fs/fcntl.c
SYSCALL_DEFINE3(fcntl, unsigned int, fd, unsigned int, cmd, unsigned long, arg)
{
struct file *filp;
long err = -EBADF;
filp = fget(fd);
if (!filp)
goto out;
err = security_file_fcntl(filp, cmd, arg);
if (err) {
fput(filp);
return err;
}
err = do_fcntl(fd, cmd, arg, filp);
fput(filp);
out:
return err;
}
///////////
fs/file_table.c
struct file *fget(unsigned int fd)
{
struct file *file;
struct files_struct *files = current->files;
rcu_read_lock();
file = fcheck_files(files, fd);
if (file) {
if (!atomic_long_inc_not_zero(&file->f_count)) {
/* File object ref couldn't be taken */
rcu_read_unlock();
return NULL;
}
}
rcu_read_unlock();
return file;
}
////////////////////
fs/file_table.c
void fput(struct file *file)
{
if (atomic_long_dec_and_test(&file->f_count))
__fput(file);
}
/* __fput is called from task context when aio completion releases the last
* last use of a struct file *. Do not use otherwise.
*/
void __fput(struct file *file)
{
struct dentry *dentry = file->f_path.dentry;
struct vfsmount *mnt = file->f_path.mnt;
struct inode *inode = dentry->d_inode;
might_sleep();
fsnotify_close(file);
/*
* The function eventpoll_release() should be the first called
* in the file cleanup chain.
*/
eventpoll_release(file);
locks_remove_flock(file);
if (unlikely(file->f_flags & FASYNC)) {
if (file->f_op && file->f_op->fasync)
file->f_op->fasync(-1, file, 0);
}
if (file->f_op && file->f_op->release)
file->f_op->release(inode, file);
security_file_free(file);
if (unlikely(S_ISCHR(inode->i_mode) && inode->i_cdev != NULL))
cdev_put(inode->i_cdev);
fops_put(file->f_op);
put_pid(file->f_owner.pid);
file_kill(file);
if (file->f_mode & FMODE_WRITE)
drop_file_write_access(file);
file->f_path.dentry = NULL;
file->f_path.mnt = NULL;
file_free(file);
dput(dentry);
mntput(mnt);
}
/////////////////////////////
fs/fcntl.c
static long do_fcntl(int fd, unsigned int cmd, unsigned long arg,
struct file *filp)
{
long err = -EINVAL;
switch (cmd) {
case F_DUPFD:
case F_DUPFD_CLOEXEC:
if (arg >= current->signal->rlim[RLIMIT_NOFILE].rlim_cur)
break;
err = alloc_fd(arg, cmd == F_DUPFD_CLOEXEC ? O_CLOEXEC : 0);
if (err >= 0) {
get_file(filp);
fd_install(err, filp);
}
break;
case F_GETFD:
err = get_close_on_exec(fd) ? FD_CLOEXEC : 0;
break;
case F_SETFD:
err = 0;
set_close_on_exec(fd, arg & FD_CLOEXEC);
break;
case F_GETFL:
err = filp->f_flags;
break;
case F_SETFL:
err = setfl(fd, filp, arg);
break;
case F_GETLK:
err = fcntl_getlk(filp, (struct flock __user *) arg);
break;
case F_SETLK:
case F_SETLKW:
err = fcntl_setlk(fd, filp, cmd, (struct flock __user *) arg);
break;
case F_GETOWN:
/*
* XXX If f_owner is a process group, the
* negative return value will get converted
* into an error. Oops. If we keep the
* current syscall conventions, the only way
* to fix this will be in libc.
*/
err = f_getown(filp);
force_successful_syscall_return();
break;
case F_SETOWN:
err = f_setown(filp, arg, 1);
break;
case F_GETSIG:
err = filp->f_owner.signum;
break;
case F_SETSIG:
/* arg == 0 restores default behaviour. */
if (!valid_signal(arg)) {
break;
}
err = 0;
filp->f_owner.signum = arg;
break;
case F_GETLEASE:
err = fcntl_getlease(filp);
break;
case F_SETLEASE:
err = fcntl_setlease(fd, filp, arg);
break;
case F_NOTIFY:
err = fcntl_dirnotify(fd, filp, arg);
break;
default:
break;
}
return err;
}
1.入口参数:
(1)fd:欲访问文件的文件描述符
(2)cmd:要执行的操作的命令,这个参数定义了10个标志,下面介绍其中的5个,
F_DUPFD、F_GETFD、F_SETFD、F_GETFL和 F_SETFL
(3)arg:可选,主要根据第二个命令来决定是否需要
2.出口参数:根据第二个参数的不同,这个返回值也不一样。
3.函数功能:
第二个参数是F_DUPFD,则进行复制文件描述符的操作。它需要用到第三个参数arg,这时arg是一个文件描述符,fcntl(fd,F_DUPFD,arg)在files_struct结构中从指定的arg开始搜索空闲的文件描述符,找到第一个后,将fd的内容复制进来,然后将新找到的文件描述符返回。
第二个参数是F_GETFD,则返回files_struct结构中close_on_exec的值。无需第三个参数。
第二个参数是F_SETFD,则需要第三个参数,若arg最低位为1,则对close_on_exec置位,否则清除close_on_exec。
第二个参数是F_GETFL,则用来读取open系统调用第二个参数设置的标志,即文件的打开方式(O_RDONLY,O_WRONLY,O_APPEND等),它不需要第三个参数。实际上上这时函数返回的是file结构中的flags域。
第二个参数是F_SETFL,则用来对open系统调用第二个参数设置的标志进行改变,但是它只能对O_APPEND和O_NONBLOCK标志进行改变,这时需要第三个参数arg,用来确定如何改变。函数返回0表示操作成功,否则返回-1,并置一个错
///////////////////////////
security/security.c
int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
{
return security_ops->file_fcntl(file, cmd, arg);
}
/***
* struct security_operations - main security structure
*
* Security module identifier.
*
* @name:
*A string that acts as a unique identifeir for the LSM with max number
*of characters = SECURITY_NAME_MAX.
*
* Security hooks for program execution operations.
*
* @bprm_alloc_security:
*Allocate and attach a security structure to the @bprm->security field.
*The security field is initialized to NULL when the bprm structure is
*allocated.
*@bprm contains the linux_binprm structure to be modified.
*Return 0 if operation was successful.
* @bprm_free_security:
*@bprm contains the linux_binprm structure to be modified.
*Deallocate and clear the @bprm->security field.
* @bprm_apply_creds:
*Compute and set the security attributes of a process being transformed
*by an execve operation based on the old attributes (current->security)
*and the information saved in @bprm->security by the set_security hook.
*Since this hook function (and its caller) are void, this hook can not
*return an error. However, it can leave the security attributes of the
*process unchanged if an access failure occurs at this point.
*bprm_apply_creds is called under task_lock. @unsafe indicates various
*reasons why it may be unsafe to change security state.
*@bprm contains the linux_binprm structure.
* @bprm_post_apply_creds:
*Runs after bprm_apply_creds with the task_lock dropped, so that
*functions which cannot be called safely under the task_lock can
*be used. This hook is a good place to perform state changes on
*the process such as closing open file descriptors to which access
*is no longer granted if the attributes were changed.
*Note that a security module might need to save state between
*bprm_apply_creds and bprm_post_apply_creds to store the decision
*on whether the process may proceed.
*@bprm contains the linux_binprm structure.
* @bprm_set_security:
*Save security information in the bprm->security field, typically based
*on information about the bprm->file, for later use by the apply_creds
*hook. This hook may also optionally check permissions (e.g. for
*transitions between security domains).
*This hook may be called multiple times during a single execve, e.g. for
*interpreters. The hook can tell whether it has already been called by
*checking to see if @bprm->security is non-NULL. If so, then the hook
*may decide either to retain the security information saved earlier or
*to replace it.
*@bprm contains the linux_binprm structure.
*Return 0 if the hook is successful and permission is granted.
