// SPDX-License-Identifier: GPL-2.0-or-later1/*2* Security plug functions3*4* Copyright (C) 2001 WireX Communications, Inc <[email protected]>5* Copyright (C) 2001-2002 Greg Kroah-Hartman <[email protected]>6* Copyright (C) 2001 Networks Associates Technology, Inc <[email protected]>7* Copyright (C) 2016 Mellanox Technologies8* Copyright (C) 2023 Microsoft Corporation <[email protected]>9*/1011#define pr_fmt(fmt) "LSM: " fmt1213#include <linux/bpf.h>14#include <linux/capability.h>15#include <linux/dcache.h>16#include <linux/export.h>17#include <linux/init.h>18#include <linux/kernel.h>19#include <linux/kernel_read_file.h>20#include <linux/lsm_hooks.h>21#include <linux/mman.h>22#include <linux/mount.h>23#include <linux/personality.h>24#include <linux/backing-dev.h>25#include <linux/string.h>26#include <linux/xattr.h>27#include <linux/msg.h>28#include <linux/overflow.h>29#include <linux/perf_event.h>30#include <linux/fs.h>31#include <net/flow.h>32#include <net/sock.h>3334#define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX3536/*37* Identifier for the LSM static calls.38* HOOK is an LSM hook as defined in linux/lsm_hookdefs.h39* IDX is the index of the static call. 0 <= NUM < MAX_LSM_COUNT40*/41#define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX4243/*44* Call the macro M for each LSM hook MAX_LSM_COUNT times.45*/46#define LSM_LOOP_UNROLL(M, ...) \47do { \48UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) \49} while (0)5051#define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__)5253/*54* These are descriptions of the reasons that can be passed to the55* security_locked_down() LSM hook. Placing this array here allows56* all security modules to use the same descriptions for auditing57* purposes.58*/59const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {60[LOCKDOWN_NONE] = "none",61[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",62[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",63[LOCKDOWN_EFI_TEST] = "/dev/efi_test access",64[LOCKDOWN_KEXEC] = "kexec of unsigned images",65[LOCKDOWN_HIBERNATION] = "hibernation",66[LOCKDOWN_PCI_ACCESS] = "direct PCI access",67[LOCKDOWN_IOPORT] = "raw io port access",68[LOCKDOWN_MSR] = "raw MSR access",69[LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables",70[LOCKDOWN_DEVICE_TREE] = "modifying device tree contents",71[LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage",72[LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO",73[LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",74[LOCKDOWN_MMIOTRACE] = "unsafe mmio",75[LOCKDOWN_DEBUGFS] = "debugfs access",76[LOCKDOWN_XMON_WR] = "xmon write access",77[LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",78[LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",79[LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",80[LOCKDOWN_INTEGRITY_MAX] = "integrity",81[LOCKDOWN_KCORE] = "/proc/kcore access",82[LOCKDOWN_KPROBES] = "use of kprobes",83[LOCKDOWN_BPF_READ_KERNEL] = "use of bpf to read kernel RAM",84[LOCKDOWN_DBG_READ_KERNEL] = "use of kgdb/kdb to read kernel RAM",85[LOCKDOWN_PERF] = "unsafe use of perf",86[LOCKDOWN_TRACEFS] = "use of tracefs",87[LOCKDOWN_XMON_RW] = "xmon read and write access",88[LOCKDOWN_XFRM_SECRET] = "xfrm SA secret",89[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",90};9192static BLOCKING_NOTIFIER_HEAD(blocking_lsm_notifier_chain);9394static struct kmem_cache *lsm_file_cache;95static struct kmem_cache *lsm_inode_cache;9697char *lsm_names;98static struct lsm_blob_sizes blob_sizes __ro_after_init;99100/* Boot-time LSM user choice */101static __initdata const char *chosen_lsm_order;102static __initdata const char *chosen_major_lsm;103104static __initconst const char *const builtin_lsm_order = CONFIG_LSM;105106/* Ordered list of LSMs to initialize. */107static __initdata struct lsm_info *ordered_lsms[MAX_LSM_COUNT + 1];108static __initdata struct lsm_info *exclusive;109110#ifdef CONFIG_HAVE_STATIC_CALL111#define LSM_HOOK_TRAMP(NAME, NUM) \112&STATIC_CALL_TRAMP(LSM_STATIC_CALL(NAME, NUM))113#else114#define LSM_HOOK_TRAMP(NAME, NUM) NULL115#endif116117/*118* Define static calls and static keys for each LSM hook.119*/120#define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \121DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \122*((RET(*)(__VA_ARGS__))NULL)); \123DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM));124125#define LSM_HOOK(RET, DEFAULT, NAME, ...) \126LSM_DEFINE_UNROLL(DEFINE_LSM_STATIC_CALL, NAME, RET, __VA_ARGS__)127#include <linux/lsm_hook_defs.h>128#undef LSM_HOOK129#undef DEFINE_LSM_STATIC_CALL130131/*132* Initialise a table of static calls for each LSM hook.133* DEFINE_STATIC_CALL_NULL invocation above generates a key (STATIC_CALL_KEY)134* and a trampoline (STATIC_CALL_TRAMP) which are used to call135* __static_call_update when updating the static call.136*137* The static calls table is used by early LSMs, some architectures can fault on138* unaligned accesses and the fault handling code may not be ready by then.139* Thus, the static calls table should be aligned to avoid any unhandled faults140* in early init.141*/142struct lsm_static_calls_table143static_calls_table __ro_after_init __aligned(sizeof(u64)) = {144#define INIT_LSM_STATIC_CALL(NUM, NAME) \145(struct lsm_static_call) { \146.key = &STATIC_CALL_KEY(LSM_STATIC_CALL(NAME, NUM)), \147.trampoline = LSM_HOOK_TRAMP(NAME, NUM), \148.active = &SECURITY_HOOK_ACTIVE_KEY(NAME, NUM), \149},150#define LSM_HOOK(RET, DEFAULT, NAME, ...) \151.NAME = { \152LSM_DEFINE_UNROLL(INIT_LSM_STATIC_CALL, NAME) \153},154#include <linux/lsm_hook_defs.h>155#undef LSM_HOOK156#undef INIT_LSM_STATIC_CALL157};158159static __initdata bool debug;160#define init_debug(...) \161do { \162if (debug) \163pr_info(__VA_ARGS__); \164} while (0)165166static bool __init is_enabled(struct lsm_info *lsm)167{168if (!lsm->enabled)169return false;170171return *lsm->enabled;172}173174/* Mark an LSM's enabled flag. */175static int lsm_enabled_true __initdata = 1;176static int lsm_enabled_false __initdata = 0;177static void __init set_enabled(struct lsm_info *lsm, bool enabled)178{179/*180* When an LSM hasn't configured an enable variable, we can use181* a hard-coded location for storing the default enabled state.182*/183if (!lsm->enabled) {184if (enabled)185lsm->enabled = &lsm_enabled_true;186else187lsm->enabled = &lsm_enabled_false;188} else if (lsm->enabled == &lsm_enabled_true) {189if (!enabled)190lsm->enabled = &lsm_enabled_false;191} else if (lsm->enabled == &lsm_enabled_false) {192if (enabled)193lsm->enabled = &lsm_enabled_true;194} else {195*lsm->enabled = enabled;196}197}198199/* Is an LSM already listed in the ordered LSMs list? */200static bool __init exists_ordered_lsm(struct lsm_info *lsm)201{202struct lsm_info **check;203204for (check = ordered_lsms; *check; check++)205if (*check == lsm)206return true;207208return false;209}210211/* Append an LSM to the list of ordered LSMs to initialize. */212static int last_lsm __initdata;213static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from)214{215/* Ignore duplicate selections. */216if (exists_ordered_lsm(lsm))217return;218219if (WARN(last_lsm == MAX_LSM_COUNT, "%s: out of LSM static calls!?\n", from))220return;221222/* Enable this LSM, if it is not already set. */223if (!lsm->enabled)224lsm->enabled = &lsm_enabled_true;225ordered_lsms[last_lsm++] = lsm;226227init_debug("%s ordered: %s (%s)\n", from, lsm->name,228is_enabled(lsm) ? "enabled" : "disabled");229}230231/* Is an LSM allowed to be initialized? */232static bool __init lsm_allowed(struct lsm_info *lsm)233{234/* Skip if the LSM is disabled. */235if (!is_enabled(lsm))236return false;237238/* Not allowed if another exclusive LSM already initialized. */239if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) {240init_debug("exclusive disabled: %s\n", lsm->name);241return false;242}243244return true;245}246247static void __init lsm_set_blob_size(int *need, int *lbs)248{249int offset;250251if (*need <= 0)252return;253254offset = ALIGN(*lbs, sizeof(void *));255*lbs = offset + *need;256*need = offset;257}258259static void __init lsm_set_blob_sizes(struct lsm_blob_sizes *needed)260{261if (!needed)262return;263264lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred);265lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file);266lsm_set_blob_size(&needed->lbs_ib, &blob_sizes.lbs_ib);267/*268* The inode blob gets an rcu_head in addition to269* what the modules might need.270*/271if (needed->lbs_inode && blob_sizes.lbs_inode == 0)272blob_sizes.lbs_inode = sizeof(struct rcu_head);273lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode);274lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc);275lsm_set_blob_size(&needed->lbs_key, &blob_sizes.lbs_key);276lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg);277lsm_set_blob_size(&needed->lbs_perf_event, &blob_sizes.lbs_perf_event);278lsm_set_blob_size(&needed->lbs_sock, &blob_sizes.lbs_sock);279lsm_set_blob_size(&needed->lbs_superblock, &blob_sizes.lbs_superblock);280lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task);281lsm_set_blob_size(&needed->lbs_tun_dev, &blob_sizes.lbs_tun_dev);282lsm_set_blob_size(&needed->lbs_xattr_count,283&blob_sizes.lbs_xattr_count);284lsm_set_blob_size(&needed->lbs_bdev, &blob_sizes.lbs_bdev);285}286287/* Prepare LSM for initialization. */288static void __init prepare_lsm(struct lsm_info *lsm)289{290int enabled = lsm_allowed(lsm);291292/* Record enablement (to handle any following exclusive LSMs). */293set_enabled(lsm, enabled);294295/* If enabled, do pre-initialization work. */296if (enabled) {297if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) {298exclusive = lsm;299init_debug("exclusive chosen: %s\n", lsm->name);300}301302lsm_set_blob_sizes(lsm->blobs);303}304}305306/* Initialize a given LSM, if it is enabled. */307static void __init initialize_lsm(struct lsm_info *lsm)308{309if (is_enabled(lsm)) {310int ret;311312init_debug("initializing %s\n", lsm->name);313ret = lsm->init();314WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret);315}316}317318/*319* Current index to use while initializing the lsm id list.320*/321u32 lsm_active_cnt __ro_after_init;322const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];323324/* Populate ordered LSMs list from comma-separated LSM name list. */325static void __init ordered_lsm_parse(const char *order, const char *origin)326{327struct lsm_info *lsm;328char *sep, *name, *next;329330/* LSM_ORDER_FIRST is always first. */331for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {332if (lsm->order == LSM_ORDER_FIRST)333append_ordered_lsm(lsm, " first");334}335336/* Process "security=", if given. */337if (chosen_major_lsm) {338struct lsm_info *major;339340/*341* To match the original "security=" behavior, this342* explicitly does NOT fallback to another Legacy Major343* if the selected one was separately disabled: disable344* all non-matching Legacy Major LSMs.345*/346for (major = __start_lsm_info; major < __end_lsm_info;347major++) {348if ((major->flags & LSM_FLAG_LEGACY_MAJOR) &&349strcmp(major->name, chosen_major_lsm) != 0) {350set_enabled(major, false);351init_debug("security=%s disabled: %s (only one legacy major LSM)\n",352chosen_major_lsm, major->name);353}354}355}356357sep = kstrdup(order, GFP_KERNEL);358next = sep;359/* Walk the list, looking for matching LSMs. */360while ((name = strsep(&next, ",")) != NULL) {361bool found = false;362363for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {364if (strcmp(lsm->name, name) == 0) {365if (lsm->order == LSM_ORDER_MUTABLE)366append_ordered_lsm(lsm, origin);367found = true;368}369}370371if (!found)372init_debug("%s ignored: %s (not built into kernel)\n",373origin, name);374}375376/* Process "security=", if given. */377if (chosen_major_lsm) {378for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {379if (exists_ordered_lsm(lsm))380continue;381if (strcmp(lsm->name, chosen_major_lsm) == 0)382append_ordered_lsm(lsm, "security=");383}384}385386/* LSM_ORDER_LAST is always last. */387for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {388if (lsm->order == LSM_ORDER_LAST)389append_ordered_lsm(lsm, " last");390}391392/* Disable all LSMs not in the ordered list. */393for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {394if (exists_ordered_lsm(lsm))395continue;396set_enabled(lsm, false);397init_debug("%s skipped: %s (not in requested order)\n",398origin, lsm->name);399}400401kfree(sep);402}403404static void __init lsm_static_call_init(struct security_hook_list *hl)405{406struct lsm_static_call *scall = hl->scalls;407int i;408409for (i = 0; i < MAX_LSM_COUNT; i++) {410/* Update the first static call that is not used yet */411if (!scall->hl) {412__static_call_update(scall->key, scall->trampoline,413hl->hook.lsm_func_addr);414scall->hl = hl;415static_branch_enable(scall->active);416return;417}418scall++;419}420panic("%s - Ran out of static slots.\n", __func__);421}422423static void __init lsm_early_cred(struct cred *cred);424static void __init lsm_early_task(struct task_struct *task);425426static int lsm_append(const char *new, char **result);427428static void __init report_lsm_order(void)429{430struct lsm_info **lsm, *early;431int first = 0;432433pr_info("initializing lsm=");434435/* Report each enabled LSM name, comma separated. */436for (early = __start_early_lsm_info;437early < __end_early_lsm_info; early++)438if (is_enabled(early))439pr_cont("%s%s", first++ == 0 ? "" : ",", early->name);440for (lsm = ordered_lsms; *lsm; lsm++)441if (is_enabled(*lsm))442pr_cont("%s%s", first++ == 0 ? "" : ",", (*lsm)->name);443444pr_cont("\n");445}446447static void __init ordered_lsm_init(void)448{449struct lsm_info **lsm;450451if (chosen_lsm_order) {452if (chosen_major_lsm) {453pr_warn("security=%s is ignored because it is superseded by lsm=%s\n",454chosen_major_lsm, chosen_lsm_order);455chosen_major_lsm = NULL;456}457ordered_lsm_parse(chosen_lsm_order, "cmdline");458} else459ordered_lsm_parse(builtin_lsm_order, "builtin");460461for (lsm = ordered_lsms; *lsm; lsm++)462prepare_lsm(*lsm);463464report_lsm_order();465466init_debug("cred blob size = %d\n", blob_sizes.lbs_cred);467init_debug("file blob size = %d\n", blob_sizes.lbs_file);468init_debug("ib blob size = %d\n", blob_sizes.lbs_ib);469init_debug("inode blob size = %d\n", blob_sizes.lbs_inode);470init_debug("ipc blob size = %d\n", blob_sizes.lbs_ipc);471#ifdef CONFIG_KEYS472init_debug("key blob size = %d\n", blob_sizes.lbs_key);473#endif /* CONFIG_KEYS */474init_debug("msg_msg blob size = %d\n", blob_sizes.lbs_msg_msg);475init_debug("sock blob size = %d\n", blob_sizes.lbs_sock);476init_debug("superblock blob size = %d\n", blob_sizes.lbs_superblock);477init_debug("perf event blob size = %d\n", blob_sizes.lbs_perf_event);478init_debug("task blob size = %d\n", blob_sizes.lbs_task);479init_debug("tun device blob size = %d\n", blob_sizes.lbs_tun_dev);480init_debug("xattr slots = %d\n", blob_sizes.lbs_xattr_count);481init_debug("bdev blob size = %d\n", blob_sizes.lbs_bdev);482483/*484* Create any kmem_caches needed for blobs485*/486if (blob_sizes.lbs_file)487lsm_file_cache = kmem_cache_create("lsm_file_cache",488blob_sizes.lbs_file, 0,489SLAB_PANIC, NULL);490if (blob_sizes.lbs_inode)491lsm_inode_cache = kmem_cache_create("lsm_inode_cache",492blob_sizes.lbs_inode, 0,493SLAB_PANIC, NULL);494495lsm_early_cred((struct cred *) current->cred);496lsm_early_task(current);497for (lsm = ordered_lsms; *lsm; lsm++)498initialize_lsm(*lsm);499}500501int __init early_security_init(void)502{503struct lsm_info *lsm;504505for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {506if (!lsm->enabled)507lsm->enabled = &lsm_enabled_true;508prepare_lsm(lsm);509initialize_lsm(lsm);510}511512return 0;513}514515/**516* security_init - initializes the security framework517*518* This should be called early in the kernel initialization sequence.519*/520int __init security_init(void)521{522struct lsm_info *lsm;523524init_debug("legacy security=%s\n", chosen_major_lsm ? : " *unspecified*");525init_debug(" CONFIG_LSM=%s\n", builtin_lsm_order);526init_debug("boot arg lsm=%s\n", chosen_lsm_order ? : " *unspecified*");527528/*529* Append the names of the early LSM modules now that kmalloc() is530* available531*/532for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) {533init_debug(" early started: %s (%s)\n", lsm->name,534is_enabled(lsm) ? "enabled" : "disabled");535if (lsm->enabled)536lsm_append(lsm->name, &lsm_names);537}538539/* Load LSMs in specified order. */540ordered_lsm_init();541542return 0;543}544545/* Save user chosen LSM */546static int __init choose_major_lsm(char *str)547{548chosen_major_lsm = str;549return 1;550}551__setup("security=", choose_major_lsm);552553/* Explicitly choose LSM initialization order. */554static int __init choose_lsm_order(char *str)555{556chosen_lsm_order = str;557return 1;558}559__setup("lsm=", choose_lsm_order);560561/* Enable LSM order debugging. */562static int __init enable_debug(char *str)563{564debug = true;565return 1;566}567__setup("lsm.debug", enable_debug);568569static bool match_last_lsm(const char *list, const char *lsm)570{571const char *last;572573if (WARN_ON(!list || !lsm))574return false;575last = strrchr(list, ',');576if (last)577/* Pass the comma, strcmp() will check for '\0' */578last++;579else580last = list;581return !strcmp(last, lsm);582}583584static int lsm_append(const char *new, char **result)585{586char *cp;587588if (*result == NULL) {589*result = kstrdup(new, GFP_KERNEL);590if (*result == NULL)591return -ENOMEM;592} else {593/* Check if it is the last registered name */594if (match_last_lsm(*result, new))595return 0;596cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);597if (cp == NULL)598return -ENOMEM;599kfree(*result);600*result = cp;601}602return 0;603}604605/**606* security_add_hooks - Add a modules hooks to the hook lists.607* @hooks: the hooks to add608* @count: the number of hooks to add609* @lsmid: the identification information for the security module610*611* Each LSM has to register its hooks with the infrastructure.612*/613void __init security_add_hooks(struct security_hook_list *hooks, int count,614const struct lsm_id *lsmid)615{616int i;617618/*619* A security module may call security_add_hooks() more620* than once during initialization, and LSM initialization621* is serialized. Landlock is one such case.622* Look at the previous entry, if there is one, for duplication.623*/624if (lsm_active_cnt == 0 || lsm_idlist[lsm_active_cnt - 1] != lsmid) {625if (lsm_active_cnt >= MAX_LSM_COUNT)626panic("%s Too many LSMs registered.\n", __func__);627lsm_idlist[lsm_active_cnt++] = lsmid;628}629630for (i = 0; i < count; i++) {631hooks[i].lsmid = lsmid;632lsm_static_call_init(&hooks[i]);633}634635/*636* Don't try to append during early_security_init(), we'll come back637* and fix this up afterwards.638*/639if (slab_is_available()) {640if (lsm_append(lsmid->name, &lsm_names) < 0)641panic("%s - Cannot get early memory.\n", __func__);642}643}644645int call_blocking_lsm_notifier(enum lsm_event event, void *data)646{647return blocking_notifier_call_chain(&blocking_lsm_notifier_chain,648event, data);649}650EXPORT_SYMBOL(call_blocking_lsm_notifier);651652int register_blocking_lsm_notifier(struct notifier_block *nb)653{654return blocking_notifier_chain_register(&blocking_lsm_notifier_chain,655nb);656}657EXPORT_SYMBOL(register_blocking_lsm_notifier);658659int unregister_blocking_lsm_notifier(struct notifier_block *nb)660{661return blocking_notifier_chain_unregister(&blocking_lsm_notifier_chain,662nb);663}664EXPORT_SYMBOL(unregister_blocking_lsm_notifier);665666/**667* lsm_blob_alloc - allocate a composite blob668* @dest: the destination for the blob669* @size: the size of the blob670* @gfp: allocation type671*672* Allocate a blob for all the modules673*674* Returns 0, or -ENOMEM if memory can't be allocated.675*/676static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp)677{678if (size == 0) {679*dest = NULL;680return 0;681}682683*dest = kzalloc(size, gfp);684if (*dest == NULL)685return -ENOMEM;686return 0;687}688689/**690* lsm_cred_alloc - allocate a composite cred blob691* @cred: the cred that needs a blob692* @gfp: allocation type693*694* Allocate the cred blob for all the modules695*696* Returns 0, or -ENOMEM if memory can't be allocated.697*/698static int lsm_cred_alloc(struct cred *cred, gfp_t gfp)699{700return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp);701}702703/**704* lsm_early_cred - during initialization allocate a composite cred blob705* @cred: the cred that needs a blob706*707* Allocate the cred blob for all the modules708*/709static void __init lsm_early_cred(struct cred *cred)710{711int rc = lsm_cred_alloc(cred, GFP_KERNEL);712713if (rc)714panic("%s: Early cred alloc failed.\n", __func__);715}716717/**718* lsm_file_alloc - allocate a composite file blob719* @file: the file that needs a blob720*721* Allocate the file blob for all the modules722*723* Returns 0, or -ENOMEM if memory can't be allocated.724*/725static int lsm_file_alloc(struct file *file)726{727if (!lsm_file_cache) {728file->f_security = NULL;729return 0;730}731732file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL);733if (file->f_security == NULL)734return -ENOMEM;735return 0;736}737738/**739* lsm_inode_alloc - allocate a composite inode blob740* @inode: the inode that needs a blob741* @gfp: allocation flags742*743* Allocate the inode blob for all the modules744*745* Returns 0, or -ENOMEM if memory can't be allocated.746*/747static int lsm_inode_alloc(struct inode *inode, gfp_t gfp)748{749if (!lsm_inode_cache) {750inode->i_security = NULL;751return 0;752}753754inode->i_security = kmem_cache_zalloc(lsm_inode_cache, gfp);755if (inode->i_security == NULL)756return -ENOMEM;757return 0;758}759760/**761* lsm_task_alloc - allocate a composite task blob762* @task: the task that needs a blob763*764* Allocate the task blob for all the modules765*766* Returns 0, or -ENOMEM if memory can't be allocated.767*/768static int lsm_task_alloc(struct task_struct *task)769{770return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL);771}772773/**774* lsm_ipc_alloc - allocate a composite ipc blob775* @kip: the ipc that needs a blob776*777* Allocate the ipc blob for all the modules778*779* Returns 0, or -ENOMEM if memory can't be allocated.780*/781static int lsm_ipc_alloc(struct kern_ipc_perm *kip)782{783return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL);784}785786#ifdef CONFIG_KEYS787/**788* lsm_key_alloc - allocate a composite key blob789* @key: the key that needs a blob790*791* Allocate the key blob for all the modules792*793* Returns 0, or -ENOMEM if memory can't be allocated.794*/795static int lsm_key_alloc(struct key *key)796{797return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL);798}799#endif /* CONFIG_KEYS */800801/**802* lsm_msg_msg_alloc - allocate a composite msg_msg blob803* @mp: the msg_msg that needs a blob804*805* Allocate the ipc blob for all the modules806*807* Returns 0, or -ENOMEM if memory can't be allocated.808*/809static int lsm_msg_msg_alloc(struct msg_msg *mp)810{811return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg,812GFP_KERNEL);813}814815/**816* lsm_bdev_alloc - allocate a composite block_device blob817* @bdev: the block_device that needs a blob818*819* Allocate the block_device blob for all the modules820*821* Returns 0, or -ENOMEM if memory can't be allocated.822*/823static int lsm_bdev_alloc(struct block_device *bdev)824{825if (blob_sizes.lbs_bdev == 0) {826bdev->bd_security = NULL;827return 0;828}829830bdev->bd_security = kzalloc(blob_sizes.lbs_bdev, GFP_KERNEL);831if (!bdev->bd_security)832return -ENOMEM;833834return 0;835}836837/**838* lsm_early_task - during initialization allocate a composite task blob839* @task: the task that needs a blob840*841* Allocate the task blob for all the modules842*/843static void __init lsm_early_task(struct task_struct *task)844{845int rc = lsm_task_alloc(task);846847if (rc)848panic("%s: Early task alloc failed.