Lines Matching +full:sig +full:- +full:dir +full:- +full:cmd
1 // SPDX-License-Identifier: GPL-2.0-or-later
6 * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
28 #include <linux/backing-dev.h>
36 #define LSM_COUNT (__end_lsm_info - __start_lsm_info)
83 /* Boot-time LSM user choice */
102 if (!lsm->enabled) in is_enabled()
105 return *lsm->enabled; in is_enabled()
115 * a hard-coded location for storing the default enabled state. in set_enabled()
117 if (!lsm->enabled) { in set_enabled()
119 lsm->enabled = &lsm_enabled_true; in set_enabled()
121 lsm->enabled = &lsm_enabled_false; in set_enabled()
122 } else if (lsm->enabled == &lsm_enabled_true) { in set_enabled()
124 lsm->enabled = &lsm_enabled_false; in set_enabled()
125 } else if (lsm->enabled == &lsm_enabled_false) { in set_enabled()
127 lsm->enabled = &lsm_enabled_true; in set_enabled()
129 *lsm->enabled = enabled; in set_enabled()
157 if (!lsm->enabled) in append_ordered_lsm()
158 lsm->enabled = &lsm_enabled_true; in append_ordered_lsm()
161 init_debug("%s ordering: %s (%sabled)\n", from, lsm->name, in append_ordered_lsm()
173 if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) { in lsm_allowed()
174 init_debug("exclusive disabled: %s\n", lsm->name); in lsm_allowed()
197 lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred); in lsm_set_blob_sizes()
198 lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file); in lsm_set_blob_sizes()
203 if (needed->lbs_inode && blob_sizes.lbs_inode == 0) in lsm_set_blob_sizes()
205 lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); in lsm_set_blob_sizes()
206 lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); in lsm_set_blob_sizes()
207 lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); in lsm_set_blob_sizes()
208 lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); in lsm_set_blob_sizes()
219 /* If enabled, do pre-initialization work. */ in prepare_lsm()
221 if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { in prepare_lsm()
223 init_debug("exclusive chosen: %s\n", lsm->name); in prepare_lsm()
226 lsm_set_blob_sizes(lsm->blobs); in prepare_lsm()
236 init_debug("initializing %s\n", lsm->name); in initialize_lsm()
237 ret = lsm->init(); in initialize_lsm()
238 WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); in initialize_lsm()
242 /* Populate ordered LSMs list from comma-separated LSM name list. */
250 if (lsm->order == LSM_ORDER_FIRST) in ordered_lsm_parse()
262 * all non-matching Legacy Major LSMs. in ordered_lsm_parse()
266 if ((major->flags & LSM_FLAG_LEGACY_MAJOR) && in ordered_lsm_parse()
267 strcmp(major->name, chosen_major_lsm) != 0) { in ordered_lsm_parse()
270 chosen_major_lsm, major->name); in ordered_lsm_parse()
282 if (lsm->order == LSM_ORDER_MUTABLE && in ordered_lsm_parse()
283 strcmp(lsm->name, name) == 0) { in ordered_lsm_parse()
298 if (strcmp(lsm->name, chosen_major_lsm) == 0) in ordered_lsm_parse()
308 init_debug("%s disabled: %s\n", origin, lsm->name); in ordered_lsm_parse()
357 lsm_early_cred((struct cred *) current->cred); in ordered_lsm_init()
376 if (!lsm->enabled) in early_security_init()
377 lsm->enabled = &lsm_enabled_true; in early_security_init()
386 * security_init - initializes the security framework
401 if (lsm->enabled) in security_init()
402 lsm_append(lsm->name, &lsm_names); in security_init()
457 return -ENOMEM; in lsm_append()
464 return -ENOMEM; in lsm_append()
472 * security_add_hooks - Add a modules hooks to the hook lists.
495 panic("%s - Cannot get early memory.\n", __func__); in security_add_hooks()
521 * lsm_cred_alloc - allocate a composite cred blob
527 * Returns 0, or -ENOMEM if memory can't be allocated.