* @bprm_check_security:
*This hook mediates the point when a search for a binary handlerwill
*begin. It allows a check the @bprm->security value which is set in
*the preceding set_security call. The primary difference from
*set_security is that the argv list and envp list are reliably
*available in @bprm. This hook may be called multiple times
*during a single execve; and in each pass set_security is called
*first.
*@bprm contains the linux_binprm structure.
*Return 0 if the hook is successful and permission is granted.
* @bprm_secureexec:
*Return a boolean value (0 or 1) indicating whether a "secure exec"
*is required. The flag is passed in the auxiliary table
*on the initial stack to the ELF interpreter to indicate whether libc
*should enable secure mode.
*@bprm contains the linux_binprm structure.
*
* Security hooks for filesystem operations.
*
* @sb_alloc_security:
*Allocate and attach a security structure to the sb->s_security field.
*The s_security field is initialized to NULL when the structure is
*allocated.
*@sb contains the super_block structure to be modified.
*Return 0 if operation was successful.
* @sb_free_security:
*Deallocate and clear the sb->s_security field.
*@sb contains the super_block structure to be modified.
* @sb_statfs:
*Check permission before obtaining filesystem statistics for the @mnt
*mountpoint.
*@dentry is a handle on the superblock for the filesystem.
*Return 0 if permission is granted.
* @sb_mount:
*Check permission before an object specified by @dev_name is mounted on
*the mount point named by @nd. For an ordinary mount, @dev_name
*identifies a device if the file system type requires a device. For a
*remount (@flags & MS_REMOUNT), @dev_name is irrelevant. For a
*loopback/bind mount (@flags & MS_BIND), @dev_name identifies the
*pathname of the object being mounted.
*@dev_name contains the name for object being mounted.
*@path contains the path for mount point object.
*@type contains the filesystem type.
*@flags contains the mount flags.
*@data contains the filesystem-specific data.
*Return 0 if permission is granted.
* @sb_copy_data:
*Allow mount option data to be copied prior to parsing by the filesystem,
*so that the security module can extract security-specific mount
*options cleanly (a filesystem may modify the data e.g. with strsep()).
*This also allows the original mount data to be stripped of security-
*specific options to avoid having to make filesystems aware of them.
*@type the type of filesystem being mounted.
*@orig the original mount data copied from userspace.
*@copy copied data which will be passed to the security module.
*Returns 0 if the copy was successful.
* @sb_check_sb:
*Check permission before the device with superblock @mnt->sb is mounted
*on the mount point named by @nd.
*@mnt contains the vfsmount for device being mounted.
*@path contains the path for the mount point.
*Return 0 if permission is granted.
* @sb_umount:
*Check permission before the @mnt file system is unmounted.
*@mnt contains the mounted file system.
*@flags contains the unmount flags, e.g. MNT_FORCE.
*Return 0 if permission is granted.
* @sb_umount_close:
*Close any files in the @mnt mounted filesystem that are held open by
*the security module. This hook is called during an umount operation
*prior to checking whether the filesystem is still busy.
*@mnt contains the mounted filesystem.
* @sb_umount_busy:
*Handle a failed umount of the @mnt mounted filesystem, e.g. re-opening
*any files that were closed by umount_close. This hook is called during
*an umount operation if the umount fails after a call to the
*umount_close hook.
*@mnt contains the mounted filesystem.
* @sb_post_remount:
*Update the security module's state when a filesystem is remounted.
*This hook is only called if the remount was successful.
*@mnt contains the mounted file system.
*@flags contains the new filesystem flags.
*@data contains the filesystem-specific data.
* @sb_post_addmount:
*Update the security module's state when a filesystem is mounted.
*This hook is called any time a mount is successfully grafetd to
*the tree.
*@mnt contains the mounted filesystem.
*@mountpoint contains the path for the mount point.
* @sb_pivotroot:
*Check permission before pivoting the root filesystem.
*@old_path contains the path for the new location of the current root (put_old).
*@new_path contains the path for the new root (new_root).
*Return 0 if permission is granted.
* @sb_post_pivotroot:
*Update module state after a successful pivot.
*@old_path contains the path for the old root.
*@new_path contains the path for the new root.
* @sb_set_mnt_opts:
*Set the security relevant mount options used for a superblock
*@sb the superblock to set security mount options for
*@opts binary data structure containing all lsm mount data
* @sb_clone_mnt_opts:
*Copy all security options from a given superblock to another
*@oldsb old superblock which contain information to clone
*@newsb new superblock which needs filled in
* @sb_parse_opts_str:
*Parse a string of security data filling in the opts structure
*@options string containing all mount options known by the LSM
*@opts binary data structure usable by the LSM
*
* Security hooks for inode operations.
*
* @inode_alloc_security:
*Allocate and attach a security structure to @inode->i_security. The
*i_security field is initialized to NULL when the inode structure is
*allocated.
*@inode contains the inode structure.
*Return 0 if operation was successful.
* @inode_free_security:
*@inode contains the inode structure.
*Deallocate the inode security structure and set @inode->i_security to
*NULL.
* @inode_init_security:
*Obtain the security attribute name suffix and value to set on a newly
*created inode and set up the incore security field for the new inode.
*This hook is called by the fs code as part of the inode creation
*transaction and provides for atomic labeling of the inode, unlike
*the post_create/mkdir/... hooks called by the VFS. The hook function
*is expected to allocate the name and value via kmalloc, with the caller
*being responsible for calling kfree after using them.
*If the security module does not use security attributes or does
*not wish to put a security attribute on this particular inode,
*then it should return -EOPNOTSUPP to skip this processing.
*@inode contains the inode structure of the newly created inode.
*@dir contains the inode structure of the parent directory.
*@name will be set to the allocated name suffix (e.g. selinux).
*@value will be set to the allocated attribute value.
*@len will be set to the length of the value.
*Returns 0 if @name and @value have been successfully set,
*-EOPNOTSUPP if no security attribute is needed, or
*-ENOMEM on memory allocation failure.
* @inode_create:
*Check permission to create a regular file.
*@dir contains inode structure of the parent of the new file.
*@dentry contains the dentry structure for the file to be created.
*@mode contains the file mode of the file to be created.
*Return 0 if permission is granted.
* @inode_link:
*Check permission before creating a new hard link to a file.
*@old_dentry contains the dentry structure for an existing link to the file.
*@dir contains the inode structure of the parent directory of the new link.
*@new_dentry contains the dentry structure for the new link.
*Return 0 if permission is granted.
* @inode_unlink:
*Check the permission to remove a hard link to a file.
*@dir contains the inode structure of parent directory of the file.
*@dentry contains the dentry structure for file to be unlinked.
*Return 0 if permission is granted.
* @inode_symlink:
*Check the permission to create a symbolic link to a file.
*@dir contains the inode structure of parent directory of the symbolic link.
*@dentry contains the dentry structure of the symbolic link.
*@old_name contains the pathname of file.
*Return 0 if permission is granted.
* @inode_mkdir:
*Check permissions to create a new directory in the existing directory
*associated with inode strcture @dir.
*@dir containst the inode structure of parent of the directory to be created.
*@dentry contains the dentry structure of new directory.
*@mode contains the mode of new directory.
*Return 0 if permission is granted.
* @inode_rmdir:
*Check the permission to remove a directory.
*@dir contains the inode structure of parent of the directory to be removed.
*@dentry contains the dentry structure of directory to be removed.
*Return 0 if permission is granted.
* @inode_mknod:
*Check permissions when creating a special file (or a socket or a fifo
*file created via the mknod system call). Note that if mknod operation
*is being done for a regular file, then the create hook will be called
*and not this hook.
*@dir contains the inode structure of parent of the new file.
*@dentry contains the dentry structure of the new file.
*@mode contains the mode of the new file.
*@dev contains the device number.
*Return 0 if permission is granted.
* @inode_rename:
*Check for permission to rename a file or directory.
*@old_dir contains the inode structure for parent of the old link.
*@old_dentry contains the dentry structure of the old link.
*@new_dir contains the inode structure for parent of the new link.
*@new_dentry contains the dentry structure of the new link.
*Return 0 if permission is granted.
* @inode_readlink:
*Check the permission to read the symbolic link.