\n", __func__);849}850851/**852* lsm_superblock_alloc - allocate a composite superblock blob853* @sb: the superblock that needs a blob854*855* Allocate the superblock blob for all the modules856*857* Returns 0, or -ENOMEM if memory can't be allocated.858*/859static int lsm_superblock_alloc(struct super_block *sb)860{861return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock,862GFP_KERNEL);863}864865/**866* lsm_fill_user_ctx - Fill a user space lsm_ctx structure867* @uctx: a userspace LSM context to be filled868* @uctx_len: available uctx size (input), used uctx size (output)869* @val: the new LSM context value870* @val_len: the size of the new LSM context value871* @id: LSM id872* @flags: LSM defined flags873*874* Fill all of the fields in a userspace lsm_ctx structure. If @uctx is NULL875* simply calculate the required size to output via @utc_len and return876* success.877*878* Returns 0 on success, -E2BIG if userspace buffer is not large enough,879* -EFAULT on a copyout error, -ENOMEM if memory can't be allocated.880*/881int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,882void *val, size_t val_len,883u64 id, u64 flags)884{885struct lsm_ctx *nctx = NULL;886size_t nctx_len;887int rc = 0;888889nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *));890if (nctx_len > *uctx_len) {891rc = -E2BIG;892goto out;893}894895/* no buffer - return success/0 and set @uctx_len to the req size */896if (!uctx)897goto out;898899nctx = kzalloc(nctx_len, GFP_KERNEL);900if (nctx == NULL) {901rc = -ENOMEM;902goto out;903}904nctx->id = id;905nctx->flags = flags;906nctx->len = nctx_len;907nctx->ctx_len = val_len;908memcpy(nctx->ctx, val, val_len);909910if (copy_to_user(uctx, nctx, nctx_len))911rc = -EFAULT;912913out:914kfree(nctx);915*uctx_len = nctx_len;916return rc;917}918919/*920* The default value of the LSM hook is defined in linux/lsm_hook_defs.h and921* can be accessed with:922*923* LSM_RET_DEFAULT(<hook_name>)924*925* The macros below define static constants for the default value of each926* LSM hook.927*/928#define LSM_RET_DEFAULT(NAME) (NAME##_default)929#define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)930#define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \931static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT);932#define LSM_HOOK(RET, DEFAULT, NAME, ...) \933DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)934935#include <linux/lsm_hook_defs.h>936#undef LSM_HOOK937938/*939* Hook list operation macros.940*941* call_void_hook:942* This is a hook that does not return a value.943*944* call_int_hook:945* This is a hook that returns a value.946*/947#define __CALL_STATIC_VOID(NUM, HOOK, ...) \948do { \949if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \950static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \951} \952} while (0);953954#define call_void_hook(HOOK, ...) \955do { \956LSM_LOOP_UNROLL(__CALL_STATIC_VOID, HOOK, __VA_ARGS__); \957} while (0)958959960#define __CALL_STATIC_INT(NUM, R, HOOK, LABEL, ...) \961do { \962if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \963R = static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \964if (R != LSM_RET_DEFAULT(HOOK)) \965goto LABEL; \966} \967} while (0);968969#define call_int_hook(HOOK, ...) \970({ \971__label__ OUT; \972int RC = LSM_RET_DEFAULT(HOOK); \973\974LSM_LOOP_UNROLL(__CALL_STATIC_INT, RC, HOOK, OUT, __VA_ARGS__); \975OUT: \976RC; \977})978979#define lsm_for_each_hook(scall, NAME) \980for (scall = static_calls_table.NAME; \981scall - static_calls_table.NAME < MAX_LSM_COUNT; scall++) \982if (static_key_enabled(&scall->active->key))983984/* Security operations */985986/**987* security_binder_set_context_mgr() - Check if becoming binder ctx mgr is ok988* @mgr: task credentials of current binder process989*990* Check whether @mgr is allowed to be the binder context manager.991*992* Return: Return 0 if permission is granted.993*/994int security_binder_set_context_mgr(const struct cred *mgr)995{996return call_int_hook(binder_set_context_mgr, mgr);997}998999/**1000* security_binder_transaction() - Check if a binder transaction is allowed1001* @from: sending process1002* @to: receiving process1003*1004* Check whether @from is allowed to invoke a binder transaction call to @to.1005*1006* Return: Returns 0 if permission is granted.1007*/1008int security_binder_transaction(const struct cred *from,1009const struct cred *to)1010{1011return call_int_hook(binder_transaction, from, to);1012}10131014/**1015* security_binder_transfer_binder() - Check if a binder transfer is allowed1016* @from: sending process1017* @to: receiving process1018*1019* Check whether @from is allowed to transfer a binder reference to @to.1020*1021* Return: Returns 0 if permission is granted.1022*/1023int security_binder_transfer_binder(const struct cred *from,1024const struct cred *to)1025{1026return call_int_hook(binder_transfer_binder, from, to);1027}10281029/**1030* security_binder_transfer_file() - Check if a binder file xfer is allowed1031* @from: sending process1032* @to: receiving process1033* @file: file being transferred1034*1035* Check whether @from is allowed to transfer @file to @to.1036*1037* Return: Returns 0 if permission is granted.1038*/1039int security_binder_transfer_file(const struct cred *from,1040const struct cred *to, const struct file *file)1041{1042return call_int_hook(binder_transfer_file, from, to, file);1043}10441045/**1046* security_ptrace_access_check() - Check if tracing is allowed1047* @child: target process1048* @mode: PTRACE_MODE flags1049*1050* Check permission before allowing the current process to trace the @child1051* process. Security modules may also want to perform a process tracing check1052* during an execve in the set_security or apply_creds hooks of tracing check1053* during an execve in the bprm_set_creds hook of binprm_security_ops if the1054* process is being traced and its security attributes would be changed by the1055* execve.1056*1057* Return: Returns 0 if permission is granted.1058*/1059int security_ptrace_access_check(struct task_struct *child, unsigned int mode)1060{1061return call_int_hook(ptrace_access_check, child, mode);1062}10631064/**1065* security_ptrace_traceme() - Check if tracing is allowed1066* @parent: tracing process1067*1068* Check that the @parent process has sufficient permission to trace the1069* current process before allowing the current process to present itself to the1070* @parent process for tracing.1071*1072* Return: Returns 0 if permission is granted.1073*/1074int security_ptrace_traceme(struct task_struct *parent)1075{1076return call_int_hook(ptrace_traceme, parent);1077}10781079/**1080* security_capget() - Get the capability sets for a process1081* @target: target process1082* @effective: effective capability set1083* @inheritable: inheritable capability set1084* @permitted: permitted capability set1085*1086* Get the @effective, @inheritable, and @permitted capability sets for the1087* @target process. The hook may also perform permission checking to determine1088* if the current process is allowed to see the capability sets of the @target1089* process.1090*1091* Return: Returns 0 if the capability sets were successfully obtained.1092*/1093int security_capget(const struct task_struct *target,1094kernel_cap_t *effective,1095kernel_cap_t *inheritable,1096kernel_cap_t *permitted)1097{1098return call_int_hook(capget, target, effective, inheritable, permitted);1099}11001101/**1102* security_capset() - Set the capability sets for a process1103* @new: new credentials for the target process1104* @old: current credentials of the target process1105* @effective: effective capability set1106* @inheritable: inheritable capability set1107* @permitted: permitted capability set1108*1109* Set the @effective, @inheritable, and @permitted capability sets for the1110* current process.1111*1112* Return: Returns 0 and update @new if permission is granted.1113*/1114int security_capset(struct cred *new, const struct cred *old,1115const kernel_cap_t *effective,1116const kernel_cap_t *inheritable,1117const kernel_cap_t *permitted)1118{1119return call_int_hook(capset, new, old, effective, inheritable,1120permitted);1121}11221123/**1124* security_capable() - Check if a process has the necessary capability1125* @cred: credentials to examine1126* @ns: user namespace1127* @cap: capability requested1128* @opts: capability check options1129*1130* Check whether the @tsk process has the @cap capability in the indicated1131* credentials. @cap contains the capability <include/linux/capability.h>.1132* @opts contains options for the capable check <include/linux/security.h>.1133*1134* Return: Returns 0 if the capability is granted.1135*/1136int security_capable(const struct cred *cred,1137struct user_namespace *ns,1138int cap,1139unsigned int opts)1140{1141return call_int_hook(capable, cred, ns, cap, opts);1142}11431144/**1145* security_quotactl() - Check if a quotactl() syscall is allowed for this fs1146* @cmds: commands1147* @type: type1148* @id: id1149* @sb: filesystem1150*1151* Check whether the quotactl syscall is allowed for this @sb.1152*1153* Return: Returns 0 if permission is granted.1154*/1155int security_quotactl(int cmds, int type, int id, const struct super_block *sb)1156{1157return call_int_hook(quotactl, cmds, type, id, sb);1158}11591160/**1161* security_quota_on() - Check if QUOTAON is allowed for a dentry1162* @dentry: dentry1163*1164* Check whether QUOTAON is allowed for @dentry.1165*1166* Return: Returns 0 if permission is granted.1167*/1168int security_quota_on(struct dentry *dentry)1169{1170return call_int_hook(quota_on, dentry);1171}11721173/**1174* security_syslog() - Check if accessing the kernel message ring is allowed1175* @type: SYSLOG_ACTION_* type1176*1177* Check permission before accessing the kernel message ring or changing1178* logging to the console. See the syslog(2) manual page for an explanation of1179* the @type values.1180*1181* Return: Return 0 if permission is granted.1182*/1183int security_syslog(int type)1184{1185return call_int_hook(syslog, type);1186}11871188/**1189* security_settime64() - Check if changing the system time is allowed1190* @ts: new time1191* @tz: timezone1192*1193* Check permission to change the system time, struct timespec64 is defined in1194* <include/linux/time64.h> and timezone is defined in <include/linux/time.h>.1195*1196* Return: Returns 0 if permission is granted.1197*/1198int security_settime64(const struct timespec64 *ts, const struct timezone *tz)1199{1200return call_int_hook(settime, ts, tz);1201}12021203/**1204* security_vm_enough_memory_mm() - Check if allocating a new mem map is allowed1205* @mm: mm struct1206* @pages: number of pages1207*1208* Check permissions for allocating a new virtual mapping. If all LSMs return1209* a positive value, __vm_enough_memory() will be called with cap_sys_admin1210* set. If at least one LSM returns 0 or negative, __vm_enough_memory() will be1211* called with cap_sys_admin cleared.1212*1213* Return: Returns 0 if permission is granted by the LSM infrastructure to the1214* caller.1215*/1216int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)1217{1218struct lsm_static_call *scall;1219int cap_sys_admin = 1;1220int rc;12211222/*1223* The module will respond with 0 if it thinks the __vm_enough_memory()1224* call should be made with the cap_sys_admin set. If all of the modules1225* agree that it should be set it will. If any module thinks it should1226* not be set it won't.1227*/1228lsm_for_each_hook(scall, vm_enough_memory) {1229rc = scall->hl->hook.vm_enough_memory(mm, pages);1230if (rc < 0) {1231cap_sys_admin = 0;1232break;1233}1234}1235return __vm_enough_memory(mm, pages, cap_sys_admin);1236}12371238/**1239* security_bprm_creds_for_exec() - Prepare the credentials for exec()1240* @bprm: binary program information1241*1242* If the setup in prepare_exec_creds did not setup @bprm->cred->security1243* properly for executing @bprm->file, update the LSM's portion of1244* @bprm->cred->security to be what commit_creds needs to install for the new1245* program. This hook may also optionally check permissions (e.g. for1246* transitions between security domains). The hook must set @bprm->secureexec1247* to 1 if AT_SECURE should be set to request libc enable secure mode. @bprm1248* contains the linux_binprm structure.1249*1250* If execveat(2) is called with the AT_EXECVE_CHECK flag, bprm->is_check is1251* set. The result must be the same as without this flag even if the execution1252* will never really happen and @bprm will always be dropped.1253*1254* This hook must not change current->cred, only @bprm->cred.1255*1256* Return: Returns 0 if the hook is successful and permission is granted.1257*/1258int security_bprm_creds_for_exec(struct linux_binprm *bprm)1259{1260return call_int_hook(bprm_creds_for_exec, bprm);1261}12621263/**1264* security_bprm_creds_from_file() - Update linux_binprm creds based on file1265* @bprm: binary program information1266* @file: associated file1267*1268* If @file is setpcap, suid, sgid or otherwise marked to change privilege upon1269* exec, update @bprm->cred to reflect that change. This is called after1270* finding the binary that will be executed without an interpreter. This1271* ensures that the credentials will not be derived from a script that the1272* binary will need to reopen, which when reopend may end up being a completely1273* different file. This hook may also optionally check permissions (e.g. for1274* transitions between security domains). The hook must set @bprm->secureexec1275* to 1 if AT_SECURE should be set to request libc enable secure mode. The1276* hook must add to @bprm->per_clear any personality flags that should be1277* cleared from current->personality. @bprm contains the linux_binprm1278* structure.1279*1280* Return: Returns 0 if the hook is successful and permission is granted.1281*/1282int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)1283{1284return call_int_hook(bprm_creds_from_file, bprm, file);1285}12861287/**1288* security_bprm_check() - Mediate binary handler search1289* @bprm: binary program information1290*1291* This hook mediates the point when a search for a binary handler will begin.1292* It allows a check against the @bprm->cred->security value which was set in1293* the preceding creds_for_exec call. The argv list and envp list are reliably1294* available in @bprm. This hook may be called multiple times during a single1295* execve. @bprm contains the linux_binprm structure.1296*1297* Return: Returns 0 if the hook is successful and permission is granted.1298*/1299int security_bprm_check(struct linux_binprm *bprm)1300{1301return call_int_hook(bprm_check_security, bprm);1302}13031304/**1305* security_bprm_committing_creds() - Install creds for a process during exec()1306* @bprm: binary program information1307*1308* Prepare to install the new security attributes of a process being1309* transformed by an execve operation, based on the old credentials pointed to1310* by @current->cred and the information set in @bprm->cred by the1311* bprm_creds_for_exec hook. @bprm points to the linux_binprm structure. This1312* hook is a good place to perform state changes on the process such as closing1313* open file descriptors to which access will no longer be granted when the1314* attributes are changed. This is called immediately before commit_creds().1315*/1316void security_bprm_committing_creds(const struct linux_binprm *bprm)1317{1318call_void_hook(bprm_committing_creds, bprm);1319}13201321/**1322* security_bprm_committed_creds() - Tidy up after cred install during exec()1323* @bprm: binary program information1324*1325* Tidy up after the installation of the new security attributes of a process1326* being transformed by an execve operation. The new credentials have, by this1327* point, been set to @current->cred. @bprm points to the linux_binprm1328* structure. This hook is a good place to perform state changes on the1329* process such as clearing out non-inheritable signal state. This is called1330* immediately after commit_creds().1331*/1332void security_bprm_committed_creds(const struct linux_binprm *bprm)1333{1334call_void_hook(bprm_committed_creds, bprm);1335}13361337/**1338* security_fs_context_submount() - Initialise fc->security1339* @fc: new filesystem context1340* @reference: dentry reference for submount/remount1341*1342* Fill out the ->security field for a new fs_context.1343*1344* Return: Returns 0 on success or negative error code on failure.1345*/1346int security_fs_context_submount(struct fs_context *fc, struct super_block *reference)1347{1348return call_int_hook(fs_context_submount, fc, reference);1349}13501351/**1352* security_fs_context_dup() - Duplicate a fs_context LSM blob1353* @fc: destination filesystem context1354* @src_fc: source filesystem context1355*1356* Allocate and attach a security structure to sc->security. This pointer is1357* initialised to NULL by the caller. @fc indicates the new filesystem context.1358* @src_fc indicates the original filesystem context.1359*1360* Return: Returns 0 on success or a negative error code on failure.1361*/1362int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc)1363{1364return call_int_hook(fs_context_dup, fc, src_fc);1365}13661367/**1368* security_fs_context_parse_param() - Configure a filesystem context1369* @fc: filesystem context1370* @param: filesystem parameter1371*1372* Userspace provided a parameter to configure a superblock. The LSM can1373* consume the parameter or return it to the caller for use elsewhere.1374*1375* Return: If the parameter is used by the LSM it should return 0, if it is1376* returned to the caller -ENOPARAM is returned, otherwise a negative1377* error code is returned.1378*/1379int security_fs_context_parse_param(struct fs_context *fc,1380struct fs_parameter *param)1381{1382struct lsm_static_call *scall;1383int trc;1384int rc = -ENOPARAM;13851386lsm_for_each_hook(scall, fs_context_parse_param) {1387trc = scall->hl->hook.fs_context_parse_param(fc, param);1388if (trc == 0)1389rc = 0;1390else if (trc != -ENOPARAM)1391return trc;1392}1393return rc;1394}13951396/**1397* security_sb_alloc() - Allocate a super_block LSM blob1398* @sb: filesystem superblock1399*1400* Allocate and attach a security structure to the sb->s_security field. The1401* s_security field is initialized to NULL when the structure is allocated.1402* @sb contains the super_block structure to be modified.1403*1404* Return: Returns 0 if operation was successful.1405*/1406int security_sb_alloc(struct super_block *sb)1407{1408int rc = lsm_superblock_alloc(sb);14091410if (unlikely(rc))1411return rc;1412rc = call_int_hook(sb_alloc_security, sb);1413if (unlikely(rc))1414security_sb_free(sb);1415return rc;1416}14171418/**1419* security_sb_delete() - Release super_block LSM associated objects1420* @sb: filesystem superblock1421*1422* Release objects tied to a superblock (e.g. inodes). @sb contains the1423* super_block structure being released.1424*/1425void security_sb_delete(struct super_block *sb)1426{1427call_void_hook(sb_delete, sb);1428}14291430/**1431* security_sb_free() - Free a super_block LSM blob1432* @sb: filesystem superblock1433*1434* Deallocate and clear the sb->s_security field. @sb contains the super_block1435* structure to be modified.1436*/1437void security_sb_free(struct super_block *sb)1438{1439call_void_hook(sb_free_security, sb);1440kfree(sb->s_security);1441sb->s_security = NULL;1442}14431444/**1445* security_free_mnt_opts() - Free memory associated with mount options1446* @mnt_opts: LSM processed mount options1447*1448* Free memory associated with @mnt_ops.1449*/1450void security_free_mnt_opts(void **mnt_opts)1451{1452if (!