security.c 163 KB

  1. // SPDX-License-Identifier: GPL-2.0-or-later
  2. /*
  3. * Security plug functions
  4. *
  5. * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
  6. * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
  7. * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
  8. * Copyright (C) 2016 Mellanox Technologies
  9. * Copyright (C) 2023 Microsoft Corporation <paul@paul-moore.com>
  10. */
  11. #define pr_fmt(fmt) "LSM: " fmt
  12. #include <linux/bpf.h>
  13. #include <linux/capability.h>
  14. #include <linux/dcache.h>
  15. #include <linux/export.h>
  16. #include <linux/init.h>
  17. #include <linux/kernel.h>
  18. #include <linux/kernel_read_file.h>
  19. #include <linux/lsm_hooks.h>
  20. #include <linux/mman.h>
  21. #include <linux/mount.h>
  22. #include <linux/personality.h>
  23. #include <linux/backing-dev.h>
  24. #include <linux/string.h>
  25. #include <linux/xattr.h>
  26. #include <linux/msg.h>
  27. #include <linux/overflow.h>
  28. #include <linux/perf_event.h>
  29. #include <linux/fs.h>
  30. #include <net/flow.h>
  31. #include <net/sock.h>
  32. #include "lsm.h"
  /*
   * Human-readable text for every reason that can be handed to the
   * security_locked_down() LSM hook. The table is kept in common code so
   * that all security modules audit a lockdown decision with the same
   * wording.
   *
   * Each entry is placed with a designated initializer, so the reason's
   * enum value is also its array index. The array holds
   * LOCKDOWN_CONFIDENTIALITY_MAX + 1 slots; any slot without an initializer
   * below is NULL, so a reader should range-check the reason and tolerate a
   * NULL string before printing it.
   */
  const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {
          [LOCKDOWN_NONE]                 = "none",
          [LOCKDOWN_MODULE_SIGNATURE]     = "unsigned module loading",
          [LOCKDOWN_DEV_MEM]              = "/dev/mem,kmem,port",
          [LOCKDOWN_EFI_TEST]             = "/dev/efi_test access",
          [LOCKDOWN_KEXEC]                = "kexec of unsigned images",
          [LOCKDOWN_HIBERNATION]          = "hibernation",
          [LOCKDOWN_PCI_ACCESS]           = "direct PCI access",
          [LOCKDOWN_IOPORT]               = "raw io port access",
          [LOCKDOWN_MSR]                  = "raw MSR access",
          [LOCKDOWN_ACPI_TABLES]          = "modifying ACPI tables",
          [LOCKDOWN_DEVICE_TREE]          = "modifying device tree contents",
          [LOCKDOWN_PCMCIA_CIS]           = "direct PCMCIA CIS storage",
          [LOCKDOWN_TIOCSSERIAL]          = "reconfiguration of serial port IO",
          [LOCKDOWN_MODULE_PARAMETERS]    = "unsafe module parameters",
          [LOCKDOWN_MMIOTRACE]            = "unsafe mmio",
          [LOCKDOWN_DEBUGFS]              = "debugfs access",
          [LOCKDOWN_XMON_WR]              = "xmon write access",
          [LOCKDOWN_BPF_WRITE_USER]       = "use of bpf to write user RAM",
          [LOCKDOWN_DBG_WRITE_KERNEL]     = "use of kgdb/kdb to write kernel RAM",
          [LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",
          [LOCKDOWN_XEN_USER_ACTIONS]     = "Xen guest user action",
          /* Marker entry: named "integrity" rather than a specific action. */
          [LOCKDOWN_INTEGRITY_MAX]        = "integrity",
          [LOCKDOWN_KCORE]                = "/proc/kcore access",
          [LOCKDOWN_KPROBES]              = "use of kprobes",
          [LOCKDOWN_BPF_READ_KERNEL]      = "use of bpf to read kernel RAM",
          [LOCKDOWN_DBG_READ_KERNEL]      = "use of kgdb/kdb to read kernel RAM",
          [LOCKDOWN_PERF]                 = "unsafe use of perf",
          [LOCKDOWN_TRACEFS]              = "use of tracefs",
          [LOCKDOWN_XMON_RW]              = "xmon read and write access",
          [LOCKDOWN_XFRM_SECRET]          = "xfrm SA secret",
          /* Marker entry: named "confidentiality"; also the last valid index. */
          [LOCKDOWN_CONFIDENTIALITY_MAX]  = "confidentiality",
  };
  /*
   * LSM framework state defined in this file.
   *
   * lsm_debug and lsm_active_cnt carry __ro_after_init, i.e. they are meant
   * to be written only while the kernel initialises. Their users are outside
   * this part of the file.
   */
  bool lsm_debug __ro_after_init;
  unsigned int lsm_active_cnt __ro_after_init;

  /* Room for MAX_LSM_COUNT lsm_id pointers. */
  const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];

  /*
   * Composite blob sizes. The lbs_* members are the sizes the lsm_*_alloc()
   * helpers pass to lsm_blob_alloc(); a size of 0 means no blob is allocated.
   */
  struct lsm_blob_sizes blob_sizes;

  /*
   * Slab caches that back the file and inode blobs. While a cache pointer is
   * NULL, lsm_file_alloc()/lsm_inode_alloc() allocate nothing and leave the
   * object's security pointer NULL.
   */
  struct kmem_cache *lsm_file_cache;
  struct kmem_cache *lsm_inode_cache;
  /* Name of the static key that records whether slot IDX of HOOK is in use. */
  #define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX

  /*
   * Identifier for the LSM static calls.
   * HOOK is an LSM hook as defined in linux/lsm_hook_defs.h
   * IDX is the index of the static call. 0 <= IDX < MAX_LSM_COUNT
   */
  #define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX

  /*
   * Expand the macro M MAX_LSM_COUNT times, wrapped in do { } while (0) so
   * the expansion can be used as a single statement.
   */
  #define LSM_LOOP_UNROLL(M, ...) \
  do { \
          UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) \
  } while (0)

  /* The same expansion without the statement wrapper. */
  #define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__)

  /*
   * Address of the trampoline for slot NUM of hook NAME, or NULL when the
   * kernel is built without CONFIG_HAVE_STATIC_CALL.
   */
  #ifdef CONFIG_HAVE_STATIC_CALL
  #define LSM_HOOK_TRAMP(NAME, NUM) \
          &STATIC_CALL_TRAMP(LSM_STATIC_CALL(NAME, NUM))
  #else
  #define LSM_HOOK_TRAMP(NAME, NUM) NULL
  #endif

  /*
   * Define static calls and static keys for each LSM hook.
   *
   * Every slot gets a static call with a NULL target, typed after the hook's
   * signature (RET and the argument list), plus a static key that starts out
   * false.
   */
  #define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \
          DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \
                                  *((RET(*)(__VA_ARGS__))NULL)); \
          static DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM));

  /*
   * X-macro pass: lsm_hook_defs.h invokes LSM_HOOK() once per hook, and each
   * invocation is unrolled into MAX_LSM_COUNT slot definitions. The helper
   * macros are dropped again right after the include.
   */
  #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
          LSM_DEFINE_UNROLL(DEFINE_LSM_STATIC_CALL, NAME, RET, __VA_ARGS__)
  #include <linux/lsm_hook_defs.h>
  #undef LSM_HOOK
  #undef DEFINE_LSM_STATIC_CALL
  /*
   * Initialise a table of static calls for each LSM hook.
   *
   * The DEFINE_STATIC_CALL_NULL invocations earlier in this file generate a
   * key (STATIC_CALL_KEY) and a trampoline (STATIC_CALL_TRAMP) per slot; both
   * are needed by __static_call_update when a static call is updated. Each
   * table entry records that key, the trampoline (NULL without
   * CONFIG_HAVE_STATIC_CALL) and the slot's "active" static key.
   *
   * Early LSMs use this table. Some architectures fault on unaligned
   * accesses, and the fault handling code may not be ready that early, so the
   * table is aligned to sizeof(u64) to avoid an unhandled fault during early
   * init.
   *
   * The table is marked __ro_after_init: it is meant to be populated during
   * init and not written afterwards.
   */
  struct lsm_static_calls_table
          static_calls_table __ro_after_init __aligned(sizeof(u64)) = {
  /* One table entry for slot NUM of hook NAME. */
  #define INIT_LSM_STATIC_CALL(NUM, NAME) \
          (struct lsm_static_call) { \
                  .key = &STATIC_CALL_KEY(LSM_STATIC_CALL(NAME, NUM)), \
                  .trampoline = LSM_HOOK_TRAMP(NAME, NUM), \
                  .active = &SECURITY_HOOK_ACTIVE_KEY(NAME, NUM), \
          },
  /* One member per hook, holding MAX_LSM_COUNT unrolled entries. */
  #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
          .NAME = { \
                  LSM_DEFINE_UNROLL(INIT_LSM_STATIC_CALL, NAME) \
          },
  #include <linux/lsm_hook_defs.h>
  #undef LSM_HOOK
  #undef INIT_LSM_STATIC_CALL
  };
  /**
   * lsm_file_alloc - allocate a composite file blob
   * @file: the file that needs a blob
   *
   * Point @file->f_security at a zeroed object taken from lsm_file_cache.
   * If lsm_file_cache is NULL nothing is allocated and @file->f_security is
   * set to NULL.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_file_alloc(struct file *file)
  {
          void *blob = NULL;

          /*
           * kmem_cache_zalloc() returns zeroed memory, so the modules never
           * start from stale slab contents.
           */
          if (lsm_file_cache)
                  blob = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL);

          /* A failed allocation leaves NULL in f_security. */
          file->f_security = blob;

          return (lsm_file_cache && !blob) ? -ENOMEM : 0;
  }
  /**
   * lsm_blob_alloc - allocate a composite blob
   * @dest: the destination for the blob
   * @size: the size of the blob
   * @gfp: allocation type
   *
   * Store a freshly zeroed allocation of @size bytes in *@dest. A @size of 0
   * is not an error: *@dest is set to NULL and nothing is allocated.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp)
  {
          /* Nothing requested: hand back NULL rather than a zero-size object. */
          if (!size) {
                  *dest = NULL;
                  return 0;
          }

          /* kzalloc() zero-fills; on failure *dest ends up NULL. */
          *dest = kzalloc(size, gfp);

          return *dest ? 0 : -ENOMEM;
  }
  /**
   * lsm_cred_alloc - allocate a composite cred blob
   * @cred: the cred that needs a blob
   * @gfp: allocation type
   *
   * Allocate @cred->security through lsm_blob_alloc(), sized by
   * blob_sizes.lbs_cred. The blob is shared by all the modules.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  int lsm_cred_alloc(struct cred *cred, gfp_t gfp)
  {
          int rc;

          rc = lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp);

          return rc;
  }
  /**
   * lsm_inode_alloc - allocate a composite inode blob
   * @inode: the inode that needs a blob
   * @gfp: allocation flags
   *
   * Point @inode->i_security at a zeroed object taken from lsm_inode_cache,
   * allocated with @gfp. If lsm_inode_cache is NULL nothing is allocated and
   * @inode->i_security is set to NULL.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_inode_alloc(struct inode *inode, gfp_t gfp)
  {
          if (lsm_inode_cache) {
                  /* Zeroed on success; NULL is stored on failure. */
                  inode->i_security = kmem_cache_zalloc(lsm_inode_cache, gfp);
                  return inode->i_security ? 0 : -ENOMEM;
          }

          /* No cache, so there is no inode blob to allocate. */
          inode->i_security = NULL;
          return 0;
  }
  /**
   * lsm_task_alloc - allocate a composite task blob
   * @task: the task that needs a blob
   *
   * Allocate @task->security through lsm_blob_alloc() with GFP_KERNEL, sized
   * by blob_sizes.lbs_task. The blob is shared by all the modules.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  int lsm_task_alloc(struct task_struct *task)
  {
          void **slot = &task->security;

          return lsm_blob_alloc(slot, blob_sizes.lbs_task, GFP_KERNEL);
  }
  /**
   * lsm_ipc_alloc - allocate a composite ipc blob
   * @kip: the ipc that needs a blob
   *
   * Allocate @kip->security through lsm_blob_alloc() with GFP_KERNEL, sized
   * by blob_sizes.lbs_ipc. The blob is shared by all the modules.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_ipc_alloc(struct kern_ipc_perm *kip)
  {
          int rc = lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc,
                                  GFP_KERNEL);

          return rc;
  }
  235. #ifdef CONFIG_KEYS
  /**
   * lsm_key_alloc - allocate a composite key blob
   * @key: the key that needs a blob
   *
   * Allocate @key->security through lsm_blob_alloc() with GFP_KERNEL, sized
   * by blob_sizes.lbs_key. The blob is shared by all the modules.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_key_alloc(struct key *key)
  {
          void **slot = &key->security;

          return lsm_blob_alloc(slot, blob_sizes.lbs_key, GFP_KERNEL);
  }
  248. #endif /* CONFIG_KEYS */
  /**
   * lsm_msg_msg_alloc - allocate a composite msg_msg blob
   * @mp: the msg_msg that needs a blob
   *
   * Allocate @mp->security through lsm_blob_alloc() with GFP_KERNEL, sized
   * by blob_sizes.lbs_msg_msg. The msg_msg blob is shared by all the modules.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_msg_msg_alloc(struct msg_msg *mp)
  {
          int rc;

          rc = lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg,
                              GFP_KERNEL);

          return rc;
  }
  /**
   * lsm_bdev_alloc - allocate a composite block_device blob
   * @bdev: the block_device that needs a blob
   *
   * Allocate @bdev->bd_security through lsm_blob_alloc() with GFP_KERNEL,
   * sized by blob_sizes.lbs_bdev. The blob is shared by all the modules.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_bdev_alloc(struct block_device *bdev)
  {
          void **slot = &bdev->bd_security;

          return lsm_blob_alloc(slot, blob_sizes.lbs_bdev, GFP_KERNEL);
  }
  275. #ifdef CONFIG_BPF_SYSCALL
  /**
   * lsm_bpf_map_alloc - allocate a composite bpf_map blob
   * @map: the bpf_map that needs a blob
   *
   * Allocate @map->security through lsm_blob_alloc() with GFP_KERNEL, sized
   * by blob_sizes.lbs_bpf_map. The blob is shared by all the modules.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_bpf_map_alloc(struct bpf_map *map)
  {
          int rc = lsm_blob_alloc(&map->security, blob_sizes.lbs_bpf_map,
                                  GFP_KERNEL);

          return rc;
  }
  /**
   * lsm_bpf_prog_alloc - allocate a composite bpf_prog blob
   * @prog: the bpf_prog that needs a blob
   *
   * Allocate the bpf_prog blob shared by all the modules. The blob is attached
   * at @prog->aux->security, so @prog->aux is dereferenced here. The size comes
   * from blob_sizes.lbs_bpf_prog.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_bpf_prog_alloc(struct bpf_prog *prog)
  {
      int rc = lsm_blob_alloc(&prog->aux->security, blob_sizes.lbs_bpf_prog,
                              GFP_KERNEL);

      return rc;
  }
  /**
   * lsm_bpf_token_alloc - allocate a composite bpf_token blob
   * @token: the bpf_token that needs a blob
   *
   * Allocate the bpf_token blob shared by all the modules and attach it at
   * @token->security. The size comes from blob_sizes.lbs_bpf_token.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_bpf_token_alloc(struct bpf_token *token)
  {
      int rc = lsm_blob_alloc(&token->security, blob_sizes.lbs_bpf_token,
                              GFP_KERNEL);

      return rc;
  }
  312. #endif /* CONFIG_BPF_SYSCALL */
  /**
   * lsm_superblock_alloc - allocate a composite superblock blob
   * @sb: the superblock that needs a blob
   *
   * Allocate the superblock blob shared by all the modules and attach it at
   * @sb->s_security. The size comes from blob_sizes.lbs_superblock.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_superblock_alloc(struct super_block *sb)
  {
      int rc = lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock,
                              GFP_KERNEL);

      return rc;
  }
  /**
   * lsm_fill_user_ctx - Fill a user space lsm_ctx structure
   * @uctx: a userspace LSM context to be filled
   * @uctx_len: available uctx size (input), used uctx size (output)
   * @val: the new LSM context value
   * @val_len: the size of the new LSM context value
   * @id: LSM id
   * @flags: LSM defined flags
   *
   * Fill all of the fields in a userspace lsm_ctx structure. If @uctx is NULL
   * simply calculate the required size to output via @uctx_len and return
   * success.
   *
   * The record is built in a zeroed kernel buffer (kzalloc) and handed to
   * userspace with a single copy_to_user() of the full aligned length, so the
   * padding that follows the @val_len context bytes is copied out as zeroes.
   * @uctx_len is overwritten with the required size on every path, including
   * the error ones.
   *
   * Returns 0 on success, -E2BIG if userspace buffer is not large enough,
   * -EFAULT on a copyout error, -ENOMEM if memory can't be allocated.
   */
  int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,
                        void *val, size_t val_len,
                        u64 id, u64 flags)
  {
      struct lsm_ctx *nctx = NULL;
      /* header plus @val_len context bytes, rounded up to pointer alignment */
      size_t nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *));
      int rc = 0;

      if (nctx_len > *uctx_len) {
          rc = -E2BIG;
      } else if (uctx) {
          nctx = kzalloc(nctx_len, GFP_KERNEL);
          if (nctx == NULL) {
              rc = -ENOMEM;
          } else {
              nctx->id = id;
              nctx->flags = flags;
              nctx->len = nctx_len;
              nctx->ctx_len = val_len;
              memcpy(nctx->ctx, val, val_len);

              if (copy_to_user(uctx, nctx, nctx_len))
                  rc = -EFAULT;
          }
      }
      /* a NULL @uctx gets here with rc == 0: the call was a size query */

      kfree(nctx);
      /*
       * NOTE(review): nctx_len is a size_t stored into a u32 here; this
       * assumes @val_len is small enough that the aligned size fits -
       * confirm against the callers.
       */
      *uctx_len = nctx_len;
      return rc;
  }
  /*
   * Default return values of the LSM hooks.
   *
   * The default value of each hook is given in linux/lsm_hook_defs.h and is
   * read back with:
   *
   *     LSM_RET_DEFAULT(<hook_name>)
   *
   * LSM_HOOK() is defined just for the duration of the include below, so that
   * every LSM_HOOK() entry in that header expands to a static constant named
   * <hook_name>_default for an int hook and to nothing for a void hook.
   */
  #define LSM_RET_DEFAULT(NAME) (NAME##_default)
  #define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)
  #define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \
      static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT);
  #define LSM_HOOK(RET, DEFAULT, NAME, ...) \
      DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)
  #include <linux/lsm_hook_defs.h>
  #undef LSM_HOOK
  /*
   * Hook list operation macros.
   *
   * call_void_hook:
   *     Calls a hook that does not return a value. Every slot whose static
   *     key is active is called.
   *
   * call_int_hook:
   *     Calls a hook that returns a value. The result starts out as
   *     LSM_RET_DEFAULT(HOOK); the first active slot that returns anything
   *     other than that default ends the walk and its value becomes the
   *     result. One LSM refusing an operation is therefore enough to refuse
   *     it, and the slots after it are not called.
   *
   * lsm_for_each_hook:
   *     Walks the MAX_LSM_COUNT slots of static_calls_table.NAME and runs the
   *     statement that follows for the slots whose static key is enabled. The
   *     expansion ends in an unbraced "if", so it should be followed by a
   *     braced block; an "else" written after it would bind to that "if".
   *
   * The __CALL_STATIC_* helpers end in "while (0);" with the semicolon
   * included, presumably so that LSM_LOOP_UNROLL can expand them back to
   * back - confirm against its definition.
   */
  #define __CALL_STATIC_VOID(NUM, HOOK, ...) \
  do { \
      if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \
          static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \
      } \
  } while (0);

  #define call_void_hook(HOOK, ...) \
  do { \
      LSM_LOOP_UNROLL(__CALL_STATIC_VOID, HOOK, __VA_ARGS__); \
  } while (0)

  #define __CALL_STATIC_INT(NUM, R, HOOK, LABEL, ...) \
  do { \
      if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \
          R = static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \
          if (R != LSM_RET_DEFAULT(HOOK)) \
              goto LABEL; \
      } \
  } while (0);

  #define call_int_hook(HOOK, ...) \
  ({ \
      __label__ OUT; \
      int RC = LSM_RET_DEFAULT(HOOK); \
      \
      LSM_LOOP_UNROLL(__CALL_STATIC_INT, RC, HOOK, OUT, __VA_ARGS__); \
  OUT: \
      RC; \
  })

