// SPDX-License-Identifier: GPL-2.0-or-later1/*2* Security plug functions3*4* Copyright (C) 2001 WireX Communications, Inc <[email protected]>5* Copyright (C) 2001-2002 Greg Kroah-Hartman <[email protected]>6* Copyright (C) 2001 Networks Associates Technology, Inc <[email protected]>7* Copyright (C) 2016 Mellanox Technologies8* Copyright (C) 2023 Microsoft Corporation <[email protected]>9*/1011#define pr_fmt(fmt) "LSM: " fmt1213#include <linux/bpf.h>14#include <linux/capability.h>15#include <linux/dcache.h>16#include <linux/export.h>17#include <linux/init.h>18#include <linux/kernel.h>19#include <linux/kernel_read_file.h>20#include <linux/lsm_hooks.h>21#include <linux/mman.h>22#include <linux/mount.h>23#include <linux/personality.h>24#include <linux/backing-dev.h>25#include <linux/string.h>26#include <linux/xattr.h>27#include <linux/msg.h>28#include <linux/overflow.h>29#include <linux/perf_event.h>30#include <linux/fs.h>31#include <net/flow.h>32#include <net/sock.h>3334#define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX3536/*37* Identifier for the LSM static calls.38* HOOK is an LSM hook as defined in linux/lsm_hookdefs.h39* IDX is the index of the static call. 0 <= NUM < MAX_LSM_COUNT40*/41#define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX4243/*44* Call the macro M for each LSM hook MAX_LSM_COUNT times.45*/46#define LSM_LOOP_UNROLL(M, ...) \47do { \48UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) \49} while (0)5051#define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__)5253/*54* These are descriptions of the reasons that can be passed to the55* security_locked_down() LSM hook. Placing this array here allows56* all security modules to use the same descriptions for auditing57* purposes.58*/59const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {60[LOCKDOWN_NONE] = "none",61[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",62[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",63[LOCKDOWN_EFI_TEST] = "/dev/efi_test access",64[LOCKDOWN_KEXEC] = "kexec of unsigned images",65[LOCKDOWN_HIBERNATION] = "hibernation",66[LOCKDOWN_PCI_ACCESS] = "direct PCI access",67[LOCKDOWN_IOPORT] = "raw io port access",68[LOCKDOWN_MSR] = "raw MSR access",69[LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables",70[LOCKDOWN_DEVICE_TREE] = "modifying device tree contents",71[LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage",72[LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO",73[LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",74[LOCKDOWN_MMIOTRACE] = "unsafe mmio",75[LOCKDOWN_DEBUGFS] = "debugfs access",76[LOCKDOWN_XMON_WR] = "xmon write access",77[LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",78[LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",79[LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",80[LOCKDOWN_INTEGRITY_MAX] = "integrity",81[LOCKDOWN_KCORE] = "/proc/kcore access",82[LOCKDOWN_KPROBES] = "use of kprobes",83[LOCKDOWN_BPF_READ_KERNEL] = "use of bpf to read kernel RAM",84[LOCKDOWN_DBG_READ_KERNEL] = "use of kgdb/kdb to read kernel RAM",85[LOCKDOWN_PERF] = "unsafe use of perf",86[LOCKDOWN_TRACEFS] = "use of tracefs",87[LOCKDOWN_XMON_RW] = "xmon read and write access",88[LOCKDOWN_XFRM_SECRET] = "xfrm SA secret",89[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",90};9192static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);9394static struct kmem_cache *lsm_file_cache;95static struct kmem_cache *lsm_inode_cache;9697char *lsm_names;98static struct lsm_blob_sizes blob_sizes __ro_after_init;99100/* Boot-time LSM user choice */101static __initdata const char *chosen_lsm_order;102static __initdata const char *chosen_major_lsm;103104static __initconst const char *const builtin_lsm_order = CONFIG_LSM;105106/* Ordered list of LSMs to initialize. */107static __initdata struct lsm_info *ordered_lsms[MAX_LSM_COUNT + 1];108static __initdata struct lsm_info *exclusive;109110#ifdef CONFIG_HAVE_STATIC_CALL111#define LSM_HOOK_TRAMP(NAME, NUM) \112&STATIC_CALL_TRAMP(LSM_STATIC_CALL(NAME, NUM))113#else114#define LSM_HOOK_TRAMP(NAME, NUM) NULL115#endif116117/*118* Define static calls and static keys for each LSM hook.119*/120#define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \121DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \122*((RET(*)(__VA_ARGS__))NULL)); \123DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM));124125#define LSM_HOOK(RET, DEFAULT, NAME, ...) \126LSM_DEFINE_UNROLL(DEFINE_LSM_STATIC_CALL, NAME, RET, __VA_ARGS__)127#include <linux/lsm_hook_defs.h>128#undef LSM_HOOK129#undef DEFINE_LSM_STATIC_CALL130131/*132* Initialise a table of static calls for each LSM hook.133* DEFINE_STATIC_CALL_NULL invocation above generates a key (STATIC_CALL_KEY)134* and a trampoline (STATIC_CALL_TRAMP) which are used to call135* __static_call_update when updating the static call.136*137* The static calls table is used by early LSMs, some architectures can fault on138* unaligned accesses and the fault handling code may not be ready by then.139* Thus, the static calls table should be aligned to avoid any unhandled faults140* in early init.141*/142struct lsm_static_calls_table143static_calls_table __ro_after_init __aligned(sizeof(u64)) = {144#define INIT_LSM_STATIC_CALL(NUM, NAME) \145(struct lsm_static_call) { \146.key = &STATIC_CALL_KEY(LSM_STATIC_CALL(NAME, NUM)), \147.trampoline = LSM_HOOK_TRAMP(NAME, NUM), \148.active = &SECURITY_HOOK_ACTIVE_KEY(NAME, NUM), \149},150#define LSM_HOOK(RET, DEFAULT, NAME, ...) \151.NAME = { \152LSM_DEFINE_UNROLL(INIT_LSM_STATIC_CALL, NAME) \153},154#include <linux/lsm_hook_defs.h>155#undef LSM_HOOK156#undef INIT_LSM_STATIC_CALL157};158159static __initdata bool debug;160#define init_debug(...) \161do { \162if (debug) \163pr_info(__VA_ARGS__); \164} while (0)165166static bool __init is_enabled(struct lsm_info *lsm)167{168if (!lsm->enabled)169return false;170171return *lsm->enabled;172}173174/* Mark an LSM's enabled flag. */175static int lsm_enabled_true __initdata = 1;176static int lsm_enabled_false __initdata = 0;177static void __init set_enabled(struct lsm_info *lsm, bool enabled)178{179/*180* When an LSM hasn't configured an enable variable, we can use181* a hard-coded location for storing the default enabled state.182*/183if (!lsm->enabled) {184if (enabled)185lsm->enabled = &lsm_enabled_true;186else187lsm->enabled = &lsm_enabled_false;188} else if (lsm->enabled == &lsm_enabled_true) {189if (!enabled)190lsm->enabled = &lsm_enabled_false;191} else if (lsm->enabled == &lsm_enabled_false) {192if (enabled)193lsm->enabled = &lsm_enabled_true;194} else {195*lsm->enabled = enabled;196}197}198199/* Is an LSM already listed in the ordered LSMs list? */200static bool __init exists_ordered_lsm(struct lsm_info *lsm)201{202struct lsm_info **check;203204for (check = ordered_lsms; *check; check++)205if (*check == lsm)206return true;207208return false;209}210211/* Append an LSM to the list of ordered LSMs to initialize. */212static int last_lsm __initdata;213static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from)214{215/* Ignore duplicate selections. */216if (exists_ordered_lsm(lsm))217return;218219if (WARN(last_lsm == MAX_LSM_COUNT, "%s: out of LSM static calls!?\n", from))220return;221222/* Enable this LSM, if it is not already set. */223if (!lsm->enabled)224lsm->enabled = &lsm_enabled_true;225ordered_lsms[last_lsm++] = lsm;226227init_debug("%s ordered: %s (%s)\n", from, lsm->name,228is_enabled(lsm) ? "enabled" : "disabled");229}230231/* Is an LSM allowed to be initialized? */232static bool __init lsm_allowed(struct lsm_info *lsm)233{234/* Skip if the LSM is disabled. */235if (!is_enabled(lsm))236return false;237238/* Not allowed if another exclusive LSM already initialized. */239if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) {240init_debug("exclusive disabled: %s\n", lsm->name);241return false;242}243244return true;245}246247static void __init lsm_set_blob_size(int *need, int *lbs)248{249int offset;250251if (*need <= 0)252return;253254offset = ALIGN(*lbs, sizeof(void *));255*lbs = offset + *need;256*need = offset;257}258259static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)260{261if (!needed)262return;263264lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred);265lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file);266lsm_set_blob_size(&needed->lbs_ib, &blob_sizes.lbs_ib);267/*268* The inode blob gets an rcu_head in addition to269* what the modules might need.270*/271if (needed->lbs_inode && blob_sizes.lbs_inode == 0)272blob_sizes.lbs_inode = sizeof(struct rcu_head);273lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);274lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);275lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key);276lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);277lsm_set_blob_size(&needed->lbs_perf_event, &blob_sizes.lbs_perf_event);278lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock);279lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);280lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);281lsm_set_blob_size(&needed->lbs_tun_dev, &blob_sizes.lbs_tun_dev);282lsm_set_blob_size(&needed->lbs_xattr_count,283&blob_sizes.lbs_xattr_count);284lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev);285lsm_set_blob_size(&needed->lbs_bpf_map, &blob_sizes.lbs_bpf_map);286lsm_set_blob_size(&needed->lbs_bpf_prog, &blob_sizes.lbs_bpf_prog);287lsm_set_blob_size(&needed->lbs_bpf_token, &blob_sizes.lbs_bpf_token);288}289290/* Prepare LSM for initialization. */291static void __init prepare_lsm(struct lsm_info *lsm)292{293int enabled = lsm_allowed(lsm);294295/* Record enablement (to handle any following exclusive LSMs). */296set_enabled(lsm, enabled);297298/* If enabled, do pre-initialization work. */299if (enabled) {300if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) {301exclusive = lsm;302init_debug("exclusive chosen: %s\n", lsm->name);303}304305lsm_set_blob_sizes(lsm->blobs);306}307}308309/* Initialize a given LSM, if it is enabled. */310static void __init initialize_lsm(struct lsm_info *lsm)311{312if (is_enabled(lsm)) {313int ret;314315init_debug("initializing %s\n", lsm->name);316ret = lsm->init();317WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret);318}319}320321/*322* Current index to use while initializing the lsm id list.323*/324u32 lsm_active_cnt __ro_after_init;325const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];326327/* Populate ordered LSMs list from comma-separated LSM name list. */328static void __init ordered_lsm_parse(const char *order, const char *origin)329{330struct lsm_info *lsm;331char *sep, *name, *next;332333/* LSM_ORDER_FIRST is always first. */334for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {335if (lsm->order == LSM_ORDER_FIRST)336append_ordered_lsm(lsm, " first");337}338339/* Process "security=", if given. */340if (chosen_major_lsm) {341struct lsm_info *major;342343/*344* To match the original "security=" behavior, this345* explicitly does NOT fallback to another Legacy Major346* if the selected one was separately disabled: disable347* all non-matching Legacy Major LSMs.348*/349for (major = __start_lsm_info; major < __end_lsm_info;350major++) {351if ((major->flags & LSM_FLAG_LEGACY_MAJOR) &&352strcmp(major->name, chosen_major_lsm) != 0) {353set_enabled(major, false);354init_debug("security=%s disabled: %s (only one legacy major LSM)\n",355chosen_major_lsm, major->name);356}357}358}359360sep = kstrdup(order, GFP_KERNEL);361next = sep;362/* Walk the list, looking for matching LSMs. */363while ((name = strsep(&next, ",")) != NULL) {364bool found = false;365366for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {367if (strcmp(lsm->name, name) == 0) {368if (lsm->order == LSM_ORDER_MUTABLE)369append_ordered_lsm(lsm, origin);370found = true;371}372}373374if (!found)375init_debug("%s ignored: %s (not built into kernel)\n",376origin, name);377}378379/* Process "security=", if given. */380if (chosen_major_lsm) {381for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {382if (exists_ordered_lsm(lsm))383continue;384if (strcmp(lsm->name, chosen_major_lsm) == 0)385append_ordered_lsm(lsm, "security=");386}387}388389/* LSM_ORDER_LAST is always last. */390for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {391if (lsm->order == LSM_ORDER_LAST)392append_ordered_lsm(lsm, " last");393}394395/* Disable all LSMs not in the ordered list. */396for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {397if (exists_ordered_lsm(lsm))398continue;399set_enabled(lsm, false);400init_debug("%s skipped: %s (not in requested order)\n",401origin, lsm->name);402}403404kfree(sep);405}406407static void __init lsm_static_call_init(struct security_hook_list *hl)408{409struct lsm_static_call *scall = hl->scalls;410int i;411412for (i = 0; i < MAX_LSM_COUNT; i++) {413/* Update the first static call that is not used yet */414if (!scall->hl) {415__static_call_update(scall->key, scall->trampoline,416hl->hook.lsm_func_addr);417scall->hl = hl;418static_branch_enable(scall->active);419return;420}421scall++;422}423panic("%s - Ran out of static slots.\n", __func__);424}425426static void __init lsm_early_cred(struct cred *cred);427static void __init lsm_early_task(struct task_struct *task);428429static int lsm_append(const char *new, char **result);430431static void __init report_lsm_order(void)432{433struct lsm_info **lsm, *early;434int first = 0;435436pr_info("initializing lsm=");437438/* Report each enabled LSM name, comma separated. */439for (early = __start_early_lsm_info;440early < __end_early_lsm_info; early++)441if (is_enabled(early))442pr_cont("%s%s", first++ == 0 ? "" : ",", early->name);443for (lsm = ordered_lsms; *lsm; lsm++)444if (is_enabled(*lsm))445pr_cont("%s%s", first++ == 0 ? "" : ",", (*lsm)->name);446447pr_cont("\n");448}449450static void __init ordered_lsm_init(void)451{452struct lsm_info **lsm;453454if (chosen_lsm_order) {455if (chosen_major_lsm) {456pr_warn("security=%s is ignored because it is superseded by lsm=%s\n",457chosen_major_lsm, chosen_lsm_order);458chosen_major_lsm = NULL;459}460ordered_lsm_parse(chosen_lsm_order, "cmdline");461} else462ordered_lsm_parse(builtin_lsm_order, "builtin");463464for (lsm = ordered_lsms; *lsm; lsm++)465prepare_lsm(*lsm);466467report_lsm_order();468469init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);470init_debug("file blob size = %d\n", blob_sizes.lbs_file);471init_debug("ib blob size = %d\n", blob_sizes.lbs_ib);472init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);473init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc);474#ifdef CONFIG_KEYS475init_debug("key blob size = %d\n", blob_sizes.lbs_key);476#endif /* CONFIG_KEYS */477init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);478init_debug("sock blob size = %d\n", blob_sizes.lbs_sock);479init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock);480init_debug("perf event blob size = %d\n", blob_sizes.lbs_perf_event);481init_debug("task blob size = %d\n", blob_sizes.lbs_task);482init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev);483init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count);484init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev);485init_debug("bpf map blob size = %d\n", blob_sizes.lbs_bpf_map);486init_debug("bpf prog blob size = %d\n", blob_sizes.lbs_bpf_prog);487init_debug("bpf token blob size = %d\n", blob_sizes.lbs_bpf_token);488489/*490* Create any kmem_caches needed for blobs491*/492if (blob_sizes.lbs_file)493lsm_file_cache = kmem_cache_create("lsm_file_cache",494blob_sizes.lbs_file, 0,495SLAB_PANIC, NULL);496if (blob_sizes.lbs_inode)497lsm_inode_cache = kmem_cache_create("lsm_inode_cache",498blob_sizes.lbs_inode, 0,499SLAB_PANIC, NULL);500501lsm_early_cred((struct cred *) current->cred);502lsm_early_task(current);503for (lsm = ordered_lsms; *lsm; lsm++)504initialize_lsm(*lsm);505}506507int __init early_security_init(void)508{509struct lsm_info *lsm;510511for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {512if (!lsm->enabled)513lsm->enabled = &lsm_enabled_true;514prepare_lsm(lsm);515initialize_lsm(lsm);516}517518return 0;519}520521/**522* security_init - initializes the security framework523*524* This should be called early in the kernel initialization sequence.525*/526int __init security_init(void)527{528struct lsm_info *lsm;529530init_debug("legacy security=%s\n", chosen_major_lsm ? : " *unspecified*");531init_debug(" CONFIG_LSM=%s\n", builtin_lsm_order);532init_debug("boot arg lsm=%s\n", chosen_lsm_order ? : " *unspecified*");533534/*535* Append the names of the early LSM modules now that kmalloc() is536* available537*/538for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {539init_debug(" early started: %s (%s)\n", lsm->name,540is_enabled(lsm) ? "enabled" : "disabled");541if (lsm->enabled)542lsm_append(lsm->name, &lsm_names);543}544545/* Load LSMs in specified order. */546ordered_lsm_init();547548return 0;549}550551/* Save user chosen LSM */552static int __init choose_major_lsm(char *str)553{554chosen_major_lsm = str;555return 1;556}557__setup("security=", choose_major_lsm);558559/* Explicitly choose LSM initialization order. */560static int __init choose_lsm_order(char *str)561{562chosen_lsm_order = str;563return 1;564}565__setup("lsm=", choose_lsm_order);566567/* Enable LSM order debugging. */568static int __init enable_debug(char *str)569{570debug = true;571return 1;572}573__setup("lsm.debug", enable_debug);574575static bool match_last_lsm(const char *list, const char *lsm)576{577const char *last;578579if (WARN_ON(!list || !lsm))580return false;581last = strrchr(list, ',');582if (last)583/* Pass the comma, strcmp() will check for '\0' */584last++;585else586last = list;587return !strcmp(last, lsm);588}589590static int lsm_append(const char *new, char **result)591{592char *cp;593594if (*result == NULL) {595*result = kstrdup(new, GFP_KERNEL);596if (*result == NULL)597return -ENOMEM;598} else {599/* Check if it is the last registered name */600if (match_last_lsm(*result, new))601return 0;602cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);603if (cp == NULL)604return -ENOMEM;605kfree(*result);606*result = cp;607}608return 0;609}610611/**612* security_add_hooks - Add a modules hooks to the hook lists.613* @hooks: the hooks to add614* @count: the number of hooks to add615* @lsmid: the identification information for the security module616*617* Each LSM has to register its hooks with the infrastructure.618*/619void __init security_add_hooks(struct security_hook_list *hooks, int count,620const struct lsm_id *lsmid)621{622int i;623624/*625* A security module may call security_add_hooks() more626* than once during initialization, and LSM initialization627* is serialized. Landlock is one such case.628* Look at the previous entry, if there is one, for duplication.629*/630if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] != lsmid) {631if (lsm_active_cnt >= MAX_LSM_COUNT)632panic("%s Too many LSMs registered.\n", __func__);633lsm_idlist[lsm_active_cnt++] = lsmid;634}635636for (i = 0; i < count; i++) {637hooks[i].lsmid = lsmid;638lsm_static_call_init(&hooks[i]);639}640641/*642* Don't try to append during early_security_init(), we'll come back643* and fix this up afterwards.644*/645if (slab_is_available()) {646if (lsm_append(lsmid->name, &lsm_names) < 0)647panic("%s - Cannot get early memory.\n", __func__);648}649}650651int call_blocking_lsm_notifier(enum lsm_event event, void *data)652{653return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,654event, data);655}656EXPORT_SYMBOL(call_blocking_lsm_notifier);657658int register_blocking_lsm_notifier(struct notifier_block *nb)659{660return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,661nb);662}663EXPORT_SYMBOL(register_blocking_lsm_notifier);664665int unregister_blocking_lsm_notifier(struct notifier_block *nb)666{667return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,668nb);669}670EXPORT_SYMBOL(unregister_blocking_lsm_notifier);671672/**673* lsm_blob_alloc - allocate a composite blob674* @dest: the destination for the blob675* @size: the size of the blob676* @gfp: allocation type677*678* Allocate a blob for all the modules679*680* Returns 0, or -ENOMEM if memory can't be allocated.681*/682static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp)683{684if (size == 0) {685*dest = NULL;686return 0;687}688689*dest = kzalloc(size, gfp);690if (*dest == NULL)691return -ENOMEM;692return 0;693}694695/**696* lsm_cred_alloc - allocate a composite cred blob697* @cred: the cred that needs a blob698* @gfp: allocation type699*700* Allocate the cred blob for all the modules701*702* Returns 0, or -ENOMEM if memory can't be allocated.703*/704static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)705{706return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp);707}708709/**710* lsm_early_cred - during initialization allocate a composite cred blob711* @cred: the cred that needs a blob712*713* Allocate the cred blob for all the modules714*/715static void __init lsm_early_cred(struct cred *cred)716{717int rc = lsm_cred_alloc(cred, GFP_KERNEL);718719if (rc)720panic("%s: Early cred alloc failed.\n", __func__);721}722723/**724* lsm_file_alloc - allocate a composite file blob725* @file: the file that needs a blob726*727* Allocate the file blob for all the modules728*729* Returns 0, or -ENOMEM if memory can't be allocated.730*/731static int lsm_file_alloc(struct file *file)732{733if (!lsm_file_cache) {734file->f_security = NULL;735return 0;736}737738file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL);739if (file->f_security == NULL)740return -ENOMEM;741return 0;742}743744/**745* lsm_inode_alloc - allocate a composite inode blob746* @inode: the inode that needs a blob747* @gfp: allocation flags748*749* Allocate the inode blob for all the modules750*751* Returns 0, or -ENOMEM if memory can't be allocated.752*/753static int lsm_inode_alloc(struct inode *inode, gfp_t gfp)754{755if (!lsm_inode_cache) {756inode->i_security = NULL;757return 0;758}759760inode->i_security = kmem_cache_zalloc(lsm_inode_cache, gfp);761if (inode->i_security == NULL)762return -ENOMEM;763return 0;764}765766/**767* lsm_task_alloc - allocate a composite task blob768* @task: the task that needs a blob769*770* Allocate the task blob for all the modules771*772* Returns 0, or -ENOMEM if memory can't be allocated.773*/774static int lsm_task_alloc(struct task_struct *task)775{776return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL);777}778779/**780* lsm_ipc_alloc - allocate a composite ipc blob781* @kip: the ipc that needs a blob782*783* Allocate the ipc blob for all the modules784*785* Returns 0, or -ENOMEM if memory can't be allocated.786*/787static int lsm_ipc_alloc(struct kern_ipc_perm *kip)788{789return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL);790}791792#ifdef CONFIG_KEYS793/**794* lsm_key_alloc - allocate a composite key blob795* @key: the key that needs a blob796*797* Allocate the key blob for all the modules798*799* Returns 0, or -ENOMEM if memory can't be allocated.800*/801static int lsm_key_alloc(struct key *key)802{803return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL);804}805#endif /* CONFIG_KEYS */806807/**808* lsm_msg_msg_alloc - allocate a composite msg_msg blob809* @mp: the msg_msg that needs a blob810*811* Allocate the ipc blob for all the modules812*813* Returns 0, or -ENOMEM if memory can't be allocated.814*/815static int lsm_msg_msg_alloc(struct msg_msg *mp)816{817return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg,818GFP_KERNEL);819}820821/**822* lsm_bdev_alloc - allocate a composite block_device blob823* @bdev: the block_device that needs a blob824*825* Allocate the block_device blob for all the modules826*827* Returns 0, or -ENOMEM if memory can't be allocated.828*/829static int lsm_bdev_alloc(struct block_device *bdev)830{831return lsm_blob_alloc(&bdev->bd_security, blob_sizes.lbs_bdev,832GFP_KERNEL);833}834835#ifdef CONFIG_BPF_SYSCALL836/**837* lsm_bpf_map_alloc - allocate a composite bpf_map blob838* @map: the bpf_map that needs a blob839*840* Allocate the bpf_map blob for all the modules841*842* Returns 0, or -ENOMEM if memory can't be allocated.843*/844static int lsm_bpf_map_alloc(struct bpf_map *map)845{846return lsm_blob_alloc(&map->security, blob_sizes.lbs_bpf_map, GFP_KERNEL);847}848849/**850* lsm_bpf_prog_alloc - allocate a composite bpf_prog blob851* @prog: the bpf_prog that needs a blob852*853* Allocate the bpf_prog blob for all the modules854*855* Returns 0, or -ENOMEM if memory can't be allocated.856*/857static int lsm_bpf_prog_alloc(struct bpf_prog *prog)858{859return lsm_blob_alloc(&prog->aux->security, blob_sizes.lbs_bpf_prog, GFP_KERNEL);860}861862/**863* lsm_bpf_token_alloc - allocate a composite bpf_token blob864* @token: the bpf_token that needs a blob865*866* Allocate the bpf_token blob for all the modules867*868* Returns 0, or -ENOMEM if memory can't be allocated.869*/870static int lsm_bpf_token_alloc(struct bpf_token *token)871{872return lsm_blob_alloc(&token->security, blob_sizes.lbs_bpf_token, GFP_KERNEL);873}874#endif /* CONFIG_BPF_SYSCALL */875876/**877* lsm_early_task - during initialization allocate a composite task blob878* @task: the task that needs a blob879*880* Allocate the task blob for all the modules881*/882static void __init lsm_early_task(struct task_struct *task)883{884int rc = lsm_task_alloc(task);885886if (rc)887panic("%s: Early task alloc failed.