
1046
1047static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
1048{
1049 return 0;
1050}
1051
1052static inline void security_inode_getsecid(struct inode *inode,
1053 struct lsmblob *blob)
1054{
1055 lsmblob_init(blob, 0);
1056}
1057
1058static inline int security_inode_copy_up(struct dentry *src, struct cred **new)
1059{
1060 return 0;
1061}
1062
1063static inline int security_kernfs_init_security(struct kernfs_node *kn_dir,
1064 struct kernfs_node *kn)
1065{
1066 return 0;
1067}
1068
1069static inline int security_inode_copy_up_xattr(const char *name)
1070{
1071 return -EOPNOTSUPP;
1072}
1073
1074static inline int security_file_permission(struct file *file, int mask)
1075{
1076 return 0;
1077}
1078
1079static inline int security_file_alloc(struct file *file)
1080{
1081 return 0;
1082}
1083
1084static inline void security_file_free(struct file *file)
1085{ }
1086
1087static inline int security_file_ioctl(struct file *file, unsigned int cmd,
1088 unsigned long arg)
1089{
1090 return 0;
1091}
1092
1093static inline int security_mmap_file(struct file *file, unsigned long prot,
1094 unsigned long flags)
1095{
1096 return 0;
1097}
1098
1099static inline int security_mmap_addr(unsigned long addr)
1100{
1101 return cap_mmap_addr(addr);
1102}
1103
1104static inline int security_file_mprotect(struct vm_area_struct *vma,
1105 unsigned long reqprot,
1106 unsigned long prot)
1107{
1108 return 0;
1109}
1110
1111static inline int security_file_lock(struct file *file, unsigned int cmd)
1112{
1113 return 0;
1114}
1115
1116static inline int security_file_fcntl(struct file *file, unsigned int cmd,
1117 unsigned long arg)
1118{
1119 return 0;
1120}
1121
1122static inline void security_file_set_fowner(struct file *file)
1123{
1124 return;
1125}
1126
1127static inline int security_file_send_sigiotask(struct task_struct *tsk,
1128 struct fown_struct *fown,
1129 int sig)
1130{
1131 return 0;
1132}
1133
1134static inline int security_file_receive(struct file *file)
1135{
1136 return 0;
1137}
1138
1139static inline int security_file_open(struct file *file)
1140{
1141 return 0;
1142}
1143
1144static inline int security_task_alloc(struct task_struct *task,
1145 unsigned long clone_flags)
1146{
1147 return 0;
1148}
1149
1150static inline void security_task_free(struct task_struct *task)
1151{ }
1152
1153static inline int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
1154{
1155 return 0;
1156}
1157
1158static inline void security_cred_free(struct cred *cred)
1159{ }
1160
1161static inline int security_prepare_creds(struct cred *new,
1162 const struct cred *old,
1163 gfp_t gfp)
1164{
1165 return 0;
1166}
1167
1168static inline void security_transfer_creds(struct cred *new,
1169 const struct cred *old)
1170{
1171}
1172
1173static inline void security_cred_getsecid(const struct cred *c, u32 *secid)
1174{
1175 *secid = 0;
1176}
1177
1178static inline int security_kernel_act_as(struct cred *cred,
1179 struct lsmblob *blob)
1180{
1181 return 0;
1182}
1183
1184static inline int security_kernel_create_files_as(struct cred *cred,
1185 struct inode *inode)
1186{
1187 return 0;
1188}
1189
1190static inline int security_kernel_module_request(char *kmod_name)
1191{
1192 return 0;
1193}
1194
1195static inline int security_kernel_load_data(enum kernel_load_data_id id, bool contents)
1196{
1197 return 0;
1198}
1199
1200static inline int security_kernel_post_load_data(char *buf, loff_t size,
1201 enum kernel_load_data_id id,
1202 char *description)
1203{
1204 return 0;
1205}
1206
1207static inline int security_kernel_read_file(struct file *file,
1208 enum kernel_read_file_id id,
1209 bool contents)
1210{
1211 return 0;
1212}
1213
1214static inline int security_kernel_post_read_file(struct file *file,
1215 char *buf, loff_t size,