  #define lsm_for_each_hook(scall, NAME) \
      for (scall = static_calls_table.NAME; \
           scall - static_calls_table.NAME < MAX_LSM_COUNT; scall++) \
          if (static_key_enabled(&scall->active->key))
  431. /* Security operations */
  /**
   * security_binder_set_context_mgr() - Check if becoming binder ctx mgr is ok
   * @mgr: task credentials of current binder process
   *
   * Ask the active LSMs whether @mgr is allowed to be the binder context
   * manager.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_binder_set_context_mgr(const struct cred *mgr)
  {
      int rc = call_int_hook(binder_set_context_mgr, mgr);

      return rc;
  }
  /**
   * security_binder_transaction() - Check if a binder transaction is allowed
   * @from: sending process
   * @to: receiving process
   *
   * Ask the active LSMs whether @from is allowed to invoke a binder transaction
   * call to @to.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_binder_transaction(const struct cred *from,
                                  const struct cred *to)
  {
      int rc = call_int_hook(binder_transaction, from, to);

      return rc;
  }
  /**
   * security_binder_transfer_binder() - Check if a binder transfer is allowed
   * @from: sending process
   * @to: receiving process
   *
   * Ask the active LSMs whether @from is allowed to transfer a binder reference
   * to @to.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_binder_transfer_binder(const struct cred *from,
                                      const struct cred *to)
  {
      int rc = call_int_hook(binder_transfer_binder, from, to);

      return rc;
  }
  /**
   * security_binder_transfer_file() - Check if a binder file xfer is allowed
   * @from: sending process
   * @to: receiving process
   * @file: file being transferred
   *
   * Ask the active LSMs whether @from is allowed to transfer @file to @to.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_binder_transfer_file(const struct cred *from,
                                    const struct cred *to,
                                    const struct file *file)
  {
      int rc = call_int_hook(binder_transfer_file, from, to, file);

      return rc;
  }
  /**
   * security_ptrace_access_check() - Check if tracing is allowed
   * @child: target process
   * @mode: PTRACE_MODE flags
   *
   * Check permission before allowing the current process to trace the @child
   * process. Security modules may also want to perform a process tracing check
   * during an execve, in the set_security or apply_creds hooks or in the
   * bprm_set_creds hook of binprm_security_ops, if the process is being traced
   * and its security attributes would be changed by the execve.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
  {
      int rc = call_int_hook(ptrace_access_check, child, mode);

      return rc;
  }
  /**
   * security_ptrace_traceme() - Check if tracing is allowed
   * @parent: tracing process
   *
   * Check that the @parent process has sufficient permission to trace the
   * current process. The check is made before the current process is allowed
   * to present itself to the @parent process for tracing.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_ptrace_traceme(struct task_struct *parent)
  {
      int rc = call_int_hook(ptrace_traceme, parent);

      return rc;
  }
  /**
   * security_capget() - Get the capability sets for a process
   * @target: target process
   * @effective: effective capability set
   * @inheritable: inheritable capability set
   * @permitted: permitted capability set
   *
   * Get the @effective, @inheritable, and @permitted capability sets for the
   * @target process. The hook may also perform permission checking to determine
   * if the current process is allowed to see the capability sets of the @target
   * process.
   *
   * Return: Returns 0 if the capability sets were successfully obtained.
   */
  int security_capget(const struct task_struct *target,
                      kernel_cap_t *effective,
                      kernel_cap_t *inheritable,
                      kernel_cap_t *permitted)
  {
      int rc = call_int_hook(capget, target, effective, inheritable, permitted);

      return rc;
  }
  /**
   * security_capset() - Set the capability sets for a process
   * @new: new credentials for the target process
   * @old: current credentials of the target process
   * @effective: effective capability set
   * @inheritable: inheritable capability set
   * @permitted: permitted capability set
   *
   * Set the @effective, @inheritable, and @permitted capability sets for the
   * current process.
   *
   * Return: Returns 0 and update @new if permission is granted.
   */
  int security_capset(struct cred *new, const struct cred *old,
                      const kernel_cap_t *effective,
                      const kernel_cap_t *inheritable,
                      const kernel_cap_t *permitted)
  {
      int rc = call_int_hook(capset, new, old, effective, inheritable,
                             permitted);

      return rc;
  }
  /**
   * security_capable() - Check if a process has the necessary capability
   * @cred: credentials to examine
   * @ns: user namespace
   * @cap: capability requested
   * @opts: capability check options
   *
   * Check whether the @cap capability is held in the indicated credentials,
   * @cred. @cap contains the capability <include/linux/capability.h>.
   * @opts contains options for the capable check <include/linux/security.h>.
   *
   * Return: Returns 0 if the capability is granted.
   */
  int security_capable(const struct cred *cred,
                       struct user_namespace *ns,
                       int cap,
                       unsigned int opts)
  {
      int rc = call_int_hook(capable, cred, ns, cap, opts);

      return rc;
  }
  /**
   * security_quotactl() - Check if a quotactl() syscall is allowed for this fs
   * @cmds: commands
   * @type: type
   * @id: id
   * @sb: filesystem
   *
   * Check whether the quotactl syscall is allowed for this @sb.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_quotactl(int cmds, int type, int id, const struct super_block *sb)
  {
      int rc = call_int_hook(quotactl, cmds, type, id, sb);

      return rc;
  }
  /**
   * security_quota_on() - Check if QUOTAON is allowed for a dentry
   * @dentry: dentry
   *
   * Check whether QUOTAON is allowed for @dentry.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_quota_on(struct dentry *dentry)
  {
      int rc = call_int_hook(quota_on, dentry);

      return rc;
  }
  /**
   * security_syslog() - Check if accessing the kernel message ring is allowed
   * @type: SYSLOG_ACTION_* type
   *
   * Check permission before accessing the kernel message ring or changing
   * logging to the console. See the syslog(2) manual page for an explanation of
   * the @type values.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_syslog(int type)
  {
      int rc = call_int_hook(syslog, type);

      return rc;
  }
  /**
   * security_settime64() - Check if changing the system time is allowed
   * @ts: new time
   * @tz: timezone
   *
   * Check permission to change the system time. struct timespec64 is defined in
   * <include/linux/time64.h> and timezone is defined in <include/linux/time.h>.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_settime64(const struct timespec64 *ts, const struct timezone *tz)
  {
      /* the hook behind this entry point is named "settime" */
      int rc = call_int_hook(settime, ts, tz);

      return rc;
  }
  /**
   * security_vm_enough_memory_mm() - Check if allocating a new mem map is allowed
   * @mm: mm struct
   * @pages: number of pages
   *
   * Check permissions for allocating a new virtual mapping. The vm_enough_memory
   * hook of each active LSM is called in turn. The first hook that returns a
   * negative value ends the walk, and __vm_enough_memory() is then called with
   * cap_sys_admin cleared. If no hook returns a negative value,
   * __vm_enough_memory() is called with cap_sys_admin set.
   *
   * Return: The result of __vm_enough_memory(); 0 if permission is granted by
   * the LSM infrastructure to the caller.
   */
  int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
  {
      struct lsm_static_call *scall;
      int cap_sys_admin = 1;

      /*
       * cap_sys_admin stays set only while every module agrees: a single
       * negative answer clears it and no further module is asked.
       */
      lsm_for_each_hook(scall, vm_enough_memory) {
          if (scall->hl->hook.vm_enough_memory(mm, pages) < 0) {
              cap_sys_admin = 0;
              break;
          }
      }

      return __vm_enough_memory(mm, pages, cap_sys_admin);
  }
  /**
   * security_bprm_creds_for_exec() - Prepare the credentials for exec()
   * @bprm: binary program information
   *
   * If the setup in prepare_exec_creds did not setup @bprm->cred->security
   * properly for executing @bprm->file, update the LSM's portion of
   * @bprm->cred->security to be what commit_creds needs to install for the new
   * program. This hook may also optionally check permissions (e.g. for
   * transitions between security domains). The hook must set @bprm->secureexec
   * to 1 if AT_SECURE should be set to request libc enable secure mode. @bprm
   * contains the linux_binprm structure.
   *
   * If execveat(2) is called with the AT_EXECVE_CHECK flag, bprm->is_check is
   * set. The result must be the same as without this flag, even though the
   * execution will never really happen and @bprm will always be dropped.
   *
   * This hook must not change current->cred, only @bprm->cred.
   *
   * Return: Returns 0 if the hook is successful and permission is granted.
   */
  int security_bprm_creds_for_exec(struct linux_binprm *bprm)
  {
      int rc = call_int_hook(bprm_creds_for_exec, bprm);

      return rc;
  }
  /**
   * security_bprm_creds_from_file() - Update linux_binprm creds based on file
   * @bprm: binary program information
   * @file: associated file
   *
   * If @file is setpcap, suid, sgid or otherwise marked to change privilege upon
   * exec, update @bprm->cred to reflect that change. This is called after
   * finding the binary that will be executed without an interpreter. This
   * ensures that the credentials will not be derived from a script that the
   * binary will need to reopen, which when reopened may end up being a
   * completely different file. This hook may also optionally check permissions
   * (e.g. for transitions between security domains). The hook must set
   * @bprm->secureexec to 1 if AT_SECURE should be set to request libc enable
   * secure mode. The hook must add to @bprm->per_clear any personality flags
   * that should be cleared from current->personality. @bprm contains the
   * linux_binprm structure.
   *
   * Return: Returns 0 if the hook is successful and permission is granted.
   */
  int security_bprm_creds_from_file(struct linux_binprm *bprm,
                                    const struct file *file)
  {
      int rc = call_int_hook(bprm_creds_from_file, bprm, file);

      return rc;
  }
  /**
   * security_bprm_check() - Mediate binary handler search
   * @bprm: binary program information
   *
   * This hook mediates the point when a search for a binary handler will begin.
   * It allows a check against the @bprm->cred->security value which was set in
   * the preceding creds_for_exec call. The argv list and envp list are reliably
   * available in @bprm. This hook may be called multiple times during a single
   * execve. @bprm contains the linux_binprm structure.
   *
   * Return: Returns 0 if the hook is successful and permission is granted.
   */
  int security_bprm_check(struct linux_binprm *bprm)
  {
      /* the hook behind this entry point is named "bprm_check_security" */
      int rc = call_int_hook(bprm_check_security, bprm);

      return rc;
  }
  /**
   * security_bprm_committing_creds() - Install creds for a process during exec()
   * @bprm: binary program information
   *
   * Prepare to install the new security attributes of a process being
   * transformed by an execve operation. The attributes are based on the old
   * credentials pointed to by @current->cred and on the information set in
   * @bprm->cred by the bprm_creds_for_exec hook. @bprm points to the
   * linux_binprm structure. This hook is a good place to perform state changes
   * on the process, such as closing open file descriptors to which access will
   * no longer be granted when the attributes are changed. This is called
   * immediately before commit_creds().
   */
  void security_bprm_committing_creds(const struct linux_binprm *bprm)
  {
      /* void hook: there is no result to collect or to act on */
      call_void_hook(bprm_committing_creds, bprm);
  }
  /**
   * security_bprm_committed_creds() - Tidy up after cred install during exec()
   * @bprm: binary program information
   *
   * Tidy up after the installation of the new security attributes of a process
   * being transformed by an execve operation. The new credentials have, by this
   * point, been set to @current->cred. @bprm points to the linux_binprm
   * structure. This hook is a good place to perform state changes on the
   * process, such as clearing out non-inheritable signal state. This is called
   * immediately after commit_creds().
   */
  void security_bprm_committed_creds(const struct linux_binprm *bprm)
  {
      /* void hook: there is no result to collect or to act on */
      call_void_hook(bprm_committed_creds, bprm);
  }
  /**
   * security_fs_context_submount() - Initialise fc->security
   * @fc: new filesystem context
   * @reference: reference for submount/remount (passed as a struct super_block)
   *
   * Fill out the ->security field for a new fs_context.
   *
   * Return: Returns 0 on success or negative error code on failure.
   */
  int security_fs_context_submount(struct fs_context *fc,
                                   struct super_block *reference)
  {
      int rc = call_int_hook(fs_context_submount, fc, reference);

      return rc;
  }
  /**
   * security_fs_context_dup() - Duplicate a fs_context LSM blob
   * @fc: destination filesystem context
   * @src_fc: source filesystem context
   *
   * Allocate and attach a security structure to @fc->security. This pointer is
   * initialised to NULL by the caller. @fc indicates the new filesystem context.
   * @src_fc indicates the original filesystem context.
   *
   * Return: Returns 0 on success or a negative error code on failure.
   */
  int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc)
  {
      int rc = call_int_hook(fs_context_dup, fc, src_fc);

      return rc;
  }
  /**
   * security_fs_context_parse_param() - Configure a filesystem context
   * @fc: filesystem context
   * @param: filesystem parameter
   *
   * Userspace provided a parameter to configure a superblock. The LSM can
   * consume the parameter or return it to the caller for use elsewhere.
   *
   * Every active LSM is offered the parameter, even after one of them has
   * consumed it. The walk stops early only when an LSM returns an error other
   * than -ENOPARAM, and that error is returned as is.
   *
   * Return: If the parameter is used by the LSM it should return 0, if it is
   * returned to the caller -ENOPARAM is returned, otherwise a negative
   * error code is returned.
   */
  int security_fs_context_parse_param(struct fs_context *fc,
                                      struct fs_parameter *param)
  {
      struct lsm_static_call *scall;
      int rc = -ENOPARAM;

      lsm_for_each_hook(scall, fs_context_parse_param) {
          int trc = scall->hl->hook.fs_context_parse_param(fc, param);

          /* this LSM did not recognise the parameter */
          if (trc == -ENOPARAM)
              continue;
          /* a real failure from any LSM wins over earlier successes */
          if (trc != 0)
              return trc;
          rc = 0;
      }

      return rc;
  }
  /**
   * security_sb_alloc() - Allocate a super_block LSM blob
   * @sb: filesystem superblock
   *
   * Allocate and attach a security structure to the sb->s_security field. The
   * s_security field is initialized to NULL when the structure is allocated.
   * @sb contains the super_block structure to be modified.
   *
   * The blob is allocated first and the sb_alloc_security hooks run second. If
   * a hook fails, the blob is released again through security_sb_free() before
   * the error is returned.
   *
   * Return: Returns 0 if operation was successful.
   */
  int security_sb_alloc(struct super_block *sb)
  {
      int rc;

      rc = lsm_superblock_alloc(sb);
      if (unlikely(rc))
          return rc;

      rc = call_int_hook(sb_alloc_security, sb);
      if (unlikely(rc)) {
          /* unwind: runs the sb_free_security hooks and frees the blob */
          security_sb_free(sb);
      }

      return rc;
  }
  /**
   * security_sb_delete() - Release super_block LSM associated objects
   * @sb: filesystem superblock
   *
   * Release objects tied to a superblock (e.g. inodes). @sb contains the
   * super_block structure being released.
   */
  void security_sb_delete(struct super_block *sb)
  {
      /* void hook: there is no result to collect or to act on */
      call_void_hook(sb_delete, sb);
  }
  /**
   * security_sb_free() - Free a super_block LSM blob
   * @sb: filesystem superblock
   *
   * Deallocate and clear the sb->s_security field. @sb contains the super_block
   * structure to be modified.
   */
  void security_sb_free(struct super_block *sb)
  {
      /* the hooks run first, while sb->s_security still points at the blob */
      call_void_hook(sb_free_security, sb);

      kfree(sb->s_security);
      /* clear the field so that no stale pointer to the freed blob remains */
      sb->s_security = NULL;
  }
  /**
   * security_free_mnt_opts() - Free memory associated with mount options
   * @mnt_opts: LSM processed mount options
   *
   * Free memory associated with @mnt_opts. Nothing happens when *@mnt_opts is
   * already NULL. Otherwise the sb_free_mnt_opts hooks are called and
   * *@mnt_opts is reset to NULL, so a second call is harmless.
   */
  void security_free_mnt_opts(void **mnt_opts)
  {
      if (*mnt_opts) {
          call_void_hook(sb_free_mnt_opts, *mnt_opts);
          *mnt_opts = NULL;
      }
  }
  EXPORT_SYMBOL(security_free_mnt_opts);
  /**
   * security_sb_eat_lsm_opts() - Consume LSM mount options
   * @options: mount options
   * @mnt_opts: LSM processed mount options
   *
   * Eat (scan @options) and save them in @mnt_opts.
   *
   * Return: Returns 0 on success, negative values on failure.
   */
  int security_sb_eat_lsm_opts(char *options, void **mnt_opts)
  {
      int rc = call_int_hook(sb_eat_lsm_opts, options, mnt_opts);

      return rc;
  }
  EXPORT_SYMBOL(security_sb_eat_lsm_opts);
  /**
   * security_sb_mnt_opts_compat() - Check if new mount options are allowed
   * @sb: filesystem superblock
   * @mnt_opts: new mount options
   *
   * Determine if the new mount options in @mnt_opts are allowed given the
   * existing mounted filesystem at @sb. @sb is the superblock being compared.
   *
   * Return: Returns 0 if options are compatible.
   */
  int security_sb_mnt_opts_compat(struct super_block *sb,
                                  void *mnt_opts)
  {
      int rc = call_int_hook(sb_mnt_opts_compat, sb, mnt_opts);

      return rc;
  }
  EXPORT_SYMBOL(security_sb_mnt_opts_compat);
  /**
   * security_sb_remount() - Verify no incompatible mount changes during remount
   * @sb: filesystem superblock
   * @mnt_opts: (re)mount options
   *
   * Extracts security system specific mount options and verifies no changes are
   * being made to those options.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_sb_remount(struct super_block *sb,
                          void *mnt_opts)
  {
      int rc = call_int_hook(sb_remount, sb, mnt_opts);

      return rc;
  }
  EXPORT_SYMBOL(security_sb_remount);
  /**
   * security_sb_kern_mount() - Check if a kernel mount is allowed
   * @sb: filesystem superblock
   *
   * Mount this @sb if allowed by permissions.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_sb_kern_mount(const struct super_block *sb)
  {
      int rc = call_int_hook(sb_kern_mount, sb);

      return rc;
  }
  /**
   * security_sb_show_options() - Output the mount options for a superblock
   * @m: output file
   * @sb: filesystem superblock
   *
   * Show (print on @m) mount options for this @sb.
   *
   * Return: Returns 0 on success, negative values on failure.
   */
  int security_sb_show_options(struct seq_file *m, struct super_block *sb)
  {
      int rc = call_int_hook(sb_show_options, m, sb);

      return rc;
  }
  /**
   * security_sb_statfs() - Check if accessing fs stats is allowed
   * @dentry: superblock handle
   *
   * Check permission before obtaining filesystem statistics. @dentry is a
   * handle on the superblock for the filesystem.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_sb_statfs(struct dentry *dentry)
  {
      int rc = call_int_hook(sb_statfs, dentry);

      return rc;
  }
  /**
   * security_sb_mount() - Check permission for mounting a filesystem
   * @dev_name: filesystem backing device
   * @path: mount point
   * @type: filesystem type
   * @flags: mount flags
   * @data: filesystem specific data
   *
   * Check permission before an object specified by @dev_name is mounted on the
   * mount point named by @path. For an ordinary mount, @dev_name identifies a
   * device if the file system type requires a device. For a remount
   * (@flags & MS_REMOUNT), @dev_name is irrelevant. For a loopback/bind mount
   * (@flags & MS_BIND), @dev_name identifies the pathname of the object being
   * mounted.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_sb_mount(const char *dev_name, const struct path *path,
                        const char *type, unsigned long flags, void *data)
  {
      int rc = call_int_hook(sb_mount, dev_name, path, type, flags, data);

      return rc;
  }
  /**
   * security_sb_umount() - Check permission for unmounting a filesystem
   * @mnt: mounted filesystem
   * @flags: unmount flags
   *
   * Check permission before the @mnt file system is unmounted.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_sb_umount(struct vfsmount *mnt, int flags)
  {
      int rc = call_int_hook(sb_umount, mnt, flags);

      return rc;
  }
  /**
   * security_sb_pivotroot() - Check permissions for pivoting the rootfs
   * @old_path: new location for current rootfs
   * @new_path: location of the new rootfs
   *
   * Check permission before pivoting the root filesystem.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_sb_pivotroot(const struct path *old_path,
                            const struct path *new_path)
  {
      int rc = call_int_hook(sb_pivotroot, old_path, new_path);

      return rc;
  }
  /**
   * security_sb_set_mnt_opts() - Set the mount options for a filesystem
   * @sb: filesystem superblock
   * @mnt_opts: binary mount options
   * @kern_flags: kernel flags (in)
   * @set_kern_flags: kernel flags (out)
   *
   * Set the security relevant mount options used for a superblock.
   *
   * When @mnt_opts is non-NULL and no LSM has an active sb_set_mnt_opts hook,
   * the result is -EOPNOTSUPP, so the supplied options are not silently
   * ignored. Once a hook has run, its return value replaces that initial
   * value, and the walk stops at the first hook that returns something other
   * than the hook default.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_sb_set_mnt_opts(struct super_block *sb,
                               void *mnt_opts,
                               unsigned long kern_flags,
                               unsigned long *set_kern_flags)
  {
      struct lsm_static_call *scall;
      int rc;

      if (mnt_opts)
          rc = -EOPNOTSUPP;
      else
          rc = LSM_RET_DEFAULT(sb_set_mnt_opts);

      lsm_for_each_hook(scall, sb_set_mnt_opts) {
          rc = scall->hl->hook.sb_set_mnt_opts(sb, mnt_opts, kern_flags,
                                               set_kern_flags);
          if (rc != LSM_RET_DEFAULT(sb_set_mnt_opts))
              break;
      }

      return rc;
  }
  EXPORT_SYMBOL(security_sb_set_mnt_opts);
  /**
   * security_sb_clone_mnt_opts() - Duplicate superblock mount options
   * @oldsb: source superblock
   * @newsb: destination superblock
   * @kern_flags: kernel flags (in)
   * @set_kern_flags: kernel flags (out)
   *
   * Copy all security options from a given superblock to another.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_sb_clone_mnt_opts(const struct super_block *oldsb,
                                 struct super_block *newsb,
                                 unsigned long kern_flags,
                                 unsigned long *set_kern_flags)
  {
      int rc = call_int_hook(sb_clone_mnt_opts, oldsb, newsb,
                             kern_flags, set_kern_flags);

      return rc;
  }
  EXPORT_SYMBOL(security_sb_clone_mnt_opts);
  /**
   * security_move_mount() - Check permissions for moving a mount
   * @from_path: source mount point
   * @to_path: destination mount point
   *
   * Check permission before a mount is moved.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_move_mount(const struct path *from_path,
                          const struct path *to_path)
  {
      int rc = call_int_hook(move_mount, from_path, to_path);

      return rc;
  }
  /**
   * security_path_notify() - Check if setting a watch is allowed
   * @path: file path
   * @mask: event mask
   * @obj_type: file path type
   *
   * Check permissions before setting a watch on events as defined by @mask, on
   * an object at @path, whose type is defined by @obj_type.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_notify(const struct path *path, u64 mask,
                           unsigned int obj_type)
  {
      int rc = call_int_hook(path_notify, path, mask, obj_type);

      return rc;
  }
  /**
   * security_inode_alloc() - Allocate an inode LSM blob
   * @inode: the inode
   * @gfp: allocation flags
   *
   * Allocate and attach a security structure to @inode->i_security. The
   * i_security field is initialized to NULL when the inode structure is
   * allocated.
   *
   * The blob is allocated first and the inode_alloc_security hooks run second.
   * If a hook fails, the inode's LSM state is released again through
   * security_inode_free() before the error is returned.
   *
   * Return: Returns 0 if operation was successful.
   */
  int security_inode_alloc(struct inode *inode, gfp_t gfp)
  {
      int rc;

      rc = lsm_inode_alloc(inode, gfp);
      if (unlikely(rc))
          return rc;

      rc = call_int_hook(inode_alloc_security, inode);
      if (unlikely(rc)) {
          /* unwind the blob allocated above */
          security_inode_free(inode);
      }

      return rc;
  }
  /*
   * RCU callback that finishes releasing an inode's LSM blob. @head is handed
   * to the inode_free_security_rcu hooks and then to kmem_cache_free(), which
   * works because the rcu head sits at the start of the inode blob.
   */
  static void inode_free_by_rcu(struct rcu_head *head)
  {
      /* the hooks must run before the blob goes back to lsm_inode_cache */
      call_void_hook(inode_free_security_rcu, head);
      kmem_cache_free(lsm_inode_cache, head);
  }
  /**
   * security_inode_free() - Free an inode's LSM blob
   * @inode: the inode
   *
   * Release any LSM resources associated with @inode. Due to the inode's RCU
   * protections it is possible that the resources will not be fully released
   * until after the current RCU grace period has elapsed.
   *
   * It is important for LSMs to note that despite being present in a call to
   * security_inode_free(), @inode may still be referenced in a VFS path walk
   * and calls to security_inode_permission() may be made during, or after,
   * a call to security_inode_free(). For this reason the inode->i_security
   * field is released via a call_rcu() callback and any LSMs which need to
   * retain inode state for use in security_inode_permission() should only
   * release that state in the inode_free_security_rcu() LSM hook callback.
   */
  void security_inode_free(struct inode *inode)
  {
      call_void_hook(inode_free_security, inode);