\n", __func__);888}889890/**891* lsm_superblock_alloc - allocate a composite superblock blob892* @sb: the superblock that needs a blob893*894* Allocate the superblock blob for all the modules895*896* Returns 0, or -ENOMEM if memory can't be allocated.897*/898static int lsm_superblock_alloc(struct super_block *sb)899{900return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock,901GFP_KERNEL);902}903904/**905* lsm_fill_user_ctx - Fill a user space lsm_ctx structure906* @uctx: a userspace LSM context to be filled907* @uctx_len: available uctx size (input), used uctx size (output)908* @val: the new LSM context value909* @val_len: the size of the new LSM context value910* @id: LSM id911* @flags: LSM defined flags912*913* Fill all of the fields in a userspace lsm_ctx structure. If @uctx is NULL914* simply calculate the required size to output via @utc_len and return915* success.916*917* Returns 0 on success, -E2BIG if userspace buffer is not large enough,918* -EFAULT on a copyout error, -ENOMEM if memory can't be allocated.919*/920int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,921void *val, size_t val_len,922u64 id, u64 flags)923{924struct lsm_ctx *nctx = NULL;925size_t nctx_len;926int rc = 0;927928nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *));929if (nctx_len > *uctx_len) {930rc = -E2BIG;931goto out;932}933934/* no buffer - return success/0 and set @uctx_len to the req size */935if (!uctx)936goto out;937938nctx = kzalloc(nctx_len, GFP_KERNEL);939if (nctx == NULL) {940rc = -ENOMEM;941goto out;942}943nctx->id = id;944nctx->flags = flags;945nctx->len = nctx_len;946nctx->ctx_len = val_len;947memcpy(nctx->ctx, val, val_len);948949if (copy_to_user(uctx, nctx, nctx_len))950rc = -EFAULT;951952out:953kfree(nctx);954*uctx_len = nctx_len;955return rc;956}957958/*959* The default value of the LSM hook is defined in linux/lsm_hook_defs.h and960* can be accessed with:961*962* LSM_RET_DEFAULT(<hook_name>)963*964* The macros below define static constants for the default value of each965* LSM hook.966*/967#define LSM_RET_DEFAULT(NAME) (NAME##_default)968#define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)969#define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \970static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT);971#define LSM_HOOK(RET, DEFAULT, NAME, ...) \972DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)973974#include <linux/lsm_hook_defs.h>975#undef LSM_HOOK976977/*978* Hook list operation macros.979*980* call_void_hook:981* This is a hook that does not return a value.982*983* call_int_hook:984* This is a hook that returns a value.985*/986#define __CALL_STATIC_VOID(NUM, HOOK, ...) \987do { \988if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \989static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \990} \991} while (0);992993#define call_void_hook(HOOK, ...) \994do { \995LSM_LOOP_UNROLL(__CALL_STATIC_VOID, HOOK, __VA_ARGS__); \996} while (0)997998999#define __CALL_STATIC_INT(NUM, R, HOOK, LABEL, ...) \1000do { \1001if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \1002R = static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \1003if (R != LSM_RET_DEFAULT(HOOK)) \1004goto LABEL; \1005} \1006} while (0);10071008#define call_int_hook(HOOK, ...) \1009({ \1010__label__ OUT; \1011int RC = LSM_RET_DEFAULT(HOOK); \1012\1013LSM_LOOP_UNROLL(__CALL_STATIC_INT, RC, HOOK, OUT, __VA_ARGS__); \1014OUT: \1015RC; \1016})10171018#define lsm_for_each_hook(scall, NAME) \1019for (scall = static_calls_table.NAME; \1020scall - static_calls_table.NAME < MAX_LSM_COUNT; scall++) \1021if (static_key_enabled(&scall->active->key))10221023/* Security operations */10241025/**1026* security_binder_set_context_mgr() - Check if becoming binder ctx mgr is ok1027* @mgr: task credentials of current binder process1028*1029* Check whether @mgr is allowed to be the binder context manager.1030*1031* Return: Return 0 if permission is granted.1032*/1033int security_binder_set_context_mgr(const struct cred *mgr)1034{1035return call_int_hook(binder_set_context_mgr, mgr);1036}10371038/**1039* security_binder_transaction() - Check if a binder transaction is allowed1040* @from: sending process1041* @to: receiving process1042*1043* Check whether @from is allowed to invoke a binder transaction call to @to.1044*1045* Return: Returns 0 if permission is granted.1046*/1047int security_binder_transaction(const struct cred *from,1048const struct cred *to)1049{1050return call_int_hook(binder_transaction, from, to);1051}10521053/**1054* security_binder_transfer_binder() - Check if a binder transfer is allowed1055* @from: sending process1056* @to: receiving process1057*1058* Check whether @from is allowed to transfer a binder reference to @to.1059*1060* Return: Returns 0 if permission is granted.1061*/1062int security_binder_transfer_binder(const struct cred *from,1063const struct cred *to)1064{1065return call_int_hook(binder_transfer_binder, from, to);1066}10671068/**1069* security_binder_transfer_file() - Check if a binder file xfer is allowed1070* @from: sending process1071* @to: receiving process1072* @file: file being transferred1073*1074* Check whether @from is allowed to transfer @file to @to.1075*1076* Return: Returns 0 if permission is granted.1077*/1078int security_binder_transfer_file(const struct cred *from,1079const struct cred *to, const struct file *file)1080{1081return call_int_hook(binder_transfer_file, from, to, file);1082}10831084/**1085* security_ptrace_access_check() - Check if tracing is allowed1086* @child: target process1087* @mode: PTRACE_MODE flags1088*1089* Check permission before allowing the current process to trace the @child1090* process. Security modules may also want to perform a process tracing check1091* during an execve in the set_security or apply_creds hooks of tracing check1092* during an execve in the bprm_set_creds hook of binprm_security_ops if the1093* process is being traced and its security attributes would be changed by the1094* execve.1095*1096* Return: Returns 0 if permission is granted.1097*/1098int security_ptrace_access_check(struct task_struct *child, unsigned int mode)1099{1100return call_int_hook(ptrace_access_check, child, mode);1101}11021103/**1104* security_ptrace_traceme() - Check if tracing is allowed1105* @parent: tracing process1106*1107* Check that the @parent process has sufficient permission to trace the1108* current process before allowing the current process to present itself to the1109* @parent process for tracing.1110*1111* Return: Returns 0 if permission is granted.1112*/1113int security_ptrace_traceme(struct task_struct *parent)1114{1115return call_int_hook(ptrace_traceme, parent);1116}11171118/**1119* security_capget() - Get the capability sets for a process1120* @target: target process1121* @effective: effective capability set1122* @inheritable: inheritable capability set1123* @permitted: permitted capability set1124*1125* Get the @effective, @inheritable, and @permitted capability sets for the1126* @target process. The hook may also perform permission checking to determine1127* if the current process is allowed to see the capability sets of the @target1128* process.1129*1130* Return: Returns 0 if the capability sets were successfully obtained.1131*/1132int security_capget(const struct task_struct *target,1133kernel_cap_t *effective,1134kernel_cap_t *inheritable,1135kernel_cap_t *permitted)1136{1137return call_int_hook(capget, target, effective, inheritable, permitted);1138}11391140/**1141* security_capset() - Set the capability sets for a process1142* @new: new credentials for the target process1143* @old: current credentials of the target process1144* @effective: effective capability set1145* @inheritable: inheritable capability set1146* @permitted: permitted capability set1147*1148* Set the @effective, @inheritable, and @permitted capability sets for the1149* current process.1150*1151* Return: Returns 0 and update @new if permission is granted.1152*/1153int security_capset(struct cred *new, const struct cred *old,1154const kernel_cap_t *effective,1155const kernel_cap_t *inheritable,1156const kernel_cap_t *permitted)1157{1158return call_int_hook(capset, new, old, effective, inheritable,1159permitted);1160}11611162/**1163* security_capable() - Check if a process has the necessary capability1164* @cred: credentials to examine1165* @ns: user namespace1166* @cap: capability requested1167* @opts: capability check options1168*1169* Check whether the @tsk process has the @cap capability in the indicated1170* credentials. @cap contains the capability <include/linux/capability.h>.1171* @opts contains options for the capable check <include/linux/security.h>.1172*1173* Return: Returns 0 if the capability is granted.1174*/1175int security_capable(const struct cred *cred,1176struct user_namespace *ns,1177int cap,1178unsigned int opts)1179{1180return call_int_hook(capable, cred, ns, cap, opts);1181}11821183/**1184* security_quotactl() - Check if a quotactl() syscall is allowed for this fs1185* @cmds: commands1186* @type: type1187* @id: id1188* @sb: filesystem1189*1190* Check whether the quotactl syscall is allowed for this @sb.1191*1192* Return: Returns 0 if permission is granted.1193*/1194int security_quotactl(int cmds, int type, int id, const struct super_block *sb)1195{1196return call_int_hook(quotactl, cmds, type, id, sb);1197}11981199/**1200* security_quota_on() - Check if QUOTAON is allowed for a dentry1201* @dentry: dentry1202*1203* Check whether QUOTAON is allowed for @dentry.1204*1205* Return: Returns 0 if permission is granted.1206*/1207int security_quota_on(struct dentry *dentry)1208{1209return call_int_hook(quota_on, dentry);1210}12111212/**1213* security_syslog() - Check if accessing the kernel message ring is allowed1214* @type: SYSLOG_ACTION_* type1215*1216* Check permission before accessing the kernel message ring or changing1217* logging to the console. See the syslog(2) manual page for an explanation of1218* the @type values.1219*1220* Return: Return 0 if permission is granted.1221*/1222int security_syslog(int type)1223{1224return call_int_hook(syslog, type);1225}12261227/**1228* security_settime64() - Check if changing the system time is allowed1229* @ts: new time1230* @tz: timezone1231*1232* Check permission to change the system time, struct timespec64 is defined in1233* <include/linux/time64.h> and timezone is defined in <include/linux/time.h>.1234*1235* Return: Returns 0 if permission is granted.1236*/1237int security_settime64(const struct timespec64 *ts, const struct timezone *tz)1238{1239return call_int_hook(settime, ts, tz);1240}12411242/**1243* security_vm_enough_memory_mm() - Check if allocating a new mem map is allowed1244* @mm: mm struct1245* @pages: number of pages1246*1247* Check permissions for allocating a new virtual mapping. If all LSMs return1248* a positive value, __vm_enough_memory() will be called with cap_sys_admin1249* set. If at least one LSM returns 0 or negative, __vm_enough_memory() will be1250* called with cap_sys_admin cleared.1251*1252* Return: Returns 0 if permission is granted by the LSM infrastructure to the1253* caller.1254*/1255int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)1256{1257struct lsm_static_call *scall;1258int cap_sys_admin = 1;1259int rc;12601261/*1262* The module will respond with 0 if it thinks the __vm_enough_memory()1263* call should be made with the cap_sys_admin set. If all of the modules1264* agree that it should be set it will. If any module thinks it should1265* not be set it won't.1266*/1267lsm_for_each_hook(scall, vm_enough_memory) {1268rc = scall->hl->hook.vm_enough_memory(mm, pages);1269if (rc < 0) {1270cap_sys_admin = 0;1271break;1272}1273}1274return __vm_enough_memory(mm, pages, cap_sys_admin);1275}12761277/**1278* security_bprm_creds_for_exec() - Prepare the credentials for exec()1279* @bprm: binary program information1280*1281* If the setup in prepare_exec_creds did not setup @bprm->cred->security1282* properly for executing @bprm->file, update the LSM's portion of1283* @bprm->cred->security to be what commit_creds needs to install for the new1284* program. This hook may also optionally check permissions (e.g. for1285* transitions between security domains). The hook must set @bprm->secureexec1286* to 1 if AT_SECURE should be set to request libc enable secure mode. @bprm1287* contains the linux_binprm structure.1288*1289* If execveat(2) is called with the AT_EXECVE_CHECK flag, bprm->is_check is1290* set. The result must be the same as without this flag even if the execution1291* will never really happen and @bprm will always be dropped.1292*1293* This hook must not change current->cred, only @bprm->cred.1294*1295* Return: Returns 0 if the hook is successful and permission is granted.1296*/1297int security_bprm_creds_for_exec(struct linux_binprm *bprm)1298{1299return call_int_hook(bprm_creds_for_exec, bprm);1300}13011302/**1303* security_bprm_creds_from_file() - Update linux_binprm creds based on file1304* @bprm: binary program information1305* @file: associated file1306*1307* If @file is setpcap, suid, sgid or otherwise marked to change privilege upon1308* exec, update @bprm->cred to reflect that change. This is called after1309* finding the binary that will be executed without an interpreter. This1310* ensures that the credentials will not be derived from a script that the1311* binary will need to reopen, which when reopend may end up being a completely1312* different file. This hook may also optionally check permissions (e.g. for1313* transitions between security domains). The hook must set @bprm->secureexec1314* to 1 if AT_SECURE should be set to request libc enable secure mode. The1315* hook must add to @bprm->per_clear any personality flags that should be1316* cleared from current->personality. @bprm contains the linux_binprm1317* structure.1318*1319* Return: Returns 0 if the hook is successful and permission is granted.1320*/1321int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)1322{1323return call_int_hook(bprm_creds_from_file, bprm, file);1324}13251326/**1327* security_bprm_check() - Mediate binary handler search1328* @bprm: binary program information1329*1330* This hook mediates the point when a search for a binary handler will begin.1331* It allows a check against the @bprm->cred->security value which was set in1332* the preceding creds_for_exec call. The argv list and envp list are reliably1333* available in @bprm. This hook may be called multiple times during a single1334* execve. @bprm contains the linux_binprm structure.1335*1336* Return: Returns 0 if the hook is successful and permission is granted.1337*/1338int security_bprm_check(struct linux_binprm *bprm)1339{1340return call_int_hook(bprm_check_security, bprm);1341}13421343/**1344* security_bprm_committing_creds() - Install creds for a process during exec()1345* @bprm: binary program information1346*1347* Prepare to install the new security attributes of a process being1348* transformed by an execve operation, based on the old credentials pointed to1349* by @current->cred and the information set in @bprm->cred by the1350* bprm_creds_for_exec hook. @bprm points to the linux_binprm structure. This1351* hook is a good place to perform state changes on the process such as closing1352* open file descriptors to which access will no longer be granted when the1353* attributes are changed. This is called immediately before commit_creds().1354*/1355void security_bprm_committing_creds(const struct linux_binprm *bprm)1356{1357call_void_hook(bprm_committing_creds, bprm);1358}13591360/**1361* security_bprm_committed_creds() - Tidy up after cred install during exec()1362* @bprm: binary program information1363*1364* Tidy up after the installation of the new security attributes of a process1365* being transformed by an execve operation. The new credentials have, by this1366* point, been set to @current->cred. @bprm points to the linux_binprm1367* structure. This hook is a good place to perform state changes on the1368* process such as clearing out non-inheritable signal state. This is called1369* immediately after commit_creds().1370*/1371void security_bprm_committed_creds(const struct linux_binprm *bprm)1372{1373call_void_hook(bprm_committed_creds, bprm);1374}13751376/**1377* security_fs_context_submount() - Initialise fc->security1378* @fc: new filesystem context1379* @reference: dentry reference for submount/remount1380*1381* Fill out the ->security field for a new fs_context.1382*1383* Return: Returns 0 on success or negative error code on failure.1384*/1385int security_fs_context_submount(struct fs_context *fc, struct super_block *reference)1386{1387return call_int_hook(fs_context_submount, fc, reference);1388}13891390/**1391* security_fs_context_dup() - Duplicate a fs_context LSM blob1392* @fc: destination filesystem context1393* @src_fc: source filesystem context1394*1395* Allocate and attach a security structure to sc->security. This pointer is1396* initialised to NULL by the caller. @fc indicates the new filesystem context.1397* @src_fc indicates the original filesystem context.1398*1399* Return: Returns 0 on success or a negative error code on failure.1400*/1401int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc)1402{1403return call_int_hook(fs_context_dup, fc, src_fc);1404}14051406/**1407* security_fs_context_parse_param() - Configure a filesystem context1408* @fc: filesystem context1409* @param: filesystem parameter1410*1411* Userspace provided a parameter to configure a superblock. The LSM can1412* consume the parameter or return it to the caller for use elsewhere.1413*1414* Return: If the parameter is used by the LSM it should return 0, if it is1415* returned to the caller -ENOPARAM is returned, otherwise a negative1416* error code is returned.1417*/1418int security_fs_context_parse_param(struct fs_context *fc,1419struct fs_parameter *param)1420{1421struct lsm_static_call *scall;1422int trc;1423int rc = -ENOPARAM;14241425lsm_for_each_hook(scall, fs_context_parse_param) {1426trc = scall->hl->hook.fs_context_parse_param(fc, param);1427if (trc == 0)1428rc = 0;1429else if (trc != -ENOPARAM)1430return trc;1431}1432return rc;1433}14341435/**1436* security_sb_alloc() - Allocate a super_block LSM blob1437* @sb: filesystem superblock1438*1439* Allocate and attach a security structure to the sb->s_security field. The1440* s_security field is initialized to NULL when the structure is allocated.1441* @sb contains the super_block structure to be modified.1442*1443* Return: Returns 0 if operation was successful.1444*/1445int security_sb_alloc(struct super_block *sb)1446{1447int rc = lsm_superblock_alloc(sb);14481449if (unlikely(rc))1450return rc;1451rc = call_int_hook(sb_alloc_security, sb);1452if (unlikely(rc))1453security_sb_free(sb);1454return rc;1455}14561457/**1458* security_sb_delete() - Release super_block LSM associated objects1459* @sb: filesystem superblock1460*1461* Release objects tied to a superblock (e.g. inodes). @sb contains the1462* super_block structure being released.1463*/1464void security_sb_delete(struct super_block *sb)1465{1466call_void_hook(sb_delete, sb);1467}14681469/**1470* security_sb_free() - Free a super_block LSM blob1471* @sb: filesystem superblock1472*1473* Deallocate and clear the sb->s_security field. @sb contains the super_block1474* structure to be modified.1475*/1476void security_sb_free(struct super_block *sb)1477{1478call_void_hook(sb_free_security, sb);1479kfree(sb->s_security);1480sb->s_security = NULL;1481}14821483/**1484* security_free_mnt_opts() - Free memory associated with mount options1485* @mnt_opts: LSM processed mount options1486*1487* Free memory associated with @mnt_ops.1488*/1489void security_free_mnt_opts(void **mnt_opts)1490{1491if (!