*@dentry contains the dentry structure for the file link.
*Return 0 if permission is granted.
* @inode_follow_link:
*Check permission to follow a symbolic link when looking up a pathname.
*@dentry contains the dentry structure for the link.
*@nd contains the nameidata structure for the parent directory.
*Return 0 if permission is granted.
* @inode_permission:
*Check permission before accessing an inode. This hook is called by the
*existing Linux permission function, so a security module can use it to
*provide additional checking for existing Linux permission checks.
*Notice that this hook is called when a file is opened (as well as many
*other operations), whereas the file_security_ops permission hook is
*called when the actual read/write operations are performed.
*@inode contains the inode structure to check.
*@mask contains the permission mask.
*@nd contains the nameidata (may be NULL).
*Return 0 if permission is granted.
* @inode_setattr:
*Check permission before setting file attributes. Note that the kernel
*call to notify_change is performed from several locations, whenever
*file attributes change (such as when a file is truncated, chown/chmod
*operations, transferring disk quotas, etc).
*@dentry contains the dentry structure for the file.
*@attr is the iattr structure containing the new file attributes.
*Return 0 if permission is granted.
* @inode_getattr:
*Check permission before obtaining file attributes.
*@mnt is the vfsmount where the dentry was looked up
*@dentry contains the dentry structure for the file.
*Return 0 if permission is granted.
* @inode_delete:
*@inode contains the inode structure for deleted inode.
*This hook is called when a deleted inode is released (i.e. an inode
*with no hard links has its use count drop to zero). A security module
*can use this hook to release any persistent label associated with the
*inode.
* @inode_setxattr:
*Check permission before setting the extended attributes
*@value identified by @name for @dentry.
*Return 0 if permission is granted.
* @inode_post_setxattr:
*Update inode security field after successful setxattr operation.
*@value identified by @name for @dentry.
* @inode_getxattr:
*Check permission before obtaining the extended attributes
*identified by @name for @dentry.
*Return 0 if permission is granted.
* @inode_listxattr:
*Check permission before obtaining the list of extended attribute
*names for @dentry.
*Return 0 if permission is granted.
* @inode_removexattr:
*Check permission before removing the extended attribute
*identified by @name for @dentry.
*Return 0 if permission is granted.
* @inode_getsecurity:
*Retrieve a copy of the extended attribute representation of the
*security label associated with @name for @inode via @buffer. Note that
*@name is the remainder of the attribute name after the security prefix
*has been removed. @alloc is used to specify of the call should return a
*value via the buffer or just the value length Return size of buffer on
*success.
* @inode_setsecurity:
*Set the security label associated with @name for @inode from the
*extended attribute value @value. @size indicates the size of the
*@value in bytes. @flags may be XATTR_CREATE, XATTR_REPLACE, or 0.
*Note that @name is the remainder of the attribute name after the
*security. prefix has been removed.
*Return 0 on success.
* @inode_listsecurity:
*Copy the extended attribute names for the security labels
*associated with @inode into @buffer. The maximum size of @buffer
*is specified by @buffer_size. @buffer may be NULL to request
*the size of the buffer required.
*Returns number of bytes used/required on success.
* @inode_need_killpriv:
*Called when an inode has been changed.
*@dentry is the dentry being changed.
*Return <0 on error to abort the inode change operation.
*Return 0 if inode_killpriv does not need to be called.
*Return >0 if inode_killpriv does need to be called.
* @inode_killpriv:
*The setuid bit is being removed. Remove similar security labels.
*Called with the dentry->d_inode->i_mutex held.
*@dentry is the dentry being changed.
*Return 0 on success. If error is returned, then the operation
*causing setuid bit removal is failed.
* @inode_getsecid:
*Get the secid associated with the node.
*@inode contains a pointer to the inode.
*@secid contains a pointer to the location where result will be saved.
*In case of failure, @secid will be set to zero.
*
* Security hooks for file operations
*
* @file_permission:
*Check file permissions before accessing an open file. This hook is
*called by various operations that read or write files. A security
*module can use this hook to perform additional checking on these
*operations, e.g. to revalidate permissions on use to support privilege
*bracketing or policy changes. Notice that this hook is used when the
*actual read/write operations are performed, whereas the
*inode_security_ops hook is called when a file is opened (as well as
*many other operations).
*Caveat: Although this hook can be used to revalidate permissions for
*various system call operations that read or write files, it does not
*address the revalidation of permissions for memory-mapped files.
*Security modules must handle this separately if they need such
*revalidation.
*@file contains the file structure being accessed.
*@mask contains the requested permissions.
*Return 0 if permission is granted.
* @file_alloc_security:
*Allocate and attach a security structure to the file->f_security field.
*The security field is initialized to NULL when the structure is first
*created.
*@file contains the file structure to secure.
*Return 0 if the hook is successful and permission is granted.
* @file_free_security:
*Deallocate and free any security structures stored in file->f_security.
*@file contains the file structure being modified.
* @file_ioctl:
*@file contains the file structure.
*@cmd contains the operation to perform.
*@arg contains the operational arguments.
*Check permission for an ioctl operation on @file. Note that @arg can
*sometimes represents a user space pointer; in other cases, it may be a
*simple integer value. When @arg represents a user space pointer, it
*should never be used by the security module.
*Return 0 if permission is granted.
* @file_mmap :
*Check permissions for a mmap operation. The @file may be NULL, e.g.
*if mapping anonymous memory.
*@file contains the file structure for file to map (may be NULL).
*@reqprot contains the protection requested by the application.
*@prot contains the protection that will be applied by the kernel.
*@flags contains the operational flags.
*Return 0 if permission is granted.
* @file_mprotect:
*Check permissions before changing memory access permissions.
*@vma contains the memory region to modify.
*@reqprot contains the protection requested by the application.
*@prot contains the protection that will be applied by the kernel.
*Return 0 if permission is granted.
* @file_lock:
*Check permission before performing file locking operations.
*Note: this hook mediates both flock and fcntl style locks.
*@file contains the file structure.
*@cmd contains the posix-translated lock operation to perform
*(e.g. F_RDLCK, F_WRLCK).
*Return 0 if permission is granted.
* @file_fcntl:
*Check permission before allowing the file operation specified by @cmd
*from being performed on the file @file. Note that @arg can sometimes
*represents a user space pointer; in other cases, it may be a simple
*integer value. When @arg represents a user space pointer, it should
*never be used by the security module.
*@file contains the file structure.
*@cmd contains the operation to be performed.
*@arg contains the operational arguments.
*Return 0 if permission is granted.
* @file_set_fowner:
*Save owner security information (typically from current->security) in
*file->f_security for later use by the send_sigiotask hook.
*@file contains the file structure to update.
*Return 0 on success.
* @file_send_sigiotask:
*Check permission for the file owner @fown to send SIGIO or SIGURG to the
*process @tsk. Note that this hook is sometimes called from interrupt.
*Note that the fown_struct, @fown, is never outside the context of a
*struct file, so the file structure (and associated security information)
*can always be obtained:
*container_of(fown, struct file, f_owner)
*@tsk contains the structure of task receiving signal.
*@fown contains the file owner information.
*@sig is the signal that will be sent. When 0, kernel sends SIGIO.
*Return 0 if permission is granted.
* @file_receive:
*This hook allows security modules to control the ability of a process
*to receive an open file descriptor via socket IPC.
*@file contains the file structure being received.
*Return 0 if permission is granted.
*
* Security hook for dentry
*
* @dentry_open
*Save open-time permission checking state for later use upon
*file_permission, and recheck access if anything has changed
*since inode_permission.
*
* Security hooks for task operations.
*
* @task_create:
*Check permission before creating a child process. See the clone(2)
*manual page for definitions of the @clone_flags.
*@clone_flags contains the flags indicating what should be shared.
*Return 0 if permission is granted.
* @task_alloc_security:
*@p contains the task_struct for child process.
*Allocate and attach a security structure to the p->security field. The
*security field is initialized to NULL when the task structure is
*allocated.
*Return 0 if operation was successful.
* @task_free_security:
*@p contains the task_struct for process.