      /*
       * The blob is not freed here, and inode->i_security is left pointing
       * at it; the free is queued and happens in inode_free_by_rcu().
       */
      if (inode->i_security)
          call_rcu((struct rcu_head *)inode->i_security, inode_free_by_rcu);
  }
  /**
   * security_dentry_init_security() - Perform dentry initialization
   * @dentry: the dentry to initialize
   * @mode: mode used to determine resource type
   * @name: name of the last path component
   * @xattr_name: name of the security/LSM xattr
   * @lsmctx: pointer to the resulting LSM context
   *
   * Compute a context for a dentry; the inode is not yet available at this
   * point, and NFSv4 has no label backed by an EA anyway.  The string
   * returned through @xattr_name is static and must not be freed by the
   * caller.
   *
   * Return: Returns 0 on success, negative values on failure.
   */
  int security_dentry_init_security(struct dentry *dentry, int mode,
                                    const struct qstr *name,
                                    const char **xattr_name,
                                    struct lsm_context *lsmctx)
  {
      int rc;

      rc = call_int_hook(dentry_init_security, dentry, mode, name,
                         xattr_name, lsmctx);
      return rc;
  }
  EXPORT_SYMBOL(security_dentry_init_security);
  /**
   * security_dentry_create_files_as() - Perform dentry initialization
   * @dentry: the dentry to initialize
   * @mode: mode used to determine resource type
   * @name: name of the last path component
   * @old: creds to use for LSM context calculations
   * @new: creds to modify
   *
   * Compute a context for a dentry whose inode is not yet available and
   * store that context in @new, so that new files are created with it.  The
   * context is derived from the creds passed in as @old, not from the creds
   * of the calling task.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_dentry_create_files_as(struct dentry *dentry, int mode,
                                      const struct qstr *name,
                                      const struct cred *old, struct cred *new)
  {
      int rc;

      rc = call_int_hook(dentry_create_files_as, dentry, mode, name, old, new);
      return rc;
  }
  EXPORT_SYMBOL(security_dentry_create_files_as);
  /**
   * security_inode_init_security() - Initialize an inode's LSM context
   * @inode: the inode
   * @dir: parent directory
   * @qstr: last component of the pathname
   * @initxattrs: callback function to write xattrs
   * @fs_data: filesystem specific data
   *
   * Obtain the security attribute name suffix and value to set on a newly
   * created inode and set up the incore security field for the new inode.
   * The fs code calls this as part of the inode creation transaction, which
   * gives atomic labeling of the inode, unlike the post_create/mkdir/...
   * hooks called by the VFS.
   *
   * Each hook is expected to fill in the xattrs array by calling
   * lsm_get_xattr_slot() for the slots the security module reserved through
   * the lbs_xattr_count field of the lsm_blob_sizes structure.  For every
   * slot the hook sets ->name to the attribute name suffix (e.g. selinux),
   * allocates ->value and stores the attribute value in it, and sets
   * ->value_len to the length of the value.  The ->value buffers are freed
   * here, on success and on failure alike.  A security module that does not
   * use security attributes, or does not want one on this particular inode,
   * returns -EOPNOTSUPP to skip this processing.
   *
   * Return: Returns 0 if the LSM successfully initialized all of the inode
   * security attributes that are required, negative values otherwise.
   */
  int security_inode_init_security(struct inode *inode, struct inode *dir,
                                   const struct qstr *qstr,
                                   const initxattrs initxattrs, void *fs_data)
  {
      struct lsm_static_call *scall;
      struct xattr *new_xattrs = NULL;
      int xattr_count = 0;
      int ret = -EOPNOTSUPP;

      /* Private inodes and "no LSM reserved a slot" both mean: nothing to do. */
      if (unlikely(IS_PRIVATE(inode)) || !blob_sizes.lbs_xattr_count)
          return 0;

      if (initxattrs) {
          /* One slot more than reserved, left zeroed as the terminator. */
          new_xattrs = kcalloc(blob_sizes.lbs_xattr_count + 1,
                               sizeof(*new_xattrs), GFP_NOFS);
          if (!new_xattrs)
              return -ENOMEM;
      }

      lsm_for_each_hook(scall, inode_init_security) {
          ret = scall->hl->hook.inode_init_security(inode, dir, qstr,
                                                    new_xattrs,
                                                    &xattr_count);
          /*
           * As documented in lsm_hooks.h, -EOPNOTSUPP in this context
           * means that the LSM is not willing to provide an xattr, not
           * that it wants to signal an error, so the remaining LSMs are
           * still invoked.  Any other non-zero value aborts the walk.
           */
          if (ret && ret != -EOPNOTSUPP)
              goto out;
      }

      /*
       * If initxattrs() is NULL, xattr_count is zero and the call is
       * skipped.  NOTE(review): this relies on every hook leaving
       * xattr_count untouched when it is handed a NULL array; a hook that
       * incremented it anyway would make the call below, and the cleanup
       * loop, go through NULL pointers.
       */
      if (xattr_count)
          ret = initxattrs(inode, new_xattrs, fs_data);

  out:
      /* Release the values the LSMs allocated, last filled slot first. */
      while (xattr_count > 0) {
          xattr_count--;
          kfree(new_xattrs[xattr_count].value);
      }
      kfree(new_xattrs);

      if (ret == -EOPNOTSUPP)
          return 0;
      return ret;
  }
  EXPORT_SYMBOL(security_inode_init_security);
  /**
   * security_inode_init_security_anon() - Initialize an anonymous inode
   * @inode: the inode
   * @name: the anonymous inode class
   * @context_inode: an optional related inode
   *
   * Set up the incore security field for the new anonymous inode and report
   * whether the security module permits the creation of this inode.
   *
   * Return: Returns 0 on success, -EACCES if the security module denies the
   * creation of this inode, or another -errno upon other errors.
   */
  int security_inode_init_security_anon(struct inode *inode,
                                        const struct qstr *name,
                                        const struct inode *context_inode)
  {
      int rc;

      rc = call_int_hook(inode_init_security_anon, inode, name, context_inode);
      return rc;
  }
  1269. #ifdef CONFIG_SECURITY_PATH
  /**
   * security_path_mknod() - Check if creating a special file is allowed
   * @dir: parent directory
   * @dentry: new file
   * @mode: new file mode
   * @dev: device number
   *
   * Check permissions when creating a file.  Note that this hook is called
   * even if the mknod operation is being done for a regular file.  When the
   * backing inode of the parent directory is private, no hook runs and the
   * operation is allowed.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_mknod(const struct path *dir, struct dentry *dentry,
                          umode_t mode, unsigned int dev)
  {
      struct inode *dir_inode = d_backing_inode(dir->dentry);

      if (unlikely(IS_PRIVATE(dir_inode)))
          return 0;

      return call_int_hook(path_mknod, dir, dentry, mode, dev);
  }
  EXPORT_SYMBOL(security_path_mknod);
  /**
   * security_path_post_mknod() - Update inode security after reg file creation
   * @idmap: idmap of the mount
   * @dentry: new file
   *
   * Update the inode security field after a regular file has been created.
   * Nothing is done when the backing inode of @dentry is private.
   */
  void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry *dentry)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return;

      call_void_hook(path_post_mknod, idmap, dentry);
  }
  /**
   * security_path_mkdir() - Check if creating a new directory is allowed
   * @dir: parent directory
   * @dentry: new directory
   * @mode: new directory mode
   *
   * Check permissions to create a new directory in the existing directory.
   * When the backing inode of the parent directory is private, no hook runs
   * and the operation is allowed.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_mkdir(const struct path *dir, struct dentry *dentry,
                          umode_t mode)
  {
      struct inode *dir_inode = d_backing_inode(dir->dentry);

      if (unlikely(IS_PRIVATE(dir_inode)))
          return 0;

      return call_int_hook(path_mkdir, dir, dentry, mode);
  }
  EXPORT_SYMBOL(security_path_mkdir);
  /**
   * security_path_rmdir() - Check if removing a directory is allowed
   * @dir: parent directory
   * @dentry: directory to remove
   *
   * Check the permission to remove a directory.  The private-inode test is
   * made on the parent directory, not on the directory being removed.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_rmdir(const struct path *dir, struct dentry *dentry)
  {
      struct inode *dir_inode = d_backing_inode(dir->dentry);

      if (unlikely(IS_PRIVATE(dir_inode)))
          return 0;

      return call_int_hook(path_rmdir, dir, dentry);
  }
  /**
   * security_path_unlink() - Check if removing a hard link is allowed
   * @dir: parent directory
   * @dentry: file
   *
   * Check the permission to remove a hard link to a file.  The private-inode
   * test is made on the parent directory, not on the file being unlinked.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_unlink(const struct path *dir, struct dentry *dentry)
  {
      struct inode *dir_inode = d_backing_inode(dir->dentry);

      if (unlikely(IS_PRIVATE(dir_inode)))
          return 0;

      return call_int_hook(path_unlink, dir, dentry);
  }
  EXPORT_SYMBOL(security_path_unlink);
  /**
   * security_path_symlink() - Check if creating a symbolic link is allowed
   * @dir: parent directory
   * @dentry: symbolic link
   * @old_name: file pathname
   *
   * Check the permission to create a symbolic link to a file.  When the
   * backing inode of the parent directory is private, no hook runs and the
   * operation is allowed.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_symlink(const struct path *dir, struct dentry *dentry,
                            const char *old_name)
  {
      struct inode *dir_inode = d_backing_inode(dir->dentry);

      if (unlikely(IS_PRIVATE(dir_inode)))
          return 0;

      return call_int_hook(path_symlink, dir, dentry, old_name);
  }
  /**
   * security_path_link() - Check if creating a hard link is allowed
   * @old_dentry: existing file
   * @new_dir: new parent directory
   * @new_dentry: new link
   *
   * Check permission before creating a new hard link to a file.  The
   * private-inode test is made on the existing file (@old_dentry); the new
   * parent directory is not tested here.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_link(struct dentry *old_dentry, const struct path *new_dir,
                         struct dentry *new_dentry)
  {
      struct inode *old_inode = d_backing_inode(old_dentry);

      if (unlikely(IS_PRIVATE(old_inode)))
          return 0;

      return call_int_hook(path_link, old_dentry, new_dir, new_dentry);
  }
  /**
   * security_path_rename() - Check if renaming a file is allowed
   * @old_dir: parent directory of the old file
   * @old_dentry: the old file
   * @new_dir: parent directory of the new file
   * @new_dentry: the new file
   * @flags: flags
   *
   * Check for permission to rename a file or directory.  No hook runs, and
   * the rename is allowed, when the old file's inode is private or when
   * @new_dentry is positive and its inode is private.  @flags is passed on
   * to the path_rename hook unchanged.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,
                           const struct path *new_dir, struct dentry *new_dentry,
                           unsigned int flags)
  {
      if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))
          return 0;

      /* The target's inode is only looked at when the dentry is positive. */
      if (unlikely(d_is_positive(new_dentry) &&
                   IS_PRIVATE(d_backing_inode(new_dentry))))
          return 0;

      return call_int_hook(path_rename, old_dir, old_dentry, new_dir,
                           new_dentry, flags);
  }
  EXPORT_SYMBOL(security_path_rename);
  /**
   * security_path_truncate() - Check if truncating a file is allowed
   * @path: file
   *
   * Check permission before truncating the file indicated by @path.  Note
   * that truncation permissions may also be checked based on already opened
   * files, using the security_file_truncate() hook.  No hook runs when the
   * file's backing inode is private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_truncate(const struct path *path)
  {
      struct inode *inode = d_backing_inode(path->dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(path_truncate, path);
  }
  /**
   * security_path_chmod() - Check if changing the file's mode is allowed
   * @path: file
   * @mode: new mode
   *
   * Check for permission to change the mode of the file @path.  The new mode
   * is given in @mode, a bitmask of constants from
   * <include/uapi/linux/stat.h>.  No hook runs when the file's backing inode
   * is private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_chmod(const struct path *path, umode_t mode)
  {
      struct inode *inode = d_backing_inode(path->dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(path_chmod, path, mode);
  }
  /**
   * security_path_chown() - Check if changing the file's owner/group is allowed
   * @path: file
   * @uid: file owner
   * @gid: file group
   *
   * Check for permission to change owner/group of a file or directory.  No
   * hook runs when the backing inode of @path is private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
  {
      struct inode *inode = d_backing_inode(path->dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(path_chown, path, uid, gid);
  }
  /**
   * security_path_chroot() - Check if changing the root directory is allowed
   * @path: directory
   *
   * Check for permission to change root directory.  Unlike most of the
   * other security_path_*() wrappers in this section, this one has no
   * IS_PRIVATE() short-circuit: the request always goes to the path_chroot
   * hook chain.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_path_chroot(const struct path *path)
  {
      int rc = call_int_hook(path_chroot, path);

      return rc;
  }
  1471. #endif /* CONFIG_SECURITY_PATH */
  /**
   * security_inode_create() - Check if creating a file is allowed
   * @dir: the parent directory
   * @dentry: the file being created
   * @mode: requested file mode
   *
   * Check permission to create a regular file.  When the parent directory
   * inode is private, no hook runs and the creation is allowed.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_create(struct inode *dir, struct dentry *dentry,
                            umode_t mode)
  {
      int rc = 0;

      if (likely(!IS_PRIVATE(dir)))
          rc = call_int_hook(inode_create, dir, dentry, mode);

      return rc;
  }
  EXPORT_SYMBOL_GPL(security_inode_create);
  /**
   * security_inode_post_create_tmpfile() - Update inode security of new tmpfile
   * @idmap: idmap of the mount
   * @inode: inode of the new tmpfile
   *
   * Update inode security data after a tmpfile has been created.  Nothing is
   * done for a private inode.
   */
  void security_inode_post_create_tmpfile(struct mnt_idmap *idmap,
                                          struct inode *inode)
  {
      if (likely(!IS_PRIVATE(inode)))
          call_void_hook(inode_post_create_tmpfile, idmap, inode);
  }
  /**
   * security_inode_link() - Check if creating a hard link is allowed
   * @old_dentry: existing file
   * @dir: new parent directory
   * @new_dentry: new link
   *
   * Check permission before creating a new hard link to a file.  The
   * private-inode test is made on the existing file (@old_dentry); @dir is
   * not tested here.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_link(struct dentry *old_dentry, struct inode *dir,
                          struct dentry *new_dentry)
  {
      struct inode *old_inode = d_backing_inode(old_dentry);

      if (unlikely(IS_PRIVATE(old_inode)))
          return 0;

      return call_int_hook(inode_link, old_dentry, dir, new_dentry);
  }
  /**
   * security_inode_unlink() - Check if removing a hard link is allowed
   * @dir: parent directory
   * @dentry: file
   *
   * Check the permission to remove a hard link to a file.  The private-inode
   * test is made on the file being unlinked (@dentry), not on @dir.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_unlink(struct inode *dir, struct dentry *dentry)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_unlink, dir, dentry);
  }
  /**
   * security_inode_symlink() - Check if creating a symbolic link is allowed
   * @dir: parent directory
   * @dentry: symbolic link
   * @old_name: existing filename
   *
   * Check the permission to create a symbolic link to a file.  When the
   * parent directory inode is private, no hook runs and the creation is
   * allowed.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_symlink(struct inode *dir, struct dentry *dentry,
                             const char *old_name)
  {
      int rc = 0;

      if (likely(!IS_PRIVATE(dir)))
          rc = call_int_hook(inode_symlink, dir, dentry, old_name);

      return rc;
  }
  /**
   * security_inode_mkdir() - Check if creating a new directory is allowed
   * @dir: parent directory
   * @dentry: new directory
   * @mode: new directory mode
   *
   * Check permissions to create a new directory in the existing directory
   * associated with inode structure @dir.  When @dir is private, no hook
   * runs and the creation is allowed.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
  {
      int rc = 0;

      if (likely(!IS_PRIVATE(dir)))
          rc = call_int_hook(inode_mkdir, dir, dentry, mode);

      return rc;
  }
  EXPORT_SYMBOL_GPL(security_inode_mkdir);
  /**
   * security_inode_rmdir() - Check if removing a directory is allowed
   * @dir: parent directory
   * @dentry: directory to be removed
   *
   * Check the permission to remove a directory.  The private-inode test is
   * made on the directory being removed (@dentry), not on @dir.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_rmdir, dir, dentry);
  }
  /**
   * security_inode_mknod() - Check if creating a special file is allowed
   * @dir: parent directory
   * @dentry: new file
   * @mode: new file mode
   * @dev: device number
   *
   * Check permissions when creating a special file (or a socket or a fifo
   * file created via the mknod system call).  Note that if the mknod
   * operation is being done for a regular file, then the create hook will be
   * called and not this hook.  When @dir is private, no hook runs and the
   * creation is allowed.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_mknod(struct inode *dir, struct dentry *dentry,
                           umode_t mode, dev_t dev)
  {
      int rc = 0;

      if (likely(!IS_PRIVATE(dir)))
          rc = call_int_hook(inode_mknod, dir, dentry, mode, dev);

      return rc;
  }
  /**
   * security_inode_rename() - Check if renaming a file is allowed
   * @old_dir: parent directory of the old file
   * @old_dentry: the old file
   * @new_dir: parent directory of the new file
   * @new_dentry: the new file
   * @flags: flags
   *
   * Check for permission to rename a file or directory.  No hook runs, and
   * the rename is allowed, when the old file's inode is private or when
   * @new_dentry is positive and its inode is private.
   *
   * @flags is consumed here and is not passed on to the inode_rename hook.
   * With RENAME_EXCHANGE the hook chain is run twice, first for the move of
   * the new entry onto the old one and then for the usual direction; a
   * non-zero result from the first run is returned without doing the second.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
                            struct inode *new_dir, struct dentry *new_dentry,
                            unsigned int flags)
  {
      int rc;

      if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))
          return 0;

      /* The target's inode is only looked at when the dentry is positive. */
      if (unlikely(d_is_positive(new_dentry) &&
                   IS_PRIVATE(d_backing_inode(new_dentry))))
          return 0;

      if (flags & RENAME_EXCHANGE) {
          /* An exchange also moves new -> old, so authorise that too. */
          rc = call_int_hook(inode_rename, new_dir, new_dentry,
                             old_dir, old_dentry);
          if (rc)
              return rc;
      }

      return call_int_hook(inode_rename, old_dir, old_dentry,
                           new_dir, new_dentry);
  }
  /**
   * security_inode_readlink() - Check if reading a symbolic link is allowed
   * @dentry: link
   *
   * Check the permission to read the symbolic link.  No hook runs when the
   * link's backing inode is private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_readlink(struct dentry *dentry)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_readlink, dentry);
  }
  /**
   * security_inode_follow_link() - Check if following a symbolic link is allowed
   * @dentry: link dentry
   * @inode: link inode
   * @rcu: true if in RCU-walk mode
   *
   * Check permission to follow a symbolic link when looking up a pathname.
   * If @rcu is true, @inode is not stable.  No hook runs when @inode is
   * private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
                                 bool rcu)
  {
      int rc = 0;

      if (likely(!IS_PRIVATE(inode)))
          rc = call_int_hook(inode_follow_link, dentry, inode, rcu);

      return rc;
  }
  /**
   * security_inode_permission() - Check if accessing an inode is allowed
   * @inode: inode
   * @mask: access mask
   *
   * Check permission before accessing an inode.  This hook is called by the
   * existing Linux permission function, so a security module can use it to
   * add its own checking on top of the existing Linux permission checks.
   * Notice that this hook is called when a file is opened (as well as for
   * many other operations), whereas the file_security_ops permission hook is
   * called when the actual read/write operations are performed.  No hook
   * runs when @inode is private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_permission(struct inode *inode, int mask)
  {
      int rc = 0;

      if (likely(!IS_PRIVATE(inode)))
          rc = call_int_hook(inode_permission, inode, mask);

      return rc;
  }
  /**
   * security_inode_setattr() - Check if setting file attributes is allowed
   * @idmap: idmap of the mount
   * @dentry: file
   * @attr: new attributes
   *
   * Check permission before setting file attributes.  Note that the kernel
   * call to notify_change is performed from several locations, whenever file
   * attributes change (such as when a file is truncated, chown/chmod
   * operations, transferring disk quotas, etc).  No hook runs when the
   * file's backing inode is private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_setattr(struct mnt_idmap *idmap,
                             struct dentry *dentry, struct iattr *attr)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_setattr, idmap, dentry, attr);
  }
  EXPORT_SYMBOL_GPL(security_inode_setattr);
  /**
   * security_inode_post_setattr() - Update the inode after a setattr operation
   * @idmap: idmap of the mount
   * @dentry: file
   * @ia_valid: file attributes set
   *
   * Update the inode security field after file attributes were set
   * successfully.  Nothing is done when the file's backing inode is private.
   */
  void security_inode_post_setattr(struct mnt_idmap *idmap, struct dentry *dentry,
                                   int ia_valid)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return;

      call_void_hook(inode_post_setattr, idmap, dentry, ia_valid);
  }
  /**
   * security_inode_getattr() - Check if getting file attributes is allowed
   * @path: file
   *
   * Check permission before obtaining file attributes.  No hook runs when
   * the backing inode of @path is private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_getattr(const struct path *path)
  {
      struct inode *inode = d_backing_inode(path->dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_getattr, path);
  }
  /**
   * security_inode_setxattr() - Check if setting file xattrs is allowed
   * @idmap: idmap of the mount
   * @dentry: file
   * @name: xattr name
   * @value: xattr value
   * @size: size of xattr value
   * @flags: flags
   *
   * This hook performs the desired permission checks before setting the
   * extended attributes (xattrs) on @dentry.  Before the main LSM
   * implementations are called, some additional logic decides whether a
   * capability check has to be performed at the LSM layer.
   *
   * Normally the capability check is enforced before any LSM hook
   * implementation runs.  An LSM that wants to avoid it can register an
   * 'inode_xattr_skipcap' hook and return 1 for the xattrs concerned; that
   * LSM is then fully responsible for enforcing the access control for the
   * specific xattr.  The capability check is still performed when no
   * 'inode_xattr_skipcap' hook is registered, or when the hooks return 0
   * (the default return value).
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_setxattr(struct mnt_idmap *idmap,
                              struct dentry *dentry, const char *name,
                              const void *value, size_t size, int flags)
  {
      struct inode *inode = d_backing_inode(dentry);
      int skipcap;
      int rc;

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      /* enforce the capability checks at the lsm layer, if needed */
      skipcap = call_int_hook(inode_xattr_skipcap, name);
      if (!skipcap) {
          rc = cap_inode_setxattr(dentry, name, value, size, flags);
          if (rc)
              return rc;
      }

      return call_int_hook(inode_setxattr, idmap, dentry, name, value, size,
                           flags);
  }
  /**
   * security_inode_set_acl() - Check if setting posix acls is allowed
   * @idmap: idmap of the mount
   * @dentry: file
   * @acl_name: acl name
   * @kacl: acl struct
   *
   * Check permission before setting posix acls; the posix acls in @kacl are
   * identified by @acl_name.  No hook runs when the file's backing inode is
   * private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_set_acl(struct mnt_idmap *idmap,
                             struct dentry *dentry, const char *acl_name,
                             struct posix_acl *kacl)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_set_acl, idmap, dentry, acl_name, kacl);
  }
  /**
   * security_inode_post_set_acl() - Update inode security from posix acls set
   * @dentry: file
   * @acl_name: acl name
   * @kacl: acl struct
   *
   * Update inode security data after posix acls were set successfully on
   * @dentry.  The posix acls in @kacl are identified by @acl_name.  Nothing
   * is done when the file's backing inode is private.
   */
  void security_inode_post_set_acl(struct dentry *dentry, const char *acl_name,
                                   struct posix_acl *kacl)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return;

      call_void_hook(inode_post_set_acl, dentry, acl_name, kacl);
  }
  /**
   * security_inode_get_acl() - Check if reading posix acls is allowed
   * @idmap: idmap of the mount
   * @dentry: file
   * @acl_name: acl name
   *
   * Check permission before getting posix acls; the posix acls are
   * identified by @acl_name.  No hook runs when the file's backing inode is
   * private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_get_acl(struct mnt_idmap *idmap,
                             struct dentry *dentry, const char *acl_name)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_get_acl, idmap, dentry, acl_name);
  }
  /**
   * security_inode_remove_acl() - Check if removing a posix acl is allowed
   * @idmap: idmap of the mount
   * @dentry: file
   * @acl_name: acl name
   *
   * Check permission before removing posix acls; the posix acls are
   * identified by @acl_name.  No hook runs when the file's backing inode is
   * private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_remove_acl(struct mnt_idmap *idmap,
                                struct dentry *dentry, const char *acl_name)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_remove_acl, idmap, dentry, acl_name);
  }
  /**
   * security_inode_post_remove_acl() - Update inode security after rm posix acls
   * @idmap: idmap of the mount
   * @dentry: file
   * @acl_name: acl name
   *
   * Update inode security data after posix acls were removed successfully
   * from @dentry in @idmap.  The posix acls are identified by @acl_name.
   * Nothing is done when the file's backing inode is private.
   */
  void security_inode_post_remove_acl(struct mnt_idmap *idmap,
                                      struct dentry *dentry, const char *acl_name)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return;

      call_void_hook(inode_post_remove_acl, idmap, dentry, acl_name);
  }
  /**
   * security_inode_post_setxattr() - Update the inode after a setxattr operation
   * @dentry: file
   * @name: xattr name
   * @value: xattr value
   * @size: xattr value size
   * @flags: flags
   *
   * Update the inode security field after a successful setxattr operation.
   * Nothing is done when the file's backing inode is private.
   */
  void security_inode_post_setxattr(struct dentry *dentry, const char *name,
                                    const void *value, size_t size, int flags)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return;

      call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
  }
  /**
   * security_inode_getxattr() - Check if xattr access is allowed
   * @dentry: file
   * @name: xattr name
   *
   * Check permission before obtaining the extended attributes identified by
   * @name for @dentry.  No hook runs when the file's backing inode is
   * private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_getxattr(struct dentry *dentry, const char *name)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_getxattr, dentry, name);
  }
  /**
   * security_inode_listxattr() - Check if listing xattrs is allowed
   * @dentry: file
   *
   * Check permission before obtaining the list of extended attribute names
   * for @dentry.  No hook runs when the file's backing inode is private.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_listxattr(struct dentry *dentry)
  {
      struct inode *inode = d_backing_inode(dentry);