1216 enum kernel_read_file_id id)
1217{
1218 return 0;
1219}
1220
1221static inline int security_task_fix_setuid(struct cred *new,
1222 const struct cred *old,
1223 int flags)
1224{
1225 return cap_task_fix_setuid(new, old, flags);
1226}
1227
1228static inline int security_task_fix_setgid(struct cred *new,
1229 const struct cred *old,
1230 int flags)
1231{
1232 return 0;
1233}
1234
1235static inline int security_task_setpgid(struct task_struct *p, pid_t pgid)
1236{
1237 return 0;
1238}
1239
1240static inline int security_task_getpgid(struct task_struct *p)
1241{
1242 return 0;
1243}
1244
1245static inline int security_task_getsid(struct task_struct *p)
1246{
1247 return 0;
1248}
1249
1250static inline void security_task_getsecid_subj(struct task_struct *p,
1251 struct lsmblob *blob)
1252{
1253 lsmblob_init(blob, 0);
1254}
1255
1256static inline void security_task_getsecid_obj(struct task_struct *p,
1257 struct lsmblob *blob)
1258{
1259 lsmblob_init(blob, 0);
1260}
1261
1262static inline int security_task_setnice(struct task_struct *p, int nice)
1263{
1264 return cap_task_setnice(p, nice);
1265}
1266
1267static inline int security_task_setioprio(struct task_struct *p, int ioprio)
1268{
1269 return cap_task_setioprio(p, ioprio);
1270}
1271
1272static inline int security_task_getioprio(struct task_struct *p)
1273{
1274 return 0;
1275}
1276
1277static inline int security_task_prlimit(const struct cred *cred,
1278 const struct cred *tcred,
1279 unsigned int flags)
1280{
1281 return 0;
1282}
1283
1284static inline int security_task_setrlimit(struct task_struct *p,
1285 unsigned int resource,
1286 struct rlimit *new_rlim)
1287{
1288 return 0;
1289}
1290
1291static inline int security_task_setscheduler(struct task_struct *p)
1292{
1293 return cap_task_setscheduler(p);
1294}
1295
1296static inline int security_task_getscheduler(struct task_struct *p)
1297{
1298 return 0;
1299}
1300
1301static inline int security_task_movememory(struct task_struct *p)
1302{
1303 return 0;
1304}
1305
1306static inline int security_task_kill(struct task_struct *p,
1307 struct kernel_siginfo *info, int sig,
1308 const struct cred *cred)
1309{
1310 return 0;
1311}
1312
1313static inline int security_task_prctl(int option, unsigned long arg2,
1314 unsigned long arg3,
1315 unsigned long arg4,
1316 unsigned long arg5)
1317{
1318 return cap_task_prctl(option, arg2, arg3, arg4, arg5);
1319}
1320
1321static inline void security_task_to_inode(struct task_struct *p, struct inode *inode)
1322{ }
1323
1324static inline int security_ipc_permission(struct kern_ipc_perm *ipcp,
1325 short flag)
1326{
1327 return 0;
1328}
1329
1330static inline void security_ipc_getsecid(struct kern_ipc_perm *ipcp,
1331 struct lsmblob *blob)
1332{
1333 lsmblob_init(blob, 0);
1334}
1335
1336static inline int security_msg_msg_alloc(struct msg_msg *msg)
1337{
1338 return 0;
1339}
1340
1341static inline void security_msg_msg_free(struct msg_msg *msg)
1342{ }
1343
1344static inline int security_msg_queue_alloc(struct kern_ipc_perm *msq)
1345{
1346 return 0;
1347}
1348
1349static inline void security_msg_queue_free(struct kern_ipc_perm *msq)
1350{ }
1351
1352static inline int security_msg_queue_associate(struct kern_ipc_perm *msq,
1353 int msqflg)
1354{
1355 return 0;
1356}
1357
1358static inline int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
1359{
1360 return 0;
1361}
1362
1363static inline int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,
1364 struct msg_msg *msg, int msqflg)
1365{
1366 return 0;
1367}
1368
1369static inline int security_msg_queue_msgrcv(struct kern_ipc_perm *msq,
1370 struct msg_msg *msg,
1371 struct task_struct *target,
1372 long type, int mode)
1373{
1374 return 0;
1375}
1376
1377static inline int security_shm_alloc(struct kern_ipc_perm *shp)