*mnt_opts)1453return;1454call_void_hook(sb_free_mnt_opts, *mnt_opts);1455*mnt_opts = NULL;1456}1457EXPORT_SYMBOL(security_free_mnt_opts);14581459/**1460* security_sb_eat_lsm_opts() - Consume LSM mount options1461* @options: mount options1462* @mnt_opts: LSM processed mount options1463*1464* Eat (scan @options) and save them in @mnt_opts.1465*1466* Return: Returns 0 on success, negative values on failure.1467*/1468int security_sb_eat_lsm_opts(char *options, void **mnt_opts)1469{1470return call_int_hook(sb_eat_lsm_opts, options, mnt_opts);1471}1472EXPORT_SYMBOL(security_sb_eat_lsm_opts);14731474/**1475* security_sb_mnt_opts_compat() - Check if new mount options are allowed1476* @sb: filesystem superblock1477* @mnt_opts: new mount options1478*1479* Determine if the new mount options in @mnt_opts are allowed given the1480* existing mounted filesystem at @sb. @sb superblock being compared.1481*1482* Return: Returns 0 if options are compatible.1483*/1484int security_sb_mnt_opts_compat(struct super_block *sb,1485void *mnt_opts)1486{1487return call_int_hook(sb_mnt_opts_compat, sb, mnt_opts);1488}1489EXPORT_SYMBOL(security_sb_mnt_opts_compat);14901491/**1492* security_sb_remount() - Verify no incompatible mount changes during remount1493* @sb: filesystem superblock1494* @mnt_opts: (re)mount options1495*1496* Extracts security system specific mount options and verifies no changes are1497* being made to those options.1498*1499* Return: Returns 0 if permission is granted.1500*/1501int security_sb_remount(struct super_block *sb,1502void *mnt_opts)1503{1504return call_int_hook(sb_remount, sb, mnt_opts);1505}1506EXPORT_SYMBOL(security_sb_remount);15071508/**1509* security_sb_kern_mount() - Check if a kernel mount is allowed1510* @sb: filesystem superblock1511*1512* Mount this @sb if allowed by permissions.1513*1514* Return: Returns 0 if permission is granted.1515*/1516int security_sb_kern_mount(const struct super_block *sb)1517{1518return call_int_hook(sb_kern_mount, sb);1519}15201521/**1522* security_sb_show_options() - Output the mount options for a superblock1523* @m: output file1524* @sb: filesystem superblock1525*1526* Show (print on @m) mount options for this @sb.1527*1528* Return: Returns 0 on success, negative values on failure.1529*/1530int security_sb_show_options(struct seq_file *m, struct super_block *sb)1531{1532return call_int_hook(sb_show_options, m, sb);1533}15341535/**1536* security_sb_statfs() - Check if accessing fs stats is allowed1537* @dentry: superblock handle1538*1539* Check permission before obtaining filesystem statistics for the @mnt1540* mountpoint. @dentry is a handle on the superblock for the filesystem.1541*1542* Return: Returns 0 if permission is granted.1543*/1544int security_sb_statfs(struct dentry *dentry)1545{1546return call_int_hook(sb_statfs, dentry);1547}15481549/**1550* security_sb_mount() - Check permission for mounting a filesystem1551* @dev_name: filesystem backing device1552* @path: mount point1553* @type: filesystem type1554* @flags: mount flags1555* @data: filesystem specific data1556*1557* Check permission before an object specified by @dev_name is mounted on the1558* mount point named by @nd. For an ordinary mount, @dev_name identifies a1559* device if the file system type requires a device. For a remount1560* (@flags & MS_REMOUNT), @dev_name is irrelevant. For a loopback/bind mount1561* (@flags & MS_BIND), @dev_name identifies the pathname of the object being1562* mounted.1563*1564* Return: Returns 0 if permission is granted.1565*/1566int security_sb_mount(const char *dev_name, const struct path *path,1567const char *type, unsigned long flags, void *data)1568{1569return call_int_hook(sb_mount, dev_name, path, type, flags, data);1570}15711572/**1573* security_sb_umount() - Check permission for unmounting a filesystem1574* @mnt: mounted filesystem1575* @flags: unmount flags1576*1577* Check permission before the @mnt file system is unmounted.1578*1579* Return: Returns 0 if permission is granted.1580*/1581int security_sb_umount(struct vfsmount *mnt, int flags)1582{1583return call_int_hook(sb_umount, mnt, flags);1584}15851586/**1587* security_sb_pivotroot() - Check permissions for pivoting the rootfs1588* @old_path: new location for current rootfs1589* @new_path: location of the new rootfs1590*1591* Check permission before pivoting the root filesystem.1592*1593* Return: Returns 0 if permission is granted.1594*/1595int security_sb_pivotroot(const struct path *old_path,1596const struct path *new_path)1597{1598return call_int_hook(sb_pivotroot, old_path, new_path);1599}16001601/**1602* security_sb_set_mnt_opts() - Set the mount options for a filesystem1603* @sb: filesystem superblock1604* @mnt_opts: binary mount options1605* @kern_flags: kernel flags (in)1606* @set_kern_flags: kernel flags (out)1607*1608* Set the security relevant mount options used for a superblock.1609*1610* Return: Returns 0 on success, error on failure.1611*/1612int security_sb_set_mnt_opts(struct super_block *sb,1613void *mnt_opts,1614unsigned long kern_flags,1615unsigned long *set_kern_flags)1616{1617struct lsm_static_call *scall;1618int rc = mnt_opts ? -EOPNOTSUPP : LSM_RET_DEFAULT(sb_set_mnt_opts);16191620lsm_for_each_hook(scall, sb_set_mnt_opts) {1621rc = scall->hl->hook.sb_set_mnt_opts(sb, mnt_opts, kern_flags,1622set_kern_flags);1623if (rc != LSM_RET_DEFAULT(sb_set_mnt_opts))1624break;1625}1626return rc;1627}1628EXPORT_SYMBOL(security_sb_set_mnt_opts);16291630/**1631* security_sb_clone_mnt_opts() - Duplicate superblock mount options1632* @oldsb: source superblock1633* @newsb: destination superblock1634* @kern_flags: kernel flags (in)1635* @set_kern_flags: kernel flags (out)1636*1637* Copy all security options from a given superblock to another.1638*1639* Return: Returns 0 on success, error on failure.1640*/1641int security_sb_clone_mnt_opts(const struct super_block *oldsb,1642struct super_block *newsb,1643unsigned long kern_flags,1644unsigned long *set_kern_flags)1645{1646return call_int_hook(sb_clone_mnt_opts, oldsb, newsb,1647kern_flags, set_kern_flags);1648}1649EXPORT_SYMBOL(security_sb_clone_mnt_opts);16501651/**1652* security_move_mount() - Check permissions for moving a mount1653* @from_path: source mount point1654* @to_path: destination mount point1655*1656* Check permission before a mount is moved.1657*1658* Return: Returns 0 if permission is granted.1659*/1660int security_move_mount(const struct path *from_path,1661const struct path *to_path)1662{1663return call_int_hook(move_mount, from_path, to_path);1664}16651666/**1667* security_path_notify() - Check if setting a watch is allowed1668* @path: file path1669* @mask: event mask1670* @obj_type: file path type1671*1672* Check permissions before setting a watch on events as defined by @mask, on1673* an object at @path, whose type is defined by @obj_type.1674*1675* Return: Returns 0 if permission is granted.1676*/1677int security_path_notify(const struct path *path, u64 mask,1678unsigned int obj_type)1679{1680return call_int_hook(path_notify, path, mask, obj_type);1681}16821683/**1684* security_inode_alloc() - Allocate an inode LSM blob1685* @inode: the inode1686* @gfp: allocation flags1687*1688* Allocate and attach a security structure to @inode->i_security. The1689* i_security field is initialized to NULL when the inode structure is1690* allocated.1691*1692* Return: Return 0 if operation was successful.1693*/1694int security_inode_alloc(struct inode *inode, gfp_t gfp)1695{1696int rc = lsm_inode_alloc(inode, gfp);16971698if (unlikely(rc))1699return rc;1700rc = call_int_hook(inode_alloc_security, inode);1701if (unlikely(rc))1702security_inode_free(inode);1703return rc;1704}17051706static void inode_free_by_rcu(struct rcu_head *head)1707{1708/* The rcu head is at the start of the inode blob */1709call_void_hook(inode_free_security_rcu, head);1710kmem_cache_free(lsm_inode_cache, head);1711}17121713/**1714* security_inode_free() - Free an inode's LSM blob1715* @inode: the inode1716*1717* Release any LSM resources associated with @inode, although due to the1718* inode's RCU protections it is possible that the resources will not be1719* fully released until after the current RCU grace period has elapsed.1720*1721* It is important for LSMs to note that despite being present in a call to1722* security_inode_free(), @inode may still be referenced in a VFS path walk1723* and calls to security_inode_permission() may be made during, or after,1724* a call to security_inode_free(). For this reason the inode->i_security1725* field is released via a call_rcu() callback and any LSMs which need to1726* retain inode state for use in security_inode_permission() should only1727* release that state in the inode_free_security_rcu() LSM hook callback.1728*/1729void security_inode_free(struct inode *inode)1730{1731call_void_hook(inode_free_security, inode);1732if (!inode->i_security)1733return;1734call_rcu((struct rcu_head *)inode->i_security, inode_free_by_rcu);1735}17361737/**1738* security_dentry_init_security() - Perform dentry initialization1739* @dentry: the dentry to initialize1740* @mode: mode used to determine resource type1741* @name: name of the last path component1742* @xattr_name: name of the security/LSM xattr1743* @lsmctx: pointer to the resulting LSM context1744*1745* Compute a context for a dentry as the inode is not yet available since NFSv41746* has no label backed by an EA anyway. It is important to note that1747* @xattr_name does not need to be free'd by the caller, it is a static string.1748*1749* Return: Returns 0 on success, negative values on failure.1750*/1751int security_dentry_init_security(struct dentry *dentry, int mode,1752const struct qstr *name,1753const char **xattr_name,1754struct lsm_context *lsmctx)1755{1756return call_int_hook(dentry_init_security, dentry, mode, name,1757xattr_name, lsmctx);1758}1759EXPORT_SYMBOL(security_dentry_init_security);17601761/**1762* security_dentry_create_files_as() - Perform dentry initialization1763* @dentry: the dentry to initialize1764* @mode: mode used to determine resource type1765* @name: name of the last path component1766* @old: creds to use for LSM context calculations1767* @new: creds to modify1768*1769* Compute a context for a dentry as the inode is not yet available and set1770* that context in passed in creds so that new files are created using that1771* context. Context is calculated using the passed in creds and not the creds1772* of the caller.1773*1774* Return: Returns 0 on success, error on failure.1775*/1776int security_dentry_create_files_as(struct dentry *dentry, int mode,1777struct qstr *name,1778const struct cred *old, struct cred *new)1779{1780return call_int_hook(dentry_create_files_as, dentry, mode,1781name, old, new);1782}1783EXPORT_SYMBOL(security_dentry_create_files_as);17841785/**1786* security_inode_init_security() - Initialize an inode's LSM context1787* @inode: the inode1788* @dir: parent directory1789* @qstr: last component of the pathname1790* @initxattrs: callback function to write xattrs1791* @fs_data: filesystem specific data1792*1793* Obtain the security attribute name suffix and value to set on a newly1794* created inode and set up the incore security field for the new inode. This1795* hook is called by the fs code as part of the inode creation transaction and1796* provides for atomic labeling of the inode, unlike the post_create/mkdir/...1797* hooks called by the VFS.1798*1799* The hook function is expected to populate the xattrs array, by calling1800* lsm_get_xattr_slot() to retrieve the slots reserved by the security module1801* with the lbs_xattr_count field of the lsm_blob_sizes structure. For each1802* slot, the hook function should set ->name to the attribute name suffix1803* (e.g. selinux), to allocate ->value (will be freed by the caller) and set it1804* to the attribute value, to set ->value_len to the length of the value. If1805* the security module does not use security attributes or does not wish to put1806* a security attribute on this particular inode, then it should return1807* -EOPNOTSUPP to skip this processing.1808*1809* Return: Returns 0 if the LSM successfully initialized all of the inode1810* security attributes that are required, negative values otherwise.1811*/1812int security_inode_init_security(struct inode *inode, struct inode *dir,1813const struct qstr *qstr,1814const initxattrs initxattrs, void *fs_data)1815{1816struct lsm_static_call *scall;1817struct xattr *new_xattrs = NULL;1818int ret = -EOPNOTSUPP, xattr_count = 0;18191820if (unlikely(IS_PRIVATE(inode)))1821return 0;18221823if (!blob_sizes.lbs_xattr_count)1824return 0;18251826if (initxattrs) {1827/* Allocate +1 as terminator. */1828new_xattrs = kcalloc(blob_sizes.lbs_xattr_count + 1,1829sizeof(*new_xattrs), GFP_NOFS);1830if (!new_xattrs)1831return -ENOMEM;1832}18331834lsm_for_each_hook(scall, inode_init_security) {1835ret = scall->hl->hook.inode_init_security(inode, dir, qstr, new_xattrs,1836&xattr_count);1837if (ret && ret != -EOPNOTSUPP)1838goto out;1839/*1840* As documented in lsm_hooks.h, -EOPNOTSUPP in this context1841* means that the LSM is not willing to provide an xattr, not1842* that it wants to signal an error. Thus, continue to invoke1843* the remaining LSMs.1844*/1845}18461847/* If initxattrs() is NULL, xattr_count is zero, skip the call. */1848if (!xattr_count)1849goto out;18501851ret = initxattrs(inode, new_xattrs, fs_data);1852out:1853for (; xattr_count > 0; xattr_count--)1854kfree(new_xattrs[xattr_count - 1].value);1855kfree(new_xattrs);1856return (ret == -EOPNOTSUPP) ? 0 : ret;1857}1858EXPORT_SYMBOL(security_inode_init_security);18591860/**1861* security_inode_init_security_anon() - Initialize an anonymous inode1862* @inode: the inode1863* @name: the anonymous inode class1864* @context_inode: an optional related inode1865*1866* Set up the incore security field for the new anonymous inode and return1867* whether the inode creation is permitted by the security module or not.1868*1869* Return: Returns 0 on success, -EACCES if the security module denies the1870* creation of this inode, or another -errno upon other errors.1871*/1872int security_inode_init_security_anon(struct inode *inode,1873const struct qstr *name,1874const struct inode *context_inode)1875{1876return call_int_hook(inode_init_security_anon, inode, name,1877context_inode);1878}18791880#ifdef CONFIG_SECURITY_PATH1881/**1882* security_path_mknod() - Check if creating a special file is allowed1883* @dir: parent directory1884* @dentry: new file1885* @mode: new file mode1886* @dev: device number1887*1888* Check permissions when creating a file. Note that this hook is called even1889* if mknod operation is being done for a regular file.1890*1891* Return: Returns 0 if permission is granted.1892*/1893int security_path_mknod(const struct path *dir, struct dentry *dentry,1894umode_t mode, unsigned int dev)1895{1896if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1897return 0;1898return call_int_hook(path_mknod, dir, dentry, mode, dev);1899}1900EXPORT_SYMBOL(security_path_mknod);19011902/**1903* security_path_post_mknod() - Update inode security after reg file creation1904* @idmap: idmap of the mount1905* @dentry: new file1906*1907* Update inode security field after a regular file has been created.1908*/1909void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry *dentry)1910{1911if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1912return;1913call_void_hook(path_post_mknod, idmap, dentry);1914}19151916/**1917* security_path_mkdir() - Check if creating a new directory is allowed1918* @dir: parent directory1919* @dentry: new directory1920* @mode: new directory mode1921*1922* Check permissions to create a new directory in the existing directory.1923*1924* Return: Returns 0 if permission is granted.1925*/1926int security_path_mkdir(const struct path *dir, struct dentry *dentry,1927umode_t mode)1928{1929if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1930return 0;1931return call_int_hook(path_mkdir, dir, dentry, mode);1932}1933EXPORT_SYMBOL(security_path_mkdir);19341935/**1936* security_path_rmdir() - Check if removing a directory is allowed1937* @dir: parent directory1938* @dentry: directory to remove1939*1940* Check the permission to remove a directory.1941*1942* Return: Returns 0 if permission is granted.1943*/1944int security_path_rmdir(const struct path *dir, struct dentry *dentry)1945{1946if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1947return 0;1948return call_int_hook(path_rmdir, dir, dentry);1949}19501951/**1952* security_path_unlink() - Check if removing a hard link is allowed1953* @dir: parent directory1954* @dentry: file1955*1956* Check the permission to remove a hard link to a file.1957*1958* Return: Returns 0 if permission is granted.1959*/1960int security_path_unlink(const struct path *dir, struct dentry *dentry)1961{1962if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1963return 0;1964return call_int_hook(path_unlink, dir, dentry);1965}1966EXPORT_SYMBOL(security_path_unlink);19671968/**1969* security_path_symlink() - Check if creating a symbolic link is allowed1970* @dir: parent directory1971* @dentry: symbolic link1972* @old_name: file pathname1973*1974* Check the permission to create a symbolic link to a file.1975*1976* Return: Returns 0 if permission is granted.1977*/1978int security_path_symlink(const struct path *dir, struct dentry *dentry,1979const char *old_name)1980{1981if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1982return 0;1983return call_int_hook(path_symlink, dir, dentry, old_name);1984}19851986/**1987* security_path_link - Check if creating a hard link is allowed1988* @old_dentry: existing file1989* @new_dir: new parent directory1990* @new_dentry: new link1991*1992* Check permission before creating a new hard link to a file.1993*1994* Return: Returns 0 if permission is granted.1995*/1996int security_path_link(struct dentry *old_dentry, const struct path *new_dir,1997struct dentry *new_dentry)1998{1999if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))2000return 0;2001return call_int_hook(path_link, old_dentry, new_dir, new_dentry);2002}20032004/**2005* security_path_rename() - Check if renaming a file is allowed2006* @old_dir: parent directory of the old file2007* @old_dentry: the old file2008* @new_dir: parent directory of the new file2009* @new_dentry: the new file2010* @flags: flags2011*2012* Check for permission to rename a file or directory.2013*2014* Return: Returns 0 if permission is granted.2015*/2016int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,2017const struct path *new_dir, struct dentry *new_dentry,2018unsigned int flags)2019{2020if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||2021(d_is_positive(new_dentry) &&2022IS_PRIVATE(d_backing_inode(new_dentry)))))2023return 0;20242025return call_int_hook(path_rename, old_dir, old_dentry, new_dir,2026new_dentry, flags);2027}2028EXPORT_SYMBOL(security_path_rename);20292030/**2031* security_path_truncate() - Check if truncating a file is allowed2032* @path: file2033*2034* Check permission before truncating the file indicated by path. Note that2035* truncation permissions may also be checked based on already opened files,2036* using the security_file_truncate() hook.2037*2038* Return: Returns 0 if permission is granted.2039*/2040int security_path_truncate(const struct path *path)2041{2042if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))2043return 0;2044return call_int_hook(path_truncate, path);2045}20462047/**2048* security_path_chmod() - Check if changing the file's mode is allowed2049* @path: file2050* @mode: new mode2051*2052* Check for permission to change a mode of the file @path. The new mode is2053* specified in @mode which is a bitmask of constants from2054* <include/uapi/linux/stat.h>.2055*2056* Return: Returns 0 if permission is granted.2057*/2058int security_path_chmod(const struct path *path, umode_t mode)2059{2060if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))2061return 0;2062return call_int_hook(path_chmod, path, mode);2063}20642065/**2066* security_path_chown() - Check if changing the file's owner/group is allowed2067* @path: file2068* @uid: file owner2069* @gid: file group2070*2071* Check for permission to change owner/group of a file or directory.2072*2073* Return: Returns 0 if permission is granted.2074*/2075int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)2076{2077if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))2078return 0;2079return call_int_hook(path_chown, path, uid, gid);2080}20812082/**2083* security_path_chroot() - Check if changing the root directory is allowed2084* @path: directory2085*2086* Check for permission to change root directory.2087*2088* Return: Returns 0 if permission is granted.2089*/2090int security_path_chroot(const struct path *path)2091{2092return call_int_hook(path_chroot, path);2093}2094#endif /* CONFIG_SECURITY_PATH */20952096/**2097* security_inode_create() - Check if creating a file is allowed2098* @dir: the parent directory2099* @dentry: the file being created2100* @mode: requested file mode2101*2102* Check permission to create a regular file.2103*2104* Return: Returns 0 if permission is granted.2105*/2106int security_inode_create(struct inode *dir, struct dentry *dentry,2107umode_t mode)2108{2109if (unlikely(IS_PRIVATE(dir)))2110return 0;2111return call_int_hook(inode_create, dir, dentry, mode);2112}2113EXPORT_SYMBOL_GPL(security_inode_create);21142115/**2116* security_inode_post_create_tmpfile() - Update inode security of new tmpfile2117* @idmap: idmap of the mount2118* @inode: inode of the new tmpfile2119*2120* Update inode security data after a tmpfile has been created.2121*/2122void security_inode_post_create_tmpfile(struct mnt_idmap *idmap,2123struct inode *inode)2124{2125if (unlikely(IS_PRIVATE(inode)))2126return;2127call_void_hook(inode_post_create_tmpfile, idmap, inode);2128}21292130/**2131* security_inode_link() - Check if creating a hard link is allowed2132* @old_dentry: existing file2133* @dir: new parent directory2134* @new_dentry: new link2135*2136* Check permission before creating a new hard link to a file.2137*2138* Return: Returns 0 if permission is granted.2139*/2140int security_inode_link(struct dentry *old_dentry, struct inode *dir,2141struct dentry *new_dentry)2142{2143if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))2144return 0;2145return call_int_hook(inode_link, old_dentry, dir, new_dentry);2146}21472148/**2149* security_inode_unlink() - Check if removing a hard link is allowed2150* @dir: parent directory2151* @dentry: file2152*2153* Check the permission to remove a hard link to a file.2154*2155* Return: Returns 0 if permission is granted.2156*/2157int security_inode_unlink(struct inode *dir, struct dentry *dentry)2158{2159if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2160return 0;2161return call_int_hook(inode_unlink, dir, dentry);2162}21632164/**2165* security_inode_symlink() - Check if creating a symbolic link is allowed2166* @dir: parent directory2167* @dentry: symbolic link2168* @old_name: existing filename2169*2170* Check the permission to create a symbolic link to a file.2171*2172* Return: Returns 0 if permission is granted.2173*/2174int security_inode_symlink(struct inode *dir, struct dentry *dentry,2175const char *old_name)2176{2177if (unlikely(IS_PRIVATE(dir)))2178return 0;2179return call_int_hook(inode_symlink, dir, dentry, old_name);2180}21812182/**2183* security_inode_mkdir() - Check if creating a new directory is allowed2184* @dir: parent directory2185* @dentry: new directory2186* @mode: new directory mode2187*2188* Check permissions to create a new directory in the existing directory2189* associated with inode structure @dir.2190*2191* Return: Returns 0 if permission is granted.2192*/2193int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)2194{2195if (unlikely(IS_PRIVATE(dir)))2196return 0;2197return call_int_hook(inode_mkdir, dir, dentry, mode);2198}2199EXPORT_SYMBOL_GPL(security_inode_mkdir);22002201/**2202* security_inode_rmdir() - Check if removing a directory is allowed2203* @dir: parent directory2204* @dentry: directory to be removed2205*2206* Check the permission to remove a directory.2207*2208* Return: Returns 0 if permission is granted.2209*/2210int security_inode_rmdir(struct inode *dir, struct dentry *dentry)2211{2212if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2213return 0;2214return call_int_hook(inode_rmdir, dir, dentry);2215}22162217/**2218* security_inode_mknod() - Check if creating a special file is allowed2219* @dir: parent directory2220* @dentry: new file2221* @mode: new file mode2222* @dev: device number2223*2224* Check permissions when creating a special file (or a socket or a fifo file2225* created via the mknod system call). Note that if mknod operation is being2226* done for a regular file, then the create hook will be called and not this2227* hook.2228*2229* Return: Returns 0 if permission is granted.2230*/2231int security_inode_mknod(struct inode *dir, struct dentry *dentry,2232umode_t mode, dev_t dev)2233{2234if (unlikely(IS_PRIVATE(dir)))2235return 0;2236return call_int_hook(inode_mknod, dir, dentry, mode, dev);2237}22382239/**2240* security_inode_rename() - Check if renaming a file is allowed2241* @old_dir: parent directory of the old file2242* @old_dentry: the old file2243* @new_dir: parent directory of the new file2244* @new_dentry: the new file2245* @flags: flags2246*2247* Check for permission to rename a file or directory.2248*2249* Return: Returns 0 if permission is granted.2250*/2251int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,2252struct inode *new_dir, struct dentry *new_dentry,2253unsigned int flags)2254{2255if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||2256(d_is_positive(new_dentry) &&2257IS_PRIVATE(d_backing_inode(new_dentry)))))2258return 0;22592260if (flags & RENAME_EXCHANGE) {2261int err = call_int_hook(inode_rename, new_dir, new_dentry,2262old_dir, old_dentry);2263if (err)2264return err;2265}22662267return call_int_hook(inode_rename, old_dir, old_dentry,2268new_dir, new_dentry);2269}22702271/**2272* security_inode_readlink() - Check if reading a symbolic link is allowed2273* @dentry: link2274*2275* Check the permission to read the symbolic link.2276*2277* Return: Returns 0 if permission is granted.2278*/2279int security_inode_readlink(struct dentry *dentry)2280{2281if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2282return 0;2283return call_int_hook(inode_readlink, dentry);2284}22852286/**2287* security_inode_follow_link() - Check if following a symbolic link is allowed2288* @dentry: link dentry2289* @inode: link inode2290* @rcu: true if in RCU-walk mode2291*2292* Check permission to follow a symbolic link when looking up a pathname. If2293* @rcu is true, @inode is not stable.2294*2295* Return: Returns 0 if permission is granted.2296*/2297int security_inode_follow_link(struct dentry *dentry, struct inode *inode,2298bool rcu)2299{2300if (unlikely(IS_PRIVATE(inode)))2301return 0;2302return call_int_hook(inode_follow_link, dentry, inode, rcu);2303}23042305/**2306* security_inode_permission() - Check