/*
 * Security plug functions
 *
 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
 * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
 *
 *	This program is free software; you can redistribute it and/or modify
 *	it under the terms of the GNU General Public License as published by
 *	the Free Software Foundation; either version 2 of the License, or
 *	(at your option) any later version.
 */

#include <linux/capability.h>
#include <linux/dcache.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/kernel.h>
#include <linux/lsm_hooks.h>
#include <linux/integrity.h>
#include <linux/ima.h>
#include <linux/evm.h>
#include <linux/fsnotify.h>
#include <linux/mman.h>
#include <linux/mount.h>
#include <linux/personality.h>
#include <linux/backing-dev.h>
#include <net/flow.h>

30
#define MAX_LSM_EVM_XATTR	2
L
Linus Torvalds 已提交
31

C
Casey Schaufler 已提交
32 33 34
/* Maximum number of letters for an LSM name string */
#define SECURITY_NAME_MAX	10

35
char *lsm_names;
36
/* Boot-time LSM user choice */
J
John Johansen 已提交
37 38
static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
	CONFIG_DEFAULT_SECURITY;
L
Linus Torvalds 已提交
39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

/*
 * Run every initcall placed in the security initcall section, in the
 * order the linker laid them out.
 */
static void __init do_security_initcalls(void)
{
	initcall_t *call;

	for (call = __security_initcall_start;
	     call < __security_initcall_end; call++)
		(*call)();
}

/**
 * security_init - initializes the security framework
 *
 * This should be called early in the kernel initialization sequence.
 * The minor LSMs are hooked in first, in a fixed order, and then every
 * initcall from the security initcall section is run.
 *
 * Return: always 0.
 */
int __init security_init(void)
{
	pr_info("Security Framework initialized\n");

	/*
	 * Load minor LSMs, with the capability module always first.
	 * The order here matters: it is the order the hooks end up on
	 * each hook list.
	 */
	capability_add_hooks();
	yama_add_hooks();
	loadpin_add_hooks();

	/*
	 * Load all the remaining security modules.
	 */
	do_security_initcalls();

	return 0;
}

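/*
 * Save user chosen LSM.
 *
 * @str: value of the security= boot parameter
 *
 * chosen_lsm is compared verbatim in security_module_enable(), so a name
 * longer than SECURITY_NAME_MAX can never match a registered LSM; warn
 * about it instead of truncating silently.  Always returns 1 so the
 * parameter is treated as handled.
 */
static int __init choose_lsm(char *str)
{
	if (strlen(str) > SECURITY_NAME_MAX)
		pr_warn("security=%s is longer than %d characters and will be truncated\n",
			str, SECURITY_NAME_MAX);
	strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
	/*
	 * strncpy() does not terminate the destination when it truncates;
	 * do not rely on the static initializer having left this byte 0.
	 */
	chosen_lsm[SECURITY_NAME_MAX] = '\0';
	return 1;
}
__setup("security=", choose_lsm);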

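/*
 * Append an LSM name to the comma-separated list kept at *@result.
 *
 * @new: name to add
 * @result: list being built; NULL means nothing has been added yet
 *
 * On success *@result points at the (re)allocated string and 0 is
 * returned.  On allocation failure -ENOMEM is returned and *@result is
 * left exactly as the caller supplied it.
 */
static int lsm_append(char *new, char **result)
{
	char *cp;

	if (*result == NULL) {
		*result = kstrdup(new, GFP_KERNEL);
		/*
		 * kstrdup() returns NULL on OOM.  Report it like the
		 * kasprintf() path does instead of returning success with
		 * an empty list.
		 */
		if (*result == NULL)
			return -ENOMEM;
	} else {
		cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);
		if (cp == NULL)
			return -ENOMEM;
		kfree(*result);
		*result = cp;
	}
	return 0;
}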

/**
 * security_module_enable - Load given security module on boot ?
 * @module: the name of the module
 *
 * Each LSM must pass this method before registering its own operations
 * to avoid security registration races. This method may also be used
 * to check if your LSM is currently loaded during kernel initialization.
 *
 * Return true if:
 *	-The passed LSM is the one chosen by user at boot time,
 *	-or the passed LSM is configured as the default and the user did not
 *	 choose an alternate LSM at boot time.
 * Otherwise, return false.
 */
int __init security_module_enable(const char *module)
{
	/*
	 * chosen_lsm starts out as CONFIG_DEFAULT_SECURITY and is only
	 * overwritten by the security= parameter, so one comparison
	 * covers both cases above.
	 */
	return !strcmp(module, chosen_lsm);
}

/**
 * security_add_hooks - Add a modules hooks to the hook lists.
 * @hooks: the hooks to add
 * @count: the number of hooks to add
 * @lsm: the name of the security module
 *
 * Each LSM has to register its hooks with the infrastructure.  Every
 * entry is tagged with @lsm and queued at the tail of its hook list,
 * and @lsm is appended to lsm_names.  Running out of memory this early
 * is fatal.
 */
void __init security_add_hooks(struct security_hook_list *hooks, int count,
				char *lsm)
{
	int i;

	for (i = 0; i < count; i++) {
		struct security_hook_list *hl = &hooks[i];

		hl->lsm = lsm;
		list_add_tail_rcu(&hl->list, hl->head);
	}

	if (lsm_append(lsm, &lsm_names) < 0)
		panic("%s - Cannot get early memory.\n", __func__);
}

/*
 * Hook list operation macros.
 *
 * call_void_hook:
 *	This is a hook that does not return a value.  Every registered
 *	implementation of FUNC is called, in hook-list order.
 *
 * call_int_hook:
 *	This is a hook that returns a value.  Implementations are called
 *	in hook-list order until one returns non-zero, which becomes the
 *	result.  If every implementation returns 0 the result is 0; if no
 *	implementation is registered the result is IRC.
 */

#define call_void_hook(FUNC, ...)				\
	do {							\
		struct security_hook_list *P;			\
								\
		list_for_each_entry(P, &security_hook_heads.FUNC, list)	\
			P->hook.FUNC(__VA_ARGS__);		\
	} while (0)

#define call_int_hook(FUNC, IRC, ...) ({			\
	int RC = IRC;						\
	do {							\
		struct security_hook_list *P;			\
								\
		list_for_each_entry(P, &security_hook_heads.FUNC, list) { \
			RC = P->hook.FUNC(__VA_ARGS__);		\
			if (RC != 0)				\
				break;				\
		}						\
	} while (0);						\
	RC;							\
})

/* Security operations */

/**
 * security_binder_set_context_mgr - check setting the binder context manager
 * @mgr: task being made context manager
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_binder_set_context_mgr(struct task_struct *mgr)
{
	return call_int_hook(binder_set_context_mgr, 0, mgr);
}

/**
 * security_binder_transaction - check a binder transaction
 * @from: sending task
 * @to: receiving task
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_binder_transaction(struct task_struct *from,
				struct task_struct *to)
{
	return call_int_hook(binder_transaction, 0, from, to);
}

/**
 * security_binder_transfer_binder - check passing a binder reference
 * @from: sending task
 * @to: receiving task
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_binder_transfer_binder(struct task_struct *from,
				    struct task_struct *to)
{
	return call_int_hook(binder_transfer_binder, 0, from, to);
}

/**
 * security_binder_transfer_file - check passing a file over binder
 * @from: sending task
 * @to: receiving task
 * @file: the file being transferred
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_binder_transfer_file(struct task_struct *from,
				  struct task_struct *to, struct file *file)
{
	return call_int_hook(binder_transfer_file, 0, from, to, file);
}

/**
 * security_ptrace_access_check - check whether @child may be traced
 * @child: task to be traced
 * @mode: access mode requested by the tracer
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
{
	return call_int_hook(ptrace_access_check, 0, child, mode);
}

/**
 * security_ptrace_traceme - check a PTRACE_TRACEME request
 * @parent: task that would become the tracer
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_ptrace_traceme(struct task_struct *parent)
{
	return call_int_hook(ptrace_traceme, 0, parent);
}

/**
 * security_capget - check/fill capability sets read from @target
 * @target: task whose capabilities are requested
 * @effective: effective set
 * @inheritable: inheritable set
 * @permitted: permitted set
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_capget(struct task_struct *target,
		     kernel_cap_t *effective,
		     kernel_cap_t *inheritable,
		     kernel_cap_t *permitted)
{
	return call_int_hook(capget, 0, target,
				effective, inheritable, permitted);
}

/**
 * security_capset - check a capability set change
 * @new: credentials being prepared
 * @old: current credentials
 * @effective: requested effective set
 * @inheritable: requested inheritable set
 * @permitted: requested permitted set
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_capset(struct cred *new, const struct cred *old,
		    const kernel_cap_t *effective,
		    const kernel_cap_t *inheritable,
		    const kernel_cap_t *permitted)
{
	return call_int_hook(capset, 0, new, old,
				effective, inheritable, permitted);
}

/**
 * security_capable - check whether @cred holds @cap in @ns
 * @cred: credentials to check
 * @ns: user namespace the capability is needed in
 * @cap: capability number
 *
 * The hooks are told to audit a denial (SECURITY_CAP_AUDIT).
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_capable(const struct cred *cred, struct user_namespace *ns,
		     int cap)
{
	return call_int_hook(capable, 0, cred, ns, cap, SECURITY_CAP_AUDIT);
}

/**
 * security_capable_noaudit - security_capable() without audit on denial
 * @cred: credentials to check
 * @ns: user namespace the capability is needed in
 * @cap: capability number
 *
 * Identical to security_capable() except that SECURITY_CAP_NOAUDIT is
 * passed to the hooks.
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
			     int cap)
{
	return call_int_hook(capable, 0, cred, ns, cap, SECURITY_CAP_NOAUDIT);
}

/**
 * security_quotactl - check a quotactl operation
 * @cmds: quotactl command
 * @type: quota type
 * @id: id the command applies to
 * @sb: superblock operated on
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_quotactl(int cmds, int type, int id, struct super_block *sb)
{
	return call_int_hook(quotactl, 0, cmds, type, id, sb);
}

/**
 * security_quota_on - check enabling quotas on a quota file
 * @dentry: the quota file
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_quota_on(struct dentry *dentry)
{
	return call_int_hook(quota_on, 0, dentry);
}

/**
 * security_syslog - check a syslog(2) action
 * @type: syslog action type
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_syslog(int type)
{
	return call_int_hook(syslog, 0, type);
}

/**
 * security_settime64 - check changing the system time
 * @ts: new time, or NULL
 * @tz: new timezone, or NULL
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_settime64(const struct timespec64 *ts, const struct timezone *tz)
{
	return call_int_hook(settime, 0, ts, tz);
}

/**
 * security_vm_enough_memory_mm - overcommit check with LSM input
 * @mm: address space the pages are charged to
 * @pages: number of pages requested
 *
 * Each module votes on whether __vm_enough_memory() may be called with
 * cap_sys_admin set: a positive return is a "yes".  The capability is
 * granted only if every module says yes, so the first zero or negative
 * answer settles the vote.
 *
 * Return: the result of __vm_enough_memory().
 */
int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
{
	struct security_hook_list *hp;
	int cap_sys_admin = 1;

	list_for_each_entry(hp, &security_hook_heads.vm_enough_memory, list) {
		if (hp->hook.vm_enough_memory(mm, pages) <= 0) {
			cap_sys_admin = 0;
			break;
		}
	}
	return __vm_enough_memory(mm, pages, cap_sys_admin);
}

/**
 * security_bprm_set_creds - let LSMs set up credentials for an exec
 * @bprm: the binary being executed
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_bprm_set_creds(struct linux_binprm *bprm)
{
	return call_int_hook(bprm_set_creds, 0, bprm);
}

/**
 * security_bprm_check - LSM and IMA checks on a binary about to execute
 * @bprm: the binary being executed
 *
 * The bprm_check_security hooks run first; IMA's check runs only when
 * all of them accept.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_bprm_check(struct linux_binprm *bprm)
{
	int ret;

	ret = call_int_hook(bprm_check_security, 0, bprm);
	if (ret)
		return ret;
	return ima_bprm_check(bprm);
}

/**
 * security_bprm_committing_creds - notify LSMs that exec creds are being installed
 * @bprm: the binary being executed
 */
void security_bprm_committing_creds(struct linux_binprm *bprm)
{
	call_void_hook(bprm_committing_creds, bprm);
}

/**
 * security_bprm_committed_creds - notify LSMs that exec creds are installed
 * @bprm: the binary being executed
 */
void security_bprm_committed_creds(struct linux_binprm *bprm)
{
	call_void_hook(bprm_committed_creds, bprm);
}

/**
 * security_bprm_secureexec - ask LSMs whether the exec needs a secure environment
 * @bprm: the binary being executed
 *
 * Return: 0 if no LSM asks for it, else the first non-zero hook result.
 */
int security_bprm_secureexec(struct linux_binprm *bprm)
{
	return call_int_hook(bprm_secureexec, 0, bprm);
}

/**
 * security_sb_alloc - allocate LSM state for a superblock
 * @sb: the superblock
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_sb_alloc(struct super_block *sb)
{
	return call_int_hook(sb_alloc_security, 0, sb);
}

/**
 * security_sb_free - release LSM state of a superblock
 * @sb: the superblock
 */
void security_sb_free(struct super_block *sb)
{
	call_void_hook(sb_free_security, sb);
}

/**
 * security_sb_copy_data - let LSMs copy their mount options
 * @orig: original mount data
 * @copy: buffer receiving the LSM-relevant options
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_sb_copy_data(char *orig, char *copy)
{
	return call_int_hook(sb_copy_data, 0, orig, copy);
}
EXPORT_SYMBOL(security_sb_copy_data);

/**
 * security_sb_remount - check a remount
 * @sb: the superblock
 * @data: mount data
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_sb_remount(struct super_block *sb, void *data)
{
	return call_int_hook(sb_remount, 0, sb, data);
}

/**
 * security_sb_kern_mount - check a kernel-internal mount
 * @sb: the superblock
 * @flags: mount flags
 * @data: mount data
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_sb_kern_mount(struct super_block *sb, int flags, void *data)
{
	return call_int_hook(sb_kern_mount, 0, sb, flags, data);
}

/**
 * security_sb_show_options - let LSMs print their mount options
 * @m: seq_file being written
 * @sb: the superblock
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_sb_show_options(struct seq_file *m, struct super_block *sb)
{
	return call_int_hook(sb_show_options, 0, m, sb);
}

/**
 * security_sb_statfs - check a statfs
 * @dentry: dentry the statfs is made on
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_sb_statfs(struct dentry *dentry)
{
	return call_int_hook(sb_statfs, 0, dentry);
}

/**
 * security_sb_mount - check a mount request
 * @dev_name: device or source name
 * @path: mount point
 * @type: filesystem type
 * @flags: mount flags
 * @data: mount data
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_sb_mount(const char *dev_name, const struct path *path,
                       const char *type, unsigned long flags, void *data)
{
	return call_int_hook(sb_mount, 0, dev_name, path, type, flags, data);
}

/**
 * security_sb_umount - check an unmount
 * @mnt: mount being removed
 * @flags: umount flags
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_sb_umount(struct vfsmount *mnt, int flags)
{
	return call_int_hook(sb_umount, 0, mnt, flags);
}

/**
 * security_sb_pivotroot - check a pivot_root
 * @old_path: old root
 * @new_path: new root
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_sb_pivotroot(const struct path *old_path, const struct path *new_path)
{
	return call_int_hook(sb_pivotroot, 0, old_path, new_path);
}

/**
 * security_sb_set_mnt_opts - apply parsed security mount options
 * @sb: the superblock
 * @opts: parsed options
 * @kern_flags: kernel-requested flags
 * @set_kern_flags: flags the LSM actually set
 *
 * With no LSM providing the hook, the result is -EOPNOTSUPP when @opts
 * carries any options (they cannot be honoured) and 0 when it is empty.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_sb_set_mnt_opts(struct super_block *sb,
				struct security_mnt_opts *opts,
				unsigned long kern_flags,
				unsigned long *set_kern_flags)
{
	return call_int_hook(sb_set_mnt_opts,
				opts->num_mnt_opts ? -EOPNOTSUPP : 0, sb,
				opts, kern_flags, set_kern_flags);
}
EXPORT_SYMBOL(security_sb_set_mnt_opts);

/**
 * security_sb_clone_mnt_opts - copy security mount options between superblocks
 * @oldsb: source superblock
 * @newsb: destination superblock
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_sb_clone_mnt_opts(const struct super_block *oldsb,
				struct super_block *newsb)
{
	return call_int_hook(sb_clone_mnt_opts, 0, oldsb, newsb);
}
EXPORT_SYMBOL(security_sb_clone_mnt_opts);

/**
 * security_sb_parse_opts_str - parse a mount option string into @opts
 * @options: option string
 * @opts: parsed result
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
{
	return call_int_hook(sb_parse_opts_str, 0, options, opts);
}
EXPORT_SYMBOL(security_sb_parse_opts_str);

/**
 * security_inode_alloc - allocate LSM state for an inode
 * @inode: the inode
 *
 * i_security is cleared before the hooks run so a failed or absent hook
 * never leaves a stale pointer behind.
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_inode_alloc(struct inode *inode)
{
	inode->i_security = NULL;
	return call_int_hook(inode_alloc_security, 0, inode);
}

/**
 * security_inode_free - release integrity and LSM state of an inode
 * @inode: the inode
 */
void security_inode_free(struct inode *inode)
{
	integrity_inode_free(inode);
	call_void_hook(inode_free_security, inode);
}

/**
 * security_dentry_init_security - obtain a security context for a new dentry
 * @dentry: the dentry
 * @mode: file mode
 * @name: name being created
 * @ctx: receives the context
 * @ctxlen: receives the context length
 *
 * Return: 0 on success, -EOPNOTSUPP if no LSM provides the hook, else the
 * first non-zero hook result.
 */
int security_dentry_init_security(struct dentry *dentry, int mode,
					const struct qstr *name, void **ctx,
					u32 *ctxlen)
{
	return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode,
				name, ctx, ctxlen);
}
EXPORT_SYMBOL(security_dentry_init_security);

/**
 * security_dentry_create_files_as - set up creds for creating files under @dentry
 * @dentry: the dentry
 * @mode: file mode
 * @name: name being created
 * @old: current credentials
 * @new: credentials being prepared
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_dentry_create_files_as(struct dentry *dentry, int mode,
				    struct qstr *name,
				    const struct cred *old, struct cred *new)
{
	return call_int_hook(dentry_create_files_as, 0, dentry, mode,
				name, old, new);
}
EXPORT_SYMBOL(security_dentry_create_files_as);

/**
 * security_inode_init_security - set initial security xattrs on a new inode
 * @inode: the new inode
 * @dir: its parent directory
 * @qstr: name of the new entry
 * @initxattrs: filesystem callback that writes the xattrs, or NULL
 * @fs_data: opaque data passed to @initxattrs
 *
 * Without @initxattrs the LSM hook is only asked whether it has anything
 * to say (all output pointers NULL) and its result is returned as-is,
 * including -EOPNOTSUPP.  Otherwise the LSM fills the first xattr slot,
 * EVM may fill the second, and @initxattrs writes them.  The xattr
 * values are freed here in every case.
 *
 * Return: 0 on success or when no LSM supports the hook (-EOPNOTSUPP is
 * mapped to 0 on this path), else a negative error.
 */
int security_inode_init_security(struct inode *inode, struct inode *dir,
				 const struct qstr *qstr,
				 const initxattrs initxattrs, void *fs_data)
{
	/* One slot per possible producer plus a zeroed terminator. */
	struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1];
	struct xattr *lsm_xattr, *evm_xattr, *xattr;
	int ret;

	if (unlikely(IS_PRIVATE(inode)))
		return 0;

	if (!initxattrs)
		return call_int_hook(inode_init_security, -EOPNOTSUPP, inode,
				     dir, qstr, NULL, NULL, NULL);
	/* Zeroing makes the ->value == NULL terminator below valid. */
	memset(new_xattrs, 0, sizeof(new_xattrs));
	lsm_xattr = new_xattrs;
	ret = call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, qstr,
						&lsm_xattr->name,
						&lsm_xattr->value,
						&lsm_xattr->value_len);
	if (ret)
		goto out;

	evm_xattr = lsm_xattr + 1;
	ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
	if (ret)
		goto out;
	ret = initxattrs(inode, new_xattrs, fs_data);
out:
	/* Stops at the first unfilled slot; the +1 entry guarantees one. */
	for (xattr = new_xattrs; xattr->value != NULL; xattr++)
		kfree(xattr->value);
	return (ret == -EOPNOTSUPP) ? 0 : ret;
}
EXPORT_SYMBOL(security_inode_init_security);

/**
 * security_old_inode_init_security - single-xattr variant of inode init
 * @inode: the new inode
 * @dir: its parent directory
 * @qstr: name of the new entry
 * @name: receives the xattr name
 * @value: receives the xattr value (caller frees)
 * @len: receives the value length
 *
 * Private inodes and the no-LSM case both yield -EOPNOTSUPP; unlike
 * security_inode_init_security() that is not mapped to 0 here.
 *
 * Return: 0 on success, -EOPNOTSUPP as described, else the first
 * non-zero hook result.
 */
int security_old_inode_init_security(struct inode *inode, struct inode *dir,
				     const struct qstr *qstr, const char **name,
				     void **value, size_t *len)
{
	if (unlikely(IS_PRIVATE(inode)))
		return -EOPNOTSUPP;
	return call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir,
			     qstr, name, value, len);
}
EXPORT_SYMBOL(security_old_inode_init_security);
459

/*
 * Path-based hooks.  Each one is skipped (returns 0) when the inode
 * backing the relevant dentry is private, except path_chroot which has
 * no such check.  Return values follow call_int_hook(): 0 if every LSM
 * allows the operation, else the first non-zero hook result.
 */
#ifdef CONFIG_SECURITY_PATH
int security_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode,
			unsigned int dev)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
		return 0;
	return call_int_hook(path_mknod, 0, dir, dentry, mode, dev);
}
EXPORT_SYMBOL(security_path_mknod);

int security_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t mode)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
		return 0;
	return call_int_hook(path_mkdir, 0, dir, dentry, mode);
}
EXPORT_SYMBOL(security_path_mkdir);

int security_path_rmdir(const struct path *dir, struct dentry *dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
		return 0;
	return call_int_hook(path_rmdir, 0, dir, dentry);
}

int security_path_unlink(const struct path *dir, struct dentry *dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
		return 0;
	return call_int_hook(path_unlink, 0, dir, dentry);
}
EXPORT_SYMBOL(security_path_unlink);

int security_path_symlink(const struct path *dir, struct dentry *dentry,
			  const char *old_name)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
		return 0;
	return call_int_hook(path_symlink, 0, dir, dentry, old_name);
}

/* The privacy check here is on the link target, not on @new_dir. */
int security_path_link(struct dentry *old_dentry, const struct path *new_dir,
		       struct dentry *new_dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))
		return 0;
	return call_int_hook(path_link, 0, old_dentry, new_dir, new_dentry);
}

/*
 * For RENAME_EXCHANGE both names change hands, so the hooks are also
 * asked about the reverse direction first; either refusal ends it.
 */
int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,
			 const struct path *new_dir, struct dentry *new_dentry,
			 unsigned int flags)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||
		     (d_is_positive(new_dentry) && IS_PRIVATE(d_backing_inode(new_dentry)))))
		return 0;

	if (flags & RENAME_EXCHANGE) {
		int err = call_int_hook(path_rename, 0, new_dir, new_dentry,
					old_dir, old_dentry);
		if (err)
			return err;
	}

	return call_int_hook(path_rename, 0, old_dir, old_dentry, new_dir,
				new_dentry);
}
EXPORT_SYMBOL(security_path_rename);

int security_path_truncate(const struct path *path)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
		return 0;
	return call_int_hook(path_truncate, 0, path);
}

int security_path_chmod(const struct path *path, umode_t mode)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
		return 0;
	return call_int_hook(path_chmod, 0, path, mode);
}

int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
		return 0;
	return call_int_hook(path_chown, 0, path, uid, gid);
}

/* No IS_PRIVATE short-circuit: the hooks always see a chroot. */
int security_path_chroot(const struct path *path)
{
	return call_int_hook(path_chroot, 0, path);
}
#endif

/*
 * Inode-based namespace hooks.  Operations on a private inode are
 * allowed without consulting the LSMs; which inode is checked (the
 * directory or the object itself) is noted per function.  Results
 * follow call_int_hook(): 0 if every LSM allows the operation, else the
 * first non-zero hook result.
 */

/* Private check is on the parent @dir. */
int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
{
	if (unlikely(IS_PRIVATE(dir)))
		return 0;
	return call_int_hook(inode_create, 0, dir, dentry, mode);
}
EXPORT_SYMBOL_GPL(security_inode_create);

/* Private check is on the link target @old_dentry. */
int security_inode_link(struct dentry *old_dentry, struct inode *dir,
			 struct dentry *new_dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))
		return 0;
	return call_int_hook(inode_link, 0, old_dentry, dir, new_dentry);
}

/* Private check is on the object being removed. */
int security_inode_unlink(struct inode *dir, struct dentry *dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	return call_int_hook(inode_unlink, 0, dir, dentry);
}

/* Private check is on the parent @dir. */
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
			    const char *old_name)
{
	if (unlikely(IS_PRIVATE(dir)))
		return 0;
	return call_int_hook(inode_symlink, 0, dir, dentry, old_name);
}

/* Private check is on the parent @dir. */
int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
{
	if (unlikely(IS_PRIVATE(dir)))
		return 0;
	return call_int_hook(inode_mkdir, 0, dir, dentry, mode);
}
EXPORT_SYMBOL_GPL(security_inode_mkdir);

/* Private check is on the directory being removed. */
int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	return call_int_hook(inode_rmdir, 0, dir, dentry);
}

/* Private check is on the parent @dir. */
int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
{
	if (unlikely(IS_PRIVATE(dir)))
		return 0;
	return call_int_hook(inode_mknod, 0, dir, dentry, mode, dev);
}

/**
 * security_inode_rename - check a rename
 * @old_dir: directory the entry moves out of
 * @old_dentry: entry being renamed
 * @new_dir: directory the entry moves into
 * @new_dentry: target name (may be negative)
 * @flags: RENAME_* flags
 *
 * A private source, or a private existing target, is allowed without
 * consulting the LSMs.  For RENAME_EXCHANGE both names change hands,
 * so the hooks are also asked about the reverse direction first; any
 * refusal ends the request.
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
			   struct inode *new_dir, struct dentry *new_dentry,
			   unsigned int flags)
{
	int rc;

	if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))
		return 0;
	if (d_is_positive(new_dentry) &&
	    unlikely(IS_PRIVATE(d_backing_inode(new_dentry))))
		return 0;

	if (flags & RENAME_EXCHANGE) {
		rc = call_int_hook(inode_rename, 0, new_dir, new_dentry,
				   old_dir, old_dentry);
		if (rc)
			return rc;
	}

	return call_int_hook(inode_rename, 0, old_dir, old_dentry,
			     new_dir, new_dentry);
}

/**
 * security_inode_readlink - check reading a symlink
 * @dentry: the symlink
 *
 * Return: 0 if private or every LSM allows it, else the first non-zero
 * hook result.
 */
int security_inode_readlink(struct dentry *dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	return call_int_hook(inode_readlink, 0, dentry);
}

/**
 * security_inode_follow_link - check following a symlink
 * @dentry: the symlink
 * @inode: its inode (checked for IS_PRIVATE directly)
 * @rcu: true when called under RCU walk
 *
 * Return: 0 if private or every LSM allows it, else the first non-zero
 * hook result.
 */
int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
			       bool rcu)
{
	if (unlikely(IS_PRIVATE(inode)))
		return 0;
	return call_int_hook(inode_follow_link, 0, dentry, inode, rcu);
}

/**
 * security_inode_permission - check access to an inode
 * @inode: the inode
 * @mask: MAY_* access mask
 *
 * Return: 0 if private or every LSM allows it, else the first non-zero
 * hook result.
 */
int security_inode_permission(struct inode *inode, int mask)
{
	if (unlikely(IS_PRIVATE(inode)))
		return 0;
	return call_int_hook(inode_permission, 0, inode, mask);
}

/**
 * security_inode_setattr - check an attribute change, then let EVM see it
 * @dentry: the object
 * @attr: requested attribute changes
 *
 * EVM's check runs only when all LSM hooks accept.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
{
	int ret;

	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	ret = call_int_hook(inode_setattr, 0, dentry, attr);
	if (ret)
		return ret;
	return evm_inode_setattr(dentry, attr);
}
EXPORT_SYMBOL_GPL(security_inode_setattr);

/**
 * security_inode_getattr - check reading an inode's attributes
 * @path: the object
 *
 * Return: 0 if private or every LSM allows it, else the first non-zero
 * hook result.
 */
int security_inode_getattr(const struct path *path)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
		return 0;
	return call_int_hook(inode_getattr, 0, path);
}

/**
 * security_inode_setxattr - check setting an extended attribute
 * @dentry: the object
 * @name: attribute name
 * @value: attribute value
 * @size: length of @value
 * @flags: XATTR_* flags
 *
 * The LSM hooks run with a default of 1, which only survives when no
 * LSM provides inode_setxattr; in that case the capability check is
 * made here.  SELinux and Smack integrate that cap call themselves, so
 * every LSM supplying the hook is assumed to do so.  IMA and then EVM
 * get their say only if everything before them accepted.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_inode_setxattr(struct dentry *dentry, const char *name,
			    const void *value, size_t size, int flags)
{
	int rc;

	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;

	rc = call_int_hook(inode_setxattr, 1, dentry, name, value, size,
			   flags);
	if (rc == 1)
		rc = cap_inode_setxattr(dentry, name, value, size, flags);
	if (!rc)
		rc = ima_inode_setxattr(dentry, name, value, size);
	if (!rc)
		rc = evm_inode_setxattr(dentry, name, value, size);
	return rc;
}

/**
 * security_inode_post_setxattr - notify LSMs and EVM after an xattr was set
 * @dentry: the object
 * @name: attribute name
 * @value: attribute value
 * @size: length of @value
 * @flags: XATTR_* flags
 *
 * Nothing is done for private inodes.
 */
void security_inode_post_setxattr(struct dentry *dentry, const char *name,
				  const void *value, size_t size, int flags)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return;
	call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
	evm_inode_post_setxattr(dentry, name, value, size);
}

/**
 * security_inode_getxattr - check reading an extended attribute
 * @dentry: the object
 * @name: attribute name
 *
 * Return: 0 if private or every LSM allows it, else the first non-zero
 * hook result.
 */
int security_inode_getxattr(struct dentry *dentry, const char *name)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	return call_int_hook(inode_getxattr, 0, dentry, name);
}

/**
 * security_inode_listxattr - check listing extended attributes
 * @dentry: the object
 *
 * Return: 0 if private or every LSM allows it, else the first non-zero
 * hook result.
 */
int security_inode_listxattr(struct dentry *dentry)
{
	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;
	return call_int_hook(inode_listxattr, 0, dentry);
}

/**
 * security_inode_removexattr - check removing an extended attribute
 * @dentry: the object
 * @name: attribute name
 *
 * Mirrors security_inode_setxattr(): the default of 1 only survives when
 * no LSM provides inode_removexattr, and then the capability check is
 * made here (SELinux and Smack integrate it themselves, so any LSM
 * supplying the hook is assumed to).  IMA and then EVM run only if
 * everything before them accepted.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_inode_removexattr(struct dentry *dentry, const char *name)
{
	int rc;

	if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
		return 0;

	rc = call_int_hook(inode_removexattr, 1, dentry, name);
	if (rc == 1)
		rc = cap_inode_removexattr(dentry, name);
	if (!rc)
		rc = ima_inode_removexattr(dentry, name);
	if (!rc)
		rc = evm_inode_removexattr(dentry, name);
	return rc;
}

/**
 * security_inode_need_killpriv - ask whether privileges on @dentry must be dropped
 * @dentry: the object
 *
 * Return: 0 if no LSM requires it, else the first non-zero hook result.
 */
int security_inode_need_killpriv(struct dentry *dentry)
{
	return call_int_hook(inode_need_killpriv, 0, dentry);
}

/**
 * security_inode_killpriv - drop privileges attached to @dentry
 * @dentry: the object
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_inode_killpriv(struct dentry *dentry)
{
	return call_int_hook(inode_killpriv, 0, dentry);
}

/**
 * security_inode_getsecurity - read an LSM-owned security attribute
 * @inode: the inode
 * @name: attribute name (without the security. prefix)
 * @buffer: receives the value
 * @alloc: whether the hook should allocate *@buffer
 *
 * Attribute names are owned by a single module, so the first hook that
 * does not answer -EOPNOTSUPP decides.
 *
 * Return: the deciding hook's result, or -EOPNOTSUPP if the inode is
 * private or no module claims @name.
 */
int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
{
	struct security_hook_list *hp;

	if (unlikely(IS_PRIVATE(inode)))
		return -EOPNOTSUPP;

	list_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {
		int rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc);

		if (rc != -EOPNOTSUPP)
			return rc;
	}
	return -EOPNOTSUPP;
}

/**
 * security_inode_setsecurity - write an LSM-owned security attribute
 * @inode: the inode
 * @name: attribute name (without the security. prefix)
 * @value: new value
 * @size: length of @value
 * @flags: XATTR_* flags
 *
 * As with security_inode_getsecurity(), the first hook that does not
 * answer -EOPNOTSUPP owns @name and decides.
 *
 * Return: the deciding hook's result, or -EOPNOTSUPP if the inode is
 * private or no module claims @name.
 */
int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
{
	struct security_hook_list *hp;

	if (unlikely(IS_PRIVATE(inode)))
		return -EOPNOTSUPP;

	list_for_each_entry(hp, &security_hook_heads.inode_setsecurity, list) {
		int rc = hp->hook.inode_setsecurity(inode, name, value, size,
						    flags);

		if (rc != -EOPNOTSUPP)
			return rc;
	}
	return -EOPNOTSUPP;
}

/**
 * security_inode_listsecurity - list LSM-owned security attribute names
 * @inode: the inode
 * @buffer: receives the names
 * @buffer_size: size of @buffer
 *
 * Return: 0 for a private inode, else the first non-zero hook result
 * (or 0).
 */
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
{
	if (unlikely(IS_PRIVATE(inode)))
		return 0;
	return call_int_hook(inode_listsecurity, 0, inode, buffer, buffer_size);
}
EXPORT_SYMBOL(security_inode_listsecurity);

/**
 * security_inode_getsecid - fetch an inode's security id
 * @inode: the inode
 * @secid: receives the id
 *
 * Note that, unlike security_task_getsecid() and security_ipc_getsecid()
 * below, *@secid is not zeroed here first; if no LSM supplies the hook
 * it is left untouched.
 */
void security_inode_getsecid(struct inode *inode, u32 *secid)
{
	call_void_hook(inode_getsecid, inode, secid);
}

/**
 * security_inode_copy_up - prepare creds for copying up an overlay file
 * @src: the lower file
 * @new: credentials to use for the copy
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_inode_copy_up(struct dentry *src, struct cred **new)
{
	return call_int_hook(inode_copy_up, 0, src, new);
}
EXPORT_SYMBOL(security_inode_copy_up);

/**
 * security_inode_copy_up_xattr - ask whether an xattr is copied up
 * @name: attribute name
 *
 * Return: -EOPNOTSUPP when no LSM has an opinion, else the first non-zero
 * hook result.
 */
int security_inode_copy_up_xattr(const char *name)
{
	return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
}
EXPORT_SYMBOL(security_inode_copy_up_xattr);

/**
 * security_file_permission - check an access on an open file
 * @file: the file
 * @mask: MAY_* access mask
 *
 * fsnotify is consulted only after every LSM accepted.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_file_permission(struct file *file, int mask)
{
	int ret;

	ret = call_int_hook(file_permission, 0, file, mask);
	if (ret)
		return ret;

	return fsnotify_perm(file, mask);
}

/**
 * security_file_alloc - allocate LSM state for a file
 * @file: the file
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_file_alloc(struct file *file)
{
	return call_int_hook(file_alloc_security, 0, file);
}

/**
 * security_file_free - release LSM state of a file
 * @file: the file
 */
void security_file_free(struct file *file)
{
	call_void_hook(file_free_security, file);
}

/**
 * security_file_ioctl - check an ioctl
 * @file: the file
 * @cmd: ioctl command
 * @arg: ioctl argument
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
{
	return call_int_hook(file_ioctl, 0, file, cmd, arg);
}

/*
 * Compute the protection the LSMs should judge for an mmap: the caller's
 * @prot, plus PROT_EXEC when the READ_IMPLIES_EXEC personality would add
 * it implicitly to a readable, non-executable request.  Used as the
 * third argument of the mmap_file hook in security_mmap_file().
 */
static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
{
	/*
	 * Do we have PROT_READ and does the application expect
	 * it to imply PROT_EXEC?  If not, nothing to talk about...
	 */
	if ((prot & (PROT_READ | PROT_EXEC)) != PROT_READ)
		return prot;
	if (!(current->personality & READ_IMPLIES_EXEC))
		return prot;
	/*
	 * if that's an anonymous mapping, let it.
	 */
	if (!file)
		return prot | PROT_EXEC;
	/*
	 * ditto if it's not on noexec mount, except that on !MMU we need
	 * NOMMU_MAP_EXEC (== VM_MAYEXEC) in this case
	 */
	if (!path_noexec(&file->f_path)) {
#ifndef CONFIG_MMU
		if (file->f_op->mmap_capabilities) {
			unsigned caps = file->f_op->mmap_capabilities(file);
			if (!(caps & NOMMU_MAP_EXEC))
				return prot;
		}
#endif
		return prot | PROT_EXEC;
	}
	/* anything on noexec mount won't get PROT_EXEC */
	return prot;
}

/**
 * security_mmap_file - check an mmap of @file (or anonymous memory)
 * @file: the file, or NULL
 * @prot: protection requested by the caller
 * @flags: mmap flags
 *
 * The hooks see both the requested @prot and the effective protection
 * from mmap_prot(); IMA runs only after every LSM accepted.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_mmap_file(struct file *file, unsigned long prot,
			unsigned long flags)
{
	int ret;
	ret = call_int_hook(mmap_file, 0, file, prot,
					mmap_prot(file, prot), flags);
	if (ret)
		return ret;
	return ima_file_mmap(file, prot);
}

/**
 * security_mmap_addr - check mapping at a given address
 * @addr: requested address
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_mmap_addr(unsigned long addr)
{
	return call_int_hook(mmap_addr, 0, addr);
}

/**
 * security_file_mprotect - check an mprotect
 * @vma: the mapping
 * @reqprot: protection requested by the caller
 * @prot: protection that will be applied
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
			    unsigned long prot)
{
	return call_int_hook(file_mprotect, 0, vma, reqprot, prot);
}

/**
 * security_file_lock - check a file lock operation
 * @file: the file
 * @cmd: lock command
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_file_lock(struct file *file, unsigned int cmd)
{
	return call_int_hook(file_lock, 0, file, cmd);
}

/**
 * security_file_fcntl - check an fcntl
 * @file: the file
 * @cmd: fcntl command
 * @arg: fcntl argument
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
{
	return call_int_hook(file_fcntl, 0, file, cmd, arg);
}

/**
 * security_file_set_fowner - record the owner of a file for SIGIO delivery
 * @file: the file
 */
void security_file_set_fowner(struct file *file)
{
	call_void_hook(file_set_fowner, file);
}

/**
 * security_file_send_sigiotask - check delivering SIGIO/SIGURG to @tsk
 * @tsk: receiving task
 * @fown: file owner information
 * @sig: signal to send
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_file_send_sigiotask(struct task_struct *tsk,
				  struct fown_struct *fown, int sig)
{
	return call_int_hook(file_send_sigiotask, 0, tsk, fown, sig);
}

/**
 * security_file_receive - check receiving a file descriptor
 * @file: the file
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_file_receive(struct file *file)
{
	return call_int_hook(file_receive, 0, file);
}

/**
 * security_file_open - check opening a file
 * @file: the file
 * @cred: credentials of the opener
 *
 * fsnotify is told about the open (MAY_OPEN) only after every LSM
 * accepted.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_file_open(struct file *file, const struct cred *cred)
{
	int ret;

	ret = call_int_hook(file_open, 0, file, cred);
	if (ret)
		return ret;

	return fsnotify_perm(file, MAY_OPEN);
}

/**
 * security_task_create - check creating a new task
 * @clone_flags: clone(2) flags
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_task_create(unsigned long clone_flags)
{
	return call_int_hook(task_create, 0, clone_flags);
}

/**
 * security_task_free - release LSM state of a task
 * @task: the task
 */
void security_task_free(struct task_struct *task)
{
	call_void_hook(task_free, task);
}

/**
 * security_cred_alloc_blank - allocate empty LSM state for credentials
 * @cred: the credentials
 * @gfp: allocation flags
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
	return call_int_hook(cred_alloc_blank, 0, cred, gfp);
}

/**
 * security_cred_free - release LSM state of credentials
 * @cred: the credentials
 */
void security_cred_free(struct cred *cred)
{
	call_void_hook(cred_free, cred);
}

/**
 * security_prepare_creds - set up LSM state of new credentials from @old
 * @new: credentials being prepared
 * @old: credentials they derive from
 * @gfp: allocation flags
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
{
	return call_int_hook(cred_prepare, 0, new, old, gfp);
}

/**
 * security_transfer_creds - copy LSM state from @old to @new
 * @new: destination credentials
 * @old: source credentials
 */
void security_transfer_creds(struct cred *new, const struct cred *old)
{
	call_void_hook(cred_transfer, new, old);
}

/**
 * security_kernel_act_as - make @new act with security id @secid
 * @new: credentials being prepared
 * @secid: security id to assume
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_kernel_act_as(struct cred *new, u32 secid)
{
	return call_int_hook(kernel_act_as, 0, new, secid);
}

/**
 * security_kernel_create_files_as - make @new create files as @inode's owner would
 * @new: credentials being prepared
 * @inode: inode supplying the context
 *
 * Return: 0 on success, else the first non-zero hook result.
 */
int security_kernel_create_files_as(struct cred *new, struct inode *inode)
{
	return call_int_hook(kernel_create_files_as, 0, new, inode);
}

/**
 * security_kernel_module_request - check a kernel-initiated module load request
 * @kmod_name: module name
 *
 * Return: 0 if every LSM allows it, else the first non-zero hook result.
 */
int security_kernel_module_request(char *kmod_name)
{
	return call_int_hook(kernel_module_request, 0, kmod_name);
}

/**
 * security_kernel_read_file - check the kernel reading @file for purpose @id
 * @file: the file
 * @id: what the contents are for
 *
 * IMA runs only after every LSM accepted.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_kernel_read_file(struct file *file, enum kernel_read_file_id id)
{
	int ret;

	ret = call_int_hook(kernel_read_file, 0, file, id);
	if (ret)
		return ret;
	return ima_read_file(file, id);
}
EXPORT_SYMBOL_GPL(security_kernel_read_file);

/**
 * security_kernel_post_read_file - check file contents the kernel has read
 * @file: the file
 * @buf: contents
 * @size: length of @buf
 * @id: what the contents are for
 *
 * IMA runs only after every LSM accepted.
 *
 * Return: 0 on success, else the first non-zero result.
 */
int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
				   enum kernel_read_file_id id)
{
	int ret;

	ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id);
	if (ret)
		return ret;
	return ima_post_read_file(file, buf, size, id);
}
EXPORT_SYMBOL_GPL(security_kernel_post_read_file);

int security_task_fix_setuid(struct cred *new, const struct cred *old,
			     int flags)
998
{
999
	return call_int_hook(task_fix_setuid, 0, new, old, flags);
1000 1001 1002 1003
}

int security_task_setpgid(struct task_struct *p, pid_t pgid)
{
1004
	return call_int_hook(task_setpgid, 0, p, pgid);
1005 1006 1007 1008
}

int security_task_getpgid(struct task_struct *p)
{
1009
	return call_int_hook(task_getpgid, 0, p);
1010 1011 1012 1013
}

int security_task_getsid(struct task_struct *p)
{
1014
	return call_int_hook(task_getsid, 0, p);
1015 1016 1017 1018
}

void security_task_getsecid(struct task_struct *p, u32 *secid)
{
C
Casey Schaufler 已提交
1019
	*secid = 0;
1020
	call_void_hook(task_getsecid, p, secid);
1021 1022 1023 1024 1025
}
EXPORT_SYMBOL(security_task_getsecid);

int security_task_setnice(struct task_struct *p, int nice)
{
1026
	return call_int_hook(task_setnice, 0, p, nice);
1027 1028 1029 1030
}

int security_task_setioprio(struct task_struct *p, int ioprio)
{
1031
	return call_int_hook(task_setioprio, 0, p, ioprio);
1032 1033 1034 1035
}

int security_task_getioprio(struct task_struct *p)
{
1036
	return call_int_hook(task_getioprio, 0, p);
1037 1038
}

1039 1040 1041 1042 1043 1044
int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
			  unsigned int flags)
{
	return call_int_hook(task_prlimit, 0, cred, tcred, flags);
}

1045 1046
/**
 * security_task_setrlimit - check changing a resource limit of @p
 * @p: the target task
 * @resource: which RLIMIT_* is being changed
 * @new_rlim: the proposed new limit
 *
 * Dispatches the task_setrlimit hook with a default result of 0.
 */
int security_task_setrlimit(struct task_struct *p, unsigned int resource,
		struct rlimit *new_rlim)
{
	int rc;

	rc = call_int_hook(task_setrlimit, 0, p, resource, new_rlim);
	return rc;
}

/**
 * security_task_setscheduler - check changing scheduling parameters of @p
 * @p: the target task
 *
 * Dispatches the task_setscheduler hook with a default result of 0.
 */
int security_task_setscheduler(struct task_struct *p)
{
	int rc;

	rc = call_int_hook(task_setscheduler, 0, p);
	return rc;
}

/**
 * security_task_getscheduler - check reading scheduling parameters of @p
 * @p: the task being queried
 *
 * Dispatches the task_getscheduler hook with a default result of 0.
 */
int security_task_getscheduler(struct task_struct *p)
{
	int rc;

	rc = call_int_hook(task_getscheduler, 0, p);
	return rc;
}

/**
 * security_task_movememory - check moving the memory of @p between nodes
 * @p: the target task
 *
 * Dispatches the task_movememory hook with a default result of 0.
 */
int security_task_movememory(struct task_struct *p)
{
	int rc;

	rc = call_int_hook(task_movememory, 0, p);
	return rc;
}

/**
 * security_task_kill - check delivering a signal to @p
 * @p: the task that would receive the signal
 * @info: signal information supplied by the sender
 * @sig: the signal number
 * @secid: security id of the sender, handed to the hook as-is
 *
 * Dispatches the task_kill hook with a default result of 0.
 */
int security_task_kill(struct task_struct *p, struct siginfo *info,
			int sig, u32 secid)
{
	int rc;

	rc = call_int_hook(task_kill, 0, p, info, sig, secid);
	return rc;
}

/**
 * security_task_prctl - give LSMs a chance to handle or veto a prctl() option
 * @option: the prctl() option
 * @arg2: first option argument
 * @arg3: second option argument
 * @arg4: third option argument
 * @arg5: fourth option argument
 *
 * This cannot use call_int_hook() because -ENOSYS has a special meaning:
 * an LSM returns it to say "I do not handle @option", and such answers are
 * skipped.  The result is -ENOSYS if nobody handled the option, otherwise the
 * first non-zero answer from an LSM that did (iteration stops there), or 0
 * if every handling LSM allowed it.
 */
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
			 unsigned long arg4, unsigned long arg5)
{
	struct security_hook_list *entry;
	int verdict = -ENOSYS;

	list_for_each_entry(entry, &security_hook_heads.task_prctl, list) {
		int cur = entry->hook.task_prctl(option, arg2, arg3, arg4, arg5);

		if (cur == -ENOSYS)
			continue;	/* this LSM does not claim @option */
		verdict = cur;
		if (cur)
			break;		/* first denial/error wins */
	}
	return verdict;
}

/**
 * security_task_to_inode - label an inode that represents a task (e.g. in procfs)
 * @p: the task the inode stands for
 * @inode: the inode to label
 *
 * Void dispatch of the task_to_inode hook; every registered LSM is called.
 */
void security_task_to_inode(struct task_struct *p, struct inode *inode)
{
	call_void_hook(task_to_inode, p, inode);
}

/**
 * security_ipc_permission - generic access check on a System V IPC object
 * @ipcp: the IPC object's permission record
 * @flag: the requested access, forwarded to the hook unchanged
 *
 * Dispatches the ipc_permission hook with a default result of 0.
 */
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
{
	int rc;

	rc = call_int_hook(ipc_permission, 0, ipcp, flag);
	return rc;
}

/**
 * security_ipc_getsecid - fetch the security id of a System V IPC object
 * @ipcp: the IPC object's permission record
 * @secid: output; cleared to 0 before the hooks run so the caller never sees
 *         an uninitialised value when no LSM provides a label
 */
void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
{
	*secid = 0;	/* defined "unlabelled" answer if no hook writes it */
	call_void_hook(ipc_getsecid, ipcp, secid);
}

/**
 * security_msg_msg_alloc - allocate LSM state for a System V message
 * @msg: the message being created
 *
 * Dispatches msg_msg_alloc_security with a default result of 0.
 */
int security_msg_msg_alloc(struct msg_msg *msg)
{
	int rc;

	rc = call_int_hook(msg_msg_alloc_security, 0, msg);
	return rc;
}

/**
 * security_msg_msg_free - release LSM state attached to a System V message
 * @msg: the message being destroyed
 *
 * Counterpart of security_msg_msg_alloc(); void dispatch to every LSM.
 */
void security_msg_msg_free(struct msg_msg *msg)
{
	call_void_hook(msg_msg_free_security, msg);
}

/**
 * security_msg_queue_alloc - allocate LSM state for a System V message queue
 * @msq: the queue being created
 *
 * Dispatches msg_queue_alloc_security with a default result of 0.
 */
int security_msg_queue_alloc(struct msg_queue *msq)
{
	int rc;

	rc = call_int_hook(msg_queue_alloc_security, 0, msq);
	return rc;
}

/**
 * security_msg_queue_free - release LSM state of a System V message queue
 * @msq: the queue being destroyed
 *
 * Counterpart of security_msg_queue_alloc(); void dispatch to every LSM.
 */
void security_msg_queue_free(struct msg_queue *msq)
{
	call_void_hook(msg_queue_free_security, msq);
}

/**
 * security_msg_queue_associate - check msgget() on an existing queue
 * @msq: the queue being looked up
 * @msqflg: the msgget() flags, forwarded unchanged
 *
 * Dispatches the msg_queue_associate hook with a default result of 0.
 */
int security_msg_queue_associate(struct msg_queue *msq, int msqflg)
{
	int rc;

	rc = call_int_hook(msg_queue_associate, 0, msq, msqflg);
	return rc;
}

/**
 * security_msg_queue_msgctl - check a msgctl() command on a queue
 * @msq: the queue (may be irrelevant for some commands; the hook decides)
 * @cmd: the msgctl() command
 *
 * Dispatches the msg_queue_msgctl hook with a default result of 0.
 */
int security_msg_queue_msgctl(struct msg_queue *msq, int cmd)
{
	int rc;

	rc = call_int_hook(msg_queue_msgctl, 0, msq, cmd);
	return rc;
}

/**
 * security_msg_queue_msgsnd - check sending @msg to @msq
 * @msq: the destination queue
 * @msg: the message being sent
 * @msqflg: the msgsnd() flags, forwarded unchanged
 *
 * Dispatches the msg_queue_msgsnd hook with a default result of 0.
 */
int security_msg_queue_msgsnd(struct msg_queue *msq,
			       struct msg_msg *msg, int msqflg)
{
	int rc;

	rc = call_int_hook(msg_queue_msgsnd, 0, msq, msg, msqflg);
	return rc;
}

/**
 * security_msg_queue_msgrcv - check delivering @msg from @msq to @target
 * @msq: the source queue
 * @msg: the message about to be handed out
 * @target: the task that will receive it
 * @type: the requested message type
 * @mode: the msgrcv() mode bits, forwarded unchanged
 *
 * Dispatches the msg_queue_msgrcv hook with a default result of 0.
 */
int security_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
			       struct task_struct *target, long type, int mode)
{
	int rc;

	rc = call_int_hook(msg_queue_msgrcv, 0, msq, msg, target, type, mode);
	return rc;
}

/**
 * security_shm_alloc - allocate LSM state for a System V shared memory segment
 * @shp: the segment being created
 *
 * Dispatches shm_alloc_security with a default result of 0.
 */
int security_shm_alloc(struct shmid_kernel *shp)
{
	int rc;

	rc = call_int_hook(shm_alloc_security, 0, shp);
	return rc;
}

/**
 * security_shm_free - release LSM state of a shared memory segment
 * @shp: the segment being destroyed
 *
 * Counterpart of security_shm_alloc(); void dispatch to every LSM.
 */
void security_shm_free(struct shmid_kernel *shp)
{
	call_void_hook(shm_free_security, shp);
}

/**
 * security_shm_associate - check shmget() on an existing segment
 * @shp: the segment being looked up
 * @shmflg: the shmget() flags, forwarded unchanged
 *
 * Dispatches the shm_associate hook with a default result of 0.
 */
int security_shm_associate(struct shmid_kernel *shp, int shmflg)
{
	int rc;

	rc = call_int_hook(shm_associate, 0, shp, shmflg);
	return rc;
}

/**
 * security_shm_shmctl - check a shmctl() command on a segment
 * @shp: the segment
 * @cmd: the shmctl() command
 *
 * Dispatches the shm_shmctl hook with a default result of 0.
 */
int security_shm_shmctl(struct shmid_kernel *shp, int cmd)
{
	int rc;

	rc = call_int_hook(shm_shmctl, 0, shp, cmd);
	return rc;
}

/**
 * security_shm_shmat - check attaching a segment into the caller's address space
 * @shp: the segment
 * @shmaddr: user-requested attach address (a userspace pointer, not dereferenced here)
 * @shmflg: the shmat() flags, forwarded unchanged
 *
 * Dispatches the shm_shmat hook with a default result of 0.
 */
int security_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, int shmflg)
{
	int rc;

	rc = call_int_hook(shm_shmat, 0, shp, shmaddr, shmflg);
	return rc;
}

/**
 * security_sem_alloc - allocate LSM state for a System V semaphore array
 * @sma: the array being created
 *
 * Dispatches sem_alloc_security with a default result of 0.
 */
int security_sem_alloc(struct sem_array *sma)
{
	int rc;

	rc = call_int_hook(sem_alloc_security, 0, sma);
	return rc;
}

/**
 * security_sem_free - release LSM state of a semaphore array
 * @sma: the array being destroyed
 *
 * Counterpart of security_sem_alloc(); void dispatch to every LSM.
 */
void security_sem_free(struct sem_array *sma)
{
	call_void_hook(sem_free_security, sma);
}

/**
 * security_sem_associate - check semget() on an existing array
 * @sma: the array being looked up
 * @semflg: the semget() flags, forwarded unchanged
 *
 * Dispatches the sem_associate hook with a default result of 0.
 */
int security_sem_associate(struct sem_array *sma, int semflg)
{
	int rc;

	rc = call_int_hook(sem_associate, 0, sma, semflg);
	return rc;
}

/**
 * security_sem_semctl - check a semctl() command on an array
 * @sma: the array
 * @cmd: the semctl() command
 *
 * Dispatches the sem_semctl hook with a default result of 0.
 */
int security_sem_semctl(struct sem_array *sma, int cmd)
{
	int rc;

	rc = call_int_hook(sem_semctl, 0, sma, cmd);
	return rc;
}

/**
 * security_sem_semop - check a batch of semaphore operations
 * @sma: the array
 * @sops: the operations
 * @nsops: number of entries in @sops
 * @alter: non-zero if any operation modifies the array (as computed by the caller)
 *
 * Dispatches the sem_semop hook with a default result of 0.
 */
int security_sem_semop(struct sem_array *sma, struct sembuf *sops,
			unsigned nsops, int alter)
{
	int rc;

	rc = call_int_hook(sem_semop, 0, sma, sops, nsops, alter);
	return rc;
}

/**
 * security_d_instantiate - notify LSMs that @dentry now refers to @inode
 * @dentry: the dentry being instantiated
 * @inode: the inode it now points at; may be NULL
 *
 * Inodes flagged IS_PRIVATE (kernel-internal, never exposed to userspace)
 * are deliberately skipped so LSMs never try to label them.  The NULL test
 * guards the IS_PRIVATE dereference; a NULL inode still reaches the hooks.
 */
void security_d_instantiate(struct dentry *dentry, struct inode *inode)
{
	bool is_private = inode && IS_PRIVATE(inode);

	if (unlikely(is_private))
		return;
	call_void_hook(d_instantiate, dentry, inode);
}
EXPORT_SYMBOL(security_d_instantiate);

/**
 * security_getprocattr - read a /proc/<pid>/attr/<name> style attribute of @p
 * @p: the task being queried
 * @name: the attribute name
 * @value: output; the hook is expected to allocate and fill it
 *
 * Default result is -EINVAL: with no LSM claiming @name the attribute is
 * reported as unknown rather than silently "empty".
 */
int security_getprocattr(struct task_struct *p, char *name, char **value)
{
	int rc;

	rc = call_int_hook(getprocattr, -EINVAL, p, name, value);
	return rc;
}

/**
 * security_setprocattr - write a /proc/self/attr/<name> style attribute
 * @name: the attribute name
 * @value: the data written by userspace (already copied into the kernel)
 * @size: number of bytes in @value
 *
 * Default result is -EINVAL, so a write to an attribute no LSM handles is
 * rejected rather than ignored.  Note there is no task argument: the
 * operation is always on the caller.
 */
int security_setprocattr(const char *name, void *value, size_t size)
{
	int rc;

	rc = call_int_hook(setprocattr, -EINVAL, name, value, size);
	return rc;
}

/**
 * security_netlink_send - check a netlink message before it is queued
 * @sk: the sending socket
 * @skb: the message
 *
 * Dispatches the netlink_send hook with a default result of 0.
 */
int security_netlink_send(struct sock *sk, struct sk_buff *skb)
{
	int rc;

	rc = call_int_hook(netlink_send, 0, sk, skb);
	return rc;
}

/**
 * security_ismaclabel - does @name denote the active LSM's MAC label attribute?
 * @name: an xattr name
 *
 * Dispatches the ismaclabel hook with a default of 0 ("no").
 */
int security_ismaclabel(const char *name)
{
	int rc;

	rc = call_int_hook(ismaclabel, 0, name);
	return rc;
}
EXPORT_SYMBOL(security_ismaclabel);

/**
 * security_secid_to_secctx - render a security id as a textual context
 * @secid: the security id
 * @secdata: output; receives the context string (hook-allocated)
 * @seclen: output; receives the string length
 *
 * Default result is -EOPNOTSUPP, so callers can distinguish "no LSM can
 * render labels" from a real failure.  Release with security_release_secctx().
 */
int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
{
	int rc;

	rc = call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
			   seclen);
	return rc;
}
EXPORT_SYMBOL(security_secid_to_secctx);

/**
 * security_secctx_to_secid - map a textual security context to a secid
 * @secdata: the context string (need not be NUL-terminated; see @seclen)
 * @seclen: length of @secdata
 * @secid: output; cleared to 0 first so an unhandled context reads as unlabelled
 *
 * Dispatches the secctx_to_secid hook with a default result of 0.
 */
int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
{
	int rc;

	*secid = 0;	/* never leave the caller with an uninitialised secid */
	rc = call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
	return rc;
}
EXPORT_SYMBOL(security_secctx_to_secid);

/**
 * security_release_secctx - free a context string from security_secid_to_secctx()
 * @secdata: the string to release
 * @seclen: its length
 *
 * Void dispatch of the release_secctx hook to every LSM.
 */
void security_release_secctx(char *secdata, u32 seclen)
{
	call_void_hook(release_secctx, secdata, seclen);
}
EXPORT_SYMBOL(security_release_secctx);

/**
 * security_inode_invalidate_secctx - tell LSMs an inode's cached label is stale
 * @inode: the inode whose security context must be re-fetched
 *
 * Void dispatch of the inode_invalidate_secctx hook to every LSM.
 */
void security_inode_invalidate_secctx(struct inode *inode)
{
	call_void_hook(inode_invalidate_secctx, inode);
}
EXPORT_SYMBOL(security_inode_invalidate_secctx);

/**
 * security_inode_notifysecctx - push an externally supplied context onto an inode
 * @inode: the inode to label
 * @ctx: the context data
 * @ctxlen: its length
 *
 * Dispatches the inode_notifysecctx hook with a default result of 0.
 */
int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
{
	int rc;

	rc = call_int_hook(inode_notifysecctx, 0, inode, ctx, ctxlen);
	return rc;
}
EXPORT_SYMBOL(security_inode_notifysecctx);

/**
 * security_inode_setsecctx - set the security context of the inode behind @dentry
 * @dentry: the dentry whose inode is relabelled
 * @ctx: the context data
 * @ctxlen: its length
 *
 * Dispatches the inode_setsecctx hook with a default result of 0.
 */
int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
	int rc;

	rc = call_int_hook(inode_setsecctx, 0, dentry, ctx, ctxlen);
	return rc;
}
EXPORT_SYMBOL(security_inode_setsecctx);

/**
 * security_inode_getsecctx - fetch the security context of an inode
 * @inode: the inode
 * @ctx: output; receives a hook-allocated context
 * @ctxlen: output; receives its length
 *
 * Default result is -EOPNOTSUPP so "no LSM exports contexts" is
 * distinguishable from a lookup failure.
 */
int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
{
	int rc;

	rc = call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen);
	return rc;
}
EXPORT_SYMBOL(security_inode_getsecctx);

#ifdef CONFIG_SECURITY_NETWORK

/**
 * security_unix_stream_connect - check a connect() on a UNIX stream socket
 * @sock: the connecting socket
 * @other: the listening socket
 * @newsk: the new server-side socket that will be created
 *
 * Dispatches the unix_stream_connect hook with a default result of 0.
 */
int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
{
	int rc;

	rc = call_int_hook(unix_stream_connect, 0, sock, other, newsk);
	return rc;
}
EXPORT_SYMBOL(security_unix_stream_connect);

/**
 * security_unix_may_send - check a datagram send between two UNIX sockets
 * @sock: the sender
 * @other: the receiver
 *
 * Dispatches the unix_may_send hook with a default result of 0.
 */
int security_unix_may_send(struct socket *sock,  struct socket *other)
{
	int rc;

	rc = call_int_hook(unix_may_send, 0, sock, other);
	return rc;
}
EXPORT_SYMBOL(security_unix_may_send);

/**
 * security_socket_create - check creating a socket, before allocation
 * @family: address family
 * @type: socket type
 * @protocol: protocol number
 * @kern: non-zero for a kernel-internal socket
 *
 * Dispatches the socket_create hook with a default result of 0.
 */
int security_socket_create(int family, int type, int protocol, int kern)
{
	int rc;

	rc = call_int_hook(socket_create, 0, family, type, protocol, kern);
	return rc;
}

/**
 * security_socket_post_create - label a freshly created socket
 * @sock: the new socket
 * @family: address family
 * @type: socket type
 * @protocol: protocol number
 * @kern: non-zero for a kernel-internal socket
 *
 * Dispatches the socket_post_create hook with a default result of 0.
 */
int security_socket_post_create(struct socket *sock, int family,
				int type, int protocol, int kern)
{
	int rc;

	rc = call_int_hook(socket_post_create, 0, sock, family, type,
			   protocol, kern);
	return rc;
}

/**
 * security_socket_bind - check bind()
 * @sock: the socket
 * @address: the requested local address (already copied from userspace)
 * @addrlen: its length
 *
 * Dispatches the socket_bind hook with a default result of 0.
 */
int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
{
	int rc;

	rc = call_int_hook(socket_bind, 0, sock, address, addrlen);
	return rc;
}

/**
 * security_socket_connect - check connect()
 * @sock: the socket
 * @address: the requested peer address (already copied from userspace)
 * @addrlen: its length
 *
 * Dispatches the socket_connect hook with a default result of 0.
 */
int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
{
	int rc;

	rc = call_int_hook(socket_connect, 0, sock, address, addrlen);
	return rc;
}

/**
 * security_socket_listen - check listen()
 * @sock: the socket
 * @backlog: the requested backlog
 *
 * Dispatches the socket_listen hook with a default result of 0.
 */
int security_socket_listen(struct socket *sock, int backlog)
{
	int rc;

	rc = call_int_hook(socket_listen, 0, sock, backlog);
	return rc;
}

/**
 * security_socket_accept - check accept()
 * @sock: the listening socket
 * @newsock: the socket that will hold the accepted connection
 *
 * Dispatches the socket_accept hook with a default result of 0.
 */
int security_socket_accept(struct socket *sock, struct socket *newsock)
{
	int rc;

	rc = call_int_hook(socket_accept, 0, sock, newsock);
	return rc;
}

/**
 * security_socket_sendmsg - check sending a message on a socket
 * @sock: the socket
 * @msg: the message header
 * @size: payload size
 *
 * Dispatches the socket_sendmsg hook with a default result of 0.
 */
int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
{
	int rc;

	rc = call_int_hook(socket_sendmsg, 0, sock, msg, size);
	return rc;
}

/**
 * security_socket_recvmsg - check receiving a message from a socket
 * @sock: the socket
 * @msg: the message header to fill
 * @size: maximum payload size
 * @flags: recvmsg() flags, forwarded unchanged
 *
 * Dispatches the socket_recvmsg hook with a default result of 0.
 */
int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
			    int size, int flags)
{
	int rc;

	rc = call_int_hook(socket_recvmsg, 0, sock, msg, size, flags);
	return rc;
}

/**
 * security_socket_getsockname - check getsockname()
 * @sock: the socket
 *
 * Dispatches the socket_getsockname hook with a default result of 0.
 */
int security_socket_getsockname(struct socket *sock)
{
	int rc;

	rc = call_int_hook(socket_getsockname, 0, sock);
	return rc;
}

/**
 * security_socket_getpeername - check getpeername()
 * @sock: the socket
 *
 * Dispatches the socket_getpeername hook with a default result of 0.
 */
int security_socket_getpeername(struct socket *sock)
{
	int rc;

	rc = call_int_hook(socket_getpeername, 0, sock);
	return rc;
}

/**
 * security_socket_getsockopt - check getsockopt()
 * @sock: the socket
 * @level: option level
 * @optname: option name
 *
 * Dispatches the socket_getsockopt hook with a default result of 0.
 */
int security_socket_getsockopt(struct socket *sock, int level, int optname)
{
	int rc;

	rc = call_int_hook(socket_getsockopt, 0, sock, level, optname);
	return rc;
}

/**
 * security_socket_setsockopt - check setsockopt()
 * @sock: the socket
 * @level: option level
 * @optname: option name
 *
 * Dispatches the socket_setsockopt hook with a default result of 0.  The
 * option value itself is not passed to LSMs.
 */
int security_socket_setsockopt(struct socket *sock, int level, int optname)
{
	int rc;

	rc = call_int_hook(socket_setsockopt, 0, sock, level, optname);
	return rc;
}

/**
 * security_socket_shutdown - check shutdown()
 * @sock: the socket
 * @how: which direction(s) to shut down
 *
 * Dispatches the socket_shutdown hook with a default result of 0.
 */
int security_socket_shutdown(struct socket *sock, int how)
{
	int rc;

	rc = call_int_hook(socket_shutdown, 0, sock, how);
	return rc;
}

/**
 * security_sock_rcv_skb - check an incoming packet before it is queued to @sk
 * @sk: the receiving socket
 * @skb: the packet
 *
 * Dispatches the socket_sock_rcv_skb hook with a default result of 0.
 * Runs in the receive path, so LSM hooks behind it must be cheap.
 */
int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
{
	int rc;

	rc = call_int_hook(socket_sock_rcv_skb, 0, sk, skb);
	return rc;
}
EXPORT_SYMBOL(security_sock_rcv_skb);

/**
 * security_socket_getpeersec_stream - SO_PEERSEC for a stream socket
 * @sock: the socket
 * @optval: userspace buffer for the peer context
 * @optlen: userspace buffer for the returned length
 * @len: size of @optval
 *
 * Default result is -ENOPROTOOPT, so the option reads as unsupported when
 * no LSM implements it.  The userspace pointers are only ever touched by
 * the hook.
 */
int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
				      int __user *optlen, unsigned len)
{
	int rc;

	rc = call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock,
			   optval, optlen, len);
	return rc;
}

/**
 * security_socket_getpeersec_dgram - peer secid of a datagram
 * @sock: the receiving socket (may be NULL for some callers; the hook decides)
 * @skb: the datagram
 * @secid: output secid
 *
 * Default result is -ENOPROTOOPT when no LSM implements the hook.
 */
int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
{
	int rc;

	rc = call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
			   skb, secid);
	return rc;
}
EXPORT_SYMBOL(security_socket_getpeersec_dgram);

/**
 * security_sk_alloc - allocate LSM state for a struct sock
 * @sk: the sock
 * @family: address family
 * @priority: GFP flags for the allocation
 *
 * Dispatches sk_alloc_security with a default result of 0.
 */
int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
{
	int rc;

	rc = call_int_hook(sk_alloc_security, 0, sk, family, priority);
	return rc;
}

/**
 * security_sk_free - release LSM state of a struct sock
 * @sk: the sock being destroyed
 *
 * Counterpart of security_sk_alloc(); void dispatch to every LSM.
 */
void security_sk_free(struct sock *sk)
{
	call_void_hook(sk_free_security, sk);
}

/**
 * security_sk_clone - copy LSM state from @sk to a clone
 * @sk: the original sock
 * @newsk: the clone that should inherit its label
 *
 * Void dispatch of sk_clone_security to every LSM.
 */
void security_sk_clone(const struct sock *sk, struct sock *newsk)
{
	call_void_hook(sk_clone_security, sk, newsk);
}
EXPORT_SYMBOL(security_sk_clone);

/**
 * security_sk_classify_flow - stamp a flow with the secid of its sock
 * @sk: the sock originating the flow
 * @fl: the flow; only fl->flowi_secid is written, via the sk_getsecid hook
 */
void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
{
	u32 *secid_out = &fl->flowi_secid;

	call_void_hook(sk_getsecid, sk, secid_out);
}
EXPORT_SYMBOL(security_sk_classify_flow);

/**
 * security_req_classify_flow - stamp a flow from a connection request
 * @req: the request_sock
 * @fl: the flow to classify
 *
 * Void dispatch of the req_classify_flow hook to every LSM.
 */
void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
{
	call_void_hook(req_classify_flow, req, fl);
}
EXPORT_SYMBOL(security_req_classify_flow);

/**
 * security_sock_graft - notify LSMs that @sk is being attached to @parent
 * @sk: the sock
 * @parent: the socket it is grafted onto
 *
 * Void dispatch of the sock_graft hook to every LSM.
 */
void security_sock_graft(struct sock *sk, struct socket *parent)
{
	call_void_hook(sock_graft, sk, parent);
}
EXPORT_SYMBOL(security_sock_graft);

/**
 * security_inet_conn_request - check / label an incoming connection request
 * @sk: the listening sock
 * @skb: the packet carrying the request
 * @req: the request_sock being set up
 *
 * Dispatches the inet_conn_request hook with a default result of 0.
 */
int security_inet_conn_request(struct sock *sk,
			struct sk_buff *skb, struct request_sock *req)
{
	int rc;

	rc = call_int_hook(inet_conn_request, 0, sk, skb, req);
	return rc;
}
EXPORT_SYMBOL(security_inet_conn_request);

/**
 * security_inet_csk_clone - label a child sock created from @req
 * @newsk: the new sock
 * @req: the request it was created from
 *
 * Void dispatch of the inet_csk_clone hook to every LSM.
 */
void security_inet_csk_clone(struct sock *newsk,
			const struct request_sock *req)
{
	call_void_hook(inet_csk_clone, newsk, req);
}

/**
 * security_inet_conn_established - notify LSMs that a connection completed
 * @sk: the sock
 * @skb: the packet that established it
 *
 * Void dispatch of the inet_conn_established hook to every LSM.
 */
void security_inet_conn_established(struct sock *sk,
			struct sk_buff *skb)
{
	call_void_hook(inet_conn_established, sk, skb);
}

/**
 * security_secmark_relabel_packet - check setting a packet's secmark to @secid
 * @secid: the target secid
 *
 * Dispatches the secmark_relabel_packet hook with a default result of 0.
 */
int security_secmark_relabel_packet(u32 secid)
{
	int rc;

	rc = call_int_hook(secmark_relabel_packet, 0, secid);
	return rc;
}
EXPORT_SYMBOL(security_secmark_relabel_packet);

/**
 * security_secmark_refcount_inc - note that another secmark user exists
 *
 * Void dispatch of secmark_refcount_inc to every LSM; pair with
 * security_secmark_refcount_dec().
 */
void security_secmark_refcount_inc(void)
{
	call_void_hook(secmark_refcount_inc);
}
EXPORT_SYMBOL(security_secmark_refcount_inc);

/**
 * security_secmark_refcount_dec - drop a secmark user reference
 *
 * Void dispatch of secmark_refcount_dec to every LSM; counterpart of
 * security_secmark_refcount_inc().
 */
void security_secmark_refcount_dec(void)
{
	call_void_hook(secmark_refcount_dec);
}
EXPORT_SYMBOL(security_secmark_refcount_dec);

/**
 * security_tun_dev_alloc_security - allocate LSM state for a TUN device
 * @security: output; receives the hook-allocated blob
 *
 * Dispatches tun_dev_alloc_security with a default result of 0.
 */
int security_tun_dev_alloc_security(void **security)
{
	int rc;

	rc = call_int_hook(tun_dev_alloc_security, 0, security);
	return rc;
}
EXPORT_SYMBOL(security_tun_dev_alloc_security);

/**
 * security_tun_dev_free_security - release a TUN device's LSM state
 * @security: the blob from security_tun_dev_alloc_security()
 *
 * Void dispatch of tun_dev_free_security to every LSM.
 */
void security_tun_dev_free_security(void *security)
{
	call_void_hook(tun_dev_free_security, security);
}
EXPORT_SYMBOL(security_tun_dev_free_security);

/**
 * security_tun_dev_create - check creating a TUN device
 *
 * Dispatches the tun_dev_create hook with a default result of 0.  There is
 * no device yet, so the check can only be on the caller.
 */
int security_tun_dev_create(void)
{
	int rc;

	rc = call_int_hook(tun_dev_create, 0);
	return rc;
}
EXPORT_SYMBOL(security_tun_dev_create);

/**
 * security_tun_dev_attach_queue - check attaching a queue to a TUN device
 * @security: the device's LSM blob
 *
 * Dispatches the tun_dev_attach_queue hook with a default result of 0.
 */
int security_tun_dev_attach_queue(void *security)
{
	int rc;

	rc = call_int_hook(tun_dev_attach_queue, 0, security);
	return rc;
}
EXPORT_SYMBOL(security_tun_dev_attach_queue);

/**
 * security_tun_dev_attach - check attaching a sock to a TUN device
 * @sk: the sock
 * @security: the device's LSM blob
 *
 * Dispatches the tun_dev_attach hook with a default result of 0.
 */
int security_tun_dev_attach(struct sock *sk, void *security)
{
	int rc;

	rc = call_int_hook(tun_dev_attach, 0, sk, security);
	return rc;
}
EXPORT_SYMBOL(security_tun_dev_attach);

/**
 * security_tun_dev_open - check opening an existing TUN device
 * @security: the device's LSM blob
 *
 * Dispatches the tun_dev_open hook with a default result of 0.
 */
int security_tun_dev_open(void *security)
{
	int rc;

	rc = call_int_hook(tun_dev_open, 0, security);
	return rc;
}
EXPORT_SYMBOL(security_tun_dev_open);

#endif	/* CONFIG_SECURITY_NETWORK */

#ifdef CONFIG_SECURITY_NETWORK_XFRM

/**
 * security_xfrm_policy_alloc - build the security context of an xfrm policy
 * @ctxp: output; receives the hook-allocated context
 * @sec_ctx: the user-supplied context to derive it from
 * @gfp: allocation flags
 *
 * Dispatches xfrm_policy_alloc_security with a default result of 0.
 */
int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
			       struct xfrm_user_sec_ctx *sec_ctx,
			       gfp_t gfp)
{
	int rc;

	rc = call_int_hook(xfrm_policy_alloc_security, 0, ctxp, sec_ctx, gfp);
	return rc;
}
EXPORT_SYMBOL(security_xfrm_policy_alloc);

/**
 * security_xfrm_policy_clone - duplicate an xfrm policy security context
 * @old_ctx: the context to copy
 * @new_ctxp: output; receives the copy
 *
 * Dispatches xfrm_policy_clone_security with a default result of 0.
 */
int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
			      struct xfrm_sec_ctx **new_ctxp)
{
	int rc;

	rc = call_int_hook(xfrm_policy_clone_security, 0, old_ctx, new_ctxp);
	return rc;
}

/**
 * security_xfrm_policy_free - release an xfrm policy security context
 * @ctx: the context to free
 *
 * Void dispatch of xfrm_policy_free_security to every LSM.
 */
void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
{
	call_void_hook(xfrm_policy_free_security, ctx);
}
EXPORT_SYMBOL(security_xfrm_policy_free);

/**
 * security_xfrm_policy_delete - check deleting an xfrm policy
 * @ctx: the policy's security context
 *
 * Dispatches xfrm_policy_delete_security with a default result of 0.
 */
int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
{
	int rc;

	rc = call_int_hook(xfrm_policy_delete_security, 0, ctx);
	return rc;
}

/**
 * security_xfrm_state_alloc - build the security context of an xfrm state
 * @x: the state
 * @sec_ctx: the user-supplied context to derive it from
 *
 * Dispatches the xfrm_state_alloc hook with a default result of 0.
 */
int security_xfrm_state_alloc(struct xfrm_state *x,
			      struct xfrm_user_sec_ctx *sec_ctx)
{
	int rc;

	rc = call_int_hook(xfrm_state_alloc, 0, x, sec_ctx);
	return rc;
}
EXPORT_SYMBOL(security_xfrm_state_alloc);

/**
 * security_xfrm_state_alloc_acquire - label a state created from a policy acquire
 * @x: the state
 * @polsec: security context of the policy that triggered the acquire
 * @secid: secid of the flow
 *
 * Dispatches the xfrm_state_alloc_acquire hook with a default result of 0.
 */
int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
				      struct xfrm_sec_ctx *polsec, u32 secid)
{
	int rc;

	rc = call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid);
	return rc;
}

/**
 * security_xfrm_state_delete - check deleting an xfrm state
 * @x: the state
 *
 * Dispatches xfrm_state_delete_security with a default result of 0.
 */
int security_xfrm_state_delete(struct xfrm_state *x)
{
	int rc;

	rc = call_int_hook(xfrm_state_delete_security, 0, x);
	return rc;
}
EXPORT_SYMBOL(security_xfrm_state_delete);

/**
 * security_xfrm_state_free - release an xfrm state's security context
 * @x: the state being destroyed
 *
 * Void dispatch of xfrm_state_free_security to every LSM.
 */
void security_xfrm_state_free(struct xfrm_state *x)
{
	call_void_hook(xfrm_state_free_security, x);
}

/**
 * security_xfrm_policy_lookup - may a flow with @fl_secid use this policy?
 * @ctx: the policy's security context
 * @fl_secid: secid of the flow
 * @dir: policy direction
 *
 * Dispatches the xfrm_policy_lookup hook with a default result of 0.
 */
int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
{
	int rc;

	rc = call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir);
	return rc;
}

/**
 * security_xfrm_state_pol_flow_match - do a state, a policy and a flow agree?
 * @x: the xfrm state
 * @xp: the xfrm policy
 * @fl: the flow
 *
 * Returns 1 (match) or 0 (no match).  Because the answer is a boolean rather
 * than an error code, the usual "first non-zero wins" aggregation of
 * call_int_hook() does not apply; only the FIRST registered LSM providing
 * this hook is consulted (today only SELinux does), and 1 is returned when
 * none does - i.e. absence of an LSM never blocks a match.
 */
int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
				       struct xfrm_policy *xp,
				       const struct flowi *fl)
{
	struct security_hook_list *first;

	first = list_first_entry_or_null(
			&security_hook_heads.xfrm_state_pol_flow_match,
			struct security_hook_list, list);
	if (!first)
		return 1;
	return first->hook.xfrm_state_pol_flow_match(x, xp, fl);
}

/**
 * security_xfrm_decode_session - derive the secid of the session @skb belongs to
 * @skb: the packet
 * @secid: output secid
 *
 * Dispatches xfrm_decode_session with a default result of 0 and ckall=1,
 * asking the hook to check every transform in the bundle.
 */
int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
{
	int rc;

	rc = call_int_hook(xfrm_decode_session, 0, skb, secid, 1);
	return rc;
}

/**
 * security_skb_classify_flow - stamp a flow with the secid decoded from @skb
 * @skb: the packet
 * @fl: the flow; only fl->flowi_secid is written
 *
 * Calls xfrm_decode_session with ckall=0 (the caller only needs a label, not
 * a full consistency check).  A non-zero result is treated as a kernel bug
 * and trips BUG_ON(): a flow that cannot be labelled is never allowed to
 * continue with a guessed secid.
 */
void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
{
	int err;

	err = call_int_hook(xfrm_decode_session, 0, skb, &fl->flowi_secid, 0);
	BUG_ON(err);
}
EXPORT_SYMBOL(security_skb_classify_flow);

#endif	/* CONFIG_SECURITY_NETWORK_XFRM */

#ifdef CONFIG_KEYS

/**
 * security_key_alloc - allocate LSM state for a new key
 * @key: the key being created
 * @cred: credentials of the creator
 * @flags: key allocation flags, forwarded unchanged
 *
 * Dispatches the key_alloc hook with a default result of 0.
 */
int security_key_alloc(struct key *key, const struct cred *cred,
		       unsigned long flags)
{
	int rc;

	rc = call_int_hook(key_alloc, 0, key, cred, flags);
	return rc;
}

/**
 * security_key_free - release a key's LSM state
 * @key: the key being destroyed
 *
 * Counterpart of security_key_alloc(); void dispatch to every LSM.
 */
void security_key_free(struct key *key)
{
	call_void_hook(key_free, key);
}

/**
 * security_key_permission - check an operation on a key
 * @key_ref: reference to the key (may carry the "possessed" bit)
 * @cred: credentials of the requester
 * @perm: the requested permission bits
 *
 * Dispatches the key_permission hook with a default result of 0.
 */
int security_key_permission(key_ref_t key_ref,
			    const struct cred *cred, unsigned perm)
{
	int rc;

	rc = call_int_hook(key_permission, 0, key_ref, cred, perm);
	return rc;
}

/**
 * security_key_getsecurity - fetch a key's security label as a string
 * @key: the key
 * @_buffer: output; set to NULL first so the caller sees "no label" rather
 *           than garbage when no LSM fills it in
 *
 * Dispatches the key_getsecurity hook with a default result of 0.
 */
int security_key_getsecurity(struct key *key, char **_buffer)
{
	int rc;

	*_buffer = NULL;
	rc = call_int_hook(key_getsecurity, 0, key, _buffer);
	return rc;
}

#endif	/* CONFIG_KEYS */

#ifdef CONFIG_AUDIT

/**
 * security_audit_rule_init - compile an LSM-specific audit rule field
 * @field: the audit field being matched
 * @op: the comparison operator
 * @rulestr: the textual value from the rule
 * @lsmrule: output; receives the hook's compiled form
 *
 * Dispatches the audit_rule_init hook with a default result of 0.
 */
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
	int rc;

	rc = call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
	return rc;
}

/**
 * security_audit_rule_known - does this rule contain LSM fields?
 * @krule: the audit rule
 *
 * Dispatches the audit_rule_known hook with a default of 0 ("no").
 */
int security_audit_rule_known(struct audit_krule *krule)
{
	int rc;

	rc = call_int_hook(audit_rule_known, 0, krule);
	return rc;
}

/**
 * security_audit_rule_free - release a compiled rule from security_audit_rule_init()
 * @lsmrule: the compiled rule
 *
 * Void dispatch of the audit_rule_free hook to every LSM.
 */
void security_audit_rule_free(void *lsmrule)
{
	call_void_hook(audit_rule_free, lsmrule);
}

/**
 * security_audit_rule_match - test a secid against a compiled LSM audit rule
 * @secid: the secid of the subject or object being audited
 * @field: the audit field
 * @op: the comparison operator
 * @lsmrule: the compiled rule from security_audit_rule_init()
 * @actx: the audit context, forwarded unchanged
 *
 * Dispatches the audit_rule_match hook with a default result of 0.
 */
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
			      struct audit_context *actx)
{
	int rc;

	rc = call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule,
			   actx);
	return rc;
}
#endif /* CONFIG_AUDIT */

struct security_hook_heads security_hook_heads __lsm_ro_after_init = {
	.binder_set_context_mgr =
		LIST_HEAD_INIT(security_hook_heads.binder_set_context_mgr),
	.binder_transaction =
		LIST_HEAD_INIT(security_hook_heads.binder_transaction),
	.binder_transfer_binder =
		LIST_HEAD_INIT(security_hook_heads.binder_transfer_binder),
	.binder_transfer_file =
		LIST_HEAD_INIT(security_hook_heads.binder_transfer_file),

	.ptrace_access_check =
		LIST_HEAD_INIT(security_hook_heads.ptrace_access_check),
	.ptrace_traceme =
		LIST_HEAD_INIT(security_hook_heads.ptrace_traceme),
	.capget =	LIST_HEAD_INIT(security_hook_heads.capget),
	.capset =	LIST_HEAD_INIT(security_hook_heads.capset),
	.capable =	LIST_HEAD_INIT(security_hook_heads.capable),
	.quotactl =	LIST_HEAD_INIT(security_hook_heads.quotactl),
	.quota_on =	LIST_HEAD_INIT(security_hook_heads.quota_on),
	.syslog =	LIST_HEAD_INIT(security_hook_heads.syslog),
	.settime =	LIST_HEAD_INIT(security_hook_heads.settime),
	.vm_enough_memory =
		LIST_HEAD_INIT(security_hook_heads.vm_enough_memory),
	.bprm_set_creds =
		LIST_HEAD_INIT(security_hook_heads.bprm_set_creds),
	.bprm_check_security =
		LIST_HEAD_INIT(security_hook_heads.bprm_check_security),
	.bprm_secureexec =
		LIST_HEAD_INIT(security_hook_heads.bprm_secureexec),
	.bprm_committing_creds =
		LIST_HEAD_INIT(security_hook_heads.bprm_committing_creds),
	.bprm_committed_creds =
		LIST_HEAD_INIT(security_hook_heads.bprm_committed_creds),
	.sb_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.sb_alloc_security),
	.sb_free_security =
		LIST_HEAD_INIT(security_hook_heads.sb_free_security),
	.sb_copy_data =	LIST_HEAD_INIT(security_hook_heads.sb_copy_data),
	.sb_remount =	LIST_HEAD_INIT(security_hook_heads.sb_remount),
	.sb_kern_mount =
		LIST_HEAD_INIT(security_hook_heads.sb_kern_mount),
	.sb_show_options =
		LIST_HEAD_INIT(security_hook_heads.sb_show_options),
	.sb_statfs =	LIST_HEAD_INIT(security_hook_heads.sb_statfs),
	.sb_mount =	LIST_HEAD_INIT(security_hook_heads.sb_mount),
	.sb_umount =	LIST_HEAD_INIT(security_hook_heads.sb_umount),
	.sb_pivotroot =	LIST_HEAD_INIT(security_hook_heads.sb_pivotroot),
	.sb_set_mnt_opts =
		LIST_HEAD_INIT(security_hook_heads.sb_set_mnt_opts),
	.sb_clone_mnt_opts =
		LIST_HEAD_INIT(security_hook_heads.sb_clone_mnt_opts),
	.sb_parse_opts_str =
		LIST_HEAD_INIT(security_hook_heads.sb_parse_opts_str),
	.dentry_init_security =
		LIST_HEAD_INIT(security_hook_heads.dentry_init_security),
	.dentry_create_files_as =
		LIST_HEAD_INIT(security_hook_heads.dentry_create_files_as),
#ifdef CONFIG_SECURITY_PATH
	.path_unlink =	LIST_HEAD_INIT(security_hook_heads.path_unlink),
	.path_mkdir =	LIST_HEAD_INIT(security_hook_heads.path_mkdir),
	.path_rmdir =	LIST_HEAD_INIT(security_hook_heads.path_rmdir),
	.path_mknod =	LIST_HEAD_INIT(security_hook_heads.path_mknod),
	.path_truncate =
		LIST_HEAD_INIT(security_hook_heads.path_truncate),
	.path_symlink =	LIST_HEAD_INIT(security_hook_heads.path_symlink),
	.path_link =	LIST_HEAD_INIT(security_hook_heads.path_link),
	.path_rename =	LIST_HEAD_INIT(security_hook_heads.path_rename),
	.path_chmod =	LIST_HEAD_INIT(security_hook_heads.path_chmod),
	.path_chown =	LIST_HEAD_INIT(security_hook_heads.path_chown),
	.path_chroot =	LIST_HEAD_INIT(security_hook_heads.path_chroot),
#endif
	.inode_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.inode_alloc_security),
	.inode_free_security =
		LIST_HEAD_INIT(security_hook_heads.inode_free_security),
	.inode_init_security =
		LIST_HEAD_INIT(security_hook_heads.inode_init_security),
	.inode_create =	LIST_HEAD_INIT(security_hook_heads.inode_create),
	.inode_link =	LIST_HEAD_INIT(security_hook_heads.inode_link),
	.inode_unlink =	LIST_HEAD_INIT(security_hook_heads.inode_unlink),
	.inode_symlink =
		LIST_HEAD_INIT(security_hook_heads.inode_symlink),
	.inode_mkdir =	LIST_HEAD_INIT(security_hook_heads.inode_mkdir),
	.inode_rmdir =	LIST_HEAD_INIT(security_hook_heads.inode_rmdir),
	.inode_mknod =	LIST_HEAD_INIT(security_hook_heads.inode_mknod),
	.inode_rename =	LIST_HEAD_INIT(security_hook_heads.inode_rename),
	.inode_readlink =
		LIST_HEAD_INIT(security_hook_heads.inode_readlink),
	.inode_follow_link =
		LIST_HEAD_INIT(security_hook_heads.inode_follow_link),
	.inode_permission =
		LIST_HEAD_INIT(security_hook_heads.inode_permission),
	.inode_setattr =
		LIST_HEAD_INIT(security_hook_heads.inode_setattr),
	.inode_getattr =
		LIST_HEAD_INIT(security_hook_heads.inode_getattr),
	.inode_setxattr =
		LIST_HEAD_INIT(security_hook_heads.inode_setxattr),
	.inode_post_setxattr =
		LIST_HEAD_INIT(security_hook_heads.inode_post_setxattr),
	.inode_getxattr =
		LIST_HEAD_INIT(security_hook_heads.inode_getxattr),
	.inode_listxattr =
		LIST_HEAD_INIT(security_hook_heads.inode_listxattr),
	.inode_removexattr =
		LIST_HEAD_INIT(security_hook_heads.inode_removexattr),
	.inode_need_killpriv =
		LIST_HEAD_INIT(security_hook_heads.inode_need_killpriv),
	.inode_killpriv =
		LIST_HEAD_INIT(security_hook_heads.inode_killpriv),
	.inode_getsecurity =
		LIST_HEAD_INIT(security_hook_heads.inode_getsecurity),
	.inode_setsecurity =
		LIST_HEAD_INIT(security_hook_heads.inode_setsecurity),
	.inode_listsecurity =
		LIST_HEAD_INIT(security_hook_heads.inode_listsecurity),
	.inode_getsecid =
		LIST_HEAD_INIT(security_hook_heads.inode_getsecid),
	.inode_copy_up =
		LIST_HEAD_INIT(security_hook_heads.inode_copy_up),
	.inode_copy_up_xattr =
		LIST_HEAD_INIT(security_hook_heads.inode_copy_up_xattr),
	.file_permission =
		LIST_HEAD_INIT(security_hook_heads.file_permission),
	.file_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.file_alloc_security),
	.file_free_security =
		LIST_HEAD_INIT(security_hook_heads.file_free_security),
	.file_ioctl =	LIST_HEAD_INIT(security_hook_heads.file_ioctl),
	.mmap_addr =	LIST_HEAD_INIT(security_hook_heads.mmap_addr),
	.mmap_file =	LIST_HEAD_INIT(security_hook_heads.mmap_file),
	.file_mprotect =
		LIST_HEAD_INIT(security_hook_heads.file_mprotect),
	.file_lock =	LIST_HEAD_INIT(security_hook_heads.file_lock),
	.file_fcntl =	LIST_HEAD_INIT(security_hook_heads.file_fcntl),
	.file_set_fowner =
		LIST_HEAD_INIT(security_hook_heads.file_set_fowner),
	.file_send_sigiotask =
		LIST_HEAD_INIT(security_hook_heads.file_send_sigiotask),
	.file_receive =	LIST_HEAD_INIT(security_hook_heads.file_receive),
	.file_open =	LIST_HEAD_INIT(security_hook_heads.file_open),
	.task_create =	LIST_HEAD_INIT(security_hook_heads.task_create),
	.task_free =	LIST_HEAD_INIT(security_hook_heads.task_free),
	.cred_alloc_blank =
		LIST_HEAD_INIT(security_hook_heads.cred_alloc_blank),
	.cred_free =	LIST_HEAD_INIT(security_hook_heads.cred_free),
	.cred_prepare =	LIST_HEAD_INIT(security_hook_heads.cred_prepare),
	.cred_transfer =
		LIST_HEAD_INIT(security_hook_heads.cred_transfer),
	.kernel_act_as =
		LIST_HEAD_INIT(security_hook_heads.kernel_act_as),
	.kernel_create_files_as =
		LIST_HEAD_INIT(security_hook_heads.kernel_create_files_as),
	.kernel_module_request =
		LIST_HEAD_INIT(security_hook_heads.kernel_module_request),
	.kernel_read_file =
		LIST_HEAD_INIT(security_hook_heads.kernel_read_file),
	.kernel_post_read_file =
		LIST_HEAD_INIT(security_hook_heads.kernel_post_read_file),
	.task_fix_setuid =
		LIST_HEAD_INIT(security_hook_heads.task_fix_setuid),
	.task_setpgid =	LIST_HEAD_INIT(security_hook_heads.task_setpgid),
	.task_getpgid =	LIST_HEAD_INIT(security_hook_heads.task_getpgid),
	.task_getsid =	LIST_HEAD_INIT(security_hook_heads.task_getsid),
	.task_getsecid =
		LIST_HEAD_INIT(security_hook_heads.task_getsecid),
	.task_setnice =	LIST_HEAD_INIT(security_hook_heads.task_setnice),
	.task_setioprio =
		LIST_HEAD_INIT(security_hook_heads.task_setioprio),
	.task_getioprio =
		LIST_HEAD_INIT(security_hook_heads.task_getioprio),
	.task_prlimit =
		LIST_HEAD_INIT(security_hook_heads.task_prlimit),
	.task_setrlimit =
		LIST_HEAD_INIT(security_hook_heads.task_setrlimit),
	.task_setscheduler =
		LIST_HEAD_INIT(security_hook_heads.task_setscheduler),
	.task_getscheduler =
		LIST_HEAD_INIT(security_hook_heads.task_getscheduler),
	.task_movememory =
		LIST_HEAD_INIT(security_hook_heads.task_movememory),
	.task_kill =	LIST_HEAD_INIT(security_hook_heads.task_kill),
	.task_prctl =	LIST_HEAD_INIT(security_hook_heads.task_prctl),
	.task_to_inode =
		LIST_HEAD_INIT(security_hook_heads.task_to_inode),
	.ipc_permission =
		LIST_HEAD_INIT(security_hook_heads.ipc_permission),
	.ipc_getsecid =	LIST_HEAD_INIT(security_hook_heads.ipc_getsecid),
	.msg_msg_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.msg_msg_alloc_security),
	.msg_msg_free_security =
		LIST_HEAD_INIT(security_hook_heads.msg_msg_free_security),
	.msg_queue_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.msg_queue_alloc_security),
	.msg_queue_free_security =
		LIST_HEAD_INIT(security_hook_heads.msg_queue_free_security),
	.msg_queue_associate =
		LIST_HEAD_INIT(security_hook_heads.msg_queue_associate),
	.msg_queue_msgctl =
		LIST_HEAD_INIT(security_hook_heads.msg_queue_msgctl),
	.msg_queue_msgsnd =
		LIST_HEAD_INIT(security_hook_heads.msg_queue_msgsnd),
	.msg_queue_msgrcv =
		LIST_HEAD_INIT(security_hook_heads.msg_queue_msgrcv),
	.shm_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.shm_alloc_security),
	.shm_free_security =
		LIST_HEAD_INIT(security_hook_heads.shm_free_security),
	.shm_associate =
		LIST_HEAD_INIT(security_hook_heads.shm_associate),
	.shm_shmctl =	LIST_HEAD_INIT(security_hook_heads.shm_shmctl),
	.shm_shmat =	LIST_HEAD_INIT(security_hook_heads.shm_shmat),
	.sem_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.sem_alloc_security),
	.sem_free_security =
		LIST_HEAD_INIT(security_hook_heads.sem_free_security),
	.sem_associate =
		LIST_HEAD_INIT(security_hook_heads.sem_associate),
	.sem_semctl =	LIST_HEAD_INIT(security_hook_heads.sem_semctl),
	.sem_semop =	LIST_HEAD_INIT(security_hook_heads.sem_semop),
	.netlink_send =	LIST_HEAD_INIT(security_hook_heads.netlink_send),
	.d_instantiate =
		LIST_HEAD_INIT(security_hook_heads.d_instantiate),
	.getprocattr =	LIST_HEAD_INIT(security_hook_heads.getprocattr),
	.setprocattr =	LIST_HEAD_INIT(security_hook_heads.setprocattr),
	.ismaclabel =	LIST_HEAD_INIT(security_hook_heads.ismaclabel),
	.secid_to_secctx =
		LIST_HEAD_INIT(security_hook_heads.secid_to_secctx),
	.secctx_to_secid =
		LIST_HEAD_INIT(security_hook_heads.secctx_to_secid),
	.release_secctx =
		LIST_HEAD_INIT(security_hook_heads.release_secctx),
	.inode_invalidate_secctx =
		LIST_HEAD_INIT(security_hook_heads.inode_invalidate_secctx),
	.inode_notifysecctx =
		LIST_HEAD_INIT(security_hook_heads.inode_notifysecctx),
	.inode_setsecctx =
		LIST_HEAD_INIT(security_hook_heads.inode_setsecctx),
	.inode_getsecctx =
		LIST_HEAD_INIT(security_hook_heads.inode_getsecctx),
#ifdef CONFIG_SECURITY_NETWORK
	.unix_stream_connect =
		LIST_HEAD_INIT(security_hook_heads.unix_stream_connect),
	.unix_may_send =
		LIST_HEAD_INIT(security_hook_heads.unix_may_send),
	.socket_create =
		LIST_HEAD_INIT(security_hook_heads.socket_create),
	.socket_post_create =
		LIST_HEAD_INIT(security_hook_heads.socket_post_create),
	.socket_bind =	LIST_HEAD_INIT(security_hook_heads.socket_bind),
	.socket_connect =
		LIST_HEAD_INIT(security_hook_heads.socket_connect),
	.socket_listen =
		LIST_HEAD_INIT(security_hook_heads.socket_listen),
	.socket_accept =
		LIST_HEAD_INIT(security_hook_heads.socket_accept),
	.socket_sendmsg =
		LIST_HEAD_INIT(security_hook_heads.socket_sendmsg),
	.socket_recvmsg =
		LIST_HEAD_INIT(security_hook_heads.socket_recvmsg),
	.socket_getsockname =
		LIST_HEAD_INIT(security_hook_heads.socket_getsockname),
	.socket_getpeername =
		LIST_HEAD_INIT(security_hook_heads.socket_getpeername),
	.socket_getsockopt =
		LIST_HEAD_INIT(security_hook_heads.socket_getsockopt),
	.socket_setsockopt =
		LIST_HEAD_INIT(security_hook_heads.socket_setsockopt),
	.socket_shutdown =
		LIST_HEAD_INIT(security_hook_heads.socket_shutdown),
	.socket_sock_rcv_skb =
		LIST_HEAD_INIT(security_hook_heads.socket_sock_rcv_skb),
	.socket_getpeersec_stream =
		LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_stream),
	.socket_getpeersec_dgram =
		LIST_HEAD_INIT(security_hook_heads.socket_getpeersec_dgram),
	.sk_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.sk_alloc_security),
	.sk_free_security =
		LIST_HEAD_INIT(security_hook_heads.sk_free_security),
	.sk_clone_security =
		LIST_HEAD_INIT(security_hook_heads.sk_clone_security),
	.sk_getsecid =	LIST_HEAD_INIT(security_hook_heads.sk_getsecid),
	.sock_graft =	LIST_HEAD_INIT(security_hook_heads.sock_graft),
	.inet_conn_request =
		LIST_HEAD_INIT(security_hook_heads.inet_conn_request),
	.inet_csk_clone =
		LIST_HEAD_INIT(security_hook_heads.inet_csk_clone),
	.inet_conn_established =
		LIST_HEAD_INIT(security_hook_heads.inet_conn_established),
	.secmark_relabel_packet =
		LIST_HEAD_INIT(security_hook_heads.secmark_relabel_packet),
	.secmark_refcount_inc =
		LIST_HEAD_INIT(security_hook_heads.secmark_refcount_inc),
	.secmark_refcount_dec =
		LIST_HEAD_INIT(security_hook_heads.secmark_refcount_dec),
	.req_classify_flow =
		LIST_HEAD_INIT(security_hook_heads.req_classify_flow),
	.tun_dev_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.tun_dev_alloc_security),
	.tun_dev_free_security =
		LIST_HEAD_INIT(security_hook_heads.tun_dev_free_security),
	.tun_dev_create =
		LIST_HEAD_INIT(security_hook_heads.tun_dev_create),
	.tun_dev_attach_queue =
		LIST_HEAD_INIT(security_hook_heads.tun_dev_attach_queue),
	.tun_dev_attach =
		LIST_HEAD_INIT(security_hook_heads.tun_dev_attach),
	.tun_dev_open =	LIST_HEAD_INIT(security_hook_heads.tun_dev_open),
#endif	/* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
	.xfrm_policy_alloc_security =
		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_alloc_security),
	.xfrm_policy_clone_security =
		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_clone_security),
	.xfrm_policy_free_security =
		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_free_security),
	.xfrm_policy_delete_security =
		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_delete_security),
	.xfrm_state_alloc =
		LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc),
	.xfrm_state_alloc_acquire =
		LIST_HEAD_INIT(security_hook_heads.xfrm_state_alloc_acquire),
	.xfrm_state_free_security =
		LIST_HEAD_INIT(security_hook_heads.xfrm_state_free_security),
	.xfrm_state_delete_security =
		LIST_HEAD_INIT(security_hook_heads.xfrm_state_delete_security),
	.xfrm_policy_lookup =
		LIST_HEAD_INIT(security_hook_heads.xfrm_policy_lookup),
	.xfrm_state_pol_flow_match =
		LIST_HEAD_INIT(security_hook_heads.xfrm_state_pol_flow_match),
	.xfrm_decode_session =
		LIST_HEAD_INIT(security_hook_heads.xfrm_decode_session),
#endif	/* CONFIG_SECURITY_NETWORK_XFRM */
#ifdef CONFIG_KEYS
	.key_alloc =	LIST_HEAD_INIT(security_hook_heads.key_alloc),
	.key_free =	LIST_HEAD_INIT(security_hook_heads.key_free),
	.key_permission =
		LIST_HEAD_INIT(security_hook_heads.key_permission),
	.key_getsecurity =
		LIST_HEAD_INIT(security_hook_heads.key_getsecurity),
#endif	/* CONFIG_KEYS */
#ifdef CONFIG_AUDIT
	.audit_rule_init =
		LIST_HEAD_INIT(security_hook_heads.audit_rule_init),
	.audit_rule_known =
		LIST_HEAD_INIT(security_hook_heads.audit_rule_known),
	.audit_rule_match =
		LIST_HEAD_INIT(security_hook_heads.audit_rule_match),
	.audit_rule_free =
		LIST_HEAD_INIT(security_hook_heads.audit_rule_free),
#endif /* CONFIG_AUDIT */
};