1378{
1379 return 0;
1380}
1381
1382static inline void security_shm_free(struct kern_ipc_perm *shp)
1383{ }
1384
1385static inline int security_shm_associate(struct kern_ipc_perm *shp,
1386 int shmflg)
1387{
1388 return 0;
1389}
1390
1391static inline int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
1392{
1393 return 0;
1394}
1395
1396static inline int security_shm_shmat(struct kern_ipc_perm *shp,
1397 char __user *shmaddr, int shmflg)
1398{
1399 return 0;
1400}
1401
1402static inline int security_sem_alloc(struct kern_ipc_perm *sma)
1403{
1404 return 0;
1405}
1406
1407static inline void security_sem_free(struct kern_ipc_perm *sma)
1408{ }
1409
1410static inline int security_sem_associate(struct kern_ipc_perm *sma, int semflg)
1411{
1412 return 0;
1413}
1414
1415static inline int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)
1416{
1417 return 0;
1418}
1419
1420static inline int security_sem_semop(struct kern_ipc_perm *sma,
1421 struct sembuf *sops, unsigned nsops,
1422 int alter)
1423{
1424 return 0;
1425}
1426
1427static inline void security_d_instantiate(struct dentry *dentry,
1428 struct inode *inode)
1429{ }
1430
1431static inline int security_getprocattr(struct task_struct *p, const char *lsm,
1432 char *name, char **value)
1433{
1434 return -EINVAL;
1435}
1436
1437static inline int security_setprocattr(const char *lsm, char *name,
1438 void *value, size_t size)
1439{
1440 return -EINVAL;
1441}
1442
1443static inline int security_netlink_send(struct sock *sk, struct sk_buff *skb)
1444{
1445 return 0;
1446}
1447
1448static inline int security_ismaclabel(const char *name)
1449{
1450 return 0;
1451}
1452
1453static inline int security_secid_to_secctx(struct lsmblob *blob,
1454 struct lsmcontext *cp, int display)
1455{
1456 return -EOPNOTSUPP;
1457}
1458
1459static inline int security_secctx_to_secid(const char *secdata,
1460 u32 seclen,
1461 struct lsmblob *blob)
1462{
1463 return -EOPNOTSUPP;
1464}
1465
1466static inline void security_release_secctx(struct lsmcontext *cp)
1467{
1468}
1469
1470static inline void security_inode_invalidate_secctx(struct inode *inode)
1471{
1472}
1473
1474static inline int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
1475{
1476 return -EOPNOTSUPP;
1477}
1478static inline int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
1479{
1480 return -EOPNOTSUPP;
1481}
1482static inline int security_inode_getsecctx(struct inode *inode,
1483 struct lsmcontext *cp)
1484{
1485 return -EOPNOTSUPP;
1486}
1487static inline int security_locked_down(enum lockdown_reason what)
1488{
1489 return 0;
1490}
1491static inline int security_lock_kernel_down(const char *where, enum lockdown_reason level)
1492{
1493 return 0;
1494}
1495#endif /* CONFIG_SECURITY */
1496
1497#if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE)
1498int security_post_notification(const struct cred *w_cred,
1499 const struct cred *cred,
1500 struct watch_notification *n);
1501#else
1502static inline int security_post_notification(const struct cred *w_cred,
1503 const struct cred *cred,
1504 struct watch_notification *n)
1505{
1506 return 0;
1507}
1508#endif
1509
1510#if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS)
1511int security_watch_key(struct key *key);
1512#else
1513static inline int security_watch_key(struct key *key)
1514{
1515 return 0;
1516}
1517#endif
1518
1519#ifdef CONFIG_SECURITY_NETWORK
1520
1521int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk);
1522int security_unix_may_send(struct socket *sock, struct socket *other);
1523int security_socket_create(int family, int type, int protocol, int kern);
1524int security_socket_post_create(struct socket *sock, int family,
1525 int type, int protocol, int kern);