*mnt_opts)1492return;1493call_void_hook(sb_free_mnt_opts, *mnt_opts);1494*mnt_opts = NULL;1495}1496EXPORT_SYMBOL(security_free_mnt_opts);14971498/**1499* security_sb_eat_lsm_opts() - Consume LSM mount options1500* @options: mount options1501* @mnt_opts: LSM processed mount options1502*1503* Eat (scan @options) and save them in @mnt_opts.1504*1505* Return: Returns 0 on success, negative values on failure.1506*/1507int security_sb_eat_lsm_opts(char *options, void **mnt_opts)1508{1509return call_int_hook(sb_eat_lsm_opts, options, mnt_opts);1510}1511EXPORT_SYMBOL(security_sb_eat_lsm_opts);15121513/**1514* security_sb_mnt_opts_compat() - Check if new mount options are allowed1515* @sb: filesystem superblock1516* @mnt_opts: new mount options1517*1518* Determine if the new mount options in @mnt_opts are allowed given the1519* existing mounted filesystem at @sb. @sb superblock being compared.1520*1521* Return: Returns 0 if options are compatible.1522*/1523int security_sb_mnt_opts_compat(struct super_block *sb,1524void *mnt_opts)1525{1526return call_int_hook(sb_mnt_opts_compat, sb, mnt_opts);1527}1528EXPORT_SYMBOL(security_sb_mnt_opts_compat);15291530/**1531* security_sb_remount() - Verify no incompatible mount changes during remount1532* @sb: filesystem superblock1533* @mnt_opts: (re)mount options1534*1535* Extracts security system specific mount options and verifies no changes are1536* being made to those options.1537*1538* Return: Returns 0 if permission is granted.1539*/1540int security_sb_remount(struct super_block *sb,1541void *mnt_opts)1542{1543return call_int_hook(sb_remount, sb, mnt_opts);1544}1545EXPORT_SYMBOL(security_sb_remount);15461547/**1548* security_sb_kern_mount() - Check if a kernel mount is allowed1549* @sb: filesystem superblock1550*1551* Mount this @sb if allowed by permissions.1552*1553* Return: Returns 0 if permission is granted.1554*/1555int security_sb_kern_mount(const struct super_block *sb)1556{1557return call_int_hook(sb_kern_mount, sb);1558}15591560/**1561* security_sb_show_options() - Output the mount options for a superblock1562* @m: output file1563* @sb: filesystem superblock1564*1565* Show (print on @m) mount options for this @sb.1566*1567* Return: Returns 0 on success, negative values on failure.1568*/1569int security_sb_show_options(struct seq_file *m, struct super_block *sb)1570{1571return call_int_hook(sb_show_options, m, sb);1572}15731574/**1575* security_sb_statfs() - Check if accessing fs stats is allowed1576* @dentry: superblock handle1577*1578* Check permission before obtaining filesystem statistics for the @mnt1579* mountpoint. @dentry is a handle on the superblock for the filesystem.1580*1581* Return: Returns 0 if permission is granted.1582*/1583int security_sb_statfs(struct dentry *dentry)1584{1585return call_int_hook(sb_statfs, dentry);1586}15871588/**1589* security_sb_mount() - Check permission for mounting a filesystem1590* @dev_name: filesystem backing device1591* @path: mount point1592* @type: filesystem type1593* @flags: mount flags1594* @data: filesystem specific data1595*1596* Check permission before an object specified by @dev_name is mounted on the1597* mount point named by @nd. For an ordinary mount, @dev_name identifies a1598* device if the file system type requires a device. For a remount1599* (@flags & MS_REMOUNT), @dev_name is irrelevant. For a loopback/bind mount1600* (@flags & MS_BIND), @dev_name identifies the pathname of the object being1601* mounted.1602*1603* Return: Returns 0 if permission is granted.1604*/1605int security_sb_mount(const char *dev_name, const struct path *path,1606const char *type, unsigned long flags, void *data)1607{1608return call_int_hook(sb_mount, dev_name, path, type, flags, data);1609}16101611/**1612* security_sb_umount() - Check permission for unmounting a filesystem1613* @mnt: mounted filesystem1614* @flags: unmount flags1615*1616* Check permission before the @mnt file system is unmounted.1617*1618* Return: Returns 0 if permission is granted.1619*/1620int security_sb_umount(struct vfsmount *mnt, int flags)1621{1622return call_int_hook(sb_umount, mnt, flags);1623}16241625/**1626* security_sb_pivotroot() - Check permissions for pivoting the rootfs1627* @old_path: new location for current rootfs1628* @new_path: location of the new rootfs1629*1630* Check permission before pivoting the root filesystem.1631*1632* Return: Returns 0 if permission is granted.1633*/1634int security_sb_pivotroot(const struct path *old_path,1635const struct path *new_path)1636{1637return call_int_hook(sb_pivotroot, old_path, new_path);1638}16391640/**1641* security_sb_set_mnt_opts() - Set the mount options for a filesystem1642* @sb: filesystem superblock1643* @mnt_opts: binary mount options1644* @kern_flags: kernel flags (in)1645* @set_kern_flags: kernel flags (out)1646*1647* Set the security relevant mount options used for a superblock.1648*1649* Return: Returns 0 on success, error on failure.1650*/1651int security_sb_set_mnt_opts(struct super_block *sb,1652void *mnt_opts,1653unsigned long kern_flags,1654unsigned long *set_kern_flags)1655{1656struct lsm_static_call *scall;1657int rc = mnt_opts ? -EOPNOTSUPP : LSM_RET_DEFAULT(sb_set_mnt_opts);16581659lsm_for_each_hook(scall, sb_set_mnt_opts) {1660rc = scall->hl->hook.sb_set_mnt_opts(sb, mnt_opts, kern_flags,1661set_kern_flags);1662if (rc != LSM_RET_DEFAULT(sb_set_mnt_opts))1663break;1664}1665return rc;1666}1667EXPORT_SYMBOL(security_sb_set_mnt_opts);16681669/**1670* security_sb_clone_mnt_opts() - Duplicate superblock mount options1671* @oldsb: source superblock1672* @newsb: destination superblock1673* @kern_flags: kernel flags (in)1674* @set_kern_flags: kernel flags (out)1675*1676* Copy all security options from a given superblock to another.1677*1678* Return: Returns 0 on success, error on failure.1679*/1680int security_sb_clone_mnt_opts(const struct super_block *oldsb,1681struct super_block *newsb,1682unsigned long kern_flags,1683unsigned long *set_kern_flags)1684{1685return call_int_hook(sb_clone_mnt_opts, oldsb, newsb,1686kern_flags, set_kern_flags);1687}1688EXPORT_SYMBOL(security_sb_clone_mnt_opts);16891690/**1691* security_move_mount() - Check permissions for moving a mount1692* @from_path: source mount point1693* @to_path: destination mount point1694*1695* Check permission before a mount is moved.1696*1697* Return: Returns 0 if permission is granted.1698*/1699int security_move_mount(const struct path *from_path,1700const struct path *to_path)1701{1702return call_int_hook(move_mount, from_path, to_path);1703}17041705/**1706* security_path_notify() - Check if setting a watch is allowed1707* @path: file path1708* @mask: event mask1709* @obj_type: file path type1710*1711* Check permissions before setting a watch on events as defined by @mask, on1712* an object at @path, whose type is defined by @obj_type.1713*1714* Return: Returns 0 if permission is granted.1715*/1716int security_path_notify(const struct path *path, u64 mask,1717unsigned int obj_type)1718{1719return call_int_hook(path_notify, path, mask, obj_type);1720}17211722/**1723* security_inode_alloc() - Allocate an inode LSM blob1724* @inode: the inode1725* @gfp: allocation flags1726*1727* Allocate and attach a security structure to @inode->i_security. The1728* i_security field is initialized to NULL when the inode structure is1729* allocated.1730*1731* Return: Return 0 if operation was successful.1732*/1733int security_inode_alloc(struct inode *inode, gfp_t gfp)1734{1735int rc = lsm_inode_alloc(inode, gfp);17361737if (unlikely(rc))1738return rc;1739rc = call_int_hook(inode_alloc_security, inode);1740if (unlikely(rc))1741security_inode_free(inode);1742return rc;1743}17441745static void inode_free_by_rcu(struct rcu_head *head)1746{1747/* The rcu head is at the start of the inode blob */1748call_void_hook(inode_free_security_rcu, head);1749kmem_cache_free(lsm_inode_cache, head);1750}17511752/**1753* security_inode_free() - Free an inode's LSM blob1754* @inode: the inode1755*1756* Release any LSM resources associated with @inode, although due to the1757* inode's RCU protections it is possible that the resources will not be1758* fully released until after the current RCU grace period has elapsed.1759*1760* It is important for LSMs to note that despite being present in a call to1761* security_inode_free(), @inode may still be referenced in a VFS path walk1762* and calls to security_inode_permission() may be made during, or after,1763* a call to security_inode_free(). For this reason the inode->i_security1764* field is released via a call_rcu() callback and any LSMs which need to1765* retain inode state for use in security_inode_permission() should only1766* release that state in the inode_free_security_rcu() LSM hook callback.1767*/1768void security_inode_free(struct inode *inode)1769{1770call_void_hook(inode_free_security, inode);1771if (!inode->i_security)1772return;1773call_rcu((struct rcu_head *)inode->i_security, inode_free_by_rcu);1774}17751776/**1777* security_dentry_init_security() - Perform dentry initialization1778* @dentry: the dentry to initialize1779* @mode: mode used to determine resource type1780* @name: name of the last path component1781* @xattr_name: name of the security/LSM xattr1782* @lsmctx: pointer to the resulting LSM context1783*1784* Compute a context for a dentry as the inode is not yet available since NFSv41785* has no label backed by an EA anyway. It is important to note that1786* @xattr_name does not need to be free'd by the caller, it is a static string.1787*1788* Return: Returns 0 on success, negative values on failure.1789*/1790int security_dentry_init_security(struct dentry *dentry, int mode,1791const struct qstr *name,1792const char **xattr_name,1793struct lsm_context *lsmctx)1794{1795return call_int_hook(dentry_init_security, dentry, mode, name,1796xattr_name, lsmctx);1797}1798EXPORT_SYMBOL(security_dentry_init_security);17991800/**1801* security_dentry_create_files_as() - Perform dentry initialization1802* @dentry: the dentry to initialize1803* @mode: mode used to determine resource type1804* @name: name of the last path component1805* @old: creds to use for LSM context calculations1806* @new: creds to modify1807*1808* Compute a context for a dentry as the inode is not yet available and set1809* that context in passed in creds so that new files are created using that1810* context. Context is calculated using the passed in creds and not the creds1811* of the caller.1812*1813* Return: Returns 0 on success, error on failure.1814*/1815int security_dentry_create_files_as(struct dentry *dentry, int mode,1816const struct qstr *name,1817const struct cred *old, struct cred *new)1818{1819return call_int_hook(dentry_create_files_as, dentry, mode,1820name, old, new);1821}1822EXPORT_SYMBOL(security_dentry_create_files_as);18231824/**1825* security_inode_init_security() - Initialize an inode's LSM context1826* @inode: the inode1827* @dir: parent directory1828* @qstr: last component of the pathname1829* @initxattrs: callback function to write xattrs1830* @fs_data: filesystem specific data1831*1832* Obtain the security attribute name suffix and value to set on a newly1833* created inode and set up the incore security field for the new inode. This1834* hook is called by the fs code as part of the inode creation transaction and1835* provides for atomic labeling of the inode, unlike the post_create/mkdir/...1836* hooks called by the VFS.1837*1838* The hook function is expected to populate the xattrs array, by calling1839* lsm_get_xattr_slot() to retrieve the slots reserved by the security module1840* with the lbs_xattr_count field of the lsm_blob_sizes structure. For each1841* slot, the hook function should set ->name to the attribute name suffix1842* (e.g. selinux), to allocate ->value (will be freed by the caller) and set it1843* to the attribute value, to set ->value_len to the length of the value. If1844* the security module does not use security attributes or does not wish to put1845* a security attribute on this particular inode, then it should return1846* -EOPNOTSUPP to skip this processing.1847*1848* Return: Returns 0 if the LSM successfully initialized all of the inode1849* security attributes that are required, negative values otherwise.1850*/1851int security_inode_init_security(struct inode *inode, struct inode *dir,1852const struct qstr *qstr,1853const initxattrs initxattrs, void *fs_data)1854{1855struct lsm_static_call *scall;1856struct xattr *new_xattrs = NULL;1857int ret = -EOPNOTSUPP, xattr_count = 0;18581859if (unlikely(IS_PRIVATE(inode)))1860return 0;18611862if (!blob_sizes.lbs_xattr_count)1863return 0;18641865if (initxattrs) {1866/* Allocate +1 as terminator. */1867new_xattrs = kcalloc(blob_sizes.lbs_xattr_count + 1,1868sizeof(*new_xattrs), GFP_NOFS);1869if (!new_xattrs)1870return -ENOMEM;1871}18721873lsm_for_each_hook(scall, inode_init_security) {1874ret = scall->hl->hook.inode_init_security(inode, dir, qstr, new_xattrs,1875&xattr_count);1876if (ret && ret != -EOPNOTSUPP)1877goto out;1878/*1879* As documented in lsm_hooks.h, -EOPNOTSUPP in this context1880* means that the LSM is not willing to provide an xattr, not1881* that it wants to signal an error. Thus, continue to invoke1882* the remaining LSMs.1883*/1884}18851886/* If initxattrs() is NULL, xattr_count is zero, skip the call. */1887if (!xattr_count)1888goto out;18891890ret = initxattrs(inode, new_xattrs, fs_data);1891out:1892for (; xattr_count > 0; xattr_count--)1893kfree(new_xattrs[xattr_count - 1].value);1894kfree(new_xattrs);1895return (ret == -EOPNOTSUPP) ? 0 : ret;1896}1897EXPORT_SYMBOL(security_inode_init_security);18981899/**1900* security_inode_init_security_anon() - Initialize an anonymous inode1901* @inode: the inode1902* @name: the anonymous inode class1903* @context_inode: an optional related inode1904*1905* Set up the incore security field for the new anonymous inode and return1906* whether the inode creation is permitted by the security module or not.1907*1908* Return: Returns 0 on success, -EACCES if the security module denies the1909* creation of this inode, or another -errno upon other errors.1910*/1911int security_inode_init_security_anon(struct inode *inode,1912const struct qstr *name,1913const struct inode *context_inode)1914{1915return call_int_hook(inode_init_security_anon, inode, name,1916context_inode);1917}19181919#ifdef CONFIG_SECURITY_PATH1920/**1921* security_path_mknod() - Check if creating a special file is allowed1922* @dir: parent directory1923* @dentry: new file1924* @mode: new file mode1925* @dev: device number1926*1927* Check permissions when creating a file. Note that this hook is called even1928* if mknod operation is being done for a regular file.1929*1930* Return: Returns 0 if permission is granted.1931*/1932int security_path_mknod(const struct path *dir, struct dentry *dentry,1933umode_t mode, unsigned int dev)1934{1935if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1936return 0;1937return call_int_hook(path_mknod, dir, dentry, mode, dev);1938}1939EXPORT_SYMBOL(security_path_mknod);19401941/**1942* security_path_post_mknod() - Update inode security after reg file creation1943* @idmap: idmap of the mount1944* @dentry: new file1945*1946* Update inode security field after a regular file has been created.1947*/1948void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry *dentry)1949{1950if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1951return;1952call_void_hook(path_post_mknod, idmap, dentry);1953}19541955/**1956* security_path_mkdir() - Check if creating a new directory is allowed1957* @dir: parent directory1958* @dentry: new directory1959* @mode: new directory mode1960*1961* Check permissions to create a new directory in the existing directory.1962*1963* Return: Returns 0 if permission is granted.1964*/1965int security_path_mkdir(const struct path *dir, struct dentry *dentry,1966umode_t mode)1967{1968if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1969return 0;1970return call_int_hook(path_mkdir, dir, dentry, mode);1971}1972EXPORT_SYMBOL(security_path_mkdir);19731974/**1975* security_path_rmdir() - Check if removing a directory is allowed1976* @dir: parent directory1977* @dentry: directory to remove1978*1979* Check the permission to remove a directory.1980*1981* Return: Returns 0 if permission is granted.1982*/1983int security_path_rmdir(const struct path *dir, struct dentry *dentry)1984{1985if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1986return 0;1987return call_int_hook(path_rmdir, dir, dentry);1988}19891990/**1991* security_path_unlink() - Check if removing a hard link is allowed1992* @dir: parent directory1993* @dentry: file1994*1995* Check the permission to remove a hard link to a file.1996*1997* Return: Returns 0 if permission is granted.1998*/1999int security_path_unlink(const struct path *dir, struct dentry *dentry)2000{2001if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))2002return 0;2003return call_int_hook(path_unlink, dir, dentry);2004}2005EXPORT_SYMBOL(security_path_unlink);20062007/**2008* security_path_symlink() - Check if creating a symbolic link is allowed2009* @dir: parent directory2010* @dentry: symbolic link2011* @old_name: file pathname2012*2013* Check the permission to create a symbolic link to a file.2014*2015* Return: Returns 0 if permission is granted.2016*/2017int security_path_symlink(const struct path *dir, struct dentry *dentry,2018const char *old_name)2019{2020if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))2021return 0;2022return call_int_hook(path_symlink, dir, dentry, old_name);2023}20242025/**2026* security_path_link - Check if creating a hard link is allowed2027* @old_dentry: existing file2028* @new_dir: new parent directory2029* @new_dentry: new link2030*2031* Check permission before creating a new hard link to a file.2032*2033* Return: Returns 0 if permission is granted.2034*/2035int security_path_link(struct dentry *old_dentry, const struct path *new_dir,2036struct dentry *new_dentry)2037{2038if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))2039return 0;2040return call_int_hook(path_link, old_dentry, new_dir, new_dentry);2041}20422043/**2044* security_path_rename() - Check if renaming a file is allowed2045* @old_dir: parent directory of the old file2046* @old_dentry: the old file2047* @new_dir: parent directory of the new file2048* @new_dentry: the new file2049* @flags: flags2050*2051* Check for permission to rename a file or directory.2052*2053* Return: Returns 0 if permission is granted.2054*/2055int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,2056const struct path *new_dir, struct dentry *new_dentry,2057unsigned int flags)2058{2059if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||2060(d_is_positive(new_dentry) &&2061IS_PRIVATE(d_backing_inode(new_dentry)))))2062return 0;20632064return call_int_hook(path_rename, old_dir, old_dentry, new_dir,2065new_dentry, flags);2066}2067EXPORT_SYMBOL(security_path_rename);20682069/**2070* security_path_truncate() - Check if truncating a file is allowed2071* @path: file2072*2073* Check permission before truncating the file indicated by path. Note that2074* truncation permissions may also be checked based on already opened files,2075* using the security_file_truncate() hook.2076*2077* Return: Returns 0 if permission is granted.2078*/2079int security_path_truncate(const struct path *path)2080{2081if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))2082return 0;2083return call_int_hook(path_truncate, path);2084}20852086/**2087* security_path_chmod() - Check if changing the file's mode is allowed2088* @path: file2089* @mode: new mode2090*2091* Check for permission to change a mode of the file @path. The new mode is2092* specified in @mode which is a bitmask of constants from2093* <include/uapi/linux/stat.h>.2094*2095* Return: Returns 0 if permission is granted.2096*/2097int security_path_chmod(const struct path *path, umode_t mode)2098{2099if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))2100return 0;2101return call_int_hook(path_chmod, path, mode);2102}21032104/**2105* security_path_chown() - Check if changing the file's owner/group is allowed2106* @path: file2107* @uid: file owner2108* @gid: file group2109*2110* Check for permission to change owner/group of a file or directory.2111*2112* Return: Returns 0 if permission is granted.2113*/2114int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)2115{2116if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))2117return 0;2118return call_int_hook(path_chown, path, uid, gid);2119}21202121/**2122* security_path_chroot() - Check if changing the root directory is allowed2123* @path: directory2124*2125* Check for permission to change root directory.2126*2127* Return: Returns 0 if permission is granted.2128*/2129int security_path_chroot(const struct path *path)2130{2131return call_int_hook(path_chroot, path);2132}2133#endif /* CONFIG_SECURITY_PATH */21342135/**2136* security_inode_create() - Check if creating a file is allowed2137* @dir: the parent directory2138* @dentry: the file being created2139* @mode: requested file mode2140*2141* Check permission to create a regular file.2142*2143* Return: Returns 0 if permission is granted.2144*/2145int security_inode_create(struct inode *dir, struct dentry *dentry,2146umode_t mode)2147{2148if (unlikely(IS_PRIVATE(dir)))2149return 0;2150return call_int_hook(inode_create, dir, dentry, mode);2151}2152EXPORT_SYMBOL_GPL(security_inode_create);21532154/**2155* security_inode_post_create_tmpfile() - Update inode security of new tmpfile2156* @idmap: idmap of the mount2157* @inode: inode of the new tmpfile2158*2159* Update inode security data after a tmpfile has been created.2160*/2161void security_inode_post_create_tmpfile(struct mnt_idmap *idmap,2162struct inode *inode)2163{2164if (unlikely(IS_PRIVATE(inode)))2165return;2166call_void_hook(inode_post_create_tmpfile, idmap, inode);2167}21682169/**2170* security_inode_link() - Check if creating a hard link is allowed2171* @old_dentry: existing file2172* @dir: new parent directory2173* @new_dentry: new link2174*2175* Check permission before creating a new hard link to a file.2176*2177* Return: Returns 0 if permission is granted.2178*/2179int security_inode_link(struct dentry *old_dentry, struct inode *dir,2180struct dentry *new_dentry)2181{2182if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))2183return 0;2184return call_int_hook(inode_link, old_dentry, dir, new_dentry);2185}21862187/**2188* security_inode_unlink() - Check if removing a hard link is allowed2189* @dir: parent directory2190* @dentry: file2191*2192* Check the permission to remove a hard link to a file.2193*2194* Return: Returns 0 if permission is granted.2195*/2196int security_inode_unlink(struct inode *dir, struct dentry *dentry)2197{2198if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2199return 0;2200return call_int_hook(inode_unlink, dir, dentry);2201}22022203/**2204* security_inode_symlink() - Check if creating a symbolic link is allowed2205* @dir: parent directory2206* @dentry: symbolic link2207* @old_name: existing filename2208*2209* Check the permission to create a symbolic link to a file.2210*2211* Return: Returns 0 if permission is granted.2212*/2213int security_inode_symlink(struct inode *dir, struct dentry *dentry,2214const char *old_name)2215{2216if (unlikely(IS_PRIVATE(dir)))2217return 0;2218return call_int_hook(inode_symlink, dir, dentry, old_name);2219}22202221/**2222* security_inode_mkdir() - Check if creating a new directory is allowed2223* @dir: parent directory2224* @dentry: new directory2225* @mode: new directory mode2226*2227* Check permissions to create a new directory in the existing directory2228* associated with inode structure @dir.2229*2230* Return: Returns 0 if permission is granted.2231*/2232int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)2233{2234if (unlikely(IS_PRIVATE(dir)))2235return 0;2236return call_int_hook(inode_mkdir, dir, dentry, mode);2237}2238EXPORT_SYMBOL_GPL(security_inode_mkdir);22392240/**2241* security_inode_rmdir() - Check if removing a directory is allowed2242* @dir: parent directory2243* @dentry: directory to be removed2244*2245* Check the permission to remove a directory.2246*2247* Return: Returns 0 if permission is granted.2248*/2249int security_inode_rmdir(struct inode *dir, struct dentry *dentry)2250{2251if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2252return 0;2253return call_int_hook(inode_rmdir, dir, dentry);2254}22552256/**2257* security_inode_mknod() - Check if creating a special file is allowed2258* @dir: parent directory2259* @dentry: new file2260* @mode: new file mode2261* @dev: device number2262*2263* Check permissions when creating a special file (or a socket or a fifo file2264* created via the mknod system call). Note that if mknod operation is being2265* done for a regular file, then the create hook will be called and not this2266* hook.2267*2268* Return: Returns 0 if permission is granted.2269*/2270int security_inode_mknod(struct inode *dir, struct dentry *dentry,2271umode_t mode, dev_t dev)2272{2273if (unlikely(IS_PRIVATE(dir)))2274return 0;2275return call_int_hook(inode_mknod, dir, dentry, mode, dev);2276}22772278/**2279* security_inode_rename() - Check if renaming a file is allowed2280* @old_dir: parent directory of the old file2281* @old_dentry: the old file2282* @new_dir: parent directory of the new file2283* @new_dentry: the new file2284* @flags: flags2285*2286* Check for permission to rename a file or directory.2287*2288* Return: Returns 0 if permission is granted.2289*/2290int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,2291struct inode *new_dir, struct dentry *new_dentry,2292unsigned int flags)2293{2294if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||2295(d_is_positive(new_dentry) &&2296IS_PRIVATE(d_backing_inode(new_dentry)))))2297return 0;22982299if (flags & RENAME_EXCHANGE) {2300int err = call_int_hook(inode_rename, new_dir, new_dentry,2301old_dir, old_dentry);2302if (err)2303return err;2304}23052306return call_int_hook(inode_rename, old_dir, old_dentry,2307new_dir, new_dentry);2308}23092310/**2311* security_inode_readlink() - Check if reading a symbolic link is allowed2312* @dentry: link2313*2314* Check the permission to read the symbolic link.2315*2316* Return: Returns 0 if permission is granted.2317*/2318int security_inode_readlink(struct dentry *dentry)2319{2320if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2321return 0;2322return call_int_hook(inode_readlink, dentry);2323}23242325/**2326* security_inode_follow_link() - Check if following a symbolic link is allowed2327* @dentry: link dentry2328* @inode: link inode2329* @rcu: true if in RCU-walk mode2330*2331* Check permission to follow a symbolic link when looking up a pathname. If2332* @rcu is true, @inode is not stable.2333*2334* Return: Returns 0 if permission is granted.2335*/2336int security_inode_follow_link(struct dentry *dentry, struct inode *inode,2337bool rcu)2338{2339if (unlikely(IS_PRIVATE(inode)))2340return 0;2341return call_int_hook(inode_follow_link, dentry, inode, rcu);2342}23432344/**2345* security_inode_permission() - Check if accessing an inode is allowed2346* @inode: inode2347* @mask: access mask2348*2349* Check permission before accessing an inode. This hook is called by the2350* existing Linux permission function, so a security module can use it to2351* provide additional checking for existing Linux permission checks. Notice2352* that this hook is called when a file is opened (as well as many other2353* operations), whereas the file_security_ops permission hook is called when2354* the actual read/write operations are performed.2355*2356* Return: Returns 0 if permission is granted.2357*/2358int security_inode_permission(struct inode *inode, int mask)2359{2360if (unlikely(IS_PRIVATE(inode)))2361return 0;2362return call_int_hook(inode_permission, inode, mask);2363}23642365/**2366* security_inode_setattr() - Check if setting file attributes is allowed2367* @idmap: idmap of the mount2368* @dentry: file2369* @attr: new attributes2370*2371* Check permission before setting file attributes. Note that the kernel call2372* to notify_change is performed from several locations, whenever file2373* attributes change (such as when a file is truncated, chown/chmod operations,2374* transferring disk quotas, etc).2375*2376* Return: Returns 0 if permission is granted.2377*/2378int security_inode_setattr(struct mnt_idmap *idmap,2379struct dentry *dentry, struct iattr *attr)2380{2381if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2382return 0;2383return call_int_hook(inode_setattr, idmap, dentry, attr);2384}2385EXPORT_SYMBOL_GPL(security_inode_setattr);23862387/**2388* security_inode_post_setattr() - Update the inode after a setattr operation2389* @idmap: idmap of the mount2390* @dentry: file2391* @ia_valid: file attributes set2392*2393* Update inode security field after successful setting file attributes.2394*/2395void security_inode_post_setattr(struct mnt_idmap *idmap, struct dentry *dentry,2396int ia_valid)2397{2398if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2399return;2400call_void_hook(inode_post_setattr, idmap, dentry, ia_valid);2401}24022403/**2404* security_inode_getattr() - Check if getting file attributes is allowed2405* @path: file2406*2407* Check permission before obtaining file attributes.2408*2409* Return: Returns 0 if permission is granted.2410*/2411int security_inode_getattr(const struct path *path)2412{2413if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))2414return 0;2415return call_int_hook(inode_getattr, path);2416}24172418/**2419* security_inode_setxattr() - Check if setting file xattrs is allowed2420* @idmap: idmap of the mount2421* @dentry: file2422* @name: xattr name2423* @value: xattr value2424* @size: size of xattr value2425* @flags: flags2426*2427* This hook performs the desired permission checks before setting the extended2428* attributes (xattrs) on @dentry. It is important to note that we have some2429* additional logic before the main LSM implementation calls to detect if we2430* need to perform an additional capability check at the LSM layer.2431*2432* Normally we enforce a capability check prior to executing the various LSM2433* hook implementations, but if a LSM wants to avoid this capability check,2434* it can register a 'inode_xattr_skipcap' hook and return a value of 1 for2435* xattrs that it wants to avoid the capability check, leaving the LSM fully2436* responsible for enforcing the access control for the specific xattr. If all2437* of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook,2438* or return a 0 (the default return value), the capability check is still2439* performed. If no 'inode_xattr_skipcap' hooks are registered the capability2440* check is performed.2441*2442* Return: Returns 0 if permission is granted.2443*/2444int security_inode_setxattr(struct mnt_idmap *idmap,2445struct dentry *dentry, const char *name,2446const void *value, size_t size, int flags)2447{2448int rc;24492450if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2451return 0;24522453/* enforce the capability checks at the lsm layer, if needed */2454if (!call_int_hook(inode_xattr_skipcap, name)) {2455rc = cap_inode_setxattr(dentry, name, value, size, flags);2456if (rc)2457return rc;2458}24592460return call_int_hook(inode_setxattr, idmap, dentry, name, value, size,2461flags);2462}24632464/**2465* security_inode_set_acl() - Check if setting posix acls is allowed2466* @idmap: idmap of the mount2467* @dentry: file2468* @acl_name: acl name2469* @kacl: acl struct2470*2471* Check permission before setting posix acls, the posix acls in @kacl are2472* identified by @acl_name.2473*2474* Return: Returns 0 if permission is granted.2475*/2476int security_inode_set_acl(struct mnt_idmap *idmap,2477struct dentry *dentry, const char *acl_name,2478struct posix_acl *kacl)2479{2480if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2481return 0;2482return call_int_hook(inode_set_acl, idmap, dentry, acl_name, kacl);2483}24842485/**2486* security_inode_post_set_acl() - Update inode security from posix acls set2487* @dentry: file2488* @acl_name: acl name2489* @kacl: acl struct2490*2491* Update inode security data after successfully setting posix acls on @dentry.2492* The posix acls in @kacl are identified by @acl_name.2493*/2494void security_inode_post_set_acl(struct dentry *dentry, const char *acl_name,2495struct posix_acl *kacl)2496{2497if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2498return;2499call_void_hook(inode_post_set_acl, dentry, acl_name, kacl);2500}25012502/**2503* security_inode_get_acl() - Check if reading posix acls is allowed2504* @idmap: idmap of the mount2505* @dentry: file2506* @acl_name: acl name2507*2508* Check permission before getting osix acls, the posix acls are identified by2509* @acl_name.2510*2511* Return: Returns 0 if permission is granted.2512*/2513int security_inode_get_acl(struct mnt_idmap *idmap,2514struct dentry *dentry, const char *acl_name)2515{2516if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2517return 0;2518return call_int_hook(inode_get_acl, idmap, dentry, acl_name);2519}25202521/**2522* security_inode_remove_acl() - Check if removing a posix acl is allowed2523* @idmap: idmap of the mount2524* @dentry: file2525* @acl_name: acl name2526*2527* Check permission before removing posix acls, the posix acls are identified2528* by @acl_name.2529*2530* Return: Returns 0 if permission is granted.2531*/2532int security_inode_remove_acl(struct mnt_idmap *idmap,2533struct dentry *dentry, const char *acl_name)2534{2535if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2536return 0;2537return call_int_hook(inode_remove_acl, idmap, dentry, acl_name);2538}25392540/**2541* security_inode_post_remove_acl() - Update inode security after rm posix acls2542* @idmap: idmap of the mount2543* @dentry: file2544* @acl_name: acl name2545*2546* Update inode security data after successfully removing posix acls on2547* @dentry in @idmap. The posix acls are identified by @acl_name.2548*/2549void security_inode_post_remove_acl(struct mnt_idmap *idmap,2550struct dentry *dentry, const char *acl_name)2551{2552if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2553return;2554call_void_hook(inode_post_remove_acl, idmap, dentry, acl_name);2555}25562557/**2558* security_inode_post_setxattr() - Update the inode after a setxattr operation2559* @dentry: file2560* @name: xattr name2561* @value: xattr value2562* @size: xattr value size2563* @flags: flags2564*2565* Update inode security field after successful setxattr operation.2566*/2567void security_inode_post_setxattr(struct dentry *dentry, const char *name,2568const void *value, size_t size, int flags)2569{2570if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2571return;2572call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);2573}25742575/**2576* security_inode_getxattr() - Check if xattr access is allowed2577* @dentry: file2578* @name: xattr name2579*2580* Check permission before obtaining the extended attributes identified by2581* @name for @dentry.2582*2583* Return: Returns 0 if permission is granted.2584*/2585int security_inode_getxattr(struct dentry *dentry, const char *name)2586{2587if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2588return 0;2589return call_int_hook(inode_getxattr, dentry, name);2590}25912592/**2593* security_inode_listxattr() - Check if listing xattrs is allowed2594* @dentry: file2595*2596* Check permission before obtaining the list of extended attribute names for2597* @dentry.2598*2599* Return: Returns 0 if permission is granted.2600*/2601int security_inode_listxattr(struct dentry *dentry)2602{2603if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2604return 0;2605return call_int_hook(inode_listxattr, dentry);2606}26072608/**2609* security_inode_removexattr() - Check if removing an xattr is allowed2610* @idmap: idmap of the mount2611* @dentry: file2612* @name: xattr name2613*2614* This hook performs the desired permission checks before setting the extended2615* attributes (xattrs) on @dentry. It is important to note that we have some2616* additional logic before the main LSM implementation calls to detect if we2617* need to perform an additional capability check at the LSM layer.2618*2619* Normally we enforce a capability check prior to executing the various LSM2620* hook implementations, but if a LSM wants to avoid this capability check,2621* it can register a 'inode_xattr_skipcap' hook and return a value of 1 for2622* xattrs that it wants to avoid the capability check, leaving the LSM fully2623* responsible for enforcing the access control for the specific xattr. If all2624* of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook,2625* or return a 0 (the default return value), the capability check is still2626* performed. If no 'inode_xattr_skipcap' hooks are registered the capability2627* check is performed.2628*2629* Return: Returns 0 if permission is granted.2630*/2631int security_inode_removexattr(struct mnt_idmap *idmap,2632struct dentry *dentry, const char *name)2633{2634int rc;26352636if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2637return 0;26382639/* enforce the capability checks at the lsm layer, if needed */2640if (!call_int_hook(inode_xattr_skipcap, name)) {2641rc = cap_inode_removexattr(idmap, dentry, name);2642if (rc)2643return rc;2644}26452646return call_int_hook(inode_removexattr, idmap, dentry, name);2647}26482649/**2650* security_inode_post_removexattr() - Update the inode after a removexattr op2651* @dentry: file2652* @name: xattr name2653*2654* Update the inode after a successful removexattr operation.2655*/2656void security_inode_post_removexattr(struct dentry *dentry, const char *name)2657{2658if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2659return;2660call_void_hook(inode_post_removexattr, dentry, name);2661}26622663/**2664* security_inode_file_setattr() - check if setting fsxattr is allowed2665* @dentry: file to set filesystem extended attributes on2666* @fa: extended attributes to set on the inode2667*2668* Called when file_setattr() syscall or FS_IOC_FSSETXATTR ioctl() is called on2669* inode2670*2671* Return: Returns 0 if permission is granted.2672*/2673int security_inode_file_setattr(struct dentry *dentry, struct file_kattr *fa)2674{2675return call_int_hook(inode_file_setattr, dentry, fa);2676}26772678/**2679* security_inode_file_getattr() - check if retrieving fsxattr is allowed2680* @dentry: file to retrieve filesystem extended attributes from2681* @fa: extended attributes to get2682*2683* Called when file_getattr() syscall or FS_IOC_FSGETXATTR ioctl() is called on2684* inode2685*2686* Return: Returns 0 if permission is granted.2687*/2688int security_inode_file_getattr(struct dentry *dentry, struct file_kattr *fa)2689{2690return call_int_hook(inode_file_getattr, dentry, fa);2691}26922693/**2694* security_inode_need_killpriv() - Check if security_inode_killpriv() required2695* @dentry: associated dentry2696*2697* Called when an inode has been changed to determine if2698* security_inode_killpriv() should be called.2699*2700* Return: Return <0 on error to abort the inode change operation, return 0 if2701* security_inode_killpriv() does not need to be called, return >0 if2702* security_inode_killpriv() does need to be called.2703*/2704int security_inode_need_killpriv(struct dentry *dentry)2705{2706return call_int_hook(inode_need_killpriv, dentry);2707}27082709/**2710* security_inode_killpriv() - The setuid bit is removed, update LSM state2711* @idmap: idmap of the mount2712* @dentry: associated dentry2713*2714* The @dentry's setuid bit is being removed. Remove similar security labels.2715* Called with the dentry->d_inode->i_mutex held.2716*2717* Return: Return 0 on success. If error is returned, then the operation2718* causing setuid bit removal is failed.2719*/2720int security_inode_killpriv(struct mnt_idmap *idmap,2721struct dentry *dentry)2722{2723return call_int_hook(inode_killpriv, idmap, dentry);2724}27252726/**2727* security_inode_getsecurity() - Get the xattr security label of an inode2728* @idmap: idmap of the mount2729* @inode: inode2730* @name: xattr name2731* @buffer: security label buffer2732* @alloc: allocation flag2733*2734* Retrieve a copy of the extended attribute representation of the security2735* label associated with @name for @inode via @buffer. Note that @name is the2736* remainder of the attribute name after the security prefix has been removed.2737* @alloc is used to specify if the call should return a value via the buffer2738* or just the value length.2739*2740* Return: Returns size of buffer on success.2741*/2742int security_inode_getsecurity(struct mnt_idmap *idmap,2743struct inode *inode, const char *name,2744void **buffer, bool alloc)2745{2746if (unlikely(IS_PRIVATE(inode)))2747return LSM_RET_DEFAULT(inode_getsecurity);27482749return call_int_hook(inode_getsecurity, idmap, inode, name, buffer,2750alloc);2751}27522753/**2754* security_inode_setsecurity() - Set the xattr security label of an inode2755* @inode: inode2756* @name: xattr name2757* @value: security label2758* @size: length of security label2759* @flags: flags2760*2761* Set the security label associated with @name for @inode from the extended2762* attribute value @value. @size indicates the size of the @value in bytes.2763* @flags may be XATTR_CREATE, XATTR_REPLACE, or 0. Note that @name is the2764* remainder of the attribute name after the security. prefix has been removed.2765*2766* Return: Returns 0 on success.2767*/2768int security_inode_setsecurity(struct inode *inode, const char *name,2769const void *value, size_t size, int flags)2770{2771if (unlikely(IS_PRIVATE(inode)))2772return LSM_RET_DEFAULT(inode_setsecurity);27732774return call_int_hook(inode_setsecurity, inode, name, value, size,2775flags);2776}27772778/**2779* security_inode_listsecurity() - List the xattr security label names2780* @inode: inode2781* @buffer: buffer2782* @buffer_size: size of buffer2783*2784* Copy the extended attribute names for the security labels associated with2785* @inode into @buffer. The maximum size of @buffer is specified by2786* @buffer_size. @buffer may be NULL to request the size of the buffer2787* required.2788*2789* Return: Returns number of bytes used/required on success.2790*/2791int security_inode_listsecurity(struct inode *inode,2792char *buffer, size_t buffer_size)2793{2794if (unlikely(IS_PRIVATE(inode)))2795return 0;2796return call_int_hook(inode_listsecurity, inode, buffer, buffer_size);2797}2798EXPORT_SYMBOL(security_inode_listsecurity);27992800/**2801* security_inode_getlsmprop() - Get an inode's LSM data2802* @inode: inode2803* @prop: lsm specific information to return2804*2805* Get the lsm specific information associated with the node.2806*/2807void security_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)2808{2809call_void_hook(inode_getlsmprop, inode, prop);2810}28112812/**2813* security_inode_copy_up() - Create new creds for an overlayfs copy-up op2814* @src: union dentry of copy-up file2815* @new: newly created creds2816*2817* A file is about to be copied up from lower layer to upper layer of overlay2818* filesystem. Security module can prepare a set of new creds and modify as2819* need be and return new creds. Caller will switch to new creds temporarily to2820* create new file and release newly allocated creds.2821*2822* Return: Returns 0 on success or a negative error code on error.2823*/2824int security_inode_copy_up(struct dentry *src, struct cred **new)2825{2826return call_int_hook(inode_copy_up, src, new);2827}2828EXPORT_SYMBOL(security_inode_copy_up);28292830/**2831* security_inode_copy_up_xattr() - Filter xattrs in an overlayfs copy-up op2832* @src: union dentry of copy-up file2833* @name: xattr name2834*2835* Filter the xattrs being copied up when a unioned file is copied up from a2836* lower layer to the union/overlay layer. The caller is responsible for2837* reading and writing the xattrs, this hook is merely a filter.2838*2839* Return: Returns 0 to accept the xattr, -ECANCELED to discard the xattr,2840* -EOPNOTSUPP if the security module does not know about attribute,2841* or a negative error code to abort the copy up.2842*/2843int security_inode_copy_up_xattr(struct dentry *src, const char *name)2844{2845int rc;28462847rc = call_int_hook(inode_copy_up_xattr, src, name);2848if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr))2849return rc;28502851return LSM_RET_DEFAULT(inode_copy_up_xattr);2852}2853EXPORT_SYMBOL(security_inode_copy_up_xattr);28542855/**2856* security_inode_setintegrity() - Set the inode's integrity data2857* @inode: inode2858* @type: type of integrity, e.g. hash digest, signature, etc2859* @value: the integrity value2860* @size: size of the integrity value2861*2862* Register a verified integrity measurement of a inode with LSMs.2863* LSMs should free the previously saved data if @value is NULL.2864*2865* Return: Returns 0 on success, negative values on failure.2866*/2867int security_inode_setintegrity(const struct inode *inode,2868enum lsm_integrity_type type, const void *value,2869size_t size)2870{2871return call_int_hook(inode_setintegrity, inode, type, value, size);2872}2873EXPORT_SYMBOL(security_inode_setintegrity);28742875/**2876* security_kernfs_init_security() - Init LSM context for a kernfs node2877* @kn_dir: parent kernfs node2878* @kn: the kernfs node to initialize2879*2880* Initialize the security context of a newly created kernfs node based on its2881* own and its parent's attributes.2882*2883* Return: Returns 0 if permission is granted.2884*/2885int security_kernfs_init_security(struct kernfs_node *kn_dir,2886struct kernfs_node *kn)2887{2888return call_int_hook(kernfs_init_security, kn_dir, kn);2889}28902891/**2892* security_file_permission() - Check file permissions2893* @file: file2894* @mask: requested permissions2895*2896* Check file permissions before accessing an open file. This hook is called2897* by various operations that read or write files. A security module can use2898* this hook to perform additional checking on these operations, e.g. to2899* revalidate permissions on use to support privilege bracketing or policy2900* changes. Notice that this hook is used when the actual read/write2901* operations are performed, whereas the inode_security_ops hook is called when2902* a file is opened (as well as many other operations). Although this hook can2903* be used to revalidate permissions for various system call operations that2904* read or write files, it does not address the revalidation of permissions for2905* memory-mapped files. Security modules must handle this separately if they2906* need such revalidation.2907*2908* Return: Returns 0 if permission is granted.2909*/2910int security_file_permission(struct file *file, int mask)2911{2912return call_int_hook(file_permission, file, mask);2913}29142915/**2916* security_file_alloc() - Allocate and init a file's LSM blob2917* @file: the file2918*2919* Allocate and attach a security structure to the file->f_security field. The2920* security field is initialized to NULL when the structure is first created.2921*2922* Return: Return 0 if the hook is successful and permission is granted.2923*/2924int security_file_alloc(struct file *file)2925{2926int rc = lsm_file_alloc(file);29272928if (rc)2929return rc;2930rc = call_int_hook(file_alloc_security, file);2931if (unlikely(rc))2932security_file_free(file);2933return rc;2934}29352936/**2937* security_file_release() - Perform actions before releasing the file ref2938* @file: the file2939*2940* Perform actions before releasing the last reference to a file.2941*/2942void security_file_release(struct file *file)2943{2944call_void_hook(file_release, file);2945}29462947/**2948* security_file_free() - Free a file's LSM blob2949* @file: the file2950*2951* Deallocate and free any security structures stored in file->f_security.2952*/2953void security_file_free(struct file *file)2954{2955void *blob;29562957call_void_hook(file_free_security, file);29582959blob = file->f_security;2960if (blob) {2961file->f_security = NULL;2962kmem_cache_free(lsm_file_cache, blob);2963}2964}29652966/**2967* security_file_ioctl() - Check if an ioctl is allowed2968* @file: associated file2969* @cmd: ioctl cmd2970* @arg: ioctl arguments2971*2972* Check permission for an ioctl operation on @file. Note that @arg sometimes2973* represents a user space pointer; in other cases, it may be a simple integer2974* value. When @arg represents a user space pointer, it should never be used2975* by the security module.2976*2977* Return: Returns 0 if permission is granted.2978*/2979int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)2980{2981return call_int_hook(file_ioctl, file, cmd, arg);2982}2983EXPORT_SYMBOL_GPL(security_file_ioctl);29842985/**2986* security_file_ioctl_compat() - Check if an ioctl is allowed in compat mode2987* @file: associated file2988* @cmd: ioctl cmd2989* @arg: ioctl arguments2990*2991* Compat version of security_file_ioctl() that correctly handles 32-bit2992* processes running on 64-bit kernels.2993*2994* Return: Returns 0 if permission is granted.2995*/2996int security_file_ioctl_compat(struct file *file, unsigned int cmd,2997unsigned long arg)2998{2999return call_int_hook(file_ioctl_compat, file, cmd, arg);3000}3001EXPORT_SYMBOL_GPL(security_file_ioctl_compat);30023003static inline unsigned long mmap_prot(struct file *file, unsigned long prot)3004{3005/*3006* Does we have PROT_READ and does the application expect3007* it to imply PROT_EXEC? If not, nothing to talk about...3008*/3009if ((prot & (PROT_READ | PROT_EXEC)) != PROT_READ)3010return prot;3011if (!(current->personality & READ_IMPLIES_EXEC))3012return prot;3013/*3014* if that's an anonymous mapping, let it.3015*/3016if (!file)3017return prot | PROT_EXEC;3018/*3019* ditto if it's not on noexec mount, except that on !MMU we need3020* NOMMU_MAP_EXEC (== VM_MAYEXEC) in this case3021*/3022if (!path_noexec(&file->f_path)) {3023#ifndef CONFIG_MMU3024if (file->f_op->mmap_capabilities) {3025unsigned caps = file->f_op->mmap_capabilities(file);3026if (!