532 cred->security = NULL; in lsm_cred_alloc()
536 cred->security = kzalloc(blob_sizes.lbs_cred, gfp); in lsm_cred_alloc()
537 if (cred->security == NULL) in lsm_cred_alloc()
538 return -ENOMEM; in lsm_cred_alloc()
543 * lsm_early_cred - during initialization allocate a composite cred blob
557 * lsm_file_alloc - allocate a composite file blob
562 * Returns 0, or -ENOMEM if memory can't be allocated.
567 file->f_security = NULL; in lsm_file_alloc()
571 file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL); in lsm_file_alloc()
572 if (file->f_security == NULL) in lsm_file_alloc()
573 return -ENOMEM; in lsm_file_alloc()
578 * lsm_inode_alloc - allocate a composite inode blob
583 * Returns 0, or -ENOMEM if memory can't be allocated.
588 inode->i_security = NULL; in lsm_inode_alloc()
592 inode->i_security = kmem_cache_zalloc(lsm_inode_cache, GFP_NOFS); in lsm_inode_alloc()
593 if (inode->i_security == NULL) in lsm_inode_alloc()
594 return -ENOMEM; in lsm_inode_alloc()
599 * lsm_task_alloc - allocate a composite task blob
604 * Returns 0, or -ENOMEM if memory can't be allocated.
609 task->security = NULL; in lsm_task_alloc()
613 task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); in lsm_task_alloc()
614 if (task->security == NULL) in lsm_task_alloc()
615 return -ENOMEM; in lsm_task_alloc()
620 * lsm_ipc_alloc - allocate a composite ipc blob
625 * Returns 0, or -ENOMEM if memory can't be allocated.
630 kip->security = NULL; in lsm_ipc_alloc()
634 kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL); in lsm_ipc_alloc()
635 if (kip->security == NULL) in lsm_ipc_alloc()
636 return -ENOMEM; in lsm_ipc_alloc()
641 * lsm_msg_msg_alloc - allocate a composite msg_msg blob
646 * Returns 0, or -ENOMEM if memory can't be allocated.
651 mp->security = NULL; in lsm_msg_msg_alloc()
655 mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL); in lsm_msg_msg_alloc()
656 if (mp->security == NULL) in lsm_msg_msg_alloc()
657 return -ENOMEM; in lsm_msg_msg_alloc()
662 * lsm_early_task - during initialization allocate a composite task blob
709 P->hook.FUNC(__VA_ARGS__); \
718 RC = P->hook.FUNC(__VA_ARGS__); \
821 rc = hp->hook.vm_enough_memory(mm, pages); in security_vm_enough_memory_mm()
870 int rc = -ENOPARAM; in security_fs_context_parse_param()
874 trc = hp->hook.fs_context_parse_param(fc, param); in security_fs_context_parse_param()
877 else if (trc != -ENOPARAM) in security_fs_context_parse_param()
952 mnt_opts ? -EOPNOTSUPP : 0, sb, in security_sb_set_mnt_opts()
970 return call_int_hook(sb_add_mnt_opt, -EINVAL, in security_add_mnt_opt()
1016 * leave the current inode->i_security pointer intact. in security_inode_free()
1019 if (inode->i_security) in security_inode_free()
1020 call_rcu((struct rcu_head *)inode->i_security, in security_inode_free()
1028 return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode, in security_dentry_init_security()
1042 int security_inode_init_security(struct inode *inode, struct inode *dir, in security_inode_init_security() argument
1054 return call_int_hook(inode_init_security, -EOPNOTSUPP, inode, in security_inode_init_security()
1055 dir, qstr, NULL, NULL, NULL); in security_inode_init_security()
1058 ret = call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, qstr, in security_inode_init_security()
1059 &lsm_xattr->name, in security_inode_init_security()
1060 &lsm_xattr->value, in security_inode_init_security()
1061 &lsm_xattr->value_len); in security_inode_init_security()
1071 for (xattr = new_xattrs; xattr->value != NULL; xattr++) in security_inode_init_security()
1072 kfree(xattr->value); in security_inode_init_security()
1073 return (ret == -EOPNOTSUPP) ? 0 : ret; in security_inode_init_security()
1077 int security_old_inode_init_security(struct inode *inode, struct inode *dir, in security_old_inode_init_security() argument
1082 return -EOPNOTSUPP; in security_old_inode_init_security()
1083 return call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, in security_old_inode_init_security()
1089 int security_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode, in security_path_mknod() argument