*Deallocate and clear the p->security field.
* @task_setuid:
*Check permission before setting one or more of the user identity
*attributes of the current process. The @flags parameter indicates
*which of the set*uid system calls invoked this hook and how to
*interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID
*definitions at the beginning of this file for the @flags values and
*their meanings.
*@id0 contains a uid.
*@id1 contains a uid.
*@id2 contains a uid.
*@flags contains one of the LSM_SETID_* values.
*Return 0 if permission is granted.
* @task_post_setuid:
*Update the module's state after setting one or more of the user
*identity attributes of the current process. The @flags parameter
*indicates which of the set*uid system calls invoked this hook. If
*@flags is LSM_SETID_FS, then @old_ruid is the old fs uid and the other
*parameters are not used.
*@old_ruid contains the old real uid (or fs uid if LSM_SETID_FS).
*@old_euid contains the old effective uid (or -1 if LSM_SETID_FS).
*@old_suid contains the old saved uid (or -1 if LSM_SETID_FS).
*@flags contains one of the LSM_SETID_* values.
*Return 0 on success.
* @task_setgid:
*Check permission before setting one or more of the group identity
*attributes of the current process. The @flags parameter indicates
*which of the set*gid system calls invoked this hook and how to
*interpret the @id0, @id1, and @id2 parameters. See the LSM_SETID
*definitions at the beginning of this file for the @flags values and
*their meanings.
*@id0 contains a gid.
*@id1 contains a gid.
*@id2 contains a gid.
*@flags contains one of the LSM_SETID_* values.
*Return 0 if permission is granted.
* @task_setpgid:
*Check permission before setting the process group identifier of the
*process @p to @pgid.
*@p contains the task_struct for process being modified.
*@pgid contains the new pgid.
*Return 0 if permission is granted.
* @task_getpgid:
*Check permission before getting the process group identifier of the
*process @p.
*@p contains the task_struct for the process.
*Return 0 if permission is granted.
* @task_getsid:
*Check permission before getting the session identifier of the process
*@p.
*@p contains the task_struct for the process.
*Return 0 if permission is granted.
* @task_getsecid:
*Retrieve the security identifier of the process @p.
*@p contains the task_struct for the process and place is into @secid.
*In case of failure, @secid will be set to zero.
*
* @task_setgroups:
*Check permission before setting the supplementary group set of the
*current process.
*@group_info contains the new group information.
*Return 0 if permission is granted.
* @task_setnice:
*Check permission before setting the nice value of @p to @nice.
*@p contains the task_struct of process.
*@nice contains the new nice value.
*Return 0 if permission is granted.
* @task_setioprio
*Check permission before setting the ioprio value of @p to @ioprio.
*@p contains the task_struct of process.
*@ioprio contains the new ioprio value
*Return 0 if permission is granted.
* @task_getioprio
*Check permission before getting the ioprio value of @p.
*@p contains the task_struct of process.
*Return 0 if permission is granted.
* @task_setrlimit:
*Check permission before setting the resource limits of the current
*process for @resource to @new_rlim. The old resource limit values can
*be examined by dereferencing (current->signal->rlim + resource).
*@resource contains the resource whose limit is being set.
*@new_rlim contains the new limits for @resource.
*Return 0 if permission is granted.
* @task_setscheduler:
*Check permission before setting scheduling policy and/or parameters of
*process @p based on @policy and @lp.
*@p contains the task_struct for process.
*@policy contains the scheduling policy.
*@lp contains the scheduling parameters.
*Return 0 if permission is granted.
* @task_getscheduler:
*Check permission before obtaining scheduling information for process
*@p.
*@p contains the task_struct for process.
*Return 0 if permission is granted.
* @task_movememory
*Check permission before moving memory owned by process @p.
*@p contains the task_struct for process.
*Return 0 if permission is granted.
* @task_kill:
*Check permission before sending signal @sig to @p. @info can be NULL,
*the constant 1, or a pointer to a siginfo structure. If @info is 1 or
*SI_FROMKERNEL(info) is true, then the signal should be viewed as coming
*from the kernel and should typically be permitted.
*SIGIO signals are handled separately by the send_sigiotask hook in
*file_security_ops.
*@p contains the task_struct for process.
*@info contains the signal information.
*@sig contains the signal value.
*@secid contains the sid of the process where the signal originated
*Return 0 if permission is granted.
* @task_wait:
*Check permission before allowing a process to reap a child process @p
*and collect its status information.
*@p contains the task_struct for process.
*Return 0 if permission is granted.
* @task_prctl:
*Check permission before performing a process control operation on the
*current process.
*@option contains the operation.
*@arg2 contains a argument.
*@arg3 contains a argument.
*@arg4 contains a argument.
*@arg5 contains a argument.
* @rc_p contains a pointer to communicate back the forced return code
*Return 0 if permission is granted, and non-zero if the security module
* has taken responsibility (setting *rc_p) for the prctl call.
* @task_reparent_to_init:
*Set the security attributes in @p->security for a kernel thread that
*is being reparented to the init task.
*@p contains the task_struct for the kernel thread.
* @task_to_inode:
*Set the security attributes for an inode based on an associated task's
*security attributes, e.g. for /proc/pid inodes.
*@p contains the task_struct for the task.
*@inode contains the inode structure for the inode.
*
* Security hooks for Netlink messaging.
*
* @netlink_send:
*Save security information for a netlink message so that permission
*checking can be performed when the message is processed. The security
*information can be saved using the eff_cap field of the
*netlink_skb_parms structure. Also may be used to provide fine
*grained control over message transmission.
*@sk associated sock of task sending the message.,
*@skb contains the sk_buff structure for the netlink message.
*Return 0 if the information was successfully saved and message
*is allowed to be transmitted.
* @netlink_recv:
*Check permission before processing the received netlink message in
*@skb.
*@skb contains the sk_buff structure for the netlink message.
*@cap indicates the capability required
*Return 0 if permission is granted.
*
* Security hooks for Unix domain networking.
*
* @unix_stream_connect:
*Check permissions before establishing a Unix domain stream connection
*between @sock and @other.
*@sock contains the socket structure.
*@other contains the peer socket structure.
*Return 0 if permission is granted.
* @unix_may_send:
*Check permissions before connecting or sending datagrams from @sock to
*@other.
*@sock contains the socket structure.
*@sock contains the peer socket structure.
*Return 0 if permission is granted.
*
* The @unix_stream_connect and @unix_may_send hooks were necessary because
* Linux provides an alternative to the conventional file name space for Unix
* domain sockets. Whereas binding and connecting to sockets in the file name
* space is mediated by the typical file permissions (and caught by the mknod
* and permission hooks in inode_security_ops), binding and connecting to
* sockets in the abstract name space is completely unmediated. Sufficient
* control of Unix domain sockets in the abstract name space isn't possible
* using only the socket layer hooks, since we need to know the actual target
* socket, which is not looked up until we are inside the af_unix code.
*
* Security hooks for socket operations.
*
* @socket_create:
*Check permissions prior to creating a new socket.
*@family contains the requested protocol family.
*@type contains the requested communications type.
*@protocol contains the requested protocol.
*@kern set to 1 if a kernel socket.
*Return 0 if permission is granted.
* @socket_post_create:
*This hook allows a module to update or allocate a per-socket security
*structure. Note that the security field was not added directly to the
*socket structure, but rather, the socket security information is stored
*in the associated inode. Typically, the inode alloc_security hook will
*allocate and and attach security information to
*sock->inode->i_security. This hook may be used to update the
*sock->inode->i_security field with additional information that wasn't
*available when the inode was allocated.
*@sock contains the newly created socket structure.
*@family contains the requested protocol family.
*@type contains the requested communications type.
*@protocol contains the requested protocol.
*@kern set to 1 if a kernel socket.
* @socket_bind:
*Check permission before socket protocol layer bind operation is
*performed and the socket @sock is bound to the address specified in the
*@address parameter.
*@sock contains the socket structure.
*@address contains the address to bind to.
*@addrlen contains the length of address.
*Return 0 if permission is granted.