1526int security_socket_socketpair(struct socket *socka, struct socket *sockb);
1527int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen);
1528int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen);
1529int security_socket_listen(struct socket *sock, int backlog);
1530int security_socket_accept(struct socket *sock, struct socket *newsock);
1531int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size);
1532int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
1533 int size, int flags);
1534int security_socket_getsockname(struct socket *sock);
1535int security_socket_getpeername(struct socket *sock);
1536int security_socket_getsockopt(struct socket *sock, int level, int optname);
1537int security_socket_setsockopt(struct socket *sock, int level, int optname);
1538int security_socket_shutdown(struct socket *sock, int how);
1539int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
1540int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
1541 int __user *optlen, unsigned len);
1542int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb,
1543 struct lsmblob *blob);
1544int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
1545void security_sk_free(struct sock *sk);
1546void security_sk_clone(const struct sock *sk, struct sock *newsk);
1547void security_sk_classify_flow(struct sock *sk, struct flowi_common *flic);
1548void security_req_classify_flow(const struct request_sock *req,
1549 struct flowi_common *flic);
1550void security_sock_graft(struct sock*sk, struct socket *parent);
1551int security_inet_conn_request(const struct sock *sk,
1552 struct sk_buff *skb, struct request_sock *req);
1553void security_inet_csk_clone(struct sock *newsk,
1554 const struct request_sock *req);
1555void security_inet_conn_established(struct sock *sk,
1556 struct sk_buff *skb);
1557int security_secmark_relabel_packet(struct lsmblob *blob);
1558void security_secmark_refcount_inc(void);
1559void security_secmark_refcount_dec(void);
1560int security_tun_dev_alloc_security(void **security);
1561void security_tun_dev_free_security(void *security);
1562int security_tun_dev_create(void);
1563int security_tun_dev_attach_queue(void *security);
1564int security_tun_dev_attach(struct sock *sk, void *security);
1565int security_tun_dev_open(void *security);
1566int security_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb);
1567int security_sctp_bind_connect(struct sock *sk, int optname,
1568 struct sockaddr *address, int addrlen);
1569void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
1570 struct sock *newsk);
1571
1572#else /* CONFIG_SECURITY_NETWORK */
1573static inline int security_unix_stream_connect(struct sock *sock,
1574 struct sock *other,
1575 struct sock *newsk)
1576{
1577 return 0;
1578}
1579
1580static inline int security_unix_may_send(struct socket *sock,
1581 struct socket *other)
1582{
1583 return 0;
1584}
1585
1586static inline int security_socket_create(int family, int type,
1587 int protocol, int kern)
1588{
1589 return 0;
1590}
1591
1592static inline int security_socket_post_create(struct socket *sock,
1593 int family,
1594 int type,
1595 int protocol, int kern)
1596{
1597 return 0;
1598}
1599
1600static inline int security_socket_socketpair(struct socket *socka,
1601 struct socket *sockb)
1602{
1603 return 0;
1604}
1605
1606static inline int security_socket_bind(struct socket *sock,
1607 struct sockaddr *address,
1608 int addrlen)
1609{
1610 return 0;
1611}
1612
1613static inline int security_socket_connect(struct socket *sock,
1614 struct sockaddr *address,
1615 int addrlen)
1616{
1617 return 0;
1618}
1619
1620static inline int security_socket_listen(struct socket *sock, int backlog)
1621{
1622 return 0;
1623}
1624
1625static inline int security_socket_accept(struct socket *sock,
