
Lines Matching +full:evm +full:- +full:sk

1 // SPDX-License-Identifier: GPL-2.0-or-later
6 * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
23 #include <linux/evm.h>
28 #include <linux/backing-dev.h>
36 #define LSM_COUNT (__end_lsm_info - __start_lsm_info)
83 /* Boot-time LSM user choice */
102 if (!lsm->enabled) in is_enabled()
105 return *lsm->enabled; in is_enabled()
115 * a hard-coded location for storing the default enabled state. in set_enabled()
117 if (!lsm->enabled) { in set_enabled()
119 lsm->enabled = &lsm_enabled_true; in set_enabled()
121 lsm->enabled = &lsm_enabled_false; in set_enabled()
122 } else if (lsm->enabled == &lsm_enabled_true) { in set_enabled()
124 lsm->enabled = &lsm_enabled_false; in set_enabled()
125 } else if (lsm->enabled == &lsm_enabled_false) { in set_enabled()
127 lsm->enabled = &lsm_enabled_true; in set_enabled()
129 *lsm->enabled = enabled; in set_enabled()
157 if (!lsm->enabled) in append_ordered_lsm()
158 lsm->enabled = &lsm_enabled_true; in append_ordered_lsm()
161 init_debug("%s ordering: %s (%sabled)\n", from, lsm->name, in append_ordered_lsm()
173 if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) { in lsm_allowed()
174 init_debug("exclusive disabled: %s\n", lsm->name); in lsm_allowed()
197 lsm_set_blob_size(&needed->lbs_cred, &blob_sizes.lbs_cred); in lsm_set_blob_sizes()
198 lsm_set_blob_size(&needed->lbs_file, &blob_sizes.lbs_file); in lsm_set_blob_sizes()
203 if (needed->lbs_inode && blob_sizes.lbs_inode == 0) in lsm_set_blob_sizes()
205 lsm_set_blob_size(&needed->lbs_inode, &blob_sizes.lbs_inode); in lsm_set_blob_sizes()
206 lsm_set_blob_size(&needed->lbs_ipc, &blob_sizes.lbs_ipc); in lsm_set_blob_sizes()
207 lsm_set_blob_size(&needed->lbs_msg_msg, &blob_sizes.lbs_msg_msg); in lsm_set_blob_sizes()
208 lsm_set_blob_size(&needed->lbs_task, &blob_sizes.lbs_task); in lsm_set_blob_sizes()
219 /* If enabled, do pre-initialization work. */ in prepare_lsm()
221 if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) { in prepare_lsm()
223 init_debug("exclusive chosen: %s\n", lsm->name); in prepare_lsm()
226 lsm_set_blob_sizes(lsm->blobs); in prepare_lsm()
236 init_debug("initializing %s\n", lsm->name); in initialize_lsm()
237 ret = lsm->init(); in initialize_lsm()
238 WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret); in initialize_lsm()
242 /* Populate ordered LSMs list from comma-separated LSM name list. */
250 if (lsm->order == LSM_ORDER_FIRST) in ordered_lsm_parse()
262 * all non-matching Legacy Major LSMs. in ordered_lsm_parse()
266 if ((major->flags & LSM_FLAG_LEGACY_MAJOR) && in ordered_lsm_parse()
267 strcmp(major->name, chosen_major_lsm) != 0) { in ordered_lsm_parse()
270 chosen_major_lsm, major->name); in ordered_lsm_parse()
282 if (lsm->order == LSM_ORDER_MUTABLE && in ordered_lsm_parse()
283 strcmp(lsm->name, name) == 0) { in ordered_lsm_parse()
298 if (strcmp(lsm->name, chosen_major_lsm) == 0) in ordered_lsm_parse()
308 init_debug("%s disabled: %s\n", origin, lsm->name); in ordered_lsm_parse()
357 lsm_early_cred((struct cred *) current->cred); in ordered_lsm_init()
376 if (!lsm->enabled) in early_security_init()
377 lsm->enabled = &lsm_enabled_true; in early_security_init()
386 * security_init - initializes the security framework
401 if (lsm->enabled) in security_init()
402 lsm_append(lsm->name, &lsm_names); in security_init()
457 return -ENOMEM; in lsm_append()
464 return -ENOMEM; in lsm_append()
472 * security_add_hooks - Add a modules hooks to the hook lists.
495 panic("%s - Cannot get early memory.\n", __func__); in security_add_hooks()
521 * lsm_cred_alloc - allocate a composite cred blob
527 * Returns 0, or -ENOMEM if memory can't be allocated.
532 cred->security = NULL; in lsm_cred_alloc()
536 cred->security = kzalloc(blob_sizes.lbs_cred, gfp); in lsm_cred_alloc()
537 if (cred->security == NULL) in lsm_cred_alloc()
538 return -ENOMEM; in lsm_cred_alloc()
543 * lsm_early_cred - during initialization allocate a composite cred blob
557 * lsm_file_alloc - allocate a composite file blob
562 * Returns 0, or -ENOMEM if memory can't be allocated.