1092 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_mknod()
1094 return call_int_hook(path_mknod, 0, dir, dentry, mode, dev); in security_path_mknod()
1098 int security_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t mode) in security_path_mkdir() argument
1100 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_mkdir()
1102 return call_int_hook(path_mkdir, 0, dir, dentry, mode); in security_path_mkdir()
1106 int security_path_rmdir(const struct path *dir, struct dentry *dentry) in security_path_rmdir() argument
1108 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_rmdir()
1110 return call_int_hook(path_rmdir, 0, dir, dentry); in security_path_rmdir()
1113 int security_path_unlink(const struct path *dir, struct dentry *dentry) in security_path_unlink() argument
1115 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_unlink()
1117 return call_int_hook(path_unlink, 0, dir, dentry); in security_path_unlink()
1121 int security_path_symlink(const struct path *dir, struct dentry *dentry, in security_path_symlink() argument
1124 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_symlink()
1126 return call_int_hook(path_symlink, 0, dir, dentry, old_name); in security_path_symlink()
1159 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) in security_path_truncate()
1166 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) in security_path_chmod()
1173 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) in security_path_chown()
1184 int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode) in security_inode_create() argument
1186 if (unlikely(IS_PRIVATE(dir))) in security_inode_create()
1188 return call_int_hook(inode_create, 0, dir, dentry, mode); in security_inode_create()
1192 int security_inode_link(struct dentry *old_dentry, struct inode *dir, in security_inode_link() argument
1197 return call_int_hook(inode_link, 0, old_dentry, dir, new_dentry); in security_inode_link()
1200 int security_inode_unlink(struct inode *dir, struct dentry *dentry) in security_inode_unlink() argument
1204 return call_int_hook(inode_unlink, 0, dir, dentry); in security_inode_unlink()
1207 int security_inode_symlink(struct inode *dir, struct dentry *dentry, in security_inode_symlink() argument
1210 if (unlikely(IS_PRIVATE(dir))) in security_inode_symlink()
1212 return call_int_hook(inode_symlink, 0, dir, dentry, old_name); in security_inode_symlink()
1215 int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode) in security_inode_mkdir() argument
1217 if (unlikely(IS_PRIVATE(dir))) in security_inode_mkdir()
1219 return call_int_hook(inode_mkdir, 0, dir, dentry, mode); in security_inode_mkdir()
1223 int security_inode_rmdir(struct inode *dir, struct dentry *dentry) in security_inode_rmdir() argument
1227 return call_int_hook(inode_rmdir, 0, dir, dentry); in security_inode_rmdir()
1230 int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev) in security_inode_mknod() argument
1232 if (unlikely(IS_PRIVATE(dir))) in security_inode_mknod()
1234 return call_int_hook(inode_mknod, 0, dir, dentry, mode, dev); in security_inode_mknod()
1293 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) in security_inode_getattr()
1387 rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc); in security_inode_getsecurity()
1405 rc = hp->hook.inode_setsecurity(inode, name, value, size, in security_inode_setsecurity()
1439 * xattr), -EOPNOTSUPP if it does not know anything about the xattr or in security_inode_copy_up_xattr()
1444 rc = hp->hook.inode_copy_up_xattr(name); in security_inode_copy_up_xattr()
1488 blob = file->f_security; in security_file_free()
1490 file->f_security = NULL; in security_file_free()
1495 int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) in security_file_ioctl() argument
1497 return call_int_hook(file_ioctl, 0, file, cmd, arg); in security_file_ioctl()
1502 * security_file_ioctl_compat() - Check if an ioctl is allowed in compat mode
1504 * @cmd: ioctl cmd
1507 * Compat version of security_file_ioctl() that correctly handles 32-bit
1508 * processes running on 64-bit kernels.