1626 struct socket *newsock)
1627{
1628 return 0;
1629}
1630
1631static inline int security_socket_sendmsg(struct socket *sock,
1632 struct msghdr *msg, int size)
1633{
1634 return 0;
1635}
1636
1637static inline int security_socket_recvmsg(struct socket *sock,
1638 struct msghdr *msg, int size,
1639 int flags)
1640{
1641 return 0;
1642}
1643
1644static inline int security_socket_getsockname(struct socket *sock)
1645{
1646 return 0;
1647}
1648
1649static inline int security_socket_getpeername(struct socket *sock)
1650{
1651 return 0;
1652}
1653
1654static inline int security_socket_getsockopt(struct socket *sock,
1655 int level, int optname)
1656{
1657 return 0;
1658}
1659
1660static inline int security_socket_setsockopt(struct socket *sock,
1661 int level, int optname)
1662{
1663 return 0;
1664}
1665
1666static inline int security_socket_shutdown(struct socket *sock, int how)
1667{
1668 return 0;
1669}
1670static inline int security_sock_rcv_skb(struct sock *sk,
1671 struct sk_buff *skb)
1672{
1673 return 0;
1674}
1675
1676static inline int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
1677 int __user *optlen, unsigned len)
1678{
1679 return -ENOPROTOOPT;
1680}
1681
1682static inline int security_socket_getpeersec_dgram(struct socket *sock,
1683 struct sk_buff *skb,
1684 struct lsmblob *blob)
1685{
1686 return -ENOPROTOOPT;
1687}
1688
1689static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
1690{
1691 return 0;
1692}
1693
1694static inline void security_sk_free(struct sock *sk)
1695{
1696}
1697
1698static inline void security_sk_clone(const struct sock *sk, struct sock *newsk)
1699{
1700}
1701
1702static inline void security_sk_classify_flow(struct sock *sk,
1703 struct flowi_common *flic)
1704{
1705}
1706
1707static inline void security_req_classify_flow(const struct request_sock *req,
1708 struct flowi_common *flic)
1709{
1710}
1711
1712static inline void security_sock_graft(struct sock *sk, struct socket *parent)
1713{
1714}
1715
1716static inline int security_inet_conn_request(const struct sock *sk,
1717 struct sk_buff *skb, struct request_sock *req)
1718{
1719 return 0;
1720}
1721
1722static inline void security_inet_csk_clone(struct sock *newsk,
1723 const struct request_sock *req)
1724{
1725}
1726
1727static inline void security_inet_conn_established(struct sock *sk,
1728 struct sk_buff *skb)
1729{
1730}
1731
1732static inline int security_secmark_relabel_packet(struct lsmblob *blob)
1733{
1734 return 0;
1735}
1736
1737static inline void security_secmark_refcount_inc(void)
1738{
1739}
1740
1741static inline void security_secmark_refcount_dec(void)
1742{
1743}
1744
1745static inline int security_tun_dev_alloc_security(void **security)
1746{
1747 return 0;
1748}
1749
1750static inline void security_tun_dev_free_security(void *security)
1751{
1752}
1753
1754static inline int security_tun_dev_create(void)
1755{
1756 return 0;
1757}
1758
1759static inline int security_tun_dev_attach_queue(void *security)
1760{
1761 return 0;
1762}
1763
1764static inline int security_tun_dev_attach(struct sock *sk, void *security)
1765{
1766 return 0;
1767}
1768
1769static inline int security_tun_dev_open(void *security)
1770{
1771 return 0;
1772}
1773
1774static inline int security_sctp_assoc_request(struct sctp_endpoint *ep,
1775 struct sk_buff *skb)
1776{
1777 return 0;
1778}
1779
1780static inline int security_sctp_bind_connect(struct sock *sk, int optname,
1781 struct sockaddr *address,
1782 int addrlen)
1783{
1784 return 0;
1785}
1786
1787static inline void security_sctp_sk_clone(struct sctp_endpoint *ep,
1788 struct sock *sk,
1789 struct sock *newsk)
1790{
1791}
1792#endif /* CONFIG_SECURITY_NETWORK */
1793
1794#ifdef CONFIG_SECURITY_INFINIBAND
1795int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey);