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      return call_int_hook(inode_listxattr, dentry);
  }
  /**
   * security_inode_removexattr() - Check if removing an xattr is allowed
   * @idmap: idmap of the mount
   * @dentry: file
   * @name: xattr name
   *
   * This hook performs the desired permission checks before removing the
   * extended attribute (xattr) @name from @dentry.  Before the main LSM
   * implementations are called, some additional logic decides whether a
   * capability check has to be performed at the LSM layer.
   *
   * Normally the capability check is enforced before any LSM hook
   * implementation runs.  An LSM that wants to avoid it can register an
   * 'inode_xattr_skipcap' hook and return 1 for the xattrs concerned; that
   * LSM is then fully responsible for enforcing the access control for the
   * specific xattr.  The capability check is still performed when no
   * 'inode_xattr_skipcap' hook is registered, or when the hooks return 0
   * (the default return value).
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inode_removexattr(struct mnt_idmap *idmap,
                                 struct dentry *dentry, const char *name)
  {
      struct inode *inode = d_backing_inode(dentry);
      int skipcap;
      int rc;

      if (unlikely(IS_PRIVATE(inode)))
          return 0;

      /* enforce the capability checks at the lsm layer, if needed */
      skipcap = call_int_hook(inode_xattr_skipcap, name);
      if (!skipcap) {
          rc = cap_inode_removexattr(idmap, dentry, name);
          if (rc)
              return rc;
      }

      return call_int_hook(inode_removexattr, idmap, dentry, name);
  }
/**
 * security_inode_post_removexattr() - Update the inode after a removexattr op
 * @dentry: file
 * @name: xattr name
 *
 * Notify the LSMs that the removexattr operation on @dentry succeeded so
 * they can update the inode.  Nothing is done when IS_PRIVATE() is true for
 * the backing inode.
 */
void security_inode_post_removexattr(struct dentry *dentry, const char *name)
{
	struct inode *inode = d_backing_inode(dentry);

	if (unlikely(IS_PRIVATE(inode)))
		return;

	call_void_hook(inode_post_removexattr, dentry, name);
}
/**
 * security_inode_file_setattr() - check if setting fsxattr is allowed
 * @dentry: file to set filesystem extended attributes on
 * @fa: extended attributes to set on the inode
 *
 * Called when the file_setattr() syscall or the FS_IOC_FSSETXATTR ioctl() is
 * invoked on the inode.  Unlike the xattr hooks in this file, no IS_PRIVATE()
 * test is made here before the hooks run.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_inode_file_setattr(struct dentry *dentry, struct file_kattr *fa)
{
	return call_int_hook(inode_file_setattr, dentry, fa);
}
/**
 * security_inode_file_getattr() - check if retrieving fsxattr is allowed
 * @dentry: file to retrieve filesystem extended attributes from
 * @fa: extended attributes to get
 *
 * Called when the file_getattr() syscall or the FS_IOC_FSGETXATTR ioctl() is
 * invoked on the inode.  Unlike the xattr hooks in this file, no IS_PRIVATE()
 * test is made here before the hooks run.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_inode_file_getattr(struct dentry *dentry, struct file_kattr *fa)
{
	return call_int_hook(inode_file_getattr, dentry, fa);
}
/**
 * security_inode_need_killpriv() - Check if security_inode_killpriv() required
 * @dentry: associated dentry
 *
 * Called after an inode has been changed, to decide whether
 * security_inode_killpriv() has to be called for it.
 *
 * Return: <0 on error, which aborts the inode change operation; 0 if
 *         security_inode_killpriv() does not need to be called; >0 if it
 *         does need to be called.
 */
int security_inode_need_killpriv(struct dentry *dentry)
{
	return call_int_hook(inode_need_killpriv, dentry);
}
/**
 * security_inode_killpriv() - The setuid bit is removed, update LSM state
 * @idmap: idmap of the mount
 * @dentry: associated dentry
 *
 * The setuid bit of @dentry is being removed; LSMs remove similar security
 * labels.  Called with the dentry->d_inode->i_mutex held.
 *
 * Return: Return 0 on success.  If an error is returned, the operation that
 *         caused the setuid bit removal fails.
 */
int security_inode_killpriv(struct mnt_idmap *idmap,
			    struct dentry *dentry)
{
	return call_int_hook(inode_killpriv, idmap, dentry);
}
/**
 * security_inode_getsecurity() - Get the xattr security label of an inode
 * @idmap: idmap of the mount
 * @inode: inode
 * @name: xattr name
 * @buffer: security label buffer
 * @alloc: allocation flag
 *
 * Hand back, via @buffer, a copy of the extended attribute representation of
 * the security label that @name selects for @inode.  @name is what remains
 * of the attribute name once the security prefix has been removed.  @alloc
 * selects between returning the value through the buffer and returning only
 * the value length.
 *
 * When IS_PRIVATE() is true for @inode the hooks are not called and the
 * hook's default return value is returned.
 *
 * Return: Returns size of buffer on success.
 */
int security_inode_getsecurity(struct mnt_idmap *idmap,
			       struct inode *inode, const char *name,
			       void **buffer, bool alloc)
{
	if (unlikely(IS_PRIVATE(inode)))
		return LSM_RET_DEFAULT(inode_getsecurity);

	return call_int_hook(inode_getsecurity, idmap, inode, name,
			     buffer, alloc);
}
/**
 * security_inode_setsecurity() - Set the xattr security label of an inode
 * @inode: inode
 * @name: xattr name
 * @value: security label
 * @size: length of security label
 * @flags: flags
 *
 * Set the security label that @name selects for @inode from the extended
 * attribute value @value, which is @size bytes long.  @flags may be
 * XATTR_CREATE, XATTR_REPLACE, or 0.  @name is what remains of the attribute
 * name once the "security." prefix has been removed.
 *
 * When IS_PRIVATE() is true for @inode the hooks are not called and the
 * hook's default return value is returned.
 *
 * Return: Returns 0 on success.
 */
int security_inode_setsecurity(struct inode *inode, const char *name,
			       const void *value, size_t size, int flags)
{
	if (unlikely(IS_PRIVATE(inode)))
		return LSM_RET_DEFAULT(inode_setsecurity);

	return call_int_hook(inode_setsecurity, inode, name, value,
			     size, flags);
}
/**
 * security_inode_listsecurity() - List the xattr security label names
 * @inode: inode
 * @buffer: buffer
 * @buffer_size: size of buffer
 *
 * Copy the extended attribute names of the security labels associated with
 * @inode into @buffer, which holds at most @buffer_size bytes.  Passing a
 * NULL @buffer asks only for the size of the buffer that would be required.
 *
 * When IS_PRIVATE() is true for @inode the hooks are not called and 0 is
 * returned.
 *
 * Return: Returns number of bytes used/required on success.
 */
int security_inode_listsecurity(struct inode *inode,
				char *buffer, size_t buffer_size)
{
	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	return call_int_hook(inode_listsecurity, inode, buffer, buffer_size);
}
EXPORT_SYMBOL(security_inode_listsecurity);
/**
 * security_inode_getlsmprop() - Get an inode's LSM data
 * @inode: inode
 * @prop: lsm specific information to return
 *
 * Ask the LSMs to fill @prop with the lsm specific information associated
 * with @inode.  @prop is passed to the hooks as given; this function does
 * not initialise it first.
 */
void security_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)
{
	call_void_hook(inode_getlsmprop, inode, prop);
}
/**
 * security_inode_copy_up() - Create new creds for an overlayfs copy-up op
 * @src: union dentry of copy-up file
 * @new: newly created creds
 *
 * Called when a file is about to be copied up from the lower layer to the
 * upper layer of an overlay filesystem.  A security module can prepare a new
 * set of creds, modify it as needed and return it through @new.  The caller
 * switches to the new creds temporarily to create the new file and then
 * releases the newly allocated creds.
 *
 * Return: Returns 0 on success or a negative error code on error.
 */
int security_inode_copy_up(struct dentry *src, struct cred **new)
{
	return call_int_hook(inode_copy_up, src, new);
}
EXPORT_SYMBOL(security_inode_copy_up);
/**
 * security_inode_copy_up_xattr() - Filter xattrs in an overlayfs copy-up op
 * @src: union dentry of copy-up file
 * @name: xattr name
 *
 * Filter the xattrs that are copied when a unioned file is copied up from a
 * lower layer to the union/overlay layer.  This hook only filters; reading
 * and writing the xattrs is the caller's job.
 *
 * Return: Returns 0 to accept the xattr, -ECANCELED to discard the xattr,
 *         -EOPNOTSUPP if the security module does not know about attribute,
 *         or a negative error code to abort the copy up.
 */
int security_inode_copy_up_xattr(struct dentry *src, const char *name)
{
	int rc = call_int_hook(inode_copy_up_xattr, src, name);

	/* Either branch hands back the hook result; the default is spelled out. */
	if (rc == LSM_RET_DEFAULT(inode_copy_up_xattr))
		return LSM_RET_DEFAULT(inode_copy_up_xattr);

	return rc;
}
EXPORT_SYMBOL(security_inode_copy_up_xattr);
/**
 * security_inode_setintegrity() - Set the inode's integrity data
 * @inode: inode
 * @type: type of integrity, e.g. hash digest, signature, etc
 * @value: the integrity value
 * @size: size of the integrity value
 *
 * Register a verified integrity measurement of an inode with the LSMs.
 * A NULL @value tells the LSMs to free the data they saved previously.
 *
 * Return: Returns 0 on success, negative values on failure.
 */
int security_inode_setintegrity(const struct inode *inode,
				enum lsm_integrity_type type,
				const void *value, size_t size)
{
	return call_int_hook(inode_setintegrity, inode, type, value, size);
}
EXPORT_SYMBOL(security_inode_setintegrity);
/**
 * security_kernfs_init_security() - Init LSM context for a kernfs node
 * @kn_dir: parent kernfs node
 * @kn: the kernfs node to initialize
 *
 * Set up the security context of a newly created kernfs node from its own
 * attributes and those of its parent.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_kernfs_init_security(struct kernfs_node *kn_dir,
				  struct kernfs_node *kn)
{
	return call_int_hook(kernfs_init_security, kn_dir, kn);
}
/**
 * security_file_permission() - Check file permissions
 * @file: file
 * @mask: requested permissions
 *
 * Permission check made before an open file is accessed.  Various operations
 * that read or write files call this hook, so a security module can use it
 * for additional checking on those operations, e.g. to revalidate permissions
 * on use in order to support privilege bracketing or policy changes.
 *
 * This hook runs when the actual read/write operations are performed; the
 * inode_security_ops hook runs when a file is opened (and for many other
 * operations).
 *
 * Limitation: revalidation through this hook covers system call operations
 * that read or write files, but not memory-mapped files.  A security module
 * that needs revalidation for mappings must handle that separately.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_permission(struct file *file, int mask)
{
	return call_int_hook(file_permission, file, mask);
}
/**
 * security_file_alloc() - Allocate and init a file's LSM blob
 * @file: the file
 *
 * Allocate the security structure for @file with lsm_file_alloc() and attach
 * it to file->f_security, then call the file_alloc_security hooks.  The
 * security field is initialized to NULL when the structure is first created.
 * If a hook fails, security_file_free() undoes the allocation before the
 * error is returned.
 *
 * Return: Return 0 if the hook is successful and permission is granted.
 */
int security_file_alloc(struct file *file)
{
	int rc;

	rc = lsm_file_alloc(file);
	if (!rc) {
		rc = call_int_hook(file_alloc_security, file);
		/* do not leave a half-initialised blob behind */
		if (unlikely(rc))
			security_file_free(file);
	}

	return rc;
}
/**
 * security_file_release() - Perform actions before releasing the file ref
 * @file: the file
 *
 * Give the LSMs a chance to act before the last reference to @file is
 * released.
 */
void security_file_release(struct file *file)
{
	call_void_hook(file_release, file);
}
/**
 * security_file_free() - Free a file's LSM blob
 * @file: the file
 *
 * Call the file_free_security hooks, then deallocate the security structure
 * stored in file->f_security.  The field is set to NULL before the blob goes
 * back to lsm_file_cache, so @file does not keep a pointer to freed memory.
 * A NULL file->f_security is accepted; only the hooks run in that case.
 */
void security_file_free(struct file *file)
{
	void *blob;

	call_void_hook(file_free_security, file);

	/* read the pointer only after the hooks have run */
	blob = file->f_security;
	if (!blob)
		return;

	file->f_security = NULL;
	kmem_cache_free(lsm_file_cache, blob);
}
/**
 * security_file_ioctl() - Check if an ioctl is allowed
 * @file: associated file
 * @cmd: ioctl cmd
 * @arg: ioctl arguments
 *
 * Permission check for an ioctl operation on @file.  @arg is sometimes a
 * user space pointer and sometimes a simple integer value.  When it is a
 * user space pointer, the security module should never use it.
 * NOTE(review): presumably because user memory can change between this check
 * and the ioctl handler reading it - confirm before relying on @arg contents.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
	return call_int_hook(file_ioctl, file, cmd, arg);
}
EXPORT_SYMBOL_GPL(security_file_ioctl);
/**
 * security_file_ioctl_compat() - Check if an ioctl is allowed in compat mode
 * @file: associated file
 * @cmd: ioctl cmd
 * @arg: ioctl arguments
 *
 * Compat counterpart of security_file_ioctl(), for 32-bit processes running
 * on 64-bit kernels.  It calls the separate file_ioctl_compat hooks.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_ioctl_compat(struct file *file, unsigned int cmd,
			       unsigned long arg)
{
	return call_int_hook(file_ioctl_compat, file, cmd, arg);
}
EXPORT_SYMBOL_GPL(security_file_ioctl_compat);
/*
 * Work out the protection bits for a mapping when the READ_IMPLIES_EXEC
 * personality may turn a PROT_READ request into PROT_READ | PROT_EXEC.
 *
 * @prot is returned unchanged unless it has PROT_READ without PROT_EXEC and
 * the current task has READ_IMPLIES_EXEC set.  In that case PROT_EXEC is
 * added for anonymous mappings (@file == NULL) and for files that are not on
 * a noexec mount; files on a noexec mount never gain PROT_EXEC here.
 */
static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
{
	const unsigned long rx_mask = PROT_READ | PROT_EXEC;

	/* Only a request with PROT_READ and without PROT_EXEC is of interest. */
	if ((prot & rx_mask) != PROT_READ)
		return prot;

	/* ... and only if the application expects read to imply exec. */
	if (!(current->personality & READ_IMPLIES_EXEC))
		return prot;

	/* Anonymous mapping: grant the implied PROT_EXEC. */
	if (!file)
		return prot | PROT_EXEC;

	/* anything on noexec mount won't get PROT_EXEC */
	if (path_noexec(&file->f_path))
		return prot;

#ifndef CONFIG_MMU
	/* On !MMU the file also needs NOMMU_MAP_EXEC (== VM_MAYEXEC). */
	if (file->f_op->mmap_capabilities) {
		unsigned int caps = file->f_op->mmap_capabilities(file);

		if (!(caps & NOMMU_MAP_EXEC))
			return prot;
	}
#endif
	return prot | PROT_EXEC;
}
/**
 * security_mmap_file() - Check if mmap'ing a file is allowed
 * @file: file
 * @prot: protection applied by the kernel
 * @flags: flags
 *
 * Permission check for a mmap operation.  @file may be NULL, e.g. when
 * anonymous memory is mapped.
 *
 * The hooks receive two protection values: @prot exactly as passed in, and
 * the result of mmap_prot(), which may add PROT_EXEC for tasks with the
 * READ_IMPLIES_EXEC personality.
 * NOTE(review): the @prot description above reads as if @prot were the
 * adjusted value; confirm against the callers which of the two it describes.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_mmap_file(struct file *file, unsigned long prot,
		       unsigned long flags)
{
	return call_int_hook(mmap_file, file, prot,
			     mmap_prot(file, prot), flags);
}
/**
 * security_mmap_addr() - Check if mmap'ing an address is allowed
 * @addr: address
 *
 * Permission check for a mmap operation that targets @addr.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_mmap_addr(unsigned long addr)
{
	return call_int_hook(mmap_addr, addr);
}
/**
 * security_file_mprotect() - Check if changing memory protections is allowed
 * @vma: memory region
 * @reqprot: application requested protection
 * @prot: protection applied by the kernel
 *
 * Permission check made before the memory access permissions of @vma are
 * changed.  Both the requested and the applied protection are passed to the
 * hooks.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
			   unsigned long prot)
{
	return call_int_hook(file_mprotect, vma, reqprot, prot);
}
/**
 * security_file_lock() - Check if a file lock is allowed
 * @file: file
 * @cmd: lock operation (e.g. F_RDLCK, F_WRLCK)
 *
 * Permission check made before a file locking operation is performed.  The
 * hook mediates both flock and fcntl style locks.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_lock(struct file *file, unsigned int cmd)
{
	return call_int_hook(file_lock, file, cmd);
}
/**
 * security_file_fcntl() - Check if fcntl() op is allowed
 * @file: file
 * @cmd: fcntl command
 * @arg: command argument
 *
 * Permission check made before the file operation selected by @cmd is
 * performed on @file.  @arg is sometimes a user space pointer and sometimes
 * a simple integer value.  When it is a user space pointer, the security
 * module should never use it.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
{
	return call_int_hook(file_fcntl, file, cmd, arg);
}
/**
 * security_file_set_fowner() - Set the file owner info in the LSM blob
 * @file: the file
 *
 * Save owner security information (typically from current->security) in
 * file->f_security, where the send_sigiotask hook uses it later.
 *
 * This hook is called with file->f_owner.lock held.
 *
 * This function returns nothing; the hooks cannot report a failure here.
 */
void security_file_set_fowner(struct file *file)
{
	call_void_hook(file_set_fowner, file);
}
/**
 * security_file_send_sigiotask() - Check if sending SIGIO/SIGURG is allowed
 * @tsk: target task
 * @fown: signal sender
 * @sig: signal to be sent, SIGIO is sent if 0
 *
 * Permission check for the file owner @fown sending SIGIO or SIGURG to the
 * process @tsk.  This hook is sometimes called from interrupt.
 *
 * The fown_struct @fown never exists outside the context of a struct file,
 * so the file structure and its security information can always be reached
 * with container_of(fown, struct file, f_owner).
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_send_sigiotask(struct task_struct *tsk,
				 struct fown_struct *fown, int sig)
{
	return call_int_hook(file_send_sigiotask, tsk, fown, sig);
}
/**
 * security_file_receive() - Check if receiving a file via IPC is allowed
 * @file: file being received
 *
 * Lets security modules control whether a process may receive an open file
 * descriptor via socket IPC.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_receive(struct file *file)
{
	return call_int_hook(file_receive, file);
}
/**
 * security_file_open() - Save open() time state for late use by the LSM
 * @file: the file being opened
 *
 * Save open-time permission checking state for later use in file_permission,
 * and recheck access if anything has changed since inode_permission.
 *
 * Whether a file is opened for execution (e.g. by an execve(2) call), either
 * directly or indirectly (e.g. ELF's ld.so), can be determined by testing
 * file->f_flags & __FMODE_EXEC.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_open(struct file *file)
{
	return call_int_hook(file_open, file);
}
/**
 * security_file_post_open() - Evaluate a file after it has been opened
 * @file: the file
 * @mask: access mask
 *
 * Evaluate an opened file together with the access mask requested with
 * open().  The hook serves LSMs that need the file content to be available
 * before they can make a decision.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_post_open(struct file *file, int mask)
{
	return call_int_hook(file_post_open, file, mask);
}
EXPORT_SYMBOL_GPL(security_file_post_open);
/**
 * security_file_truncate() - Check if truncating a file is allowed
 * @file: file
 *
 * Permission check made before a file is truncated, i.e. with ftruncate.
 * Truncation permission may also be checked based on the path, through the
 * path_truncate hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_file_truncate(struct file *file)
{
	return call_int_hook(file_truncate, file);
}
/**
 * security_task_alloc() - Allocate a task's LSM blob
 * @task: the task
 * @clone_flags: flags indicating what is being shared
 *
 * Handle allocation of task-related resources: lsm_task_alloc() runs first,
 * then the task_alloc hooks.  If a hook fails, security_task_free() releases
 * what was allocated before the error is returned.
 *
 * Return: Returns a zero on success, negative values on failure.
 */
int security_task_alloc(struct task_struct *task, u64 clone_flags)
{
	int rc;

	rc = lsm_task_alloc(task);
	if (!rc) {
		rc = call_int_hook(task_alloc, task, clone_flags);
		/* roll the allocation back if any LSM refused */
		if (unlikely(rc))
			security_task_free(task);
	}

	return rc;
}
/**
 * security_task_free() - Free a task's LSM blob and related resources
 * @task: task
 *
 * Handle release of task-related resources: the task_free hooks run first,
 * then task->security is freed and set to NULL so the task does not keep a
 * pointer to freed memory.  This can be called from interrupt context.
 */
void security_task_free(struct task_struct *task)
{
	call_void_hook(task_free, task);

