// SPDX-License-Identifier: GPL-2.0-or-later1/*2* Security plug functions3*4* Copyright (C) 2001 WireX Communications, Inc <[email protected]>5* Copyright (C) 2001-2002 Greg Kroah-Hartman <[email protected]>6* Copyright (C) 2001 Networks Associates Technology, Inc <[email protected]>7* Copyright (C) 2016 Mellanox Technologies8* Copyright (C) 2023 Microsoft Corporation <[email protected]>9*/1011#define pr_fmt(fmt) "LSM: " fmt1213#include <linux/bpf.h>14#include <linux/capability.h>15#include <linux/dcache.h>16#include <linux/export.h>17#include <linux/init.h>18#include <linux/kernel.h>19#include <linux/kernel_read_file.h>20#include <linux/lsm_hooks.h>21#include <linux/mman.h>22#include <linux/mount.h>23#include <linux/personality.h>24#include <linux/backing-dev.h>25#include <linux/string.h>26#include <linux/xattr.h>27#include <linux/msg.h>28#include <linux/overflow.h>29#include <linux/perf_event.h>30#include <linux/fs.h>31#include <net/flow.h>32#include <net/sock.h>3334#include "lsm.h"3536/*37* These are descriptions of the reasons that can be passed to the38* security_locked_down() LSM hook. Placing this array here allows39* all security modules to use the same descriptions for auditing40* purposes.41*/42const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {43[LOCKDOWN_NONE] = "none",44[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",45[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",46[LOCKDOWN_EFI_TEST] = "/dev/efi_test access",47[LOCKDOWN_KEXEC] = "kexec of unsigned images",48[LOCKDOWN_HIBERNATION] = "hibernation",49[LOCKDOWN_PCI_ACCESS] = "direct PCI access",50[LOCKDOWN_IOPORT] = "raw io port access",51[LOCKDOWN_MSR] = "raw MSR access",52[LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables",53[LOCKDOWN_DEVICE_TREE] = "modifying device tree contents",54[LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage",55[LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO",56[LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",57[LOCKDOWN_MMIOTRACE] = "unsafe mmio",58[LOCKDOWN_DEBUGFS] = "debugfs access",59[LOCKDOWN_XMON_WR] = "xmon write access",60[LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",61[LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",62[LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",63[LOCKDOWN_INTEGRITY_MAX] = "integrity",64[LOCKDOWN_KCORE] = "/proc/kcore access",65[LOCKDOWN_KPROBES] = "use of kprobes",66[LOCKDOWN_BPF_READ_KERNEL] = "use of bpf to read kernel RAM",67[LOCKDOWN_DBG_READ_KERNEL] = "use of kgdb/kdb to read kernel RAM",68[LOCKDOWN_PERF] = "unsafe use of perf",69[LOCKDOWN_TRACEFS] = "use of tracefs",70[LOCKDOWN_XMON_RW] = "xmon read and write access",71[LOCKDOWN_XFRM_SECRET] = "xfrm SA secret",72[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",73};7475bool lsm_debug __ro_after_init;7677unsigned int lsm_active_cnt __ro_after_init;78const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];7980struct lsm_blob_sizes blob_sizes;8182struct kmem_cache *lsm_file_cache;83struct kmem_cache *lsm_inode_cache;8485#define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX8687/*88* Identifier for the LSM static calls.89* HOOK is an LSM hook as defined in linux/lsm_hookdefs.h90* IDX is the index of the static call. 0 <= NUM < MAX_LSM_COUNT91*/92#define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX9394/*95* Call the macro M for each LSM hook MAX_LSM_COUNT times.96*/97#define LSM_LOOP_UNROLL(M, ...) \98do { \99UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) \100} while (0)101102#define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__)103104#ifdef CONFIG_HAVE_STATIC_CALL105#define LSM_HOOK_TRAMP(NAME, NUM) \106&STATIC_CALL_TRAMP(LSM_STATIC_CALL(NAME, NUM))107#else108#define LSM_HOOK_TRAMP(NAME, NUM) NULL109#endif110111/*112* Define static calls and static keys for each LSM hook.113*/114#define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \115DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \116*((RET(*)(__VA_ARGS__))NULL)); \117DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM));118119#define LSM_HOOK(RET, DEFAULT, NAME, ...) \120LSM_DEFINE_UNROLL(DEFINE_LSM_STATIC_CALL, NAME, RET, __VA_ARGS__)121#include <linux/lsm_hook_defs.h>122#undef LSM_HOOK123#undef DEFINE_LSM_STATIC_CALL124125/*126* Initialise a table of static calls for each LSM hook.127* DEFINE_STATIC_CALL_NULL invocation above generates a key (STATIC_CALL_KEY)128* and a trampoline (STATIC_CALL_TRAMP) which are used to call129* __static_call_update when updating the static call.130*131* The static calls table is used by early LSMs, some architectures can fault on132* unaligned accesses and the fault handling code may not be ready by then.133* Thus, the static calls table should be aligned to avoid any unhandled faults134* in early init.135*/136struct lsm_static_calls_table137static_calls_table __ro_after_init __aligned(sizeof(u64)) = {138#define INIT_LSM_STATIC_CALL(NUM, NAME) \139(struct lsm_static_call) { \140.key = &STATIC_CALL_KEY(LSM_STATIC_CALL(NAME, NUM)), \141.trampoline = LSM_HOOK_TRAMP(NAME, NUM), \142.active = &SECURITY_HOOK_ACTIVE_KEY(NAME, NUM), \143},144#define LSM_HOOK(RET, DEFAULT, NAME, ...) \145.NAME = { \146LSM_DEFINE_UNROLL(INIT_LSM_STATIC_CALL, NAME) \147},148#include <linux/lsm_hook_defs.h>149#undef LSM_HOOK150#undef INIT_LSM_STATIC_CALL151};152153/**154* lsm_file_alloc - allocate a composite file blob155* @file: the file that needs a blob156*157* Allocate the file blob for all the modules158*159* Returns 0, or -ENOMEM if memory can't be allocated.160*/161static int lsm_file_alloc(struct file *file)162{163if (!lsm_file_cache) {164file->f_security = NULL;165return 0;166}167168file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL);169if (file->f_security == NULL)170return -ENOMEM;171return 0;172}173174/**175* lsm_blob_alloc - allocate a composite blob176* @dest: the destination for the blob177* @size: the size of the blob178* @gfp: allocation type179*180* Allocate a blob for all the modules181*182* Returns 0, or -ENOMEM if memory can't be allocated.183*/184static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp)185{186if (size == 0) {187*dest = NULL;188return 0;189}190191*dest = kzalloc(size, gfp);192if (*dest == NULL)193return -ENOMEM;194return 0;195}196197/**198* lsm_cred_alloc - allocate a composite cred blob199* @cred: the cred that needs a blob200* @gfp: allocation type201*202* Allocate the cred blob for all the modules203*204* Returns 0, or -ENOMEM if memory can't be allocated.205*/206int lsm_cred_alloc(struct cred *cred, gfp_t gfp)207{208return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp);209}210211/**212* lsm_inode_alloc - allocate a composite inode blob213* @inode: the inode that needs a blob214* @gfp: allocation flags215*216* Allocate the inode blob for all the modules217*218* Returns 0, or -ENOMEM if memory can't be allocated.219*/220static int lsm_inode_alloc(struct inode *inode, gfp_t gfp)221{222if (!lsm_inode_cache) {223inode->i_security = NULL;224return 0;225}226227inode->i_security = kmem_cache_zalloc(lsm_inode_cache, gfp);228if (inode->i_security == NULL)229return -ENOMEM;230return 0;231}232233/**234* lsm_task_alloc - allocate a composite task blob235* @task: the task that needs a blob236*237* Allocate the task blob for all the modules238*239* Returns 0, or -ENOMEM if memory can't be allocated.240*/241int lsm_task_alloc(struct task_struct *task)242{243return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL);244}245246/**247* lsm_ipc_alloc - allocate a composite ipc blob248* @kip: the ipc that needs a blob249*250* Allocate the ipc blob for all the modules251*252* Returns 0, or -ENOMEM if memory can't be allocated.253*/254static int lsm_ipc_alloc(struct kern_ipc_perm *kip)255{256return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL);257}258259#ifdef CONFIG_KEYS260/**261* lsm_key_alloc - allocate a composite key blob262* @key: the key that needs a blob263*264* Allocate the key blob for all the modules265*266* Returns 0, or -ENOMEM if memory can't be allocated.267*/268static int lsm_key_alloc(struct key *key)269{270return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL);271}272#endif /* CONFIG_KEYS */273274/**275* lsm_msg_msg_alloc - allocate a composite msg_msg blob276* @mp: the msg_msg that needs a blob277*278* Allocate the ipc blob for all the modules279*280* Returns 0, or -ENOMEM if memory can't be allocated.281*/282static int lsm_msg_msg_alloc(struct msg_msg *mp)283{284return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg,285GFP_KERNEL);286}287288/**289* lsm_bdev_alloc - allocate a composite block_device blob290* @bdev: the block_device that needs a blob291*292* Allocate the block_device blob for all the modules293*294* Returns 0, or -ENOMEM if memory can't be allocated.295*/296static int lsm_bdev_alloc(struct block_device *bdev)297{298return lsm_blob_alloc(&bdev->bd_security, blob_sizes.lbs_bdev,299GFP_KERNEL);300}301302#ifdef CONFIG_BPF_SYSCALL303/**304* lsm_bpf_map_alloc - allocate a composite bpf_map blob305* @map: the bpf_map that needs a blob306*307* Allocate the bpf_map blob for all the modules308*309* Returns 0, or -ENOMEM if memory can't be allocated.310*/311static int lsm_bpf_map_alloc(struct bpf_map *map)312{313return lsm_blob_alloc(&map->security, blob_sizes.lbs_bpf_map, GFP_KERNEL);314}315316/**317* lsm_bpf_prog_alloc - allocate a composite bpf_prog blob318* @prog: the bpf_prog that needs a blob319*320* Allocate the bpf_prog blob for all the modules321*322* Returns 0, or -ENOMEM if memory can't be allocated.323*/324static int lsm_bpf_prog_alloc(struct bpf_prog *prog)325{326return lsm_blob_alloc(&prog->aux->security, blob_sizes.lbs_bpf_prog, GFP_KERNEL);327}328329/**330* lsm_bpf_token_alloc - allocate a composite bpf_token blob331* @token: the bpf_token that needs a blob332*333* Allocate the bpf_token blob for all the modules334*335* Returns 0, or -ENOMEM if memory can't be allocated.336*/337static int lsm_bpf_token_alloc(struct bpf_token *token)338{339return lsm_blob_alloc(&token->security, blob_sizes.lbs_bpf_token, GFP_KERNEL);340}341#endif /* CONFIG_BPF_SYSCALL */342343/**344* lsm_superblock_alloc - allocate a composite superblock blob345* @sb: the superblock that needs a blob346*347* Allocate the superblock blob for all the modules348*349* Returns 0, or -ENOMEM if memory can't be allocated.350*/351static int lsm_superblock_alloc(struct super_block *sb)352{353return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock,354GFP_KERNEL);355}356357/**358* lsm_fill_user_ctx - Fill a user space lsm_ctx structure359* @uctx: a userspace LSM context to be filled360* @uctx_len: available uctx size (input), used uctx size (output)361* @val: the new LSM context value362* @val_len: the size of the new LSM context value363* @id: LSM id364* @flags: LSM defined flags365*366* Fill all of the fields in a userspace lsm_ctx structure. If @uctx is NULL367* simply calculate the required size to output via @utc_len and return368* success.369*370* Returns 0 on success, -E2BIG if userspace buffer is not large enough,371* -EFAULT on a copyout error, -ENOMEM if memory can't be allocated.372*/373int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,374void *val, size_t val_len,375u64 id, u64 flags)376{377struct lsm_ctx *nctx = NULL;378size_t nctx_len;379int rc = 0;380381nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *));382if (nctx_len > *uctx_len) {383rc = -E2BIG;384goto out;385}386387/* no buffer - return success/0 and set @uctx_len to the req size */388if (!uctx)389goto out;390391nctx = kzalloc(nctx_len, GFP_KERNEL);392if (nctx == NULL) {393rc = -ENOMEM;394goto out;395}396nctx->id = id;397nctx->flags = flags;398nctx->len = nctx_len;399nctx->ctx_len = val_len;400memcpy(nctx->ctx, val, val_len);401402if (copy_to_user(uctx, nctx, nctx_len))403rc = -EFAULT;404405out:406kfree(nctx);407*uctx_len = nctx_len;408return rc;409}410411/*412* The default value of the LSM hook is defined in linux/lsm_hook_defs.h and413* can be accessed with:414*415* LSM_RET_DEFAULT(<hook_name>)416*417* The macros below define static constants for the default value of each418* LSM hook.419*/420#define LSM_RET_DEFAULT(NAME) (NAME##_default)421#define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)422#define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \423static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT);424#define LSM_HOOK(RET, DEFAULT, NAME, ...) \425DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)426427#include <linux/lsm_hook_defs.h>428#undef LSM_HOOK429430/*431* Hook list operation macros.432*433* call_void_hook:434* This is a hook that does not return a value.435*436* call_int_hook:437* This is a hook that returns a value.438*/439#define __CALL_STATIC_VOID(NUM, HOOK, ...) \440do { \441if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \442static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \443} \444} while (0);445446#define call_void_hook(HOOK, ...) \447do { \448LSM_LOOP_UNROLL(__CALL_STATIC_VOID, HOOK, __VA_ARGS__); \449} while (0)450451452#define __CALL_STATIC_INT(NUM, R, HOOK, LABEL, ...) \453do { \454if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \455R = static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \456if (R != LSM_RET_DEFAULT(HOOK)) \457goto LABEL; \458} \459} while (0);460461#define call_int_hook(HOOK, ...) \462({ \463__label__ OUT; \464int RC = LSM_RET_DEFAULT(HOOK); \465\466LSM_LOOP_UNROLL(__CALL_STATIC_INT, RC, HOOK, OUT, __VA_ARGS__); \467OUT: \468RC; \469})470471#define lsm_for_each_hook(scall, NAME) \472for (scall = static_calls_table.NAME; \473scall - static_calls_table.NAME < MAX_LSM_COUNT; scall++) \474if (static_key_enabled(&scall->active->key))475476/* Security operations */477478/**479* security_binder_set_context_mgr() - Check if becoming binder ctx mgr is ok480* @mgr: task credentials of current binder process481*482* Check whether @mgr is allowed to be the binder context manager.483*484* Return: Return 0 if permission is granted.485*/486int security_binder_set_context_mgr(const struct cred *mgr)487{488return call_int_hook(binder_set_context_mgr, mgr);489}490491/**492* security_binder_transaction() - Check if a binder transaction is allowed493* @from: sending process494* @to: receiving process495*496* Check whether @from is allowed to invoke a binder transaction call to @to.497*498* Return: Returns 0 if permission is granted.499*/500int security_binder_transaction(const struct cred *from,501const struct cred *to)502{503return call_int_hook(binder_transaction, from, to);504}505506/**507* security_binder_transfer_binder() - Check if a binder transfer is allowed508* @from: sending process509* @to: receiving process510*511* Check whether @from is allowed to transfer a binder reference to @to.512*513* Return: Returns 0 if permission is granted.514*/515int security_binder_transfer_binder(const struct cred *from,516const struct cred *to)517{518return call_int_hook(binder_transfer_binder, from, to);519}520521/**522* security_binder_transfer_file() - Check if a binder file xfer is allowed523* @from: sending process524* @to: receiving process525* @file: file being transferred526*527* Check whether @from is allowed to transfer @file to @to.528*529* Return: Returns 0 if permission is granted.530*/531int security_binder_transfer_file(const struct cred *from,532const struct cred *to, const struct file *file)533{534return call_int_hook(binder_transfer_file, from, to, file);535}536537/**538* security_ptrace_access_check() - Check if tracing is allowed539* @child: target process540* @mode: PTRACE_MODE flags541*542* Check permission before allowing the current process to trace the @child543* process. Security modules may also want to perform a process tracing check544* during an execve in the set_security or apply_creds hooks of tracing check545* during an execve in the bprm_set_creds hook of binprm_security_ops if the546* process is being traced and its security attributes would be changed by the547* execve.548*549* Return: Returns 0 if permission is granted.550*/551int security_ptrace_access_check(struct task_struct *child, unsigned int mode)552{553return call_int_hook(ptrace_access_check, child, mode);554}555556/**557* security_ptrace_traceme() - Check if tracing is allowed558* @parent: tracing process559*560* Check that the @parent process has sufficient permission to trace the561* current process before allowing the current process to present itself to the562* @parent process for tracing.563*564* Return: Returns 0 if permission is granted.565*/566int security_ptrace_traceme(struct task_struct *parent)567{568return call_int_hook(ptrace_traceme, parent);569}570571/**572* security_capget() - Get the capability sets for a process573* @target: target process574* @effective: effective capability set575* @inheritable: inheritable capability set576* @permitted: permitted capability set577*578* Get the @effective, @inheritable, and @permitted capability sets for the579* @target process. The hook may also perform permission checking to determine580* if the current process is allowed to see the capability sets of the @target581* process.582*583* Return: Returns 0 if the capability sets were successfully obtained.584*/585int security_capget(const struct task_struct *target,586kernel_cap_t *effective,587kernel_cap_t *inheritable,588kernel_cap_t *permitted)589{590return call_int_hook(capget, target, effective, inheritable, permitted);591}592593/**594* security_capset() - Set the capability sets for a process595* @new: new credentials for the target process596* @old: current credentials of the target process597* @effective: effective capability set598* @inheritable: inheritable capability set599* @permitted: permitted capability set600*601* Set the @effective, @inheritable, and @permitted capability sets for the602* current process.603*604* Return: Returns 0 and update @new if permission is granted.605*/606int security_capset(struct cred *new, const struct cred *old,607const kernel_cap_t *effective,608const kernel_cap_t *inheritable,609const kernel_cap_t *permitted)610{611return call_int_hook(capset, new, old, effective, inheritable,612permitted);613}614615/**616* security_capable() - Check if a process has the necessary capability617* @cred: credentials to examine618* @ns: user namespace619* @cap: capability requested620* @opts: capability check options621*622* Check whether the @tsk process has the @cap capability in the indicated623* credentials. @cap contains the capability <include/linux/capability.h>.624* @opts contains options for the capable check <include/linux/security.h>.625*626* Return: Returns 0 if the capability is granted.627*/628int security_capable(const struct cred *cred,629struct user_namespace *ns,630int cap,631unsigned int opts)632{633return call_int_hook(capable, cred, ns, cap, opts);634}635636/**637* security_quotactl() - Check if a quotactl() syscall is allowed for this fs638* @cmds: commands639* @type: type640* @id: id641* @sb: filesystem642*643* Check whether the quotactl syscall is allowed for this @sb.644*645* Return: Returns 0 if permission is granted.646*/647int security_quotactl(int cmds, int type, int id, const struct super_block *sb)648{649return call_int_hook(quotactl, cmds, type, id, sb);650}651652/**653* security_quota_on() - Check if QUOTAON is allowed for a dentry654* @dentry: dentry655*656* Check whether QUOTAON is allowed for @dentry.657*658* Return: Returns 0 if permission is granted.659*/660int security_quota_on(struct dentry *dentry)661{662return call_int_hook(quota_on, dentry);663}664665/**666* security_syslog() - Check if accessing the kernel message ring is allowed667* @type: SYSLOG_ACTION_* type668*669* Check permission before accessing the kernel message ring or changing670* logging to the console. See the syslog(2) manual page for an explanation of671* the @type values.672*673* Return: Return 0 if permission is granted.674*/675int security_syslog(int type)676{677return call_int_hook(syslog, type);678}679680/**681* security_settime64() - Check if changing the system time is allowed682* @ts: new time683* @tz: timezone684*685* Check permission to change the system time, struct timespec64 is defined in686* <include/linux/time64.h> and timezone is defined in <include/linux/time.h>.687*688* Return: Returns 0 if permission is granted.689*/690int security_settime64(const struct timespec64 *ts, const struct timezone *tz)691{692return call_int_hook(settime, ts, tz);693}694695/**696* security_vm_enough_memory_mm() - Check if allocating a new mem map is allowed697* @mm: mm struct698* @pages: number of pages699*700* Check permissions for allocating a new virtual mapping. If all LSMs return701* a positive value, __vm_enough_memory() will be called with cap_sys_admin702* set. If at least one LSM returns 0 or negative, __vm_enough_memory() will be703* called with cap_sys_admin cleared.704*705* Return: Returns 0 if permission is granted by the LSM infrastructure to the706* caller.707*/708int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)709{710struct lsm_static_call *scall;711int cap_sys_admin = 1;712int rc;713714/*715* The module will respond with 0 if it thinks the __vm_enough_memory()716* call should be made with the cap_sys_admin set. If all of the modules717* agree that it should be set it will. If any module thinks it should718* not be set it won't.719*/720lsm_for_each_hook(scall, vm_enough_memory) {721rc = scall->hl->hook.vm_enough_memory(mm, pages);722if (rc < 0) {723cap_sys_admin = 0;724break;725}726}727return __vm_enough_memory(mm, pages, cap_sys_admin);728}729730/**731* security_bprm_creds_for_exec() - Prepare the credentials for exec()732* @bprm: binary program information733*734* If the setup in prepare_exec_creds did not setup @bprm->cred->security735* properly for executing @bprm->file, update the LSM's portion of736* @bprm->cred->security to be what commit_creds needs to install for the new737* program. This hook may also optionally check permissions (e.g. for738* transitions between security domains). The hook must set @bprm->secureexec739* to 1 if AT_SECURE should be set to request libc enable secure mode. @bprm740* contains the linux_binprm structure.741*742* If execveat(2) is called with the AT_EXECVE_CHECK flag, bprm->is_check is743* set. The result must be the same as without this flag even if the execution744* will never really happen and @bprm will always be dropped.745*746* This hook must not change current->cred, only @bprm->cred.747*748* Return: Returns 0 if the hook is successful and permission is granted.749*/750int security_bprm_creds_for_exec(struct linux_binprm *bprm)751{752return call_int_hook(bprm_creds_for_exec, bprm);753}754755/**756* security_bprm_creds_from_file() - Update linux_binprm creds based on file757* @bprm: binary program information758* @file: associated file759*760* If @file is setpcap, suid, sgid or otherwise marked to change privilege upon761* exec, update @bprm->cred to reflect that change. This is called after762* finding the binary that will be executed without an interpreter. This763* ensures that the credentials will not be derived from a script that the764* binary will need to reopen, which when reopend may end up being a completely765* different file. This hook may also optionally check permissions (e.g. for766* transitions between security domains). The hook must set @bprm->secureexec767* to 1 if AT_SECURE should be set to request libc enable secure mode. The768* hook must add to @bprm->per_clear any personality flags that should be769* cleared from current->personality. @bprm contains the linux_binprm770* structure.771*772* Return: Returns 0 if the hook is successful and permission is granted.773*/774int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)775{776return call_int_hook(bprm_creds_from_file, bprm, file);777}778779/**780* security_bprm_check() - Mediate binary handler search781* @bprm: binary program information782*783* This hook mediates the point when a search for a binary handler will begin.784* It allows a check against the @bprm->cred->security value which was set in785* the preceding creds_for_exec call. The argv list and envp list are reliably786* available in @bprm. This hook may be called multiple times during a single787* execve. @bprm contains the linux_binprm structure.788*789* Return: Returns 0 if the hook is successful and permission is granted.790*/791int security_bprm_check(struct linux_binprm *bprm)792{793return call_int_hook(bprm_check_security, bprm);794}795796/**797* security_bprm_committing_creds() - Install creds for a process during exec()798* @bprm: binary program information799*800* Prepare to install the new security attributes of a process being801* transformed by an execve operation, based on the old credentials pointed to802* by @current->cred and the information set in @bprm->cred by the803* bprm_creds_for_exec hook. @bprm points to the linux_binprm structure. This804* hook is a good place to perform state changes on the process such as closing805* open file descriptors to which access will no longer be granted when the806* attributes are changed. This is called immediately before commit_creds().807*/808void security_bprm_committing_creds(const struct linux_binprm *bprm)809{810call_void_hook(bprm_committing_creds, bprm);811}812813/**814* security_bprm_committed_creds() - Tidy up after cred install during exec()815* @bprm: binary program information816*817* Tidy up after the installation of the new security attributes of a process818* being transformed by an execve operation. The new credentials have, by this819* point, been set to @current->cred. @bprm points to the linux_binprm820* structure. This hook is a good place to perform state changes on the821* process such as clearing out non-inheritable signal state. This is called822* immediately after commit_creds().823*/824void security_bprm_committed_creds(const struct linux_binprm *bprm)825{826call_void_hook(bprm_committed_creds, bprm);827}828829/**830* security_fs_context_submount() - Initialise fc->security831* @fc: new filesystem context832* @reference: dentry reference for submount/remount833*834* Fill out the ->security field for a new fs_context.835*836* Return: Returns 0 on success or negative error code on failure.837*/838int security_fs_context_submount(struct fs_context *fc, struct super_block *reference)839{840return call_int_hook(fs_context_submount, fc, reference);841}842843/**844* security_fs_context_dup() - Duplicate a fs_context LSM blob845* @fc: destination filesystem context846* @src_fc: source filesystem context847*848* Allocate and attach a security structure to sc->security. This pointer is849* initialised to NULL by the caller. @fc indicates the new filesystem context.850* @src_fc indicates the original filesystem context.851*852* Return: Returns 0 on success or a negative error code on failure.853*/854int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc)855{856return call_int_hook(fs_context_dup, fc, src_fc);857}858859/**860* security_fs_context_parse_param() - Configure a filesystem context861* @fc: filesystem context862* @param: filesystem parameter863*864* Userspace provided a parameter to configure a superblock. The LSM can865* consume the parameter or return it to the caller for use elsewhere.866*867* Return: If the parameter is used by the LSM it should return 0, if it is868* returned to the caller -ENOPARAM is returned, otherwise a negative869* error code is returned.870*/871int security_fs_context_parse_param(struct fs_context *fc,872struct fs_parameter *param)873{874struct lsm_static_call *scall;875int trc;876int rc = -ENOPARAM;877878lsm_for_each_hook(scall, fs_context_parse_param) {879trc = scall->hl->hook.fs_context_parse_param(fc, param);880if (trc == 0)881rc = 0;882else if (trc != -ENOPARAM)883return trc;884}885return rc;886}887888/**889* security_sb_alloc() - Allocate a super_block LSM blob890* @sb: filesystem superblock891*892* Allocate and attach a security structure to the sb->s_security field. The893* s_security field is initialized to NULL when the structure is allocated.894* @sb contains the super_block structure to be modified.895*896* Return: Returns 0 if operation was successful.897*/898int security_sb_alloc(struct super_block *sb)899{900int rc = lsm_superblock_alloc(sb);901902if (unlikely(rc))903return rc;904rc = call_int_hook(sb_alloc_security, sb);905if (unlikely(rc))906security_sb_free(sb);907return rc;908}909910/**911* security_sb_delete() - Release super_block LSM associated objects912* @sb: filesystem superblock913*914* Release objects tied to a superblock (e.g. inodes). @sb contains the915* super_block structure being released.916*/917void security_sb_delete(struct super_block *sb)918{919call_void_hook(sb_delete, sb);920}921922/**923* security_sb_free() - Free a super_block LSM blob924* @sb: filesystem superblock925*926* Deallocate and clear the sb->s_security field. @sb contains the super_block927* structure to be modified.928*/929void security_sb_free(struct super_block *sb)930{931call_void_hook(sb_free_security, sb);932kfree(sb->s_security);933sb->s_security = NULL;934}935936/**937* security_free_mnt_opts() - Free memory associated with mount options938* @mnt_opts: LSM processed mount options939*940* Free memory associated with @mnt_ops.941*/942void security_free_mnt_opts(void **mnt_opts)943{944if (!*mnt_opts)945return;946call_void_hook(sb_free_mnt_opts, *mnt_opts);947*mnt_opts = NULL;948}949EXPORT_SYMBOL(security_free_mnt_opts);950951/**952* security_sb_eat_lsm_opts() - Consume LSM mount options953* @options: mount options954* @mnt_opts: LSM processed mount options955*956* Eat (scan @options) and save them in @mnt_opts.957*958* Return: Returns 0 on success, negative values on failure.959*/960int security_sb_eat_lsm_opts(char *options, void **mnt_opts)961{962return call_int_hook(sb_eat_lsm_opts, options, mnt_opts);963}964EXPORT_SYMBOL(security_sb_eat_lsm_opts);965966/**967* security_sb_mnt_opts_compat() - Check if new mount options are allowed968* @sb: filesystem superblock969* @mnt_opts: new mount options970*971* Determine if the new mount options in @mnt_opts are allowed given the972* existing mounted filesystem at @sb. @sb superblock being compared.973*974* Return: Returns 0 if options are compatible.975*/976int security_sb_mnt_opts_compat(struct super_block *sb,977void *mnt_opts)978{979return call_int_hook(sb_mnt_opts_compat, sb, mnt_opts);980}981EXPORT_SYMBOL(security_sb_mnt_opts_compat);982983/**984* security_sb_remount() - Verify no incompatible mount changes during remount985* @sb: filesystem superblock986* @mnt_opts: (re)mount options987*988* Extracts security system specific mount options and verifies no changes are989* being made to those options.990*991* Return: Returns 0 if permission is granted.992*/993int security_sb_remount(struct super_block *sb,994void *mnt_opts)995{996return call_int_hook(sb_remount, sb, mnt_opts);997}998EXPORT_SYMBOL(security_sb_remount);9991000/**1001* security_sb_kern_mount() - Check if a kernel mount is allowed1002* @sb: filesystem superblock1003*1004* Mount this @sb if allowed by permissions.1005*1006* Return: Returns 0 if permission is granted.1007*/1008int security_sb_kern_mount(const struct super_block *sb)1009{1010return call_int_hook(sb_kern_mount, sb);1011}10121013/**1014* security_sb_show_options() - Output the mount options for a superblock1015* @m: output file1016* @sb: filesystem superblock1017*1018* Show (print on @m) mount options for this @sb.1019*1020* Return: Returns 0 on success, negative values on failure.1021*/1022int security_sb_show_options(struct seq_file *m, struct super_block *sb)1023{1024return call_int_hook(sb_show_options, m, sb);1025}10261027/**1028* security_sb_statfs() - Check if accessing fs stats is allowed1029* @dentry: superblock handle1030*1031* Check permission before obtaining filesystem statistics for the @mnt1032* mountpoint. @dentry is a handle on the superblock for the filesystem.1033*1034* Return: Returns 0 if permission is granted.1035*/1036int security_sb_statfs(struct dentry *dentry)1037{1038return call_int_hook(sb_statfs, dentry);1039}10401041/**1042* security_sb_mount() - Check permission for mounting a filesystem1043* @dev_name: filesystem backing device1044* @path: mount point1045* @type: filesystem type1046* @flags: mount flags1047* @data: filesystem specific data1048*1049* Check permission before an object specified by @dev_name is mounted on the1050* mount point named by @nd. For an ordinary mount, @dev_name identifies a1051* device if the file system type requires a device. For a remount1052* (@flags & MS_REMOUNT), @dev_name is irrelevant. For a loopback/bind mount1053* (@flags & MS_BIND), @dev_name identifies the pathname of the object being1054* mounted.1055*1056* Return: Returns 0 if permission is granted.1057*/1058int security_sb_mount(const char *dev_name, const struct path *path,1059const char *type, unsigned long flags, void *data)1060{1061return call_int_hook(sb_mount, dev_name, path, type, flags, data);1062}10631064/**1065* security_sb_umount() - Check permission for unmounting a filesystem1066* @mnt: mounted filesystem1067* @flags: unmount flags1068*1069* Check permission before the @mnt file system is unmounted.1070*1071* Return: Returns 0 if permission is granted.1072*/1073int security_sb_umount(struct vfsmount *mnt, int flags)1074{1075return call_int_hook(sb_umount, mnt, flags);1076}10771078/**1079* security_sb_pivotroot() - Check permissions for pivoting the rootfs1080* @old_path: new location for current rootfs1081* @new_path: location of the new rootfs1082*1083* Check permission before pivoting the root filesystem.1084*1085* Return: Returns 0 if permission is granted.1086*/1087int security_sb_pivotroot(const struct path *old_path,1088const struct path *new_path)1089{1090return call_int_hook(sb_pivotroot, old_path, new_path);1091}10921093/**1094* security_sb_set_mnt_opts() - Set the mount options for a filesystem1095* @sb: filesystem superblock1096* @mnt_opts: binary mount options1097* @kern_flags: kernel flags (in)1098* @set_kern_flags: kernel flags (out)1099*1100* Set the security relevant mount options used for a superblock.1101*1102* Return: Returns 0 on success, error on failure.1103*/1104int security_sb_set_mnt_opts(struct super_block *sb,1105void *mnt_opts,1106unsigned long kern_flags,1107unsigned long *set_kern_flags)1108{1109struct lsm_static_call *scall;1110int rc = mnt_opts ? -EOPNOTSUPP : LSM_RET_DEFAULT(sb_set_mnt_opts);11111112lsm_for_each_hook(scall, sb_set_mnt_opts) {1113rc = scall->hl->hook.sb_set_mnt_opts(sb, mnt_opts, kern_flags,1114set_kern_flags);1115if (rc != LSM_RET_DEFAULT(sb_set_mnt_opts))1116break;1117}1118return rc;1119}1120EXPORT_SYMBOL(security_sb_set_mnt_opts);11211122/**1123* security_sb_clone_mnt_opts() - Duplicate superblock mount options1124* @oldsb: source superblock1125* @newsb: destination superblock1126* @kern_flags: kernel flags (in)1127* @set_kern_flags: kernel flags (out)1128*1129* Copy all security options from a given superblock to another.1130*1131* Return: Returns 0 on success, error on failure.1132*/1133int security_sb_clone_mnt_opts(const struct super_block *oldsb,1134struct super_block *newsb,1135unsigned long kern_flags,1136unsigned long *set_kern_flags)1137{1138return call_int_hook(sb_clone_mnt_opts, oldsb, newsb,1139kern_flags, set_kern_flags);1140}1141EXPORT_SYMBOL(security_sb_clone_mnt_opts);11421143/**1144* security_move_mount() - Check permissions for moving a mount1145* @from_path: source mount point1146* @to_path: destination mount point1147*1148* Check permission before a mount is moved.1149*1150* Return: Returns 0 if permission is granted.1151*/1152int security_move_mount(const struct path *from_path,1153const struct path *to_path)1154{1155return call_int_hook(move_mount, from_path, to_path);1156}11571158/**1159* security_path_notify() - Check if setting a watch is allowed1160* @path: file path1161* @mask: event mask1162* @obj_type: file path type1163*1164* Check permissions before setting a watch on events as defined by @mask, on1165* an object at @path, whose type is defined by @obj_type.1166*1167* Return: Returns 0 if permission is granted.1168*/1169int security_path_notify(const struct path *path, u64 mask,1170unsigned int obj_type)1171{1172return call_int_hook(path_notify, path, mask, obj_type);1173}11741175/**1176* security_inode_alloc() - Allocate an inode LSM blob1177* @inode: the inode1178* @gfp: allocation flags1179*1180* Allocate and attach a security structure to @inode->i_security. The1181* i_security field is initialized to NULL when the inode structure is1182* allocated.1183*1184* Return: Return 0 if operation was successful.1185*/1186int security_inode_alloc(struct inode *inode, gfp_t gfp)1187{1188int rc = lsm_inode_alloc(inode, gfp);11891190if (unlikely(rc))1191return rc;1192rc = call_int_hook(inode_alloc_security, inode);1193if (unlikely(rc))1194security_inode_free(inode);1195return rc;1196}11971198static void inode_free_by_rcu(struct rcu_head *head)1199{1200/* The rcu head is at the start of the inode blob */1201call_void_hook(inode_free_security_rcu, head);1202kmem_cache_free(lsm_inode_cache, head);1203}12041205/**1206* security_inode_free() - Free an inode's LSM blob1207* @inode: the inode1208*1209* Release any LSM resources associated with @inode, although due to the1210* inode's RCU protections it is possible that the resources will not be1211* fully released until after the current RCU grace period has elapsed.1212*1213* It is important for LSMs to note that despite being present in a call to1214* security_inode_free(), @inode may still be referenced in a VFS path walk1215* and calls to security_inode_permission() may be made during, or after,1216* a call to security_inode_free(). For this reason the inode->i_security1217* field is released via a call_rcu() callback and any LSMs which need to1218* retain inode state for use in security_inode_permission() should only1219* release that state in the inode_free_security_rcu() LSM hook callback.1220*/1221void security_inode_free(struct inode *inode)1222{1223call_void_hook(inode_free_security, inode);1224if (!inode->i_security)1225return;1226call_rcu((struct rcu_head *)inode->i_security, inode_free_by_rcu);1227}12281229/**1230* security_dentry_init_security() - Perform dentry initialization1231* @dentry: the dentry to initialize1232* @mode: mode used to determine resource type1233* @name: name of the last path component1234* @xattr_name: name of the security/LSM xattr1235* @lsmctx: pointer to the resulting LSM context1236*1237* Compute a context for a dentry as the inode is not yet available since NFSv41238* has no label backed by an EA anyway. It is important to note that1239* @xattr_name does not need to be free'd by the caller, it is a static string.1240*1241* Return: Returns 0 on success, negative values on failure.1242*/1243int security_dentry_init_security(struct dentry *dentry, int mode,1244const struct qstr *name,1245const char **xattr_name,1246struct lsm_context *lsmctx)1247{1248return call_int_hook(dentry_init_security, dentry, mode, name,1249xattr_name, lsmctx);1250}1251EXPORT_SYMBOL(security_dentry_init_security);12521253/**1254* security_dentry_create_files_as() - Perform dentry initialization1255* @dentry: the dentry to initialize1256* @mode: mode used to determine resource type1257* @name: name of the last path component1258* @old: creds to use for LSM context calculations1259* @new: creds to modify1260*1261* Compute a context for a dentry as the inode is not yet available and set1262* that context in passed in creds so that new files are created using that1263* context. Context is calculated using the passed in creds and not the creds1264* of the caller.1265*1266* Return: Returns 0 on success, error on failure.1267*/1268int security_dentry_create_files_as(struct dentry *dentry, int mode,1269const struct qstr *name,1270const struct cred *old, struct cred *new)1271{1272return call_int_hook(dentry_create_files_as, dentry, mode,1273name, old, new);1274}1275EXPORT_SYMBOL(security_dentry_create_files_as);12761277/**1278* security_inode_init_security() - Initialize an inode's LSM context1279* @inode: the inode1280* @dir: parent directory1281* @qstr: last component of the pathname1282* @initxattrs: callback function to write xattrs1283* @fs_data: filesystem specific data1284*1285* Obtain the security attribute name suffix and value to set on a newly1286* created inode and set up the incore security field for the new inode. This1287* hook is called by the fs code as part of the inode creation transaction and1288* provides for atomic labeling of the inode, unlike the post_create/mkdir/...1289* hooks called by the VFS.1290*1291* The hook function is expected to populate the xattrs array, by calling1292* lsm_get_xattr_slot() to retrieve the slots reserved by the security module1293* with the lbs_xattr_count field of the lsm_blob_sizes structure. For each1294* slot, the hook function should set ->name to the attribute name suffix1295* (e.g. selinux), to allocate ->value (will be freed by the caller) and set it1296* to the attribute value, to set ->value_len to the length of the value. If1297* the security module does not use security attributes or does not wish to put1298* a security attribute on this particular inode, then it should return1299* -EOPNOTSUPP to skip this processing.1300*1301* Return: Returns 0 if the LSM successfully initialized all of the inode1302* security attributes that are required, negative values otherwise.1303*/1304int security_inode_init_security(struct inode *inode, struct inode *dir,1305const struct qstr *qstr,1306const initxattrs initxattrs, void *fs_data)1307{1308struct lsm_static_call *scall;1309struct xattr *new_xattrs = NULL;1310int ret = -EOPNOTSUPP, xattr_count = 0;13111312if (unlikely(IS_PRIVATE(inode)))1313return 0;13141315if (!blob_sizes.lbs_xattr_count)1316return 0;13171318if (initxattrs) {1319/* Allocate +1 as terminator. */1320new_xattrs = kcalloc(blob_sizes.lbs_xattr_count + 1,1321sizeof(*new_xattrs), GFP_NOFS);1322if (!new_xattrs)1323return -ENOMEM;1324}13251326lsm_for_each_hook(scall, inode_init_security) {1327ret = scall->hl->hook.inode_init_security(inode, dir, qstr, new_xattrs,1328&xattr_count);1329if (ret && ret != -EOPNOTSUPP)1330goto out;1331/*1332* As documented in lsm_hooks.h, -EOPNOTSUPP in this context1333* means that the LSM is not willing to provide an xattr, not1334* that it wants to signal an error. Thus, continue to invoke1335* the remaining LSMs.1336*/1337}13381339/* If initxattrs() is NULL, xattr_count is zero, skip the call. */1340if (!xattr_count)1341goto out;13421343ret = initxattrs(inode, new_xattrs, fs_data);1344out:1345for (; xattr_count > 0; xattr_count--)1346kfree(new_xattrs[xattr_count - 1].value);1347kfree(new_xattrs);1348return (ret == -EOPNOTSUPP) ? 