1796int security_ib_endport_manage_subnet(void *sec, const char *name, u8 port_num);
1797int security_ib_alloc_security(void **sec);
1798void security_ib_free_security(void *sec);
1799#else /* CONFIG_SECURITY_INFINIBAND */
1800static inline int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey)
1801{
1802 return 0;
1803}
1804
1805static inline int security_ib_endport_manage_subnet(void *sec, const char *dev_name, u8 port_num)
1806{
1807 return 0;
1808}
1809
1810static inline int security_ib_alloc_security(void **sec)
1811{
1812 return 0;
1813}
1814
1815static inline void security_ib_free_security(void *sec)
1816{
1817}
1818#endif /* CONFIG_SECURITY_INFINIBAND */
1819
1820#ifdef CONFIG_SECURITY_NETWORK_XFRM
1821
1822int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
1823 struct xfrm_user_sec_ctx *sec_ctx, gfp_t gfp);
1824int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctxp);
1825void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx);
1826int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx);
1827int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx);
1828int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
1829 struct xfrm_sec_ctx *polsec, u32 secid);
1830int security_xfrm_state_delete(struct xfrm_state *x);
1831void security_xfrm_state_free(struct xfrm_state *x);
1832int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid);
1833int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
1834 struct xfrm_policy *xp,
1835 const struct flowi_common *flic);
1836int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid);
1837void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic);
1838
1839#else /* CONFIG_SECURITY_NETWORK_XFRM */
1840
1841static inline int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
1842 struct xfrm_user_sec_ctx *sec_ctx,
1843 gfp_t gfp)
1844{
1845 return 0;
1846}
1847
1848static inline int security_xfrm_policy_clone(struct xfrm_sec_ctx *old, struct xfrm_sec_ctx **new_ctxp)
1849{
1850 return 0;
1851}
1852
1853static inline void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
1854{
1855}
1856
1857static inline int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
1858{
1859 return 0;
1860}
1861
1862static inline int security_xfrm_state_alloc(struct xfrm_state *x,
1863 struct xfrm_user_sec_ctx *sec_ctx)
1864{
1865 return 0;
1866}
1867
1868static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
1869 struct xfrm_sec_ctx *polsec, u32 secid)
1870{
1871 return 0;
1872}
1873
1874static inline void security_xfrm_state_free(struct xfrm_state *x)
1875{
1876}
1877
1878static inline int security_xfrm_state_delete(struct xfrm_state *x)
1879{
1880 return 0;
1881}
1882
1883static inline int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
1884{
1885 return 0;
1886}
1887
1888static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
1889 struct xfrm_policy *xp,
1890 const struct flowi_common *flic)
1891{
1892 return 1;
1893}
1894
1895static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
1896{
1897 return 0;
1898}
1899
1900static inline void security_skb_classify_flow(struct sk_buff *skb,
1901 struct flowi_common *flic)
1902{
1903}
1904
1905#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1906
1907#ifdef CONFIG_SECURITY_PATH
1908int security_path_unlink(const struct path *dir, struct dentry *dentry);
1909int security_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t mode);
1910int security_path_rmdir(const struct path *dir, struct dentry *dentry);
1911int security_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode,
1912 unsigned int dev);
1913int security_path_truncate(const struct path *path);
1914int security_path_symlink(const struct path *dir, struct dentry *dentry,
1915 const char *old_name);