* @socket_connect:
*Check permission before socket protocol layer connect operation
*attempts to connect socket @sock to a remote address, @address.
*@sock contains the socket structure.
*@address contains the address of remote endpoint.
*@addrlen contains the length of address.
*Return 0 if permission is granted.
* @socket_listen:
*Check permission before socket protocol layer listen operation.
*@sock contains the socket structure.
*@backlog contains the maximum length for the pending connection queue.
*Return 0 if permission is granted.
* @socket_accept:
*Check permission before accepting a new connection. Note that the new
*socket, @newsock, has been created and some information copied to it,
*but the accept operation has not actually been performed.
*@sock contains the listening socket structure.
*@newsock contains the newly created server socket for connection.
*Return 0 if permission is granted.
* @socket_post_accept:
*This hook allows a security module to copy security
*information into the newly created socket's inode.
*@sock contains the listening socket structure.
*@newsock contains the newly created server socket for connection.
* @socket_sendmsg:
*Check permission before transmitting a message to another socket.
*@sock contains the socket structure.
*@msg contains the message to be transmitted.
*@size contains the size of message.
*Return 0 if permission is granted.
* @socket_recvmsg:
*Check permission before receiving a message from a socket.
*@sock contains the socket structure.
*@msg contains the message structure.
*@size contains the size of message structure.
*@flags contains the operational flags.
*Return 0 if permission is granted.
* @socket_getsockname:
*Check permission before the local address (name) of the socket object
*@sock is retrieved.
*@sock contains the socket structure.
*Return 0 if permission is granted.
* @socket_getpeername:
*Check permission before the remote address (name) of a socket object
*@sock is retrieved.
*@sock contains the socket structure.
*Return 0 if permission is granted.
* @socket_getsockopt:
*Check permissions before retrieving the options associated with socket
*@sock.
*@sock contains the socket structure.
*@level contains the protocol level to retrieve option from.
*@optname contains the name of option to retrieve.
*Return 0 if permission is granted.
* @socket_setsockopt:
*Check permissions before setting the options associated with socket
*@sock.
*@sock contains the socket structure.
*@level contains the protocol level to set options for.
*@optname contains the name of the option to set.
*Return 0 if permission is granted.
* @socket_shutdown:
*Checks permission before all or part of a connection on the socket
*@sock is shut down.
*@sock contains the socket structure.
*@how contains the flag indicating how future sends and receives are handled.
*Return 0 if permission is granted.
* @socket_sock_rcv_skb:
*Check permissions on incoming network packets. This hook is distinct
*from Netfilter's IP input hooks since it is the first time that the
*incoming sk_buff @skb has been associated with a particular socket, @sk.
*@sk contains the sock (not socket) associated with the incoming sk_buff.
*@skb contains the incoming network data.
* @socket_getpeersec_stream:
*This hook allows the security module to provide peer socket security
*state for unix or connected tcp sockets to userspace via getsockopt
*SO_GETPEERSEC. For tcp sockets this can be meaningful if the
*socket is associated with an ipsec SA.
*@sock is the local socket.
*@optval userspace memory where the security state is to be copied.
*@optlen userspace int where the module should copy the actual length
*of the security state.
*@len as input is the maximum length to copy to userspace provided
*by the caller.
*Return 0 if all is well, otherwise, typical getsockopt return
*values.
* @socket_getpeersec_dgram:
*This hook allows the security module to provide peer socket security
*state for udp sockets on a per-packet basis to userspace via
*getsockopt SO_GETPEERSEC. The application must first have indicated
*the IP_PASSSEC option via getsockopt. It can then retrieve the
*security state returned by this hook for a packet via the SCM_SECURITY
*ancillary message type.
*@skb is the skbuff for the packet being queried
*@secdata is a pointer to a buffer in which to copy the security data
*@seclen is the maximum length for @secdata
*Return 0 on success, error on failure.
* @sk_alloc_security:
*Allocate and attach a security structure to the sk->sk_security field,
*which is used to copy security attributes between local stream sockets.
* @sk_free_security:
*Deallocate security structure.
* @sk_clone_security:
*Clone/copy security structure.
* @sk_getsecid:
*Retrieve the LSM-specific secid for the sock to enable caching of network
*authorizations.
* @sock_graft:
*Sets the socket's isec sid to the sock's sid.
* @inet_conn_request:
*Sets the openreq's sid to socket's sid with MLS portion taken from peer sid.
* @inet_csk_clone:
*Sets the new child socket's sid to the openreq sid.
* @inet_conn_established:
*Sets the connection's peersid to the secmark on skb.
* @req_classify_flow:
*Sets the flow's sid to the openreq sid.
*
* Security hooks for XFRM operations.
*
* @xfrm_policy_alloc_security:
*@ctxp is a pointer to the xfrm_sec_ctx being added to Security Policy
*Database used by the XFRM system.
*@sec_ctx contains the security context information being provided by
*the user-level policy update program (e.g., setkey).
*Allocate a security structure to the xp->security field; the security
*field is initialized to NULL when the xfrm_policy is allocated.
*Return 0 if operation was successful (memory to allocate, legal context)
* @xfrm_policy_clone_security:
*@old_ctx contains an existing xfrm_sec_ctx.
*@new_ctxp contains a new xfrm_sec_ctx being cloned from old.
*Allocate a security structure in new_ctxp that contains the
*information from the old_ctx structure.
*Return 0 if operation was successful (memory to allocate).
* @xfrm_policy_free_security:
*@ctx contains the xfrm_sec_ctx
*Deallocate xp->security.
* @xfrm_policy_delete_security:
*@ctx contains the xfrm_sec_ctx.
*Authorize deletion of xp->security.
* @xfrm_state_alloc_security:
*@x contains the xfrm_state being added to the Security Association
*Database by the XFRM system.
*@sec_ctx contains the security context information being provided by
*the user-level SA generation program (e.g., setkey or racoon).
*@secid contains the secid from which to take the mls portion of the context.
*Allocate a security structure to the x->security field; the security
*field is initialized to NULL when the xfrm_state is allocated. Set the
*context to correspond to either sec_ctx or polsec, with the mls portion
*taken from secid in the latter case.
*Return 0 if operation was successful (memory to allocate, legal context).
* @xfrm_state_free_security:
*@x contains the xfrm_state.
*Deallocate x->security.
* @xfrm_state_delete_security:
*@x contains the xfrm_state.
*Authorize deletion of x->security.
* @xfrm_policy_lookup:
*@ctx contains the xfrm_sec_ctx for which the access control is being
*checked.
*@fl_secid contains the flow security label that is used to authorize
*access to the policy xp.
*@dir contains the direction of the flow (input or output).
*Check permission when a flow selects a xfrm_policy for processing
*XFRMs on a packet. The hook is called when selecting either a
*per-socket policy or a generic xfrm policy.
*Return 0 if permission is granted, -ESRCH otherwise, or -errno
*on other errors.
* @xfrm_state_pol_flow_match:
*@x contains the state to match.
*@xp contains the policy to check for a match.
*@fl contains the flow to check for a match.
*Return 1 if there is a match.
* @xfrm_decode_session:
*@skb points to skb to decode.
*@secid points to the flow key secid to set.
*@ckall says if all xfrms used should be checked for same secid.
*Return 0 if ckall is zero or all xfrms used have the same secid.
*
* Security hooks affecting all Key Management operations
*
* @key_alloc:
*Permit allocation of a key and assign security data. Note that key does
*not have a serial number assigned at this point.
*@key points to the key.
*@flags is the allocation flags
*Return 0 if permission is granted, -ve error otherwise.
* @key_free:
*Notification of destruction; free security data.
*@key points to the key.
*No return value.
* @key_permission:
*See whether a specific operational right is granted to a process on a
*key.
*@key_ref refers to the key (key pointer + possession attribute bit).
*@context points to the process to provide the context against which to
*evaluate the security data on the key.
*@perm describes the combination of permissions required of this key.
*Return 1 if permission granted, 0 if permission denied and -ve it the
*normal permissions model should be effected.
* @key_getsecurity:
*Get a textual representation of the security context attached to a key
*for the purposes of honouring KEYCTL_GETSECURITY. This function
*allocates the storage for the NUL-terminated string and the caller
*should free it.