	/* the hooks are done with the blob; release it and clear the pointer */
	kfree(task->security);
	task->security = NULL;
}
/**
 * security_cred_alloc_blank() - Allocate the min memory to allow cred_transfer
 * @cred: credentials
 * @gfp: gfp flags
 *
 * Allocate only as much memory as is needed, and attach it to @cred, so that
 * cred_transfer() will not get ENOMEM.  lsm_cred_alloc() runs first, then
 * the cred_alloc_blank hooks; if a hook fails, security_cred_free() releases
 * the allocation before the error is returned.
 *
 * Return: Returns 0 on success, negative values on failure.
 */
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
	int rc;

	rc = lsm_cred_alloc(cred, gfp);
	if (!rc) {
		rc = call_int_hook(cred_alloc_blank, cred, gfp);
		if (unlikely(rc))
			security_cred_free(cred);
	}

	return rc;
}
/**
 * security_cred_free() - Free the cred's LSM blob and associated resources
 * @cred: credentials
 *
 * Call the cred_free hooks, then deallocate and clear the cred->security
 * field of a set of credentials.  Nothing is done, and no hook is called,
 * when cred->security is already NULL.
 */
void security_cred_free(struct cred *cred)
{
	/*
	 * A failure case in prepare_creds() may lead to a call here
	 * while ->security is still NULL.
	 */
	if (unlikely(!cred->security))
		return;

	call_void_hook(cred_free, cred);

	kfree(cred->security);
	cred->security = NULL;
}
/**
 * security_prepare_creds() - Prepare a new set of credentials
 * @new: new credentials
 * @old: original credentials
 * @gfp: gfp flags
 *
 * Prepare a new set of credentials by copying the data from the old set.
 * lsm_cred_alloc() allocates the blob for @new, then the cred_prepare hooks
 * run; if a hook fails, security_cred_free() releases the blob before the
 * error is returned.
 *
 * Return: Returns 0 on success, negative values on failure.
 */
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
{
	int rc;

	rc = lsm_cred_alloc(new, gfp);
	if (!rc) {
		rc = call_int_hook(cred_prepare, new, old, gfp);
		if (unlikely(rc))
			security_cred_free(new);
	}

	return rc;
}
/**
 * security_transfer_creds() - Transfer creds
 * @new: target credentials
 * @old: original credentials
 *
 * Have the LSMs transfer their data from the original creds @old to the
 * target creds @new.
 */
void security_transfer_creds(struct cred *new, const struct cred *old)
{
	call_void_hook(cred_transfer, new, old);
}
/**
 * security_cred_getsecid() - Get the secid from a set of credentials
 * @c: credentials
 * @secid: secid value
 *
 * Retrieve the security identifier of the cred structure @c.  @secid is set
 * to zero before the hooks run, so it reads as zero in case of failure.
 */
void security_cred_getsecid(const struct cred *c, u32 *secid)
{
	/* defined result even if no hook writes to @secid */
	*secid = 0;

	call_void_hook(cred_getsecid, c, secid);
}
EXPORT_SYMBOL(security_cred_getsecid);
/**
 * security_cred_getlsmprop() - Get the LSM data from a set of credentials
 * @c: credentials
 * @prop: destination for the LSM data
 *
 * Retrieve the security data of the cred structure @c.  @prop is passed
 * through lsmprop_init() before the hooks run, so it is cleared in case of
 * failure.
 */
void security_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)
{
	/* defined result even if no hook writes to @prop */
	lsmprop_init(prop);

	call_void_hook(cred_getlsmprop, c, prop);
}
EXPORT_SYMBOL(security_cred_getlsmprop);
/**
 * security_kernel_act_as() - Set the kernel credentials to act as secid
 * @new: credentials
 * @secid: secid
 *
 * Set the credentials that a kernel service acts as (subjective context).
 * The current task must be the one that nominated @secid.
 *
 * Return: Returns 0 if successful.
 */
int security_kernel_act_as(struct cred *new, u32 secid)
{
	return call_int_hook(kernel_act_as, new, secid);
}
/**
 * security_kernel_create_files_as() - Set file creation context using an inode
 * @new: target credentials
 * @inode: reference inode
 *
 * Make the file creation context in the credentials @new the same as the
 * objective context of @inode.  The current task must be the one that
 * nominated @inode.
 *
 * Return: Returns 0 if successful.
 */
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
{
	return call_int_hook(kernel_create_files_as, new, inode);
}
/**
 * security_kernel_module_request() - Check if loading a module is allowed
 * @kmod_name: module name
 *
 * Check the ability to make the kernel upcall to userspace automatically so
 * that userspace loads the kernel module named @kmod_name.
 *
 * Return: Returns 0 if successful.
 */
int security_kernel_module_request(char *kmod_name)
{
	return call_int_hook(kernel_module_request, kmod_name);
}
/**
 * security_kernel_read_file() - Read a file specified by userspace
 * @file: file
 * @id: file identifier
 * @contents: true if security_kernel_post_read_file() will be called
 *
 * Permission check for the kernel reading a file that userspace specified.
 * @contents announces whether the paired security_kernel_post_read_file()
 * call will follow.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,
			      bool contents)
{
	return call_int_hook(kernel_read_file, file, id, contents);
}
EXPORT_SYMBOL_GPL(security_kernel_read_file);
/**
 * security_kernel_post_read_file() - Read a file specified by userspace
 * @file: file
 * @buf: file contents
 * @size: size of file contents
 * @id: file identifier
 *
 * Second half of the check for a file specified by userspace, made with the
 * file contents in @buf.  It must be paired with an earlier
 * security_kernel_read_file() call that indicated this hook would also be
 * called; see security_kernel_read_file() for more information.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
				   enum kernel_read_file_id id)
{
	return call_int_hook(kernel_post_read_file, file, buf, size, id);
}
EXPORT_SYMBOL_GPL(security_kernel_post_read_file);
/**
 * security_kernel_load_data() - Load data provided by userspace
 * @id: data identifier
 * @contents: true if security_kernel_post_load_data() will be called
 *
 * Permission check for the kernel loading data that userspace provided.
 * @contents announces whether the paired security_kernel_post_load_data()
 * call will follow.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_kernel_load_data(enum kernel_load_data_id id, bool contents)
{
	return call_int_hook(kernel_load_data, id, contents);
}
EXPORT_SYMBOL_GPL(security_kernel_load_data);
/**
 * security_kernel_post_load_data() - Load userspace data from a non-file source
 * @buf: data
 * @size: size of data
 * @id: data identifier
 * @description: text description of data, specific to the id value
 *
 * Check data that comes from a non-file source (usually a userspace buffer),
 * with the data itself available in @buf.  It must be paired with an earlier
 * security_kernel_load_data() call that indicated this hook would also be
 * called; see security_kernel_load_data() for more information.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_kernel_post_load_data(char *buf, loff_t size,
				   enum kernel_load_data_id id,
				   char *description)
{
	return call_int_hook(kernel_post_load_data, buf, size, id,
			     description);
}
EXPORT_SYMBOL_GPL(security_kernel_post_load_data);
/**
 * security_task_fix_setuid() - Update LSM with new user id attributes
 * @new: updated credentials
 * @old: credentials being replaced
 * @flags: LSM_SETID_* flag values
 *
 * Update the module's state after one or more of the user identity
 * attributes of the current process have been set.  @flags tells which of
 * the set*uid system calls invoked this hook.  @new is the set of
 * credentials that will be installed; modifications should be made to it
 * rather than to @current->cred.
 *
 * Return: Returns 0 on success.
 */
int security_task_fix_setuid(struct cred *new, const struct cred *old,
			     int flags)
{
	return call_int_hook(task_fix_setuid, new, old, flags);
}
/**
 * security_task_fix_setgid() - Update LSM with new group id attributes
 * @new: updated credentials
 * @old: credentials being replaced
 * @flags: LSM_SETID_* flag value
 *
 * Lets the module update its state after one or more of the group identity
 * attributes of the current process have been set. @flags indicates which of
 * the set*gid system calls invoked this hook. @new is the set of credentials
 * that will be installed; modifications should be made to @new rather than to
 * @current->cred.
 *
 * Return: Returns 0 on success.
 */
int security_task_fix_setgid(struct cred *new, const struct cred *old,
			     int flags)
{
	int rc;

	rc = call_int_hook(task_fix_setgid, new, old, flags);
	return rc;
}
/**
 * security_task_fix_setgroups() - Update LSM with new supplementary groups
 * @new: updated credentials
 * @old: credentials being replaced
 *
 * Lets the module update its state after the supplementary group identity
 * attributes of the current process have been set. @new is the set of
 * credentials that will be installed; modifications should be made to @new
 * rather than to @current->cred.
 *
 * Return: Returns 0 on success.
 */
int security_task_fix_setgroups(struct cred *new, const struct cred *old)
{
	int rc;

	rc = call_int_hook(task_fix_setgroups, new, old);
	return rc;
}
/**
 * security_task_setpgid() - Check if setting the pgid is allowed
 * @p: task being modified
 * @pgid: new pgid
 *
 * Permission check made before the process group identifier of process @p is
 * set to @pgid.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_setpgid(struct task_struct *p, pid_t pgid)
{
	int rc;

	rc = call_int_hook(task_setpgid, p, pgid);
	return rc;
}
/**
 * security_task_getpgid() - Check if getting the pgid is allowed
 * @p: task
 *
 * Permission check made before the process group identifier of process @p is
 * read.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_getpgid(struct task_struct *p)
{
	int rc;

	rc = call_int_hook(task_getpgid, p);
	return rc;
}
/**
 * security_task_getsid() - Check if getting the session id is allowed
 * @p: task
 *
 * Permission check made before the session identifier of process @p is read.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_getsid(struct task_struct *p)
{
	int rc;

	rc = call_int_hook(task_getsid, p);
	return rc;
}
/**
 * security_current_getlsmprop_subj() - Current task's subjective LSM data
 * @prop: lsm specific information
 *
 * Fetch the subjective security identifier of the current task and hand it
 * back through @prop.
 */
void security_current_getlsmprop_subj(struct lsm_prop *prop)
{
	/* Initialise @prop before any hook runs, then let the hooks fill it. */
	lsmprop_init(prop);
	call_void_hook(current_getlsmprop_subj, prop);
}
EXPORT_SYMBOL(security_current_getlsmprop_subj);
/**
 * security_task_getlsmprop_obj() - Get a task's objective LSM data
 * @p: target task
 * @prop: lsm specific information
 *
 * Fetch the objective security identifier of the task_struct in @p and hand
 * it back through @prop.
 */
void security_task_getlsmprop_obj(struct task_struct *p, struct lsm_prop *prop)
{
	/* Initialise @prop before any hook runs, then let the hooks fill it. */
	lsmprop_init(prop);
	call_void_hook(task_getlsmprop_obj, p, prop);
}
EXPORT_SYMBOL(security_task_getlsmprop_obj);
/**
 * security_task_setnice() - Check if setting a task's nice value is allowed
 * @p: target task
 * @nice: nice value
 *
 * Permission check made before the nice value of @p is set to @nice.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_setnice(struct task_struct *p, int nice)
{
	int rc;

	rc = call_int_hook(task_setnice, p, nice);
	return rc;
}
/**
 * security_task_setioprio() - Check if setting a task's ioprio is allowed
 * @p: target task
 * @ioprio: ioprio value
 *
 * Permission check made before the ioprio value of @p is set to @ioprio.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_setioprio(struct task_struct *p, int ioprio)
{
	int rc;

	rc = call_int_hook(task_setioprio, p, ioprio);
	return rc;
}
/**
 * security_task_getioprio() - Check if getting a task's ioprio is allowed
 * @p: task
 *
 * Permission check made before the ioprio value of @p is read.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_getioprio(struct task_struct *p)
{
	int rc;

	rc = call_int_hook(task_getioprio, p);
	return rc;
}
/**
 * security_task_prlimit() - Check if get/setting resources limits is allowed
 * @cred: current task credentials
 * @tcred: target task credentials
 * @flags: LSM_PRLIMIT_* flag bits indicating a get/set/both
 *
 * Permission check made before the resource limits of another task are read
 * and/or changed.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
			  unsigned int flags)
{
	int rc;

	rc = call_int_hook(task_prlimit, cred, tcred, flags);
	return rc;
}
/**
 * security_task_setrlimit() - Check if setting a new rlimit value is allowed
 * @p: target task's group leader
 * @resource: resource whose limit is being set
 * @new_rlim: new resource limit
 *
 * Permission check made before the limit of process @p for @resource is set
 * to @new_rlim. The old resource limit values can be examined by
 * dereferencing (p->signal->rlim + resource).
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_setrlimit(struct task_struct *p, unsigned int resource,
			    struct rlimit *new_rlim)
{
	int rc;

	rc = call_int_hook(task_setrlimit, p, resource, new_rlim);
	return rc;
}
/**
 * security_task_setscheduler() - Check if setting sched policy/param is allowed
 * @p: target task
 *
 * Permission check made before the scheduling policy and/or parameters of
 * process @p are set.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_setscheduler(struct task_struct *p)
{
	int rc;

	rc = call_int_hook(task_setscheduler, p);
	return rc;
}
/**
 * security_task_getscheduler() - Check if getting scheduling info is allowed
 * @p: target task
 *
 * Permission check made before scheduling information for process @p is
 * obtained.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_getscheduler(struct task_struct *p)
{
	int rc;

	rc = call_int_hook(task_getscheduler, p);
	return rc;
}
/**
 * security_task_movememory() - Check if moving memory is allowed
 * @p: task
 *
 * Permission check made before memory owned by process @p is moved.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_movememory(struct task_struct *p)
{
	int rc;

	rc = call_int_hook(task_movememory, p);
	return rc;
}
/**
 * security_task_kill() - Check if sending a signal is allowed
 * @p: target process
 * @info: signal information
 * @sig: signal value
 * @cred: credentials of the signal sender, NULL if @current
 *
 * Permission check made before signal @sig is sent to @p. @info is one of
 * three things: NULL, the constant 1, or a pointer to a kernel_siginfo
 * structure. When @info is 1 or SI_FROMKERNEL(info) is true, the signal should
 * be viewed as coming from the kernel and should typically be permitted.
 * SIGIO signals are handled separately by the send_sigiotask hook in
 * file_security_ops.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,
		       int sig, const struct cred *cred)
{
	int rc;

	rc = call_int_hook(task_kill, p, info, sig, cred);
	return rc;
}
/**
 * security_task_prctl() - Check if a prctl op is allowed
 * @option: operation
 * @arg2: argument
 * @arg3: argument
 * @arg4: argument
 * @arg5: argument
 *
 * Permission check made before a process control operation is performed on
 * the current process.
 *
 * Each task_prctl hook is called in turn. A hook returning the hook's default
 * value is skipped over. A hook returning 0 is recorded but later hooks still
 * run; the first hook returning any other value ends the walk.
 *
 * Return: Return -ENOSYS if no-one wanted to handle this op, any other value
 *         to cause prctl() to return immediately with that value.
 */
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
			unsigned long arg4, unsigned long arg5)
{
	struct lsm_static_call *scall;
	int result = LSM_RET_DEFAULT(task_prctl);

	lsm_for_each_hook(scall, task_prctl) {
		int hook_rc = scall->hl->hook.task_prctl(option, arg2, arg3,
							 arg4, arg5);

		/* This LSM did not handle the option; try the next one. */
		if (hook_rc == LSM_RET_DEFAULT(task_prctl))
			continue;

		result = hook_rc;
		/* A non-zero answer is final; zero lets later hooks run. */
		if (hook_rc != 0)
			break;
	}

	return result;
}
/**
 * security_task_to_inode() - Set the security attributes of a task's inode
 * @p: task
 * @inode: inode
 *
 * Derive the security attributes of @inode from the security attributes of
 * the associated task @p, e.g. for /proc/pid inodes.
 */
void security_task_to_inode(struct task_struct *p, struct inode *inode)
{
	/* No return value: the hooks only update @inode's LSM state. */
	call_void_hook(task_to_inode, p, inode);
}
/**
 * security_create_user_ns() - Check if creating a new userns is allowed
 * @cred: prepared creds
 *
 * Permission check made prior to the creation of a new user namespace.
 *
 * Return: Returns 0 if successful, otherwise < 0 error code.
 */
int security_create_user_ns(const struct cred *cred)
{
	int rc;

	rc = call_int_hook(userns_create, cred);
	return rc;
}
/**
 * security_ipc_permission() - Check if sysv ipc access is allowed
 * @ipcp: ipc permission structure
 * @flag: requested permissions
 *
 * Permission check for access to IPC.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
{
	int rc;

	rc = call_int_hook(ipc_permission, ipcp, flag);
	return rc;
}
/**
 * security_ipc_getlsmprop() - Get the sysv ipc object LSM data
 * @ipcp: ipc permission structure
 * @prop: pointer to lsm information
 *
 * Fetch the lsm information associated with the ipc object into @prop.
 */
void security_ipc_getlsmprop(struct kern_ipc_perm *ipcp, struct lsm_prop *prop)
{
	/* Initialise @prop before any hook runs, then let the hooks fill it. */
	lsmprop_init(prop);
	call_void_hook(ipc_getlsmprop, ipcp, prop);
}
/**
 * security_msg_msg_alloc() - Allocate a sysv ipc message LSM blob
 * @msg: message structure
 *
 * Allocate a security structure and attach it to the msg->security field.
 * That field is initialized to NULL when the structure is first created.
 *
 * Return: Return 0 if operation was successful and permission is granted.
 */
int security_msg_msg_alloc(struct msg_msg *msg)
{
	int err;

	err = lsm_msg_msg_alloc(msg);
	if (unlikely(err))
		return err;

	err = call_int_hook(msg_msg_alloc_security, msg);
	if (unlikely(err)) {
		/* A hook failed: release the blob again before reporting it. */
		security_msg_msg_free(msg);
	}

	return err;
}
/**
 * security_msg_msg_free() - Free a sysv ipc message LSM blob
 * @msg: message structure
 *
 * Release the security structure attached to this message.
 */
void security_msg_msg_free(struct msg_msg *msg)
{
	/* Hooks run first, while msg->security is still attached. */
	call_void_hook(msg_msg_free_security, msg);

	kfree(msg->security);
	/* Clear the field so no freed pointer stays reachable through @msg. */
	msg->security = NULL;
}
/**
 * security_msg_queue_alloc() - Allocate a sysv ipc msg queue LSM blob
 * @msq: sysv ipc permission structure
 *
 * Allocate a security structure and attach it to @msq. The security field is
 * initialized to NULL when the structure is first created.
 *
 * Return: Returns 0 if operation was successful and permission is granted.
 */
int security_msg_queue_alloc(struct kern_ipc_perm *msq)
{
	int err;

	err = lsm_ipc_alloc(msq);
	if (unlikely(err))
		return err;

	err = call_int_hook(msg_queue_alloc_security, msq);
	if (unlikely(err)) {
		/* A hook failed: release the blob again before reporting it. */
		security_msg_queue_free(msq);
	}

	return err;
}
/**
 * security_msg_queue_free() - Free a sysv ipc msg queue LSM blob
 * @msq: sysv ipc permission structure
 *
 * Release the security field @msq->security of the message queue.
 */
void security_msg_queue_free(struct kern_ipc_perm *msq)
{
	/* Hooks run first, while msq->security is still attached. */
	call_void_hook(msg_queue_free_security, msq);

	kfree(msq->security);
	/* Clear the field so no freed pointer stays reachable through @msq. */
	msq->security = NULL;
}
/**
 * security_msg_queue_associate() - Check if a msg queue operation is allowed
 * @msq: sysv ipc permission structure
 * @msqflg: operation flags
 *
 * Permission check made when a message queue is requested through the msgget
 * system call. The hook is only called when the identifier of an existing
 * message queue is being returned, not when a new message queue is created.
 *
 * Return: Return 0 if permission is granted.
 */
int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
{
	int rc;

	rc = call_int_hook(msg_queue_associate, msq, msqflg);
	return rc;
}
/**
 * security_msg_queue_msgctl() - Check if a msg queue operation is allowed
 * @msq: sysv ipc permission structure
 * @cmd: operation
 *
 * Permission check made when the message control operation @cmd is about to
 * be performed on the message queue whose permissions are in @msq.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
{
	int rc;

	rc = call_int_hook(msg_queue_msgctl, msq, cmd);
	return rc;
}
/**
 * security_msg_queue_msgsnd() - Check if sending a sysv ipc message is allowed
 * @msq: sysv ipc permission structure
 * @msg: message
 * @msqflg: operation flags
 *
 * Permission check made before the message @msg is enqueued on the message
 * queue whose permissions are specified in @msq.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,
			      struct msg_msg *msg, int msqflg)
{
	int rc;

	rc = call_int_hook(msg_queue_msgsnd, msq, msg, msqflg);
	return rc;
}
/**
 * security_msg_queue_msgrcv() - Check if receiving a sysv ipc msg is allowed
 * @msq: sysv ipc permission structure
 * @msg: message
 * @target: target task
 * @type: type of message requested
 * @mode: operation flags
 *
 * Permission check made before the message @msg is removed from the message
 * queue. @target points to the process that will receive the message; it is
 * not the current process when inline receives are being performed.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
			      struct task_struct *target, long type, int mode)
{
	int rc;

	rc = call_int_hook(msg_queue_msgrcv, msq, msg, target, type, mode);
	return rc;
}
/**
 * security_shm_alloc() - Allocate a sysv shm LSM blob
 * @shp: sysv ipc permission structure
 *
 * Allocate a security structure and attach it to the @shp security field.
 * That field is initialized to NULL when the structure is first created.
 *
 * Return: Returns 0 if operation was successful and permission is granted.
 */
int security_shm_alloc(struct kern_ipc_perm *shp)
{
	int err;

	err = lsm_ipc_alloc(shp);
	if (unlikely(err))
		return err;

	err = call_int_hook(shm_alloc_security, shp);
	if (unlikely(err)) {
		/* A hook failed: release the blob again before reporting it. */
		security_shm_free(shp);
	}

	return err;
}
/**
 * security_shm_free() - Free a sysv shm LSM blob
 * @shp: sysv ipc permission structure
 *
 * Release the security structure @shp->security of the memory segment.
 */
void security_shm_free(struct kern_ipc_perm *shp)
{
	/* Hooks run first, while shp->security is still attached. */
	call_void_hook(shm_free_security, shp);

	kfree(shp->security);
	/* Clear the field so no freed pointer stays reachable through @shp. */
	shp->security = NULL;
}
/**
 * security_shm_associate() - Check if a sysv shm operation is allowed
 * @shp: sysv ipc permission structure
 * @shmflg: operation flags
 *
 * Permission check made when a shared memory region is requested through the
 * shmget system call. The hook is only called when the identifier of an
 * existing region is being returned, not when a new shared memory region is
 * created.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)
{
	int rc;

	rc = call_int_hook(shm_associate, shp, shmflg);
	return rc;
}
/**
 * security_shm_shmctl() - Check if a sysv shm operation is allowed
 * @shp: sysv ipc permission structure
 * @cmd: operation
 *
 * Permission check made when the shared memory control operation @cmd is
 * about to be performed on the shared memory region with permissions in @shp.
 *
 * Return: Return 0 if permission is granted.
 */
int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
{
	int rc;

	rc = call_int_hook(shm_shmctl, shp, cmd);
	return rc;
}
/**
 * security_shm_shmat() - Check if a sysv shm attach operation is allowed
 * @shp: sysv ipc permission structure
 * @shmaddr: address of memory region to attach
 * @shmflg: operation flags
 *
 * Permission check made before the shmat system call is allowed to attach the
 * shared memory segment with permissions @shp to the data segment of the
 * calling process. @shmaddr gives the attaching address.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_shm_shmat(struct kern_ipc_perm *shp,
		       char __user *shmaddr, int shmflg)
{
	int rc;

	rc = call_int_hook(shm_shmat, shp, shmaddr, shmflg);
	return rc;
}
/**
 * security_sem_alloc() - Allocate a sysv semaphore LSM blob
 * @sma: sysv ipc permission structure
 *
 * Allocate a security structure and attach it to the @sma security field.
 * That field is initialized to NULL when the structure is first created.
 *
 * Return: Returns 0 if operation was successful and permission is granted.
 */
int security_sem_alloc(struct kern_ipc_perm *sma)
{
	int err;

	err = lsm_ipc_alloc(sma);
	if (unlikely(err))
		return err;

	err = call_int_hook(sem_alloc_security, sma);
	if (unlikely(err)) {
		/* A hook failed: release the blob again before reporting it. */
		security_sem_free(sma);
	}

	return err;
}
/**
 * security_sem_free() - Free a sysv semaphore LSM blob
 * @sma: sysv ipc permission structure
 *
 * Release the security structure @sma->security of the semaphore.
 */
void security_sem_free(struct kern_ipc_perm *sma)
{
	/* Hooks run first, while sma->security is still attached. */
	call_void_hook(sem_free_security, sma);

	kfree(sma->security);
	/* Clear the field so no freed pointer stays reachable through @sma. */
	sma->security = NULL;
}
/**
 * security_sem_associate() - Check if a sysv semaphore operation is allowed
 * @sma: sysv ipc permission structure
 * @semflg: operation flags
 *
 * Permission check made when a semaphore is requested through the semget
 * system call. The hook is only called when the identifier of an existing
 * semaphore is being returned, not when a new one must be created.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_sem_associate(struct kern_ipc_perm *sma, int semflg)
{
	int rc;

	rc = call_int_hook(sem_associate, sma, semflg);
	return rc;
}
/**
 * security_sem_semctl() - Check if a sysv semaphore operation is allowed
 * @sma: sysv ipc permission structure
 * @cmd: operation
 *
 * Permission check made when the semaphore operation @cmd is about to be
 * performed on the semaphore.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)
{
	int rc;

	rc = call_int_hook(sem_semctl, sma, cmd);
	return rc;
}
/**
 * security_sem_semop() - Check if a sysv semaphore operation is allowed
 * @sma: sysv ipc permission structure
 * @sops: operations to perform
 * @nsops: number of operations
 * @alter: flag indicating changes will be made
 *
 * Permission check made before operations are performed on members of the
 * semaphore set. A nonzero @alter means the semaphore set may be modified.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
		       unsigned nsops, int alter)
{
	int rc;

	rc = call_int_hook(sem_semop, sma, sops, nsops, alter);
	return rc;
}
/**
 * security_d_instantiate() - Populate an inode's LSM state based on a dentry
 * @dentry: dentry
 * @inode: inode
 *
 * Fill in the security information of @inode for @dentry if allowed.
 */
void security_d_instantiate(struct dentry *dentry, struct inode *inode)
{
	/* The hooks are skipped only for a non-NULL inode that is IS_PRIVATE(). */
	if (likely(!inode || !IS_PRIVATE(inode))) {
		call_void_hook(d_instantiate, dentry, inode);
	}
}
EXPORT_SYMBOL(security_d_instantiate);
/*
 * Please keep this in sync with its counterpart in security/lsm_syscalls.c
 */