if accessing an inode is allowed2307* @inode: inode2308* @mask: access mask2309*2310* Check permission before accessing an inode. This hook is called by the2311* existing Linux permission function, so a security module can use it to2312* provide additional checking for existing Linux permission checks. Notice2313* that this hook is called when a file is opened (as well as many other2314* operations), whereas the file_security_ops permission hook is called when2315* the actual read/write operations are performed.2316*2317* Return: Returns 0 if permission is granted.2318*/2319int security_inode_permission(struct inode *inode, int mask)2320{2321if (unlikely(IS_PRIVATE(inode)))2322return 0;2323return call_int_hook(inode_permission, inode, mask);2324}23252326/**2327* security_inode_setattr() - Check if setting file attributes is allowed2328* @idmap: idmap of the mount2329* @dentry: file2330* @attr: new attributes2331*2332* Check permission before setting file attributes. Note that the kernel call2333* to notify_change is performed from several locations, whenever file2334* attributes change (such as when a file is truncated, chown/chmod operations,2335* transferring disk quotas, etc).2336*2337* Return: Returns 0 if permission is granted.2338*/2339int security_inode_setattr(struct mnt_idmap *idmap,2340struct dentry *dentry, struct iattr *attr)2341{2342if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2343return 0;2344return call_int_hook(inode_setattr, idmap, dentry, attr);2345}2346EXPORT_SYMBOL_GPL(security_inode_setattr);23472348/**2349* security_inode_post_setattr() - Update the inode after a setattr operation2350* @idmap: idmap of the mount2351* @dentry: file2352* @ia_valid: file attributes set2353*2354* Update inode security field after successful setting file attributes.2355*/2356void security_inode_post_setattr(struct mnt_idmap *idmap, struct dentry *dentry,2357int ia_valid)2358{2359if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2360return;2361call_void_hook(inode_post_setattr, idmap, dentry, ia_valid);2362}23632364/**2365* security_inode_getattr() - Check if getting file attributes is allowed2366* @path: file2367*2368* Check permission before obtaining file attributes.2369*2370* Return: Returns 0 if permission is granted.2371*/2372int security_inode_getattr(const struct path *path)2373{2374if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))2375return 0;2376return call_int_hook(inode_getattr, path);2377}23782379/**2380* security_inode_setxattr() - Check if setting file xattrs is allowed2381* @idmap: idmap of the mount2382* @dentry: file2383* @name: xattr name2384* @value: xattr value2385* @size: size of xattr value2386* @flags: flags2387*2388* This hook performs the desired permission checks before setting the extended2389* attributes (xattrs) on @dentry. It is important to note that we have some2390* additional logic before the main LSM implementation calls to detect if we2391* need to perform an additional capability check at the LSM layer.2392*2393* Normally we enforce a capability check prior to executing the various LSM2394* hook implementations, but if a LSM wants to avoid this capability check,2395* it can register a 'inode_xattr_skipcap' hook and return a value of 1 for2396* xattrs that it wants to avoid the capability check, leaving the LSM fully2397* responsible for enforcing the access control for the specific xattr. If all2398* of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook,2399* or return a 0 (the default return value), the capability check is still2400* performed. If no 'inode_xattr_skipcap' hooks are registered the capability2401* check is performed.2402*2403* Return: Returns 0 if permission is granted.2404*/2405int security_inode_setxattr(struct mnt_idmap *idmap,2406struct dentry *dentry, const char *name,2407const void *value, size_t size, int flags)2408{2409int rc;24102411if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2412return 0;24132414/* enforce the capability checks at the lsm layer, if needed */2415if (!call_int_hook(inode_xattr_skipcap, name)) {2416rc = cap_inode_setxattr(dentry, name, value, size, flags);2417if (rc)2418return rc;2419}24202421return call_int_hook(inode_setxattr, idmap, dentry, name, value, size,2422flags);2423}24242425/**2426* security_inode_set_acl() - Check if setting posix acls is allowed2427* @idmap: idmap of the mount2428* @dentry: file2429* @acl_name: acl name2430* @kacl: acl struct2431*2432* Check permission before setting posix acls, the posix acls in @kacl are2433* identified by @acl_name.2434*2435* Return: Returns 0 if permission is granted.2436*/2437int security_inode_set_acl(struct mnt_idmap *idmap,2438struct dentry *dentry, const char *acl_name,2439struct posix_acl *kacl)2440{2441if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2442return 0;2443return call_int_hook(inode_set_acl, idmap, dentry, acl_name, kacl);2444}24452446/**2447* security_inode_post_set_acl() - Update inode security from posix acls set2448* @dentry: file2449* @acl_name: acl name2450* @kacl: acl struct2451*2452* Update inode security data after successfully setting posix acls on @dentry.2453* The posix acls in @kacl are identified by @acl_name.2454*/2455void security_inode_post_set_acl(struct dentry *dentry, const char *acl_name,2456struct posix_acl *kacl)2457{2458if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2459return;2460call_void_hook(inode_post_set_acl, dentry, acl_name, kacl);2461}24622463/**2464* security_inode_get_acl() - Check if reading posix acls is allowed2465* @idmap: idmap of the mount2466* @dentry: file2467* @acl_name: acl name2468*2469* Check permission before getting osix acls, the posix acls are identified by2470* @acl_name.2471*2472* Return: Returns 0 if permission is granted.2473*/2474int security_inode_get_acl(struct mnt_idmap *idmap,2475struct dentry *dentry, const char *acl_name)2476{2477if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2478return 0;2479return call_int_hook(inode_get_acl, idmap, dentry, acl_name);2480}24812482/**2483* security_inode_remove_acl() - Check if removing a posix acl is allowed2484* @idmap: idmap of the mount2485* @dentry: file2486* @acl_name: acl name2487*2488* Check permission before removing posix acls, the posix acls are identified2489* by @acl_name.2490*2491* Return: Returns 0 if permission is granted.2492*/2493int security_inode_remove_acl(struct mnt_idmap *idmap,2494struct dentry *dentry, const char *acl_name)2495{2496if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2497return 0;2498return call_int_hook(inode_remove_acl, idmap, dentry, acl_name);2499}25002501/**2502* security_inode_post_remove_acl() - Update inode security after rm posix acls2503* @idmap: idmap of the mount2504* @dentry: file2505* @acl_name: acl name2506*2507* Update inode security data after successfully removing posix acls on2508* @dentry in @idmap. The posix acls are identified by @acl_name.2509*/2510void security_inode_post_remove_acl(struct mnt_idmap *idmap,2511struct dentry *dentry, const char *acl_name)2512{2513if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2514return;2515call_void_hook(inode_post_remove_acl, idmap, dentry, acl_name);2516}25172518/**2519* security_inode_post_setxattr() - Update the inode after a setxattr operation2520* @dentry: file2521* @name: xattr name2522* @value: xattr value2523* @size: xattr value size2524* @flags: flags2525*2526* Update inode security field after successful setxattr operation.2527*/2528void security_inode_post_setxattr(struct dentry *dentry, const char *name,2529const void *value, size_t size, int flags)2530{2531if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2532return;2533call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);2534}25352536/**2537* security_inode_getxattr() - Check if xattr access is allowed2538* @dentry: file2539* @name: xattr name2540*2541* Check permission before obtaining the extended attributes identified by2542* @name for @dentry.2543*2544* Return: Returns 0 if permission is granted.2545*/2546int security_inode_getxattr(struct dentry *dentry, const char *name)2547{2548if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2549return 0;2550return call_int_hook(inode_getxattr, dentry, name);2551}25522553/**2554* security_inode_listxattr() - Check if listing xattrs is allowed2555* @dentry: file2556*2557* Check permission before obtaining the list of extended attribute names for2558* @dentry.2559*2560* Return: Returns 0 if permission is granted.2561*/2562int security_inode_listxattr(struct dentry *dentry)2563{2564if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2565return 0;2566return call_int_hook(inode_listxattr, dentry);2567}25682569/**2570* security_inode_removexattr() - Check if removing an xattr is allowed2571* @idmap: idmap of the mount2572* @dentry: file2573* @name: xattr name2574*2575* This hook performs the desired permission checks before setting the extended2576* attributes (xattrs) on @dentry. It is important to note that we have some2577* additional logic before the main LSM implementation calls to detect if we2578* need to perform an additional capability check at the LSM layer.2579*2580* Normally we enforce a capability check prior to executing the various LSM2581* hook implementations, but if a LSM wants to avoid this capability check,2582* it can register a 'inode_xattr_skipcap' hook and return a value of 1 for2583* xattrs that it wants to avoid the capability check, leaving the LSM fully2584* responsible for enforcing the access control for the specific xattr. If all2585* of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook,2586* or return a 0 (the default return value), the capability check is still2587* performed. If no 'inode_xattr_skipcap' hooks are registered the capability2588* check is performed.2589*2590* Return: Returns 0 if permission is granted.2591*/2592int security_inode_removexattr(struct mnt_idmap *idmap,2593struct dentry *dentry, const char *name)2594{2595int rc;25962597if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2598return 0;25992600/* enforce the capability checks at the lsm layer, if needed */2601if (!call_int_hook(inode_xattr_skipcap, name)) {2602rc = cap_inode_removexattr(idmap, dentry, name);2603if (rc)2604return rc;2605}26062607return call_int_hook(inode_removexattr, idmap, dentry, name);2608}26092610/**2611* security_inode_post_removexattr() - Update the inode after a removexattr op2612* @dentry: file2613* @name: xattr name2614*2615* Update the inode after a successful removexattr operation.2616*/2617void security_inode_post_removexattr(struct dentry *dentry, const char *name)2618{2619if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2620return;2621call_void_hook(inode_post_removexattr, dentry, name);2622}26232624/**2625* security_inode_file_setattr() - check if setting fsxattr is allowed2626* @dentry: file to set filesystem extended attributes on2627* @fa: extended attributes to set on the inode2628*2629* Called when file_setattr() syscall or FS_IOC_FSSETXATTR ioctl() is called on2630* inode2631*2632* Return: Returns 0 if permission is granted.2633*/2634int security_inode_file_setattr(struct dentry *dentry, struct file_kattr *fa)2635{2636return call_int_hook(inode_file_setattr, dentry, fa);2637}26382639/**2640* security_inode_file_getattr() - check if retrieving fsxattr is allowed2641* @dentry: file to retrieve filesystem extended attributes from2642* @fa: extended attributes to get2643*2644* Called when file_getattr() syscall or FS_IOC_FSGETXATTR ioctl() is called on2645* inode2646*2647* Return: Returns 0 if permission is granted.2648*/2649int security_inode_file_getattr(struct dentry *dentry, struct file_kattr *fa)2650{2651return call_int_hook(inode_file_getattr, dentry, fa);2652}26532654/**2655* security_inode_need_killpriv() - Check if security_inode_killpriv() required2656* @dentry: associated dentry2657*2658* Called when an inode has been changed to determine if2659* security_inode_killpriv() should be called.2660*2661* Return: Return <0 on error to abort the inode change operation, return 0 if2662* security_inode_killpriv() does not need to be called, return >0 if2663* security_inode_killpriv() does need to be called.2664*/2665int security_inode_need_killpriv(struct dentry *dentry)2666{2667return call_int_hook(inode_need_killpriv, dentry);2668}26692670/**2671* security_inode_killpriv() - The setuid bit is removed, update LSM state2672* @idmap: idmap of the mount2673* @dentry: associated dentry2674*2675* The @dentry's setuid bit is being removed. Remove similar security labels.2676* Called with the dentry->d_inode->i_mutex held.2677*2678* Return: Return 0 on success. If error is returned, then the operation2679* causing setuid bit removal is failed.2680*/2681int security_inode_killpriv(struct mnt_idmap *idmap,2682struct dentry *dentry)2683{2684return call_int_hook(inode_killpriv, idmap, dentry);2685}26862687/**2688* security_inode_getsecurity() - Get the xattr security label of an inode2689* @idmap: idmap of the mount2690* @inode: inode2691* @name: xattr name2692* @buffer: security label buffer2693* @alloc: allocation flag2694*2695* Retrieve a copy of the extended attribute representation of the security2696* label associated with @name for @inode via @buffer. Note that @name is the2697* remainder of the attribute name after the security prefix has been removed.2698* @alloc is used to specify if the call should return a value via the buffer2699* or just the value length.2700*2701* Return: Returns size of buffer on success.2702*/2703int security_inode_getsecurity(struct mnt_idmap *idmap,2704struct inode *inode, const char *name,2705void **buffer, bool alloc)2706{2707if (unlikely(IS_PRIVATE(inode)))2708return LSM_RET_DEFAULT(inode_getsecurity);27092710return call_int_hook(inode_getsecurity, idmap, inode, name, buffer,2711alloc);2712}27132714/**2715* security_inode_setsecurity() - Set the xattr security label of an inode2716* @inode: inode2717* @name: xattr name2718* @value: security label2719* @size: length of security label2720* @flags: flags2721*2722* Set the security label associated with @name for @inode from the extended2723* attribute value @value. @size indicates the size of the @value in bytes.2724* @flags may be XATTR_CREATE, XATTR_REPLACE, or 0. Note that @name is the2725* remainder of the attribute name after the security. prefix has been removed.2726*2727* Return: Returns 0 on success.2728*/2729int security_inode_setsecurity(struct inode *inode, const char *name,2730const void *value, size_t size, int flags)2731{2732if (unlikely(IS_PRIVATE(inode)))2733return LSM_RET_DEFAULT(inode_setsecurity);27342735return call_int_hook(inode_setsecurity, inode, name, value, size,2736flags);2737}27382739/**2740* security_inode_listsecurity() - List the xattr security label names2741* @inode: inode2742* @buffer: buffer2743* @buffer_size: size of buffer2744*2745* Copy the extended attribute names for the security labels associated with2746* @inode into @buffer. The maximum size of @buffer is specified by2747* @buffer_size. @buffer may be NULL to request the size of the buffer2748* required.2749*2750* Return: Returns number of bytes used/required on success.2751*/2752int security_inode_listsecurity(struct inode *inode,2753char *buffer, size_t buffer_size)2754{2755if (unlikely(IS_PRIVATE(inode)))2756return 0;2757return call_int_hook(inode_listsecurity, inode, buffer, buffer_size);2758}2759EXPORT_SYMBOL(security_inode_listsecurity);27602761/**2762* security_inode_getlsmprop() - Get an inode's LSM data2763* @inode: inode2764* @prop: lsm specific information to return2765*2766* Get the lsm specific information associated with the node.2767*/2768void security_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)2769{2770call_void_hook(inode_getlsmprop, inode, prop);2771}27722773/**2774* security_inode_copy_up() - Create new creds for an overlayfs copy-up op2775* @src: union dentry of copy-up file2776* @new: newly created creds2777*2778* A file is about to be copied up from lower layer to upper layer of overlay2779* filesystem. Security module can prepare a set of new creds and modify as2780* need be and return new creds. Caller will switch to new creds temporarily to2781* create new file and release newly allocated creds.2782*2783* Return: Returns 0 on success or a negative error code on error.2784*/2785int security_inode_copy_up(struct dentry *src, struct cred **new)2786{2787return call_int_hook(inode_copy_up, src, new);2788}2789EXPORT_SYMBOL(security_inode_copy_up);27902791/**2792* security_inode_copy_up_xattr() - Filter xattrs in an overlayfs copy-up op2793* @src: union dentry of copy-up file2794* @name: xattr name2795*2796* Filter the xattrs being copied up when a unioned file is copied up from a2797* lower layer to the union/overlay layer. The caller is responsible for2798* reading and writing the xattrs, this hook is merely a filter.2799*2800* Return: Returns 0 to accept the xattr, -ECANCELED to discard the xattr,2801* -EOPNOTSUPP if the security module does not know about attribute,2802* or a negative error code to abort the copy up.2803*/2804int security_inode_copy_up_xattr(struct dentry *src, const char *name)2805{2806int rc;28072808rc = call_int_hook(inode_copy_up_xattr, src, name);2809if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr))2810return rc;28112812return LSM_RET_DEFAULT(inode_copy_up_xattr);2813}2814EXPORT_SYMBOL(security_inode_copy_up_xattr);28152816/**2817* security_inode_setintegrity() - Set the inode's integrity data2818* @inode: inode2819* @type: type of integrity, e.g. hash digest, signature, etc2820* @value: the integrity value2821* @size: size of the integrity value2822*2823* Register a verified integrity measurement of a inode with LSMs.2824* LSMs should free the previously saved data if @value is NULL.2825*2826* Return: Returns 0 on success, negative values on failure.2827*/2828int security_inode_setintegrity(const struct inode *inode,2829enum lsm_integrity_type type, const void *value,2830size_t size)2831{2832return call_int_hook(inode_setintegrity, inode, type, value, size);2833}2834EXPORT_SYMBOL(security_inode_setintegrity);28352836/**2837* security_kernfs_init_security() - Init LSM context for a kernfs node2838* @kn_dir: parent kernfs node2839* @kn: the kernfs node to initialize2840*2841* Initialize the security context of a newly created kernfs node based on its2842* own and its parent's attributes.2843*2844* Return: Returns 0 if permission is granted.2845*/2846int security_kernfs_init_security(struct kernfs_node *kn_dir,2847struct kernfs_node *kn)2848{2849return call_int_hook(kernfs_init_security, kn_dir, kn);2850}28512852/**2853* security_file_permission() - Check file permissions2854* @file: file2855* @mask: requested permissions2856*2857* Check file permissions before accessing an open file. This hook is called2858* by various operations that read or write files. A security module can use2859* this hook to perform additional checking on these operations, e.g. to2860* revalidate permissions on use to support privilege bracketing or policy2861* changes. Notice that this hook is used when the actual read/write2862* operations are performed, whereas the inode_security_ops hook is called when2863* a file is opened (as well as many other operations). Although this hook can2864* be used to revalidate permissions for various system call operations that2865* read or write files, it does not address the revalidation of permissions for2866* memory-mapped files. Security modules must handle this separately if they2867* need such revalidation.2868*2869* Return: Returns 0 if permission is granted.2870*/2871int security_file_permission(struct file *file, int mask)2872{2873return call_int_hook(file_permission, file, mask);2874}28752876/**2877* security_file_alloc() - Allocate and init a file's LSM blob2878* @file: the file2879*2880* Allocate and attach a security structure to the file->f_security field. The2881* security field is initialized to NULL when the structure is first created.2882*2883* Return: Return 0 if the hook is successful and permission is granted.2884*/2885int security_file_alloc(struct file *file)2886{2887int rc = lsm_file_alloc(file);28882889if (rc)2890return rc;2891rc = call_int_hook(file_alloc_security, file);2892if (unlikely(rc))2893security_file_free(file);2894return rc;2895}28962897/**2898* security_file_release() - Perform actions before releasing the file ref2899* @file: the file2900*2901* Perform actions before releasing the last reference to a file.2902*/2903void security_file_release(struct file *file)2904{2905call_void_hook(file_release, file);2906}29072908/**2909* security_file_free() - Free a file's LSM blob2910* @file: the file2911*2912* Deallocate and free any security structures stored in file->f_security.2913*/2914void security_file_free(struct file *file)2915{2916void *blob;29172918call_void_hook(file_free_security, file);29192920blob = file->f_security;2921if (blob) {2922file->f_security = NULL;2923kmem_cache_free(lsm_file_cache, blob);2924}2925}29262927/**2928* security_file_ioctl() - Check if an ioctl is allowed2929* @file: associated file2930* @cmd: ioctl cmd2931* @arg: ioctl arguments2932*2933* Check permission for an ioctl operation on @file. Note that @arg sometimes2934* represents a user space pointer; in other cases, it may be a simple integer2935* value. When @arg represents a user space pointer, it should never be used2936* by the security module.2937*2938* Return: Returns 0 if permission is granted.2939*/2940int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)2941{2942return call_int_hook(file_ioctl, file, cmd, arg);2943}2944EXPORT_SYMBOL_GPL(security_file_ioctl);29452946/**2947* security_file_ioctl_compat() - Check if an ioctl is allowed in compat mode2948* @file: associated file2949* @cmd: ioctl cmd2950* @arg: ioctl arguments2951*2952* Compat version of security_file_ioctl() that correctly handles 32-bit2953* processes running on 64-bit kernels.2954*2955* Return: Returns 0 if permission is granted.2956*/2957int security_file_ioctl_compat(struct file *file, unsigned int cmd,2958unsigned long arg)2959{2960return call_int_hook(file_ioctl_compat, file, cmd, arg);2961}2962EXPORT_SYMBOL_GPL(security_file_ioctl_compat);29632964static inline unsigned long mmap_prot(struct file *file, unsigned long prot)2965{2966/*2967* Does we have PROT_READ and does the application expect2968* it to imply PROT_EXEC? If not, nothing to talk about...2969*/2970if ((prot & (PROT_READ | PROT_EXEC)) != PROT_READ)2971return prot;2972if (!(current->personality & READ_IMPLIES_EXEC))2973return prot;2974/*2975* if that's an anonymous mapping, let it.2976*/2977if (!file)2978return prot | PROT_EXEC;2979/*2980* ditto if it's not on noexec mount, except that on !MMU we need2981* NOMMU_MAP_EXEC (== VM_MAYEXEC) in this case2982*/2983if (!path_noexec(&file->f_path)) {2984#ifndef CONFIG_MMU2985if (file->f_op->mmap_capabilities) {2986unsigned caps = file->f_op->mmap_capabilities(file);2987if (!