1916int security_path_link(struct dentry *old_dentry, const struct path *new_dir,
1917 struct dentry *new_dentry);
1918int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,
1919 const struct path *new_dir, struct dentry *new_dentry,
1920 unsigned int flags);
1921int security_path_chmod(const struct path *path, umode_t mode);
1922int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid);
1923int security_path_chroot(const struct path *path);
1924#else /* CONFIG_SECURITY_PATH */
1925static inline int security_path_unlink(const struct path *dir, struct dentry *dentry)
1926{
1927 return 0;
1928}
1929
1930static inline int security_path_mkdir(const struct path *dir, struct dentry *dentry,
1931 umode_t mode)
1932{
1933 return 0;
1934}
1935
1936static inline int security_path_rmdir(const struct path *dir, struct dentry *dentry)
1937{
1938 return 0;
1939}
1940
1941static inline int security_path_mknod(const struct path *dir, struct dentry *dentry,
1942 umode_t mode, unsigned int dev)
1943{
1944 return 0;
1945}
1946
1947static inline int security_path_truncate(const struct path *path)
1948{
1949 return 0;
1950}
1951
1952static inline int security_path_symlink(const struct path *dir, struct dentry *dentry,
1953 const char *old_name)
1954{
1955 return 0;
1956}
1957
1958static inline int security_path_link(struct dentry *old_dentry,
1959 const struct path *new_dir,
1960 struct dentry *new_dentry)
1961{
1962 return 0;
1963}
1964
1965static inline int security_path_rename(const struct path *old_dir,
1966 struct dentry *old_dentry,
1967 const struct path *new_dir,
1968 struct dentry *new_dentry,
1969 unsigned int flags)
1970{
1971 return 0;
1972}
1973
1974static inline int security_path_chmod(const struct path *path, umode_t mode)
1975{
1976 return 0;
1977}
1978
1979static inline int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
1980{
1981 return 0;
1982}
1983
1984static inline int security_path_chroot(const struct path *path)
1985{
1986 return 0;
1987}
1988#endif /* CONFIG_SECURITY_PATH */
1989
1990#ifdef CONFIG_KEYS
1991#ifdef CONFIG_SECURITY
1992
1993int security_key_alloc(struct key *key, const struct cred *cred, unsigned long flags);
1994void security_key_free(struct key *key);
1995int security_key_permission(key_ref_t key_ref, const struct cred *cred,
1996 enum key_need_perm need_perm);
1997int security_key_getsecurity(struct key *key, char **_buffer);
1998
1999#else
2000
2001static inline int security_key_alloc(struct key *key,
2002 const struct cred *cred,
2003 unsigned long flags)
2004{
2005 return 0;
2006}
2007
2008static inline void security_key_free(struct key *key)
2009{
2010}
2011
2012static inline int security_key_permission(key_ref_t key_ref,
2013 const struct cred *cred,
2014 enum key_need_perm need_perm)
2015{
2016 return 0;
2017}
2018
2019static inline int security_key_getsecurity(struct key *key, char **_buffer)
2020{
2021 *_buffer = NULL;
2022 return 0;
2023}
2024
2025#endif
2026#endif /* CONFIG_KEYS */
2027
2028#ifdef CONFIG_AUDIT
2029#ifdef CONFIG_SECURITY
2030int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
2031int security_audit_rule_known(struct audit_krule *krule);
2032int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
2033 void **lsmrule);
2034void security_audit_rule_free(void **lsmrule);
2035
2036#else
2037
2038static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr,
2039 void **lsmrule)
2040{
2041 return 0;
2042}
2043
2044static inline int security_audit_rule_known(struct audit_krule *krule)
2045{
2046 return 0;
2047}
2048
2049static inline int security_audit_rule_match(struct lsmblob *blob, u32 field,
2050 u32 op, void **lsmrule)
2051{
2052 return 0;
2053}
2054
2055static inline void security_audit_rule_free(void **lsmrule)
2056{ }
2057
2058#endif /* CONFIG_SECURITY */