/**
 * security_getselfattr - Read an LSM attribute of the current process.
 * @attr: which attribute to return
 * @uctx: the user-space destination for the information, or NULL
 * @size: pointer to the size of space available to receive the data
 * @flags: special handling options. LSM_FLAG_SINGLE indicates that only
 * attributes associated with the LSM identified in the passed @uctx be
 * reported.
 *
 * A NULL value for @uctx can be used to get both the number of attributes
 * and the size of the data.
 *
 * Returns the number of attributes found on success, negative value
 * on error. @size is reset to the total size of the data.
 * If @size is insufficient to contain the data -E2BIG is returned.
 *
 * @size is not written back when a hook fails with an error other than
 * -EOPNOTSUPP or -E2BIG; that error is returned straight away.
 */
int security_getselfattr(unsigned int attr, struct lsm_ctx __user *uctx,
			 u32 __user *size, u32 flags)
{
	struct lsm_static_call *scall;
	struct lsm_ctx lctx = { .id = LSM_ID_UNDEF, };
	u8 __user *base = (u8 __user *)uctx;	/* start of the user buffer, may be NULL */
	u32 entrysize;
	u32 total = 0;				/* bytes reported by the hooks so far */
	u32 left;				/* bytes of user buffer still unused */
	bool toobig = false;
	bool single = false;
	int count = 0;				/* attributes reported so far */
	int rc;

	if (attr == LSM_ATTR_UNDEF)
		return -EINVAL;
	if (size == NULL)
		return -EINVAL;
	/* Read the caller's buffer size from user space once, up front. */
	if (get_user(left, size))
		return -EFAULT;

	if (flags) {
		/*
		 * Only flag supported is LSM_FLAG_SINGLE
		 */
		if (flags != LSM_FLAG_SINGLE || !uctx)
			return -EINVAL;
		/* Copy the header in so the requested LSM id is read from a kernel copy. */
		if (copy_from_user(&lctx, uctx, sizeof(lctx)))
			return -EFAULT;
		/*
		 * If the LSM ID isn't specified it is an error.
		 */
		if (lctx.id == LSM_ID_UNDEF)
			return -EINVAL;
		single = true;
	}

	/*
	 * In the usual case gather all the data from the LSMs.
	 * In the single case only get the data from the LSM specified.
	 */
	lsm_for_each_hook(scall, getselfattr) {
		if (single && lctx.id != scall->hl->lsmid->id)
			continue;
		/* Offer the hook whatever space is left; it reports its size back. */
		entrysize = left;
		/* Each entry is placed after the ones already accounted for. */
		if (base)
			uctx = (struct lsm_ctx __user *)(base + total);
		rc = scall->hl->hook.getselfattr(attr, uctx, &entrysize, flags);
		if (rc == -EOPNOTSUPP)
			continue;
		if (rc == -E2BIG) {
			/*
			 * Remember the overflow but keep walking, so that 'total'
			 * still ends up as the sum of the sizes the hooks report.
			 */
			rc = 0;
			left = 0;
			toobig = true;
		} else if (rc < 0)
			return rc;
		else
			/*
			 * NOTE(review): assumes a successful hook never reports
			 * more than 'left' bytes; nothing here checks that, so
			 * confirm against the hook implementations.
			 */
			left -= entrysize;

		total += entrysize;
		count += rc;
		if (single)
			break;
	}
	/* Report the accumulated size even when the result is -E2BIG. */
	if (put_user(total, size))
		return -EFAULT;
	if (toobig)
		return -E2BIG;
	if (count == 0)
		return LSM_RET_DEFAULT(getselfattr);
	return count;
}
/*
 * Please keep this in sync with its counterpart in security/lsm_syscalls.c
 */

/**
 * security_setselfattr - Set an LSM attribute on the current process.
 * @attr: which attribute to set
 * @uctx: the user-space source for the information
 * @size: the size of the data
 * @flags: reserved for future use, must be 0
 *
 * Set an LSM attribute for the current process. The LSM, attribute
 * and new value are included in @uctx.
 *
 * Returns 0 on success, -EINVAL if the input is inconsistent, -EFAULT
 * if the user buffer is inaccessible, -E2BIG if size is too big, or an
 * LSM specific failure.
 */
int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx,
			 u32 size, u32 flags)
{
	struct lsm_static_call *scall;
	struct lsm_ctx *lctx;
	int rc = LSM_RET_DEFAULT(setselfattr);
	u64 required_len;

	if (flags)
		return -EINVAL;
	/* The buffer must at least hold the fixed struct lsm_ctx header ... */
	if (size < sizeof(*lctx))
		return -EINVAL;
	/* ... and is capped, which bounds the user-sized allocation below. */
	if (size > PAGE_SIZE)
		return -E2BIG;

	/*
	 * Copy the whole blob into kernel memory once. The checks below and
	 * the hook then work on this copy, not on user memory.
	 */
	lctx = memdup_user(uctx, size);
	if (IS_ERR(lctx))
		return PTR_ERR(lctx);

	/*
	 * The lengths inside the blob are caller-supplied: the declared
	 * record length must fit in what was copied, and header plus
	 * ctx_len must neither overflow nor exceed the record length.
	 */
	if (size < lctx->len ||
	    check_add_overflow(sizeof(*lctx), lctx->ctx_len, &required_len) ||
	    lctx->len < required_len) {
		rc = -EINVAL;
		goto free_out;
	}

	/*
	 * Only the LSM whose id matches lctx->id is called; if none matches,
	 * rc keeps the hook's default value.
	 */
	lsm_for_each_hook(scall, setselfattr)
		if ((scall->hl->lsmid->id) == lctx->id) {
			rc = scall->hl->hook.setselfattr(attr, lctx, size, flags);
			break;
		}

free_out:
	kfree(lctx);
	return rc;
}
/**
 * security_getprocattr() - Read an attribute for a task
 * @p: the task
 * @lsmid: LSM identification
 * @name: attribute name
 * @value: attribute value
 *
 * Read attribute @name of task @p and store it into @value if allowed. Only
 * one LSM is consulted: the first one providing the hook when @lsmid is 0,
 * otherwise the first one whose id equals @lsmid.
 *
 * Return: Returns the length of @value on success, a negative value otherwise.
 */
int security_getprocattr(struct task_struct *p, int lsmid, const char *name,
			 char **value)
{
	struct lsm_static_call *scall;

	lsm_for_each_hook(scall, getprocattr) {
		if (lsmid == 0 || lsmid == scall->hl->lsmid->id)
			return scall->hl->hook.getprocattr(p, name, value);
	}

	/* No matching LSM provides the hook. */
	return LSM_RET_DEFAULT(getprocattr);
}
/**
 * security_setprocattr() - Set an attribute for a task
 * @lsmid: LSM identification
 * @name: attribute name
 * @value: attribute value
 * @size: attribute value size
 *
 * Write (set) the current task's attribute @name to @value, size @size, if
 * allowed. Only one LSM is consulted: the first one providing the hook when
 * @lsmid is 0, otherwise the first one whose id equals @lsmid.
 *
 * Return: Returns bytes written on success, a negative value otherwise.
 */
int security_setprocattr(int lsmid, const char *name, void *value, size_t size)
{
	struct lsm_static_call *scall;

	lsm_for_each_hook(scall, setprocattr) {
		if (lsmid == 0 || lsmid == scall->hl->lsmid->id)
			return scall->hl->hook.setprocattr(name, value, size);
	}

	/* No matching LSM provides the hook. */
	return LSM_RET_DEFAULT(setprocattr);
}
/**
 * security_ismaclabel() - Check if the named attribute is a MAC label
 * @name: full extended attribute name
 *
 * Tell whether the extended attribute specified by @name represents a MAC
 * label.
 *
 * Return: Returns 1 if name is a MAC attribute otherwise returns 0.
 */
int security_ismaclabel(const char *name)
{
	int rc;

	rc = call_int_hook(ismaclabel, name);
	return rc;
}
EXPORT_SYMBOL(security_ismaclabel);
/**
 * security_secid_to_secctx() - Convert a secid to a secctx
 * @secid: secid
 * @cp: the LSM context
 *
 * Convert secid to security context. With a NULL @cp only the length of the
 * result is returned and no data. Note that the length can therefore change
 * between a call made to check the length and the following call that
 * actually allocates and returns the data.
 *
 * Return: Return length of data on success, error on failure.
 */
int security_secid_to_secctx(u32 secid, struct lsm_context *cp)
{
	int rc;

	rc = call_int_hook(secid_to_secctx, secid, cp);
	return rc;
}
EXPORT_SYMBOL(security_secid_to_secctx);
/**
 * security_lsmprop_to_secctx() - Convert a lsm_prop to a secctx
 * @prop: lsm specific information
 * @cp: the LSM context
 * @lsmid: which security module to report
 *
 * Convert a @prop entry to security context. With a NULL @cp only the length
 * of the result is returned. Note that the length can therefore change
 * between a call made to check the length and the following call that
 * actually allocates and returns the @cp.
 *
 * @lsmid identifies which LSM should supply the context.
 * A value of LSM_ID_UNDEF indicates that the first LSM supplying
 * the hook should be used. This is used in cases where the
 * ID of the supplying LSM is unambiguous.
 *
 * Return: Return length of data on success, error on failure.
 */
int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,
			       int lsmid)
{
	struct lsm_static_call *scall;

	lsm_for_each_hook(scall, lsmprop_to_secctx) {
		if (lsmid == LSM_ID_UNDEF || lsmid == scall->hl->lsmid->id)
			return scall->hl->hook.lsmprop_to_secctx(prop, cp);
	}

	/* No matching LSM provides the hook. */
	return LSM_RET_DEFAULT(lsmprop_to_secctx);
}
EXPORT_SYMBOL(security_lsmprop_to_secctx);
/**
 * security_secctx_to_secid() - Convert a secctx to a secid
 * @secdata: secctx
 * @seclen: length of secctx
 * @secid: secid
 *
 * Convert security context to secid. @secid is set to 0 before the hooks are
 * called.
 *
 * Return: Returns 0 on success, error on failure.
 */
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
	int rc;

	/* Give the caller a defined value whatever the hooks do with @secid. */
	*secid = 0;
	rc = call_int_hook(secctx_to_secid, secdata, seclen, secid);
	return rc;
}
EXPORT_SYMBOL(security_secctx_to_secid);
  /**
   * security_release_secctx() - Free a secctx buffer
   * @cp: the security context
   *
   * Release the security context.  On return every field of @cp is zero.
   */
  void security_release_secctx(struct lsm_context *cp)
  {
          /* Let the release_secctx hook drop whatever @cp refers to. */
          call_void_hook(release_secctx, cp);

          /*
           * Wipe the caller's structure afterwards so that no stale value
           * from the released context is left behind in @cp.
           */
          memset(cp, 0, sizeof(*cp));
  }
  EXPORT_SYMBOL(security_release_secctx);
  /**
   * security_inode_invalidate_secctx() - Invalidate an inode's security label
   * @inode: inode
   *
   * Tell the security module that the security context it holds for @inode
   * must be revalidated.
   */
  void security_inode_invalidate_secctx(struct inode *inode)
  {
          /* Notification only; nothing is returned to the caller. */
          call_void_hook(inode_invalidate_secctx, inode);
  }
  EXPORT_SYMBOL(security_inode_invalidate_secctx);
  /**
   * security_inode_notifysecctx() - Notify the LSM of an inode's security label
   * @inode: inode
   * @ctx: secctx
   * @ctxlen: length of secctx
   *
   * Notify the security module of what the security context of an inode
   * should be.  Initializes the incore security context managed by the
   * security module for this inode.  Example usage: the NFS client invokes
   * this hook to initialize the security context in its incore inode to the
   * value provided by the server for the file when the server returned the
   * file's attributes to the client.
   *
   * Must be called with inode->i_mutex locked.
   *
   * This wrapper hands @ctx and @ctxlen to the hook unchecked; in the NFS
   * example the value originates from the server, so any validation is left
   * to the security module.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
  {
          return call_int_hook(inode_notifysecctx, inode, ctx, ctxlen);
  }
  EXPORT_SYMBOL(security_inode_notifysecctx);
  /**
   * security_inode_setsecctx() - Change the security label of an inode
   * @dentry: dentry of the inode
   * @ctx: secctx
   * @ctxlen: length of secctx
   *
   * Change the security context of an inode.  Updates the incore security
   * context managed by the security module and invokes the fs code as
   * needed (via __vfs_setxattr_noperm) to update any backing xattrs that
   * represent the context.  Example usage: the NFS server invokes this hook
   * to change the security context in its incore inode and on the backing
   * filesystem to a value provided by the client on a SETATTR operation.
   *
   * Must be called with inode->i_mutex locked.
   *
   * This wrapper hands @ctx and @ctxlen to the hook unchecked; in the NFS
   * example the value originates from the client, so any validation is left
   * to the security module.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
  {
          return call_int_hook(inode_setsecctx, dentry, ctx, ctxlen);
  }
  EXPORT_SYMBOL(security_inode_setsecctx);
  /**
   * security_inode_getsecctx() - Get the security label of an inode
   * @inode: inode
   * @cp: security context
   *
   * On success, returns 0 and fills out @cp with the security context for
   * the given @inode.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp)
  {
          /*
           * Start from an all-zero @cp so the caller does not see leftover
           * contents in fields the hook leaves untouched.
           */
          memset(cp, 0, sizeof(*cp));

          return call_int_hook(inode_getsecctx, inode, cp);
  }
  EXPORT_SYMBOL(security_inode_getsecctx);
  3683. #ifdef CONFIG_WATCH_QUEUE
  /**
   * security_post_notification() - Check if a watch notification can be posted
   * @w_cred: credentials of the task that set the watch
   * @cred: credentials of the task which triggered the watch
   * @n: the notification
   *
   * Check to see if a watch notification can be posted to a particular
   * queue.  Both sets of credentials are given to the hook so that it can
   * compare the watcher with the task that triggered the event.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_post_notification(const struct cred *w_cred,
                                 const struct cred *cred,
                                 struct watch_notification *n)
  {
          return call_int_hook(post_notification, w_cred, cred, n);
  }
  3700. #endif /* CONFIG_WATCH_QUEUE */
  3701. #ifdef CONFIG_KEY_NOTIFICATIONS
  /**
   * security_watch_key() - Check if a task is allowed to watch for key events
   * @key: the key to watch
   *
   * Check to see if a process is allowed to watch for event notifications
   * from a key or keyring.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_watch_key(struct key *key)
  {
          return call_int_hook(watch_key, key);
  }
  3715. #endif /* CONFIG_KEY_NOTIFICATIONS */
  3716. #ifdef CONFIG_SECURITY_NETWORK
  /**
   * security_netlink_send() - Save info and check if netlink sending is allowed
   * @sk: sending socket
   * @skb: netlink message
   *
   * Save security information for a netlink message so that permission
   * checking can be performed when the message is processed.  The security
   * information can be saved using the eff_cap field of the
   * netlink_skb_parms structure.  May also be used to provide fine grained
   * control over message transmission.
   *
   * Return: Returns 0 if the information was successfully saved and message
   *         is allowed to be transmitted.
   */
  int security_netlink_send(struct sock *sk, struct sk_buff *skb)
  {
          return call_int_hook(netlink_send, sk, skb);
  }
  /**
   * security_unix_stream_connect() - Check if a AF_UNIX stream is allowed
   * @sock: originating sock
   * @other: peer sock
   * @newsk: new sock
   *
   * Check permissions before establishing a Unix domain stream connection
   * between @sock and @other.
   *
   * The @unix_stream_connect and @unix_may_send hooks were necessary because
   * Linux provides an alternative to the conventional file name space for
   * Unix domain sockets.  Binding and connecting to sockets in the file name
   * space is mediated by the typical file permissions (and caught by the
   * mknod and permission hooks in inode_security_ops), whereas binding and
   * connecting to sockets in the abstract name space is completely
   * unmediated.  Sufficient control of Unix domain sockets in the abstract
   * name space isn't possible using only the socket layer hooks, since the
   * actual target socket must be known, and it is not looked up until we
   * are inside the af_unix code.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_unix_stream_connect(struct sock *sock, struct sock *other,
                                   struct sock *newsk)
  {
          return call_int_hook(unix_stream_connect, sock, other, newsk);
  }
  EXPORT_SYMBOL(security_unix_stream_connect);
  /**
   * security_unix_may_send() - Check if AF_UNIX socket can send datagrams
   * @sock: originating sock
   * @other: peer sock
   *
   * Check permissions before connecting or sending datagrams from @sock to
   * @other.
   *
   * The @unix_stream_connect and @unix_may_send hooks were necessary because
   * Linux provides an alternative to the conventional file name space for
   * Unix domain sockets.  Binding and connecting to sockets in the file name
   * space is mediated by the typical file permissions (and caught by the
   * mknod and permission hooks in inode_security_ops), whereas binding and
   * connecting to sockets in the abstract name space is completely
   * unmediated.  Sufficient control of Unix domain sockets in the abstract
   * name space isn't possible using only the socket layer hooks, since the
   * actual target socket must be known, and it is not looked up until we
   * are inside the af_unix code.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_unix_may_send(struct socket *sock, struct socket *other)
  {
          return call_int_hook(unix_may_send, sock, other);
  }
  EXPORT_SYMBOL(security_unix_may_send);
  /**
   * security_socket_create() - Check if creating a new socket is allowed
   * @family: protocol family
   * @type: communications type
   * @protocol: requested protocol
   * @kern: set to 1 if a kernel socket is requested
   *
   * Check permissions prior to creating a new socket.  No socket object
   * exists yet, so the hook sees only the requested parameters.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_create(int family, int type, int protocol, int kern)
  {
          return call_int_hook(socket_create, family, type, protocol, kern);
  }
  /**
   * security_socket_post_create() - Initialize a newly created socket
   * @sock: socket
   * @family: protocol family
   * @type: communications type
   * @protocol: requested protocol
   * @kern: set to 1 if a kernel socket is requested
   *
   * This hook allows a module to update or allocate a per-socket security
   * structure.  Note that the security field was not added directly to the
   * socket structure; the socket security information is stored in the
   * associated inode instead.  Typically, the inode alloc_security hook
   * will allocate and attach security information to
   * SOCK_INODE(sock)->i_security.  This hook may be used to update the
   * SOCK_INODE(sock)->i_security field with additional information that
   * wasn't available when the inode was allocated.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_post_create(struct socket *sock, int family,
                                  int type, int protocol, int kern)
  {
          return call_int_hook(socket_post_create, sock, family, type,
                               protocol, kern);
  }
  /**
   * security_socket_socketpair() - Check if creating a socketpair is allowed
   * @socka: first socket
   * @sockb: second socket
   *
   * Check permissions before creating a fresh pair of sockets.
   *
   * Return: Returns 0 if permission is granted and the connection was
   *         established.
   */
  int security_socket_socketpair(struct socket *socka, struct socket *sockb)
  {
          return call_int_hook(socket_socketpair, socka, sockb);
  }
  EXPORT_SYMBOL(security_socket_socketpair);
  /**
   * security_socket_bind() - Check if a socket bind operation is allowed
   * @sock: socket
   * @address: requested bind address
   * @addrlen: length of address
   *
   * Check permission before the socket protocol layer bind operation is
   * performed and the socket @sock is bound to the address specified in the
   * @address parameter.  @address and @addrlen are forwarded as given; this
   * wrapper does not check one against the other.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_bind(struct socket *sock,
                           struct sockaddr *address, int addrlen)
  {
          return call_int_hook(socket_bind, sock, address, addrlen);
  }
  /**
   * security_socket_connect() - Check if a socket connect operation is allowed
   * @sock: socket
   * @address: address of remote connection point
   * @addrlen: length of address
   *
   * Check permission before the socket protocol layer connect operation
   * attempts to connect socket @sock to a remote address, @address.
   * @address and @addrlen are forwarded as given; this wrapper does not
   * check one against the other.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_connect(struct socket *sock,
                              struct sockaddr *address, int addrlen)
  {
          return call_int_hook(socket_connect, sock, address, addrlen);
  }
  /**
   * security_socket_listen() - Check if a socket is allowed to listen
   * @sock: socket
   * @backlog: connection queue size
   *
   * Check permission before the socket protocol layer listen operation.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_listen(struct socket *sock, int backlog)
  {
          return call_int_hook(socket_listen, sock, backlog);
  }
  /**
   * security_socket_accept() - Check if a socket is allowed to accept connections
   * @sock: listening socket
   * @newsock: newly created connection socket
   *
   * Check permission before accepting a new connection.  Note that the new
   * socket, @newsock, has been created and some information copied to it,
   * but the accept operation has not actually been performed.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_accept(struct socket *sock, struct socket *newsock)
  {
          return call_int_hook(socket_accept, sock, newsock);
  }
  /**
   * security_socket_sendmsg() - Check if sending a message is allowed
   * @sock: sending socket
   * @msg: message to send
   * @size: size of message
   *
   * Check permission before transmitting a message to another socket.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
  {
          return call_int_hook(socket_sendmsg, sock, msg, size);
  }
  /**
   * security_socket_recvmsg() - Check if receiving a message is allowed
   * @sock: receiving socket
   * @msg: message to receive
   * @size: size of message
   * @flags: operational flags
   *
   * Check permission before receiving a message from a socket.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
                              int size, int flags)
  {
          return call_int_hook(socket_recvmsg, sock, msg, size, flags);
  }
  /**
   * security_socket_getsockname() - Check if reading the socket addr is allowed
   * @sock: socket
   *
   * Check permission before reading the local address (name) of the socket
   * object.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_getsockname(struct socket *sock)
  {
          return call_int_hook(socket_getsockname, sock);
  }
  /**
   * security_socket_getpeername() - Check if reading the peer's addr is allowed
   * @sock: socket
   *
   * Check permission before reading the remote address (name) of a socket
   * object.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_getpeername(struct socket *sock)
  {
          return call_int_hook(socket_getpeername, sock);
  }
  /**
   * security_socket_getsockopt() - Check if reading a socket option is allowed
   * @sock: socket
   * @level: option's protocol level
   * @optname: option name
   *
   * Check permissions before retrieving the options associated with socket
   * @sock.  Only the option's identity (@level, @optname) reaches the hook.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_getsockopt(struct socket *sock, int level, int optname)
  {
          return call_int_hook(socket_getsockopt, sock, level, optname);
  }
  /**
   * security_socket_setsockopt() - Check if setting a socket option is allowed
   * @sock: socket
   * @level: option's protocol level
   * @optname: option name
   *
   * Check permissions before setting the options associated with socket
   * @sock.  Only the option's identity (@level, @optname) reaches the hook;
   * the new option value is not among the arguments.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_setsockopt(struct socket *sock, int level, int optname)
  {
          return call_int_hook(socket_setsockopt, sock, level, optname);
  }
  /**
   * security_socket_shutdown() - Checks if shutting down the socket is allowed
   * @sock: socket
   * @how: flag indicating how sends and receives are handled
   *
   * Checks permission before all or part of a connection on the socket
   * @sock is shut down.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_socket_shutdown(struct socket *sock, int how)
  {
          return call_int_hook(socket_shutdown, sock, how);
  }
  /**
   * security_sock_rcv_skb() - Check if an incoming network packet is allowed
   * @sk: destination sock
   * @skb: incoming packet
   *
   * Check permissions on incoming network packets.  This hook is distinct
   * from Netfilter's IP input hooks since it is the first time that the
   * incoming sk_buff @skb has been associated with a particular socket,
   * @sk.
   *
   * Must not sleep inside this hook because some callers hold spinlocks.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
  {
          /* The LSM hook behind this wrapper is named socket_sock_rcv_skb. */
          return call_int_hook(socket_sock_rcv_skb, sk, skb);
  }
  EXPORT_SYMBOL(security_sock_rcv_skb);
  /**
   * security_socket_getpeersec_stream() - Get the remote peer label
   * @sock: socket
   * @optval: destination buffer
   * @optlen: size of peer label copied into the buffer
   * @len: maximum size of the destination buffer
   *
   * This hook allows the security module to provide peer socket security
   * state for unix or connected tcp sockets to userspace via getsockopt
   * SO_GETPEERSEC.  For tcp sockets this can be meaningful if the socket is
   * associated with an ipsec SA.
   *
   * This wrapper does no bounds checking of its own: @len is forwarded to
   * the hook, which is the code that writes through @optval and @optlen.
   *
   * Return: Returns 0 if all is well, otherwise, typical getsockopt return
   *         values.
   */
  int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval,
                                        sockptr_t optlen, unsigned int len)
  {
          return call_int_hook(socket_getpeersec_stream, sock, optval, optlen,
                               len);
  }
  /**
   * security_socket_getpeersec_dgram() - Get the remote peer label
   * @sock: socket
   * @skb: datagram packet
   * @secid: remote peer label secid
   *
   * This hook allows the security module to provide peer socket security
   * state for udp sockets on a per-packet basis to userspace via getsockopt
   * SO_GETPEERSEC.  The application must first have indicated the
   * IP_PASSSEC option.  It can then retrieve the security state returned by
   * this hook for a packet via the SCM_SECURITY ancillary message type.
   *
   * Unlike security_secctx_to_secid(), this wrapper does not pre-clear
   * @secid; its value after a failure depends on the hook.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_socket_getpeersec_dgram(struct socket *sock,
                                       struct sk_buff *skb, u32 *secid)
  {
          return call_int_hook(socket_getpeersec_dgram, sock, skb, secid);
  }
  EXPORT_SYMBOL(security_socket_getpeersec_dgram);
  /**
   * lsm_sock_alloc - allocate a composite sock blob
   * @sock: the sock that needs a blob
   * @gfp: allocation mode
   *
   * Allocate the sock blob for all the modules.  The blob is sized by
   * blob_sizes.lbs_sock and stored in @sock->sk_security.
   *
   * Returns 0, or -ENOMEM if memory can't be allocated.
   */
  static int lsm_sock_alloc(struct sock *sock, gfp_t gfp)
  {
          return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp);
  }
  /**
   * security_sk_alloc() - Allocate and initialize a sock's LSM blob
   * @sk: sock
   * @family: protocol family
   * @priority: gfp flags
   *
   * Allocate and attach a security structure to the sk->sk_security field,
   * which is used to copy security attributes between local stream sockets.
   * If the sk_alloc_security hook fails, the blob is torn down again through
   * security_sk_free(), so a failed call leaves sk->sk_security NULL.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
  {
          int rc;