1512 int security_file_ioctl_compat(struct file *file, unsigned int cmd, in security_file_ioctl_compat() argument
1515 return call_int_hook(file_ioctl_compat, 0, file, cmd, arg); in security_file_ioctl_compat()
1527 if (!(current->personality & READ_IMPLIES_EXEC)) in mmap_prot()
1538 if (!path_noexec(&file->f_path)) { in mmap_prot()
1540 if (file->f_op->mmap_capabilities) { in mmap_prot()
1541 unsigned caps = file->f_op->mmap_capabilities(file); in mmap_prot()
1580 int security_file_lock(struct file *file, unsigned int cmd) in security_file_lock() argument
1582 return call_int_hook(file_lock, 0, file, cmd); in security_file_lock()
1585 int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg) in security_file_fcntl() argument
1587 return call_int_hook(file_fcntl, 0, file, cmd, arg); in security_file_fcntl()
1596 struct fown_struct *fown, int sig) in security_file_send_sigiotask() argument
1598 return call_int_hook(file_send_sigiotask, 0, tsk, fown, sig); in security_file_send_sigiotask()
1633 kfree(task->security); in security_task_free()
1634 task->security = NULL; in security_task_free()
1654 * may result in a call here with ->security being NULL. in security_cred_free()
1656 if (unlikely(cred->security == NULL)) in security_cred_free()
1661 kfree(cred->security); in security_cred_free()
1662 cred->security = NULL; in security_cred_free()
1836 int sig, const struct cred *cred) in security_task_kill() argument
1838 return call_int_hook(task_kill, 0, p, info, sig, cred); in security_task_kill()
1849 thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5); in security_task_prctl()
1890 kfree(msg->security); in security_msg_msg_free()
1891 msg->security = NULL; in security_msg_msg_free()
1909 kfree(msq->security); in security_msg_queue_free()
1910 msq->security = NULL; in security_msg_queue_free()
1918 int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) in security_msg_queue_msgctl() argument
1920 return call_int_hook(msg_queue_msgctl, 0, msq, cmd); in security_msg_queue_msgctl()
1950 kfree(shp->security); in security_shm_free()
1951 shp->security = NULL; in security_shm_free()
1959 int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd) in security_shm_shmctl() argument
1961 return call_int_hook(shm_shmctl, 0, shp, cmd); in security_shm_shmctl()
1984 kfree(sma->security); in security_sem_free()
1985 sma->security = NULL; in security_sem_free()
1993 int security_sem_semctl(struct kern_ipc_perm *sma, int cmd) in security_sem_semctl() argument
1995 return call_int_hook(sem_semctl, 0, sma, cmd); in security_sem_semctl()
2018 if (lsm != NULL && strcmp(lsm, hp->lsm)) in security_getprocattr()
2020 return hp->hook.getprocattr(p, name, value); in security_getprocattr()
2031 if (lsm != NULL && strcmp(lsm, hp->lsm)) in security_setprocattr()
2033 return hp->hook.setprocattr(name, value, size); in security_setprocattr()
2059 rc = hp->hook.secid_to_secctx(secid, secdata, seclen); in security_secid_to_secctx()
2108 rc = hp->hook.inode_getsecctx(inode, ctx, ctxlen); in security_inode_getsecctx()
2230 return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, in security_socket_getpeersec_stream()
2236 return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, in security_socket_getpeersec_dgram()
2259 call_void_hook(sk_getsecid, sk, &flic->flowic_secid); in security_sk_classify_flow()
2451 int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) in security_xfrm_policy_lookup() argument
2453 return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir); in security_xfrm_policy_lookup()
2474 rc = hp->hook.xfrm_state_pol_flow_match(x, xp, flic); in security_xfrm_state_pol_flow_match()
2487 int rc = call_int_hook(xfrm_decode_session, 0, skb, &flic->flowic_secid, in security_skb_classify_flow()
2547 int security_bpf(int cmd, union bpf_attr *attr, unsigned int size) in security_bpf() argument
2549 return call_int_hook(bpf, 0, cmd, attr, size); in security_bpf()