(caps & NOMMU_MAP_EXEC))2988return prot;2989}2990#endif2991return prot | PROT_EXEC;2992}2993/* anything on noexec mount won't get PROT_EXEC */2994return prot;2995}29962997/**2998* security_mmap_file() - Check if mmap'ing a file is allowed2999* @file: file3000* @prot: protection applied by the kernel3001* @flags: flags3002*3003* Check permissions for a mmap operation. The @file may be NULL, e.g. if3004* mapping anonymous memory.3005*3006* Return: Returns 0 if permission is granted.3007*/3008int security_mmap_file(struct file *file, unsigned long prot,3009unsigned long flags)3010{3011return call_int_hook(mmap_file, file, prot, mmap_prot(file, prot),3012flags);3013}30143015/**3016* security_mmap_addr() - Check if mmap'ing an address is allowed3017* @addr: address3018*3019* Check permissions for a mmap operation at @addr.3020*3021* Return: Returns 0 if permission is granted.3022*/3023int security_mmap_addr(unsigned long addr)3024{3025return call_int_hook(mmap_addr, addr);3026}30273028/**3029* security_file_mprotect() - Check if changing memory protections is allowed3030* @vma: memory region3031* @reqprot: application requested protection3032* @prot: protection applied by the kernel3033*3034* Check permissions before changing memory access permissions.3035*3036* Return: Returns 0 if permission is granted.3037*/3038int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,3039unsigned long prot)3040{3041return call_int_hook(file_mprotect, vma, reqprot, prot);3042}30433044/**3045* security_file_lock() - Check if a file lock is allowed3046* @file: file3047* @cmd: lock operation (e.g. F_RDLCK, F_WRLCK)3048*3049* Check permission before performing file locking operations. Note the hook3050* mediates both flock and fcntl style locks.3051*3052* Return: Returns 0 if permission is granted.3053*/3054int security_file_lock(struct file *file, unsigned int cmd)3055{3056return call_int_hook(file_lock, file, cmd);3057}30583059/**3060* security_file_fcntl() - Check if fcntl() op is allowed3061* @file: file3062* @cmd: fcntl command3063* @arg: command argument3064*3065* Check permission before allowing the file operation specified by @cmd from3066* being performed on the file @file. Note that @arg sometimes represents a3067* user space pointer; in other cases, it may be a simple integer value. When3068* @arg represents a user space pointer, it should never be used by the3069* security module.3070*3071* Return: Returns 0 if permission is granted.3072*/3073int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)3074{3075return call_int_hook(file_fcntl, file, cmd, arg);3076}30773078/**3079* security_file_set_fowner() - Set the file owner info in the LSM blob3080* @file: the file3081*3082* Save owner security information (typically from current->security) in3083* file->f_security for later use by the send_sigiotask hook.3084*3085* This hook is called with file->f_owner.lock held.3086*3087* Return: Returns 0 on success.3088*/3089void security_file_set_fowner(struct file *file)3090{3091call_void_hook(file_set_fowner, file);3092}30933094/**3095* security_file_send_sigiotask() - Check if sending SIGIO/SIGURG is allowed3096* @tsk: target task3097* @fown: signal sender3098* @sig: signal to be sent, SIGIO is sent if 03099*3100* Check permission for the file owner @fown to send SIGIO or SIGURG to the3101* process @tsk. Note that this hook is sometimes called from interrupt. Note3102* that the fown_struct, @fown, is never outside the context of a struct file,3103* so the file structure (and associated security information) can always be3104* obtained: container_of(fown, struct file, f_owner).3105*3106* Return: Returns 0 if permission is granted.3107*/3108int security_file_send_sigiotask(struct task_struct *tsk,3109struct fown_struct *fown, int sig)3110{3111return call_int_hook(file_send_sigiotask, tsk, fown, sig);3112}31133114/**3115* security_file_receive() - Check if receiving a file via IPC is allowed3116* @file: file being received3117*3118* This hook allows security modules to control the ability of a process to3119* receive an open file descriptor via socket IPC.3120*3121* Return: Returns 0 if permission is granted.3122*/3123int security_file_receive(struct file *file)3124{3125return call_int_hook(file_receive, file);3126}31273128/**3129* security_file_open() - Save open() time state for late use by the LSM3130* @file:3131*3132* Save open-time permission checking state for later use upon file_permission,3133* and recheck access if anything has changed since inode_permission.3134*3135* We can check if a file is opened for execution (e.g. execve(2) call), either3136* directly or indirectly (e.g. ELF's ld.so) by checking file->f_flags &3137* __FMODE_EXEC .3138*3139* Return: Returns 0 if permission is granted.3140*/3141int security_file_open(struct file *file)3142{3143return call_int_hook(file_open, file);3144}31453146/**3147* security_file_post_open() - Evaluate a file after it has been opened3148* @file: the file3149* @mask: access mask3150*3151* Evaluate an opened file and the access mask requested with open(). The hook3152* is useful for LSMs that require the file content to be available in order to3153* make decisions.3154*3155* Return: Returns 0 if permission is granted.3156*/3157int security_file_post_open(struct file *file, int mask)3158{3159return call_int_hook(file_post_open, file, mask);3160}3161EXPORT_SYMBOL_GPL(security_file_post_open);31623163/**3164* security_file_truncate() - Check if truncating a file is allowed3165* @file: file3166*3167* Check permission before truncating a file, i.e. using ftruncate. Note that3168* truncation permission may also be checked based on the path, using the3169* @path_truncate hook.3170*3171* Return: Returns 0 if permission is granted.3172*/3173int security_file_truncate(struct file *file)3174{3175return call_int_hook(file_truncate, file);3176}31773178/**3179* security_task_alloc() - Allocate a task's LSM blob3180* @task: the task3181* @clone_flags: flags indicating what is being shared3182*3183* Handle allocation of task-related resources.3184*3185* Return: Returns a zero on success, negative values on failure.3186*/3187int security_task_alloc(struct task_struct *task, unsigned long clone_flags)3188{3189int rc = lsm_task_alloc(task);31903191if (rc)3192return rc;3193rc = call_int_hook(task_alloc, task, clone_flags);3194if (unlikely(rc))3195security_task_free(task);3196return rc;3197}31983199/**3200* security_task_free() - Free a task's LSM blob and related resources3201* @task: task3202*3203* Handle release of task-related resources. Note that this can be called from3204* interrupt context.3205*/3206void security_task_free(struct task_struct *task)3207{3208call_void_hook(task_free, task);32093210kfree(task->security);3211task->security = NULL;3212}32133214/**3215* security_cred_alloc_blank() - Allocate the min memory to allow cred_transfer3216* @cred: credentials3217* @gfp: gfp flags3218*3219* Only allocate sufficient memory and attach to @cred such that3220* cred_transfer() will not get ENOMEM.3221*3222* Return: Returns 0 on success, negative values on failure.3223*/3224int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)3225{3226int rc = lsm_cred_alloc(cred, gfp);32273228if (rc)3229return rc;32303231rc = call_int_hook(cred_alloc_blank, cred, gfp);3232if (unlikely(rc))3233security_cred_free(cred);3234return rc;3235}32363237/**3238* security_cred_free() - Free the cred's LSM blob and associated resources3239* @cred: credentials3240*3241* Deallocate and clear the cred->security field in a set of credentials.3242*/3243void security_cred_free(struct cred *cred)3244{3245/*3246* There is a failure case in prepare_creds() that3247* may result in a call here with ->security being NULL.3248*/3249if (unlikely(cred->security == NULL))3250return;32513252call_void_hook(cred_free, cred);32533254kfree(cred->security);3255cred->security = NULL;3256}32573258/**3259* security_prepare_creds() - Prepare a new set of credentials3260* @new: new credentials3261* @old: original credentials3262* @gfp: gfp flags3263*3264* Prepare a new set of credentials by copying the data from the old set.3265*3266* Return: Returns 0 on success, negative values on failure.3267*/3268int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)3269{3270int rc = lsm_cred_alloc(new, gfp);32713272if (rc)3273return rc;32743275rc = call_int_hook(cred_prepare, new, old, gfp);3276if (unlikely(rc))3277security_cred_free(new);3278return rc;3279}32803281/**3282* security_transfer_creds() - Transfer creds3283* @new: target credentials3284* @old: original credentials3285*3286* Transfer data from original creds to new creds.3287*/3288void security_transfer_creds(struct cred *new, const struct cred *old)3289{3290call_void_hook(cred_transfer, new, old);3291}32923293/**3294* security_cred_getsecid() - Get the secid from a set of credentials3295* @c: credentials3296* @secid: secid value3297*3298* Retrieve the security identifier of the cred structure @c. In case of3299* failure, @secid will be set to zero.3300*/3301void security_cred_getsecid(const struct cred *c, u32 *secid)3302{3303*secid = 0;3304call_void_hook(cred_getsecid, c, secid);3305}3306EXPORT_SYMBOL(security_cred_getsecid);33073308/**3309* security_cred_getlsmprop() - Get the LSM data from a set of credentials3310* @c: credentials3311* @prop: destination for the LSM data3312*3313* Retrieve the security data of the cred structure @c. In case of3314* failure, @prop will be cleared.3315*/3316void security_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)3317{3318lsmprop_init(prop);3319call_void_hook(cred_getlsmprop, c, prop);3320}3321EXPORT_SYMBOL(security_cred_getlsmprop);33223323/**3324* security_kernel_act_as() - Set the kernel credentials to act as secid3325* @new: credentials3326* @secid: secid3327*3328* Set the credentials for a kernel service to act as (subjective context).3329* The current task must be the one that nominated @secid.3330*3331* Return: Returns 0 if successful.3332*/3333int security_kernel_act_as(struct cred *new, u32 secid)3334{3335return call_int_hook(kernel_act_as, new, secid);3336}33373338/**3339* security_kernel_create_files_as() - Set file creation context using an inode3340* @new: target credentials3341* @inode: reference inode3342*3343* Set the file creation context in a set of credentials to be the same as the3344* objective context of the specified inode. The current task must be the one3345* that nominated @inode.3346*3347* Return: Returns 0 if successful.3348*/3349int security_kernel_create_files_as(struct cred *new, struct inode *inode)3350{3351return call_int_hook(kernel_create_files_as, new, inode);3352}33533354/**3355* security_kernel_module_request() - Check if loading a module is allowed3356* @kmod_name: module name3357*3358* Ability to trigger the kernel to automatically upcall to userspace for3359* userspace to load a kernel module with the given name.3360*3361* Return: Returns 0 if successful.3362*/3363int security_kernel_module_request(char *kmod_name)3364{3365return call_int_hook(kernel_module_request, kmod_name);3366}33673368/**3369* security_kernel_read_file() - Read a file specified by userspace3370* @file: file3371* @id: file identifier3372* @contents: trust if security_kernel_post_read_file() will be called3373*3374* Read a file specified by userspace.3375*3376* Return: Returns 0 if permission is granted.3377*/3378int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,3379bool contents)3380{3381return call_int_hook(kernel_read_file, file, id, contents);3382}3383EXPORT_SYMBOL_GPL(security_kernel_read_file);33843385/**3386* security_kernel_post_read_file() - Read a file specified by userspace3387* @file: file3388* @buf: file contents3389* @size: size of file contents3390* @id: file identifier3391*3392* Read a file specified by userspace. This must be paired with a prior call3393* to security_kernel_read_file() call that indicated this hook would also be3394* called, see security_kernel_read_file() for more information.3395*3396* Return: Returns 0 if permission is granted.3397*/3398int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,3399enum kernel_read_file_id id)3400{3401return call_int_hook(kernel_post_read_file, file, buf, size, id);3402}3403EXPORT_SYMBOL_GPL(security_kernel_post_read_file);34043405/**3406* security_kernel_load_data() - Load data provided by userspace3407* @id: data identifier3408* @contents: true if security_kernel_post_load_data() will be called3409*3410* Load data provided by userspace.3411*3412* Return: Returns 0 if permission is granted.3413*/3414int security_kernel_load_data(enum kernel_load_data_id id, bool contents)3415{3416return call_int_hook(kernel_load_data, id, contents);3417}3418EXPORT_SYMBOL_GPL(security_kernel_load_data);34193420/**3421* security_kernel_post_load_data() - Load userspace data from a non-file source3422* @buf: data3423* @size: size of data3424* @id: data identifier3425* @description: text description of data, specific to the id value3426*3427* Load data provided by a non-file source (usually userspace buffer). This3428* must be paired with a prior security_kernel_load_data() call that indicated3429* this hook would also be called, see security_kernel_load_data() for more3430* information.3431*3432* Return: Returns 0 if permission is granted.3433*/3434int security_kernel_post_load_data(char *buf, loff_t size,3435enum kernel_load_data_id id,3436char *description)3437{3438return call_int_hook(kernel_post_load_data, buf, size, id, description);3439}3440EXPORT_SYMBOL_GPL(security_kernel_post_load_data);34413442/**3443* security_task_fix_setuid() - Update LSM with new user id attributes3444* @new: updated credentials3445* @old: credentials being replaced3446* @flags: LSM_SETID_* flag values3447*3448* Update the module's state after setting one or more of the user identity3449* attributes of the current process. The @flags parameter indicates which of3450* the set*uid system calls invoked this hook. If @new is the set of3451* credentials that will be installed. Modifications should be made to this3452* rather than to @current->cred.3453*3454* Return: Returns 0 on success.3455*/3456int security_task_fix_setuid(struct cred *new, const struct cred *old,3457int flags)3458{3459return call_int_hook(task_fix_setuid, new, old, flags);3460}34613462/**3463* security_task_fix_setgid() - Update LSM with new group id attributes3464* @new: updated credentials3465* @old: credentials being replaced3466* @flags: LSM_SETID_* flag value3467*3468* Update the module's state after setting one or more of the group identity3469* attributes of the current process. The @flags parameter indicates which of3470* the set*gid system calls invoked this hook. @new is the set of credentials3471* that will be installed. Modifications should be made to this rather than to3472* @current->cred.3473*3474* Return: Returns 0 on success.3475*/3476int security_task_fix_setgid(struct cred *new, const struct cred *old,3477int flags)3478{3479return call_int_hook(task_fix_setgid, new, old, flags);3480}34813482/**3483* security_task_fix_setgroups() - Update LSM with new supplementary groups3484* @new: updated credentials3485* @old: credentials being replaced3486*3487* Update the module's state after setting the supplementary group identity3488* attributes of the current process. @new is the set of credentials that will3489* be installed. Modifications should be made to this rather than to3490* @current->cred.3491*3492* Return: Returns 0 on success.3493*/3494int security_task_fix_setgroups(struct cred *new, const struct cred *old)3495{3496return call_int_hook(task_fix_setgroups, new, old);3497}34983499/**3500* security_task_setpgid() - Check if setting the pgid is allowed3501* @p: task being modified3502* @pgid: new pgid3503*3504* Check permission before setting the process group identifier of the process3505* @p to @pgid.3506*3507* Return: Returns 0 if permission is granted.3508*/3509int security_task_setpgid(struct task_struct *p, pid_t pgid)3510{3511return call_int_hook(task_setpgid, p, pgid);3512}35133514/**3515* security_task_getpgid() - Check if getting the pgid is allowed3516* @p: task3517*3518* Check permission before getting the process group identifier of the process3519* @p.3520*3521* Return: Returns 0 if permission is granted.3522*/3523int security_task_getpgid(struct task_struct *p)3524{3525return call_int_hook(task_getpgid, p);3526}35273528/**3529* security_task_getsid() - Check if getting the session id is allowed3530* @p: task3531*3532* Check permission before getting the session identifier of the process @p.3533*3534* Return: Returns 0 if permission is granted.3535*/3536int security_task_getsid(struct task_struct *p)3537{3538return call_int_hook(task_getsid, p);3539}35403541/**3542* security_current_getlsmprop_subj() - Current task's subjective LSM data3543* @prop: lsm specific information3544*3545* Retrieve the subjective security identifier of the current task and return3546* it in @prop.3547*/3548void security_current_getlsmprop_subj(struct lsm_prop *prop)3549{3550lsmprop_init(prop);3551call_void_hook(current_getlsmprop_subj, prop);3552}3553EXPORT_SYMBOL(security_current_getlsmprop_subj);35543555/**3556* security_task_getlsmprop_obj() - Get a task's objective LSM data3557* @p: target task3558* @prop: lsm specific information3559*3560* Retrieve the objective security identifier of the task_struct in @p and3561* return it in @prop.3562*/3563void security_task_getlsmprop_obj(struct task_struct *p, struct lsm_prop *prop)3564{3565lsmprop_init(prop);3566call_void_hook(task_getlsmprop_obj, p, prop);3567}3568EXPORT_SYMBOL(security_task_getlsmprop_obj);35693570/**3571* security_task_setnice() - Check if setting a task's nice value is allowed3572* @p: target task3573* @nice: nice value3574*3575* Check permission before setting the nice value of @p to @nice.3576*3577* Return: Returns 0 if permission is granted.3578*/3579int security_task_setnice(struct task_struct *p, int nice)3580{3581return call_int_hook(task_setnice, p, nice);3582}35833584/**3585* security_task_setioprio() - Check if setting a task's ioprio is allowed3586* @p: target task3587* @ioprio: ioprio value3588*3589* Check permission before setting the ioprio value of @p to @ioprio.3590*3591* Return: Returns 0 if permission is granted.3592*/3593int security_task_setioprio(struct task_struct *p, int ioprio)3594{3595return call_int_hook(task_setioprio, p, ioprio);3596}35973598/**3599* security_task_getioprio() - Check if getting a task's ioprio is allowed3600* @p: task3601*3602* Check permission before getting the ioprio value of @p.3603*3604* Return: Returns 0 if permission is granted.3605*/3606int security_task_getioprio(struct task_struct *p)3607{3608return call_int_hook(task_getioprio, p);3609}36103611/**3612* security_task_prlimit() - Check if get/setting resources limits is allowed3613* @cred: current task credentials3614* @tcred: target task credentials3615* @flags: LSM_PRLIMIT_* flag bits indicating a get/set/both3616*3617* Check permission before getting and/or setting the resource limits of3618* another task.3619*3620* Return: Returns 0 if permission is granted.3621*/3622int security_task_prlimit(const struct cred *cred, const struct cred *tcred,3623unsigned int flags)3624{3625return call_int_hook(task_prlimit, cred, tcred, flags);3626}36273628/**3629* security_task_setrlimit() - Check if setting a new rlimit value is allowed3630* @p: target task's group leader3631* @resource: resource whose limit is being set3632* @new_rlim: new resource limit3633*3634* Check permission before setting the resource limits of process @p for3635* @resource to @new_rlim. The old resource limit values can be examined by3636* dereferencing (p->signal->rlim + resource).3637*3638* Return: Returns 0 if permission is granted.3639*/3640int security_task_setrlimit(struct task_struct *p, unsigned int resource,3641struct rlimit *new_rlim)3642{3643return call_int_hook(task_setrlimit, p, resource, new_rlim);3644}36453646/**3647* security_task_setscheduler() - Check if setting sched policy/param is allowed3648* @p: target task3649*3650* Check permission before setting scheduling policy and/or parameters of3651* process @p.3652*3653* Return: Returns 0 if permission is granted.3654*/3655int security_task_setscheduler(struct task_struct *p)3656{3657return call_int_hook(task_setscheduler, p);3658}36593660/**3661* security_task_getscheduler() - Check if getting scheduling info is allowed3662* @p: target task3663*3664* Check permission before obtaining scheduling information for process @p.3665*3666* Return: Returns 0 if permission is granted.3667*/3668int security_task_getscheduler(struct task_struct *p)3669{3670return call_int_hook(task_getscheduler, p);3671}36723673/**3674* security_task_movememory() - Check if moving memory is allowed3675* @p: task3676*3677* Check permission before moving memory owned by process @p.3678*3679* Return: Returns 0 if permission is granted.3680*/3681int security_task_movememory(struct task_struct *p)3682{3683return call_int_hook(task_movememory, p);3684}36853686/**3687* security_task_kill() - Check if sending a signal is allowed3688* @p: target process3689* @info: signal information3690* @sig: signal value3691* @cred: credentials of the signal sender, NULL if @current3692*3693* Check permission before sending signal @sig to @p. @info can be NULL, the3694* constant 1, or a pointer to a kernel_siginfo structure. If @info is 1 or3695* SI_FROMKERNEL(info) is true, then the signal should be viewed as coming from3696* the kernel and should typically be permitted. SIGIO signals are handled3697* separately by the send_sigiotask hook in file_security_ops.3698*3699* Return: Returns 0 if permission is granted.3700*/3701int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,3702int sig, const struct cred *cred)3703{3704return call_int_hook(task_kill, p, info, sig, cred);3705}37063707/**3708* security_task_prctl() - Check if a prctl op is allowed3709* @option: operation3710* @arg2: argument3711* @arg3: argument3712* @arg4: argument3713* @arg5: argument3714*3715* Check permission before performing a process control operation on the3716* current process.3717*3718* Return: Return -ENOSYS if no-one wanted to handle this op, any other value3719* to cause prctl() to return immediately with that value.3720*/3721int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,3722unsigned long arg4, unsigned long arg5)3723{3724int thisrc;3725int rc = LSM_RET_DEFAULT(task_prctl);3726struct lsm_static_call *scall;37273728lsm_for_each_hook(scall, task_prctl) {3729thisrc = scall->hl->hook.task_prctl(option, arg2, arg3, arg4, arg5);3730if (thisrc != LSM_RET_DEFAULT(task_prctl)) {3731rc = thisrc;3732if (thisrc != 0)3733break;3734}3735}3736return rc;3737}37383739/**3740* security_task_to_inode() - Set the security attributes of a task's inode3741* @p: task3742* @inode: inode3743*3744* Set the security attributes for an inode based on an associated task's3745* security attributes, e.g. for /proc/pid inodes.3746*/3747void security_task_to_inode(struct task_struct *p, struct inode *inode)3748{3749call_void_hook(task_to_inode, p, inode);3750}37513752/**3753* security_create_user_ns() - Check if creating a new userns is allowed3754* @cred: prepared creds3755*3756* Check permission prior to creating a new user namespace.3757*3758* Return: Returns 0 if successful, otherwise < 0 error code.3759*/3760int security_create_user_ns(const struct cred *cred)3761{3762return call_int_hook(userns_create, cred);3763}37643765/**3766* security_ipc_permission() - Check if sysv ipc access is allowed3767* @ipcp: ipc permission structure3768* @flag: requested permissions3769*3770* Check permissions for access to IPC.3771*3772* Return: Returns 0 if permission is granted.3773*/3774int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)3775{3776return call_int_hook(ipc_permission, ipcp, flag);3777}37783779/**3780* security_ipc_getlsmprop() - Get the sysv ipc object LSM data3781* @ipcp: ipc permission structure3782* @prop: pointer to lsm information3783*3784* Get the lsm information associated with the ipc object.3785*/37863787void security_ipc_getlsmprop(struct kern_ipc_perm *ipcp, struct lsm_prop *prop)3788{3789lsmprop_init(prop);3790call_void_hook(ipc_getlsmprop, ipcp, prop);3791}37923793/**3794* security_msg_msg_alloc() - Allocate a sysv ipc message LSM blob3795* @msg: message structure3796*3797* Allocate and attach a security structure to the msg->security field. The3798* security field is initialized to NULL when the structure is first created.3799*3800* Return: Return 0 if operation was successful and permission is granted.3801*/3802int security_msg_msg_alloc(struct msg_msg *msg)3803{3804int rc = lsm_msg_msg_alloc(msg);38053806if (unlikely(rc))3807return rc;3808rc = call_int_hook(msg_msg_alloc_security, msg);3809if (unlikely(rc))3810security_msg_msg_free(msg);3811return rc;3812}38133814/**3815* security_msg_msg_free() - Free a sysv ipc message LSM blob3816* @msg: message structure3817*3818* Deallocate the security structure for this message.3819*/3820void security_msg_msg_free(struct msg_msg *msg)3821{3822call_void_hook(msg_msg_free_security, msg);3823kfree(msg->security);3824msg->security = NULL;3825}38263827/**3828* security_msg_queue_alloc() - Allocate a sysv ipc msg queue LSM blob3829* @msq: sysv ipc permission structure3830*3831* Allocate and attach a security structure to @msg. The security field is3832* initialized to NULL when the structure is first created.3833*3834* Return: Returns 0 if operation was successful and permission is granted.3835*/3836int security_msg_queue_alloc(struct kern_ipc_perm *msq)3837{3838int rc = lsm_ipc_alloc(msq);38393840if (unlikely(rc))3841return rc;3842rc = call_int_hook(msg_queue_alloc_security, msq);3843if (unlikely(rc))3844security_msg_queue_free(msq);3845return rc;3846}38473848/**3849* security_msg_queue_free() - Free a sysv ipc msg queue LSM blob3850* @msq: sysv ipc permission structure3851*3852* Deallocate security field @perm->security for the message queue.3853*/3854void security_msg_queue_free(struct kern_ipc_perm *msq)3855{3856call_void_hook(msg_queue_free_security, msq);3857kfree(msq->security);3858msq->security = NULL;3859}38603861/**3862* security_msg_queue_associate() - Check if a msg queue operation is allowed3863* @msq: sysv ipc permission structure3864* @msqflg: operation flags3865*3866* Check permission when a message queue is requested through the msgget system3867* call. This hook is only called when returning the message queue identifier3868* for an existing message queue, not when a new message queue is created.3869*3870* Return: Return 0 if permission is granted.3871*/3872int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)3873{3874return call_int_hook(msg_queue_associate, msq, msqflg);3875}38763877/**3878* security_msg_queue_msgctl() - Check if a msg queue operation is allowed3879* @msq: sysv ipc permission structure3880* @cmd: operation3881*3882* Check permission when a message control operation specified by @cmd is to be3883* performed on the message queue with permissions.3884*3885* Return: Returns 0 if permission is granted.3886*/3887int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)3888{3889return call_int_hook(msg_queue_msgctl, msq, cmd);3890}38913892/**3893* security_msg_queue_msgsnd() - Check if sending a sysv ipc message is allowed3894* @msq: sysv ipc permission structure3895* @msg: message3896* @msqflg: operation flags3897*3898* Check permission before a message, @msg, is enqueued on the message queue3899* with permissions specified in @msq.3900*3901* Return: Returns 0 if permission is granted.3902*/3903int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,3904struct msg_msg *msg, int msqflg)3905{3906return call_int_hook(msg_queue_msgsnd, msq, msg, msqflg);3907}39083909/**3910* security_msg_queue_msgrcv() - Check if receiving a sysv ipc msg is allowed3911* @msq: sysv ipc permission structure3912* @msg: message3913* @target: target task3914* @type: type of message requested3915* @mode: operation flags3916*3917* Check permission before a message, @msg, is removed from the message queue.3918* The @target task structure contains a pointer to the process that will be3919* receiving the message (not equal to the current process when inline receives3920* are being performed).3921*3922* Return: Returns 0 if permission is granted.3923*/3924int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,3925struct task_struct *target, long type, int mode)3926{3927return call_int_hook(msg_queue_msgrcv, msq, msg, target, type, mode);3928}39293930/**3931* security_shm_alloc() - Allocate a sysv shm LSM blob3932* @shp: sysv ipc permission structure3933*3934* Allocate and attach a security structure to the @shp security field. The3935* security field is initialized to NULL when the structure is first created.3936*3937* Return: Returns 0 if operation was successful and permission is granted.3938*/3939int security_shm_alloc(struct kern_ipc_perm *shp)3940{3941int rc = lsm_ipc_alloc(shp);39423943if (unlikely(rc))3944return rc;3945rc = call_int_hook(shm_alloc_security, shp);3946if (unlikely(rc))3947security_shm_free(shp);3948return rc;3949}39503951/**3952* security_shm_free() - Free a sysv shm LSM blob3953* @shp: sysv ipc permission structure3954*3955* Deallocate the security structure @perm->security for the memory segment.3956*/3957void security_shm_free(struct kern_ipc_perm *shp)3958{3959call_void_hook(shm_free_security, shp);3960kfree(shp->security);3961shp->security = NULL;3962}39633964/**3965* security_shm_associate() - Check if a sysv shm operation is allowed3966* @shp: sysv ipc permission structure3967* @shmflg: operation flags3968*3969* Check permission when a shared memory region is requested through the shmget3970* system call. This hook is only called when returning the shared memory3971* region identifier for an existing region, not when a new shared memory3972* region is created.3973*3974* Return: Returns 0 if permission is granted.3975*/3976int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)3977{3978return call_int_hook(shm_associate, shp, shmflg);3979}39803981/**3982* security_shm_shmctl() - Check if a sysv shm operation is allowed3983* @shp: sysv ipc permission structure3984* @cmd: operation3985*3986* Check permission when a shared memory control operation specified by @cmd is3987* to be performed on the shared memory region with permissions in @shp.3988*3989* Return: Return 0 if permission is granted.3990*/3991int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd)3992{3993return call_int_hook(shm_shmctl, shp, cmd);3994}39953996/**3997* security_shm_shmat() - Check if a sysv shm attach operation is allowed3998* @shp: sysv ipc permission structure3999* @shmaddr: address of memory region to attach4000* @shmflg: operation flags4001*4002* Check permissions prior to allowing the shmat system call to attach the4003* shared memory segment with permissions @shp to the data segment of the4004* calling process. The attaching address is specified by @shmaddr.4005*4006* Return: Returns 0 if permission is granted.4007*/4008int security_shm_shmat(struct kern_ipc_perm *shp,4009char __user *shmaddr, int shmflg)4010{4011return call_int_hook(shm_shmat, shp, shmaddr, shmflg);4012}40134014/**4015* security_sem_alloc() - Allocate a sysv semaphore LSM blob4016* @sma: sysv ipc permission structure4017*4018* Allocate and attach a security structure to the @sma security field. The4019* security field is initialized to NULL when the structure is first created.4020*4021* Return: Returns 0 if operation was successful and permission is granted.4022*/4023int security_sem_alloc(struct kern_ipc_perm *sma)4024{4025int rc = lsm_ipc_alloc(sma);40264027if (unlikely(rc))4028return rc;4029rc = call_int_hook(sem_alloc_security, sma);4030if (unlikely(rc))4031security_sem_free(sma);4032return rc;4033}40344035/**4036* security_sem_free() - Free a sysv semaphore LSM blob4037* @sma: sysv ipc permission structure4038*4039* Deallocate security structure @sma->security for the semaphore.4040*/4041void security_sem_free(struct kern_ipc_perm *sma)4042{4043call_void_hook(sem_free_security, sma);4044kfree(sma->security);4045sma->security = NULL;4046}40474048/**4049* security_sem_associate() - Check if a sysv semaphore operation is allowed4050* @sma: sysv ipc permission structure4051* @semflg: operation flags4052*4053* Check permission when a semaphore is requested through the semget system4054* call. This hook is only called when returning the semaphore identifier for4055* an existing semaphore, not when a new one must be created.4056*4057* Return: Returns 0 if permission is granted.4058*/4059int security_sem_associate(struct kern_ipc_perm *sma, int semflg)4060{4061return call_int_hook(sem_associate, sma, semflg);4062}40634064/**4065* security_sem_semctl() - Check if a sysv semaphore operation is allowed4066* @sma: sysv ipc permission structure4067* @cmd: operation4068*4069* Check permission when a semaphore operation specified by @cmd is to be4070* performed on the semaphore.4071*4072* Return: Returns 0 if permission is granted.4073*/4074int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)4075{4076return call_int_hook(sem_semctl, sma, cmd);4077}40784079/**4080* security_sem_semop() - Check if a sysv semaphore operation is allowed4081* @sma: sysv ipc permission structure4082* @sops: operations to perform4083* @nsops: number of operations4084* @alter: flag indicating changes will be made4085*4086* Check permissions before performing operations on members of the semaphore4087* set. If the @alter flag is nonzero, the semaphore set may be modified.4088*4089* Return: Returns 0 if permission is granted.4090*/4091int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,4092unsigned nsops, int alter)4093{4094return call_int_hook(sem_semop, sma, sops, nsops, alter);4095}40964097/**4098* security_d_instantiate() - Populate an inode's LSM state based on a dentry4099* @dentry: dentry4100* @inode: inode4101*4102* Fill in @inode security information for a @dentry if allowed.4103*/4104void security_d_instantiate(struct dentry *dentry, struct inode *inode)4105{4106if (unlikely(inode && IS_PRIVATE(inode)))4107return;4108call_void_hook(d_instantiate, dentry, inode);4109}4110EXPORT_SYMBOL(security_d_instantiate);41114112/*4113* Please keep this in sync with it's counterpart in security/lsm_syscalls.c4114*/41154116/**4117* security_getselfattr - Read an LSM attribute of the current process.4118* @attr: which attribute to return4119* @uctx: the user-space destination for the information, or NULL4120* @size: pointer to the size of space available to receive the data4121* @flags: special handling options. LSM_FLAG_SINGLE indicates that only4122* attributes associated with the LSM identified in the passed @ctx be4123* reported.4124*4125* A NULL value for @uctx can be used to get both the number of attributes4126* and the size of the data.4127*4128* Returns the number of attributes found on success, negative value4129* on error. @size is reset to the total size of the data.4130* If @size is insufficient to contain the data -E2BIG is returned.4131*/4132int security_getselfattr(unsigned int attr, struct lsm_ctx __user *uctx,4133u32 __user *size, u32 flags)4134{4135struct lsm_static_call *scall;4136struct lsm_ctx lctx = { .id = LSM_ID_UNDEF, };4137u8 __user *base = (u8 __user *)uctx;4138u32 entrysize;4139u32 total = 0;4140u32 left;4141bool toobig = false;4142bool single = false;4143int count = 0;4144int rc;41454146if (attr == LSM_ATTR_UNDEF)4147return -EINVAL;4148if (size == NULL)4149return -EINVAL;4150if (get_user(left, size))4151return -EFAULT;41524153if (flags) {4154/*4155* Only flag supported is LSM_FLAG_SINGLE4156*/4157if (flags != LSM_FLAG_SINGLE || !uctx)4158return -EINVAL;4159if (copy_from_user(&lctx, uctx, sizeof(lctx)))4160return -EFAULT;4161/*4162* If the LSM ID isn't specified it is an error.4163*/4164if (lctx.id == LSM_ID_UNDEF)4165return -EINVAL;4166single = true;4167}41684169/*4170* In the usual case gather all the data from the LSMs.4171* In the single case only get the data from the LSM specified.4172*/4173lsm_for_each_hook(scall, getselfattr) {4174if (single && lctx.id != scall->hl->lsmid->id)4175continue;4176entrysize = left;4177if (base)4178uctx = (struct lsm_ctx __user *)(base + total);4179rc = scall->hl->hook.getselfattr(attr, uctx, &entrysize, flags);4180if (rc == -EOPNOTSUPP)4181continue;4182if (rc == -E2BIG) {4183rc = 0;4184left = 0;4185toobig = true;4186} else if (rc < 0)4187return rc;4188else4189left -= entrysize;41904191total += entrysize;4192count += rc;4193if (single)4194break;4195}4196if (put_user(total, size))4197return -EFAULT;4198if (toobig)4199return -E2BIG;4200if (count == 0)4201return LSM_RET_DEFAULT(getselfattr);4202return count;4203}42044205/*4206* Please keep this in sync with it's counterpart in security/lsm_syscalls.c4207*/42084209/**4210* security_setselfattr - Set an LSM attribute on the current process.4211* @attr: which attribute to set4212* @uctx: the user-space source for the information4213* @size: the size of the data4214* @flags: reserved for future use, must be 04215*4216* Set an LSM attribute for the current process. The LSM, attribute4217* and new value are included in @uctx.4218*4219* Returns 0 on success, -EINVAL if the input is inconsistent, -EFAULT4220* if the user buffer is inaccessible, E2BIG if size is too big, or an4221* LSM specific failure.4222*/4223int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx,4224u32 size, u32 flags)4225{4226struct lsm_static_call *scall;4227struct lsm_ctx *lctx;4228int rc = LSM_RET_DEFAULT(setselfattr);4229u64 required_len;42304231if (flags)4232return -EINVAL;4233if (size < sizeof(*lctx))4234return -EINVAL;4235if (size > PAGE_SIZE)4236return -E2BIG;42374238lctx = memdup_user(uctx, size);4239if (IS_ERR(lctx))4240return PTR_ERR(lctx);42414242if (size < lctx->len ||4243check_add_overflow(sizeof(*lctx), lctx->ctx_len, &required_len) ||4244lctx->len < required_len) {4245rc = -EINVAL;4246goto free_out;4247}42484249lsm_for_each_hook(scall, setselfattr)4250if ((scall->hl->lsmid->id) == lctx->id) {4251rc = scall->hl->hook.setselfattr(attr, lctx, size, flags);4252break;4253}42544255free_out:4256kfree(lctx);4257return rc;4258}42594260/**4261* security_getprocattr() - Read an attribute for a task4262* @p: the task4263* @lsmid: LSM identification4264* @name: attribute name4265* @value: attribute value4266*4267* Read attribute @name for task @p and store it into @value if allowed.4268*4269* Return: Returns the length of @value on success, a negative value otherwise.4270*/4271int security_getprocattr(struct task_struct *p, int lsmid, const char *name,4272char **value)4273{4274struct lsm_static_call *scall;42754276lsm_for_each_hook(scall, getprocattr) {4277if (lsmid != 0 && lsmid != scall->hl->lsmid->id)4278continue;4279return scall->hl->hook.getprocattr(p, name, value);4280}4281return LSM_RET_DEFAULT(getprocattr);4282}42834284/**4285* security_setprocattr() - Set an attribute for a task4286* @lsmid: LSM identification4287* @name: attribute name4288* @value: attribute value4289* @size: attribute value size4290*4291* Write (set) the current task's attribute @name to @value, size @size if4292* allowed.4293*4294* Return: Returns bytes written on success, a negative value otherwise.4295*/4296int security_setprocattr(int lsmid, const char *name, void *value, size_t size)4297{4298struct lsm_static_call *scall;42994300lsm_for_each_hook(scall, setprocattr) {4301if (lsmid != 0 && lsmid != scall->hl->lsmid->id)4302continue;4303return scall->hl->hook.setprocattr(name, value, size);4304}4305return LSM_RET_DEFAULT(setprocattr);4306}43074308/**4309* security_ismaclabel() - Check if the named attribute is a MAC label4310* @name: full extended attribute name4311*4312* Check if the extended attribute specified by @name represents a MAC label.4313*4314* Return: Returns 1 if name is a MAC attribute otherwise returns 0.4315*/4316int security_ismaclabel(const char *name)4317{4318return call_int_hook(ismaclabel, name);4319}4320EXPORT_SYMBOL(security_ismaclabel);43214322/**4323* security_secid_to_secctx() - Convert a secid to a secctx4324* @secid: secid4325* @cp: the LSM context4326*4327* Convert secid to security context. If @cp is NULL the length of the4328* result will be returned, but no data will be returned. This4329* does mean that the length could change between calls to check the length and4330* the next call which actually allocates and returns the data.4331*4332* Return: Return length of data on success, error on failure.4333*/4334int security_secid_to_secctx(u32 secid, struct lsm_context *cp)4335{4336return call_int_hook(secid_to_secctx, secid, cp);4337}4338EXPORT_SYMBOL(security_secid_to_secctx);43394340/**4341* security_lsmprop_to_secctx() - Convert a lsm_prop to a secctx4342* @prop: lsm specific information4343* @cp: the LSM context4344*4345* Convert a @prop entry to security context. If @cp is NULL the4346* length of the result will be returned. This does mean that the4347* length could change between calls to check the length and the4348* next call which actually allocates and returns the @cp.4349*4350* Return: Return length of data on success, error on failure.4351*/4352int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp)4353{4354return call_int_hook(lsmprop_to_secctx, prop, cp);4355}4356EXPORT_SYMBOL(security_lsmprop_to_secctx);43574358/**4359* security_secctx_to_secid() - Convert a secctx to a secid4360* @secdata: secctx4361* @seclen: length of secctx4362* @secid: secid4363*4364* Convert security context to secid.4365*4366* Return: Returns 0 on success, error on failure.4367*/4368int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)4369{4370*secid = 0;4371return call_int_hook(secctx_to_secid, secdata, seclen, secid);4372}4373EXPORT_SYMBOL(security_secctx_to_secid);43744375/**4376* security_release_secctx() - Free a secctx buffer4377* @cp: the security context4378*4379* Release the security context.4380*/4381void security_release_secctx(struct lsm_context *cp)4382{4383call_void_hook(release_secctx, cp);4384memset(cp, 0, sizeof(*cp));4385}4386EXPORT_SYMBOL(security_release_secctx);43874388/**4389* security_inode_invalidate_secctx() - Invalidate an inode's security label4390* @inode: inode4391*4392* Notify the security module that it must revalidate the security context of4393* an inode.4394*/4395void security_inode_invalidate_secctx(struct inode *inode)4396{4397call_void_hook(inode_invalidate_secctx, inode);4398}4399EXPORT_SYMBOL(security_inode_invalidate_secctx);44004401/**4402* security_inode_notifysecctx() - Notify the LSM of an inode's security label4403* @inode: inode4404* @ctx: secctx4405* @ctxlen: length of secctx4406*4407* Notify the security module of what the security context of an inode should4408* be. Initializes the incore security context managed by the security module4409* for this inode. Example usage: NFS client invokes this hook to initialize4410* the security context in its incore inode to the value provided by the server4411* for the file when the server returned the file's attributes to the client.4412* Must be called with inode->i_mutex locked.4413*4414* Return: Returns 0 on success, error on failure.4415*/4416int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)4417{4418return call_int_hook(inode_notifysecctx, inode, ctx, ctxlen);4419}4420EXPORT_SYMBOL(security_inode_notifysecctx);44214422/**4423* security_inode_setsecctx() - Change the security label of an inode4424* @dentry: inode4425* @ctx: secctx4426* @ctxlen: length of secctx4427*4428* Change the security context of an inode. Updates the incore security4429* context managed by the security module and invokes the fs code as needed4430* (via __vfs_setxattr_noperm) to update any backing xattrs that represent the4431* context. Example usage: NFS server invokes this hook to change the security4432* context in its incore inode and on the backing filesystem to a value4433* provided by the client on a SETATTR operation. Must be called with4434* inode->i_mutex locked.4435*4436* Return: Returns 0 on success, error on failure.4437*/4438int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)4439{4440return call_int_hook(inode_setsecctx, dentry, ctx, ctxlen);4441}4442EXPORT_SYMBOL(security_inode_setsecctx);44434444/**4445* security_inode_getsecctx() - Get the security label of an inode4446* @inode: inode4447* @cp: security context4448*4449* On success, returns 0 and fills out @cp with the security context4450* for the given @inode.4451*4452* Return: Returns 0 on success, error on failure.4453*/4454int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp)4455{4456memset(cp, 0, sizeof(*cp));4457return call_int_hook(inode_getsecctx, inode, cp);4458}4459EXPORT_SYMBOL(security_inode_getsecctx);44604461#ifdef CONFIG_WATCH_QUEUE4462/**4463* security_post_notification() - Check if a watch notification can be posted4464* @w_cred: credentials of the task that set the watch4465* @cred: credentials of the task which triggered the watch4466* @n: the notification4467*4468* Check to see if a watch notification can be posted to a particular queue.4469*4470* Return: Returns 0 if permission is granted.4471*/4472int security_post_notification(const struct cred *w_cred,4473const struct cred *cred,4474struct watch_notification *n)4475{4476return call_int_hook(post_notification, w_cred, cred, n);4477}4478#endif /* CONFIG_WATCH_QUEUE */44794480#ifdef CONFIG_KEY_NOTIFICATIONS4481/**4482* security_watch_key() - Check if a task is allowed to watch for key events4483* @key: the key to watch4484*4485* Check to see if a process is allowed to watch for event notifications from4486* a key or keyring.4487*4488* Return: Returns 0 if permission is granted.4489*/4490int security_watch_key(struct key *key)4491{4492return call_int_hook(watch_key, key);4493}4494#endif /* CONFIG_KEY_NOTIFICATIONS */44954496#ifdef CONFIG_SECURITY_NETWORK4497/**4498* security_netlink_send() - Save info and check if netlink sending is allowed4499* @sk: sending socket4500* @skb: netlink message4501*4502* Save security information for a netlink message so that permission checking4503* can be performed when the message is processed. The security information4504* can be saved using the eff_cap field of the netlink_skb_parms structure.4505* Also may be used to provide fine grained control over message transmission.4506*4507* Return: Returns 0 if the information was successfully saved and message is4508* allowed to be transmitted.4509*/4510int security_netlink_send(struct sock *sk, struct sk_buff *skb)4511{4512return call_int_hook(netlink_send, sk, skb);4513}45144515/**4516* security_unix_stream_connect() - Check if a AF_UNIX stream is allowed4517* @sock: originating sock4518* @other: peer sock4519* @newsk: new sock4520*4521* Check permissions before establishing a Unix domain stream connection4522* between @sock and @other.4523*4524* The @unix_stream_connect and @unix_may_send hooks were necessary because4525* Linux provides an alternative to the conventional file name space for Unix4526* domain sockets. Whereas binding and connecting to sockets in the file name4527* space is mediated by the typical file permissions (and caught by the mknod4528* and permission hooks in inode_security_ops), binding and connecting to4529* sockets in the abstract name space is completely unmediated. Sufficient4530* control of Unix domain sockets in the abstract name space isn't possible4531* using only the socket layer hooks, since we need to know the actual target4532* socket, which is not looked up until we are inside the af_unix code.4533*4534* Return: Returns 0 if permission is granted.4535*/4536int security_unix_stream_connect(struct sock *sock, struct sock *other,4537struct sock *newsk)4538{4539return