          /* Step 1: the composite blob shared by all modules. */
          rc = lsm_sock_alloc(sk, priority);
          if (unlikely(rc))
                  return rc;

          /* Step 2: let the modules initialise their part of it. */
          rc = call_int_hook(sk_alloc_security, sk, family, priority);
          if (likely(!rc))
                  return rc;

          /* A module refused: release the blob before reporting the error. */
          security_sk_free(sk);
          return rc;
  }
  /**
   * security_sk_free() - Free the sock's LSM blob
   * @sk: sock
   *
   * Deallocate the security structure attached to @sk.
   */
  void security_sk_free(struct sock *sk)
  {
          /* Hooks run first, while sk->sk_security is still allocated. */
          call_void_hook(sk_free_security, sk);

          kfree(sk->sk_security);
          /* Clear the field so the freed blob cannot be reached via @sk. */
          sk->sk_security = NULL;
  }
  /**
   * security_sk_clone() - Clone a sock's LSM state
   * @sk: original sock
   * @newsk: target sock
   *
   * Clone/copy the security structure from @sk to @newsk.  The hook has no
   * return value, so a failure cannot be reported to the caller.
   */
  void security_sk_clone(const struct sock *sk, struct sock *newsk)
  {
          call_void_hook(sk_clone_security, sk, newsk);
  }
  EXPORT_SYMBOL(security_sk_clone);
  /**
   * security_sk_classify_flow() - Set a flow's secid based on socket
   * @sk: original socket
   * @flic: target flow
   *
   * Set the target flow's secid to the socket's secid.
   */
  void security_sk_classify_flow(const struct sock *sk, struct flowi_common *flic)
  {
          /* The sk_getsecid hook writes straight into @flic->flowic_secid. */
          call_void_hook(sk_getsecid, sk, &flic->flowic_secid);
  }
  EXPORT_SYMBOL(security_sk_classify_flow);
  /**
   * security_req_classify_flow() - Set a flow's secid based on request_sock
   * @req: request_sock
   * @flic: target flow
   *
   * Sets @flic's secid to @req's secid.
   */
  void security_req_classify_flow(const struct request_sock *req,
                                  struct flowi_common *flic)
  {
          call_void_hook(req_classify_flow, req, flic);
  }
  EXPORT_SYMBOL(security_req_classify_flow);
  /**
   * security_sock_graft() - Reconcile LSM state when grafting a sock on a socket
   * @sk: sock being grafted
   * @parent: target parent socket
   *
   * Sets @parent's inode secid to @sk's secid and updates @sk with any
   * necessary LSM state from @parent.
   */
  void security_sock_graft(struct sock *sk, struct socket *parent)
  {
          call_void_hook(sock_graft, sk, parent);
  }
  EXPORT_SYMBOL(security_sock_graft);
  /**
   * security_inet_conn_request() - Set request_sock state using incoming connect
   * @sk: parent listening sock
   * @skb: incoming connection
   * @req: new request_sock
   *
   * Initialize the @req LSM state based on @sk and the incoming connect in
   * @skb.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_inet_conn_request(const struct sock *sk,
                                 struct sk_buff *skb, struct request_sock *req)
  {
          return call_int_hook(inet_conn_request, sk, skb, req);
  }
  EXPORT_SYMBOL(security_inet_conn_request);
  /**
   * security_inet_csk_clone() - Set new sock LSM state based on request_sock
   * @newsk: new sock
   * @req: connection request_sock
   *
   * Set the LSM state of @newsk using the LSM state from @req.
   */
  void security_inet_csk_clone(struct sock *newsk,
                               const struct request_sock *req)
  {
          call_void_hook(inet_csk_clone, newsk, req);
  }
  /**
   * security_inet_conn_established() - Update sock's LSM state with connection
   * @sk: sock
   * @skb: connection packet
   *
   * Update @sk's LSM state to represent a new connection from @skb.
   */
  void security_inet_conn_established(struct sock *sk,
                                      struct sk_buff *skb)
  {
          call_void_hook(inet_conn_established, sk, skb);
  }
  EXPORT_SYMBOL(security_inet_conn_established);
  /**
   * security_secmark_relabel_packet() - Check if setting a secmark is allowed
   * @secid: new secmark value
   *
   * Check if the process should be allowed to relabel packets to @secid.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_secmark_relabel_packet(u32 secid)
  {
          return call_int_hook(secmark_relabel_packet, secid);
  }
  EXPORT_SYMBOL(security_secmark_relabel_packet);
  /**
   * security_secmark_refcount_inc() - Increment the secmark labeling rule count
   *
   * Tells the LSM to increment the number of secmark labeling rules loaded.
   * The count itself is kept by the LSM; this wrapper only calls the hook.
   */
  void security_secmark_refcount_inc(void)
  {
          call_void_hook(secmark_refcount_inc);
  }
  EXPORT_SYMBOL(security_secmark_refcount_inc);
  /**
   * security_secmark_refcount_dec() - Decrement the secmark labeling rule count
   *
   * Tells the LSM to decrement the number of secmark labeling rules loaded.
   * The count itself is kept by the LSM; this wrapper only calls the hook.
   */
  void security_secmark_refcount_dec(void)
  {
          call_void_hook(secmark_refcount_dec);
  }
  EXPORT_SYMBOL(security_secmark_refcount_dec);
  /**
   * security_tun_dev_alloc_security() - Allocate a LSM blob for a TUN device
   * @security: pointer to the LSM blob
   *
   * This hook allows a module to allocate a security structure for a TUN
   * device, returning the pointer in @security.  If the
   * tun_dev_alloc_security hook fails, the blob is freed and *@security is
   * reset to NULL, so the caller is not left holding a freed pointer.
   *
   * Return: Returns a zero on success, negative values on failure.
   */
  int security_tun_dev_alloc_security(void **security)
  {
          int rc = lsm_blob_alloc(security, blob_sizes.lbs_tun_dev, GFP_KERNEL);

          if (rc)
                  return rc;

          rc = call_int_hook(tun_dev_alloc_security, *security);
          if (!rc)
                  return rc;

          /* Hook refused: undo the allocation before reporting the error. */
          kfree(*security);
          *security = NULL;
          return rc;
  }
  EXPORT_SYMBOL(security_tun_dev_alloc_security);
  /**
   * security_tun_dev_free_security() - Free a TUN device LSM blob
   * @security: LSM blob
   *
   * Free the security structure of a TUN device.  No LSM hook is invoked
   * here; the blob is handed directly to kfree().  The caller's own copy of
   * the pointer is not cleared by this function.
   */
  void security_tun_dev_free_security(void *security)
  {
          kfree(security);
  }
  EXPORT_SYMBOL(security_tun_dev_free_security);
  /**
   * security_tun_dev_create() - Check if creating a TUN device is allowed
   *
   * Check permissions prior to creating a new TUN device.  The hook takes no
   * arguments.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_tun_dev_create(void)
  {
          return call_int_hook(tun_dev_create);
  }
  EXPORT_SYMBOL(security_tun_dev_create);
  /**
   * security_tun_dev_attach_queue() - Check if attaching a TUN queue is allowed
   * @security: TUN device LSM blob
   *
   * Check permissions prior to attaching to a TUN device queue.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_tun_dev_attach_queue(void *security)
  {
          return call_int_hook(tun_dev_attach_queue, security);
  }
  EXPORT_SYMBOL(security_tun_dev_attach_queue);
  /**
   * security_tun_dev_attach() - Update TUN device LSM state on attach
   * @sk: associated sock
   * @security: TUN device LSM blob
   *
   * This hook can be used by the module to update any security state
   * associated with the TUN device's sock structure.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_tun_dev_attach(struct sock *sk, void *security)
  {
          return call_int_hook(tun_dev_attach, sk, security);
  }
  EXPORT_SYMBOL(security_tun_dev_attach);
  /**
   * security_tun_dev_open() - Update TUN device LSM state on open
   * @security: TUN device LSM blob
   *
   * This hook can be used by the module to update any security state
   * associated with the TUN device's security structure.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_tun_dev_open(void *security)
  {
          return call_int_hook(tun_dev_open, security);
  }
  EXPORT_SYMBOL(security_tun_dev_open);
  /**
   * security_sctp_assoc_request() - Update the LSM on a SCTP association req
   * @asoc: SCTP association
   * @skb: packet requesting the association
   *
   * Passes @asoc and @skb, the skb of the association INIT packet, to the
   * LSM.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_sctp_assoc_request(struct sctp_association *asoc,
                                  struct sk_buff *skb)
  {
          return call_int_hook(sctp_assoc_request, asoc, skb);
  }
  EXPORT_SYMBOL(security_sctp_assoc_request);
  /**
   * security_sctp_bind_connect() - Validate a list of addrs for a SCTP option
   * @sk: socket
   * @optname: SCTP option to validate
   * @address: list of IP addresses to validate
   * @addrlen: length of the address list
   *
   * Validate permissions required for each address associated with sock
   * @sk.  Depending on @optname, the addresses will be treated as either a
   * connect or bind service.  The @addrlen is calculated on each IPv4 and
   * IPv6 address using sizeof(struct sockaddr_in) or
   * sizeof(struct sockaddr_in6).
   *
   * This wrapper forwards @address and @addrlen as given; walking the list
   * and keeping within @addrlen is left to the hook.
   *
   * Return: Returns 0 on success, error on failure.
   */
  int security_sctp_bind_connect(struct sock *sk, int optname,
                                 struct sockaddr *address, int addrlen)
  {
          return call_int_hook(sctp_bind_connect, sk, optname, address, addrlen);
  }
  EXPORT_SYMBOL(security_sctp_bind_connect);
  /**
   * security_sctp_sk_clone() - Clone a SCTP sock's LSM state
   * @asoc: SCTP association
   * @sk: original sock
   * @newsk: target sock
   *
   * Called whenever a new socket is created by accept(2) (i.e. a TCP style
   * socket) or when a socket is 'peeled off', e.g. userspace calls
   * sctp_peeloff(3).
   */
  void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,
                              struct sock *newsk)
  {
          call_void_hook(sctp_sk_clone, asoc, sk, newsk);
  }
  EXPORT_SYMBOL(security_sctp_sk_clone);
  /**
   * security_sctp_assoc_established() - Update LSM state when assoc established
   * @asoc: SCTP association
   * @skb: packet establishing the association
   *
   * Passes @asoc and @skb, the skb of the association COOKIE_ACK packet, to
   * the security module.
   *
   * Return: Returns 0 if permission is granted.
   */
  int security_sctp_assoc_established(struct sctp_association *asoc,
                                      struct sk_buff *skb)
  {
          return call_int_hook(sctp_assoc_established, asoc, skb);
  }
  EXPORT_SYMBOL(security_sctp_assoc_established);
  /**
   * security_mptcp_add_subflow() - Inherit the LSM label from the MPTCP socket
   * @sk: the owning MPTCP socket
   * @ssk: the new subflow
   *
   * Update the labeling for the given MPTCP subflow so that it matches the
   * one of the owning MPTCP socket.  This hook has to be called after the
   * socket creation and initialization via the security_socket_create() and
   * security_socket_post_create() LSM hooks.
   *
   * Return: Returns 0 on success or a negative error code on failure.
   */
  int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)
  {
          return call_int_hook(mptcp_add_subflow, sk, ssk);
  }
  4398. #endif /* CONFIG_SECURITY_NETWORK */
  4399. #ifdef CONFIG_SECURITY_INFINIBAND
/**
 * security_ib_pkey_access() - Check if access to an IB pkey is allowed
 * @sec: LSM blob
 * @subnet_prefix: subnet prefix of the port
 * @pkey: IB pkey
 *
 * Permission check for access to a pkey, made when a QP is modified. The
 * decision is delegated to the ib_pkey_access hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey)
{
	int rc = call_int_hook(ib_pkey_access, sec, subnet_prefix, pkey);

	return rc;
}
EXPORT_SYMBOL(security_ib_pkey_access);
/**
 * security_ib_endport_manage_subnet() - Check if SMP traffic is allowed
 * @sec: LSM blob
 * @dev_name: IB device name
 * @port_num: port number
 *
 * Permission check for sending and receiving SMPs on an end port, delegated
 * to the ib_endport_manage_subnet hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_ib_endport_manage_subnet(void *sec,
				      const char *dev_name, u8 port_num)
{
	int rc = call_int_hook(ib_endport_manage_subnet, sec, dev_name,
			       port_num);

	return rc;
}
EXPORT_SYMBOL(security_ib_endport_manage_subnet);
/**
 * security_ib_alloc_security() - Allocate an Infiniband LSM blob
 * @sec: location that receives the pointer to the LSM blob
 *
 * Sets up *@sec through lsm_blob_alloc() using blob_sizes.lbs_ib and
 * GFP_KERNEL, then runs the ib_alloc_security hook on the new blob. When the
 * hook reports an error the blob is released again and *@sec is reset to
 * NULL, so the caller is never left holding a pointer to freed memory.
 *
 * Return: Returns 0 on success, non-zero on failure.
 */
int security_ib_alloc_security(void **sec)
{
	int rc = lsm_blob_alloc(sec, blob_sizes.lbs_ib, GFP_KERNEL);

	if (rc)
		return rc;

	rc = call_int_hook(ib_alloc_security, *sec);
	if (!rc)
		return 0;

	/* Hook refused: undo the allocation before reporting the error. */
	kfree(*sec);
	*sec = NULL;
	return rc;
}
EXPORT_SYMBOL(security_ib_alloc_security);
/**
 * security_ib_free_security() - Free an Infiniband LSM blob
 * @sec: LSM blob
 *
 * Releases an Infiniband security structure with kfree(). No LSM hook is
 * called here, and because @sec is passed by value the caller's own pointer
 * is not cleared; it must not be used after this call.
 */
void security_ib_free_security(void *sec)
{
	kfree(sec);
}
EXPORT_SYMBOL(security_ib_free_security);
  4464. #endif /* CONFIG_SECURITY_INFINIBAND */
  4465. #ifdef CONFIG_SECURITY_NETWORK_XFRM
/**
 * security_xfrm_policy_alloc() - Allocate a xfrm policy LSM blob
 * @ctxp: xfrm security context being added to the SPD
 * @sec_ctx: security label provided by userspace
 * @gfp: gfp flags
 *
 * Allocates a security structure for the xp->security field; that field is
 * initialized to NULL when the xfrm_policy is allocated. @sec_ctx originates
 * from userspace and is passed to the xfrm_policy_alloc_security hook without
 * any checking in this wrapper.
 *
 * Return: Return 0 if operation was successful.
 */
int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
			       struct xfrm_user_sec_ctx *sec_ctx,
			       gfp_t gfp)
{
	int rc = call_int_hook(xfrm_policy_alloc_security, ctxp, sec_ctx, gfp);

	return rc;
}
EXPORT_SYMBOL(security_xfrm_policy_alloc);
/**
 * security_xfrm_policy_clone() - Clone xfrm policy LSM state
 * @old_ctx: xfrm security context to copy from
 * @new_ctxp: target xfrm security context
 *
 * Allocates a security structure in @new_ctxp holding the information found
 * in @old_ctx, by way of the xfrm_policy_clone_security hook.
 *
 * Return: Return 0 if operation was successful.
 */
int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
			       struct xfrm_sec_ctx **new_ctxp)
{
	int rc = call_int_hook(xfrm_policy_clone_security, old_ctx, new_ctxp);

	return rc;
}
/**
 * security_xfrm_policy_free() - Free a xfrm security context
 * @ctx: xfrm security context
 *
 * Releases the LSM resources associated with @ctx by calling the
 * xfrm_policy_free_security hook. This wrapper itself frees nothing.
 */
void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
	call_void_hook(xfrm_policy_free_security, ctx);
}
EXPORT_SYMBOL(security_xfrm_policy_free);
/**
 * security_xfrm_policy_delete() - Check if deleting a xfrm policy is allowed
 * @ctx: xfrm security context
 *
 * Authorization check for the deletion of a SPD entry, delegated to the
 * xfrm_policy_delete_security hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
	int rc = call_int_hook(xfrm_policy_delete_security, ctx);

	return rc;
}
/**
 * security_xfrm_state_alloc() - Allocate a xfrm state LSM blob
 * @x: xfrm state being added to the SAD
 * @sec_ctx: security label provided by userspace
 *
 * Allocates a security structure for the @x->security field; that field is
 * initialized to NULL when the xfrm_state is allocated. The context is set
 * to correspond to @sec_ctx, which comes from userspace and reaches the
 * xfrm_state_alloc hook without any checking in this wrapper.
 *
 * Return: Return 0 if operation was successful.
 */
int security_xfrm_state_alloc(struct xfrm_state *x,
			      struct xfrm_user_sec_ctx *sec_ctx)
{
	int rc = call_int_hook(xfrm_state_alloc, x, sec_ctx);

	return rc;
}
EXPORT_SYMBOL(security_xfrm_state_alloc);
/**
 * security_xfrm_state_alloc_acquire() - Allocate a xfrm state LSM blob
 * @x: xfrm state being added to the SAD
 * @polsec: associated policy's security context
 * @secid: secid from the flow
 *
 * Allocates a security structure for the @x->security field; that field is
 * initialized to NULL when the xfrm_state is allocated. The context is set
 * to correspond to @secid.
 *
 * Return: Returns 0 if operation was successful.
 */
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
				      struct xfrm_sec_ctx *polsec, u32 secid)
{
	int rc = call_int_hook(xfrm_state_alloc_acquire, x, polsec, secid);

	return rc;
}
/**
 * security_xfrm_state_delete() - Check if deleting a xfrm state is allowed
 * @x: xfrm state
 *
 * Authorization check for the deletion of @x->security, delegated to the
 * xfrm_state_delete_security hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_xfrm_state_delete(struct xfrm_state *x)
{
	int rc = call_int_hook(xfrm_state_delete_security, x);

	return rc;
}
EXPORT_SYMBOL(security_xfrm_state_delete);
/**
 * security_xfrm_state_free() - Free a xfrm state
 * @x: xfrm state
 *
 * Deallocates @x->security by calling the xfrm_state_free_security hook.
 * This wrapper itself frees nothing.
 */
void security_xfrm_state_free(struct xfrm_state *x)
{
	call_void_hook(xfrm_state_free_security, x);
}
/**
 * security_xfrm_policy_lookup() - Check if using a xfrm policy is allowed
 * @ctx: target xfrm security context
 * @fl_secid: flow secid used to authorize access
 *
 * Permission check made when a flow selects a xfrm_policy for processing
 * XFRMs on a packet. The hook runs both when a per-socket policy and when a
 * generic xfrm policy is selected.
 *
 * Return: Return 0 if permission is granted, -ESRCH otherwise, or -errno on
 *         other errors.
 */
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)
{
	int rc = call_int_hook(xfrm_policy_lookup, ctx, fl_secid);

	return rc;
}
/**
 * security_xfrm_state_pol_flow_match() - Check for a xfrm match
 * @x: xfrm state to match
 * @xp: xfrm policy to check for a match
 * @flic: flow to check for a match.
 *
 * Checks @xp and @flic for a match with @x. Only the first hook entry that
 * the loop visits is consulted; any further entries are never called. If the
 * loop visits no entry, LSM_RET_DEFAULT(xfrm_state_pol_flow_match) is
 * returned.
 *
 * Return: Returns 1 if there is a match.
 */
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
				       struct xfrm_policy *xp,
				       const struct flowi_common *flic)
{
	struct lsm_static_call *scall;