2059#endif /* CONFIG_AUDIT */
2060
2061#ifdef CONFIG_SECURITYFS
2062
2063extern struct dentry *securityfs_create_file(const char *name, umode_t mode,
2064 struct dentry *parent, void *data,
2065 const struct file_operations *fops);
2066extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent);
2067struct dentry *securityfs_create_symlink(const char *name,
2068 struct dentry *parent,
2069 const char *target,
2070 const struct inode_operations *iops);
2071extern void securityfs_remove(struct dentry *dentry);
2072
2073#else /* CONFIG_SECURITYFS */
2074
2075static inline struct dentry *securityfs_create_dir(const char *name,
2076 struct dentry *parent)
2077{
2078 return ERR_PTR(-ENODEV);
2079}
2080
2081static inline struct dentry *securityfs_create_file(const char *name,
2082 umode_t mode,
2083 struct dentry *parent,
2084 void *data,
2085 const struct file_operations *fops)
2086{
2087 return ERR_PTR(-ENODEV);
2088}
2089
2090static inline struct dentry *securityfs_create_symlink(const char *name,
2091 struct dentry *parent,
2092 const char *target,
2093 const struct inode_operations *iops)
2094{
2095 return ERR_PTR(-ENODEV);
2096}
2097
2098static inline void securityfs_remove(struct dentry *dentry)
2099{}
2100
2101#endif
2102
2103#ifdef CONFIG_BPF_SYSCALL
2104union bpf_attr;
2105struct bpf_map;
2106struct bpf_prog;
2107struct bpf_prog_aux;
2108#ifdef CONFIG_SECURITY
2109extern int security_bpf(int cmd, union bpf_attr *attr, unsigned int size);
2110extern int security_bpf_map(struct bpf_map *map, fmode_t fmode);
2111extern int security_bpf_prog(struct bpf_prog *prog);
2112extern int security_bpf_map_alloc(struct bpf_map *map);
2113extern void security_bpf_map_free(struct bpf_map *map);
2114extern int security_bpf_prog_alloc(struct bpf_prog_aux *aux);
2115extern void security_bpf_prog_free(struct bpf_prog_aux *aux);
2116#else
2117static inline int security_bpf(int cmd, union bpf_attr *attr,
2118 unsigned int size)
2119{
2120 return 0;
2121}
2122
2123static inline int security_bpf_map(struct bpf_map *map, fmode_t fmode)
2124{
2125 return 0;
2126}
2127
2128static inline int security_bpf_prog(struct bpf_prog *prog)
2129{
2130 return 0;
2131}
2132
2133static inline int security_bpf_map_alloc(struct bpf_map *map)
2134{
2135 return 0;
2136}
2137
2138static inline void security_bpf_map_free(struct bpf_map *map)
2139{ }
2140
2141static inline int security_bpf_prog_alloc(struct bpf_prog_aux *aux)
2142{
2143 return 0;
2144}
2145
2146static inline void security_bpf_prog_free(struct bpf_prog_aux *aux)
2147{ }
2148#endif /* CONFIG_SECURITY */
2149#endif /* CONFIG_BPF_SYSCALL */
2150
2151#ifdef CONFIG_PERF_EVENTS
2152struct perf_event_attr;
2153struct perf_event;
2154
2155#ifdef CONFIG_SECURITY
2156extern int security_perf_event_open(struct perf_event_attr *attr, int type);
2157extern int security_perf_event_alloc(struct perf_event *event);
2158extern void security_perf_event_free(struct perf_event *event);
2159extern int security_perf_event_read(struct perf_event *event);
2160extern int security_perf_event_write(struct perf_event *event);
2161#else
2162static inline int security_perf_event_open(struct perf_event_attr *attr,
2163 int type)
2164{
2165 return 0;
2166}
2167
2168static inline int security_perf_event_alloc(struct perf_event *event)
2169{
2170 return 0;
2171}
2172
2173static inline void security_perf_event_free(struct perf_event *event)
2174{
2175}
2176
2177static inline int security_perf_event_read(struct perf_event *event)
2178{
2179 return 0;
2180}
2181
2182static inline int security_perf_event_write(struct perf_event *event)
2183{
2184 return 0;
2185}
2186#endif /* CONFIG_SECURITY */
2187#endif /* CONFIG_PERF_EVENTS */
2188
2189#endif /* ! __LINUX_SECURITY_H */
Ubuntu Jammy Linux kernel mirror