*@key points to the key to be queried.
*@_buffer points to a pointer that should be set to point to the
* resulting string (if no label or an error occurs).
*Return the length of the string (including terminating NUL) or -ve if
* an error.
*May also return 0 (and a NULL buffer pointer) if there is no label.
*
* Security hooks affecting all System V IPC operations.
*
* @ipc_permission:
*Check permissions for access to IPC
*@ipcp contains the kernel IPC permission structure
*@flag contains the desired (requested) permission set
*Return 0 if permission is granted.
* @ipc_getsecid:
*Get the secid associated with the ipc object.
*@ipcp contains the kernel IPC permission structure.
*@secid contains a pointer to the location where result will be saved.
*In case of failure, @secid will be set to zero.
*
* Security hooks for individual messages held in System V IPC message queues
* @msg_msg_alloc_security:
*Allocate and attach a security structure to the msg->security field.
*The security field is initialized to NULL when the structure is first
*created.
*@msg contains the message structure to be modified.
*Return 0 if operation was successful and permission is granted.
* @msg_msg_free_security:
*Deallocate the security structure for this message.
*@msg contains the message structure to be modified.
*
* Security hooks for System V IPC Message Queues
*
* @msg_queue_alloc_security:
*Allocate and attach a security structure to the
*msq->q_perm.security field. The security field is initialized to
*NULL when the structure is first created.
*@msq contains the message queue structure to be modified.
*Return 0 if operation was successful and permission is granted.
* @msg_queue_free_security:
*Deallocate security structure for this message queue.
*@msq contains the message queue structure to be modified.
* @msg_queue_associate:
*Check permission when a message queue is requested through the
*msgget system call. This hook is only called when returning the
*message queue identifier for an existing message queue, not when a
*new message queue is created.
*@msq contains the message queue to act upon.
*@msqflg contains the operation control flags.
*Return 0 if permission is granted.
* @msg_queue_msgctl:
*Check permission when a message control operation specified by @cmd
*is to be performed on the message queue @msq.
*The @msq may be NULL, e.g. for IPC_INFO or MSG_INFO.
*@msq contains the message queue to act upon. May be NULL.
*@cmd contains the operation to be performed.
*Return 0 if permission is granted.
* @msg_queue_msgsnd:
*Check permission before a message, @msg, is enqueued on the message
*queue, @msq.
*@msq contains the message queue to send message to.
*@msg contains the message to be enqueued.
*@msqflg contains operational flags.
*Return 0 if permission is granted.
* @msg_queue_msgrcv:
*Check permission before a message, @msg, is removed from the message
*queue, @msq. The @target task structure contains a pointer to the
*process that will be receiving the message (not equal to the current
*process when inline receives are being performed).
*@msq contains the message queue to retrieve message from.
*@msg contains the message destination.
*@target contains the task structure for recipient process.
*@type contains the type of message requested.
*@mode contains the operational flags.
*Return 0 if permission is granted.
*
* Security hooks for System V Shared Memory Segments
*
* @shm_alloc_security:
*Allocate and attach a security structure to the shp->shm_perm.security
*field. The security field is initialized to NULL when the structure is
*first created.
*@shp contains the shared memory structure to be modified.
*Return 0 if operation was successful and permission is granted.
* @shm_free_security:
*Deallocate the security struct for this memory segment.
*@shp contains the shared memory structure to be modified.
* @shm_associate:
*Check permission when a shared memory region is requested through the
*shmget system call. This hook is only called when returning the shared
*memory region identifier for an existing region, not when a new shared
*memory region is created.
*@shp contains the shared memory structure to be modified.
*@shmflg contains the operation control flags.
*Return 0 if permission is granted.
* @shm_shmctl:
*Check permission when a shared memory control operation specified by
*@cmd is to be performed on the shared memory region @shp.
*The @shp may be NULL, e.g. for IPC_INFO or SHM_INFO.
*@shp contains shared memory structure to be modified.
*@cmd contains the operation to be performed.
*Return 0 if permission is granted.
* @shm_shmat:
*Check permissions prior to allowing the shmat system call to attach the
*shared memory segment @shp to the data segment of the calling process.
*The attaching address is specified by @shmaddr.
*@shp contains the shared memory structure to be modified.
*@shmaddr contains the address to attach memory region to.
*@shmflg contains the operational flags.
*Return 0 if permission is granted.
*
* Security hooks for System V Semaphores
*
* @sem_alloc_security:
*Allocate and attach a security structure to the sma->sem_perm.security
*field. The security field is initialized to NULL when the structure is
*first created.
*@sma contains the semaphore structure
*Return 0 if operation was successful and permission is granted.
* @sem_free_security:
*deallocate security struct for this semaphore
*@sma contains the semaphore structure.
* @sem_associate:
*Check permission when a semaphore is requested through the semget
*system call. This hook is only called when returning the semaphore
*identifier for an existing semaphore, not when a new one must be
*created.
*@sma contains the semaphore structure.
*@semflg contains the operation control flags.
*Return 0 if permission is granted.
* @sem_semctl:
*Check permission when a semaphore operation specified by @cmd is to be
*performed on the semaphore @sma. The @sma may be NULL, e.g. for
*IPC_INFO or SEM_INFO.
*@sma contains the semaphore structure. May be NULL.
*@cmd contains the operation to be performed.
*Return 0 if permission is granted.
* @sem_semop
*Check permissions before performing operations on members of the
*semaphore set @sma. If the @alter flag is nonzero, the semaphore set
*may be modified.
*@sma contains the semaphore structure.
*@sops contains the operations to perform.
*@nsops contains the number of operations to perform.
*@alter contains the flag indicating whether changes are to be made.
*Return 0 if permission is granted.
*
* @ptrace_may_access:
*Check permission before allowing the current process to trace the
*@child process.
*Security modules may also want to perform a process tracing check
*during an execve in the set_security or apply_creds hooks of
*binprm_security_ops if the process is being traced and its security
*attributes would be changed by the execve.
*@child contains the task_struct structure for the target process.
*@mode contains the PTRACE_MODE flags indicating the form of access.
*Return 0 if permission is granted.
* @ptrace_traceme:
*Check that the @parent process has sufficient permission to trace the
*current process before allowing the current process to present itself
*to the @parent process for tracing.
*The parent process will still have to undergo the ptrace_may_access
*checks before it is allowed to trace this one.
*@parent contains the task_struct structure for debugger process.
*Return 0 if permission is granted.
* @capget:
*Get the @effective, @inheritable, and @permitted capability sets for
*the @target process. The hook may also perform permission checking to
*determine if the current process is allowed to see the capability sets
*of the @target process.
*@target contains the task_struct structure for target process.
*@effective contains the effective capability set.
*@inheritable contains the inheritable capability set.
*@permitted contains the permitted capability set.
*Return 0 if the capability sets were successfully obtained.
* @capset_check:
*Check permission before setting the @effective, @inheritable, and
*@permitted capability sets for the @target process.
*Caveat: @target is also set to current if a set of processes is
*specified (i.e. all processes other than current and init or a
*particular process group). Hence, the capset_set hook may need to
*revalidate permission to the actual target process.
*@target contains the task_struct structure for target process.
*@effective contains the effective capability set.
*@inheritable contains the inheritable capability set.
*@permitted contains the permitted capability set.
*Return 0 if permission is granted.
* @capset_set:
*Set the @effective, @inheritable, and @permitted capability sets for
*the @target process. Since capset_check cannot always check permission
*to the real @target process, this hook may also perform permission
*checking to determine if the current process is allowed to set the
*capability sets of the @target process. However, this hook has no way
*of returning an error due to the structure of the sys_capset code.
*@target contains the task_struct structure for target process.
*@effective contains the effective capability set.
*@inheritable contains the inheritable capability set.
*@permitted contains the permitted capability set.
* @capable:
*Check whether the @tsk process has the @cap capability.
*@tsk contains the task_struct for the process.
*@cap contains the capability .
*Return 0 if the capability is granted for @tsk.