567 file->f_security = NULL; in lsm_file_alloc()
571 file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL); in lsm_file_alloc()
572 if (file->f_security == NULL) in lsm_file_alloc()
573 return -ENOMEM; in lsm_file_alloc()
578 * lsm_inode_alloc - allocate a composite inode blob
583 * Returns 0, or -ENOMEM if memory can't be allocated.
588 inode->i_security = NULL; in lsm_inode_alloc()
592 inode->i_security = kmem_cache_zalloc(lsm_inode_cache, GFP_NOFS); in lsm_inode_alloc()
593 if (inode->i_security == NULL) in lsm_inode_alloc()
594 return -ENOMEM; in lsm_inode_alloc()
599 * lsm_task_alloc - allocate a composite task blob
604 * Returns 0, or -ENOMEM if memory can't be allocated.
609 task->security = NULL; in lsm_task_alloc()
613 task->security = kzalloc(blob_sizes.lbs_task, GFP_KERNEL); in lsm_task_alloc()
614 if (task->security == NULL) in lsm_task_alloc()
615 return -ENOMEM; in lsm_task_alloc()
620 * lsm_ipc_alloc - allocate a composite ipc blob
625 * Returns 0, or -ENOMEM if memory can't be allocated.
630 kip->security = NULL; in lsm_ipc_alloc()
634 kip->security = kzalloc(blob_sizes.lbs_ipc, GFP_KERNEL); in lsm_ipc_alloc()
635 if (kip->security == NULL) in lsm_ipc_alloc()
636 return -ENOMEM; in lsm_ipc_alloc()
641 * lsm_msg_msg_alloc - allocate a composite msg_msg blob
646 * Returns 0, or -ENOMEM if memory can't be allocated.
651 mp->security = NULL; in lsm_msg_msg_alloc()
655 mp->security = kzalloc(blob_sizes.lbs_msg_msg, GFP_KERNEL); in lsm_msg_msg_alloc()
656 if (mp->security == NULL) in lsm_msg_msg_alloc()
657 return -ENOMEM; in lsm_msg_msg_alloc()
662 * lsm_early_task - during initialization allocate a composite task blob
709 P->hook.FUNC(__VA_ARGS__); \
718 RC = P->hook.FUNC(__VA_ARGS__); \
821 rc = hp->hook.vm_enough_memory(mm, pages); in security_vm_enough_memory_mm()
870 int rc = -ENOPARAM; in security_fs_context_parse_param()
874 trc = hp->hook.fs_context_parse_param(fc, param); in security_fs_context_parse_param()
877 else if (trc != -ENOPARAM) in security_fs_context_parse_param()
952 mnt_opts ? -EOPNOTSUPP : 0, sb, in security_sb_set_mnt_opts()
970 return call_int_hook(sb_add_mnt_opt, -EINVAL, in security_add_mnt_opt()
1016 * leave the current inode->i_security pointer intact. in security_inode_free()
1019 if (inode->i_security) in security_inode_free()
1020 call_rcu((struct rcu_head *)inode->i_security, in security_inode_free()
1028 return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode, in security_dentry_init_security()
1054 return call_int_hook(inode_init_security, -EOPNOTSUPP, inode, in security_inode_init_security()
1058 ret = call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, qstr, in security_inode_init_security()
1059 &lsm_xattr->name, in security_inode_init_security()
1060 &lsm_xattr->value, in security_inode_init_security()
1061 &lsm_xattr->value_len); in security_inode_init_security()
1071 for (xattr = new_xattrs; xattr->value != NULL; xattr++) in security_inode_init_security()
1072 kfree(xattr->value); in security_inode_init_security()
1073 return (ret == -EOPNOTSUPP) ? 0 : ret; in security_inode_init_security()
1082 return -EOPNOTSUPP; in security_old_inode_init_security()
1083 return call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, in security_old_inode_init_security()
1092 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_mknod()
1100 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_mkdir()
1108 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_rmdir()
1115 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_unlink()
1124 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry)))) in security_path_symlink()
1159 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) in security_path_truncate()
1166 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) in security_path_chmod()
1173 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) in security_path_chown()
1293 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry)))) in security_inode_getattr()
1387 rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc); in security_inode_getsecurity()
1405 rc = hp->hook.inode_setsecurity(inode, name, value, size, in security_inode_setsecurity()
1439 * xattr), -EOPNOTSUPP if it does not know anything about the xattr or in security_inode_copy_up_xattr()
1444 rc = hp->hook.inode_copy_up_xattr(name); in security_inode_copy_up_xattr()
1488 blob = file->f_security; in security_file_free()
1490 file->f_security = NULL; in security_file_free()
1502 * security_file_ioctl_compat() - Check if an ioctl is allowed in compat mode
1507 * Compat version of security_file_ioctl() that correctly handles 32-bit
1508 * processes running on 64-bit kernels.