	/*
	 * The result is expected to be 0 or 1, which is hard to combine when
	 * several LSMs supply this call. Currently only SELinux does, so the
	 * verdict of the first entry is used as is. Leaving the loop by hand
	 * instead of using the generic macro is a speed optimization.
	 */
	lsm_for_each_hook(scall, xfrm_state_pol_flow_match) {
		return scall->hl->hook.xfrm_state_pol_flow_match(x, xp, flic);
	}

	return LSM_RET_DEFAULT(xfrm_state_pol_flow_match);
}
/**
 * security_xfrm_decode_session() - Determine the xfrm secid for a packet
 * @skb: xfrm packet
 * @secid: secid
 *
 * Decodes the packet in @skb and returns the security label in @secid. The
 * xfrm_decode_session hook is called with a constant 1 as its last argument.
 * NOTE(review): that argument presumably asks the hook to check every xfrm
 * on the packet; confirm against the hook definition.
 *
 * Return: Return 0 if all xfrms used have the same secid.
 */
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
	int rc = call_int_hook(xfrm_decode_session, skb, secid, 1);

	return rc;
}
/**
 * security_skb_classify_flow() - Store the xfrm secid of a packet in a flow
 * @skb: packet
 * @flic: flow whose flowic_secid field is written
 *
 * Runs the xfrm_decode_session hook with &@flic->flowic_secid as the output
 * location and 0 as the last argument (security_xfrm_decode_session() passes
 * 1 there). A non-zero result from the hook is not reported to the caller;
 * it trips BUG_ON() instead.
 */
void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)
{
	int rc;

	rc = call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid, 0);
	BUG_ON(rc);
}
EXPORT_SYMBOL(security_skb_classify_flow);
  4646. #endif /* CONFIG_SECURITY_NETWORK_XFRM */
  4647. #ifdef CONFIG_KEYS
/**
 * security_key_alloc() - Allocate and initialize a kernel key LSM blob
 * @key: key
 * @cred: credentials
 * @flags: allocation flags
 *
 * Permits allocation of a key and assigns security data. Note that @key has
 * no serial number assigned at this point. lsm_key_alloc() runs first; if
 * the key_alloc hook then denies the request, security_key_free() is called
 * so that @key does not keep the security data that was just set up.
 *
 * Return: Return 0 if permission is granted, -ve error otherwise.
 */
int security_key_alloc(struct key *key, const struct cred *cred,
		       unsigned long flags)
{
	int rc;

	rc = lsm_key_alloc(key);
	if (unlikely(rc))
		return rc;

	rc = call_int_hook(key_alloc, key, cred, flags);
	if (unlikely(rc)) {
		/* Denied or failed: drop the security data again. */
		security_key_free(key);
	}

	return rc;
}
/**
 * security_key_free() - Free a kernel key LSM blob
 * @key: key
 *
 * Notification of destruction; frees the security data. @key->security is
 * released with kfree() and then set to NULL, so a stale pointer is not left
 * behind in @key. No LSM hook is called from here.
 */
void security_key_free(struct key *key)
{
	kfree(key->security);
	key->security = NULL;
}
/**
 * security_key_permission() - Check if a kernel key operation is allowed
 * @key_ref: key reference
 * @cred: credentials of actor requesting access
 * @need_perm: requested permissions
 *
 * Determines whether a specific operational right on a key is granted to a
 * process. The decision is delegated to the key_permission hook.
 *
 * Return: Return 0 if permission is granted, -ve error otherwise.
 */
int security_key_permission(key_ref_t key_ref, const struct cred *cred,
			    enum key_need_perm need_perm)
{
	int rc = call_int_hook(key_permission, key_ref, cred, need_perm);

	return rc;
}
/**
 * security_key_getsecurity() - Get the key's security label
 * @key: key
 * @buffer: security label buffer
 *
 * Produces a textual representation of the security context attached to a
 * key, for the purposes of honouring KEYCTL_GETSECURITY. The storage for the
 * NUL-terminated string is allocated on behalf of the caller, who should
 * free it. *@buffer is cleared before the key_getsecurity hook runs, so it
 * holds NULL unless a hook stores a pointer there.
 *
 * Return: Returns the length of @buffer (including terminating NUL) or -ve if
 *         an error occurs. May also return 0 (and a NULL buffer pointer) if
 *         there is no security label assigned to the key.
 */
int security_key_getsecurity(struct key *key, char **buffer)
{
	int rc;

	*buffer = NULL;
	rc = call_int_hook(key_getsecurity, key, buffer);

	return rc;
}
/**
 * security_key_post_create_or_update() - Notification of key create or update
 * @keyring: keyring to which the key is linked to
 * @key: created or updated key
 * @payload: data used to instantiate or update the key
 * @payload_len: length of payload
 * @flags: key flags
 * @create: flag indicating whether the key was created or updated
 *
 * Passes a key creation or update on to the key_post_create_or_update hook.
 * The function returns nothing, so a hook cannot veto the operation here.
 * Note that @payload, the raw data used for the key, is handed to the hook.
 */
void security_key_post_create_or_update(struct key *keyring, struct key *key,
					const void *payload, size_t payload_len,
					unsigned long flags, bool create)
{
	call_void_hook(key_post_create_or_update, keyring, key, payload,
		       payload_len, flags, create);
}
  4732. #endif /* CONFIG_KEYS */
  4733. #ifdef CONFIG_AUDIT
/**
 * security_audit_rule_init() - Allocate and init an LSM audit rule struct
 * @field: audit action
 * @op: rule operator
 * @rulestr: rule context
 * @lsmrule: receive buffer for audit rule struct
 * @gfp: GFP flag used for kmalloc
 *
 * Allocates and initializes an LSM audit rule structure through the
 * audit_rule_init hook.
 *
 * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of
 *         an invalid rule.
 */
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,
			     gfp_t gfp)
{
	int rc = call_int_hook(audit_rule_init, field, op, rulestr, lsmrule,
			       gfp);

	return rc;
}
/**
 * security_audit_rule_known() - Check if an audit rule contains LSM fields
 * @krule: audit rule
 *
 * Reports whether the given @krule contains any fields related to the
 * current LSM, as decided by the audit_rule_known hook.
 *
 * Return: Returns 1 in case of relation found, 0 otherwise.
 */
int security_audit_rule_known(struct audit_krule *krule)
{
	int rc = call_int_hook(audit_rule_known, krule);

	return rc;
}
/**
 * security_audit_rule_free() - Free an LSM audit rule struct
 * @lsmrule: audit rule struct
 *
 * Deallocates the LSM audit rule structure previously allocated by
 * audit_rule_init(), by calling the audit_rule_free hook. This wrapper
 * itself frees nothing.
 */
void security_audit_rule_free(void *lsmrule)
{
	call_void_hook(audit_rule_free, lsmrule);
}
/**
 * security_audit_rule_match() - Check if a label matches an audit rule
 * @prop: security label
 * @field: LSM audit field
 * @op: matching operator
 * @lsmrule: audit rule
 *
 * Determines whether the label in @prop matches a rule previously approved
 * by security_audit_rule_known(). Callers must tell the three outcomes
 * apart: a negative value is a failure, not a "no match".
 *
 * Return: Returns 1 if @prop matches the rule, 0 if it does not, -ERRNO on
 *         failure.
 */
int security_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op,
			      void *lsmrule)
{
	int rc = call_int_hook(audit_rule_match, prop, field, op, lsmrule);

	return rc;
}
  4794. #endif /* CONFIG_AUDIT */
  4795. #ifdef CONFIG_BPF_SYSCALL
/**
 * security_bpf() - Check if the bpf syscall operation is allowed
 * @cmd: command
 * @attr: bpf attribute
 * @size: size
 * @kernel: whether or not call originated from kernel
 *
 * Initial check for all bpf syscalls, made after the attribute has been
 * copied into the kernel. Each security module can implement its own rules
 * for the specific @cmd values it cares about.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_bpf(int cmd, union bpf_attr *attr, unsigned int size, bool kernel)
{
	int rc = call_int_hook(bpf, cmd, attr, size, kernel);

	return rc;
}
/**
 * security_bpf_map() - Check if access to a bpf map is allowed
 * @map: bpf map
 * @fmode: mode
 *
 * Check made when the kernel generates and returns a file descriptor for
 * eBPF maps, delegated to the bpf_map hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_bpf_map(struct bpf_map *map, fmode_t fmode)
{
	int rc = call_int_hook(bpf_map, map, fmode);

	return rc;
}
/**
 * security_bpf_prog() - Check if access to a bpf program is allowed
 * @prog: bpf program
 *
 * Check made when the kernel generates and returns a file descriptor for
 * eBPF programs, delegated to the bpf_prog hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_bpf_prog(struct bpf_prog *prog)
{
	int rc = call_int_hook(bpf_prog, prog);

	return rc;
}
/**
 * security_bpf_map_create() - Check if BPF map creation is allowed
 * @map: BPF map object
 * @attr: BPF syscall attributes used to create BPF map
 * @token: BPF token used to grant user access
 * @kernel: whether or not call originated from kernel
 *
 * Check made when the kernel creates a new BPF map. This is also the point
 * where the LSM blob is allocated for LSMs that need one: lsm_bpf_map_alloc()
 * runs before the bpf_map_create hook. If the hook fails,
 * security_bpf_map_free() undoes the allocation before the error is returned.
 *
 * Return: Returns 0 on success, error on failure.
 */
int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,
			    struct bpf_token *token, bool kernel)
{
	int rc = lsm_bpf_map_alloc(map);

	if (unlikely(rc))
		return rc;

	rc = call_int_hook(bpf_map_create, map, attr, token, kernel);
	if (unlikely(rc)) {
		/* Hook refused: release the blob allocated above. */
		security_bpf_map_free(map);
	}

	return rc;
}
/**
 * security_bpf_prog_load() - Check if loading of BPF program is allowed
 * @prog: BPF program object
 * @attr: BPF syscall attributes used to create BPF program
 * @token: BPF token used to grant user access to BPF subsystem
 * @kernel: whether or not call originated from kernel
 *
 * Access control check made when the kernel loads a BPF program and
 * allocates the associated BPF program object. This path also allocates any
 * required LSM state for the program: lsm_bpf_prog_alloc() runs before the
 * bpf_prog_load hook. If the hook fails, security_bpf_prog_free() undoes the
 * allocation before the error is returned.
 *
 * Return: Returns 0 on success, error on failure.
 */
int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,
			   struct bpf_token *token, bool kernel)
{
	int rc = lsm_bpf_prog_alloc(prog);

	if (unlikely(rc))
		return rc;

	rc = call_int_hook(bpf_prog_load, prog, attr, token, kernel);
	if (unlikely(rc)) {
		/* Hook refused: release the LSM state allocated above. */
		security_bpf_prog_free(prog);
	}

	return rc;
}
/**
 * security_bpf_token_create() - Check if creating of BPF token is allowed
 * @token: BPF token object
 * @attr: BPF syscall attributes used to create BPF token
 * @path: path pointing to BPF FS mount point from which BPF token is created
 *
 * Check made when the kernel instantiates a new BPF token object from a BPF
 * FS instance. This is also the point where the LSM blob can be allocated
 * for LSMs: lsm_bpf_token_alloc() runs before the bpf_token_create hook. If
 * the hook fails, security_bpf_token_free() undoes the allocation before the
 * error is returned.
 *
 * Return: Returns 0 on success, error on failure.
 */
int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,
			      const struct path *path)
{
	int rc = lsm_bpf_token_alloc(token);

	if (unlikely(rc))
		return rc;

	rc = call_int_hook(bpf_token_create, token, attr, path);
	if (unlikely(rc)) {
		/* Hook refused: release the blob allocated above. */
		security_bpf_token_free(token);
	}

	return rc;
}
/**
 * security_bpf_token_cmd() - Check if BPF token is allowed to delegate
 *                            requested BPF syscall command
 * @token: BPF token object
 * @cmd: BPF syscall command requested to be delegated by BPF token
 *
 * Check made when the kernel decides whether the provided BPF token should
 * allow delegation of the requested BPF syscall command.
 *
 * Return: Returns 0 on success, error on failure.
 */
int security_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)
{
	int rc = call_int_hook(bpf_token_cmd, token, cmd);

	return rc;
}
/**
 * security_bpf_token_capable() - Check if BPF token is allowed to delegate
 *                                requested BPF-related capability
 * @token: BPF token object
 * @cap: capabilities requested to be delegated by BPF token
 *
 * Check made when the kernel decides whether the provided BPF token should
 * allow delegation of the requested BPF-related capabilities.
 *
 * Return: Returns 0 on success, error on failure.
 */
int security_bpf_token_capable(const struct bpf_token *token, int cap)
{
	int rc = call_int_hook(bpf_token_capable, token, cap);

	return rc;
}
/**
 * security_bpf_map_free() - Free a bpf map's LSM blob
 * @map: bpf map
 *
 * Cleans up the security information stored inside the bpf map. The
 * bpf_map_free hook runs first, while @map->security is still valid; the
 * blob is then released and the pointer set to NULL. The hook is called
 * whether or not @map->security is set.
 */
void security_bpf_map_free(struct bpf_map *map)
{
	call_void_hook(bpf_map_free, map);

	kfree(map->security);
	map->security = NULL;
}
/**
 * security_bpf_prog_free() - Free a BPF program's LSM blob
 * @prog: BPF program struct
 *
 * Cleans up the security information stored inside the BPF program. The
 * bpf_prog_free hook runs first, while @prog->aux->security is still valid;
 * the blob is then released and the pointer set to NULL. @prog->aux is
 * dereferenced without a check, so it must be valid on entry.
 */
void security_bpf_prog_free(struct bpf_prog *prog)
{
	call_void_hook(bpf_prog_free, prog);

	kfree(prog->aux->security);
	prog->aux->security = NULL;
}
/**
 * security_bpf_token_free() - Free a BPF token's LSM blob
 * @token: BPF token struct
 *
 * Cleans up the security information stored inside the BPF token. The
 * bpf_token_free hook runs first, while @token->security is still valid; the
 * blob is then released and the pointer set to NULL.
 */
void security_bpf_token_free(struct bpf_token *token)
{
	call_void_hook(bpf_token_free, token);

	kfree(token->security);
	token->security = NULL;
}
  4978. #endif /* CONFIG_BPF_SYSCALL */
/**
 * security_locked_down() - Check if a kernel feature is allowed
 * @what: requested kernel feature
 *
 * Decides whether a kernel feature that potentially enables arbitrary code
 * execution in kernel space should be permitted. Since 0 is the only value
 * that grants permission, callers have to treat every non-zero return as a
 * refusal.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_locked_down(enum lockdown_reason what)
{
	int rc = call_int_hook(locked_down, what);

	return rc;
}
EXPORT_SYMBOL(security_locked_down);
/**
 * security_bdev_alloc() - Allocate a block device LSM blob
 * @bdev: block device
 *
 * Allocates a security structure and attaches it to @bdev->bd_security. The
 * security field is initialized to NULL when the bdev structure is
 * allocated. lsm_bdev_alloc() runs before the bdev_alloc_security hook; if
 * the hook fails, security_bdev_free() undoes the allocation before the
 * error is returned.
 *
 * Return: Return 0 if operation was successful.
 */
int security_bdev_alloc(struct block_device *bdev)
{
	int rc = lsm_bdev_alloc(bdev);

	if (unlikely(rc))
		return rc;

	rc = call_int_hook(bdev_alloc_security, bdev);
	if (unlikely(rc)) {
		/* Hook refused: release the blob allocated above. */
		security_bdev_free(bdev);
	}

	return rc;
}
EXPORT_SYMBOL(security_bdev_alloc);
/**
 * security_bdev_free() - Free a block device's LSM blob
 * @bdev: block device
 *
 * Deallocates the bdev security structure and sets @bdev->bd_security to
 * NULL. When @bdev->bd_security is already NULL the function does nothing;
 * in particular the bdev_free_security hook is not called in that case.
 */
void security_bdev_free(struct block_device *bdev)
{
	if (bdev->bd_security) {
		/* The hook runs before the blob it may inspect is released. */
		call_void_hook(bdev_free_security, bdev);
		kfree(bdev->bd_security);
		bdev->bd_security = NULL;
	}
}
EXPORT_SYMBOL(security_bdev_free);
/**
 * security_bdev_setintegrity() - Set the device's integrity data
 * @bdev: block device
 * @type: type of integrity, e.g. hash digest, signature, etc
 * @value: the integrity value
 * @size: size of the integrity value
 *
 * Registers a verified integrity measurement of a bdev with LSMs. LSMs
 * should free the previously saved data if @value is NULL.
 *
 * The hook has to be invoked every time the security information is updated,
 * so that the stored data stay current. For example, in dm-verity, if the
 * mapping table is reloaded and configured to use a different dm-verity
 * target with a new roothash and signing information, the data previously
 * stored in the LSM blob become obsolete and the hook must be invoked again
 * to refresh them.
 *
 * This follows from the design of device-mapper: a device-mapper device is
 * created first and targets are loaded into it afterwards, and those targets
 * can be modified multiple times during the device's lifetime. The LSM blob
 * is therefore allocated when the block device is created, but its contents
 * are not initialized at that stage and can change substantially over time,
 * including from data that the LSMs trust to data they do not. Failing to
 * handle these changes could potentially allow LSM checks to be bypassed.
 *
 * Return: Returns 0 on success, negative values on failure.
 */
int security_bdev_setintegrity(struct block_device *bdev,
			       enum lsm_integrity_type type, const void *value,
			       size_t size)
{
	int rc = call_int_hook(bdev_setintegrity, bdev, type, value, size);

	return rc;
}
EXPORT_SYMBOL(security_bdev_setintegrity);
  5064. #ifdef CONFIG_PERF_EVENTS
/**
 * security_perf_event_open() - Check if a perf event open is allowed
 * @type: type of event
 *
 * Checks whether the @type of perf_event_open syscall is allowed, as decided
 * by the perf_event_open hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_perf_event_open(int type)
{
	int rc = call_int_hook(perf_event_open, type);

	return rc;
}
/**
 * security_perf_event_alloc() - Allocate a perf event LSM blob
 * @event: perf event
 *
 * Allocates and saves perf_event security info. @event->security is set up
 * through lsm_blob_alloc() using blob_sizes.lbs_perf_event and GFP_KERNEL,
 * then the perf_event_alloc hook runs. When the hook reports an error the
 * blob is released again and @event->security is reset to NULL.
 *
 * Return: Returns 0 on success, error on failure.
 */
int security_perf_event_alloc(struct perf_event *event)
{
	int rc = lsm_blob_alloc(&event->security, blob_sizes.lbs_perf_event,
				GFP_KERNEL);

	if (rc)
		return rc;

	rc = call_int_hook(perf_event_alloc, event);
	if (!rc)
		return 0;

	/* Hook refused: undo the allocation before reporting the error. */
	kfree(event->security);
	event->security = NULL;
	return rc;
}
/**
 * security_perf_event_free() - Free a perf event LSM blob
 * @event: perf event
 *
 * Releases the perf_event security info: @event->security is freed with
 * kfree() and then set to NULL. No LSM hook is called from here.
 */
void security_perf_event_free(struct perf_event *event)
{
	kfree(event->security);
	event->security = NULL;
}
/**
 * security_perf_event_read() - Check if reading a perf event label is allowed
 * @event: perf event
 *
 * Read perf_event security info if allowed; the decision is delegated to the
 * perf_event_read hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_perf_event_read(struct perf_event *event)
{
	int rc = call_int_hook(perf_event_read, event);

	return rc;
}
/**
 * security_perf_event_write() - Check if writing a perf event label is allowed
 * @event: perf event
 *
 * Write perf_event security info if allowed; the decision is delegated to
 * the perf_event_write hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_perf_event_write(struct perf_event *event)
{
	int rc = call_int_hook(perf_event_write, event);

	return rc;
}
  5134. #endif /* CONFIG_PERF_EVENTS */
  5135. #ifdef CONFIG_IO_URING
/**
 * security_uring_override_creds() - Check if overriding creds is allowed
 * @new: new credentials
 *
 * Checks whether the current task, executing an io_uring operation, is
 * allowed to override its credentials with @new.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_uring_override_creds(const struct cred *new)
{
	int rc = call_int_hook(uring_override_creds, new);

	return rc;
}
/**
 * security_uring_sqpoll() - Check if IORING_SETUP_SQPOLL is allowed
 *
 * Checks whether the current task is allowed to spawn an io_uring polling
 * thread (IORING_SETUP_SQPOLL).
 *
 * Return: Returns 0 if permission is granted.
 */
int security_uring_sqpoll(void)
{
	int rc = call_int_hook(uring_sqpoll);

	return rc;
}
/**
 * security_uring_cmd() - Check if a io_uring passthrough command is allowed
 * @ioucmd: command
 *
 * Checks whether the file_operations uring_cmd is allowed to run, as decided
 * by the uring_cmd hook.
 *
 * Return: Returns 0 if permission is granted.
 */
int security_uring_cmd(struct io_uring_cmd *ioucmd)
{
	int rc = call_int_hook(uring_cmd, ioucmd);

	return rc;
}
/**
 * security_uring_allowed() - Check if io_uring_setup() is allowed
 *
 * Checks whether the current task is allowed to call io_uring_setup().
 *
 * Return: Returns 0 if permission is granted.
 */
int security_uring_allowed(void)
{
	int rc = call_int_hook(uring_allowed);

	return rc;
}
  5184. #endif /* CONFIG_IO_URING */
/**
 * security_initramfs_populated() - Notify LSMs that initramfs has been loaded
 *
 * Tells the LSMs, through the initramfs_populated hook, that the initramfs
 * has been unpacked into the rootfs. This is a notification only; nothing is
 * returned to the caller.
 */
void security_initramfs_populated(void)
{
	call_void_hook(initramfs_populated);
}