* @acct:
*Check permission before enabling or disabling process accounting. If
*accounting is being enabled, then @file refers to the open file used to
*store accounting records. If accounting is being disabled, then @file
*is NULL.
*@file contains the file structure for the accounting file (may be NULL).
*Return 0 if permission is granted.
* @sysctl:
*Check permission before accessing the @table sysctl variable in the
*manner specified by @op.
*@table contains the ctl_table structure for the sysctl variable.
*@op contains the operation (001 = search, 002 = write, 004 = read).
*Return 0 if permission is granted.
* @syslog:
*Check permission before accessing the kernel message ring or changing
*logging to the console.
*See the syslog(2) manual page for an explanation of the @type values.
*@type contains the type of action.
*Return 0 if permission is granted.
* @settime:
*Check permission to change the system time.
*struct timespec and timezone are defined in include/linux/time.h
*@ts contains new time
*@tz contains new timezone
*Return 0 if permission is granted.
* @vm_enough_memory:
*Check permissions for allocating a new virtual mapping.
*@mm contains the mm struct it is being added to.
*@pages contains the number of pages.
*Return 0 if permission is granted.
*
* @secid_to_secctx:
*Convert secid to security context.
*@secid contains the security ID.
*@secdata contains the pointer that stores the converted security context.
* @secctx_to_secid:
*Convert security context to secid.
*@secid contains the pointer to the generated security ID.
*@secdata contains the security context.
*
* @release_secctx:
*Release the security context.
*@secdata contains the security context.
*@seclen contains the length of the security context.
*
* Security hooks for Audit
*
* @audit_rule_init:
*Allocate and initialize an LSM audit rule structure.
*@field contains the required Audit action. Fields flags are defined in include/linux/audit.h
*@op contains the operator the rule uses.
*@rulestr contains the context where the rule will be applied to.
*@lsmrule contains a pointer to receive the result.
*Return 0 if @lsmrule has been successfully set,
*-EINVAL in case of an invalid rule.
*
* @audit_rule_known:
*Specifies whether given @rule contains any fields related to current LSM.
*@rule contains the audit rule of interest.
*Return 1 in case of relation found, 0 otherwise.
*
* @audit_rule_match:
*Determine if given @secid matches a rule previously approved
*by @audit_rule_known.
*@secid contains the security id in question.
*@field contains the field which relates to current LSM.
*@op contains the operator that will be used for matching.
*@rule points to the audit rule that will be checked against.
*@actx points to the audit context associated with the check.
*Return 1 if secid matches the rule, 0 if it does not, -ERRNO on failure.
*
* @audit_rule_free:
*Deallocate the LSM audit rule structure previously allocated by
*audit_rule_init.
*@rule contains the allocated rule
*
* This is the main security structure.
*/
include/ linux/security.h
struct security_operations {
char name[SECURITY_NAME_MAX + 1];
int (*ptrace_may_access) (struct task_struct *child, unsigned int mode);
int (*ptrace_traceme) (struct task_struct *parent);
int (*capget) (struct task_struct *target,
kernel_cap_t *effective,
kernel_cap_t *inheritable, kernel_cap_t *permitted);
int (*capset_check) (struct task_struct *target,
kernel_cap_t *effective,
kernel_cap_t *inheritable,
kernel_cap_t *permitted);
void (*capset_set) (struct task_struct *target,
kernel_cap_t *effective,
kernel_cap_t *inheritable,
kernel_cap_t *permitted);
int (*capable) (struct task_struct *tsk, int cap);
int (*acct) (struct file *file);
int (*sysctl) (struct ctl_table *table, int op);
int (*quotactl) (int cmds, int type, int id, struct super_block *sb);
int (*quota_on) (struct dentry *dentry);
int (*syslog) (int type);
int (*settime) (struct timespec *ts, struct timezone *tz);
int (*vm_enough_memory) (struct mm_struct *mm, long pages);
int (*bprm_alloc_security) (struct linux_binprm *bprm);
void (*bprm_free_security) (struct linux_binprm *bprm);
void (*bprm_apply_creds) (struct linux_binprm *bprm, int unsafe);
void (*bprm_post_apply_creds) (struct linux_binprm *bprm);
int (*bprm_set_security) (struct linux_binprm *bprm);
int (*bprm_check_security) (struct linux_binprm *bprm);
int (*bprm_secureexec) (struct linux_binprm *bprm);
int (*sb_alloc_security) (struct super_block *sb);
void (*sb_free_security) (struct super_block *sb);
int (*sb_copy_data) (char *orig, char *copy);
int (*sb_kern_mount) (struct super_block *sb, void *data);
int (*sb_show_options) (struct seq_file *m, struct super_block *sb);
int (*sb_statfs) (struct dentry *dentry);
int (*sb_mount) (char *dev_name, struct path *path,
char *type, unsigned long flags, void *data);
int (*sb_check_sb) (struct vfsmount *mnt, struct path *path);
int (*sb_umount) (struct vfsmount *mnt, int flags);
void (*sb_umount_close) (struct vfsmount *mnt);
void (*sb_umount_busy) (struct vfsmount *mnt);
void (*sb_post_remount) (struct vfsmount *mnt,
unsigned long flags, void *data);
void (*sb_post_addmount) (struct vfsmount *mnt,
struct path *mountpoint);
int (*sb_pivotroot) (struct path *old_path,
struct path *new_path);
void (*sb_post_pivotroot) (struct path *old_path,
struct path *new_path);
int (*sb_set_mnt_opts) (struct super_block *sb,
struct security_mnt_opts *opts);
void (*sb_clone_mnt_opts) (const struct super_block *oldsb,
struct super_block *newsb);
int (*sb_parse_opts_str) (char *options, struct security_mnt_opts *opts);
int (*inode_alloc_security) (struct inode *inode);
void (*inode_free_security) (struct inode *inode);
int (*inode_init_security) (struct inode *inode, struct inode *dir,
char **name, void **value, size_t *len);
int (*inode_create) (struct inode *dir,
struct dentry *dentry, int mode);
int (*inode_link) (struct dentry *old_dentry,
struct inode *dir, struct dentry *new_dentry);
int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
int (*inode_symlink) (struct inode *dir,
struct dentry *dentry, const char *old_name);
int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode);
int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
int mode, dev_t dev);
int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
struct inode *new_dir, struct dentry *new_dentry);
int (*inode_readlink) (struct dentry *dentry);
int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
int (*inode_permission) (struct inode *inode, int mask);
int (*inode_setattr)(struct dentry *dentry, struct iattr *attr);
int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
void (*inode_delete) (struct inode *inode);
int (*inode_setxattr) (struct dentry *dentry, const char *name,
const void *value, size_t size, int flags);
void (*inode_post_setxattr) (struct dentry *dentry, const char *name,
const void *value, size_t size, int flags);
int (*inode_getxattr) (struct dentry *dentry, const char *name);
int (*inode_listxattr) (struct dentry *dentry);
int (*inode_removexattr) (struct dentry *dentry, const char *name);
int (*inode_need_killpriv) (struct dentry *dentry);
int (*inode_killpriv) (struct dentry *dentry);
int (*inode_getsecurity) (const struct inode *inode, const char *name, void **buffer, bool alloc);
int (*inode_setsecurity) (struct inode *inode, const char *name, const void *value, size_t size, int flags);
int (*inode_listsecurity) (struct inode *inode, char *buffer, size_t buffer_size);
void (*inode_getsecid) (const struct inode *inode, u32 *secid);
int (*file_permission) (struct file *file, int mask);