0 : ret;1349}1350EXPORT_SYMBOL(security_inode_init_security);13511352/**1353* security_inode_init_security_anon() - Initialize an anonymous inode1354* @inode: the inode1355* @name: the anonymous inode class1356* @context_inode: an optional related inode1357*1358* Set up the incore security field for the new anonymous inode and return1359* whether the inode creation is permitted by the security module or not.1360*1361* Return: Returns 0 on success, -EACCES if the security module denies the1362* creation of this inode, or another -errno upon other errors.1363*/1364int security_inode_init_security_anon(struct inode *inode,1365const struct qstr *name,1366const struct inode *context_inode)1367{1368return call_int_hook(inode_init_security_anon, inode, name,1369context_inode);1370}13711372#ifdef CONFIG_SECURITY_PATH1373/**1374* security_path_mknod() - Check if creating a special file is allowed1375* @dir: parent directory1376* @dentry: new file1377* @mode: new file mode1378* @dev: device number1379*1380* Check permissions when creating a file. Note that this hook is called even1381* if mknod operation is being done for a regular file.1382*1383* Return: Returns 0 if permission is granted.1384*/1385int security_path_mknod(const struct path *dir, struct dentry *dentry,1386umode_t mode, unsigned int dev)1387{1388if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1389return 0;1390return call_int_hook(path_mknod, dir, dentry, mode, dev);1391}1392EXPORT_SYMBOL(security_path_mknod);13931394/**1395* security_path_post_mknod() - Update inode security after reg file creation1396* @idmap: idmap of the mount1397* @dentry: new file1398*1399* Update inode security field after a regular file has been created.1400*/1401void security_path_post_mknod(struct mnt_idmap *idmap, struct dentry *dentry)1402{1403if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1404return;1405call_void_hook(path_post_mknod, idmap, dentry);1406}14071408/**1409* security_path_mkdir() - Check if creating a new directory is allowed1410* @dir: parent directory1411* @dentry: new directory1412* @mode: new directory mode1413*1414* Check permissions to create a new directory in the existing directory.1415*1416* Return: Returns 0 if permission is granted.1417*/1418int security_path_mkdir(const struct path *dir, struct dentry *dentry,1419umode_t mode)1420{1421if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1422return 0;1423return call_int_hook(path_mkdir, dir, dentry, mode);1424}1425EXPORT_SYMBOL(security_path_mkdir);14261427/**1428* security_path_rmdir() - Check if removing a directory is allowed1429* @dir: parent directory1430* @dentry: directory to remove1431*1432* Check the permission to remove a directory.1433*1434* Return: Returns 0 if permission is granted.1435*/1436int security_path_rmdir(const struct path *dir, struct dentry *dentry)1437{1438if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1439return 0;1440return call_int_hook(path_rmdir, dir, dentry);1441}14421443/**1444* security_path_unlink() - Check if removing a hard link is allowed1445* @dir: parent directory1446* @dentry: file1447*1448* Check the permission to remove a hard link to a file.1449*1450* Return: Returns 0 if permission is granted.1451*/1452int security_path_unlink(const struct path *dir, struct dentry *dentry)1453{1454if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1455return 0;1456return call_int_hook(path_unlink, dir, dentry);1457}1458EXPORT_SYMBOL(security_path_unlink);14591460/**1461* security_path_symlink() - Check if creating a symbolic link is allowed1462* @dir: parent directory1463* @dentry: symbolic link1464* @old_name: file pathname1465*1466* Check the permission to create a symbolic link to a file.1467*1468* Return: Returns 0 if permission is granted.1469*/1470int security_path_symlink(const struct path *dir, struct dentry *dentry,1471const char *old_name)1472{1473if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))1474return 0;1475return call_int_hook(path_symlink, dir, dentry, old_name);1476}14771478/**1479* security_path_link - Check if creating a hard link is allowed1480* @old_dentry: existing file1481* @new_dir: new parent directory1482* @new_dentry: new link1483*1484* Check permission before creating a new hard link to a file.1485*1486* Return: Returns 0 if permission is granted.1487*/1488int security_path_link(struct dentry *old_dentry, const struct path *new_dir,1489struct dentry *new_dentry)1490{1491if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))1492return 0;1493return call_int_hook(path_link, old_dentry, new_dir, new_dentry);1494}14951496/**1497* security_path_rename() - Check if renaming a file is allowed1498* @old_dir: parent directory of the old file1499* @old_dentry: the old file1500* @new_dir: parent directory of the new file1501* @new_dentry: the new file1502* @flags: flags1503*1504* Check for permission to rename a file or directory.1505*1506* Return: Returns 0 if permission is granted.1507*/1508int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,1509const struct path *new_dir, struct dentry *new_dentry,1510unsigned int flags)1511{1512if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||1513(d_is_positive(new_dentry) &&1514IS_PRIVATE(d_backing_inode(new_dentry)))))1515return 0;15161517return call_int_hook(path_rename, old_dir, old_dentry, new_dir,1518new_dentry, flags);1519}1520EXPORT_SYMBOL(security_path_rename);15211522/**1523* security_path_truncate() - Check if truncating a file is allowed1524* @path: file1525*1526* Check permission before truncating the file indicated by path. Note that1527* truncation permissions may also be checked based on already opened files,1528* using the security_file_truncate() hook.1529*1530* Return: Returns 0 if permission is granted.1531*/1532int security_path_truncate(const struct path *path)1533{1534if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))1535return 0;1536return call_int_hook(path_truncate, path);1537}15381539/**1540* security_path_chmod() - Check if changing the file's mode is allowed1541* @path: file1542* @mode: new mode1543*1544* Check for permission to change a mode of the file @path. The new mode is1545* specified in @mode which is a bitmask of constants from1546* <include/uapi/linux/stat.h>.1547*1548* Return: Returns 0 if permission is granted.1549*/1550int security_path_chmod(const struct path *path, umode_t mode)1551{1552if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))1553return 0;1554return call_int_hook(path_chmod, path, mode);1555}15561557/**1558* security_path_chown() - Check if changing the file's owner/group is allowed1559* @path: file1560* @uid: file owner1561* @gid: file group1562*1563* Check for permission to change owner/group of a file or directory.1564*1565* Return: Returns 0 if permission is granted.1566*/1567int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)1568{1569if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))1570return 0;1571return call_int_hook(path_chown, path, uid, gid);1572}15731574/**1575* security_path_chroot() - Check if changing the root directory is allowed1576* @path: directory1577*1578* Check for permission to change root directory.1579*1580* Return: Returns 0 if permission is granted.1581*/1582int security_path_chroot(const struct path *path)1583{1584return call_int_hook(path_chroot, path);1585}1586#endif /* CONFIG_SECURITY_PATH */15871588/**1589* security_inode_create() - Check if creating a file is allowed1590* @dir: the parent directory1591* @dentry: the file being created1592* @mode: requested file mode1593*1594* Check permission to create a regular file.1595*1596* Return: Returns 0 if permission is granted.1597*/1598int security_inode_create(struct inode *dir, struct dentry *dentry,1599umode_t mode)1600{1601if (unlikely(IS_PRIVATE(dir)))1602return 0;1603return call_int_hook(inode_create, dir, dentry, mode);1604}1605EXPORT_SYMBOL_GPL(security_inode_create);16061607/**1608* security_inode_post_create_tmpfile() - Update inode security of new tmpfile1609* @idmap: idmap of the mount1610* @inode: inode of the new tmpfile1611*1612* Update inode security data after a tmpfile has been created.1613*/1614void security_inode_post_create_tmpfile(struct mnt_idmap *idmap,1615struct inode *inode)1616{1617if (unlikely(IS_PRIVATE(inode)))1618return;1619call_void_hook(inode_post_create_tmpfile, idmap, inode);1620}16211622/**1623* security_inode_link() - Check if creating a hard link is allowed1624* @old_dentry: existing file1625* @dir: new parent directory1626* @new_dentry: new link1627*1628* Check permission before creating a new hard link to a file.1629*1630* Return: Returns 0 if permission is granted.1631*/1632int security_inode_link(struct dentry *old_dentry, struct inode *dir,1633struct dentry *new_dentry)1634{1635if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))1636return 0;1637return call_int_hook(inode_link, old_dentry, dir, new_dentry);1638}16391640/**1641* security_inode_unlink() - Check if removing a hard link is allowed1642* @dir: parent directory1643* @dentry: file1644*1645* Check the permission to remove a hard link to a file.1646*1647* Return: Returns 0 if permission is granted.1648*/1649int security_inode_unlink(struct inode *dir, struct dentry *dentry)1650{1651if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1652return 0;1653return call_int_hook(inode_unlink, dir, dentry);1654}16551656/**1657* security_inode_symlink() - Check if creating a symbolic link is allowed1658* @dir: parent directory1659* @dentry: symbolic link1660* @old_name: existing filename1661*1662* Check the permission to create a symbolic link to a file.1663*1664* Return: Returns 0 if permission is granted.1665*/1666int security_inode_symlink(struct inode *dir, struct dentry *dentry,1667const char *old_name)1668{1669if (unlikely(IS_PRIVATE(dir)))1670return 0;1671return call_int_hook(inode_symlink, dir, dentry, old_name);1672}16731674/**1675* security_inode_mkdir() - Check if creating a new directory is allowed1676* @dir: parent directory1677* @dentry: new directory1678* @mode: new directory mode1679*1680* Check permissions to create a new directory in the existing directory1681* associated with inode structure @dir.1682*1683* Return: Returns 0 if permission is granted.1684*/1685int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)1686{1687if (unlikely(IS_PRIVATE(dir)))1688return 0;1689return call_int_hook(inode_mkdir, dir, dentry, mode);1690}1691EXPORT_SYMBOL_GPL(security_inode_mkdir);16921693/**1694* security_inode_rmdir() - Check if removing a directory is allowed1695* @dir: parent directory1696* @dentry: directory to be removed1697*1698* Check the permission to remove a directory.1699*1700* Return: Returns 0 if permission is granted.1701*/1702int security_inode_rmdir(struct inode *dir, struct dentry *dentry)1703{1704if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1705return 0;1706return call_int_hook(inode_rmdir, dir, dentry);1707}17081709/**1710* security_inode_mknod() - Check if creating a special file is allowed1711* @dir: parent directory1712* @dentry: new file1713* @mode: new file mode1714* @dev: device number1715*1716* Check permissions when creating a special file (or a socket or a fifo file1717* created via the mknod system call). Note that if mknod operation is being1718* done for a regular file, then the create hook will be called and not this1719* hook.1720*1721* Return: Returns 0 if permission is granted.1722*/1723int security_inode_mknod(struct inode *dir, struct dentry *dentry,1724umode_t mode, dev_t dev)1725{1726if (unlikely(IS_PRIVATE(dir)))1727return 0;1728return call_int_hook(inode_mknod, dir, dentry, mode, dev);1729}17301731/**1732* security_inode_rename() - Check if renaming a file is allowed1733* @old_dir: parent directory of the old file1734* @old_dentry: the old file1735* @new_dir: parent directory of the new file1736* @new_dentry: the new file1737* @flags: flags1738*1739* Check for permission to rename a file or directory.1740*1741* Return: Returns 0 if permission is granted.1742*/1743int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,1744struct inode *new_dir, struct dentry *new_dentry,1745unsigned int flags)1746{1747if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||1748(d_is_positive(new_dentry) &&1749IS_PRIVATE(d_backing_inode(new_dentry)))))1750return 0;17511752if (flags & RENAME_EXCHANGE) {1753int err = call_int_hook(inode_rename, new_dir, new_dentry,1754old_dir, old_dentry);1755if (err)1756return err;1757}17581759return call_int_hook(inode_rename, old_dir, old_dentry,1760new_dir, new_dentry);1761}17621763/**1764* security_inode_readlink() - Check if reading a symbolic link is allowed1765* @dentry: link1766*1767* Check the permission to read the symbolic link.1768*1769* Return: Returns 0 if permission is granted.1770*/1771int security_inode_readlink(struct dentry *dentry)1772{1773if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1774return 0;1775return call_int_hook(inode_readlink, dentry);1776}17771778/**1779* security_inode_follow_link() - Check if following a symbolic link is allowed1780* @dentry: link dentry1781* @inode: link inode1782* @rcu: true if in RCU-walk mode1783*1784* Check permission to follow a symbolic link when looking up a pathname. If1785* @rcu is true, @inode is not stable.1786*1787* Return: Returns 0 if permission is granted.1788*/1789int security_inode_follow_link(struct dentry *dentry, struct inode *inode,1790bool rcu)1791{1792if (unlikely(IS_PRIVATE(inode)))1793return 0;1794return call_int_hook(inode_follow_link, dentry, inode, rcu);1795}17961797/**1798* security_inode_permission() - Check if accessing an inode is allowed1799* @inode: inode1800* @mask: access mask1801*1802* Check permission before accessing an inode. This hook is called by the1803* existing Linux permission function, so a security module can use it to1804* provide additional checking for existing Linux permission checks. Notice1805* that this hook is called when a file is opened (as well as many other1806* operations), whereas the file_security_ops permission hook is called when1807* the actual read/write operations are performed.1808*1809* Return: Returns 0 if permission is granted.1810*/1811int security_inode_permission(struct inode *inode, int mask)1812{1813if (unlikely(IS_PRIVATE(inode)))1814return 0;1815return call_int_hook(inode_permission, inode, mask);1816}18171818/**1819* security_inode_setattr() - Check if setting file attributes is allowed1820* @idmap: idmap of the mount1821* @dentry: file1822* @attr: new attributes1823*1824* Check permission before setting file attributes. Note that the kernel call1825* to notify_change is performed from several locations, whenever file1826* attributes change (such as when a file is truncated, chown/chmod operations,1827* transferring disk quotas, etc).1828*1829* Return: Returns 0 if permission is granted.1830*/1831int security_inode_setattr(struct mnt_idmap *idmap,1832struct dentry *dentry, struct iattr *attr)1833{1834if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1835return 0;1836return call_int_hook(inode_setattr, idmap, dentry, attr);1837}1838EXPORT_SYMBOL_GPL(security_inode_setattr);18391840/**1841* security_inode_post_setattr() - Update the inode after a setattr operation1842* @idmap: idmap of the mount1843* @dentry: file1844* @ia_valid: file attributes set1845*1846* Update inode security field after successful setting file attributes.1847*/1848void security_inode_post_setattr(struct mnt_idmap *idmap, struct dentry *dentry,1849int ia_valid)1850{1851if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1852return;1853call_void_hook(inode_post_setattr, idmap, dentry, ia_valid);1854}18551856/**1857* security_inode_getattr() - Check if getting file attributes is allowed1858* @path: file1859*1860* Check permission before obtaining file attributes.1861*1862* Return: Returns 0 if permission is granted.1863*/1864int security_inode_getattr(const struct path *path)1865{1866if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))1867return 0;1868return call_int_hook(inode_getattr, path);1869}18701871/**1872* security_inode_setxattr() - Check if setting file xattrs is allowed1873* @idmap: idmap of the mount1874* @dentry: file1875* @name: xattr name1876* @value: xattr value1877* @size: size of xattr value1878* @flags: flags1879*1880* This hook performs the desired permission checks before setting the extended1881* attributes (xattrs) on @dentry. It is important to note that we have some1882* additional logic before the main LSM implementation calls to detect if we1883* need to perform an additional capability check at the LSM layer.1884*1885* Normally we enforce a capability check prior to executing the various LSM1886* hook implementations, but if a LSM wants to avoid this capability check,1887* it can register a 'inode_xattr_skipcap' hook and return a value of 1 for1888* xattrs that it wants to avoid the capability check, leaving the LSM fully1889* responsible for enforcing the access control for the specific xattr. If all1890* of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook,1891* or return a 0 (the default return value), the capability check is still1892* performed. If no 'inode_xattr_skipcap' hooks are registered the capability1893* check is performed.1894*1895* Return: Returns 0 if permission is granted.1896*/1897int security_inode_setxattr(struct mnt_idmap *idmap,1898struct dentry *dentry, const char *name,1899const void *value, size_t size, int flags)1900{1901int rc;19021903if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1904return 0;19051906/* enforce the capability checks at the lsm layer, if needed */1907if (!call_int_hook(inode_xattr_skipcap, name)) {1908rc = cap_inode_setxattr(dentry, name, value, size, flags);1909if (rc)1910return rc;1911}19121913return call_int_hook(inode_setxattr, idmap, dentry, name, value, size,1914flags);1915}19161917/**1918* security_inode_set_acl() - Check if setting posix acls is allowed1919* @idmap: idmap of the mount1920* @dentry: file1921* @acl_name: acl name1922* @kacl: acl struct1923*1924* Check permission before setting posix acls, the posix acls in @kacl are1925* identified by @acl_name.1926*1927* Return: Returns 0 if permission is granted.1928*/1929int security_inode_set_acl(struct mnt_idmap *idmap,1930struct dentry *dentry, const char *acl_name,1931struct posix_acl *kacl)1932{1933if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1934return 0;1935return call_int_hook(inode_set_acl, idmap, dentry, acl_name, kacl);1936}19371938/**1939* security_inode_post_set_acl() - Update inode security from posix acls set1940* @dentry: file1941* @acl_name: acl name1942* @kacl: acl struct1943*1944* Update inode security data after successfully setting posix acls on @dentry.1945* The posix acls in @kacl are identified by @acl_name.1946*/1947void security_inode_post_set_acl(struct dentry *dentry, const char *acl_name,1948struct posix_acl *kacl)1949{1950if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1951return;1952call_void_hook(inode_post_set_acl, dentry, acl_name, kacl);1953}19541955/**1956* security_inode_get_acl() - Check if reading posix acls is allowed1957* @idmap: idmap of the mount1958* @dentry: file1959* @acl_name: acl name1960*1961* Check permission before getting osix acls, the posix acls are identified by1962* @acl_name.1963*1964* Return: Returns 0 if permission is granted.1965*/1966int security_inode_get_acl(struct mnt_idmap *idmap,1967struct dentry *dentry, const char *acl_name)1968{1969if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1970return 0;1971return call_int_hook(inode_get_acl, idmap, dentry, acl_name);1972}19731974/**1975* security_inode_remove_acl() - Check if removing a posix acl is allowed1976* @idmap: idmap of the mount1977* @dentry: file1978* @acl_name: acl name1979*1980* Check permission before removing posix acls, the posix acls are identified1981* by @acl_name.1982*1983* Return: Returns 0 if permission is granted.1984*/1985int security_inode_remove_acl(struct mnt_idmap *idmap,1986struct dentry *dentry, const char *acl_name)1987{1988if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))1989return 0;1990return call_int_hook(inode_remove_acl, idmap, dentry, acl_name);1991}19921993/**1994* security_inode_post_remove_acl() - Update inode security after rm posix acls1995* @idmap: idmap of the mount1996* @dentry: file1997* @acl_name: acl name1998*1999* Update inode security data after successfully removing posix acls on2000* @dentry in @idmap. The posix acls are identified by @acl_name.2001*/2002void security_inode_post_remove_acl(struct mnt_idmap *idmap,2003struct dentry *dentry, const char *acl_name)2004{2005if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2006return;2007call_void_hook(inode_post_remove_acl, idmap, dentry, acl_name);2008}20092010/**2011* security_inode_post_setxattr() - Update the inode after a setxattr operation2012* @dentry: file2013* @name: xattr name2014* @value: xattr value2015* @size: xattr value size2016* @flags: flags2017*2018* Update inode security field after successful setxattr operation.2019*/2020void security_inode_post_setxattr(struct dentry *dentry, const char *name,2021const void *value, size_t size, int flags)2022{2023if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2024return;2025call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);2026}20272028/**2029* security_inode_getxattr() - Check if xattr access is allowed2030* @dentry: file2031* @name: xattr name2032*2033* Check permission before obtaining the extended attributes identified by2034* @name for @dentry.2035*2036* Return: Returns 0 if permission is granted.2037*/2038int security_inode_getxattr(struct dentry *dentry, const char *name)2039{2040if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2041return 0;2042return call_int_hook(inode_getxattr, dentry, name);2043}20442045/**2046* security_inode_listxattr() - Check if listing xattrs is allowed2047* @dentry: file2048*2049* Check permission before obtaining the list of extended attribute names for2050* @dentry.2051*2052* Return: Returns 0 if permission is granted.2053*/2054int security_inode_listxattr(struct dentry *dentry)2055{2056if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2057return 0;2058return call_int_hook(inode_listxattr, dentry);2059}20602061/**2062* security_inode_removexattr() - Check if removing an xattr is allowed2063* @idmap: idmap of the mount2064* @dentry: file2065* @name: xattr name2066*2067* This hook performs the desired permission checks before setting the extended2068* attributes (xattrs) on @dentry. It is important to note that we have some2069* additional logic before the main LSM implementation calls to detect if we2070* need to perform an additional capability check at the LSM layer.2071*2072* Normally we enforce a capability check prior to executing the various LSM2073* hook implementations, but if a LSM wants to avoid this capability check,2074* it can register a 'inode_xattr_skipcap' hook and return a value of 1 for2075* xattrs that it wants to avoid the capability check, leaving the LSM