(caps & NOMMU_MAP_EXEC))3027return prot;3028}3029#endif3030return prot | PROT_EXEC;3031}3032/* anything on noexec mount won't get PROT_EXEC */3033return prot;3034}30353036/**3037* security_mmap_file() - Check if mmap'ing a file is allowed3038* @file: file3039* @prot: protection applied by the kernel3040* @flags: flags3041*3042* Check permissions for a mmap operation. The @file may be NULL, e.g. if3043* mapping anonymous memory.3044*3045* Return: Returns 0 if permission is granted.3046*/3047int security_mmap_file(struct file *file, unsigned long prot,3048unsigned long flags)3049{3050return call_int_hook(mmap_file, file, prot, mmap_prot(file, prot),3051flags);3052}30533054/**3055* security_mmap_addr() - Check if mmap'ing an address is allowed3056* @addr: address3057*3058* Check permissions for a mmap operation at @addr.3059*3060* Return: Returns 0 if permission is granted.3061*/3062int security_mmap_addr(unsigned long addr)3063{3064return call_int_hook(mmap_addr, addr);3065}30663067/**3068* security_file_mprotect() - Check if changing memory protections is allowed3069* @vma: memory region3070* @reqprot: application requested protection3071* @prot: protection applied by the kernel3072*3073* Check permissions before changing memory access permissions.3074*3075* Return: Returns 0 if permission is granted.3076*/3077int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,3078unsigned long prot)3079{3080return call_int_hook(file_mprotect, vma, reqprot, prot);3081}30823083/**3084* security_file_lock() - Check if a file lock is allowed3085* @file: file3086* @cmd: lock operation (e.g. F_RDLCK, F_WRLCK)3087*3088* Check permission before performing file locking operations. Note the hook3089* mediates both flock and fcntl style locks.3090*3091* Return: Returns 0 if permission is granted.3092*/3093int security_file_lock(struct file *file, unsigned int cmd)3094{3095return call_int_hook(file_lock, file, cmd);3096}30973098/**3099* security_file_fcntl() - Check if fcntl() op is allowed3100* @file: file3101* @cmd: fcntl command3102* @arg: command argument3103*3104* Check permission before allowing the file operation specified by @cmd from3105* being performed on the file @file. Note that @arg sometimes represents a3106* user space pointer; in other cases, it may be a simple integer value. When3107* @arg represents a user space pointer, it should never be used by the3108* security module.3109*3110* Return: Returns 0 if permission is granted.3111*/3112int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)3113{3114return call_int_hook(file_fcntl, file, cmd, arg);3115}31163117/**3118* security_file_set_fowner() - Set the file owner info in the LSM blob3119* @file: the file3120*3121* Save owner security information (typically from current->security) in3122* file->f_security for later use by the send_sigiotask hook.3123*3124* This hook is called with file->f_owner.lock held.3125*3126* Return: Returns 0 on success.3127*/3128void security_file_set_fowner(struct file *file)3129{3130call_void_hook(file_set_fowner, file);3131}31323133/**3134* security_file_send_sigiotask() - Check if sending SIGIO/SIGURG is allowed3135* @tsk: target task3136* @fown: signal sender3137* @sig: signal to be sent, SIGIO is sent if 03138*3139* Check permission for the file owner @fown to send SIGIO or SIGURG to the3140* process @tsk. Note that this hook is sometimes called from interrupt. Note3141* that the fown_struct, @fown, is never outside the context of a struct file,3142* so the file structure (and associated security information) can always be3143* obtained: container_of(fown, struct file, f_owner).3144*3145* Return: Returns 0 if permission is granted.3146*/3147int security_file_send_sigiotask(struct task_struct *tsk,3148struct fown_struct *fown, int sig)3149{3150return call_int_hook(file_send_sigiotask, tsk, fown, sig);3151}31523153/**3154* security_file_receive() - Check if receiving a file via IPC is allowed3155* @file: file being received3156*3157* This hook allows security modules to control the ability of a process to3158* receive an open file descriptor via socket IPC.3159*3160* Return: Returns 0 if permission is granted.3161*/3162int security_file_receive(struct file *file)3163{3164return call_int_hook(file_receive, file);3165}31663167/**3168* security_file_open() - Save open() time state for late use by the LSM3169* @file:3170*3171* Save open-time permission checking state for later use upon file_permission,3172* and recheck access if anything has changed since inode_permission.3173*3174* We can check if a file is opened for execution (e.g. execve(2) call), either3175* directly or indirectly (e.g. ELF's ld.so) by checking file->f_flags &3176* __FMODE_EXEC .3177*3178* Return: Returns 0 if permission is granted.3179*/3180int security_file_open(struct file *file)3181{3182return call_int_hook(file_open, file);3183}31843185/**3186* security_file_post_open() - Evaluate a file after it has been opened3187* @file: the file3188* @mask: access mask3189*3190* Evaluate an opened file and the access mask requested with open(). The hook3191* is useful for LSMs that require the file content to be available in order to3192* make decisions.3193*3194* Return: Returns 0 if permission is granted.3195*/3196int security_file_post_open(struct file *file, int mask)3197{3198return call_int_hook(file_post_open, file, mask);3199}3200EXPORT_SYMBOL_GPL(security_file_post_open);32013202/**3203* security_file_truncate() - Check if truncating a file is allowed3204* @file: file3205*3206* Check permission before truncating a file, i.e. using ftruncate. Note that3207* truncation permission may also be checked based on the path, using the3208* @path_truncate hook.3209*3210* Return: Returns 0 if permission is granted.3211*/3212int security_file_truncate(struct file *file)3213{3214return call_int_hook(file_truncate, file);3215}32163217/**3218* security_task_alloc() - Allocate a task's LSM blob3219* @task: the task3220* @clone_flags: flags indicating what is being shared3221*3222* Handle allocation of task-related resources.3223*3224* Return: Returns a zero on success, negative values on failure.3225*/3226int security_task_alloc(struct task_struct *task, u64 clone_flags)3227{3228int rc = lsm_task_alloc(task);32293230if (rc)3231return rc;3232rc = call_int_hook(task_alloc, task, clone_flags);3233if (unlikely(rc))3234security_task_free(task);3235return rc;3236}32373238/**3239* security_task_free() - Free a task's LSM blob and related resources3240* @task: task3241*3242* Handle release of task-related resources. Note that this can be called from3243* interrupt context.3244*/3245void security_task_free(struct task_struct *task)3246{3247call_void_hook(task_free, task);32483249kfree(task->security);3250task->security = NULL;3251}32523253/**3254* security_cred_alloc_blank() - Allocate the min memory to allow cred_transfer3255* @cred: credentials3256* @gfp: gfp flags3257*3258* Only allocate sufficient memory and attach to @cred such that3259* cred_transfer() will not get ENOMEM.3260*3261* Return: Returns 0 on success, negative values on failure.3262*/3263int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)3264{3265int rc = lsm_cred_alloc(cred, gfp);32663267if (rc)3268return rc;32693270rc = call_int_hook(cred_alloc_blank, cred, gfp);3271if (unlikely(rc))3272security_cred_free(cred);3273return rc;3274}32753276/**3277* security_cred_free() - Free the cred's LSM blob and associated resources3278* @cred: credentials3279*3280* Deallocate and clear the cred->security field in a set of credentials.3281*/3282void security_cred_free(struct cred *cred)3283{3284/*3285* There is a failure case in prepare_creds() that3286* may result in a call here with ->security being NULL.3287*/3288if (unlikely(cred->security == NULL))3289return;32903291call_void_hook(cred_free, cred);32923293kfree(cred->security);3294cred->security = NULL;3295}32963297/**3298* security_prepare_creds() - Prepare a new set of credentials3299* @new: new credentials3300* @old: original credentials3301* @gfp: gfp flags3302*3303* Prepare a new set of credentials by copying the data from the old set.3304*3305* Return: Returns 0 on success, negative values on failure.3306*/3307int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)3308{3309int rc = lsm_cred_alloc(new, gfp);33103311if (rc)3312return rc;33133314rc = call_int_hook(cred_prepare, new, old, gfp);3315if (unlikely(rc))3316security_cred_free(new);3317return rc;3318}33193320/**3321* security_transfer_creds() - Transfer creds3322* @new: target credentials3323* @old: original credentials3324*3325* Transfer data from original creds to new creds.3326*/3327void security_transfer_creds(struct cred *new, const struct cred *old)3328{3329call_void_hook(cred_transfer, new, old);3330}33313332/**3333* security_cred_getsecid() - Get the secid from a set of credentials3334* @c: credentials3335* @secid: secid value3336*3337* Retrieve the security identifier of the cred structure @c. In case of3338* failure, @secid will be set to zero.3339*/3340void security_cred_getsecid(const struct cred *c, u32 *secid)3341{3342*secid = 0;3343call_void_hook(cred_getsecid, c, secid);3344}3345EXPORT_SYMBOL(security_cred_getsecid);33463347/**3348* security_cred_getlsmprop() - Get the LSM data from a set of credentials3349* @c: credentials3350* @prop: destination for the LSM data3351*3352* Retrieve the security data of the cred structure @c. In case of3353* failure, @prop will be cleared.3354*/3355void security_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)3356{3357lsmprop_init(prop);3358call_void_hook(cred_getlsmprop, c, prop);3359}3360EXPORT_SYMBOL(security_cred_getlsmprop);33613362/**3363* security_kernel_act_as() - Set the kernel credentials to act as secid3364* @new: credentials3365* @secid: secid3366*3367* Set the credentials for a kernel service to act as (subjective context).3368* The current task must be the one that nominated @secid.3369*3370* Return: Returns 0 if successful.3371*/3372int security_kernel_act_as(struct cred *new, u32 secid)3373{3374return call_int_hook(kernel_act_as, new, secid);3375}33763377/**3378* security_kernel_create_files_as() - Set file creation context using an inode3379* @new: target credentials3380* @inode: reference inode3381*3382* Set the file creation context in a set of credentials to be the same as the3383* objective context of the specified inode. The current task must be the one3384* that nominated @inode.3385*3386* Return: Returns 0 if successful.3387*/3388int security_kernel_create_files_as(struct cred *new, struct inode *inode)3389{3390return call_int_hook(kernel_create_files_as, new, inode);3391}33923393/**3394* security_kernel_module_request() - Check if loading a module is allowed3395* @kmod_name: module name3396*3397* Ability to trigger the kernel to automatically upcall to userspace for3398* userspace to load a kernel module with the given name.3399*3400* Return: Returns 0 if successful.3401*/3402int security_kernel_module_request(char *kmod_name)3403{3404return call_int_hook(kernel_module_request, kmod_name);3405}34063407/**3408* security_kernel_read_file() - Read a file specified by userspace3409* @file: file3410* @id: file identifier3411* @contents: trust if security_kernel_post_read_file() will be called3412*3413* Read a file specified by userspace.3414*3415* Return: Returns 0 if permission is granted.3416*/3417int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,3418bool contents)3419{3420return call_int_hook(kernel_read_file, file, id, contents);3421}3422EXPORT_SYMBOL_GPL(security_kernel_read_file);34233424/**3425* security_kernel_post_read_file() - Read a file specified by userspace3426* @file: file3427* @buf: file contents3428* @size: size of file contents3429* @id: file identifier3430*3431* Read a file specified by userspace. This must be paired with a prior call3432* to security_kernel_read_file() call that indicated this hook would also be3433* called, see security_kernel_read_file() for more information.3434*3435* Return: Returns 0 if permission is granted.3436*/3437int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,3438enum kernel_read_file_id id)3439{3440return call_int_hook(kernel_post_read_file, file, buf, size, id);3441}3442EXPORT_SYMBOL_GPL(security_kernel_post_read_file);34433444/**3445* security_kernel_load_data() - Load data provided by userspace3446* @id: data identifier3447* @contents: true if security_kernel_post_load_data() will be called3448*3449* Load data provided by userspace.3450*3451* Return: Returns 0 if permission is granted.3452*/3453int security_kernel_load_data(enum kernel_load_data_id id, bool contents)3454{3455return call_int_hook(kernel_load_data, id, contents);3456}3457EXPORT_SYMBOL_GPL(security_kernel_load_data);34583459/**3460* security_kernel_post_load_data() - Load userspace data from a non-file source3461* @buf: data3462* @size: size of data3463* @id: data identifier3464* @description: text description of data, specific to the id value3465*3466* Load data provided by a non-file source (usually userspace buffer). This3467* must be paired with a prior security_kernel_load_data() call that indicated3468* this hook would also be called, see security_kernel_load_data() for more3469* information.3470*3471* Return: Returns 0 if permission is granted.3472*/3473int security_kernel_post_load_data(char *buf, loff_t size,3474enum kernel_load_data_id id,3475char *description)3476{3477return call_int_hook(kernel_post_load_data, buf, size, id, description);3478}3479EXPORT_SYMBOL_GPL(security_kernel_post_load_data);34803481/**3482* security_task_fix_setuid() - Update LSM with new user id attributes3483* @new: updated credentials3484* @old: credentials being replaced3485* @flags: LSM_SETID_* flag values3486*3487* Update the module's state after setting one or more of the user identity3488* attributes of the current process. The @flags parameter indicates which of3489* the set*uid system calls invoked this hook. If @new is the set of3490* credentials that will be installed. Modifications should be made to this3491* rather than to @current->cred.3492*3493* Return: Returns 0 on success.3494*/3495int security_task_fix_setuid(struct cred *new, const struct cred *old,3496int flags)3497{3498return call_int_hook(task_fix_setuid, new, old, flags);3499}35003501/**3502* security_task_fix_setgid() - Update LSM with new group id attributes3503* @new: updated credentials3504* @old: credentials being replaced3505* @flags: LSM_SETID_* flag value3506*3507* Update the module's state after setting one or more of the group identity3508* attributes of the current process. The @flags parameter indicates which of3509* the set*gid system calls invoked this hook. @new is the set of credentials3510* that will be installed. Modifications should be made to this rather than to3511* @current->cred.3512*3513* Return: Returns 0 on success.3514*/3515int security_task_fix_setgid(struct cred *new, const struct cred *old,3516int flags)3517{3518return call_int_hook(task_fix_setgid, new, old, flags);3519}35203521/**3522* security_task_fix_setgroups() - Update LSM with new supplementary groups3523* @new: updated credentials3524* @old: credentials being replaced3525*3526* Update the module's state after setting the supplementary group identity3527* attributes of the current process. @new is the set of credentials that will3528* be installed. Modifications should be made to this rather than to3529* @current->cred.3530*3531* Return: Returns 0 on success.3532*/3533int security_task_fix_setgroups(struct cred *new, const struct cred *old)3534{3535return call_int_hook(task_fix_setgroups, new, old);3536}35373538/**3539* security_task_setpgid() - Check if setting the pgid is allowed3540* @p: task being modified3541* @pgid: new pgid3542*3543* Check permission before setting the process group identifier of the process3544* @p to @pgid.3545*3546* Return: Returns 0 if permission is granted.3547*/3548int security_task_setpgid(struct task_struct *p, pid_t pgid)3549{3550return call_int_hook(task_setpgid, p, pgid);3551}35523553/**3554* security_task_getpgid() - Check if getting the pgid is allowed3555* @p: task3556*3557* Check permission before getting the process group identifier of the process3558* @p.3559*3560* Return: Returns 0 if permission is granted.3561*/3562int security_task_getpgid(struct task_struct *p)3563{3564return call_int_hook(task_getpgid, p);3565}35663567/**3568* security_task_getsid() - Check if getting the session id is allowed3569* @p: task3570*3571* Check permission before getting the session identifier of the process @p.3572*3573* Return: Returns 0 if permission is granted.3574*/3575int security_task_getsid(struct task_struct *p)3576{3577return call_int_hook(task_getsid, p);3578}35793580/**3581* security_current_getlsmprop_subj() - Current task's subjective LSM data3582* @prop: lsm specific information3583*3584* Retrieve the subjective security identifier of the current task and return3585* it in @prop.3586*/3587void security_current_getlsmprop_subj(struct lsm_prop *prop)3588{3589lsmprop_init(prop);3590call_void_hook(current_getlsmprop_subj, prop);3591}3592EXPORT_SYMBOL(security_current_getlsmprop_subj);35933594/**3595* security_task_getlsmprop_obj() - Get a task's objective LSM data3596* @p: target task3597* @prop: lsm specific information3598*3599* Retrieve the objective security identifier of the task_struct in @p and3600* return it in @prop.3601*/3602void security_task_getlsmprop_obj(struct task_struct *p, struct lsm_prop *prop)3603{3604lsmprop_init(prop);3605call_void_hook(task_getlsmprop_obj, p, prop);3606}3607EXPORT_SYMBOL(security_task_getlsmprop_obj);36083609/**3610* security_task_setnice() - Check if setting a task's nice value is allowed3611* @p: target task3612* @nice: nice value3613*3614* Check permission before setting the nice value of @p to @nice.3615*3616* Return: Returns 0 if permission is granted.3617*/3618int security_task_setnice(struct task_struct *p, int nice)3619{3620return call_int_hook(task_setnice, p, nice);3621}36223623/**3624* security_task_setioprio() - Check if setting a task's ioprio is allowed3625* @p: target task3626* @ioprio: ioprio value3627*3628* Check permission before setting the ioprio value of @p to @ioprio.3629*3630* Return: Returns 0 if permission is granted.3631*/3632int security_task_setioprio(struct task_struct *p, int ioprio)3633{3634return call_int_hook(task_setioprio, p, ioprio);3635}36363637/**3638* security_task_getioprio() - Check if getting a task's ioprio is allowed3639* @p: task3640*3641* Check permission before getting the ioprio value of @p.3642*3643* Return: Returns 0 if permission is granted.3644*/3645int security_task_getioprio(struct task_struct *p)3646{3647return call_int_hook(task_getioprio, p);3648}36493650/**3651* security_task_prlimit() - Check if get/setting resources limits is allowed3652* @cred: current task credentials3653* @tcred: target task credentials3654* @flags: LSM_PRLIMIT_* flag bits indicating a get/set/both3655*3656* Check permission before getting and/or setting the resource limits of3657* another task.3658*3659* Return: Returns 0 if permission is granted.3660*/3661int security_task_prlimit(const struct cred *cred, const struct cred *tcred,3662unsigned int flags)3663{3664return call_int_hook(task_prlimit, cred, tcred, flags);3665}36663667/**3668* security_task_setrlimit() - Check if setting a new rlimit value is allowed3669* @p: target task's group leader3670* @resource: resource whose limit is being set3671* @new_rlim: new resource limit3672*3673* Check permission before setting the resource limits of process @p for3674* @resource to @new_rlim. The old resource limit values can be examined by3675* dereferencing (p->signal->rlim + resource).3676*3677* Return: Returns 0 if permission is granted.3678*/3679int security_task_setrlimit(struct task_struct *p, unsigned int resource,3680struct rlimit *new_rlim)3681{3682return call_int_hook(task_setrlimit, p, resource, new_rlim);3683}36843685/**3686* security_task_setscheduler() - Check if setting sched policy/param is allowed3687* @p: target task3688*3689* Check permission before setting scheduling policy and/or parameters of3690* process @p.3691*3692* Return: Returns 0 if permission is granted.3693*/3694int security_task_setscheduler(struct task_struct *p)3695{3696return call_int_hook(task_setscheduler, p);3697}36983699/**3700* security_task_getscheduler() - Check if getting scheduling info is allowed3701* @p: target task3702*3703* Check permission before obtaining scheduling information for process @p.3704*3705* Return: Returns 0 if permission is granted.3706*/3707int security_task_getscheduler(struct task_struct *p)3708{3709return call_int_hook(task_getscheduler, p);3710}37113712/**3713* security_task_movememory() - Check if moving memory is allowed3714* @p: task3715*3716* Check permission before moving memory owned by process @p.3717*3718* Return: Returns 0 if permission is granted.3719*/3720int security_task_movememory(struct task_struct *p)3721{3722return call_int_hook(task_movememory, p);3723}37243725/**3726* security_task_kill() - Check if sending a signal is allowed3727* @p: target process3728* @info: signal information3729* @sig: signal value3730* @cred: credentials of the signal sender, NULL if @current3731*3732* Check permission before sending signal @sig to @p. @info can be NULL, the3733* constant 1, or a pointer to a kernel_siginfo structure. If @info is 1 or3734* SI_FROMKERNEL(info) is true, then the signal should be viewed as coming from3735* the kernel and should typically be permitted. SIGIO signals are handled3736* separately by the send_sigiotask hook in file_security_ops.3737*3738* Return: Returns 0 if permission is granted.3739*/3740int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,3741int sig, const struct cred *cred)3742{3743return call_int_hook(task_kill, p, info, sig, cred);3744}37453746/**3747* security_task_prctl() - Check if a prctl op is allowed3748* @option: operation3749* @arg2: argument3750* @arg3: argument3751* @arg4: argument3752* @arg5: argument3753*3754* Check permission before performing a process control operation on the3755* current process.3756*3757* Return: Return -ENOSYS if no-one wanted to handle this op, any other value3758* to cause prctl() to return immediately with that value.3759*/3760int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,3761unsigned long arg4, unsigned long arg5)3762{3763int thisrc;3764int rc = LSM_RET_DEFAULT(task_prctl);3765struct lsm_static_call *scall;37663767lsm_for_each_hook(scall, task_prctl) {3768thisrc = scall->hl->hook.task_prctl(option, arg2, arg3, arg4, arg5);3769if (thisrc != LSM_RET_DEFAULT(task_prctl)) {3770rc = thisrc;3771if (thisrc != 0)3772break;3773}3774}3775return rc;3776}37773778/**3779* security_task_to_inode() - Set the security attributes of a task's inode3780* @p: task3781* @inode: inode3782*3783* Set the security attributes for an inode based on an associated task's3784* security attributes, e.g. for /proc/pid inodes.3785*/3786void security_task_to_inode(struct task_struct *p, struct inode *inode)3787{3788call_void_hook(task_to_inode, p, inode);3789}37903791/**3792* security_create_user_ns() - Check if creating a new userns is allowed3793* @cred: prepared creds3794*3795* Check permission prior to creating a new user namespace.3796*3797* Return: Returns 0 if successful, otherwise < 0 error code.3798*/3799int security_create_user_ns(const struct cred *cred)3800{3801return call_int_hook(userns_create, cred);3802}38033804/**3805* security_ipc_permission() - Check if sysv ipc access is allowed3806* @ipcp: ipc permission structure3807* @flag: requested permissions3808*3809* Check permissions for access to IPC.3810*3811* Return: Returns 0 if permission is granted.3812*/3813int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)3814{3815return call_int_hook(ipc_permission, ipcp, flag);3816}38173818/**3819* security_ipc_getlsmprop() - Get the sysv ipc object LSM data3820* @ipcp: ipc permission structure3821* @prop: pointer to lsm information3822*3823* Get the lsm information associated with the ipc object.3824*/38253826void security_ipc_getlsmprop(struct kern_ipc_perm *ipcp, struct lsm_prop *prop)3827{3828lsmprop_init(prop);3829call_void_hook(ipc_getlsmprop, ipcp, prop);3830}38313832/**3833* security_msg_msg_alloc() - Allocate a sysv ipc message LSM