call_int_hook(unix_stream_connect, sock, other, newsk);4540}4541EXPORT_SYMBOL(security_unix_stream_connect);45424543/**4544* security_unix_may_send() - Check if AF_UNIX socket can send datagrams4545* @sock: originating sock4546* @other: peer sock4547*4548* Check permissions before connecting or sending datagrams from @sock to4549* @other.4550*4551* The @unix_stream_connect and @unix_may_send hooks were necessary because4552* Linux provides an alternative to the conventional file name space for Unix4553* domain sockets. Whereas binding and connecting to sockets in the file name4554* space is mediated by the typical file permissions (and caught by the mknod4555* and permission hooks in inode_security_ops), binding and connecting to4556* sockets in the abstract name space is completely unmediated. Sufficient4557* control of Unix domain sockets in the abstract name space isn't possible4558* using only the socket layer hooks, since we need to know the actual target4559* socket, which is not looked up until we are inside the af_unix code.4560*4561* Return: Returns 0 if permission is granted.4562*/4563int security_unix_may_send(struct socket *sock, struct socket *other)4564{4565return call_int_hook(unix_may_send, sock, other);4566}4567EXPORT_SYMBOL(security_unix_may_send);45684569/**4570* security_socket_create() - Check if creating a new socket is allowed4571* @family: protocol family4572* @type: communications type4573* @protocol: requested protocol4574* @kern: set to 1 if a kernel socket is requested4575*4576* Check permissions prior to creating a new socket.4577*4578* Return: Returns 0 if permission is granted.4579*/4580int security_socket_create(int family, int type, int protocol, int kern)4581{4582return call_int_hook(socket_create, family, type, protocol, kern);4583}45844585/**4586* security_socket_post_create() - Initialize a newly created socket4587* @sock: socket4588* @family: protocol family4589* @type: communications type4590* @protocol: requested protocol4591* @kern: set to 1 if a kernel socket is requested4592*4593* This hook allows a module to update or allocate a per-socket security4594* structure. Note that the security field was not added directly to the socket4595* structure, but rather, the socket security information is stored in the4596* associated inode. Typically, the inode alloc_security hook will allocate4597* and attach security information to SOCK_INODE(sock)->i_security. This hook4598* may be used to update the SOCK_INODE(sock)->i_security field with additional4599* information that wasn't available when the inode was allocated.4600*4601* Return: Returns 0 if permission is granted.4602*/4603int security_socket_post_create(struct socket *sock, int family,4604int type, int protocol, int kern)4605{4606return call_int_hook(socket_post_create, sock, family, type,4607protocol, kern);4608}46094610/**4611* security_socket_socketpair() - Check if creating a socketpair is allowed4612* @socka: first socket4613* @sockb: second socket4614*4615* Check permissions before creating a fresh pair of sockets.4616*4617* Return: Returns 0 if permission is granted and the connection was4618* established.4619*/4620int security_socket_socketpair(struct socket *socka, struct socket *sockb)4621{4622return call_int_hook(socket_socketpair, socka, sockb);4623}4624EXPORT_SYMBOL(security_socket_socketpair);46254626/**4627* security_socket_bind() - Check if a socket bind operation is allowed4628* @sock: socket4629* @address: requested bind address4630* @addrlen: length of address4631*4632* Check permission before socket protocol layer bind operation is performed4633* and the socket @sock is bound to the address specified in the @address4634* parameter.4635*4636* Return: Returns 0 if permission is granted.4637*/4638int security_socket_bind(struct socket *sock,4639struct sockaddr *address, int addrlen)4640{4641return call_int_hook(socket_bind, sock, address, addrlen);4642}46434644/**4645* security_socket_connect() - Check if a socket connect operation is allowed4646* @sock: socket4647* @address: address of remote connection point4648* @addrlen: length of address4649*4650* Check permission before socket protocol layer connect operation attempts to4651* connect socket @sock to a remote address, @address.4652*4653* Return: Returns 0 if permission is granted.4654*/4655int security_socket_connect(struct socket *sock,4656struct sockaddr *address, int addrlen)4657{4658return call_int_hook(socket_connect, sock, address, addrlen);4659}46604661/**4662* security_socket_listen() - Check if a socket is allowed to listen4663* @sock: socket4664* @backlog: connection queue size4665*4666* Check permission before socket protocol layer listen operation.4667*4668* Return: Returns 0 if permission is granted.4669*/4670int security_socket_listen(struct socket *sock, int backlog)4671{4672return call_int_hook(socket_listen, sock, backlog);4673}46744675/**4676* security_socket_accept() - Check if a socket is allowed to accept connections4677* @sock: listening socket4678* @newsock: newly creation connection socket4679*4680* Check permission before accepting a new connection. Note that the new4681* socket, @newsock, has been created and some information copied to it, but4682* the accept operation has not actually been performed.4683*4684* Return: Returns 0 if permission is granted.4685*/4686int security_socket_accept(struct socket *sock, struct socket *newsock)4687{4688return call_int_hook(socket_accept, sock, newsock);4689}46904691/**4692* security_socket_sendmsg() - Check if sending a message is allowed4693* @sock: sending socket4694* @msg: message to send4695* @size: size of message4696*4697* Check permission before transmitting a message to another socket.4698*4699* Return: Returns 0 if permission is granted.4700*/4701int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)4702{4703return call_int_hook(socket_sendmsg, sock, msg, size);4704}47054706/**4707* security_socket_recvmsg() - Check if receiving a message is allowed4708* @sock: receiving socket4709* @msg: message to receive4710* @size: size of message4711* @flags: operational flags4712*4713* Check permission before receiving a message from a socket.4714*4715* Return: Returns 0 if permission is granted.4716*/4717int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,4718int size, int flags)4719{4720return call_int_hook(socket_recvmsg, sock, msg, size, flags);4721}47224723/**4724* security_socket_getsockname() - Check if reading the socket addr is allowed4725* @sock: socket4726*4727* Check permission before reading the local address (name) of the socket4728* object.4729*4730* Return: Returns 0 if permission is granted.4731*/4732int security_socket_getsockname(struct socket *sock)4733{4734return call_int_hook(socket_getsockname, sock);4735}47364737/**4738* security_socket_getpeername() - Check if reading the peer's addr is allowed4739* @sock: socket4740*4741* Check permission before the remote address (name) of a socket object.4742*4743* Return: Returns 0 if permission is granted.4744*/4745int security_socket_getpeername(struct socket *sock)4746{4747return call_int_hook(socket_getpeername, sock);4748}47494750/**4751* security_socket_getsockopt() - Check if reading a socket option is allowed4752* @sock: socket4753* @level: option's protocol level4754* @optname: option name4755*4756* Check permissions before retrieving the options associated with socket4757* @sock.4758*4759* Return: Returns 0 if permission is granted.4760*/4761int security_socket_getsockopt(struct socket *sock, int level, int optname)4762{4763return call_int_hook(socket_getsockopt, sock, level, optname);4764}47654766/**4767* security_socket_setsockopt() - Check if setting a socket option is allowed4768* @sock: socket4769* @level: option's protocol level4770* @optname: option name4771*4772* Check permissions before setting the options associated with socket @sock.4773*4774* Return: Returns 0 if permission is granted.4775*/4776int security_socket_setsockopt(struct socket *sock, int level, int optname)4777{4778return call_int_hook(socket_setsockopt, sock, level, optname);4779}47804781/**4782* security_socket_shutdown() - Checks if shutting down the socket is allowed4783* @sock: socket4784* @how: flag indicating how sends and receives are handled4785*4786* Checks permission before all or part of a connection on the socket @sock is4787* shut down.4788*4789* Return: Returns 0 if permission is granted.4790*/4791int security_socket_shutdown(struct socket *sock, int how)4792{4793return call_int_hook(socket_shutdown, sock, how);4794}47954796/**4797* security_sock_rcv_skb() - Check if an incoming network packet is allowed4798* @sk: destination sock4799* @skb: incoming packet4800*4801* Check permissions on incoming network packets. This hook is distinct from4802* Netfilter's IP input hooks since it is the first time that the incoming4803* sk_buff @skb has been associated with a particular socket, @sk. Must not4804* sleep inside this hook because some callers hold spinlocks.4805*4806* Return: Returns 0 if permission is granted.4807*/4808int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)4809{4810return call_int_hook(socket_sock_rcv_skb, sk, skb);4811}4812EXPORT_SYMBOL(security_sock_rcv_skb);48134814/**4815* security_socket_getpeersec_stream() - Get the remote peer label4816* @sock: socket4817* @optval: destination buffer4818* @optlen: size of peer label copied into the buffer4819* @len: maximum size of the destination buffer4820*4821* This hook allows the security module to provide peer socket security state4822* for unix or connected tcp sockets to userspace via getsockopt SO_GETPEERSEC.4823* For tcp sockets this can be meaningful if the socket is associated with an4824* ipsec SA.4825*4826* Return: Returns 0 if all is well, otherwise, typical getsockopt return4827* values.4828*/4829int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval,4830sockptr_t optlen, unsigned int len)4831{4832return call_int_hook(socket_getpeersec_stream, sock, optval, optlen,4833len);4834}48354836/**4837* security_socket_getpeersec_dgram() - Get the remote peer label4838* @sock: socket4839* @skb: datagram packet4840* @secid: remote peer label secid4841*4842* This hook allows the security module to provide peer socket security state4843* for udp sockets on a per-packet basis to userspace via getsockopt4844* SO_GETPEERSEC. The application must first have indicated the IP_PASSSEC4845* option via getsockopt. It can then retrieve the security state returned by4846* this hook for a packet via the SCM_SECURITY ancillary message type.4847*4848* Return: Returns 0 on success, error on failure.4849*/4850int security_socket_getpeersec_dgram(struct socket *sock,4851struct sk_buff *skb, u32 *secid)4852{4853return call_int_hook(socket_getpeersec_dgram, sock, skb, secid);4854}4855EXPORT_SYMBOL(security_socket_getpeersec_dgram);48564857/**4858* lsm_sock_alloc - allocate a composite sock blob4859* @sock: the sock that needs a blob4860* @gfp: allocation mode4861*4862* Allocate the sock blob for all the modules4863*4864* Returns 0, or -ENOMEM if memory can't be allocated.4865*/4866static int lsm_sock_alloc(struct sock *sock, gfp_t gfp)4867{4868return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp);4869}48704871/**4872* security_sk_alloc() - Allocate and initialize a sock's LSM blob4873* @sk: sock4874* @family: protocol family4875* @priority: gfp flags4876*4877* Allocate and attach a security structure to the sk->sk_security field, which4878* is used to copy security attributes between local stream sockets.4879*4880* Return: Returns 0 on success, error on failure.4881*/4882int security_sk_alloc(struct sock *sk, int family, gfp_t priority)4883{4884int rc = lsm_sock_alloc(sk, priority);48854886if (unlikely(rc))4887return rc;4888rc = call_int_hook(sk_alloc_security, sk, family, priority);4889if (unlikely(rc))4890security_sk_free(sk);4891return rc;4892}48934894/**4895* security_sk_free() - Free the sock's LSM blob4896* @sk: sock4897*4898* Deallocate security structure.4899*/4900void security_sk_free(struct sock *sk)4901{4902call_void_hook(sk_free_security, sk);4903kfree(sk->sk_security);4904sk->sk_security = NULL;4905}49064907/**4908* security_sk_clone() - Clone a sock's LSM state4909* @sk: original sock4910* @newsk: target sock4911*4912* Clone/copy security structure.4913*/4914void security_sk_clone(const struct sock *sk, struct sock *newsk)4915{4916call_void_hook(sk_clone_security, sk, newsk);4917}4918EXPORT_SYMBOL(security_sk_clone);49194920/**4921* security_sk_classify_flow() - Set a flow's secid based on socket4922* @sk: original socket4923* @flic: target flow4924*4925* Set the target flow's secid to socket's secid.4926*/4927void security_sk_classify_flow(const struct sock *sk, struct flowi_common *flic)4928{4929call_void_hook(sk_getsecid, sk, &flic->flowic_secid);4930}4931EXPORT_SYMBOL(security_sk_classify_flow);49324933/**4934* security_req_classify_flow() - Set a flow's secid based on request_sock4935* @req: request_sock4936* @flic: target flow4937*4938* Sets @flic's secid to @req's secid.4939*/4940void security_req_classify_flow(const struct request_sock *req,4941struct flowi_common *flic)4942{4943call_void_hook(req_classify_flow, req, flic);4944}4945EXPORT_SYMBOL(security_req_classify_flow);49464947/**4948* security_sock_graft() - Reconcile LSM state when grafting a sock on a socket4949* @sk: sock being grafted4950* @parent: target parent socket4951*4952* Sets @parent's inode secid to @sk's secid and update @sk with any necessary4953* LSM state from @parent.4954*/4955void security_sock_graft(struct sock *sk, struct socket *parent)4956{4957call_void_hook(sock_graft, sk, parent);4958}4959EXPORT_SYMBOL(security_sock_graft);49604961/**4962* security_inet_conn_request() - Set request_sock state using incoming connect4963* @sk: parent listening sock4964* @skb: incoming connection4965* @req: new request_sock4966*4967* Initialize the @req LSM state based on @sk and the incoming connect in @skb.4968*4969* Return: Returns 0 if permission is granted.4970*/4971int security_inet_conn_request(const struct sock *sk,4972struct sk_buff *skb, struct request_sock *req)4973{4974return call_int_hook(inet_conn_request, sk, skb, req);4975}4976EXPORT_SYMBOL(security_inet_conn_request);49774978/**4979* security_inet_csk_clone() - Set new sock LSM state based on request_sock4980* @newsk: new sock4981* @req: connection request_sock4982*4983* Set that LSM state of @sock using the LSM state from @req.4984*/4985void security_inet_csk_clone(struct sock *newsk,4986const struct request_sock *req)4987{4988call_void_hook(inet_csk_clone, newsk, req);4989}49904991/**4992* security_inet_conn_established() - Update sock's LSM state with connection4993* @sk: sock4994* @skb: connection packet4995*4996* Update @sock's LSM state to represent a new connection from @skb.4997*/4998void security_inet_conn_established(struct sock *sk,4999struct sk_buff *skb)5000{5001call_void_hook(inet_conn_established, sk, skb);5002}5003EXPORT_SYMBOL(security_inet_conn_established);50045005/**5006* security_secmark_relabel_packet() - Check if setting a secmark is allowed5007* @secid: new secmark value5008*5009* Check if the process should be allowed to relabel packets to @secid.5010*5011* Return: Returns 0 if permission is granted.5012*/5013int security_secmark_relabel_packet(u32 secid)5014{5015return call_int_hook(secmark_relabel_packet, secid);5016}5017EXPORT_SYMBOL(security_secmark_relabel_packet);50185019/**5020* security_secmark_refcount_inc() - Increment the secmark labeling rule count5021*5022* Tells the LSM to increment the number of secmark labeling rules loaded.5023*/5024void security_secmark_refcount_inc(void)5025{5026call_void_hook(secmark_refcount_inc);5027}5028EXPORT_SYMBOL(security_secmark_refcount_inc);50295030/**5031* security_secmark_refcount_dec() - Decrement the secmark labeling rule count5032*5033* Tells the LSM to decrement the number of secmark labeling rules loaded.5034*/5035void security_secmark_refcount_dec(void)5036{5037call_void_hook(secmark_refcount_dec);5038}5039EXPORT_SYMBOL(security_secmark_refcount_dec);50405041/**5042* security_tun_dev_alloc_security() - Allocate a LSM blob for a TUN device5043* @security: pointer to the LSM blob5044*5045* This hook allows a module to allocate a security structure for a TUN device,5046* returning the pointer in @security.5047*5048* Return: Returns a zero on success, negative values on failure.5049*/5050int security_tun_dev_alloc_security(void **security)5051{5052int rc;50535054rc = lsm_blob_alloc(security, blob_sizes.lbs_tun_dev, GFP_KERNEL);5055if (rc)5056return rc;50575058rc = call_int_hook(tun_dev_alloc_security, *security);5059if (rc) {5060kfree(*security);5061*security = NULL;5062}5063return rc;5064}5065EXPORT_SYMBOL(security_tun_dev_alloc_security);50665067/**5068* security_tun_dev_free_security() - Free a TUN device LSM blob5069* @security: LSM blob5070*5071* This hook allows a module to free the security structure for a TUN device.5072*/5073void security_tun_dev_free_security(void *security)5074{5075kfree(security);5076}5077EXPORT_SYMBOL(security_tun_dev_free_security);50785079/**5080* security_tun_dev_create() - Check if creating a TUN device is allowed5081*5082* Check permissions prior to creating a new TUN device.5083*5084* Return: Returns 0 if permission is granted.5085*/5086int security_tun_dev_create(void)5087{5088return call_int_hook(tun_dev_create);5089}5090EXPORT_SYMBOL(security_tun_dev_create);50915092/**5093* security_tun_dev_attach_queue() - Check if attaching a TUN queue is allowed5094* @security: TUN device LSM blob5095*5096* Check permissions prior to attaching to a TUN device queue.5097*5098* Return: Returns 0 if permission is granted.5099*/5100int security_tun_dev_attach_queue(void *security)5101{5102return call_int_hook(tun_dev_attach_queue, security);5103}5104EXPORT_SYMBOL(security_tun_dev_attach_queue);51055106/**5107* security_tun_dev_attach() - Update TUN device LSM state on attach5108* @sk: associated sock5109* @security: TUN device LSM blob5110*5111* This hook can be used by the module to update any security state associated5112* with the TUN device's sock structure.5113*5114* Return: Returns 0 if permission is granted.5115*/5116int security_tun_dev_attach(struct sock *sk, void *security)5117{5118return call_int_hook(tun_dev_attach, sk, security);5119}5120EXPORT_SYMBOL(security_tun_dev_attach);51215122/**5123* security_tun_dev_open() - Update TUN device LSM state on open5124* @security: TUN device LSM blob5125*5126* This hook can be used by the module to update any security state associated5127* with the TUN device's security structure.5128*5129* Return: Returns 0 if permission is granted.5130*/5131int security_tun_dev_open(void *security)5132{5133return call_int_hook(tun_dev_open, security);5134}5135EXPORT_SYMBOL(security_tun_dev_open);51365137/**5138* security_sctp_assoc_request() - Update the LSM on a SCTP association req5139* @asoc: SCTP association5140* @skb: packet requesting the association5141*5142* Passes the @asoc and @chunk->skb of the association INIT packet to the LSM.5143*5144* Return: Returns 0 on success, error on failure.5145*/5146int security_sctp_assoc_request(struct sctp_association *asoc,5147struct sk_buff *skb)5148{5149return call_int_hook(sctp_assoc_request, asoc, skb);5150}5151EXPORT_SYMBOL(security_sctp_assoc_request);51525153/**5154* security_sctp_bind_connect() - Validate a list of addrs for a SCTP option5155* @sk: socket5156* @optname: SCTP option to validate5157* @address: list of IP addresses to validate5158* @addrlen: length of the address list5159*5160* Validiate permissions required for each address associated with sock @sk.5161* Depending on @optname, the addresses will be treated as either a connect or5162* bind service. The @addrlen is calculated on each IPv4 and IPv6 address using5163* sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6).5164*5165* Return: Returns 0 on success, error on failure.5166*/5167int security_sctp_bind_connect(struct sock *sk, int optname,5168struct sockaddr *address, int addrlen)5169{5170return call_int_hook(sctp_bind_connect, sk, optname, address, addrlen);5171}5172EXPORT_SYMBOL(security_sctp_bind_connect);51735174/**5175* security_sctp_sk_clone() - Clone a SCTP sock's LSM state5176* @asoc: SCTP association5177* @sk: original sock5178* @newsk: target sock5179*5180* Called whenever a new socket is created by accept(2) (i.e. a TCP style5181* socket) or when a socket is 'peeled off' e.g userspace calls5182* sctp_peeloff(3).5183*/5184void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,5185struct sock *newsk)5186{5187call_void_hook(sctp_sk_clone, asoc, sk, newsk);5188}5189EXPORT_SYMBOL(security_sctp_sk_clone);51905191/**5192* security_sctp_assoc_established() - Update LSM state when assoc established5193* @asoc: SCTP association5194* @skb: packet establishing the association5195*5196* Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet to the5197* security module.5198*5199* Return: Returns 0 if permission is granted.5200*/5201int security_sctp_assoc_established(struct sctp_association *asoc,5202struct sk_buff *skb)5203{5204return call_int_hook(sctp_assoc_established, asoc, skb);5205}5206EXPORT_SYMBOL(security_sctp_assoc_established);52075208/**5209* security_mptcp_add_subflow() - Inherit the LSM label from the MPTCP socket5210* @sk: the owning MPTCP socket5211* @ssk: the new subflow5212*5213* Update the labeling for the given MPTCP subflow, to match the one of the5214* owning MPTCP socket. This hook has to be called after the socket creation and5215* initialization via the security_socket_create() and5216* security_socket_post_create() LSM hooks.5217*5218* Return: Returns 0 on success or a negative error code on failure.5219*/5220int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)5221{5222return call_int_hook(mptcp_add_subflow, sk, ssk);5223}52245225#endif /* CONFIG_SECURITY_NETWORK */52265227#ifdef CONFIG_SECURITY_INFINIBAND5228/**5229* security_ib_pkey_access() - Check if access to an IB pkey is allowed5230* @sec: LSM blob5231* @subnet_prefix: subnet prefix of the port5232* @pkey: IB pkey5233*5234* Check permission to access a pkey when modifying a QP.5235*5236* Return: Returns 0 if permission is granted.5237*/5238int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey)5239{5240return call_int_hook(ib_pkey_access, sec, subnet_prefix, pkey);5241}5242EXPORT_SYMBOL(security_ib_pkey_access);52435244/**5245* security_ib_endport_manage_subnet() - Check if SMPs traffic is allowed5246* @sec: LSM blob5247* @dev_name: IB device name5248* @port_num: port number5249*5250* Check permissions to send and receive SMPs on a end port.5251*5252* Return: Returns 0 if permission is granted.5253*/5254int security_ib_endport_manage_subnet(void *sec,5255const char *dev_name, u8 port_num)5256{5257return call_int_hook(ib_endport_manage_subnet, sec, dev_name, port_num);5258}5259EXPORT_SYMBOL(security_ib_endport_manage_subnet);52605261/**5262* security_ib_alloc_security() - Allocate an Infiniband LSM blob5263* @sec: LSM blob5264*5265* Allocate a security structure for Infiniband objects.5266*5267* Return: Returns 0 on success, non-zero on failure.5268*/5269int security_ib_alloc_security(void **sec)5270{5271int rc;52725273rc = lsm_blob_alloc(sec, blob_sizes.lbs_ib, GFP_KERNEL);5274if (rc)5275return rc;52765277rc = call_int_hook(ib_alloc_security, *sec);5278if (rc) {5279kfree(*sec);5280*sec = NULL;5281}5282return rc;5283}5284EXPORT_SYMBOL(security_ib_alloc_security);52855286/**5287* security_ib_free_security() - Free an Infiniband LSM blob5288* @sec: LSM