fully2076* responsible for enforcing the access control for the specific xattr. If all2077* of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook,2078* or return a 0 (the default return value), the capability check is still2079* performed. If no 'inode_xattr_skipcap' hooks are registered the capability2080* check is performed.2081*2082* Return: Returns 0 if permission is granted.2083*/2084int security_inode_removexattr(struct mnt_idmap *idmap,2085struct dentry *dentry, const char *name)2086{2087int rc;20882089if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2090return 0;20912092/* enforce the capability checks at the lsm layer, if needed */2093if (!call_int_hook(inode_xattr_skipcap, name)) {2094rc = cap_inode_removexattr(idmap, dentry, name);2095if (rc)2096return rc;2097}20982099return call_int_hook(inode_removexattr, idmap, dentry, name);2100}21012102/**2103* security_inode_post_removexattr() - Update the inode after a removexattr op2104* @dentry: file2105* @name: xattr name2106*2107* Update the inode after a successful removexattr operation.2108*/2109void security_inode_post_removexattr(struct dentry *dentry, const char *name)2110{2111if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))2112return;2113call_void_hook(inode_post_removexattr, dentry, name);2114}21152116/**2117* security_inode_file_setattr() - check if setting fsxattr is allowed2118* @dentry: file to set filesystem extended attributes on2119* @fa: extended attributes to set on the inode2120*2121* Called when file_setattr() syscall or FS_IOC_FSSETXATTR ioctl() is called on2122* inode2123*2124* Return: Returns 0 if permission is granted.2125*/2126int security_inode_file_setattr(struct dentry *dentry, struct file_kattr *fa)2127{2128return call_int_hook(inode_file_setattr, dentry, fa);2129}21302131/**2132* security_inode_file_getattr() - check if retrieving fsxattr is allowed2133* @dentry: file to retrieve filesystem extended attributes from2134* @fa: extended attributes to get2135*2136* Called when file_getattr() syscall or FS_IOC_FSGETXATTR ioctl() is called on2137* inode2138*2139* Return: Returns 0 if permission is granted.2140*/2141int security_inode_file_getattr(struct dentry *dentry, struct file_kattr *fa)2142{2143return call_int_hook(inode_file_getattr, dentry, fa);2144}21452146/**2147* security_inode_need_killpriv() - Check if security_inode_killpriv() required2148* @dentry: associated dentry2149*2150* Called when an inode has been changed to determine if2151* security_inode_killpriv() should be called.2152*2153* Return: Return <0 on error to abort the inode change operation, return 0 if2154* security_inode_killpriv() does not need to be called, return >0 if2155* security_inode_killpriv() does need to be called.2156*/2157int security_inode_need_killpriv(struct dentry *dentry)2158{2159return call_int_hook(inode_need_killpriv, dentry);2160}21612162/**2163* security_inode_killpriv() - The setuid bit is removed, update LSM state2164* @idmap: idmap of the mount2165* @dentry: associated dentry2166*2167* The @dentry's setuid bit is being removed. Remove similar security labels.2168* Called with the dentry->d_inode->i_mutex held.2169*2170* Return: Return 0 on success. If error is returned, then the operation2171* causing setuid bit removal is failed.2172*/2173int security_inode_killpriv(struct mnt_idmap *idmap,2174struct dentry *dentry)2175{2176return call_int_hook(inode_killpriv, idmap, dentry);2177}21782179/**2180* security_inode_getsecurity() - Get the xattr security label of an inode2181* @idmap: idmap of the mount2182* @inode: inode2183* @name: xattr name2184* @buffer: security label buffer2185* @alloc: allocation flag2186*2187* Retrieve a copy of the extended attribute representation of the security2188* label associated with @name for @inode via @buffer. Note that @name is the2189* remainder of the attribute name after the security prefix has been removed.2190* @alloc is used to specify if the call should return a value via the buffer2191* or just the value length.2192*2193* Return: Returns size of buffer on success.2194*/2195int security_inode_getsecurity(struct mnt_idmap *idmap,2196struct inode *inode, const char *name,2197void **buffer, bool alloc)2198{2199if (unlikely(IS_PRIVATE(inode)))2200return LSM_RET_DEFAULT(inode_getsecurity);22012202return call_int_hook(inode_getsecurity, idmap, inode, name, buffer,2203alloc);2204}22052206/**2207* security_inode_setsecurity() - Set the xattr security label of an inode2208* @inode: inode2209* @name: xattr name2210* @value: security label2211* @size: length of security label2212* @flags: flags2213*2214* Set the security label associated with @name for @inode from the extended2215* attribute value @value. @size indicates the size of the @value in bytes.2216* @flags may be XATTR_CREATE, XATTR_REPLACE, or 0. Note that @name is the2217* remainder of the attribute name after the security. prefix has been removed.2218*2219* Return: Returns 0 on success.2220*/2221int security_inode_setsecurity(struct inode *inode, const char *name,2222const void *value, size_t size, int flags)2223{2224if (unlikely(IS_PRIVATE(inode)))2225return LSM_RET_DEFAULT(inode_setsecurity);22262227return call_int_hook(inode_setsecurity, inode, name, value, size,2228flags);2229}22302231/**2232* security_inode_listsecurity() - List the xattr security label names2233* @inode: inode2234* @buffer: buffer2235* @buffer_size: size of buffer2236*2237* Copy the extended attribute names for the security labels associated with2238* @inode into @buffer. The maximum size of @buffer is specified by2239* @buffer_size. @buffer may be NULL to request the size of the buffer2240* required.2241*2242* Return: Returns number of bytes used/required on success.2243*/2244int security_inode_listsecurity(struct inode *inode,2245char *buffer, size_t buffer_size)2246{2247if (unlikely(IS_PRIVATE(inode)))2248return 0;2249return call_int_hook(inode_listsecurity, inode, buffer, buffer_size);2250}2251EXPORT_SYMBOL(security_inode_listsecurity);22522253/**2254* security_inode_getlsmprop() - Get an inode's LSM data2255* @inode: inode2256* @prop: lsm specific information to return2257*2258* Get the lsm specific information associated with the node.2259*/2260void security_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop)2261{2262call_void_hook(inode_getlsmprop, inode, prop);2263}22642265/**2266* security_inode_copy_up() - Create new creds for an overlayfs copy-up op2267* @src: union dentry of copy-up file2268* @new: newly created creds2269*2270* A file is about to be copied up from lower layer to upper layer of overlay2271* filesystem. Security module can prepare a set of new creds and modify as2272* need be and return new creds. Caller will switch to new creds temporarily to2273* create new file and release newly allocated creds.2274*2275* Return: Returns 0 on success or a negative error code on error.2276*/2277int security_inode_copy_up(struct dentry *src, struct cred **new)2278{2279return call_int_hook(inode_copy_up, src, new);2280}2281EXPORT_SYMBOL(security_inode_copy_up);22822283/**2284* security_inode_copy_up_xattr() - Filter xattrs in an overlayfs copy-up op2285* @src: union dentry of copy-up file2286* @name: xattr name2287*2288* Filter the xattrs being copied up when a unioned file is copied up from a2289* lower layer to the union/overlay layer. The caller is responsible for2290* reading and writing the xattrs, this hook is merely a filter.2291*2292* Return: Returns 0 to accept the xattr, -ECANCELED to discard the xattr,2293* -EOPNOTSUPP if the security module does not know about attribute,2294* or a negative error code to abort the copy up.2295*/2296int security_inode_copy_up_xattr(struct dentry *src, const char *name)2297{2298int rc;22992300rc = call_int_hook(inode_copy_up_xattr, src, name);2301if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr))2302return rc;23032304return LSM_RET_DEFAULT(inode_copy_up_xattr);2305}2306EXPORT_SYMBOL(security_inode_copy_up_xattr);23072308/**2309* security_inode_setintegrity() - Set the inode's integrity data2310* @inode: inode2311* @type: type of integrity, e.g. hash digest, signature, etc2312* @value: the integrity value2313* @size: size of the integrity value2314*2315* Register a verified integrity measurement of a inode with LSMs.2316* LSMs should free the previously saved data if @value is NULL.2317*2318* Return: Returns 0 on success, negative values on failure.2319*/2320int security_inode_setintegrity(const struct inode *inode,2321enum lsm_integrity_type type, const void *value,2322size_t size)2323{2324return call_int_hook(inode_setintegrity, inode, type, value, size);2325}2326EXPORT_SYMBOL(security_inode_setintegrity);23272328/**2329* security_kernfs_init_security() - Init LSM context for a kernfs node2330* @kn_dir: parent kernfs node2331* @kn: the kernfs node to initialize2332*2333* Initialize the security context of a newly created kernfs node based on its2334* own and its parent's attributes.2335*2336* Return: Returns 0 if permission is granted.2337*/2338int security_kernfs_init_security(struct kernfs_node *kn_dir,2339struct kernfs_node *kn)2340{2341return call_int_hook(kernfs_init_security, kn_dir, kn);2342}23432344/**2345* security_file_permission() - Check file permissions2346* @file: file2347* @mask: requested permissions2348*2349* Check file permissions before accessing an open file. This hook is called2350* by various operations that read or write files. A security module can use2351* this hook to perform additional checking on these operations, e.g. to2352* revalidate permissions on use to support privilege bracketing or policy2353* changes. Notice that this hook is used when the actual read/write2354* operations are performed, whereas the inode_security_ops hook is called when2355* a file is opened (as well as many other operations). Although this hook can2356* be used to revalidate permissions for various system call operations that2357* read or write files, it does not address the revalidation of permissions for2358* memory-mapped files. Security modules must handle this separately if they2359* need such revalidation.2360*2361* Return: Returns 0 if permission is granted.2362*/2363int security_file_permission(struct file *file, int mask)2364{2365return call_int_hook(file_permission, file, mask);2366}23672368/**2369* security_file_alloc() - Allocate and init a file's LSM blob2370* @file: the file2371*2372* Allocate and attach a security structure to the file->f_security field. The2373* security field is initialized to NULL when the structure is first created.2374*2375* Return: Return 0 if the hook is successful and permission is granted.2376*/2377int security_file_alloc(struct file *file)2378{2379int rc = lsm_file_alloc(file);23802381if (rc)2382return rc;2383rc = call_int_hook(file_alloc_security, file);2384if (unlikely(rc))2385security_file_free(file);2386return rc;2387}23882389/**2390* security_file_release() - Perform actions before releasing the file ref2391* @file: the file2392*2393* Perform actions before releasing the last reference to a file.2394*/2395void security_file_release(struct file *file)2396{2397call_void_hook(file_release, file);2398}23992400/**2401* security_file_free() - Free a file's LSM blob2402* @file: the file2403*2404* Deallocate and free any security structures stored in file->f_security.2405*/2406void security_file_free(struct file *file)2407{2408void *blob;24092410call_void_hook(file_free_security, file);24112412blob = file->f_security;2413if (blob) {2414file->f_security = NULL;2415kmem_cache_free(lsm_file_cache, blob);2416}2417}24182419/**2420* security_file_ioctl() - Check if an ioctl is allowed2421* @file: associated file2422* @cmd: ioctl cmd2423* @arg: ioctl arguments2424*2425* Check permission for an ioctl operation on @file. Note that @arg sometimes2426* represents a user space pointer; in other cases, it may be a simple integer2427* value. When @arg represents a user space pointer, it should never be used2428* by the security module.2429*2430* Return: Returns 0 if permission is granted.2431*/2432int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)2433{2434return call_int_hook(file_ioctl, file, cmd, arg);2435}2436EXPORT_SYMBOL_GPL(security_file_ioctl);24372438/**2439* security_file_ioctl_compat() - Check if an ioctl is allowed in compat mode2440* @file: associated file2441* @cmd: ioctl cmd2442* @arg: ioctl arguments2443*2444* Compat version of security_file_ioctl() that correctly handles 32-bit2445* processes running on 64-bit kernels.2446*2447* Return: Returns 0 if permission is granted.2448*/2449int security_file_ioctl_compat(struct file *file, unsigned int cmd,2450unsigned long arg)2451{2452return call_int_hook(file_ioctl_compat, file, cmd, arg);2453}2454EXPORT_SYMBOL_GPL(security_file_ioctl_compat);24552456static inline unsigned long mmap_prot(struct file *file, unsigned long prot)2457{2458/*2459* Does we have PROT_READ and does the application expect2460* it to imply PROT_EXEC? If not, nothing to talk about...2461*/2462if ((prot & (PROT_READ | PROT_EXEC)) != PROT_READ)2463return prot;2464if (!(current->personality & READ_IMPLIES_EXEC))2465return prot;2466/*2467* if that's an anonymous mapping, let it.2468*/2469if (!file)2470return prot | PROT_EXEC;2471/*2472* ditto if it's not on noexec mount, except that on !MMU we need2473* NOMMU_MAP_EXEC (== VM_MAYEXEC) in this case2474*/2475if (!path_noexec(&file->f_path)) {2476#ifndef CONFIG_MMU2477if (file->f_op->mmap_capabilities) {2478unsigned caps = file->f_op->mmap_capabilities(file);2479if (!(caps & NOMMU_MAP_EXEC))2480return prot;2481}2482#endif2483return prot | PROT_EXEC;2484}2485/* anything on noexec mount won't get PROT_EXEC */2486return prot;2487}24882489/**2490* security_mmap_file() - Check if mmap'ing a file is allowed2491* @file: file2492* @prot: protection applied by the kernel2493* @flags: flags2494*2495* Check permissions for a mmap operation. The @file may be NULL, e.g. if2496* mapping anonymous memory.2497*2498* Return: Returns 0 if permission is granted.2499*/2500int security_mmap_file(struct file *file, unsigned long prot,2501unsigned long flags)2502{2503return call_int_hook(mmap_file, file, prot, mmap_prot(file, prot),2504flags);2505}25062507/**2508* security_mmap_addr() - Check if mmap'ing an address is allowed2509* @addr: address2510*2511* Check permissions for a mmap operation at @addr.2512*2513* Return: Returns 0 if permission is granted.2514*/2515int security_mmap_addr(unsigned long addr)2516{2517return call_int_hook(mmap_addr, addr);2518}25192520/**2521* security_file_mprotect() - Check if changing memory protections is allowed2522* @vma: memory region2523* @reqprot: application requested protection2524* @prot: protection applied by the kernel2525*2526* Check permissions before changing memory access permissions.2527*2528* Return: Returns 0 if permission is granted.2529*/2530int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,2531unsigned long prot)2532{2533return call_int_hook(file_mprotect, vma, reqprot, prot);2534}25352536/**2537* security_file_lock() - Check if a file lock is allowed2538* @file: file2539* @cmd: lock operation (e.g. F_RDLCK, F_WRLCK)2540*2541* Check permission before performing file locking operations. Note the hook2542* mediates both flock and fcntl style locks.2543*2544* Return: Returns 0 if permission is granted.2545*/2546int security_file_lock(struct file *file, unsigned int cmd)2547{2548return call_int_hook(file_lock, file, cmd);2549}25502551/**2552* security_file_fcntl() - Check if fcntl() op is allowed2553* @file: file2554* @cmd: fcntl command2555* @arg: command argument2556*2557* Check permission before allowing the file operation specified by @cmd from2558* being performed on the file @file. Note that @arg sometimes represents a2559* user space pointer; in other cases, it may be a simple integer value. When2560* @arg represents a user space pointer, it should never be used by the2561* security module.2562*2563* Return: Returns 0 if permission is granted.2564*/2565int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)2566{2567return call_int_hook(file_fcntl, file, cmd, arg);2568}25692570/**2571* security_file_set_fowner() - Set the file owner info in the LSM blob2572* @file: the file2573*2574* Save owner security information (typically from current->security) in2575* file->f_security for later use by the send_sigiotask hook.2576*2577* This hook is called with file->f_owner.lock held.2578*2579* Return: Returns 0 on success.2580*/2581void security_file_set_fowner(struct file *file)2582{2583call_void_hook(file_set_fowner, file);2584}25852586/**2587* security_file_send_sigiotask() - Check if sending SIGIO/SIGURG is allowed2588* @tsk: target task2589* @fown: signal sender2590* @sig: signal to be sent, SIGIO is sent if 02591*2592* Check permission for the file owner @fown to send SIGIO or SIGURG to the2593* process @tsk. Note that this hook is sometimes called from interrupt. Note2594* that the fown_struct, @fown, is never outside the context of a struct file,2595* so the file structure (and associated security information) can always be2596* obtained: container_of(fown, struct file, f_owner).2597*2598* Return: Returns 0 if permission is granted.2599*/2600int security_file_send_sigiotask(struct task_struct *tsk,2601struct fown_struct *fown, int sig)2602{2603return call_int_hook(file_send_sigiotask, tsk, fown, sig);2604}26052606/**2607* security_file_receive() - Check if receiving a file via IPC is allowed2608* @file: file being received2609*2610* This hook allows security modules to control the ability of a process to2611* receive an open file descriptor via socket IPC.2612*2613* Return: Returns 0 if permission is granted.2614*/2615int security_file_receive(struct file *file)2616{2617return call_int_hook(file_receive, file);2618}26192620/**2621* security_file_open() - Save open() time state for late use by the LSM2622* @file:2623*2624* Save open-time permission checking state for later use upon file_permission,2625* and recheck access if anything has changed since inode_permission.2626*2627* We can check if a file is opened for execution (e.g. execve(2) call), either2628* directly or indirectly (e.g. ELF's ld.so) by checking file->f_flags &2629* __FMODE_EXEC .2630*2631* Return: Returns 0 if permission is granted.2632*/2633int security_file_open(struct file *file)2634{2635return call_int_hook(file_open, file);2636}26372638/**2639* security_file_post_open() - Evaluate a file after it has been opened2640* @file: the file2641* @mask: access mask2642*2643* Evaluate an opened file and the access mask requested with open(). The hook2644* is useful for LSMs that require the file content to be available in order to2645* make decisions.2646*2647* Return: Returns 0 if permission is granted.2648*/2649int security_file_post_open(struct file *file, int mask)2650{2651return call_int_hook(file_post_open, file, mask);2652}2653EXPORT_SYMBOL_GPL(security_file_post_open);26542655/**2656* security_file_truncate() - Check if truncating a file is allowed2657* @file: file2658*2659* Check permission before truncating a file, i.e. using ftruncate. Note that2660* truncation permission may also be checked based on the path, using the2661* @path_truncate hook.2662*2663* Return: Returns 0 if permission is granted.2664*/2665int security_file_truncate(struct file *file)2666{2667return call_int_hook(file_truncate, file);2668}26692670/**2671* security_task_alloc() - Allocate a task's LSM blob2672* @task: the task2673* @clone_flags: flags indicating what is being shared2674*2675* Handle allocation of task-related resources.2676*2677* Return: Returns a zero on success, negative values on failure.2678*/2679int security_task_alloc(struct task_struct *task, u64 clone_flags)2680{2681int rc = lsm_task_alloc(task);26822683if (rc)2684return rc;2685rc = call_int_hook(task_alloc, task, clone_flags);2686if (unlikely(rc))2687security_task_free(task);2688return rc;2689}26902691/**2692* security_task_free() - Free a task's LSM blob and related resources2693* @task: task2694*2695* Handle release of task-related resources. Note that this can be called from2696* interrupt context.2697*/2698void security_task_free(struct task_struct *task)2699{2700call_void_hook(task_free, task);27012702kfree(task->security);2703task->security = NULL;2704}27052706/**2707* security_cred_alloc_blank() - Allocate the min memory to allow cred_transfer2708* @cred: credentials2709* @gfp: gfp flags2710*2711* Only allocate sufficient memory and attach to @cred such that2712* cred_transfer() will not get ENOMEM.2713*2714* Return: Returns 0 on success, negative values on failure.2715*/2716int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)2717{2718int rc = lsm_cred_alloc(cred, gfp);27192720if (rc)2721return rc;27222723rc = call_int_hook(cred_alloc_blank, cred, gfp);2724if (unlikely(rc))2725security_cred_free(cred);2726return rc;2727}27282729/**2730* security_cred_free() - Free the cred's LSM blob and associated resources2731* @cred: credentials2732*2733* Deallocate and clear the cred->security field in a set of credentials.2734*/2735void security_cred_free(struct cred *cred)2736{2737/*2738* There is a failure case in prepare_creds() that2739* may result in a call here with ->security being NULL.2740*/2741if (unlikely(cred->security == NULL))2742return;27432744call_void_hook(cred_free, cred);27452746kfree(cred->security);2747cred->security = NULL;2748}27492750/**2751* security_prepare_creds() - Prepare a new set of credentials2752* @new: new credentials2753* @old: original credentials2754* @gfp: gfp flags2755*2756* Prepare a new set of credentials by copying the data from the old set.2757*2758* Return: Returns 0 on success, negative values on failure.2759*/2760int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)2761{2762int rc = lsm_cred_alloc(new, gfp);27632764if (rc)2765return rc;27662767rc = call_int_hook(cred_prepare, new, old, gfp);2768if (unlikely(rc))2769security_cred_free(new);2770return