blob3834* @msg: message structure3835*3836* Allocate and attach a security structure to the msg->security field. The3837* security field is initialized to NULL when the structure is first created.3838*3839* Return: Return 0 if operation was successful and permission is granted.3840*/3841int security_msg_msg_alloc(struct msg_msg *msg)3842{3843int rc = lsm_msg_msg_alloc(msg);38443845if (unlikely(rc))3846return rc;3847rc = call_int_hook(msg_msg_alloc_security, msg);3848if (unlikely(rc))3849security_msg_msg_free(msg);3850return rc;3851}38523853/**3854* security_msg_msg_free() - Free a sysv ipc message LSM blob3855* @msg: message structure3856*3857* Deallocate the security structure for this message.3858*/3859void security_msg_msg_free(struct msg_msg *msg)3860{3861call_void_hook(msg_msg_free_security, msg);3862kfree(msg->security);3863msg->security = NULL;3864}38653866/**3867* security_msg_queue_alloc() - Allocate a sysv ipc msg queue LSM blob3868* @msq: sysv ipc permission structure3869*3870* Allocate and attach a security structure to @msg. The security field is3871* initialized to NULL when the structure is first created.3872*3873* Return: Returns 0 if operation was successful and permission is granted.3874*/3875int security_msg_queue_alloc(struct kern_ipc_perm *msq)3876{3877int rc = lsm_ipc_alloc(msq);38783879if (unlikely(rc))3880return rc;3881rc = call_int_hook(msg_queue_alloc_security, msq);3882if (unlikely(rc))3883security_msg_queue_free(msq);3884return rc;3885}38863887/**3888* security_msg_queue_free() - Free a sysv ipc msg queue LSM blob3889* @msq: sysv ipc permission structure3890*3891* Deallocate security field @perm->security for the message queue.3892*/3893void security_msg_queue_free(struct kern_ipc_perm *msq)3894{3895call_void_hook(msg_queue_free_security, msq);3896kfree(msq->security);3897msq->security = NULL;3898}38993900/**3901* security_msg_queue_associate() - Check if a msg queue operation is allowed3902* @msq: sysv ipc permission structure3903* @msqflg: operation flags3904*3905* Check permission when a message queue is requested through the msgget system3906* call. This hook is only called when returning the message queue identifier3907* for an existing message queue, not when a new message queue is created.3908*3909* Return: Return 0 if permission is granted.3910*/3911int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)3912{3913return call_int_hook(msg_queue_associate, msq, msqflg);3914}39153916/**3917* security_msg_queue_msgctl() - Check if a msg queue operation is allowed3918* @msq: sysv ipc permission structure3919* @cmd: operation3920*3921* Check permission when a message control operation specified by @cmd is to be3922* performed on the message queue with permissions.3923*3924* Return: Returns 0 if permission is granted.3925*/3926int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)3927{3928return call_int_hook(msg_queue_msgctl, msq, cmd);3929}39303931/**3932* security_msg_queue_msgsnd() - Check if sending a sysv ipc message is allowed3933* @msq: sysv ipc permission structure3934* @msg: message3935* @msqflg: operation flags3936*3937* Check permission before a message, @msg, is enqueued on the message queue3938* with permissions specified in @msq.3939*3940* Return: Returns 0 if permission is granted.3941*/3942int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,3943struct msg_msg *msg, int msqflg)3944{3945return call_int_hook(msg_queue_msgsnd, msq, msg, msqflg);3946}39473948/**3949* security_msg_queue_msgrcv() - Check if receiving a sysv ipc msg is allowed3950* @msq: sysv ipc permission structure3951* @msg: message3952* @target: target task3953* @type: type of message requested3954* @mode: operation flags3955*3956* Check permission before a message, @msg, is removed from the message queue.3957* The @target task structure contains a pointer to the process that will be3958* receiving the message (not equal to the current process when inline receives3959* are being performed).3960*3961* Return: Returns 0 if permission is granted.3962*/3963int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,3964struct task_struct *target, long type, int mode)3965{3966return call_int_hook(msg_queue_msgrcv, msq, msg, target, type, mode);3967}39683969/**3970* security_shm_alloc() - Allocate a sysv shm LSM blob3971* @shp: sysv ipc permission structure3972*3973* Allocate and attach a security structure to the @shp security field. The3974* security field is initialized to NULL when the structure is first created.3975*3976* Return: Returns 0 if operation was successful and permission is granted.3977*/3978int security_shm_alloc(struct kern_ipc_perm *shp)3979{3980int rc = lsm_ipc_alloc(shp);39813982if (unlikely(rc))3983return rc;3984rc = call_int_hook(shm_alloc_security, shp);3985if (unlikely(rc))3986security_shm_free(shp);3987return rc;3988}39893990/**3991* security_shm_free() - Free a sysv shm LSM blob3992* @shp: sysv ipc permission structure3993*3994* Deallocate the security structure @perm->security for the memory segment.3995*/3996void security_shm_free(struct kern_ipc_perm *shp)3997{3998call_void_hook(shm_free_security, shp);3999kfree(shp->security);4000shp->security = NULL;4001}40024003/**4004* security_shm_associate() - Check if a sysv shm operation is allowed4005* @shp: sysv ipc permission structure4006* @shmflg: operation flags4007*4008* Check permission when a shared memory region is requested through the shmget4009* system call. This hook is only called when returning the shared memory4010* region identifier for an existing region, not when a new shared memory4011* region is created.4012*4013* Return: Returns 0 if permission is granted.4014*/4015int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)4016{4017return call_int_hook(shm_associate, shp, shmflg);4018}40194020/**4021* security_shm_shmctl() - Check if a sysv shm operation is allowed4022* @shp: sysv ipc permission structure4023* @cmd: operation4024*4025* Check permission when a shared memory control operation specified by @cmd is4026* to be performed on the shared memory region with permissions in @shp.4027*4028* Return: Return 0 if permission is granted.4029*/4030int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd)4031{4032return call_int_hook(shm_shmctl, shp, cmd);4033}40344035/**4036* security_shm_shmat() - Check if a sysv shm attach operation is allowed4037* @shp: sysv ipc permission structure4038* @shmaddr: address of memory region to attach4039* @shmflg: operation flags4040*4041* Check permissions prior to allowing the shmat system call to attach the4042* shared memory segment with permissions @shp to the data segment of the4043* calling process. The attaching address is specified by @shmaddr.4044*4045* Return: Returns 0 if permission is granted.4046*/4047int security_shm_shmat(struct kern_ipc_perm *shp,4048char __user *shmaddr, int shmflg)4049{4050return call_int_hook(shm_shmat, shp, shmaddr, shmflg);4051}40524053/**4054* security_sem_alloc() - Allocate a sysv semaphore LSM blob4055* @sma: sysv ipc permission structure4056*4057* Allocate and attach a security structure to the @sma security field. The4058* security field is initialized to NULL when the structure is first created.4059*4060* Return: Returns 0 if operation was successful and permission is granted.4061*/4062int security_sem_alloc(struct kern_ipc_perm *sma)4063{4064int rc = lsm_ipc_alloc(sma);40654066if (unlikely(rc))4067return rc;4068rc = call_int_hook(sem_alloc_security, sma);4069if (unlikely(rc))4070security_sem_free(sma);4071return rc;4072}40734074/**4075* security_sem_free() - Free a sysv semaphore LSM blob4076* @sma: sysv ipc permission structure4077*4078* Deallocate security structure @sma->security for the semaphore.4079*/4080void security_sem_free(struct kern_ipc_perm *sma)4081{4082call_void_hook(sem_free_security, sma);4083kfree(sma->security);4084sma->security = NULL;4085}40864087/**4088* security_sem_associate() - Check if a sysv semaphore operation is allowed4089* @sma: sysv ipc permission structure4090* @semflg: operation flags4091*4092* Check permission when a semaphore is requested through the semget system4093* call. This hook is only called when returning the semaphore identifier for4094* an existing semaphore, not when a new one must be created.4095*4096* Return: Returns 0 if permission is granted.4097*/4098int security_sem_associate(struct kern_ipc_perm *sma, int semflg)4099{4100return call_int_hook(sem_associate, sma, semflg);4101}41024103/**4104* security_sem_semctl() - Check if a sysv semaphore operation is allowed4105* @sma: sysv ipc permission structure4106* @cmd: operation4107*4108* Check permission when a semaphore operation specified by @cmd is to be4109* performed on the semaphore.4110*4111* Return: Returns 0 if permission is granted.4112*/4113int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)4114{4115return call_int_hook(sem_semctl, sma, cmd);4116}41174118/**4119* security_sem_semop() - Check if a sysv semaphore operation is allowed4120* @sma: sysv ipc permission structure4121* @sops: operations to perform4122* @nsops: number of operations4123* @alter: flag indicating changes will be made4124*4125* Check permissions before performing operations on members of the semaphore4126* set. If the @alter flag is nonzero, the semaphore set may be modified.4127*4128* Return: Returns 0 if permission is granted.4129*/4130int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,4131unsigned nsops, int alter)4132{4133return call_int_hook(sem_semop, sma, sops, nsops, alter);4134}41354136/**4137* security_d_instantiate() - Populate an inode's LSM state based on a dentry4138* @dentry: dentry4139* @inode: inode4140*4141* Fill in @inode security information for a @dentry if allowed.4142*/4143void security_d_instantiate(struct dentry *dentry, struct inode *inode)4144{4145if (unlikely(inode && IS_PRIVATE(inode)))4146return;4147call_void_hook(d_instantiate, dentry, inode);4148}4149EXPORT_SYMBOL(security_d_instantiate);41504151/*4152* Please keep this in sync with it's counterpart in security/lsm_syscalls.c4153*/41544155/**4156* security_getselfattr - Read an LSM attribute of the current process.4157* @attr: which attribute to return4158* @uctx: the user-space destination for the information, or NULL4159* @size: pointer to the size of space available to receive the data4160* @flags: special handling options. LSM_FLAG_SINGLE indicates that only4161* attributes associated with the LSM identified in the passed @ctx be4162* reported.4163*4164* A NULL value for @uctx can be used to get both the number of attributes4165* and the size of the data.4166*4167* Returns the number of attributes found on success, negative value4168* on error. @size is reset to the total size of the data.4169* If @size is insufficient to contain the data -E2BIG is returned.4170*/4171int security_getselfattr(unsigned int attr, struct lsm_ctx __user *uctx,4172u32 __user *size, u32 flags)4173{4174struct lsm_static_call *scall;4175struct lsm_ctx lctx = { .id = LSM_ID_UNDEF, };4176u8 __user *base = (u8 __user *)uctx;4177u32 entrysize;4178u32 total = 0;4179u32 left;4180bool toobig = false;4181bool single = false;4182int count = 0;4183int rc;41844185if (attr == LSM_ATTR_UNDEF)4186return -EINVAL;4187if (size == NULL)4188return -EINVAL;4189if (get_user(left, size))4190return -EFAULT;41914192if (flags) {4193/*4194* Only flag supported is LSM_FLAG_SINGLE4195*/4196if (flags != LSM_FLAG_SINGLE || !uctx)4197return -EINVAL;4198if (copy_from_user(&lctx, uctx, sizeof(lctx)))4199return -EFAULT;4200/*4201* If the LSM ID isn't specified it is an error.4202*/4203if (lctx.id == LSM_ID_UNDEF)4204return -EINVAL;4205single = true;4206}42074208/*4209* In the usual case gather all the data from the LSMs.4210* In the single case only get the data from the LSM specified.4211*/4212lsm_for_each_hook(scall, getselfattr) {4213if (single && lctx.id != scall->hl->lsmid->id)4214continue;4215entrysize = left;4216if (base)4217uctx = (struct lsm_ctx __user *)(base + total);4218rc = scall->hl->hook.getselfattr(attr, uctx, &entrysize, flags);4219if (rc == -EOPNOTSUPP)4220continue;4221if (rc == -E2BIG) {4222rc = 0;4223left = 0;4224toobig = true;4225} else if (rc < 0)4226return rc;4227else4228left -= entrysize;42294230total += entrysize;4231count += rc;4232if (single)4233break;4234}4235if (put_user(total, size))4236return -EFAULT;4237if (toobig)4238return -E2BIG;4239if (count == 0)4240return LSM_RET_DEFAULT(getselfattr);4241return count;4242}42434244/*4245* Please keep this in sync with it's counterpart in security/lsm_syscalls.c4246*/42474248/**4249* security_setselfattr - Set an LSM attribute on the current process.4250* @attr: which attribute to set4251* @uctx: the user-space source for the information4252* @size: the size of the data4253* @flags: reserved for future use, must be 04254*4255* Set an LSM attribute for the current process. The LSM, attribute4256* and new value are included in @uctx.4257*4258* Returns 0 on success, -EINVAL if the input is inconsistent, -EFAULT4259* if the user buffer is inaccessible, E2BIG if size is too big, or an4260* LSM specific failure.4261*/4262int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx,4263u32 size, u32 flags)4264{4265struct lsm_static_call *scall;4266struct lsm_ctx *lctx;4267int rc = LSM_RET_DEFAULT(setselfattr);4268u64 required_len;42694270if (flags)4271return -EINVAL;4272if (size < sizeof(*lctx))4273return -EINVAL;4274if (size > PAGE_SIZE)4275return -E2BIG;42764277lctx = memdup_user(uctx, size);4278if (IS_ERR(lctx))4279return PTR_ERR(lctx);42804281if (size < lctx->len ||4282check_add_overflow(sizeof(*lctx), lctx->ctx_len, &required_len) ||4283lctx->len < required_len) {4284rc = -EINVAL;4285goto free_out;4286}42874288lsm_for_each_hook(scall, setselfattr)4289if ((scall->hl->lsmid->id) == lctx->id) {4290rc = scall->hl->hook.setselfattr(attr, lctx, size, flags);4291break;4292}42934294free_out:4295kfree(lctx);4296return rc;4297}42984299/**4300* security_getprocattr() - Read an attribute for a task4301* @p: the task4302* @lsmid: LSM identification4303* @name: attribute name4304* @value: attribute value4305*4306* Read attribute @name for task @p and store it into @value if allowed.4307*4308* Return: Returns the length of @value on success, a negative value otherwise.4309*/4310int security_getprocattr(struct task_struct *p, int lsmid, const char *name,4311char **value)4312{4313struct lsm_static_call *scall;43144315lsm_for_each_hook(scall, getprocattr) {4316if (lsmid != 0 && lsmid != scall->hl->lsmid->id)4317continue;4318return scall->hl->hook.getprocattr(p, name, value);4319}4320return LSM_RET_DEFAULT(getprocattr);4321}43224323/**4324* security_setprocattr() - Set an attribute for a task4325* @lsmid: LSM identification4326* @name: attribute name4327* @value: attribute value4328* @size: attribute value size4329*4330* Write (set) the current task's attribute @name to @value, size @size if4331* allowed.4332*4333* Return: Returns bytes written on success, a negative value otherwise.4334*/4335int security_setprocattr(int lsmid, const char *name, void *value, size_t size)4336{4337struct lsm_static_call *scall;43384339lsm_for_each_hook(scall, setprocattr) {4340if (lsmid != 0 && lsmid != scall->hl->lsmid->id)4341continue;4342return scall->hl->hook.setprocattr(name, value, size);4343}4344return LSM_RET_DEFAULT(setprocattr);4345}43464347/**4348* security_ismaclabel() - Check if the named attribute is a MAC label4349* @name: full extended attribute name4350*4351* Check if the extended attribute specified by @name represents a MAC label.4352*4353* Return: Returns 1 if name is a MAC attribute otherwise returns 0.4354*/4355int security_ismaclabel(const char *name)4356{4357return call_int_hook(ismaclabel, name);4358}4359EXPORT_SYMBOL(security_ismaclabel);43604361/**4362* security_secid_to_secctx() - Convert a secid to a secctx4363* @secid: secid4364* @cp: the LSM context4365*4366* Convert secid to security context. If @cp is NULL the length of the4367* result will be returned, but no data will be returned. This4368* does mean that the length could change between calls to check the length and4369* the next call which actually allocates and returns the data.4370*4371* Return: Return length of data on success, error on failure.4372*/4373int security_secid_to_secctx(u32 secid, struct lsm_context *cp)4374{4375return call_int_hook(secid_to_secctx, secid, cp);4376}4377EXPORT_SYMBOL(security_secid_to_secctx);43784379/**4380* security_lsmprop_to_secctx() - Convert a lsm_prop to a secctx4381* @prop: lsm specific information4382* @cp: the LSM context4383* @lsmid: which security module to report4384*4385* Convert a @prop entry to security context. If @cp is NULL the4386* length of the result will be returned. This does mean that the4387* length could change between calls to check the length and the4388* next call which actually allocates and returns the @cp.4389*4390* @lsmid identifies which LSM should supply the context.4391* A value of LSM_ID_UNDEF indicates that the first LSM suppling4392* the hook should be used. This is used in cases where the4393* ID of the supplying LSM is unambiguous.4394*4395* Return: Return length of data on success, error on failure.4396*/4397int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,4398int lsmid)4399{4400struct lsm_static_call *scall;44014402lsm_for_each_hook(scall, lsmprop_to_secctx) {4403if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id)4404continue;4405return scall->hl->hook.lsmprop_to_secctx(prop, cp);4406}4407return LSM_RET_DEFAULT(lsmprop_to_secctx);4408}4409EXPORT_SYMBOL(security_lsmprop_to_secctx);44104411/**4412* security_secctx_to_secid() - Convert a secctx to a secid4413* @secdata: secctx4414* @seclen: length of secctx4415* @secid: secid4416*4417* Convert security context to secid.4418*4419* Return: Returns 0 on success, error on failure.4420*/4421int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)4422{4423*secid = 0;4424return call_int_hook(secctx_to_secid, secdata, seclen, secid);4425}4426EXPORT_SYMBOL(security_secctx_to_secid);44274428/**4429* security_release_secctx() - Free a secctx buffer4430* @cp: the security context4431*4432* Release the security context.4433*/4434void security_release_secctx(struct lsm_context *cp)4435{4436call_void_hook(release_secctx, cp);4437memset(cp, 0, sizeof(*cp));4438}4439EXPORT_SYMBOL(security_release_secctx);44404441/**4442* security_inode_invalidate_secctx() - Invalidate an inode's security label4443* @inode: inode4444*4445* Notify the security module that it must revalidate the security context of4446* an inode.4447*/4448void security_inode_invalidate_secctx(struct inode *inode)4449{4450call_void_hook(inode_invalidate_secctx, inode);4451}4452EXPORT_SYMBOL(security_inode_invalidate_secctx);44534454/**4455* security_inode_notifysecctx() - Notify the LSM of an inode's security label4456* @inode: inode4457* @ctx: secctx4458* @ctxlen: length of secctx4459*4460* Notify the security module of what the security context of an inode should4461* be. Initializes the incore security context managed by the security module4462* for this inode. Example usage: NFS client invokes this hook to initialize4463* the security context in its incore inode to the value provided by the server4464* for the file when the server returned the file's attributes to the client.4465* Must be called with inode->i_mutex locked.4466*4467* Return: Returns 0 on success, error on failure.4468*/4469int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)4470{4471return call_int_hook(inode_notifysecctx, inode, ctx, ctxlen);4472}4473EXPORT_SYMBOL(security_inode_notifysecctx);44744475/**4476* security_inode_setsecctx() - Change the security label of an inode4477* @dentry: inode4478* @ctx: secctx4479* @ctxlen: length of secctx4480*4481* Change the security context of an inode. Updates the incore security4482* context managed by the security module and invokes the fs code as needed4483* (via __vfs_setxattr_noperm) to update any backing xattrs that represent the4484* context. Example usage: NFS server invokes this hook to change the security4485* context in its incore inode and on the backing filesystem to a value4486* provided by the client on a SETATTR operation. Must be called with4487* inode->i_mutex locked.4488*4489* Return: Returns 0 on success, error on failure.4490*/4491int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)4492{4493return call_int_hook(inode_setsecctx, dentry, ctx, ctxlen);4494}4495EXPORT_SYMBOL(security_inode_setsecctx);44964497/**4498* security_inode_getsecctx() - Get the security label of an inode4499* @inode: inode4500* @cp: security context4501*4502* On success, returns 0 and fills out @cp with the security context4503* for the given @inode.4504*4505* Return: Returns 0 on success, error on failure.4506*/4507int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp)4508{4509memset(cp, 0, sizeof(*cp));4510return call_int_hook(inode_getsecctx, inode, cp);4511}4512EXPORT_SYMBOL(security_inode_getsecctx);45134514#ifdef CONFIG_WATCH_QUEUE4515/**4516* security_post_notification() - Check if a watch notification can be posted4517* @w_cred: credentials of the task that set the watch4518* @cred: credentials of the task which triggered the watch4519* @n: the notification4520*4521* Check to see if a watch notification can be posted to a particular queue.4522*4523* Return: Returns 0 if permission is granted.4524*/4525int security_post_notification(const struct cred *w_cred,4526const struct cred *cred,4527struct watch_notification *n)4528{4529return call_int_hook(post_notification, w_cred, cred, n);4530}4531#endif /* CONFIG_WATCH_QUEUE */45324533#ifdef CONFIG_KEY_NOTIFICATIONS4534/**4535* security_watch_key() - Check if a task is allowed to watch for key events4536* @key: the key to watch4537*4538* Check to see if a process is allowed to watch for event notifications from4539* a key or keyring.4540*4541* Return: Returns 0 if permission is granted.4542*/4543int security_watch_key(struct key *key)4544{4545return call_int_hook(watch_key, key);4546}4547#endif /* CONFIG_KEY_NOTIFICATIONS */45484549#ifdef CONFIG_SECURITY_NETWORK4550/**4551* security_netlink_send() - Save info and check if netlink sending is allowed4552* @sk: sending socket4553* @skb: netlink message4554*4555* Save security information for a netlink message so that permission checking4556* can be performed when the message is processed. The security information4557* can be saved using the eff_cap field of the netlink_skb_parms structure.4558* Also may be used to provide fine grained control over message transmission.4559*4560* Return: Returns 0 if the information was successfully saved and message is4561* allowed to be transmitted.4562*/4563int security_netlink_send(struct sock *sk, struct sk_buff *skb)4564{4565return call_int_hook(netlink_send, sk, skb);4566}45674568/**4569* security_unix_stream_connect() - Check if a AF_UNIX stream is allowed4570* @sock: originating sock4571* @other: peer sock4572* @newsk: new sock4573*4574* Check permissions before establishing a Unix domain stream connection4575* between @sock and @other.4576*4577* The @unix_stream_connect and @unix_may_send hooks were necessary because4578* Linux provides an alternative to the conventional file name space for Unix4579* domain sockets. Whereas binding and connecting to sockets in the file name4580* space is mediated by the typical file permissions (and caught by the mknod4581* and permission hooks in inode_security_ops), binding and connecting to4582* sockets in the abstract name space is completely unmediated. Sufficient4583* control of Unix domain sockets in the abstract name space isn't possible4584* using only the socket layer hooks, since we need to know the actual target4585* socket, which is not looked up until we are inside the af_unix code.4586*4587* Return: Returns 0 if permission is granted.4588*/4589int security_unix_stream_connect(struct sock *sock, struct sock *other,4590struct sock *newsk)4591{4592return call_int_hook(unix_stream_connect, sock, other, newsk);4593}4594EXPORT_SYMBOL(security_unix_stream_connect);45954596/**4597* security_unix_may_send() - Check if AF_UNIX socket can send datagrams4598* @sock: originating sock4599* @other: peer sock4600*4601* Check permissions before connecting or sending datagrams from @sock to4602* @other.4603*4604* The @unix_stream_connect and @unix_may_send hooks were necessary because4605* Linux provides an alternative to the conventional file name space for Unix4606* domain sockets. Whereas binding and connecting to sockets in the file name4607* space is mediated by the typical file permissions (and caught by the mknod4608* and permission hooks in inode_security_ops), binding and connecting to4609* sockets in the abstract name space is completely unmediated. Sufficient4610* control of Unix domain sockets in the abstract name space isn't possible4611* using only the socket layer hooks, since we need to know the actual target4612* socket, which is not looked up until we are inside the af_unix code.4613*4614* Return: Returns 0 if permission is granted.4615*/4616int security_unix_may_send(struct socket *sock, struct socket *other)4617{4618return call_int_hook(unix_may_send, sock, other);4619}4620EXPORT_SYMBOL(security_unix_may_send);46214622/**4623* security_socket_create() - Check if creating a new socket is allowed4624* @family: protocol family4625* @type: communications type4626* @protocol: requested protocol4627* @kern: set to 1 if a kernel socket is requested4628*4629* Check permissions prior to creating a new socket.4630*4631* Return: Returns 0 if permission is granted.4632*/4633int security_socket_create(int family, int type, int protocol, int kern)4634{4635return call_int_hook(socket_create, family, type, protocol, kern);4636}46374638/**4639* security_socket_post_create() - Initialize a newly created socket4640* @sock: socket4641* @family: protocol family4642* @type: communications type4643* @protocol: requested protocol4644* @kern: set to 1 if a kernel socket is requested4645*4646* This hook allows a module to update or allocate a per-socket security4647* structure. Note that the security field was not added directly to the socket4648* structure, but rather, the socket security information is stored in the4649* associated inode. Typically, the inode alloc_security hook will allocate4650* and attach security information to SOCK_INODE(sock)->i_security. This hook4651* may be used to update the SOCK_INODE(sock)->i_security field with additional4652* information that wasn't available when the inode was allocated.4653*4654* Return: Returns 0 if permission is granted.4655*/4656int security_socket_post_create(struct socket *sock, int family,4657int type, int protocol, int kern)4658{4659return call_int_hook(socket_post_create, sock, family, type,4660protocol, kern);4661}46624663/**4664* security_socket_socketpair() - Check if creating a socketpair is allowed4665* @socka: first socket4666* @sockb: second socket4667*4668* Check permissions before creating a fresh pair of sockets.4669*4670* Return: Returns 0 if permission is granted and the connection was4671* established.4672*/4673int security_socket_socketpair(struct socket *socka, struct socket *sockb)4674{4675return call_int_hook(socket_socketpair, socka, sockb);4676}4677EXPORT_SYMBOL(security_socket_socketpair);46784679/**4680* security_socket_bind() - Check if a socket bind operation is allowed4681* @sock: socket4682* @address: requested bind address4683* @addrlen: length of address4684*4685* Check permission before socket protocol layer bind operation is performed4686* and the socket @sock is bound to the address specified in the @address4687* parameter.4688*4689* Return: Returns 0 if permission is granted.4690*/4691int security_socket_bind(struct socket *sock,4692struct sockaddr *address, int addrlen)4693{4694return call_int_hook(socket_bind, sock, address, addrlen);4695}46964697/**4698* security_socket_connect() - Check if a socket connect operation is allowed4699* @sock: socket4700* @address: address of remote connection point4701* @addrlen: length of address4702*4703* Check permission before socket protocol layer connect operation attempts to4704* connect socket @sock to a remote address, @address.4705*4706* Return: Returns 0 if permission is granted.4707*/4708int security_socket_connect(struct socket *sock,4709struct sockaddr *address, int addrlen)4710{4711return call_int_hook(socket_connect, sock, address, addrlen);4712}47134714/**4715* security_socket_listen() - Check if a socket is allowed to listen4716* @sock: socket4717* @backlog: connection queue size4718*4719* Check permission before socket protocol layer listen operation.4720*4721* Return: Returns 0 if permission is granted.4722*/4723int security_socket_listen(struct socket *sock, int backlog)4724{4725return call_int_hook(socket_listen, sock, backlog);4726}47274728/**4729* security_socket_accept() - Check if a socket is allowed to accept connections4730* @sock: listening socket4731* @newsock: newly creation connection socket4732*4733* Check permission before accepting a new connection. Note that the new4734* socket, @newsock, has been created and some information copied to it, but4735* the accept operation has not actually been performed.4736*4737* Return: Returns 0 if permission is granted.4738*/4739int security_socket_accept(struct socket *sock, struct socket *newsock)4740{4741return call_int_hook(socket_accept, sock, newsock);4742}47434744/**4745* security_socket_sendmsg() - Check if sending a message is allowed4746* @sock: sending socket4747* @msg: message to send4748* @size: size of message4749*4750* Check permission before transmitting a message to another socket.4751*4752* Return: Returns 0 if permission is granted.4753*/4754int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)4755{4756return call_int_hook(socket_sendmsg, sock, msg, size);4757}47584759/**4760* security_socket_recvmsg() - Check if receiving a message is allowed4761* @sock: receiving socket4762* @msg: message to receive4763* @size: size of message4764* @flags: operational flags4765*4766* Check permission before receiving a message from a socket.4767*4768* Return: Returns 0 if permission is granted.4769*/4770int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,4771int size, int flags)4772{4773return call_int_hook(socket_recvmsg, sock, msg, size, flags);4774}47754776/**4777* security_socket_getsockname() - Check if reading the socket addr is allowed4778* @sock: socket4779*4780* Check permission before reading the local address (name) of the socket4781* object.4782*4783* Return: Returns 0 if permission is granted.4784*/4785int security_socket_getsockname(struct socket *sock)4786{4787return call_int_hook(socket_getsockname, sock);4788}47894790/**4791* security_socket_getpeername() - Check if reading the peer's addr is allowed4792* @sock: socket4793*4794* Check permission before the remote address (name) of a socket object.4795*4796* Return: Returns 0 if permission is granted.4797*/4798int security_socket_getpeername(struct socket *sock)4799{4800return call_int_hook(socket_getpeername, sock);4801}48024803/**4804* security_socket_getsockopt() - Check if reading a socket option is allowed4805* @sock: socket4806* @level: option's protocol level4807* @optname: option name4808*4809* Check permissions before retrieving the options associated with socket4810* @sock.4811*4812* Return: Returns 0 if permission is granted.4813*/4814int security_socket_getsockopt(struct socket *sock, int level, int optname)4815{4816return call_int_hook(socket_getsockopt, sock, level, optname);4817}48184819/**4820* security_socket_setsockopt() - Check if setting a socket option is allowed4821* @sock: socket4822* @level: option's protocol level4823* @optname: option name4824*4825* Check permissions before setting the options associated with socket @sock.4826*4827* Return: Returns 0 if permission is granted.4828*/4829int security_socket_setsockopt(struct socket *sock, int level, int optname)4830{4831return call_int_hook(socket_setsockopt, sock, level, optname);4832}48334834/**4835* security_socket_shutdown() - Checks if shutting down the socket is allowed4836* @sock: socket4837* @how: flag indicating how sends and receives are handled4838*4839* Checks permission before all or part of a connection on the socket @sock is4840* shut down.4841*4842* Return: Returns 0 if permission is granted.4843*/4844int security_socket_shutdown(struct socket *sock, int how)4845{4846return call_int_hook(socket_shutdown, sock, how);4847}48484849/**4850* security_sock_rcv_skb() - Check if an incoming network packet is allowed4851* @sk: destination sock4852* @skb: incoming packet4853*4854* Check permissions on incoming network packets. This hook is distinct from4855* Netfilter's IP input hooks since it is the first time that the incoming4856* sk_buff @skb has been associated with a particular socket, @sk. Must not4857* sleep inside this hook because some callers hold spinlocks.4858*4859* Return: Returns 0 if permission is granted.4860*/4861int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)4862{4863return call_int_hook(socket_sock_rcv_skb, sk, skb);4864}4865EXPORT_SYMBOL(security_sock_rcv_skb);48664867/**4868* security_socket_getpeersec_stream() - Get the remote peer label4869* @sock: socket4870* @optval: destination buffer4871* @optlen: size of peer label copied into the buffer4872* @len: maximum size of the destination buffer4873*4874* This hook allows the security module to provide peer socket security state4875* for unix or connected tcp sockets to userspace via getsockopt SO_GETPEERSEC.4876* For tcp sockets this can be meaningful if the socket is associated with an4877* ipsec SA.4878*4879* Return: Returns 0 if all is well, otherwise, typical getsockopt return4880* values.4881*/4882int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval,4883sockptr_t optlen, unsigned int len)4884{4885return call_int_hook(socket_getpeersec_stream, sock, optval, optlen,4886len);4887}48884889/**4890* security_socket_getpeersec_dgram() - Get the remote peer label4891* @sock: socket4892* @skb: datagram packet4893* @secid: remote peer label secid4894*4895* This hook allows the security module to provide peer socket security state4896* for udp sockets on a per-packet basis to userspace via getsockopt4897* SO_GETPEERSEC. The application must first have indicated the IP_PASSSEC4898* option via getsockopt. It can then retrieve the security state returned by4899* this hook for a packet via the SCM_SECURITY ancillary message type.4900*4901* Return: Returns 0 on success, error on failure.4902*/4903int security_socket_getpeersec_dgram(struct socket *sock,4904struct sk_buff *skb, u32 *secid)4905{4906return call_int_hook(socket_getpeersec_dgram, sock, skb, secid);4907}4908EXPORT_SYMBOL(security_socket_getpeersec_dgram);49094910/**4911* lsm_sock_alloc - allocate a composite sock blob4912* @sock: the sock that needs a blob4913* @gfp: allocation mode4914*4915* Allocate the sock blob for all the modules4916*4917* Returns 0, or -ENOMEM if memory can't be allocated.4918*/4919static int lsm_sock_alloc(struct sock *sock, gfp_t gfp)4920{4921return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp);4922}49234924/**4925* security_sk_alloc() - Allocate and initialize a sock's LSM blob4926* @sk: sock4927* @family: protocol family4928* @priority: gfp flags4929*4930* Allocate and attach a security structure to the sk->sk_security field, which4931* is used to copy security attributes between local stream sockets.4932*4933* Return: Returns 0 on success, error on failure.4934*/4935int security_sk_alloc(struct sock *sk, int family, gfp_t priority)4936{4937int rc = lsm_sock_alloc(sk, priority);49384939if (unlikely(rc))4940return rc;4941rc = call_int_hook(sk_alloc_security, sk, family, priority);4942if (unlikely(rc))4943security_sk_free(sk);4944return rc;4945}49464947/**4948* security_sk_free() - Free the sock's LSM blob4949* @sk: sock4950*4951* Deallocate security structure.4952*/4953void security_sk_free(struct sock *sk)4954{4955call_void_hook(sk_free_security, sk);4956kfree(sk->sk_security);4957sk->sk_security = NULL;4958}49594960/**4961* security_sk_clone() - Clone a sock's LSM state4962* @sk: original sock4963* @newsk: target sock4964*4965* Clone/copy security structure.4966*/4967void security_sk_clone(const struct sock *sk, struct sock *newsk)4968{4969call_void_hook(sk_clone_security, sk, newsk);4970}4971EXPORT_SYMBOL(security_sk_clone);49724973/**4974* security_sk_classify_flow() - Set a flow's secid based on socket4975* @sk: original socket4976* @flic: target flow4977*4978* Set the target flow's secid to socket's secid.4979*/4980void security_sk_classify_flow(const struct sock *sk, struct flowi_common *flic)4981{4982call_void_hook(sk_getsecid, sk, &flic->flowic_secid);4983}4984EXPORT_SYMBOL(security_sk_classify_flow);49854986/**4987* security_req_classify_flow() - Set a flow's secid based on request_sock4988* @req: request_sock4989* @flic: target flow4990*4991* Sets @flic's secid to @req's secid.4992*/4993void security_req_classify_flow(const struct request_sock *req,4994struct flowi_common *flic)4995{4996call_void_hook(req_classify_flow, req, flic);4997}4998EXPORT_SYMBOL(security_req_classify_flow);49995000/**5001* security_sock_graft() - Reconcile LSM state when grafting a sock on a socket5002* @sk: sock being grafted5003* @parent: target parent socket5004*5005* Sets @parent's inode secid to @sk's secid and update @sk with any necessary5006* LSM state from @parent.5007*/5008void security_sock_graft(struct sock *sk, struct socket *parent)5009{5010call_void_hook(sock_graft, sk, parent);5011}5012EXPORT_SYMBOL(security_sock_graft);50135014/**5015* security_inet_conn_request() - Set request_sock state using incoming connect5016* @sk: parent listening sock5017* @skb: incoming connection5018* @req: new request_sock5019*5020* Initialize the @req LSM state based on @sk and the incoming connect in @skb.5021*5022* Return: Returns 0 if permission is granted.5023*/5024int security_inet_conn_request(const struct sock *sk,5025struct sk_buff *skb, struct request_sock *req)5026{5027return call_int_hook(inet_conn_request, sk, skb, req);5028}5029EXPORT_SYMBOL(security_inet_conn_request);50305031/**5032* security_inet_csk_clone() - Set new sock LSM state based on request_sock5033* @newsk: new sock5034* @req: connection request_sock5035*5036* Set that LSM state of @sock using the LSM state from @req.5037*/5038void security_inet_csk_clone(struct sock *newsk,5039const struct request_sock *req)5040{5041call_void_hook(inet_csk_clone, newsk, req);5042}50435044/**5045* security_inet_conn_established() - Update sock's LSM state with connection5046* @sk: sock5047* @skb: connection packet5048*5049* Update @sock's LSM state to represent a new connection from @skb.5050*/5051void security_inet_conn_established(struct sock *sk,5052struct sk_buff *skb)5053{5054call_void_hook(inet_conn_established, sk, skb);5055}5056EXPORT_SYMBOL(security_inet_conn_established);50575058/**5059* security_secmark_relabel_packet() - Check if setting a secmark is allowed5060* @secid: new secmark value5061*5062* Check if the process should be allowed to relabel packets to @secid.5063*5064* Return: Returns 0 if permission is granted.5065*/5066int security_secmark_relabel_packet(u32 secid)5067{5068return call_int_hook(secmark_relabel_packet, secid);5069}5070EXPORT_SYMBOL(security_secmark_relabel_packet);50715072/**5073* security_secmark_refcount_inc() - Increment the secmark labeling rule count5074*5075* Tells the LSM to increment the number of secmark labeling rules loaded.5076*/5077void security_secmark_refcount_inc(void)5078{5079call_void_hook(secmark_refcount_inc);5080}5081EXPORT_SYMBOL(security_secmark_refcount_inc);50825083/**5084* security_secmark_refcount_dec() - Decrement the secmark labeling rule count5085*5086* Tells the LSM to decrement the number of secmark labeling rules loaded.5087*/5088void security_secmark_refcount_dec(void)5089{5090call_void_hook(secmark_refcount_dec);5091}5092EXPORT_SYMBOL(security_secmark_refcount_dec);50935094/**5095* security_tun_dev_alloc_security() - Allocate a LSM blob for a TUN device5096* @security: pointer to the LSM blob5097*5098* This hook allows a module to allocate a security structure for a TUN device,5099* returning the pointer in @security.5100*5101* Return: Returns a zero on success, negative values on failure.5102*/5103int security_tun_dev_alloc_security(void **security)5104{5105int rc;51065107rc = lsm_blob_alloc(security, blob_sizes.lbs_tun_dev, GFP_KERNEL);5108if (rc)5109return rc;51105111rc = call_int_hook(tun_dev_alloc_security, *security);5112if (rc) {5113kfree(*security);5114*security = NULL;5115}5116return rc;5117}5118EXPORT_SYMBOL(security_tun_dev_alloc_security);51195120/**5121* security_tun_dev_free_security() - Free a TUN device LSM blob5122* @security: LSM blob5123*5124* This hook allows a module to free the security structure for a TUN device.5125*/5126void security_tun_dev_free_security(void *security)5127{5128kfree(security);5129}5130EXPORT_SYMBOL(security_tun_dev_free_security);51315132/**5133* security_tun_dev_create() - Check if creating a TUN device is allowed5134*5135* Check permissions prior to creating a new TUN device.5136*5137* Return: Returns 0 if permission is granted.5138*/5139int security_tun_dev_create(void)5140{5141return call_int_hook(tun_dev_create);5142}5143EXPORT_SYMBOL(security_tun_dev_create);51445145/**5146* security_tun_dev_attach_queue() - Check if attaching a TUN queue is allowed5147* @security: TUN device LSM blob5148*5149* Check permissions prior to attaching to a TUN device queue.5150*5151* Return: Returns 0 if permission is granted.5152*/5153int security_tun_dev_attach_queue(void *security)5154{5155return call_int_hook(tun_dev_attach_queue, security);5156}5157EXPORT_SYMBOL(security_tun_dev_attach_queue);51585159/**5160* security_tun_dev_attach() - Update TUN device LSM state on attach5161* @sk: associated sock5162* @security: TUN device LSM blob5163*5164* This hook can be used by the module to update any security state associated5165* with the TUN device's sock structure.5166*5167* Return: Returns 0 if permission is granted.5168*/5169int security_tun_dev_attach(struct sock *sk, void *security)5170{5171return call_int_hook(tun_dev_attach, sk, security);5172}5173EXPORT_SYMBOL(security_tun_dev_attach);51745175/**5176* security_tun_dev_open() - Update TUN device LSM state on open5177* @security: TUN device LSM blob5178*5179* This hook can be used by the module to update any security state associated5180* with the TUN device's security structure.5181*5182* Return: Returns 0 if permission is granted.5183*/5184int security_tun_dev_open(void *security)5185{5186return call_int_hook(tun_dev_open, security);5187}5188EXPORT_SYMBOL(security_tun_dev_open);51895190/**5191* security_sctp_assoc_request() - Update the LSM on a SCTP association req5192* @asoc: SCTP association5193* @skb: packet requesting the association5194*5195* Passes the @asoc and @chunk->skb of the association INIT packet to the LSM.5196*5197* Return: Returns 0 on success, error on failure.5198*/5199int security_sctp_assoc_request(struct sctp_association *asoc,5200struct sk_buff *skb)5201{5202return call_int_hook(sctp_assoc_request, asoc, skb);5203}5204EXPORT_SYMBOL(security_sctp_assoc_request);52055206/**5207* security_sctp_bind_connect() - Validate a list of addrs for a SCTP option5208* @sk: socket5209* @optname: SCTP option to validate5210* @address: list of IP addresses to validate5211* @addrlen: length of the address list5212*5213* Validiate permissions required for each address associated with sock @sk.5214* Depending on @optname, the addresses will be treated as either a connect or5215* bind service. The @addrlen is calculated on each IPv4 and IPv6 address using5216* sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6).5217*5218* Return: Returns 0 on success, error on failure.5219*/5220int security_sctp_bind_connect(struct sock *sk, int optname,5221struct sockaddr *address, int addrlen)5222{5223return call_int_hook(sctp_bind_connect, sk, optname, address, addrlen);5224}5225EXPORT_SYMBOL(security_sctp_bind_connect);52265227/**5228* security_sctp_sk_clone() - Clone a SCTP sock's LSM state5229* @asoc: SCTP association5230* @sk: original sock5231* @newsk: target sock5232*5233* Called whenever a new socket is created by accept(2) (i.e. a TCP style5234* socket) or when a socket is 'peeled off' e.g userspace calls5235* sctp_peeloff(3).5236*/5237void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,5238struct sock *newsk)5239{5240call_void_hook(sctp_sk_clone, asoc, sk, newsk);5241}5242EXPORT_SYMBOL(security_sctp_sk_clone);52435244/**5245* security_sctp_assoc_established() - Update LSM state when assoc established5246* @asoc: SCTP association5247* @skb: packet establishing the association5248*5249* Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet to the5250* security module.5251*5252* Return: Returns 0 if permission is granted.5253*/5254int security_sctp_assoc_established(struct sctp_association *asoc,5255struct sk_buff *skb)5256{5257return call_int_hook(sctp_assoc_established, asoc, skb);5258}5259EXPORT_SYMBOL(security_sctp_assoc_established);52605261/**5262* security_mptcp_add_subflow() - Inherit the LSM label from the MPTCP socket5263* @sk: the owning MPTCP socket5264* @ssk: the new subflow5265*5266* Update the labeling for the given MPTCP subflow, to match the one of the5267* owning MPTCP socket. This hook has to be called after the socket creation and5268* initialization via the security_socket_create() and5269* security_socket_post_create() LSM hooks.5270*5271* Return: Returns 0 on success or a negative error code on failure.5272*/5273int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)5274{5275return call_int_hook(mptcp_add_subflow, sk, ssk);5276}52775278#endif /* CONFIG_SECURITY_NETWORK */52795280#ifdef CONFIG_SECURITY_INFINIBAND5281/**5282* security_ib_pkey_access() - Check if access to an IB pkey is allowed5283* @sec: LSM blob5284* @subnet_prefix: subnet prefix of the port5285* @pkey: IB pkey5286*5287* Check permission to access a pkey when modifying a QP.5288*5289* Return: Returns 0 if permission is granted.5290*/5291int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey)5292{5293return call_int_hook(ib_pkey_access, sec, subnet_prefix, pkey);5294}5295EXPORT_SYMBOL(security_ib_pkey_access);52965297/**5298* security_ib_endport_manage_subnet() - Check if SMPs traffic is allowed5299* @sec: LSM blob5300* @dev_name: IB device name5301* @port_num: port number5302*5303* Check permissions to send and receive SMPs on a end port.5304*5305* Return: Returns 0 if permission is granted.5306*/5307int security_ib_endport_manage_subnet(void *sec,5308const char *dev_name, u8 port_num)5309{5310return call_int_hook(ib_endport_manage_subnet, sec, dev_name, port_num);5311}5312EXPORT_SYMBOL(security_ib_endport_manage_subnet);53135314/**5315* security_ib_alloc_security() - Allocate an Infiniband LSM blob5316* @sec: LSM blob5317*5318* Allocate a security structure for Infiniband objects.5319*5320* Return: Returns 0 on success, non-zero on failure.5321*/5322int security_ib_alloc_security(void **sec)5323{5324int rc;53255326rc = lsm_blob_alloc(sec, blob_sizes.lbs_ib, GFP_KERNEL);5327if (rc)5328return rc;53295330rc = call_int_hook(ib_alloc_security, *sec);5331if (rc) {5332kfree(*sec);5333*sec = NULL;5334}5335return rc;5336}5337EXPORT_SYMBOL(security_ib_alloc_security);53385339/**5340* security_ib_free_security() - Free an Infiniband LSM blob5341* @sec: LSM blob5342*5343* Deallocate an Infiniband security structure.5344*/5345void security_ib_free_security(void *sec)5346{5347kfree(sec);5348}5349EXPORT_SYMBOL(security_ib_free_security);5350#endif /* CONFIG_SECURITY_INFINIBAND */53515352#ifdef CONFIG_SECURITY_NETWORK_XFRM5353/**5354* security_xfrm_policy_alloc() - Allocate