blob5289*5290* Deallocate an Infiniband security structure.5291*/5292void security_ib_free_security(void *sec)5293{5294kfree(sec);5295}5296EXPORT_SYMBOL(security_ib_free_security);5297#endif /* CONFIG_SECURITY_INFINIBAND */52985299#ifdef CONFIG_SECURITY_NETWORK_XFRM5300/**5301* security_xfrm_policy_alloc() - Allocate a xfrm policy LSM blob5302* @ctxp: xfrm security context being added to the SPD5303* @sec_ctx: security label provided by userspace5304* @gfp: gfp flags5305*5306* Allocate a security structure to the xp->security field; the security field5307* is initialized to NULL when the xfrm_policy is allocated.5308*5309* Return: Return 0 if operation was successful.5310*/5311int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,5312struct xfrm_user_sec_ctx *sec_ctx,5313gfp_t gfp)5314{5315return call_int_hook(xfrm_policy_alloc_security, ctxp, sec_ctx, gfp);5316}5317EXPORT_SYMBOL(security_xfrm_policy_alloc);53185319/**5320* security_xfrm_policy_clone() - Clone xfrm policy LSM state5321* @old_ctx: xfrm security context5322* @new_ctxp: target xfrm security context5323*5324* Allocate a security structure in new_ctxp that contains the information from5325* the old_ctx structure.5326*5327* Return: Return 0 if operation was successful.5328*/5329int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,5330struct xfrm_sec_ctx **new_ctxp)5331{5332return call_int_hook(xfrm_policy_clone_security, old_ctx, new_ctxp);5333}53345335/**5336* security_xfrm_policy_free() - Free a xfrm security context5337* @ctx: xfrm security context5338*5339* Free LSM resources associated with @ctx.5340*/5341void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)5342{5343call_void_hook(xfrm_policy_free_security, ctx);5344}5345EXPORT_SYMBOL(security_xfrm_policy_free);53465347/**5348* security_xfrm_policy_delete() - Check if deleting a xfrm policy is allowed5349* @ctx: xfrm security context5350*5351* Authorize deletion of a SPD entry.5352*5353* Return: Returns 0 if permission is granted.5354*/5355int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)5356{5357return call_int_hook(xfrm_policy_delete_security, ctx);5358}53595360/**5361* security_xfrm_state_alloc() - Allocate a xfrm state LSM blob5362* @x: xfrm state being added to the SAD5363* @sec_ctx: security label provided by userspace5364*5365* Allocate a security structure to the @x->security field; the security field5366* is initialized to NULL when the xfrm_state is allocated. Set the context to5367* correspond to @sec_ctx.5368*5369* Return: Return 0 if operation was successful.5370*/5371int security_xfrm_state_alloc(struct xfrm_state *x,5372struct xfrm_user_sec_ctx *sec_ctx)5373{5374return call_int_hook(xfrm_state_alloc, x, sec_ctx);5375}5376EXPORT_SYMBOL(security_xfrm_state_alloc);53775378/**5379* security_xfrm_state_alloc_acquire() - Allocate a xfrm state LSM blob5380* @x: xfrm state being added to the SAD5381* @polsec: associated policy's security context5382* @secid: secid from the flow5383*5384* Allocate a security structure to the x->security field; the security field5385* is initialized to NULL when the xfrm_state is allocated. Set the context to5386* correspond to secid.5387*5388* Return: Returns 0 if operation was successful.5389*/5390int security_xfrm_state_alloc_acquire(struct xfrm_state *x,5391struct xfrm_sec_ctx *polsec, u32 secid)5392{5393return call_int_hook(xfrm_state_alloc_acquire, x, polsec, secid);5394}53955396/**5397* security_xfrm_state_delete() - Check if deleting a xfrm state is allowed5398* @x: xfrm state5399*5400* Authorize deletion of x->security.5401*5402* Return: Returns 0 if permission is granted.5403*/5404int security_xfrm_state_delete(struct xfrm_state *x)5405{5406return call_int_hook(xfrm_state_delete_security, x);5407}5408EXPORT_SYMBOL(security_xfrm_state_delete);54095410/**5411* security_xfrm_state_free() - Free a xfrm state5412* @x: xfrm state5413*5414* Deallocate x->security.5415*/5416void security_xfrm_state_free(struct xfrm_state *x)5417{5418call_void_hook(xfrm_state_free_security, x);5419}54205421/**5422* security_xfrm_policy_lookup() - Check if using a xfrm policy is allowed5423* @ctx: target xfrm security context5424* @fl_secid: flow secid used to authorize access5425*5426* Check permission when a flow selects a xfrm_policy for processing XFRMs on a5427* packet. The hook is called when selecting either a per-socket policy or a5428* generic xfrm policy.5429*5430* Return: Return 0 if permission is granted, -ESRCH otherwise, or -errno on5431* other errors.5432*/5433int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)5434{5435return call_int_hook(xfrm_policy_lookup, ctx, fl_secid);5436}54375438/**5439* security_xfrm_state_pol_flow_match() - Check for a xfrm match5440* @x: xfrm state to match5441* @xp: xfrm policy to check for a match5442* @flic: flow to check for a match.5443*5444* Check @xp and @flic for a match with @x.5445*5446* Return: Returns 1 if there is a match.5447*/5448int security_xfrm_state_pol_flow_match(struct xfrm_state *x,5449struct xfrm_policy *xp,5450const struct flowi_common *flic)5451{5452struct lsm_static_call *scall;5453int rc = LSM_RET_DEFAULT(xfrm_state_pol_flow_match);54545455/*5456* Since this function is expected to return 0 or 1, the judgment5457* becomes difficult if multiple LSMs supply this call. Fortunately,5458* we can use the first LSM's judgment because currently only SELinux5459* supplies this call.5460*5461* For speed optimization, we explicitly break the loop rather than5462* using the macro5463*/5464lsm_for_each_hook(scall, xfrm_state_pol_flow_match) {5465rc = scall->hl->hook.xfrm_state_pol_flow_match(x, xp, flic);5466break;5467}5468return rc;5469}54705471/**5472* security_xfrm_decode_session() - Determine the xfrm secid for a packet5473* @skb: xfrm packet5474* @secid: secid5475*5476* Decode the packet in @skb and return the security label in @secid.5477*5478* Return: Return 0 if all xfrms used have the same secid.5479*/5480int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)5481{5482return call_int_hook(xfrm_decode_session, skb, secid, 1);5483}54845485void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)5486{5487int rc = call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid,54880);54895490BUG_ON(rc);5491}5492EXPORT_SYMBOL(security_skb_classify_flow);5493#endif /* CONFIG_SECURITY_NETWORK_XFRM */54945495#ifdef CONFIG_KEYS5496/**5497* security_key_alloc() - Allocate and initialize a kernel key LSM blob5498* @key: key5499* @cred: credentials5500* @flags: allocation flags5501*5502* Permit allocation of a key and assign security data. Note that key does not5503* have a serial number assigned at this point.5504*5505* Return: Return 0 if permission is granted, -ve error otherwise.5506*/5507int security_key_alloc(struct key *key, const struct cred *cred,5508unsigned long flags)5509{5510int rc = lsm_key_alloc(key);55115512if (unlikely(rc))5513return rc;5514rc = call_int_hook(key_alloc, key, cred, flags);5515if (unlikely(rc))5516security_key_free(key);5517return rc;5518}55195520/**5521* security_key_free() - Free a kernel key LSM blob5522* @key: key5523*5524* Notification of destruction; free security data.5525*/5526void security_key_free(struct key *key)5527{5528kfree(key->security);5529key->security = NULL;5530}55315532/**5533* security_key_permission() - Check if a kernel key operation is allowed5534* @key_ref: key reference5535* @cred: credentials of actor requesting access5536* @need_perm: requested permissions5537*5538* See whether a specific operational right is granted to a process on a key.5539*5540* Return: Return 0 if permission is granted, -ve error otherwise.5541*/5542int security_key_permission(key_ref_t key_ref, const struct cred *cred,5543enum key_need_perm need_perm)5544{5545return call_int_hook(key_permission, key_ref, cred, need_perm);5546}55475548/**5549* security_key_getsecurity() - Get the key's security label5550* @key: key5551* @buffer: security label buffer5552*5553* Get a textual representation of the security context attached to a key for5554* the purposes of honouring KEYCTL_GETSECURITY. This function allocates the5555* storage for the NUL-terminated string and the caller should free it.5556*5557* Return: Returns the length of @buffer (including terminating NUL) or -ve if5558* an error occurs. May also return 0 (and a NULL buffer pointer) if5559* there is no security label assigned to the key.5560*/5561int security_key_getsecurity(struct key *key, char **buffer)5562{5563*buffer = NULL;5564return call_int_hook(key_getsecurity, key, buffer);5565}55665567/**5568* security_key_post_create_or_update() - Notification of key create or update5569* @keyring: keyring to which the key is linked to5570* @key: created or updated key5571* @payload: data used to instantiate or update the key5572* @payload_len: length of payload5573* @flags: key flags5574* @create: flag indicating whether the key was created or updated5575*5576* Notify the caller of a key creation or update.5577*/5578void security_key_post_create_or_update(struct key *keyring, struct key *key,5579const void *payload, size_t payload_len,5580unsigned long flags, bool create)5581{5582call_void_hook(key_post_create_or_update, keyring, key, payload,5583payload_len, flags, create);5584}5585#endif /* CONFIG_KEYS */55865587#ifdef CONFIG_AUDIT5588/**5589* security_audit_rule_init() - Allocate and init an LSM audit rule struct5590* @field: audit action5591* @op: rule operator5592* @rulestr: rule context5593* @lsmrule: receive buffer for audit rule struct5594* @gfp: GFP flag used for kmalloc5595*5596* Allocate and initialize an LSM audit rule structure.5597*5598* Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of5599* an invalid rule.5600*/5601int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,5602gfp_t gfp)5603{5604return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp);5605}56065607/**5608* security_audit_rule_known() - Check if an audit rule contains LSM fields5609* @krule: audit rule5610*5611* Specifies whether given @krule contains any fields related to the current5612* LSM.5613*5614* Return: Returns 1 in case of relation found, 0 otherwise.5615*/5616int security_audit_rule_known(struct audit_krule *krule)5617{5618return call_int_hook(audit_rule_known, krule);5619}56205621/**5622* security_audit_rule_free() - Free an LSM audit rule struct5623* @lsmrule: audit rule struct5624*5625* Deallocate the LSM audit rule structure previously allocated by5626* audit_rule_init().5627*/5628void security_audit_rule_free(void *lsmrule)5629{5630call_void_hook(audit_rule_free, lsmrule);5631}56325633/**5634* security_audit_rule_match() - Check if a label matches an audit rule5635* @prop: security label5636* @field: LSM audit field5637* @op: matching operator5638* @lsmrule: audit rule5639*5640* Determine if given @secid matches a rule previously approved by5641* security_audit_rule_known().5642*5643* Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on5644* failure.5645*/5646int security_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op,5647void *lsmrule)5648{5649return call_int_hook(audit_rule_match, prop, field, op, lsmrule);5650}5651#endif /* CONFIG_AUDIT */56525653#ifdef CONFIG_BPF_SYSCALL5654/**5655* security_bpf() - Check if the bpf syscall operation is allowed5656* @cmd: command5657* @attr: bpf attribute5658* @size: size5659* @kernel: whether or not call originated from kernel5660*5661* Do a initial check for all bpf syscalls after the attribute is copied into5662* the kernel. The actual security module can implement their own rules to5663* check the specific cmd they need.5664*5665* Return: Returns 0 if permission is granted.5666*/5667int security_bpf(int cmd, union bpf_attr *attr, unsigned int size, bool kernel)5668{5669return call_int_hook(bpf, cmd, attr, size, kernel);5670}56715672/**5673* security_bpf_map() - Check if access to a bpf map is allowed5674* @map: bpf map5675* @fmode: mode5676*5677* Do a check when the kernel generates and returns a file descriptor for eBPF5678* maps.5679*5680* Return: Returns 0 if permission is granted.5681*/5682int security_bpf_map(struct bpf_map *map, fmode_t fmode)5683{5684return call_int_hook(bpf_map, map, fmode);5685}56865687/**5688* security_bpf_prog() - Check if access to a bpf program is allowed5689* @prog: bpf program5690*5691* Do a check when the kernel generates and returns a file descriptor for eBPF5692* programs.5693*5694* Return: Returns 0 if permission is granted.5695*/5696int security_bpf_prog(struct bpf_prog *prog)5697{5698return call_int_hook(bpf_prog, prog);5699}57005701/**5702* security_bpf_map_create() - Check if BPF map creation is allowed5703* @map: BPF map object5704* @attr: BPF syscall attributes used to create BPF map5705* @token: BPF token used to grant user access5706* @kernel: whether or not call originated from kernel5707*5708* Do a check when the kernel creates a new BPF map. This is also the5709* point where LSM blob is allocated for LSMs that need them.5710*5711* Return: Returns 0 on success, error on failure.5712*/5713int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,5714struct bpf_token *token, bool kernel)5715{5716return call_int_hook(bpf_map_create, map, attr, token, kernel);5717}57185719/**5720* security_bpf_prog_load() - Check if loading of BPF program is allowed5721* @prog: BPF program object5722* @attr: BPF syscall attributes used to create BPF program5723* @token: BPF token used to grant user access to BPF subsystem5724* @kernel: whether or not call originated from kernel5725*5726* Perform an access control check when the kernel loads a BPF program and5727* allocates associated BPF program object. This hook is also responsible for5728* allocating any required LSM state for the BPF program.5729*5730* Return: Returns 0 on success, error on failure.5731*/5732int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,5733struct bpf_token *token, bool kernel)5734{5735return call_int_hook(bpf_prog_load, prog, attr, token, kernel);5736}57375738/**5739* security_bpf_token_create() - Check if creating of BPF token is allowed5740* @token: BPF token object5741* @attr: BPF syscall attributes used to create BPF token5742* @path: path pointing to BPF FS mount point from which BPF token is created5743*5744* Do a check when the kernel instantiates a new BPF token object from BPF FS5745* instance. This is also the point where LSM blob can be allocated for LSMs.5746*5747* Return: Returns 0 on success, error on failure.5748*/5749int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,5750const struct path *path)5751{5752return call_int_hook(bpf_token_create, token, attr, path);5753}57545755/**5756* security_bpf_token_cmd() - Check if BPF token is allowed to delegate5757* requested BPF syscall command5758* @token: BPF token object5759* @cmd: BPF syscall command requested to be delegated by BPF token5760*5761* Do a check when the kernel decides whether provided BPF token should allow5762* delegation of requested BPF syscall command.5763*5764* Return: Returns 0 on success, error on failure.5765*/5766int security_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)5767{5768return call_int_hook(bpf_token_cmd, token, cmd);5769}57705771/**5772* security_bpf_token_capable() - Check if BPF token is allowed to delegate5773* requested BPF-related capability5774* @token: BPF token object5775* @cap: capabilities requested to be delegated by BPF token5776*5777* Do a check when the kernel decides whether provided BPF token should allow5778* delegation of requested BPF-related capabilities.5779*5780* Return: Returns 0 on success, error on failure.5781*/5782int security_bpf_token_capable(const struct bpf_token *token, int cap)5783{5784return call_int_hook(bpf_token_capable, token, cap);5785}57865787/**5788* security_bpf_map_free() - Free a bpf map's LSM blob5789* @map: bpf map5790*5791* Clean up the security information stored inside bpf map.5792*/5793void security_bpf_map_free(struct bpf_map *map)5794{5795call_void_hook(bpf_map_free, map);5796}57975798/**5799* security_bpf_prog_free() - Free a BPF program's LSM blob5800* @prog: BPF program struct5801*5802* Clean up the security information stored inside BPF program.5803*/5804void security_bpf_prog_free(struct bpf_prog *prog)5805{5806call_void_hook(bpf_prog_free, prog);5807}58085809/**5810* security_bpf_token_free() - Free a BPF token's LSM blob5811* @token: BPF token struct5812*5813* Clean up the security information stored inside BPF token.5814*/5815void security_bpf_token_free(struct bpf_token *token)5816{5817call_void_hook(bpf_token_free, token);5818}5819#endif /* CONFIG_BPF_SYSCALL */58205821/**5822* security_locked_down() - Check if a kernel feature is allowed5823* @what: requested kernel feature5824*5825* Determine whether a kernel feature that potentially enables arbitrary code5826* execution in kernel space should be permitted.5827*5828* Return: Returns 0 if permission is granted.5829*/5830int security_locked_down(enum lockdown_reason what)5831{5832return call_int_hook(locked_down, what);5833}5834EXPORT_SYMBOL(security_locked_down);58355836/**5837* security_bdev_alloc() - Allocate a block device LSM blob5838* @bdev: block device5839*5840* Allocate and attach a security structure to @bdev->bd_security. The5841* security field is initialized to NULL when the bdev structure is5842* allocated.5843*5844* Return: Return 0 if operation was successful.5845*/5846int security_bdev_alloc(struct block_device *bdev)5847{5848int rc = 0;58495850rc = lsm_bdev_alloc(bdev);5851if (unlikely(rc))5852return rc;58535854rc = call_int_hook(bdev_alloc_security, bdev);5855if (unlikely(rc))5856security_bdev_free(bdev);58575858return rc;5859}5860EXPORT_SYMBOL(security_bdev_alloc);58615862/**5863* security_bdev_free() - Free a block device's LSM blob5864* @bdev: block device5865*5866* Deallocate the bdev security structure and set @bdev->bd_security to NULL.5867*/5868void security_bdev_free(struct block_device *bdev)5869{5870if (!bdev->bd_security)5871return;58725873call_void_hook(bdev_free_security, bdev);58745875kfree(bdev->bd_security);5876bdev->bd_security = NULL;5877}5878EXPORT_SYMBOL(security_bdev_free);58795880/**5881* security_bdev_setintegrity() - Set the device's integrity data5882* @bdev: block device5883* @type: type of integrity, e.g. hash digest, signature, etc5884* @value: the integrity value5885* @size: size of the integrity value5886*5887* Register a verified integrity measurement of a bdev with LSMs.5888* LSMs should free the previously saved data if @value is NULL.5889* Please note that the new hook should be invoked every time the security5890* information is updated to keep these data current. For example, in dm-verity,5891* if the mapping table is reloaded and configured to use a different dm-verity5892* target with a new roothash and signing information, the previously stored5893* data in the LSM blob will become obsolete. It is crucial to re-invoke the5894* hook to refresh these data and ensure they are up to date. This necessity5895* arises from the design of device-mapper, where a device-mapper device is5896* first created, and then targets are subsequently loaded into it. These5897* targets can be modified multiple times during the device's lifetime.5898* Therefore, while the LSM blob is allocated during the creation of the block5899* device, its actual contents are not initialized at this stage and can change5900* substantially over time. This includes alterations from data that the LSMs5901* 'trusts' to those they do not, making it essential to handle these changes5902* correctly. Failure to address this dynamic aspect could potentially allow5903* for bypassing LSM checks.5904*5905* Return: Returns 0 on success, negative values on failure.5906*/5907int security_bdev_setintegrity(struct block_device *bdev,5908enum lsm_integrity_type type, const void *value,5909size_t size)5910{5911return call_int_hook(bdev_setintegrity, bdev, type, value, size);5912}5913EXPORT_SYMBOL(security_bdev_setintegrity);59145915#ifdef CONFIG_PERF_EVENTS5916/**5917* security_perf_event_open() - Check if a perf event open is allowed5918* @type: type of event5919*5920* Check whether the @type of perf_event_open syscall is allowed.5921*5922* Return: Returns 0 if permission is granted.5923*/5924int security_perf_event_open(int type)5925{5926return call_int_hook(perf_event_open, type);5927}59285929/**5930* security_perf_event_alloc() - Allocate a perf event LSM blob5931* @event: perf event5932*5933* Allocate and save perf_event security info.5934*5935* Return: Returns 0 on success, error on failure.5936*/5937int security_perf_event_alloc(struct perf_event *event)5938{5939int rc;59405941rc = lsm_blob_alloc(&event->security, blob_sizes.lbs_perf_event,5942GFP_KERNEL);5943if (rc)5944return rc;59455946rc = call_int_hook(perf_event_alloc, event);5947if (rc) {5948kfree(event->security);5949event->security = NULL;5950}5951return rc;5952}59535954/**5955* security_perf_event_free() - Free a perf event LSM blob5956* @event: perf event5957*5958* Release (free) perf_event security info.5959*/5960void security_perf_event_free(struct perf_event *event)5961{5962kfree(event->security);5963event->security = NULL;5964}59655966/**5967* security_perf_event_read() - Check if reading a perf event label is allowed5968* @event: perf event5969*5970* Read perf_event security info if allowed.5971*5972* Return: Returns 0 if permission is granted.5973*/5974int security_perf_event_read(struct perf_event *event)5975{5976return call_int_hook(perf_event_read, event);5977}59785979/**5980* security_perf_event_write() - Check if writing a perf event label is allowed5981* @event: perf event5982*5983* Write perf_event security info if allowed.5984*5985* Return: Returns 0 if permission is granted.5986*/5987int security_perf_event_write(struct perf_event *event)5988{5989return call_int_hook(perf_event_write, event);5990}5991#endif /* CONFIG_PERF_EVENTS */59925993#ifdef CONFIG_IO_URING5994/**5995* security_uring_override_creds() - Check if overriding creds is allowed5996* @new: new credentials5997*5998* Check if the current task, executing an io_uring operation, is allowed to5999* override it's credentials with @new.6000*6001* Return: Returns 0 if permission is granted.6002*/6003int security_uring_override_creds(const struct cred *new)6004{6005return call_int_hook(uring_override_creds, new);6006}60076008/**6009* security_uring_sqpoll() - Check if IORING_SETUP_SQPOLL is allowed6010*6011* Check whether the current task is allowed to spawn a io_uring polling thread6012* (IORING_SETUP_SQPOLL).6013*6014* Return: Returns 0 if permission is granted.6015*/6016int security_uring_sqpoll(void)6017{6018return call_int_hook(uring_sqpoll);6019}60206021/**6022* security_uring_cmd() - Check if a io_uring passthrough command is allowed6023* @ioucmd: command6024*6025* Check whether the file_operations uring_cmd is allowed to run.6026*6027* Return: Returns 0 if permission is granted.6028*/6029int security_uring_cmd(struct io_uring_cmd *ioucmd)6030{6031return call_int_hook(uring_cmd, ioucmd);6032}60336034/**6035* security_uring_allowed() - Check if io_uring_setup() is allowed6036*6037* Check whether the current task is allowed to call io_uring_setup().6038*6039* Return: Returns 0 if permission is granted.6040*/6041int security_uring_allowed(void)6042{6043return call_int_hook(uring_allowed);6044}6045#endif /* CONFIG_IO_URING */60466047/**6048* security_initramfs_populated() - Notify LSMs that initramfs has been loaded6049*6050* Tells the LSMs the initramfs has been unpacked into the rootfs.6051*/6052void security_initramfs_populated(void)6053{6054call_void_hook(initramfs_populated);6055}605660576058