rc;2771}27722773/**2774* security_transfer_creds() - Transfer creds2775* @new: target credentials2776* @old: original credentials2777*2778* Transfer data from original creds to new creds.2779*/2780void security_transfer_creds(struct cred *new, const struct cred *old)2781{2782call_void_hook(cred_transfer, new, old);2783}27842785/**2786* security_cred_getsecid() - Get the secid from a set of credentials2787* @c: credentials2788* @secid: secid value2789*2790* Retrieve the security identifier of the cred structure @c. In case of2791* failure, @secid will be set to zero.2792*/2793void security_cred_getsecid(const struct cred *c, u32 *secid)2794{2795*secid = 0;2796call_void_hook(cred_getsecid, c, secid);2797}2798EXPORT_SYMBOL(security_cred_getsecid);27992800/**2801* security_cred_getlsmprop() - Get the LSM data from a set of credentials2802* @c: credentials2803* @prop: destination for the LSM data2804*2805* Retrieve the security data of the cred structure @c. In case of2806* failure, @prop will be cleared.2807*/2808void security_cred_getlsmprop(const struct cred *c, struct lsm_prop *prop)2809{2810lsmprop_init(prop);2811call_void_hook(cred_getlsmprop, c, prop);2812}2813EXPORT_SYMBOL(security_cred_getlsmprop);28142815/**2816* security_kernel_act_as() - Set the kernel credentials to act as secid2817* @new: credentials2818* @secid: secid2819*2820* Set the credentials for a kernel service to act as (subjective context).2821* The current task must be the one that nominated @secid.2822*2823* Return: Returns 0 if successful.2824*/2825int security_kernel_act_as(struct cred *new, u32 secid)2826{2827return call_int_hook(kernel_act_as, new, secid);2828}28292830/**2831* security_kernel_create_files_as() - Set file creation context using an inode2832* @new: target credentials2833* @inode: reference inode2834*2835* Set the file creation context in a set of credentials to be the same as the2836* objective context of the specified inode. The current task must be the one2837* that nominated @inode.2838*2839* Return: Returns 0 if successful.2840*/2841int security_kernel_create_files_as(struct cred *new, struct inode *inode)2842{2843return call_int_hook(kernel_create_files_as, new, inode);2844}28452846/**2847* security_kernel_module_request() - Check if loading a module is allowed2848* @kmod_name: module name2849*2850* Ability to trigger the kernel to automatically upcall to userspace for2851* userspace to load a kernel module with the given name.2852*2853* Return: Returns 0 if successful.2854*/2855int security_kernel_module_request(char *kmod_name)2856{2857return call_int_hook(kernel_module_request, kmod_name);2858}28592860/**2861* security_kernel_read_file() - Read a file specified by userspace2862* @file: file2863* @id: file identifier2864* @contents: trust if security_kernel_post_read_file() will be called2865*2866* Read a file specified by userspace.2867*2868* Return: Returns 0 if permission is granted.2869*/2870int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,2871bool contents)2872{2873return call_int_hook(kernel_read_file, file, id, contents);2874}2875EXPORT_SYMBOL_GPL(security_kernel_read_file);28762877/**2878* security_kernel_post_read_file() - Read a file specified by userspace2879* @file: file2880* @buf: file contents2881* @size: size of file contents2882* @id: file identifier2883*2884* Read a file specified by userspace. This must be paired with a prior call2885* to security_kernel_read_file() call that indicated this hook would also be2886* called, see security_kernel_read_file() for more information.2887*2888* Return: Returns 0 if permission is granted.2889*/2890int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,2891enum kernel_read_file_id id)2892{2893return call_int_hook(kernel_post_read_file, file, buf, size, id);2894}2895EXPORT_SYMBOL_GPL(security_kernel_post_read_file);28962897/**2898* security_kernel_load_data() - Load data provided by userspace2899* @id: data identifier2900* @contents: true if security_kernel_post_load_data() will be called2901*2902* Load data provided by userspace.2903*2904* Return: Returns 0 if permission is granted.2905*/2906int security_kernel_load_data(enum kernel_load_data_id id, bool contents)2907{2908return call_int_hook(kernel_load_data, id, contents);2909}2910EXPORT_SYMBOL_GPL(security_kernel_load_data);29112912/**2913* security_kernel_post_load_data() - Load userspace data from a non-file source2914* @buf: data2915* @size: size of data2916* @id: data identifier2917* @description: text description of data, specific to the id value2918*2919* Load data provided by a non-file source (usually userspace buffer). This2920* must be paired with a prior security_kernel_load_data() call that indicated2921* this hook would also be called, see security_kernel_load_data() for more2922* information.2923*2924* Return: Returns 0 if permission is granted.2925*/2926int security_kernel_post_load_data(char *buf, loff_t size,2927enum kernel_load_data_id id,2928char *description)2929{2930return call_int_hook(kernel_post_load_data, buf, size, id, description);2931}2932EXPORT_SYMBOL_GPL(security_kernel_post_load_data);29332934/**2935* security_task_fix_setuid() - Update LSM with new user id attributes2936* @new: updated credentials2937* @old: credentials being replaced2938* @flags: LSM_SETID_* flag values2939*2940* Update the module's state after setting one or more of the user identity2941* attributes of the current process. The @flags parameter indicates which of2942* the set*uid system calls invoked this hook. If @new is the set of2943* credentials that will be installed. Modifications should be made to this2944* rather than to @current->cred.2945*2946* Return: Returns 0 on success.2947*/2948int security_task_fix_setuid(struct cred *new, const struct cred *old,2949int flags)2950{2951return call_int_hook(task_fix_setuid, new, old, flags);2952}29532954/**2955* security_task_fix_setgid() - Update LSM with new group id attributes2956* @new: updated credentials2957* @old: credentials being replaced2958* @flags: LSM_SETID_* flag value2959*2960* Update the module's state after setting one or more of the group identity2961* attributes of the current process. The @flags parameter indicates which of2962* the set*gid system calls invoked this hook. @new is the set of credentials2963* that will be installed. Modifications should be made to this rather than to2964* @current->cred.2965*2966* Return: Returns 0 on success.2967*/2968int security_task_fix_setgid(struct cred *new, const struct cred *old,2969int flags)2970{2971return call_int_hook(task_fix_setgid, new, old, flags);2972}29732974/**2975* security_task_fix_setgroups() - Update LSM with new supplementary groups2976* @new: updated credentials2977* @old: credentials being replaced2978*2979* Update the module's state after setting the supplementary group identity2980* attributes of the current process. @new is the set of credentials that will2981* be installed. Modifications should be made to this rather than to2982* @current->cred.2983*2984* Return: Returns 0 on success.2985*/2986int security_task_fix_setgroups(struct cred *new, const struct cred *old)2987{2988return call_int_hook(task_fix_setgroups, new, old);2989}29902991/**2992* security_task_setpgid() - Check if setting the pgid is allowed2993* @p: task being modified2994* @pgid: new pgid2995*2996* Check permission before setting the process group identifier of the process2997* @p to @pgid.2998*2999* Return: Returns 0 if permission is granted.3000*/3001int security_task_setpgid(struct task_struct *p, pid_t pgid)3002{3003return call_int_hook(task_setpgid, p, pgid);3004}30053006/**3007* security_task_getpgid() - Check if getting the pgid is allowed3008* @p: task3009*3010* Check permission before getting the process group identifier of the process3011* @p.3012*3013* Return: Returns 0 if permission is granted.3014*/3015int security_task_getpgid(struct task_struct *p)3016{3017return call_int_hook(task_getpgid, p);3018}30193020/**3021* security_task_getsid() - Check if getting the session id is allowed3022* @p: task3023*3024* Check permission before getting the session identifier of the process @p.3025*3026* Return: Returns 0 if permission is granted.3027*/3028int security_task_getsid(struct task_struct *p)3029{3030return call_int_hook(task_getsid, p);3031}30323033/**3034* security_current_getlsmprop_subj() - Current task's subjective LSM data3035* @prop: lsm specific information3036*3037* Retrieve the subjective security identifier of the current task and return3038* it in @prop.3039*/3040void security_current_getlsmprop_subj(struct lsm_prop *prop)3041{3042lsmprop_init(prop);3043call_void_hook(current_getlsmprop_subj, prop);3044}3045EXPORT_SYMBOL(security_current_getlsmprop_subj);30463047/**3048* security_task_getlsmprop_obj() - Get a task's objective LSM data3049* @p: target task3050* @prop: lsm specific information3051*3052* Retrieve the objective security identifier of the task_struct in @p and3053* return it in @prop.3054*/3055void security_task_getlsmprop_obj(struct task_struct *p, struct lsm_prop *prop)3056{3057lsmprop_init(prop);3058call_void_hook(task_getlsmprop_obj, p, prop);3059}3060EXPORT_SYMBOL(security_task_getlsmprop_obj);30613062/**3063* security_task_setnice() - Check if setting a task's nice value is allowed3064* @p: target task3065* @nice: nice value3066*3067* Check permission before setting the nice value of @p to @nice.3068*3069* Return: Returns 0 if permission is granted.3070*/3071int security_task_setnice(struct task_struct *p, int nice)3072{3073return call_int_hook(task_setnice, p, nice);3074}30753076/**3077* security_task_setioprio() - Check if setting a task's ioprio is allowed3078* @p: target task3079* @ioprio: ioprio value3080*3081* Check permission before setting the ioprio value of @p to @ioprio.3082*3083* Return: Returns 0 if permission is granted.3084*/3085int security_task_setioprio(struct task_struct *p, int ioprio)3086{3087return call_int_hook(task_setioprio, p, ioprio);3088}30893090/**3091* security_task_getioprio() - Check if getting a task's ioprio is allowed3092* @p: task3093*3094* Check permission before getting the ioprio value of @p.3095*3096* Return: Returns 0 if permission is granted.3097*/3098int security_task_getioprio(struct task_struct *p)3099{3100return call_int_hook(task_getioprio, p);3101}31023103/**3104* security_task_prlimit() - Check if get/setting resources limits is allowed3105* @cred: current task credentials3106* @tcred: target task credentials3107* @flags: LSM_PRLIMIT_* flag bits indicating a get/set/both3108*3109* Check permission before getting and/or setting the resource limits of3110* another task.3111*3112* Return: Returns 0 if permission is granted.3113*/3114int security_task_prlimit(const struct cred *cred, const struct cred *tcred,3115unsigned int flags)3116{3117return call_int_hook(task_prlimit, cred, tcred, flags);3118}31193120/**3121* security_task_setrlimit() - Check if setting a new rlimit value is allowed3122* @p: target task's group leader3123* @resource: resource whose limit is being set3124* @new_rlim: new resource limit3125*3126* Check permission before setting the resource limits of process @p for3127* @resource to @new_rlim. The old resource limit values can be examined by3128* dereferencing (p->signal->rlim + resource).3129*3130* Return: Returns 0 if permission is granted.3131*/3132int security_task_setrlimit(struct task_struct *p, unsigned int resource,3133struct rlimit *new_rlim)3134{3135return call_int_hook(task_setrlimit, p, resource, new_rlim);3136}31373138/**3139* security_task_setscheduler() - Check if setting sched policy/param is allowed3140* @p: target task3141*3142* Check permission before setting scheduling policy and/or parameters of3143* process @p.3144*3145* Return: Returns 0 if permission is granted.3146*/3147int security_task_setscheduler(struct task_struct *p)3148{3149return call_int_hook(task_setscheduler, p);3150}31513152/**3153* security_task_getscheduler() - Check if getting scheduling info is allowed3154* @p: target task3155*3156* Check permission before obtaining scheduling information for process @p.3157*3158* Return: Returns 0 if permission is granted.3159*/3160int security_task_getscheduler(struct task_struct *p)3161{3162return call_int_hook(task_getscheduler, p);3163}31643165/**3166* security_task_movememory() - Check if moving memory is allowed3167* @p: task3168*3169* Check permission before moving memory owned by process @p.3170*3171* Return: Returns 0 if permission is granted.3172*/3173int security_task_movememory(struct task_struct *p)3174{3175return call_int_hook(task_movememory, p);3176}31773178/**3179* security_task_kill() - Check if sending a signal is allowed3180* @p: target process3181* @info: signal information3182* @sig: signal value3183* @cred: credentials of the signal sender, NULL if @current3184*3185* Check permission before sending signal @sig to @p. @info can be NULL, the3186* constant 1, or a pointer to a kernel_siginfo structure. If @info is 1 or3187* SI_FROMKERNEL(info) is true, then the signal should be viewed as coming from3188* the kernel and should typically be permitted. SIGIO signals are handled3189* separately by the send_sigiotask hook in file_security_ops.3190*3191* Return: Returns 0 if permission is granted.3192*/3193int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,3194int sig, const struct cred *cred)3195{3196return call_int_hook(task_kill, p, info, sig, cred);3197}31983199/**3200* security_task_prctl() - Check if a prctl op is allowed3201* @option: operation3202* @arg2: argument3203* @arg3: argument3204* @arg4: argument3205* @arg5: argument3206*3207* Check permission before performing a process control operation on the3208* current process.3209*3210* Return: Return -ENOSYS if no-one wanted to handle this op, any other value3211* to cause prctl() to return immediately with that value.3212*/3213int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,3214unsigned long arg4, unsigned long arg5)3215{3216int thisrc;3217int rc = LSM_RET_DEFAULT(task_prctl);3218struct lsm_static_call *scall;32193220lsm_for_each_hook(scall, task_prctl) {3221thisrc = scall->hl->hook.task_prctl(option, arg2, arg3, arg4, arg5);3222if (thisrc != LSM_RET_DEFAULT(task_prctl)) {3223rc = thisrc;3224if (thisrc != 0)3225break;3226}3227}3228return rc;3229}32303231/**3232* security_task_to_inode() - Set the security attributes of a task's inode3233* @p: task3234* @inode: inode3235*3236* Set the security attributes for an inode based on an associated task's3237* security attributes, e.g. for /proc/pid inodes.3238*/3239void security_task_to_inode(struct task_struct *p, struct inode *inode)3240{3241call_void_hook(task_to_inode, p, inode);3242}32433244/**3245* security_create_user_ns() - Check if creating a new userns is allowed3246* @cred: prepared creds3247*3248* Check permission prior to creating a new user namespace.3249*3250* Return: Returns 0 if successful, otherwise < 0 error code.3251*/3252int security_create_user_ns(const struct cred *cred)3253{3254return call_int_hook(userns_create, cred);3255}32563257/**3258* security_ipc_permission() - Check if sysv ipc access is allowed3259* @ipcp: ipc permission structure3260* @flag: requested permissions3261*3262* Check permissions for access to IPC.3263*3264* Return: Returns 0 if permission is granted.3265*/3266int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)3267{3268return call_int_hook(ipc_permission, ipcp, flag);3269}32703271/**3272* security_ipc_getlsmprop() - Get the sysv ipc object LSM data3273* @ipcp: ipc permission structure3274* @prop: pointer to lsm information3275*3276* Get the lsm information associated with the ipc object.3277*/32783279void security_ipc_getlsmprop(struct kern_ipc_perm *ipcp, struct lsm_prop *prop)3280{3281lsmprop_init(prop);3282call_void_hook(ipc_getlsmprop, ipcp, prop);3283}32843285/**3286* security_msg_msg_alloc() - Allocate a sysv ipc message LSM blob3287* @msg: message structure3288*3289* Allocate and attach a security structure to the msg->security field. The3290* security field is initialized to NULL when the structure is first created.3291*3292* Return: Return 0 if operation was successful and permission is granted.3293*/3294int security_msg_msg_alloc(struct msg_msg *msg)3295{3296int rc = lsm_msg_msg_alloc(msg);32973298if (unlikely(rc))3299return rc;3300rc = call_int_hook(msg_msg_alloc_security, msg);3301if (unlikely(rc))3302security_msg_msg_free(msg);3303return rc;3304}33053306/**3307* security_msg_msg_free() - Free a sysv ipc message LSM blob3308* @msg: message structure3309*3310* Deallocate the security structure for this message.3311*/3312void security_msg_msg_free(struct msg_msg *msg)3313{3314call_void_hook(msg_msg_free_security, msg);3315kfree(msg->security);3316msg->security = NULL;3317}33183319/**3320* security_msg_queue_alloc() - Allocate a sysv ipc msg queue LSM blob3321* @msq: sysv ipc permission structure3322*3323* Allocate and attach a security structure to @msg. The security field is3324* initialized to NULL when the structure is first created.3325*3326* Return: Returns 0 if operation was successful and permission is granted.3327*/3328int security_msg_queue_alloc(struct kern_ipc_perm *msq)3329{3330int rc = lsm_ipc_alloc(msq);33313332if (unlikely(rc))3333return rc;3334rc = call_int_hook(msg_queue_alloc_security, msq);3335if (unlikely(rc))3336security_msg_queue_free(msq);3337return rc;3338}33393340/**3341* security_msg_queue_free() - Free a sysv ipc msg queue LSM blob3342* @msq: sysv ipc permission structure3343*3344* Deallocate security field @perm->security for the message queue.3345*/3346void security_msg_queue_free(struct kern_ipc_perm *msq)3347{3348call_void_hook(msg_queue_free_security, msq);3349kfree(msq->security);3350msq->security = NULL;3351}33523353/**3354* security_msg_queue_associate() - Check if a msg queue operation is allowed3355* @msq: sysv ipc permission structure3356* @msqflg: operation flags3357*3358* Check permission when a message queue is requested through the msgget system3359* call. This hook is only called when returning the message queue identifier3360* for an existing message queue, not when a new message queue is created.3361*3362* Return: Return 0 if permission is granted.3363*/3364int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)3365{3366return call_int_hook(msg_queue_associate, msq, msqflg);3367}33683369/**3370* security_msg_queue_msgctl() - Check if a msg queue operation is allowed3371* @msq: sysv ipc permission structure3372* @cmd: operation3373*3374* Check permission when a message control operation specified by @cmd is to be3375* performed on the message queue with permissions.3376*3377* Return: Returns 0 if permission is granted.3378*/3379int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)3380{3381return call_int_hook(msg_queue_msgctl, msq, cmd);3382}33833384/**3385* security_msg_queue_msgsnd() - Check if sending a sysv ipc message is allowed3386* @msq: sysv ipc permission structure3387* @msg: message3388* @msqflg: operation flags3389*3390* Check permission before a message, @msg, is enqueued on the message queue3391* with permissions specified in @msq.3392*3393* Return: Returns 0 if permission is granted.3394*/3395int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,3396struct msg_msg *msg, int msqflg)3397{3398return call_int_hook(msg_queue_msgsnd, msq, msg, msqflg);3399}34003401/**3402* security_msg_queue_msgrcv() - Check if receiving a sysv ipc msg is allowed3403* @msq: sysv ipc permission structure3404* @msg: message3405* @target: target task3406* @type: type of message requested3407* @mode: operation flags3408*3409* Check permission before a message, @msg, is removed from the message queue.3410* The @target task structure contains a pointer to the process that will be3411* receiving the message (not equal to the current process when inline receives3412* are being performed).3413*3414* Return: Returns 0 if permission is granted.3415*/3416int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,3417struct task_struct *target, long type, int mode)3418{3419return call_int_hook(msg_queue_msgrcv, msq, msg, target, type, mode);3420}34213422/**3423* security_shm_alloc() - Allocate a sysv shm LSM blob3424* @shp: sysv ipc permission structure3425*3426* Allocate and attach a security structure to the @shp security field. The3427* security field is initialized to NULL when the structure is first created.3428*3429* Return: Returns 0 if operation was successful and permission is granted.3430*/3431int security_shm_alloc(struct kern_ipc_perm *shp)3432{3433int rc = lsm_ipc_alloc(shp);34343435if (unlikely(rc))3436return rc;3437rc = call_int_hook(shm_alloc_security, shp);3438if (unlikely(rc))3439security_shm_free(shp);3440return rc;3441}34423443/**3444* security_shm_free() - Free a sysv shm LSM blob3445* @shp: sysv ipc permission structure3446*3447* Deallocate the security structure @perm->security for the memory segment.3448*/3449void security_shm_free(struct kern_ipc_perm *shp)3450{3451call_void_hook(shm_free_security, shp);3452kfree(shp->security);3453shp->security = NULL;3454}34553456/**3457* security_shm_associate() - Check if a sysv shm operation is allowed3458* @shp: sysv ipc permission structure3459* @shmflg: operation flags3460*3461* Check permission when a shared memory region is requested through the shmget3462* system call. This hook is only called when returning the shared memory3463* region identifier for an existing region, not when a new shared memory3464* region is created.3465*3466* Return: Returns 0 if permission is granted.3467*/3468int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)3469{3470return call_int_hook(shm_associate, shp, shmflg);3471}34723473/**3474* security_shm_shmctl() - Check if a sysv shm operation is allowed3475* @shp: sysv ipc permission structure3476* @cmd: operation3477*3478* Check permission when a shared memory control operation specified by @cmd is3479* to be performed on the shared