a xfrm policy LSM blob5355* @ctxp: xfrm security context being added to the SPD5356* @sec_ctx: security label provided by userspace5357* @gfp: gfp flags5358*5359* Allocate a security structure to the xp->security field; the security field5360* is initialized to NULL when the xfrm_policy is allocated.5361*5362* Return: Return 0 if operation was successful.5363*/5364int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,5365struct xfrm_user_sec_ctx *sec_ctx,5366gfp_t gfp)5367{5368return call_int_hook(xfrm_policy_alloc_security, ctxp, sec_ctx, gfp);5369}5370EXPORT_SYMBOL(security_xfrm_policy_alloc);53715372/**5373* security_xfrm_policy_clone() - Clone xfrm policy LSM state5374* @old_ctx: xfrm security context5375* @new_ctxp: target xfrm security context5376*5377* Allocate a security structure in new_ctxp that contains the information from5378* the old_ctx structure.5379*5380* Return: Return 0 if operation was successful.5381*/5382int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,5383struct xfrm_sec_ctx **new_ctxp)5384{5385return call_int_hook(xfrm_policy_clone_security, old_ctx, new_ctxp);5386}53875388/**5389* security_xfrm_policy_free() - Free a xfrm security context5390* @ctx: xfrm security context5391*5392* Free LSM resources associated with @ctx.5393*/5394void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)5395{5396call_void_hook(xfrm_policy_free_security, ctx);5397}5398EXPORT_SYMBOL(security_xfrm_policy_free);53995400/**5401* security_xfrm_policy_delete() - Check if deleting a xfrm policy is allowed5402* @ctx: xfrm security context5403*5404* Authorize deletion of a SPD entry.5405*5406* Return: Returns 0 if permission is granted.5407*/5408int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)5409{5410return call_int_hook(xfrm_policy_delete_security, ctx);5411}54125413/**5414* security_xfrm_state_alloc() - Allocate a xfrm state LSM blob5415* @x: xfrm state being added to the SAD5416* @sec_ctx: security label provided by userspace5417*5418* Allocate a security structure to the @x->security field; the security field5419* is initialized to NULL when the xfrm_state is allocated. Set the context to5420* correspond to @sec_ctx.5421*5422* Return: Return 0 if operation was successful.5423*/5424int security_xfrm_state_alloc(struct xfrm_state *x,5425struct xfrm_user_sec_ctx *sec_ctx)5426{5427return call_int_hook(xfrm_state_alloc, x, sec_ctx);5428}5429EXPORT_SYMBOL(security_xfrm_state_alloc);54305431/**5432* security_xfrm_state_alloc_acquire() - Allocate a xfrm state LSM blob5433* @x: xfrm state being added to the SAD5434* @polsec: associated policy's security context5435* @secid: secid from the flow5436*5437* Allocate a security structure to the x->security field; the security field5438* is initialized to NULL when the xfrm_state is allocated. Set the context to5439* correspond to secid.5440*5441* Return: Returns 0 if operation was successful.5442*/5443int security_xfrm_state_alloc_acquire(struct xfrm_state *x,5444struct xfrm_sec_ctx *polsec, u32 secid)5445{5446return call_int_hook(xfrm_state_alloc_acquire, x, polsec, secid);5447}54485449/**5450* security_xfrm_state_delete() - Check if deleting a xfrm state is allowed5451* @x: xfrm state5452*5453* Authorize deletion of x->security.5454*5455* Return: Returns 0 if permission is granted.5456*/5457int security_xfrm_state_delete(struct xfrm_state *x)5458{5459return call_int_hook(xfrm_state_delete_security, x);5460}5461EXPORT_SYMBOL(security_xfrm_state_delete);54625463/**5464* security_xfrm_state_free() - Free a xfrm state5465* @x: xfrm state5466*5467* Deallocate x->security.5468*/5469void security_xfrm_state_free(struct xfrm_state *x)5470{5471call_void_hook(xfrm_state_free_security, x);5472}54735474/**5475* security_xfrm_policy_lookup() - Check if using a xfrm policy is allowed5476* @ctx: target xfrm security context5477* @fl_secid: flow secid used to authorize access5478*5479* Check permission when a flow selects a xfrm_policy for processing XFRMs on a5480* packet. The hook is called when selecting either a per-socket policy or a5481* generic xfrm policy.5482*5483* Return: Return 0 if permission is granted, -ESRCH otherwise, or -errno on5484* other errors.5485*/5486int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)5487{5488return call_int_hook(xfrm_policy_lookup, ctx, fl_secid);5489}54905491/**5492* security_xfrm_state_pol_flow_match() - Check for a xfrm match5493* @x: xfrm state to match5494* @xp: xfrm policy to check for a match5495* @flic: flow to check for a match.5496*5497* Check @xp and @flic for a match with @x.5498*5499* Return: Returns 1 if there is a match.5500*/5501int security_xfrm_state_pol_flow_match(struct xfrm_state *x,5502struct xfrm_policy *xp,5503const struct flowi_common *flic)5504{5505struct lsm_static_call *scall;5506int rc = LSM_RET_DEFAULT(xfrm_state_pol_flow_match);55075508/*5509* Since this function is expected to return 0 or 1, the judgment5510* becomes difficult if multiple LSMs supply this call. Fortunately,5511* we can use the first LSM's judgment because currently only SELinux5512* supplies this call.5513*5514* For speed optimization, we explicitly break the loop rather than5515* using the macro5516*/5517lsm_for_each_hook(scall, xfrm_state_pol_flow_match) {5518rc = scall->hl->hook.xfrm_state_pol_flow_match(x, xp, flic);5519break;5520}5521return rc;5522}55235524/**5525* security_xfrm_decode_session() - Determine the xfrm secid for a packet5526* @skb: xfrm packet5527* @secid: secid5528*5529* Decode the packet in @skb and return the security label in @secid.5530*5531* Return: Return 0 if all xfrms used have the same secid.5532*/5533int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)5534{5535return call_int_hook(xfrm_decode_session, skb, secid, 1);5536}55375538void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)5539{5540int rc = call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid,55410);55425543BUG_ON(rc);5544}5545EXPORT_SYMBOL(security_skb_classify_flow);5546#endif /* CONFIG_SECURITY_NETWORK_XFRM */55475548#ifdef CONFIG_KEYS5549/**5550* security_key_alloc() - Allocate and initialize a kernel key LSM blob5551* @key: key5552* @cred: credentials5553* @flags: allocation flags5554*5555* Permit allocation of a key and assign security data. Note that key does not5556* have a serial number assigned at this point.5557*5558* Return: Return 0 if permission is granted, -ve error otherwise.5559*/5560int security_key_alloc(struct key *key, const struct cred *cred,5561unsigned long flags)5562{5563int rc = lsm_key_alloc(key);55645565if (unlikely(rc))5566return rc;5567rc = call_int_hook(key_alloc, key, cred, flags);5568if (unlikely(rc))5569security_key_free(key);5570return rc;5571}55725573/**5574* security_key_free() - Free a kernel key LSM blob5575* @key: key5576*5577* Notification of destruction; free security data.5578*/5579void security_key_free(struct key *key)5580{5581kfree(key->security);5582key->security = NULL;5583}55845585/**5586* security_key_permission() - Check if a kernel key operation is allowed5587* @key_ref: key reference5588* @cred: credentials of actor requesting access5589* @need_perm: requested permissions5590*5591* See whether a specific operational right is granted to a process on a key.5592*5593* Return: Return 0 if permission is granted, -ve error otherwise.5594*/5595int security_key_permission(key_ref_t key_ref, const struct cred *cred,5596enum key_need_perm need_perm)5597{5598return call_int_hook(key_permission, key_ref, cred, need_perm);5599}56005601/**5602* security_key_getsecurity() - Get the key's security label5603* @key: key5604* @buffer: security label buffer5605*5606* Get a textual representation of the security context attached to a key for5607* the purposes of honouring KEYCTL_GETSECURITY. This function allocates the5608* storage for the NUL-terminated string and the caller should free it.5609*5610* Return: Returns the length of @buffer (including terminating NUL) or -ve if5611* an error occurs. May also return 0 (and a NULL buffer pointer) if5612* there is no security label assigned to the key.5613*/5614int security_key_getsecurity(struct key *key, char **buffer)5615{5616*buffer = NULL;5617return call_int_hook(key_getsecurity, key, buffer);5618}56195620/**5621* security_key_post_create_or_update() - Notification of key create or update5622* @keyring: keyring to which the key is linked to5623* @key: created or updated key5624* @payload: data used to instantiate or update the key5625* @payload_len: length of payload5626* @flags: key flags5627* @create: flag indicating whether the key was created or updated5628*5629* Notify the caller of a key creation or update.5630*/5631void security_key_post_create_or_update(struct key *keyring, struct key *key,5632const void *payload, size_t payload_len,5633unsigned long flags, bool create)5634{5635call_void_hook(key_post_create_or_update, keyring, key, payload,5636payload_len, flags, create);5637}5638#endif /* CONFIG_KEYS */56395640#ifdef CONFIG_AUDIT5641/**5642* security_audit_rule_init() - Allocate and init an LSM audit rule struct5643* @field: audit action5644* @op: rule operator5645* @rulestr: rule context5646* @lsmrule: receive buffer for audit rule struct5647* @gfp: GFP flag used for kmalloc5648*5649* Allocate and initialize an LSM audit rule structure.5650*5651* Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of5652* an invalid rule.5653*/5654int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,5655gfp_t gfp)5656{5657return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp);5658}56595660/**5661* security_audit_rule_known() - Check if an audit rule contains LSM fields5662* @krule: audit rule5663*5664* Specifies whether given @krule contains any fields related to the current5665* LSM.5666*5667* Return: Returns 1 in case of relation found, 0 otherwise.5668*/5669int security_audit_rule_known(struct audit_krule *krule)5670{5671return call_int_hook(audit_rule_known, krule);5672}56735674/**5675* security_audit_rule_free() - Free an LSM audit rule struct5676* @lsmrule: audit rule struct5677*5678* Deallocate the LSM audit rule structure previously allocated by5679* audit_rule_init().5680*/5681void security_audit_rule_free(void *lsmrule)5682{5683call_void_hook(audit_rule_free, lsmrule);5684}56855686/**5687* security_audit_rule_match() - Check if a label matches an audit rule5688* @prop: security label5689* @field: LSM audit field5690* @op: matching operator5691* @lsmrule: audit rule5692*5693* Determine if given @secid matches a rule previously approved by5694* security_audit_rule_known().5695*5696* Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on5697* failure.5698*/5699int security_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op,5700void *lsmrule)5701{5702return call_int_hook(audit_rule_match, prop, field, op, lsmrule);5703}5704#endif /* CONFIG_AUDIT */57055706#ifdef CONFIG_BPF_SYSCALL5707/**5708* security_bpf() - Check if the bpf syscall operation is allowed5709* @cmd: command5710* @attr: bpf attribute5711* @size: size5712* @kernel: whether or not call originated from kernel5713*5714* Do a initial check for all bpf syscalls after the attribute is copied into5715* the kernel. The actual security module can implement their own rules to5716* check the specific cmd they need.5717*5718* Return: Returns 0 if permission is granted.5719*/5720int security_bpf(int cmd, union bpf_attr *attr, unsigned int size, bool kernel)5721{5722return call_int_hook(bpf, cmd, attr, size, kernel);5723}57245725/**5726* security_bpf_map() - Check if access to a bpf map is allowed5727* @map: bpf map5728* @fmode: mode5729*5730* Do a check when the kernel generates and returns a file descriptor for eBPF5731* maps.5732*5733* Return: Returns 0 if permission is granted.5734*/5735int security_bpf_map(struct bpf_map *map, fmode_t fmode)5736{5737return call_int_hook(bpf_map, map, fmode);5738}57395740/**5741* security_bpf_prog() - Check if access to a bpf program is allowed5742* @prog: bpf program5743*5744* Do a check when the kernel generates and returns a file descriptor for eBPF5745* programs.5746*5747* Return: Returns 0 if permission is granted.5748*/5749int security_bpf_prog(struct bpf_prog *prog)5750{5751return call_int_hook(bpf_prog, prog);5752}57535754/**5755* security_bpf_map_create() - Check if BPF map creation is allowed5756* @map: BPF map object5757* @attr: BPF syscall attributes used to create BPF map5758* @token: BPF token used to grant user access5759* @kernel: whether or not call originated from kernel5760*5761* Do a check when the kernel creates a new BPF map. This is also the5762* point where LSM blob is allocated for LSMs that need them.5763*5764* Return: Returns 0 on success, error on failure.5765*/5766int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,5767struct bpf_token *token, bool kernel)5768{5769int rc;57705771rc = lsm_bpf_map_alloc(map);5772if (unlikely(rc))5773return rc;57745775rc = call_int_hook(bpf_map_create, map, attr, token, kernel);5776if (unlikely(rc))5777security_bpf_map_free(map);5778return rc;5779}57805781/**5782* security_bpf_prog_load() - Check if loading of BPF program is allowed5783* @prog: BPF program object5784* @attr: BPF syscall attributes used to create BPF program5785* @token: BPF token used to grant user access to BPF subsystem5786* @kernel: whether or not call originated from kernel5787*5788* Perform an access control check when the kernel loads a BPF program and5789* allocates associated BPF program object. This hook is also responsible for5790* allocating any required LSM state for the BPF program.5791*5792* Return: Returns 0 on success, error on failure.5793*/5794int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,5795struct bpf_token *token, bool kernel)5796{5797int rc;57985799rc = lsm_bpf_prog_alloc(prog);5800if (unlikely(rc))5801return rc;58025803rc = call_int_hook(bpf_prog_load, prog, attr, token, kernel);5804if (unlikely(rc))5805security_bpf_prog_free(prog);5806return rc;5807}58085809/**5810* security_bpf_token_create() - Check if creating of BPF token is allowed5811* @token: BPF token object5812* @attr: BPF syscall attributes used to create BPF token5813* @path: path pointing to BPF FS mount point from which BPF token is created5814*5815* Do a check when the kernel instantiates a new BPF token object from BPF FS5816* instance. This is also the point where LSM blob can be allocated for LSMs.5817*5818* Return: Returns 0 on success, error on failure.5819*/5820int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,5821const struct path *path)5822{5823int rc;58245825rc = lsm_bpf_token_alloc(token);5826if (unlikely(rc))5827return rc;58285829rc = call_int_hook(bpf_token_create, token, attr, path);5830if (unlikely(rc))5831security_bpf_token_free(token);5832return rc;5833}58345835/**5836* security_bpf_token_cmd() - Check if BPF token is allowed to delegate5837* requested BPF syscall command5838* @token: BPF token object5839* @cmd: BPF syscall command requested to be delegated by BPF token5840*5841* Do a check when the kernel decides whether provided BPF token should allow5842* delegation of requested BPF syscall command.5843*5844* Return: Returns 0 on success, error on failure.5845*/5846int security_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)5847{5848return call_int_hook(bpf_token_cmd, token, cmd);5849}58505851/**5852* security_bpf_token_capable() - Check if BPF token is allowed to delegate5853* requested BPF-related capability5854* @token: BPF token object5855* @cap: capabilities requested to be delegated by BPF token5856*5857* Do a check when the kernel decides whether provided BPF token should allow5858* delegation of requested BPF-related capabilities.5859*5860* Return: Returns 0 on success, error on failure.5861*/5862int security_bpf_token_capable(const struct bpf_token *token, int cap)5863{5864return call_int_hook(bpf_token_capable, token, cap);5865}58665867/**5868* security_bpf_map_free() - Free a bpf map's LSM blob5869* @map: bpf map5870*5871* Clean up the security information stored inside bpf map.5872*/5873void security_bpf_map_free(struct bpf_map *map)5874{5875call_void_hook(bpf_map_free, map);5876kfree(map->security);5877map->security = NULL;5878}58795880/**5881* security_bpf_prog_free() - Free a BPF program's LSM blob5882* @prog: BPF program struct5883*5884* Clean up the security information stored inside BPF program.5885*/5886void security_bpf_prog_free(struct bpf_prog *prog)5887{5888call_void_hook(bpf_prog_free, prog);5889kfree(prog->aux->security);5890prog->aux->security = NULL;5891}58925893/**5894* security_bpf_token_free() - Free a BPF token's LSM blob5895* @token: BPF token struct5896*5897* Clean up the security information stored inside BPF token.5898*/5899void security_bpf_token_free(struct bpf_token *token)5900{5901call_void_hook(bpf_token_free, token);5902kfree(token->security);5903token->security = NULL;5904}5905#endif /* CONFIG_BPF_SYSCALL */59065907/**5908* security_locked_down() - Check if a kernel feature is allowed5909* @what: requested kernel feature5910*5911* Determine whether a kernel feature that potentially enables arbitrary code5912* execution in kernel space should be permitted.5913*5914* Return: Returns 0 if permission is granted.5915*/5916int security_locked_down(enum lockdown_reason what)5917{5918return call_int_hook(locked_down, what);5919}5920EXPORT_SYMBOL(security_locked_down);59215922/**5923* security_bdev_alloc() - Allocate a block device LSM blob5924* @bdev: block device5925*5926* Allocate and attach a security structure to @bdev->bd_security. The5927* security field is initialized to NULL when the bdev structure is5928* allocated.5929*5930* Return: Return 0 if operation was successful.5931*/5932int security_bdev_alloc(struct block_device *bdev)5933{5934int rc = 0;59355936rc = lsm_bdev_alloc(bdev);5937if (unlikely(rc))5938return rc;59395940rc = call_int_hook(bdev_alloc_security, bdev);5941if (unlikely(rc))5942security_bdev_free(bdev);59435944return rc;5945}5946EXPORT_SYMBOL(security_bdev_alloc);59475948/**5949* security_bdev_free() - Free a block device's LSM blob5950* @bdev: block device5951*5952* Deallocate the bdev security structure and set @bdev->bd_security to NULL.5953*/5954void security_bdev_free(struct block_device *bdev)5955{5956if (!bdev->bd_security)5957return;59585959call_void_hook(bdev_free_security, bdev);59605961kfree(bdev->bd_security);5962bdev->bd_security = NULL;5963}5964EXPORT_SYMBOL(security_bdev_free);59655966/**5967* security_bdev_setintegrity() - Set the device's integrity data5968* @bdev: block device5969* @type: type of integrity, e.g. hash digest, signature, etc5970* @value: the integrity value5971* @size: size of the integrity value5972*5973* Register a verified integrity measurement of a bdev with LSMs.5974* LSMs should free the previously saved data if @value is NULL.5975* Please note that the new hook should be invoked every time the security5976* information is updated to keep these data current. For example, in dm-verity,5977* if the mapping table is reloaded and configured to use a different dm-verity5978* target with a new roothash and signing information, the previously stored5979* data in the LSM blob will become obsolete. It is crucial to re-invoke the5980* hook to refresh these data and ensure they are up to date. This necessity5981* arises from the design of device-mapper, where a device-mapper device is5982* first created, and then targets are subsequently loaded into it. These5983* targets can be modified multiple times during the device's lifetime.5984* Therefore, while the LSM blob is allocated during the creation of the block5985* device, its actual contents are not initialized at this stage and can change5986* substantially over time. This includes alterations from data that the LSMs5987* 'trusts' to those they do not, making it essential to handle these changes5988* correctly. Failure to address this dynamic aspect could potentially allow5989* for bypassing LSM checks.5990*5991* Return: Returns 0 on success, negative values on failure.5992*/5993int security_bdev_setintegrity(struct block_device *bdev,5994enum lsm_integrity_type type, const void *value,5995size_t size)5996{5997return call_int_hook(bdev_setintegrity, bdev, type, value, size);5998}5999EXPORT_SYMBOL(security_bdev_setintegrity);60006001#ifdef CONFIG_PERF_EVENTS6002/**6003* security_perf_event_open() - Check if a perf event open is allowed6004* @type: type of event6005*6006* Check whether the @type of perf_event_open syscall is allowed.6007*6008* Return: Returns 0 if permission is granted.6009*/6010int security_perf_event_open(int type)6011{6012return call_int_hook(perf_event_open, type);6013}60146015/**6016* security_perf_event_alloc() - Allocate a perf event LSM blob6017* @event: perf event6018*6019* Allocate and save perf_event security info.6020*6021* Return: Returns 0 on success, error on failure.6022*/6023int security_perf_event_alloc(struct perf_event *event)6024{6025int rc;60266027rc = lsm_blob_alloc(&event->security, blob_sizes.lbs_perf_event,6028GFP_KERNEL);6029if (rc)6030return rc;60316032rc = call_int_hook(perf_event_alloc, event);6033if (rc) {6034kfree(event->security);6035event->security = NULL;6036}6037return rc;6038}60396040/**6041* security_perf_event_free() - Free a perf event LSM blob6042* @event: perf event6043*6044* Release (free) perf_event security info.6045*/6046void security_perf_event_free(struct perf_event *event)6047{6048kfree(event->security);6049event->security = NULL;6050}60516052/**6053* security_perf_event_read() - Check if reading a perf event label is allowed6054* @event: perf event6055*6056* Read perf_event security info if allowed.6057*6058* Return: Returns 0 if permission is granted.6059*/6060int security_perf_event_read(struct perf_event *event)6061{6062return call_int_hook(perf_event_read, event);6063}60646065/**6066* security_perf_event_write() - Check if writing a perf event label is allowed6067* @event: perf event6068*6069* Write perf_event security info if allowed.6070*6071* Return: Returns 0 if permission is granted.6072*/6073int security_perf_event_write(struct perf_event *event)6074{6075return call_int_hook(perf_event_write, event);6076}6077#endif /* CONFIG_PERF_EVENTS */60786079#ifdef CONFIG_IO_URING6080/**6081* security_uring_override_creds() - Check if overriding creds is allowed6082* @new: new credentials6083*6084* Check if the current task, executing an io_uring operation, is allowed to6085* override it's credentials with @new.6086*6087* Return: Returns 0 if permission is granted.6088*/6089int security_uring_override_creds(const struct cred *new)6090{6091return call_int_hook(uring_override_creds, new);6092}60936094/**6095* security_uring_sqpoll() - Check if IORING_SETUP_SQPOLL is allowed6096*6097* Check whether the current task is allowed to spawn a io_uring polling thread6098* (IORING_SETUP_SQPOLL).6099*6100* Return: Returns 0 if permission is granted.6101*/6102int security_uring_sqpoll(void)6103{6104return call_int_hook(uring_sqpoll);6105}61066107/**6108* security_uring_cmd() - Check if a io_uring passthrough command is allowed6109* @ioucmd: command6110*6111* Check whether the file_operations uring_cmd is allowed to run.6112*6113* Return: Returns 0 if permission is granted.6114*/6115int security_uring_cmd(struct io_uring_cmd *ioucmd)6116{6117return call_int_hook(uring_cmd, ioucmd);6118}61196120/**6121* security_uring_allowed() - Check if io_uring_setup() is allowed6122*6123* Check whether the current task is allowed to call io_uring_setup().6124*6125* Return: Returns 0 if permission is granted.6126*/6127int security_uring_allowed(void)6128{6129return call_int_hook(uring_allowed);6130}6131#endif /* CONFIG_IO_URING */61326133/**6134* security_initramfs_populated() - Notify LSMs that initramfs has been loaded6135*6136* Tells the LSMs the initramfs has been unpacked into the rootfs.6137*/6138void security_initramfs_populated(void)6139{6140call_void_hook(initramfs_populated);6141}614261436144