1527 if (!(current->personality & READ_IMPLIES_EXEC)) in mmap_prot()
1538 if (!path_noexec(&file->f_path)) { in mmap_prot()
1540 if (file->f_op->mmap_capabilities) { in mmap_prot()
1541 unsigned caps = file->f_op->mmap_capabilities(file); in mmap_prot()
1633 kfree(task->security); in security_task_free()
1634 task->security = NULL; in security_task_free()
1654 * may result in a call here with ->security being NULL. in security_cred_free()
1656 if (unlikely(cred->security == NULL)) in security_cred_free()
1661 kfree(cred->security); in security_cred_free()
1662 cred->security = NULL; in security_cred_free()
1849 thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5); in security_task_prctl()
1890 kfree(msg->security); in security_msg_msg_free()
1891 msg->security = NULL; in security_msg_msg_free()
1909 kfree(msq->security); in security_msg_queue_free()
1910 msq->security = NULL; in security_msg_queue_free()
1950 kfree(shp->security); in security_shm_free()
1951 shp->security = NULL; in security_shm_free()
1984 kfree(sma->security); in security_sem_free()
1985 sma->security = NULL; in security_sem_free()
2018 if (lsm != NULL && strcmp(lsm, hp->lsm)) in security_getprocattr()
2020 return hp->hook.getprocattr(p, name, value); in security_getprocattr()
2031 if (lsm != NULL && strcmp(lsm, hp->lsm)) in security_setprocattr()
2033 return hp->hook.setprocattr(name, value, size); in security_setprocattr()
2038 int security_netlink_send(struct sock *sk, struct sk_buff *skb) in security_netlink_send() argument
2040 return call_int_hook(netlink_send, 0, sk, skb); in security_netlink_send()
2059 rc = hp->hook.secid_to_secctx(secid, secdata, seclen); in security_secid_to_secctx()
2108 rc = hp->hook.inode_getsecctx(inode, ctx, ctxlen); in security_inode_getsecctx()
2221 int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) in security_sock_rcv_skb() argument
2223 return call_int_hook(socket_sock_rcv_skb, 0, sk, skb); in security_sock_rcv_skb()
2230 return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, in security_socket_getpeersec_stream()
2236 return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, in security_socket_getpeersec_dgram()
2241 int security_sk_alloc(struct sock *sk, int family, gfp_t priority) in security_sk_alloc() argument
2243 return call_int_hook(sk_alloc_security, 0, sk, family, priority); in security_sk_alloc()
2246 void security_sk_free(struct sock *sk) in security_sk_free() argument
2248 call_void_hook(sk_free_security, sk); in security_sk_free()
2251 void security_sk_clone(const struct sock *sk, struct sock *newsk) in security_sk_clone() argument
2253 call_void_hook(sk_clone_security, sk, newsk); in security_sk_clone()
2257 void security_sk_classify_flow(struct sock *sk, struct flowi_common *flic) in security_sk_classify_flow() argument
2259 call_void_hook(sk_getsecid, sk, &flic->flowic_secid); in security_sk_classify_flow()
2270 void security_sock_graft(struct sock *sk, struct socket *parent) in security_sock_graft() argument
2272 call_void_hook(sock_graft, sk, parent); in security_sock_graft()
2276 int security_inet_conn_request(struct sock *sk, in security_inet_conn_request() argument
2279 return call_int_hook(inet_conn_request, 0, sk, skb, req); in security_inet_conn_request()
2289 void security_inet_conn_established(struct sock *sk, in security_inet_conn_established() argument
2292 call_void_hook(inet_conn_established, sk, skb); in security_inet_conn_established()
2338 int security_tun_dev_attach(struct sock *sk, void *security) in security_tun_dev_attach() argument
2340 return call_int_hook(tun_dev_attach, 0, sk, security); in security_tun_dev_attach()
2356 int security_sctp_bind_connect(struct sock *sk, int optname, in security_sctp_bind_connect() argument
2359 return call_int_hook(sctp_bind_connect, 0, sk, optname, in security_sctp_bind_connect()
2364 void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk, in security_sctp_sk_clone() argument
2367 call_void_hook(sctp_sk_clone, ep, sk, newsk); in security_sctp_sk_clone()
2474 rc = hp->hook.xfrm_state_pol_flow_match(x, xp, flic); in security_xfrm_state_pol_flow_match()
2487 int rc = call_int_hook(xfrm_decode_session, 0, skb, &flic->flowic_secid, in security_skb_classify_flow()