memory region with permissions in @shp.3480*3481* Return: Return 0 if permission is granted.3482*/3483int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd)3484{3485return call_int_hook(shm_shmctl, shp, cmd);3486}34873488/**3489* security_shm_shmat() - Check if a sysv shm attach operation is allowed3490* @shp: sysv ipc permission structure3491* @shmaddr: address of memory region to attach3492* @shmflg: operation flags3493*3494* Check permissions prior to allowing the shmat system call to attach the3495* shared memory segment with permissions @shp to the data segment of the3496* calling process. The attaching address is specified by @shmaddr.3497*3498* Return: Returns 0 if permission is granted.3499*/3500int security_shm_shmat(struct kern_ipc_perm *shp,3501char __user *shmaddr, int shmflg)3502{3503return call_int_hook(shm_shmat, shp, shmaddr, shmflg);3504}35053506/**3507* security_sem_alloc() - Allocate a sysv semaphore LSM blob3508* @sma: sysv ipc permission structure3509*3510* Allocate and attach a security structure to the @sma security field. The3511* security field is initialized to NULL when the structure is first created.3512*3513* Return: Returns 0 if operation was successful and permission is granted.3514*/3515int security_sem_alloc(struct kern_ipc_perm *sma)3516{3517int rc = lsm_ipc_alloc(sma);35183519if (unlikely(rc))3520return rc;3521rc = call_int_hook(sem_alloc_security, sma);3522if (unlikely(rc))3523security_sem_free(sma);3524return rc;3525}35263527/**3528* security_sem_free() - Free a sysv semaphore LSM blob3529* @sma: sysv ipc permission structure3530*3531* Deallocate security structure @sma->security for the semaphore.3532*/3533void security_sem_free(struct kern_ipc_perm *sma)3534{3535call_void_hook(sem_free_security, sma);3536kfree(sma->security);3537sma->security = NULL;3538}35393540/**3541* security_sem_associate() - Check if a sysv semaphore operation is allowed3542* @sma: sysv ipc permission structure3543* @semflg: operation flags3544*3545* Check permission when a semaphore is requested through the semget system3546* call. This hook is only called when returning the semaphore identifier for3547* an existing semaphore, not when a new one must be created.3548*3549* Return: Returns 0 if permission is granted.3550*/3551int security_sem_associate(struct kern_ipc_perm *sma, int semflg)3552{3553return call_int_hook(sem_associate, sma, semflg);3554}35553556/**3557* security_sem_semctl() - Check if a sysv semaphore operation is allowed3558* @sma: sysv ipc permission structure3559* @cmd: operation3560*3561* Check permission when a semaphore operation specified by @cmd is to be3562* performed on the semaphore.3563*3564* Return: Returns 0 if permission is granted.3565*/3566int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)3567{3568return call_int_hook(sem_semctl, sma, cmd);3569}35703571/**3572* security_sem_semop() - Check if a sysv semaphore operation is allowed3573* @sma: sysv ipc permission structure3574* @sops: operations to perform3575* @nsops: number of operations3576* @alter: flag indicating changes will be made3577*3578* Check permissions before performing operations on members of the semaphore3579* set. If the @alter flag is nonzero, the semaphore set may be modified.3580*3581* Return: Returns 0 if permission is granted.3582*/3583int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,3584unsigned nsops, int alter)3585{3586return call_int_hook(sem_semop, sma, sops, nsops, alter);3587}35883589/**3590* security_d_instantiate() - Populate an inode's LSM state based on a dentry3591* @dentry: dentry3592* @inode: inode3593*3594* Fill in @inode security information for a @dentry if allowed.3595*/3596void security_d_instantiate(struct dentry *dentry, struct inode *inode)3597{3598if (unlikely(inode && IS_PRIVATE(inode)))3599return;3600call_void_hook(d_instantiate, dentry, inode);3601}3602EXPORT_SYMBOL(security_d_instantiate);36033604/*3605* Please keep this in sync with it's counterpart in security/lsm_syscalls.c3606*/36073608/**3609* security_getselfattr - Read an LSM attribute of the current process.3610* @attr: which attribute to return3611* @uctx: the user-space destination for the information, or NULL3612* @size: pointer to the size of space available to receive the data3613* @flags: special handling options. LSM_FLAG_SINGLE indicates that only3614* attributes associated with the LSM identified in the passed @ctx be3615* reported.3616*3617* A NULL value for @uctx can be used to get both the number of attributes3618* and the size of the data.3619*3620* Returns the number of attributes found on success, negative value3621* on error. @size is reset to the total size of the data.3622* If @size is insufficient to contain the data -E2BIG is returned.3623*/3624int security_getselfattr(unsigned int attr, struct lsm_ctx __user *uctx,3625u32 __user *size, u32 flags)3626{3627struct lsm_static_call *scall;3628struct lsm_ctx lctx = { .id = LSM_ID_UNDEF, };3629u8 __user *base = (u8 __user *)uctx;3630u32 entrysize;3631u32 total = 0;3632u32 left;3633bool toobig = false;3634bool single = false;3635int count = 0;3636int rc;36373638if (attr == LSM_ATTR_UNDEF)3639return -EINVAL;3640if (size == NULL)3641return -EINVAL;3642if (get_user(left, size))3643return -EFAULT;36443645if (flags) {3646/*3647* Only flag supported is LSM_FLAG_SINGLE3648*/3649if (flags != LSM_FLAG_SINGLE || !uctx)3650return -EINVAL;3651if (copy_from_user(&lctx, uctx, sizeof(lctx)))3652return -EFAULT;3653/*3654* If the LSM ID isn't specified it is an error.3655*/3656if (lctx.id == LSM_ID_UNDEF)3657return -EINVAL;3658single = true;3659}36603661/*3662* In the usual case gather all the data from the LSMs.3663* In the single case only get the data from the LSM specified.3664*/3665lsm_for_each_hook(scall, getselfattr) {3666if (single && lctx.id != scall->hl->lsmid->id)3667continue;3668entrysize = left;3669if (base)3670uctx = (struct lsm_ctx __user *)(base + total);3671rc = scall->hl->hook.getselfattr(attr, uctx, &entrysize, flags);3672if (rc == -EOPNOTSUPP)3673continue;3674if (rc == -E2BIG) {3675rc = 0;3676left = 0;3677toobig = true;3678} else if (rc < 0)3679return rc;3680else3681left -= entrysize;36823683total += entrysize;3684count += rc;3685if (single)3686break;3687}3688if (put_user(total, size))3689return -EFAULT;3690if (toobig)3691return -E2BIG;3692if (count == 0)3693return LSM_RET_DEFAULT(getselfattr);3694return count;3695}36963697/*3698* Please keep this in sync with it's counterpart in security/lsm_syscalls.c3699*/37003701/**3702* security_setselfattr - Set an LSM attribute on the current process.3703* @attr: which attribute to set3704* @uctx: the user-space source for the information3705* @size: the size of the data3706* @flags: reserved for future use, must be 03707*3708* Set an LSM attribute for the current process. The LSM, attribute3709* and new value are included in @uctx.3710*3711* Returns 0 on success, -EINVAL if the input is inconsistent, -EFAULT3712* if the user buffer is inaccessible, E2BIG if size is too big, or an3713* LSM specific failure.3714*/3715int security_setselfattr(unsigned int attr, struct lsm_ctx __user *uctx,3716u32 size, u32 flags)3717{3718struct lsm_static_call *scall;3719struct lsm_ctx *lctx;3720int rc = LSM_RET_DEFAULT(setselfattr);3721u64 required_len;37223723if (flags)3724return -EINVAL;3725if (size < sizeof(*lctx))3726return -EINVAL;3727if (size > PAGE_SIZE)3728return -E2BIG;37293730lctx = memdup_user(uctx, size);3731if (IS_ERR(lctx))3732return PTR_ERR(lctx);37333734if (size < lctx->len ||3735check_add_overflow(sizeof(*lctx), lctx->ctx_len, &required_len) ||3736lctx->len < required_len) {3737rc = -EINVAL;3738goto free_out;3739}37403741lsm_for_each_hook(scall, setselfattr)3742if ((scall->hl->lsmid->id) == lctx->id) {3743rc = scall->hl->hook.setselfattr(attr, lctx, size, flags);3744break;3745}37463747free_out:3748kfree(lctx);3749return rc;3750}37513752/**3753* security_getprocattr() - Read an attribute for a task3754* @p: the task3755* @lsmid: LSM identification3756* @name: attribute name3757* @value: attribute value3758*3759* Read attribute @name for task @p and store it into @value if allowed.3760*3761* Return: Returns the length of @value on success, a negative value otherwise.3762*/3763int security_getprocattr(struct task_struct *p, int lsmid, const char *name,3764char **value)3765{3766struct lsm_static_call *scall;37673768lsm_for_each_hook(scall, getprocattr) {3769if (lsmid != 0 && lsmid != scall->hl->lsmid->id)3770continue;3771return scall->hl->hook.getprocattr(p, name, value);3772}3773return LSM_RET_DEFAULT(getprocattr);3774}37753776/**3777* security_setprocattr() - Set an attribute for a task3778* @lsmid: LSM identification3779* @name: attribute name3780* @value: attribute value3781* @size: attribute value size3782*3783* Write (set) the current task's attribute @name to @value, size @size if3784* allowed.3785*3786* Return: Returns bytes written on success, a negative value otherwise.3787*/3788int security_setprocattr(int lsmid, const char *name, void *value, size_t size)3789{3790struct lsm_static_call *scall;37913792lsm_for_each_hook(scall, setprocattr) {3793if (lsmid != 0 && lsmid != scall->hl->lsmid->id)3794continue;3795return scall->hl->hook.setprocattr(name, value, size);3796}3797return LSM_RET_DEFAULT(setprocattr);3798}37993800/**3801* security_ismaclabel() - Check if the named attribute is a MAC label3802* @name: full extended attribute name3803*3804* Check if the extended attribute specified by @name represents a MAC label.3805*3806* Return: Returns 1 if name is a MAC attribute otherwise returns 0.3807*/3808int security_ismaclabel(const char *name)3809{3810return call_int_hook(ismaclabel, name);3811}3812EXPORT_SYMBOL(security_ismaclabel);38133814/**3815* security_secid_to_secctx() - Convert a secid to a secctx3816* @secid: secid3817* @cp: the LSM context3818*3819* Convert secid to security context. If @cp is NULL the length of the3820* result will be returned, but no data will be returned. This3821* does mean that the length could change between calls to check the length and3822* the next call which actually allocates and returns the data.3823*3824* Return: Return length of data on success, error on failure.3825*/3826int security_secid_to_secctx(u32 secid, struct lsm_context *cp)3827{3828return call_int_hook(secid_to_secctx, secid, cp);3829}3830EXPORT_SYMBOL(security_secid_to_secctx);38313832/**3833* security_lsmprop_to_secctx() - Convert a lsm_prop to a secctx3834* @prop: lsm specific information3835* @cp: the LSM context3836* @lsmid: which security module to report3837*3838* Convert a @prop entry to security context. If @cp is NULL the3839* length of the result will be returned. This does mean that the3840* length could change between calls to check the length and the3841* next call which actually allocates and returns the @cp.3842*3843* @lsmid identifies which LSM should supply the context.3844* A value of LSM_ID_UNDEF indicates that the first LSM suppling3845* the hook should be used. This is used in cases where the3846* ID of the supplying LSM is unambiguous.3847*3848* Return: Return length of data on success, error on failure.3849*/3850int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp,3851int lsmid)3852{3853struct lsm_static_call *scall;38543855lsm_for_each_hook(scall, lsmprop_to_secctx) {3856if (lsmid != LSM_ID_UNDEF && lsmid != scall->hl->lsmid->id)3857continue;3858return scall->hl->hook.lsmprop_to_secctx(prop, cp);3859}3860return LSM_RET_DEFAULT(lsmprop_to_secctx);3861}3862EXPORT_SYMBOL(security_lsmprop_to_secctx);38633864/**3865* security_secctx_to_secid() - Convert a secctx to a secid3866* @secdata: secctx3867* @seclen: length of secctx3868* @secid: secid3869*3870* Convert security context to secid.3871*3872* Return: Returns 0 on success, error on failure.3873*/3874int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)3875{3876*secid = 0;3877return call_int_hook(secctx_to_secid, secdata, seclen, secid);3878}3879EXPORT_SYMBOL(security_secctx_to_secid);38803881/**3882* security_release_secctx() - Free a secctx buffer3883* @cp: the security context3884*3885* Release the security context.3886*/3887void security_release_secctx(struct lsm_context *cp)3888{3889call_void_hook(release_secctx, cp);3890memset(cp, 0, sizeof(*cp));3891}3892EXPORT_SYMBOL(security_release_secctx);38933894/**3895* security_inode_invalidate_secctx() - Invalidate an inode's security label3896* @inode: inode3897*3898* Notify the security module that it must revalidate the security context of3899* an inode.3900*/3901void security_inode_invalidate_secctx(struct inode *inode)3902{3903call_void_hook(inode_invalidate_secctx, inode);3904}3905EXPORT_SYMBOL(security_inode_invalidate_secctx);39063907/**3908* security_inode_notifysecctx() - Notify the LSM of an inode's security label3909* @inode: inode3910* @ctx: secctx3911* @ctxlen: length of secctx3912*3913* Notify the security module of what the security context of an inode should3914* be. Initializes the incore security context managed by the security module3915* for this inode. Example usage: NFS client invokes this hook to initialize3916* the security context in its incore inode to the value provided by the server3917* for the file when the server returned the file's attributes to the client.3918* Must be called with inode->i_mutex locked.3919*3920* Return: Returns 0 on success, error on failure.3921*/3922int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)3923{3924return call_int_hook(inode_notifysecctx, inode, ctx, ctxlen);3925}3926EXPORT_SYMBOL(security_inode_notifysecctx);39273928/**3929* security_inode_setsecctx() - Change the security label of an inode3930* @dentry: inode3931* @ctx: secctx3932* @ctxlen: length of secctx3933*3934* Change the security context of an inode. Updates the incore security3935* context managed by the security module and invokes the fs code as needed3936* (via __vfs_setxattr_noperm) to update any backing xattrs that represent the3937* context. Example usage: NFS server invokes this hook to change the security3938* context in its incore inode and on the backing filesystem to a value3939* provided by the client on a SETATTR operation. Must be called with3940* inode->i_mutex locked.3941*3942* Return: Returns 0 on success, error on failure.3943*/3944int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)3945{3946return call_int_hook(inode_setsecctx, dentry, ctx, ctxlen);3947}3948EXPORT_SYMBOL(security_inode_setsecctx);39493950/**3951* security_inode_getsecctx() - Get the security label of an inode3952* @inode: inode3953* @cp: security context3954*3955* On success, returns 0 and fills out @cp with the security context3956* for the given @inode.3957*3958* Return: Returns 0 on success, error on failure.3959*/3960int security_inode_getsecctx(struct inode *inode, struct lsm_context *cp)3961{3962memset(cp, 0, sizeof(*cp));3963return call_int_hook(inode_getsecctx, inode, cp);3964}3965EXPORT_SYMBOL(security_inode_getsecctx);39663967#ifdef CONFIG_WATCH_QUEUE3968/**3969* security_post_notification() - Check if a watch notification can be posted3970* @w_cred: credentials of the task that set the watch3971* @cred: credentials of the task which triggered the watch3972* @n: the notification3973*3974* Check to see if a watch notification can be posted to a particular queue.3975*3976* Return: Returns 0 if permission is granted.3977*/3978int security_post_notification(const struct cred *w_cred,3979const struct cred *cred,3980struct watch_notification *n)3981{3982return call_int_hook(post_notification, w_cred, cred, n);3983}3984#endif /* CONFIG_WATCH_QUEUE */39853986#ifdef CONFIG_KEY_NOTIFICATIONS3987/**3988* security_watch_key() - Check if a task is allowed to watch for key events3989* @key: the key to watch3990*3991* Check to see if a process is allowed to watch for event notifications from3992* a key or keyring.3993*3994* Return: Returns 0 if permission is granted.3995*/3996int security_watch_key(struct key *key)3997{3998return call_int_hook(watch_key, key);3999}4000#endif /* CONFIG_KEY_NOTIFICATIONS */40014002#ifdef CONFIG_SECURITY_NETWORK4003/**4004* security_netlink_send() - Save info and check if netlink sending is allowed4005* @sk: sending socket4006* @skb: netlink message4007*4008* Save security information for a netlink message so that permission checking4009* can be performed when the message is processed. The security information4010* can be saved using the eff_cap field of the netlink_skb_parms structure.4011* Also may be used to provide fine grained control over message transmission.4012*4013* Return: Returns 0 if the information was successfully saved and message is4014* allowed to be transmitted.4015*/4016int security_netlink_send(struct sock *sk, struct sk_buff *skb)4017{4018return call_int_hook(netlink_send, sk, skb);4019}40204021/**4022* security_unix_stream_connect() - Check if a AF_UNIX stream is allowed4023* @sock: originating sock4024* @other: peer sock4025* @newsk: new sock4026*4027* Check permissions before establishing a Unix domain stream connection4028* between @sock and @other.4029*4030* The @unix_stream_connect and @unix_may_send hooks were necessary because4031* Linux provides an alternative to the conventional file name space for Unix4032* domain sockets. Whereas binding and connecting to sockets in the file name4033* space is mediated by the typical file permissions (and caught by the mknod4034* and permission hooks in inode_security_ops), binding and connecting to4035* sockets in the abstract name space is completely unmediated. Sufficient4036* control of Unix domain sockets in the abstract name space isn't possible4037* using only the socket layer hooks, since we need to know the actual target4038* socket, which is not looked up until we are inside the af_unix code.4039*4040* Return: Returns 0 if permission is granted.4041*/4042int security_unix_stream_connect(struct sock *sock, struct sock *other,4043struct sock *newsk)4044{4045return call_int_hook(unix_stream_connect, sock, other, newsk);4046}4047EXPORT_SYMBOL(security_unix_stream_connect);40484049/**4050* security_unix_may_send() - Check if AF_UNIX socket can send datagrams4051* @sock: originating sock4052* @other: peer sock4053*4054* Check permissions before connecting or sending datagrams from @sock to4055* @other.4056*4057* The @unix_stream_connect and @unix_may_send hooks were necessary because4058* Linux provides an alternative to the conventional file name space for Unix4059* domain sockets. Whereas binding and connecting to sockets in the file name4060* space is mediated by the typical file permissions (and caught by the mknod4061* and permission hooks in inode_security_ops), binding and connecting to4062* sockets in the abstract name space is completely unmediated. Sufficient4063* control of Unix domain sockets in the abstract name space isn't possible4064* using only the socket layer hooks, since we need to know the actual target4065* socket, which is not looked up until we are inside the af_unix code.4066*4067* Return: Returns 0 if permission is granted.4068*/4069int security_unix_may_send(struct socket *sock, struct socket *other)4070{4071return call_int_hook(unix_may_send, sock, other);4072}4073EXPORT_SYMBOL(security_unix_may_send);40744075/**4076* security_socket_create() - Check if creating a new socket is allowed4077* @family: protocol family4078* @type: communications type4079* @protocol: requested protocol4080* @kern: set to 1 if a kernel socket is requested4081*4082* Check permissions prior to creating a new socket.4083*4084* Return: Returns 0 if permission is granted.4085*/4086int security_socket_create(int family, int type, int protocol, int kern)4087{4088return call_int_hook(socket_create, family, type, protocol, kern);4089}40904091/**4092* security_socket_post_create() - Initialize a newly created socket4093* @sock: socket4094* @family: protocol family4095* @type: communications type4096* @protocol: requested protocol4097* @kern: set to 1 if a kernel socket is requested4098*4099* This hook allows a module to update or allocate a per-socket security4100* structure. Note that the security field was not added directly to the socket4101* structure, but rather, the socket security information is stored in the4102* associated inode. Typically, the inode alloc_security hook will allocate4103* and attach security information to SOCK_INODE(sock)->i_security. This hook4104* may be used to update the SOCK_INODE(sock)->i_security field with additional4105* information that wasn't available when the inode was allocated.4106*4107* Return: Returns 0 if permission is granted.4108*/4109int security_socket_post_create(struct socket *sock, int family,4110int type, int protocol, int kern)4111{4112return call_int_hook(socket_post_create, sock, family, type,4113protocol, kern);4114}41154116/**4117* security_socket_socketpair() - Check if creating a socketpair is allowed4118* @socka: first socket4119* @sockb: second socket4120*4121* Check permissions before creating a fresh pair of sockets.4122*4123* Return: Returns 0 if permission is granted and the connection was4124* established.4125*/4126int security_socket_socketpair(struct socket *socka, struct socket *sockb)4127{4128return call_int_hook(socket_socketpair, socka, sockb);4129}4130EXPORT_SYMBOL(security_socket_socketpair);41314132/**4133* security_socket_bind() - Check if a socket bind operation is allowed4134* @sock: socket4135* @address: requested bind address4136* @addrlen: length of address4137*4138* Check permission before socket protocol layer bind operation is performed4139* and the socket @sock is bound to the address specified in the @address4140* parameter.4141*4142* Return: Returns 0 if permission is granted.4143*/4144int security_socket_bind(struct socket *sock,4145struct sockaddr *address, int addrlen)4146{4147return call_int_hook(socket_bind, sock, address, addrlen);4148}41494150/**4151* security_socket_connect() - Check if a socket connect operation is allowed4152* @sock: socket4153* @address: address of remote connection point4154* @addrlen: length of address4155*4156* Check permission before socket protocol layer connect operation attempts to4157* connect socket @sock to a remote address, @address.4158*4159* Return: Returns 0 if permission is granted.4160*/4161int security_socket_connect(struct socket *sock,4162struct sockaddr *address, int addrlen)4163{4164return call_int_hook(socket_connect, sock, address, addrlen);4165}41664167/**4168* security_socket_listen() - Check if a socket is allowed to listen4169* @sock: socket4170* @backlog: connection queue size4171*4172* Check permission before socket protocol layer listen operation.4173*4174* Return: Returns 0 if permission is granted.4175*/4176int security_socket_listen(struct socket *sock, int backlog)4177{4178return call_int_hook(socket_listen, sock, backlog);4179}41804181/**4182* security_socket_accept() - Check if a socket is allowed to accept connections4183* @sock: listening socket4184* @newsock: newly creation connection socket4185*4186* Check permission before accepting a new connection. Note that the new4187* socket, @newsock, has been created and some information copied to it, but4188* the accept operation has not actually been performed.4189*4190* Return: Returns 0 if permission is granted.4191*/4192int security_socket_accept(struct socket *sock, struct socket *newsock)4193{4194return call_int_hook(socket_accept, sock, newsock);4195}41964197/**4198* security_socket_sendmsg() - Check if sending a message is allowed4199* @sock: sending socket4200* @msg: message to send4201* @size: size of message4202*4203* Check permission before transmitting a message to another socket.4204*4205* Return: Returns 0 if permission is granted.4206*/4207int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)4208{4209return call_int_hook(socket_sendmsg, sock, msg, size);4210}42114212/**4213* security_socket_recvmsg() - Check if receiving a message is allowed4214* @sock: receiving socket4215* @msg: message to receive4216* @size: size of message4217* @flags: operational flags4218*4219* Check permission before receiving a message from a socket.4220*4221* Return: Returns 0 if permission is granted.4222*/4223int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,4224int size, int flags)4225{4226return call_int_hook(socket_recvmsg, sock, msg, size, flags);4227}42284229/**4230* security_socket_getsockname() - Check if reading the socket addr is allowed4231* @sock: socket4232*4233* Check permission before reading the local address (name) of the socket4234* object.4235*4236* Return: Returns 0 if permission is granted.4237*/4238int security_socket_getsockname(struct socket *sock)4239{4240return call_int_hook(socket_getsockname, sock);4241}42424243/**4244* security_socket_getpeername() - Check if reading the peer's addr is allowed4245* @sock: socket4246*4247* Check permission before the remote address (name) of a socket object.4248*4249* Return: Returns 0 if permission is granted.4250*/4251int security_socket_getpeername(struct socket *sock)4252{4253return call_int_hook(socket_getpeername, sock);4254}42554256/**4257* security_socket_getsockopt() - Check if reading a socket option is allowed4258* @sock: socket4259* @level: option's protocol level4260* @optname: option name4261*4262* Check permissions before retrieving the options associated with socket4263* @sock.4264*4265* Return: Returns 0 if permission is granted.4266*/4267int security_socket_getsockopt(struct socket *sock, int level, int optname)4268{4269return call_int_hook(socket_getsockopt, sock, level, optname);4270}42714272/**4273* security_socket_setsockopt() - Check if setting a socket option is allowed4274* @sock: socket4275* @level: option's protocol level4276* @optname: option name4277*4278* Check permissions before setting the options associated with socket @sock.4279*4280* Return: Returns 0 if permission is granted.4281*/4282int security_socket_setsockopt(struct socket *sock, int level, int optname)4283{4284return call_int_hook(socket_setsockopt, sock, level, optname);4285}42864287/**4288* security_socket_shutdown() - Checks if shutting down the socket is allowed4289* @sock: socket4290* @how: flag indicating how sends and receives are handled4291*4292* Checks permission before all or part of a connection on the socket @sock is4293* shut down.4294*4295* Return: Returns 0 if permission is granted.4296*/4297int security_socket_shutdown(struct socket *sock, int how)4298{4299return call_int_hook(socket_shutdown, sock, how);4300}43014302/**4303* security_sock_rcv_skb() - Check if an incoming network packet is allowed4304* @sk: destination sock4305* @skb: incoming packet4306*4307* Check permissions on incoming network packets. This hook is distinct from4308* Netfilter's IP input hooks since it is the first time that the incoming4309* sk_buff @skb has been associated with a particular socket, @sk. Must not4310* sleep inside this hook because some callers hold spinlocks.4311*4312* Return: Returns 0 if permission is granted.4313*/4314int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)4315{4316return call_int_hook(socket_sock_rcv_skb, sk, skb);4317}4318EXPORT_SYMBOL(security_sock_rcv_skb);43194320/**4321* security_socket_getpeersec_stream() - Get the remote peer label4322* @sock: socket4323* @optval: destination buffer4324* @optlen: size of peer label copied into the buffer4325* @len: maximum size of the destination buffer4326*4327* This hook allows the security module to provide peer socket security state4328* for unix or connected tcp sockets to userspace via getsockopt SO_GETPEERSEC.4329* For tcp sockets this can be meaningful if the socket is associated with an4330* ipsec SA.4331*4332* Return: Returns 0 if all is well, otherwise, typical getsockopt return4333* values.4334*/4335int security_socket_getpeersec_stream(struct socket *sock, sockptr_t optval,4336sockptr_t optlen, unsigned int len)4337{4338return call_int_hook(socket_getpeersec_stream, sock, optval, optlen,4339len);4340}43414342/**4343* security_socket_getpeersec_dgram() - Get the remote peer label4344* @sock: socket4345* @skb: datagram packet4346* @secid: remote peer label secid4347*4348* This hook allows the security module to provide peer socket security state4349* for udp sockets on a per-packet basis to userspace via getsockopt4350* SO_GETPEERSEC. The application must first have indicated the IP_PASSSEC4351* option via getsockopt. It can then retrieve the security state returned by4352* this hook for a packet via the SCM_SECURITY ancillary message type.4353*4354* Return: Returns 0 on success, error on failure.4355*/4356int security_socket_getpeersec_dgram(struct socket *sock,4357struct sk_buff *skb, u32 *secid)4358{4359return call_int_hook(socket_getpeersec_dgram, sock, skb, secid);4360}4361EXPORT_SYMBOL(security_socket_getpeersec_dgram);43624363/**4364* lsm_sock_alloc - allocate a composite sock blob4365* @sock: the sock that needs a blob4366* @gfp: allocation mode4367*4368* Allocate the sock blob for all the modules4369*4370* Returns 0, or -ENOMEM if memory can't be allocated.4371*/4372static int lsm_sock_alloc(struct sock *sock, gfp_t gfp)4373{4374return lsm_blob_alloc(&sock->sk_security, blob_sizes.lbs_sock, gfp);4375}43764377/**4378* security_sk_alloc() - Allocate and initialize a sock's LSM blob4379* @sk: sock4380* @family: protocol family4381* @priority: gfp flags4382*4383* Allocate and attach a security structure to the sk->sk_security field, which4384* is used to copy security attributes between local stream sockets.4385*4386* Return: Returns 0 on success, error on failure.4387*/4388int security_sk_alloc(struct sock *sk, int family, gfp_t priority)4389{4390int rc = lsm_sock_alloc(sk, priority);43914392if (unlikely(rc))4393return rc;4394rc = call_int_hook(sk_alloc_security, sk, family, priority);4395if (unlikely(rc))4396security_sk_free(sk);4397return rc;4398}43994400/**4401* security_sk_free() - Free the sock's LSM blob4402* @sk: sock4403*4404* Deallocate security structure.4405*/4406void security_sk_free(struct sock *sk)4407{4408call_void_hook(sk_free_security, sk);4409kfree(sk->sk_security);4410sk->sk_security = NULL;4411}44124413/**4414* security_sk_clone() - Clone a sock's LSM state4415* @sk: original sock4416* @newsk: target sock4417*4418* Clone/copy security structure.4419*/4420void security_sk_clone(const struct sock *sk, struct sock *newsk)4421{4422call_void_hook(sk_clone_security, sk, newsk);4423}4424EXPORT_SYMBOL(security_sk_clone);44254426/**4427* security_sk_classify_flow() - Set a flow's secid based on socket4428* @sk: original socket4429* @flic: target flow4430*4431* Set the target flow's secid to socket's secid.4432*/4433void security_sk_classify_flow(const struct sock *sk, struct flowi_common *flic)4434{4435call_void_hook(sk_getsecid, sk, &flic->flowic_secid);4436}4437EXPORT_SYMBOL(security_sk_classify_flow);44384439/**4440* security_req_classify_flow() - Set a flow's secid based on request_sock4441* @req: request_sock4442* @flic: target flow4443*4444* Sets @flic's secid to @req's secid.4445*/4446void security_req_classify_flow(const struct request_sock *req,4447struct flowi_common *flic)4448{4449call_void_hook(req_classify_flow, req, flic);4450}4451EXPORT_SYMBOL(security_req_classify_flow);44524453/**4454* security_sock_graft() - Reconcile LSM state when grafting a sock on a socket4455* @sk: sock being grafted4456* @parent: target parent socket4457*4458* Sets @parent's inode secid to @sk's secid and update @sk with any necessary4459* LSM state from @parent.4460*/4461void security_sock_graft(struct sock *sk, struct socket *parent)4462{4463call_void_hook(sock_graft, sk, parent);4464}4465EXPORT_SYMBOL(security_sock_graft);44664467/**4468* security_inet_conn_request() - Set request_sock state using incoming connect4469* @sk: parent listening sock4470* @skb: incoming connection4471* @req: new request_sock4472*4473* Initialize the @req LSM state based on @sk and the incoming connect in @skb.4474*4475* Return: Returns 0 if permission is granted.4476*/4477int security_inet_conn_request(const struct sock *sk,4478struct sk_buff *skb, struct request_sock *req)4479{4480return call_int_hook(inet_conn_request, sk, skb, req);4481}4482EXPORT_SYMBOL(security_inet_conn_request);44834484/**4485* security_inet_csk_clone() - Set new sock LSM state based on request_sock4486* @newsk: new sock4487* @req: connection request_sock4488*4489* Set that LSM state of @sock using the LSM state from @req.4490*/4491void security_inet_csk_clone(struct sock *newsk,4492const struct request_sock *req)4493{4494call_void_hook(inet_csk_clone, newsk, req);4495}44964497/**4498* security_inet_conn_established() - Update sock's LSM state with connection4499* @sk: sock4500* @skb: connection packet4501*4502* Update @sock's LSM state to represent a new connection from @skb.4503*/4504void security_inet_conn_established(struct sock *sk,4505struct sk_buff *skb)4506{4507call_void_hook(inet_conn_established, sk, skb);4508}4509EXPORT_SYMBOL(security_inet_conn_established);45104511/**4512* security_secmark_relabel_packet() - Check if setting a secmark is allowed4513* @secid: new secmark value4514*4515* Check if the process should be allowed to relabel packets to @secid.4516*4517* Return: Returns 0 if permission is granted.4518*/4519int security_secmark_relabel_packet(u32 secid)4520{4521return call_int_hook(secmark_relabel_packet, secid);4522}4523EXPORT_SYMBOL(security_secmark_relabel_packet);45244525/**4526* security_secmark_refcount_inc() - Increment the secmark labeling rule count4527*4528* Tells the LSM to increment the number of secmark labeling rules loaded.4529*/4530void security_secmark_refcount_inc(void)4531{4532call_void_hook(secmark_refcount_inc);4533}4534EXPORT_SYMBOL(security_secmark_refcount_inc);45354536/**4537* security_secmark_refcount_dec() - Decrement the secmark labeling rule count4538*4539* Tells the LSM to decrement the number of secmark labeling rules loaded.4540*/4541void security_secmark_refcount_dec(void)4542{4543call_void_hook(secmark_refcount_dec);4544}4545EXPORT_SYMBOL(security_secmark_refcount_dec);45464547/**4548* security_tun_dev_alloc_security() - Allocate a LSM blob for a TUN device4549* @security: pointer to the LSM blob4550*4551* This hook allows a module to allocate a security structure for a TUN device,4552* returning the pointer in @security.4553*4554* Return: Returns a zero on success, negative values on failure.4555*/4556int security_tun_dev_alloc_security(void **security)4557{4558int rc;45594560rc = lsm_blob_alloc(security, blob_sizes.lbs_tun_dev, GFP_KERNEL);4561if (rc)4562return rc;45634564rc = call_int_hook(tun_dev_alloc_security, *security);4565if (rc) {4566kfree(*security);4567*security = NULL;4568}4569return rc;4570}4571EXPORT_SYMBOL(security_tun_dev_alloc_security);45724573/**4574* security_tun_dev_free_security() - Free a TUN device LSM blob4575* @security: LSM blob4576*4577* This hook allows a module to free the security structure for a TUN device.4578*/4579void security_tun_dev_free_security(void *security)4580{4581kfree(security);4582}4583EXPORT_SYMBOL(security_tun_dev_free_security);45844585/**4586* security_tun_dev_create() - Check if creating a TUN device is allowed4587*4588* Check permissions prior to creating a new TUN device.4589*4590* Return: Returns 0 if permission is granted.4591*/4592int security_tun_dev_create(void)4593{4594return call_int_hook(tun_dev_create);4595}4596EXPORT_SYMBOL(security_tun_dev_create);45974598/**4599* security_tun_dev_attach_queue() - Check if attaching a TUN queue is allowed4600* @security: TUN device LSM blob4601*4602* Check permissions prior to attaching to a TUN device queue.4603*4604* Return: Returns 0 if permission is granted.4605*/4606int security_tun_dev_attach_queue(void *security)4607{4608return call_int_hook(tun_dev_attach_queue, security);4609}4610EXPORT_SYMBOL(security_tun_dev_attach_queue);46114612/**4613* security_tun_dev_attach() - Update TUN device LSM state on attach4614* @sk: associated sock4615* @security: TUN device LSM blob4616*4617* This hook can be used by the module to update any security state associated4618* with the TUN device's sock structure.4619*4620* Return: Returns 0 if permission is granted.4621*/4622int security_tun_dev_attach(struct sock *sk, void *security)4623{4624return call_int_hook(tun_dev_attach, sk, security);4625}4626EXPORT_SYMBOL(security_tun_dev_attach);46274628/**4629* security_tun_dev_open() - Update TUN device LSM state on open4630* @security: TUN device LSM blob4631*4632* This hook can be used by the module to update any security state associated4633* with the TUN device's security structure.4634*4635* Return: Returns 0 if permission is granted.4636*/4637int security_tun_dev_open(void *security)4638{4639return call_int_hook(tun_dev_open, security);4640}4641EXPORT_SYMBOL(security_tun_dev_open);46424643/**4644* security_sctp_assoc_request() - Update the LSM on a SCTP association req4645* @asoc: SCTP association4646* @skb: packet requesting the association4647*4648* Passes the @asoc and @chunk->skb of the association INIT packet to the LSM.4649*4650* Return: Returns 0 on success, error on failure.4651*/4652int security_sctp_assoc_request(struct sctp_association *asoc,4653struct sk_buff *skb)4654{4655return call_int_hook(sctp_assoc_request, asoc, skb);4656}4657EXPORT_SYMBOL(security_sctp_assoc_request);46584659/**4660* security_sctp_bind_connect() - Validate a list of addrs for a SCTP option4661* @sk: socket4662* @optname: SCTP option to validate4663* @address: list of IP addresses to validate4664* @addrlen: length of the address list4665*4666* Validiate permissions required for each address associated with sock @sk.4667* Depending on @optname, the addresses will be treated as either a connect or4668* bind service. The @addrlen is calculated on each IPv4 and IPv6 address using4669* sizeof(struct sockaddr_in) or sizeof(struct sockaddr_in6).4670*4671* Return: Returns 0 on success, error on failure.4672*/4673int security_sctp_bind_connect(struct sock *sk, int optname,4674struct sockaddr *address, int addrlen)4675{4676return call_int_hook(sctp_bind_connect, sk, optname, address, addrlen);4677}4678EXPORT_SYMBOL(security_sctp_bind_connect);46794680/**4681* security_sctp_sk_clone() - Clone a SCTP sock's LSM state4682* @asoc: SCTP association4683* @sk: original sock4684* @newsk: target sock4685*4686* Called whenever a new socket is created by accept(2) (i.e. a TCP style4687* socket) or when a socket is 'peeled off' e.g userspace calls4688* sctp_peeloff(3).4689*/4690void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk,4691struct sock *newsk)4692{4693call_void_hook(sctp_sk_clone, asoc, sk, newsk);4694}4695EXPORT_SYMBOL(security_sctp_sk_clone);46964697/**4698* security_sctp_assoc_established() - Update LSM state when assoc established4699* @asoc: SCTP association4700* @skb: packet establishing the association4701*4702* Passes the @asoc and @chunk->skb of the association COOKIE_ACK packet to the4703* security module.4704*4705* Return: Returns 0 if permission is granted.4706*/4707int security_sctp_assoc_established(struct sctp_association *asoc,4708struct sk_buff *skb)4709{4710return call_int_hook(sctp_assoc_established, asoc, skb);4711}4712EXPORT_SYMBOL(security_sctp_assoc_established);47134714/**4715* security_mptcp_add_subflow() - Inherit the LSM label from the MPTCP socket4716* @sk: the owning MPTCP socket4717* @ssk: the new subflow4718*4719* Update the labeling for the given MPTCP subflow, to match the one of the4720* owning MPTCP socket. This hook has to be called after the socket creation and4721* initialization via the security_socket_create() and4722* security_socket_post_create() LSM hooks.4723*4724* Return: Returns 0 on success or a negative error code on failure.4725*/4726int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk)4727{4728return call_int_hook(mptcp_add_subflow, sk, ssk);4729}47304731#endif /* CONFIG_SECURITY_NETWORK */47324733#ifdef CONFIG_SECURITY_INFINIBAND4734/**4735* security_ib_pkey_access() - Check if access to an IB pkey is allowed4736* @sec: LSM blob4737* @subnet_prefix: subnet prefix of the port4738* @pkey: IB pkey4739*4740* Check permission to access a pkey when modifying a QP.4741*4742* Return: Returns 0 if permission is granted.4743*/4744int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey)4745{4746return call_int_hook(ib_pkey_access, sec, subnet_prefix, pkey);4747}4748EXPORT_SYMBOL(security_ib_pkey_access);47494750/**4751* security_ib_endport_manage_subnet() - Check if SMPs traffic is allowed4752* @sec: LSM blob4753* @dev_name: IB device name4754* @port_num: port number4755*4756* Check permissions to send and receive SMPs on a end port.4757*4758* Return: Returns 0 if permission is granted.4759*/4760int security_ib_endport_manage_subnet(void *sec,4761const char *dev_name, u8 port_num)4762{4763return call_int_hook(ib_endport_manage_subnet, sec, dev_name, port_num);4764}4765EXPORT_SYMBOL(security_ib_endport_manage_subnet);47664767/**4768* security_ib_alloc_security() - Allocate an Infiniband LSM blob4769* @sec: LSM blob4770*4771* Allocate a security structure for Infiniband objects.4772*4773* Return: Returns 0 on success, non-zero on failure.4774*/4775int security_ib_alloc_security(void **sec)4776{4777int rc;47784779rc = lsm_blob_alloc(sec, blob_sizes.lbs_ib, GFP_KERNEL);4780if (rc)4781return rc;47824783rc = call_int_hook(ib_alloc_security, *sec);4784if (rc) {4785kfree(*sec);4786*sec = NULL;4787}4788return rc;4789}4790EXPORT_SYMBOL(security_ib_alloc_security);47914792/**4793* security_ib_free_security() - Free an Infiniband LSM blob4794* @sec: LSM blob4795*4796* Deallocate an Infiniband security structure.4797*/4798void security_ib_free_security(void *sec)4799{4800kfree(sec);4801}4802EXPORT_SYMBOL(security_ib_free_security);4803#endif /* CONFIG_SECURITY_INFINIBAND */48044805#ifdef CONFIG_SECURITY_NETWORK_XFRM4806/**4807* security_xfrm_policy_alloc() - Allocate a xfrm policy LSM blob4808* @ctxp: xfrm security context being added to the SPD4809* @sec_ctx: security label provided by userspace4810* @gfp: gfp flags4811*4812* Allocate a security structure to the xp->security field; the security field4813* is initialized to NULL when the xfrm_policy is allocated.4814*4815* Return: Return 0 if operation was successful.4816*/4817int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,4818struct xfrm_user_sec_ctx *sec_ctx,4819gfp_t gfp)4820{4821return call_int_hook(xfrm_policy_alloc_security, ctxp, sec_ctx, gfp);4822}4823EXPORT_SYMBOL(security_xfrm_policy_alloc);48244825/**4826* security_xfrm_policy_clone() - Clone xfrm policy LSM state4827* @old_ctx: xfrm security context4828* @new_ctxp: target xfrm security context4829*4830* Allocate a security structure in new_ctxp that contains the information from4831* the old_ctx structure.4832*4833* Return: Return 0 if operation was successful.4834*/4835int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,4836struct xfrm_sec_ctx **new_ctxp)4837{4838return call_int_hook(xfrm_policy_clone_security, old_ctx, new_ctxp);4839}48404841/**4842* security_xfrm_policy_free() - Free a xfrm security context4843* @ctx: xfrm security context4844*4845* Free LSM resources associated with @ctx.4846*/4847void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)4848{4849call_void_hook(xfrm_policy_free_security, ctx);4850}4851EXPORT_SYMBOL(security_xfrm_policy_free);48524853/**4854* security_xfrm_policy_delete() - Check if deleting a xfrm policy is allowed4855* @ctx: xfrm security context4856*4857* Authorize deletion of a SPD entry.4858*4859* Return: Returns 0 if permission is granted.4860*/4861int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)4862{4863return call_int_hook(xfrm_policy_delete_security, ctx);4864}48654866/**4867* security_xfrm_state_alloc() - Allocate a xfrm state LSM blob4868* @x: xfrm state being added to the SAD4869* @sec_ctx: security label provided by userspace4870*4871* Allocate a security structure to the @x->security field; the security field4872* is initialized to NULL when the xfrm_state is allocated. Set the context to4873* correspond to @sec_ctx.4874*4875* Return: Return 0 if operation was successful.4876*/4877int security_xfrm_state_alloc(struct xfrm_state *x,4878struct xfrm_user_sec_ctx *sec_ctx)4879{4880return call_int_hook(xfrm_state_alloc, x, sec_ctx);4881}4882EXPORT_SYMBOL(security_xfrm_state_alloc);48834884/**4885* security_xfrm_state_alloc_acquire() - Allocate a xfrm state LSM blob4886* @x: xfrm state being added to the SAD4887* @polsec: associated policy's security context4888* @secid: secid from the flow4889*4890* Allocate a security structure to the x->security field; the security field4891* is initialized to NULL when the xfrm_state is allocated. Set the context to4892* correspond to secid.4893*4894* Return: Returns 0 if operation was successful.4895*/4896int security_xfrm_state_alloc_acquire(struct xfrm_state *x,4897struct xfrm_sec_ctx *polsec, u32 secid)4898{4899return call_int_hook(xfrm_state_alloc_acquire, x, polsec, secid);4900}49014902/**4903* security_xfrm_state_delete() - Check if deleting a xfrm state is allowed4904* @x: xfrm state4905*4906* Authorize deletion of x->security.4907*4908* Return: Returns 0 if permission is granted.4909*/4910int security_xfrm_state_delete(struct xfrm_state *x)4911{4912return call_int_hook(xfrm_state_delete_security, x);4913}4914EXPORT_SYMBOL(security_xfrm_state_delete);49154916/**4917* security_xfrm_state_free() - Free a xfrm state4918* @x: xfrm state4919*4920* Deallocate x->security.4921*/4922void security_xfrm_state_free(struct xfrm_state *x)4923{4924call_void_hook(xfrm_state_free_security, x);4925}49264927/**4928* security_xfrm_policy_lookup() - Check if using a xfrm policy is allowed4929* @ctx: target xfrm security context4930* @fl_secid: flow secid used to authorize access4931*4932* Check permission when a flow selects a xfrm_policy for processing XFRMs on a4933* packet. The hook is called when selecting either a per-socket policy or a4934* generic xfrm policy.4935*4936* Return: Return 0 if permission is granted, -ESRCH otherwise, or -errno on4937* other errors.4938*/4939int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid)4940{4941return call_int_hook(xfrm_policy_lookup, ctx, fl_secid);4942}49434944/**4945* security_xfrm_state_pol_flow_match() - Check for a xfrm match4946* @x: xfrm state to match4947* @xp: xfrm policy to check for a match4948* @flic: flow to check for a match.4949*4950* Check @xp and @flic for a match with @x.4951*4952* Return: Returns 1 if there is a match.4953*/4954int security_xfrm_state_pol_flow_match(struct xfrm_state *x,4955struct xfrm_policy *xp,4956const struct flowi_common *flic)4957{4958struct lsm_static_call *scall;4959int rc = LSM_RET_DEFAULT(xfrm_state_pol_flow_match);49604961/*4962* Since this function is expected to return 0 or 1, the judgment4963* becomes difficult if multiple LSMs supply this call. Fortunately,4964* we can use the first LSM's judgment because currently only SELinux4965* supplies this call.4966*4967* For speed optimization, we explicitly break the loop rather than4968* using the macro4969*/4970lsm_for_each_hook(scall, xfrm_state_pol_flow_match) {4971rc = scall->hl->hook.xfrm_state_pol_flow_match(x, xp, flic);4972break;4973}4974return rc;4975}49764977/**4978* security_xfrm_decode_session() - Determine the xfrm secid for a packet4979* @skb: xfrm packet4980* @secid: secid4981*4982* Decode the packet in @skb and return the security label in @secid.4983*4984* Return: Return 0 if all xfrms used have the same secid.4985*/4986int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)4987{4988return call_int_hook(xfrm_decode_session, skb, secid, 1);4989}49904991void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)4992{4993int rc = call_int_hook(xfrm_decode_session, skb, &flic->flowic_secid,49940);49954996BUG_ON(rc);4997}4998EXPORT_SYMBOL(security_skb_classify_flow);4999#endif /* CONFIG_SECURITY_NETWORK_XFRM */50005001#ifdef CONFIG_KEYS5002/**5003* security_key_alloc() - Allocate and initialize a kernel key LSM blob5004* @key: key5005* @cred: credentials5006* @flags: allocation flags5007*5008* Permit allocation of a key and assign security data. Note that key does not5009* have a serial number assigned at this point.5010*5011* Return: Return 0 if permission is granted, -ve error otherwise.5012*/5013int security_key_alloc(struct key *key, const struct cred *cred,5014unsigned long flags)5015{5016int rc = lsm_key_alloc(key);50175018if (unlikely(rc))5019return rc;5020rc = call_int_hook(key_alloc, key, cred, flags);5021if (unlikely(rc))5022security_key_free(key);5023return rc;5024}50255026/**5027* security_key_free() - Free a kernel key LSM blob5028* @key: key5029*5030* Notification of destruction; free security data.5031*/5032void security_key_free(struct key *key)5033{5034kfree(key->security);5035key->security = NULL;5036}50375038/**5039* security_key_permission() - Check if a kernel key operation is allowed5040* @key_ref: key reference5041* @cred: credentials of actor requesting access5042* @need_perm: requested permissions5043*5044* See whether a specific operational right is granted to a process on a key.5045*5046* Return: Return 0 if permission is granted, -ve error otherwise.5047*/5048int security_key_permission(key_ref_t key_ref, const struct cred *cred,5049enum key_need_perm need_perm)5050{5051return call_int_hook(key_permission, key_ref, cred, need_perm);5052}50535054/**5055* security_key_getsecurity() - Get the key's security label5056* @key: key5057* @buffer: security label buffer5058*5059* Get a textual representation of the security context attached to a key for5060* the purposes of honouring KEYCTL_GETSECURITY. This function allocates the5061* storage for the NUL-terminated string and the caller should free it.5062*5063* Return: Returns the length of @buffer (including terminating NUL) or -ve if5064* an error occurs. May also return 0 (and a NULL buffer pointer) if5065* there is no security label assigned to the key.5066*/5067int security_key_getsecurity(struct key *key, char **buffer)5068{5069*buffer = NULL;5070return call_int_hook(key_getsecurity, key, buffer);5071}50725073/**5074* security_key_post_create_or_update() - Notification of key create or update5075* @keyring: keyring to which the key is linked to5076* @key: created or updated key5077* @payload: data used to instantiate or update the key5078* @payload_len: length of payload5079* @flags: key flags5080* @create: flag indicating whether the key was created or updated5081*5082* Notify the caller of a key creation or update.5083*/5084void security_key_post_create_or_update(struct key *keyring, struct key *key,5085const void *payload, size_t payload_len,5086unsigned long flags, bool create)5087{5088call_void_hook(key_post_create_or_update, keyring, key, payload,5089payload_len, flags, create);5090}5091#endif /* CONFIG_KEYS */50925093#ifdef CONFIG_AUDIT5094/**5095* security_audit_rule_init() - Allocate and init an LSM audit rule struct5096* @field: audit action5097* @op: rule operator5098* @rulestr: rule context5099* @lsmrule: receive buffer for audit rule struct5100* @gfp: GFP flag used for kmalloc5101*5102* Allocate and initialize an LSM audit rule structure.5103*5104* Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of5105* an invalid rule.5106*/5107int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule,5108gfp_t gfp)5109{5110return call_int_hook(audit_rule_init, field, op, rulestr, lsmrule, gfp);5111}51125113/**5114* security_audit_rule_known() - Check if an audit rule contains LSM fields5115* @krule: audit rule5116*5117* Specifies whether given @krule contains any fields related to the current5118* LSM.5119*5120* Return: Returns 1 in case of relation found, 0 otherwise.5121*/5122int security_audit_rule_known(struct audit_krule *krule)5123{5124return call_int_hook(audit_rule_known, krule);5125}51265127/**5128* security_audit_rule_free() - Free an LSM audit rule struct5129* @lsmrule: audit rule struct5130*5131* Deallocate the LSM audit rule structure previously allocated by5132* audit_rule_init().5133*/5134void security_audit_rule_free(void *lsmrule)5135{5136call_void_hook(audit_rule_free, lsmrule);5137}51385139/**5140* security_audit_rule_match() - Check if a label matches an audit rule5141* @prop: security label5142* @field: LSM audit field5143* @op: matching operator5144* @lsmrule: audit rule5145*5146* Determine if given @secid matches a rule previously approved by5147* security_audit_rule_known().5148*5149* Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on5150* failure.5151*/5152int security_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op,5153void *lsmrule)5154{5155return call_int_hook(audit_rule_match, prop, field, op, lsmrule);5156}5157#endif /* CONFIG_AUDIT */51585159#ifdef CONFIG_BPF_SYSCALL5160/**5161* security_bpf() - Check if the bpf syscall operation is allowed5162* @cmd: command5163* @attr: bpf attribute5164* @size: size5165* @kernel: whether or not call originated from kernel5166*5167* Do a initial check for all bpf syscalls after the attribute is copied into5168* the kernel. The actual security module can implement their own rules to5169* check the specific cmd they need.5170*5171* Return: Returns 0 if permission is granted.5172*/5173int security_bpf(int cmd, union bpf_attr *attr, unsigned int size, bool kernel)5174{5175return call_int_hook(bpf, cmd, attr, size, kernel);5176}51775178/**5179* security_bpf_map() - Check if access to a bpf map is allowed5180* @map: bpf map5181* @fmode: mode5182*5183* Do a check when the kernel generates and returns a file descriptor for eBPF5184* maps.5185*5186* Return: Returns 0 if permission is granted.5187*/5188int security_bpf_map(struct bpf_map *map, fmode_t fmode)5189{5190return call_int_hook(bpf_map, map, fmode);5191}51925193/**5194* security_bpf_prog() - Check if access to a bpf program is allowed5195* @prog: bpf program5196*5197* Do a check when the kernel generates and returns a file descriptor for eBPF5198* programs.5199*5200* Return: Returns 0 if permission is granted.5201*/5202int security_bpf_prog(struct bpf_prog *prog)5203{5204return call_int_hook(bpf_prog, prog);5205}52065207/**5208* security_bpf_map_create() - Check if BPF map creation is allowed5209* @map: BPF map object5210* @attr: BPF syscall attributes used to create BPF map5211* @token: BPF token used to grant user access5212* @kernel: whether or not call originated from kernel5213*5214* Do a check when the kernel creates a new BPF map. This is also the5215* point where LSM blob is allocated for LSMs that need them.5216*5217* Return: Returns 0 on success, error on failure.5218*/5219int security_bpf_map_create(struct bpf_map *map, union bpf_attr *attr,5220struct bpf_token *token, bool kernel)5221{5222int rc;52235224rc = lsm_bpf_map_alloc(map);5225if (unlikely(rc))5226return rc;52275228rc = call_int_hook(bpf_map_create, map, attr, token, kernel);5229if (unlikely(rc))5230security_bpf_map_free(map);5231return rc;5232}52335234/**5235* security_bpf_prog_load() - Check if loading of BPF program is allowed5236* @prog: BPF program object5237* @attr: BPF syscall attributes used to create BPF program5238* @token: BPF token used to grant user access to BPF subsystem5239* @kernel: whether or not call originated from kernel5240*5241* Perform an access control check when the kernel loads a BPF program and5242* allocates associated BPF program object. This hook is also responsible for5243* allocating any required LSM state for the BPF program.5244*5245* Return: Returns 0 on success, error on failure.5246*/5247int security_bpf_prog_load(struct bpf_prog *prog, union bpf_attr *attr,5248struct bpf_token *token, bool kernel)5249{5250int rc;52515252rc = lsm_bpf_prog_alloc(prog);5253if (unlikely(rc))5254return rc;52555256rc = call_int_hook(bpf_prog_load, prog, attr, token, kernel);5257if (unlikely(rc))5258security_bpf_prog_free(prog);5259return rc;5260}52615262/**5263* security_bpf_token_create() - Check if creating of BPF token is allowed5264* @token: BPF token object5265* @attr: BPF syscall attributes used to create BPF token5266* @path: path pointing to BPF FS mount point from which BPF token is created5267*5268* Do a check when the kernel instantiates a new BPF token object from BPF FS5269* instance. This is also the point where LSM blob can be allocated for LSMs.5270*5271* Return: Returns 0 on success, error on failure.5272*/5273int security_bpf_token_create(struct bpf_token *token, union bpf_attr *attr,5274const struct path *path)5275{5276int rc;52775278rc = lsm_bpf_token_alloc(token);5279if (unlikely(rc))5280return rc;52815282rc = call_int_hook(bpf_token_create, token, attr, path);5283if (unlikely(rc))5284security_bpf_token_free(token);5285return rc;5286}52875288/**5289* security_bpf_token_cmd() - Check if BPF token is allowed to delegate5290* requested BPF syscall command5291* @token: BPF token object5292* @cmd: BPF syscall command requested to be delegated by BPF token5293*5294* Do a check when the kernel decides whether provided BPF token should allow5295* delegation of requested BPF syscall command.5296*5297* Return: Returns 0 on success, error on failure.5298*/5299int security_bpf_token_cmd(const struct bpf_token *token, enum bpf_cmd cmd)5300{5301return call_int_hook(bpf_token_cmd, token, cmd);5302}53035304/**5305* security_bpf_token_capable() - Check if BPF token is allowed to delegate5306* requested BPF-related capability5307* @token: BPF token object5308* @cap: capabilities requested to be delegated by BPF token5309*5310* Do a check when the kernel decides whether provided BPF token should allow5311* delegation of requested BPF-related capabilities.5312*5313* Return: Returns 0 on success, error on failure.5314*/5315int security_bpf_token_capable(const struct bpf_token *token, int cap)5316{5317return call_int_hook(bpf_token_capable, token, cap);5318}53195320/**5321* security_bpf_map_free() - Free a bpf map's LSM blob5322* @map: bpf map5323*5324* Clean up the security information stored inside bpf map.5325*/5326void security_bpf_map_free(struct bpf_map *map)5327{5328call_void_hook(bpf_map_free, map);5329kfree(map->security);5330map->security = NULL;5331}53325333/**5334* security_bpf_prog_free() - Free a BPF program's LSM blob5335* @prog: BPF program struct5336*5337* Clean up the security information stored inside BPF program.5338*/5339void security_bpf_prog_free(struct bpf_prog *prog)5340{5341call_void_hook(bpf_prog_free, prog);5342kfree(prog->aux->security);5343prog->aux->security = NULL;5344}53455346/**5347* security_bpf_token_free() - Free a BPF token's LSM blob5348* @token: BPF token struct5349*5350* Clean up the security information stored inside BPF token.5351*/5352void security_bpf_token_free(struct bpf_token *token)5353{5354call_void_hook(bpf_token_free, token);5355kfree(token->security);5356token->security = NULL;5357}5358#endif /* CONFIG_BPF_SYSCALL */53595360/**5361* security_locked_down() - Check if a kernel feature is allowed5362* @what: requested kernel feature5363*5364* Determine whether a kernel feature that potentially enables arbitrary code5365* execution in kernel space should be permitted.5366*5367* Return: Returns 0 if permission is granted.5368*/5369int security_locked_down(enum lockdown_reason what)5370{5371return call_int_hook(locked_down, what);5372}5373EXPORT_SYMBOL(security_locked_down);53745375/**5376* security_bdev_alloc() - Allocate a block device LSM blob5377* @bdev: block device5378*5379* Allocate and attach a security structure to @bdev->bd_security. The5380* security field is initialized to NULL when the bdev structure is5381* allocated.5382*5383* Return: Return 0 if operation was successful.5384*/5385int security_bdev_alloc(struct block_device *bdev)5386{5387int rc = 0;53885389rc = lsm_bdev_alloc(bdev);5390if (unlikely(rc))5391return rc;53925393rc = call_int_hook(bdev_alloc_security, bdev);5394if (unlikely(rc))5395security_bdev_free(bdev);53965397return rc;5398}5399EXPORT_SYMBOL(security_bdev_alloc);54005401/**5402* security_bdev_free() - Free a block device's LSM blob5403* @bdev: block device5404*5405* Deallocate the bdev security structure and set @bdev->bd_security to NULL.5406*/5407void security_bdev_free(struct block_device *bdev)5408{5409if (!bdev->bd_security)5410return;54115412call_void_hook(bdev_free_security, bdev);54135414kfree(bdev->bd_security);5415bdev->bd_security = NULL;5416}5417EXPORT_SYMBOL(security_bdev_free);54185419/**5420* security_bdev_setintegrity() - Set the device's integrity data5421* @bdev: block device5422* @type: type of integrity, e.g. hash digest, signature, etc5423* @value: the integrity value5424* @size: size of the integrity value5425*5426* Register a verified integrity measurement of a bdev with LSMs.5427* LSMs should free the previously saved data if @value is NULL.5428* Please note that the new hook should be invoked every time the security5429* information is updated to keep these data current. For example, in dm-verity,5430* if the mapping table is reloaded and configured to use a different dm-verity5431* target with a new roothash and signing information, the previously stored5432* data in the LSM blob will become obsolete. It is crucial to re-invoke the5433* hook to refresh these data and ensure they are up to date. This necessity5434* arises from the design of device-mapper, where a device-mapper device is5435* first created, and then targets are subsequently loaded into it. These5436* targets can be modified multiple times during the device's lifetime.5437* Therefore, while the LSM blob is allocated during the creation of the block5438* device, its actual contents are not initialized at this stage and can change5439* substantially over time. This includes alterations from data that the LSMs5440* 'trusts' to those they do not, making it essential to handle these changes5441* correctly. Failure to address this dynamic aspect could potentially allow5442* for bypassing LSM checks.5443*5444* Return: Returns 0 on success, negative values on failure.5445*/5446int security_bdev_setintegrity(struct block_device *bdev,5447enum lsm_integrity_type type, const void *value,5448size_t size)5449{5450return call_int_hook(bdev_setintegrity, bdev, type, value, size);5451}5452EXPORT_SYMBOL(security_bdev_setintegrity);54535454#ifdef CONFIG_PERF_EVENTS5455/**5456* security_perf_event_open() - Check if a perf event open is allowed5457* @type: type of event5458*5459* Check whether the @type of perf_event_open syscall is allowed.5460*5461* Return: Returns 0 if permission is granted.5462*/5463int security_perf_event_open(int type)5464{5465return call_int_hook(perf_event_open, type);5466}54675468/**5469* security_perf_event_alloc() - Allocate a perf event LSM blob5470* @event: perf event5471*5472* Allocate and save perf_event security info.5473*5474* Return: Returns 0 on success, error on failure.5475*/5476int security_perf_event_alloc(struct perf_event *event)5477{5478int rc;54795480rc = lsm_blob_alloc(&event->security, blob_sizes.lbs_perf_event,5481GFP_KERNEL);5482if (rc)5483return rc;54845485rc = call_int_hook(perf_event_alloc, event);5486if (rc) {5487kfree(event->security);5488event->security = NULL;5489}5490return rc;5491}54925493/**5494* security_perf_event_free() - Free a perf event LSM blob5495* @event: perf event5496*5497* Release (free) perf_event security info.5498*/5499void security_perf_event_free(struct perf_event *event)5500{5501kfree(event->security);5502event->security = NULL;5503}55045505/**5506* security_perf_event_read() - Check if reading a perf event label is allowed5507* @event: perf event5508*5509* Read perf_event security info if allowed.5510*5511* Return: Returns 0 if permission is granted.5512*/5513int security_perf_event_read(struct perf_event *event)5514{5515return call_int_hook(perf_event_read, event);5516}55175518/**5519* security_perf_event_write() - Check if writing a perf event label is allowed5520* @event: perf event5521*5522* Write perf_event security info if allowed.5523*5524* Return: Returns 0 if permission is granted.5525*/5526int security_perf_event_write(struct perf_event *event)5527{5528return call_int_hook(perf_event_write, event);5529}5530#endif /* CONFIG_PERF_EVENTS */55315532#ifdef CONFIG_IO_URING5533/**5534* security_uring_override_creds() - Check if overriding creds is allowed5535* @new: new credentials5536*5537* Check if the current task, executing an io_uring operation, is allowed to5538* override it's credentials with @new.5539*5540* Return: Returns 0 if permission is granted.5541*/5542int security_uring_override_creds(const struct cred *new)5543{5544return call_int_hook(uring_override_creds, new);5545}55465547/**5548* security_uring_sqpoll() - Check if IORING_SETUP_SQPOLL is allowed5549*5550* Check whether the current task is allowed to spawn a io_uring polling thread5551* (IORING_SETUP_SQPOLL).5552*5553* Return: Returns 0 if permission is granted.5554*/5555int security_uring_sqpoll(void)5556{5557return call_int_hook(uring_sqpoll);5558}55595560/**5561* security_uring_cmd() - Check if a io_uring passthrough command is allowed5562* @ioucmd: command5563*5564* Check whether the file_operations uring_cmd is allowed to run.5565*5566* Return: Returns 0 if permission is granted.5567*/5568int security_uring_cmd(struct io_uring_cmd *ioucmd)5569{5570return call_int_hook(uring_cmd, ioucmd);5571}55725573/**5574* security_uring_allowed() - Check if io_uring_setup() is allowed5575*5576* Check whether the current task is allowed to call io_uring_setup().5577*5578* Return: Returns 0 if permission is granted.5579*/5580int security_uring_allowed(void)5581{5582return call_int_hook(uring_allowed);5583}5584#endif /* CONFIG_IO_URING */55855586/**5587* security_initramfs_populated() - Notify LSMs that initramfs has been loaded5588*5589* Tells the LSMs the initramfs has been unpacked into the rootfs.5590*/5591void security_initramfs_populated(void)5592{5593call_void_hook(initramfs_populated);5594}559555965597