int (*file_alloc_security) (struct file *file);
void (*file_free_security) (struct file *file);
int (*file_ioctl) (struct file *file, unsigned int cmd,
unsigned long arg);
int (*file_mmap) (struct file *file,
unsigned long reqprot, unsigned long prot,
unsigned long flags, unsigned long addr,
unsigned long addr_only);
int (*file_mprotect) (struct vm_area_struct *vma,
unsigned long reqprot,
unsigned long prot);
int (*file_lock) (struct file *file, unsigned int cmd);
int (*file_fcntl) (struct file *file, unsigned int cmd,
unsigned long arg);
int (*file_set_fowner) (struct file *file);
int (*file_send_sigiotask) (struct task_struct *tsk,
struct fown_struct *fown, int sig);
int (*file_receive) (struct file *file);
int (*dentry_open) (struct file *file);
int (*task_create) (unsigned long clone_flags);
int (*task_alloc_security) (struct task_struct *p);
void (*task_free_security) (struct task_struct *p);
int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ ,
uid_t old_euid, uid_t old_suid, int flags);
int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags);
int (*task_setpgid) (struct task_struct *p, pid_t pgid);
int (*task_getpgid) (struct task_struct *p);
int (*task_getsid) (struct task_struct *p);
void (*task_getsecid) (struct task_struct *p, u32 *secid);
int (*task_setgroups) (struct group_info *group_info);
int (*task_setnice) (struct task_struct *p, int nice);
int (*task_setioprio) (struct task_struct *p, int ioprio);
int (*task_getioprio) (struct task_struct *p);
int (*task_setrlimit) (unsigned int resource, struct rlimit *new_rlim);
int (*task_setscheduler) (struct task_struct *p, int policy,
struct sched_param *lp);
int (*task_getscheduler) (struct task_struct *p);
int (*task_movememory) (struct task_struct *p);
int (*task_kill) (struct task_struct *p,
struct siginfo *info, int sig, u32 secid);
int (*task_wait) (struct task_struct *p);
int (*task_prctl) (int option, unsigned long arg2,
unsigned long arg3, unsigned long arg4,
unsigned long arg5, long *rc_p);
void (*task_reparent_to_init) (struct task_struct *p);
void (*task_to_inode) (struct task_struct *p, struct inode *inode);
int (*ipc_permission) (struct kern_ipc_perm *ipcp, short flag);
void (*ipc_getsecid) (struct kern_ipc_perm *ipcp, u32 *secid);
int (*msg_msg_alloc_security) (struct msg_msg *msg);
void (*msg_msg_free_security) (struct msg_msg *msg);
int (*msg_queue_alloc_security) (struct msg_queue *msq);
void (*msg_queue_free_security) (struct msg_queue *msq);
int (*msg_queue_associate) (struct msg_queue *msq, int msqflg);
int (*msg_queue_msgctl) (struct msg_queue *msq, int cmd);
int (*msg_queue_msgsnd) (struct msg_queue *msq,
struct msg_msg *msg, int msqflg);
int (*msg_queue_msgrcv) (struct msg_queue *msq,
struct msg_msg *msg,
struct task_struct *target,
long type, int mode);
int (*shm_alloc_security) (struct shmid_kernel *shp);
void (*shm_free_security) (struct shmid_kernel *shp);
int (*shm_associate) (struct shmid_kernel *shp, int shmflg);
int (*shm_shmctl) (struct shmid_kernel *shp, int cmd);
int (*shm_shmat) (struct shmid_kernel *shp,
char __user *shmaddr, int shmflg);
int (*sem_alloc_security) (struct sem_array *sma);
void (*sem_free_security) (struct sem_array *sma);
int (*sem_associate) (struct sem_array *sma, int semflg);
int (*sem_semctl) (struct sem_array *sma, int cmd);
int (*sem_semop) (struct sem_array *sma,
struct sembuf *sops, unsigned nsops, int alter);
int (*netlink_send) (struct sock *sk, struct sk_buff *skb);
int (*netlink_recv) (struct sk_buff *skb, int cap);
void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
int (*getprocattr) (struct task_struct *p, char *name, char **value);
int (*setprocattr) (struct task_struct *p, char *name, void *value, size_t size);
int (*secid_to_secctx) (u32 secid, char **secdata, u32 *seclen);
int (*secctx_to_secid) (const char *secdata, u32 seclen, u32 *secid);
void (*release_secctx) (char *secdata, u32 seclen);
#ifdef CONFIG_SECURITY_NETWORK
int (*unix_stream_connect) (struct socket *sock,
struct socket *other, struct sock *newsk);
int (*unix_may_send) (struct socket *sock, struct socket *other);
int (*socket_create) (int family, int type, int protocol, int kern);
int (*socket_post_create) (struct socket *sock, int family,
int type, int protocol, int kern);
int (*socket_bind) (struct socket *sock,
struct sockaddr *address, int addrlen);
int (*socket_connect) (struct socket *sock,
struct sockaddr *address, int addrlen);
int (*socket_listen) (struct socket *sock, int backlog);
int (*socket_accept) (struct socket *sock, struct socket *newsock);
void (*socket_post_accept) (struct socket *sock,
struct socket *newsock);
int (*socket_sendmsg) (struct socket *sock,
struct msghdr *msg, int size);
int (*socket_recvmsg) (struct socket *sock,
struct msghdr *msg, int size, int flags);
int (*socket_getsockname) (struct socket *sock);
int (*socket_getpeername) (struct socket *sock);
int (*socket_getsockopt) (struct socket *sock, int level, int optname);
int (*socket_setsockopt) (struct socket *sock, int level, int optname);
int (*socket_shutdown) (struct socket *sock, int how);
int (*socket_sock_rcv_skb) (struct sock *sk, struct sk_buff *skb);
int (*socket_getpeersec_stream) (struct socket *sock, char __user *optval, int __user *optlen, unsigned len);
int (*socket_getpeersec_dgram) (struct socket *sock, struct sk_buff *skb, u32 *secid);
int (*sk_alloc_security) (struct sock *sk, int family, gfp_t priority);
void (*sk_free_security) (struct sock *sk);
void (*sk_clone_security) (const struct sock *sk, struct sock *newsk);
void (*sk_getsecid) (struct sock *sk, u32 *secid);
void (*sock_graft) (struct sock *sk, struct socket *parent);
int (*inet_conn_request) (struct sock *sk, struct sk_buff *skb,
struct request_sock *req);
void (*inet_csk_clone) (struct sock *newsk, const struct request_sock *req);
void (*inet_conn_established) (struct sock *sk, struct sk_buff *skb);
void (*req_classify_flow) (const struct request_sock *req, struct flowi *fl);
#endif/* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
int (*xfrm_policy_alloc_security) (struct xfrm_sec_ctx **ctxp,
struct xfrm_user_sec_ctx *sec_ctx);
int (*xfrm_policy_clone_security) (struct xfrm_sec_ctx *old_ctx, struct xfrm_sec_ctx **new_ctx);
void (*xfrm_policy_free_security) (struct xfrm_sec_ctx *ctx);
int (*xfrm_policy_delete_security) (struct xfrm_sec_ctx *ctx);
int (*xfrm_state_alloc_security) (struct xfrm_state *x,
struct xfrm_user_sec_ctx *sec_ctx,
u32 secid);
void (*xfrm_state_free_security) (struct xfrm_state *x);
int (*xfrm_state_delete_security) (struct xfrm_state *x);
int (*xfrm_policy_lookup) (struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir);
int (*xfrm_state_pol_flow_match) (struct xfrm_state *x,
struct xfrm_policy *xp,
struct flowi *fl);
int (*xfrm_decode_session) (struct sk_buff *skb, u32 *secid, int ckall);
#endif/* CONFIG_SECURITY_NETWORK_XFRM */
/* key management security hooks */
#ifdef CONFIG_KEYS
int (*key_alloc) (struct key *key, struct task_struct *tsk, unsigned long flags);
void (*key_free) (struct key *key);
int (*key_permission) (key_ref_t key_ref,
struct task_struct *context,
key_perm_t perm);
int (*key_getsecurity)(struct key *key, char **_buffer);
#endif/* CONFIG_KEYS */
#ifdef CONFIG_AUDIT
int (*audit_rule_init) (u32 field, u32 op, char *rulestr, void **lsmrule);
int (*audit_rule_known) (struct audit_krule *krule);
int (*audit_rule_match) (u32 secid, u32 field, u32 op, void *lsmrule,
struct audit_context *actx);
void (*audit_rule_free) (void *lsmrule);
#endif /* CONFIG_AUDIT */
};
////////////////////////////////////////////////////////////////
