
Searched refs:a (Results 1 – 25 of 35) sorted by relevance


/security/smack/
Dsmack.h291 struct common_audit_data a; member
451 static inline void smk_ad_init(struct smk_audit_info *a, const char *func, in smk_ad_init() argument
454 memset(&a->sad, 0, sizeof(a->sad)); in smk_ad_init()
455 a->a.type = type; in smk_ad_init()
456 a->a.smack_audit_data = &a->sad; in smk_ad_init()
457 a->a.smack_audit_data->function = func; in smk_ad_init()
460 static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func, in smk_ad_init_net() argument
463 smk_ad_init(a, func, type); in smk_ad_init_net()
465 a->a.u.net = net; in smk_ad_init_net()
468 static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a, in smk_ad_setfield_u_tsk() argument
[all …]
DKconfig12 Smack is useful for sensitivity, integrity, and a variety
22 When access is granted by a rule with the "b" mode a
24 intention is that a process can be granted a wide set
30 This is a superior mechanism to the oft abused
50 Sending a signal has been treated as a write operation to the
53 to differentiate between delivering a network packet and
54 delivering a signal in the Smack rules.
Dsmack_access.c117 int request, struct smk_audit_info *a) in smk_access() argument
199 if (a) in smk_access()
201 request, rc, a); in smk_access()
220 u32 mode, struct smk_audit_info *a) in smk_tskacc() argument
253 if (a) in smk_tskacc()
255 mode, rc, a); in smk_tskacc()
272 u32 mode, struct smk_audit_info *a) in smk_curacc() argument
276 return smk_tskacc(tsp, obj_known, mode, a); in smk_curacc()
312 static void smack_log_callback(struct audit_buffer *ab, void *a) in smack_log_callback() argument
314 struct common_audit_data *ad = a; in smack_log_callback()
[all …]
/security/
Dlsm_audit.c209 struct common_audit_data *a) in dump_common_audit_data() argument
218 BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2); in dump_common_audit_data()
223 switch (a->type) { in dump_common_audit_data()
227 audit_log_format(ab, " key=%d ", a->u.ipc_id); in dump_common_audit_data()
230 audit_log_format(ab, " capability=%d ", a->u.cap); in dump_common_audit_data()
235 audit_log_d_path(ab, " path=", &a->u.path); in dump_common_audit_data()
237 inode = d_backing_inode(a->u.path.dentry); in dump_common_audit_data()
248 audit_log_d_path(ab, " path=", &a->u.file->f_path); in dump_common_audit_data()
250 inode = file_inode(a->u.file); in dump_common_audit_data()
261 audit_log_d_path(ab, " path=", &a->u.op->path); in dump_common_audit_data()
[all …]
DKconfig53 If enabled, a security module can use these hooks to
73 If enabled, a security module can use these hooks to
82 If enabled, a security module can use these hooks to
95 If enabled, a security module can use these hooks to
105 Intel(R) Trusted Execution Technology to perform a measured launch
111 create a robust initial kernel measurement and verification, which
113 correctly. This level of protection requires a root of trust outside
124 See Documentation/x86/intel_txt.rst for a description of how to enable
125 Intel TXT support in a kernel boot.
136 from userspace allocation. Keeping a user from writing to low pages
[all …]
DKconfig.hardening35 on the function calling complexity of a given workload's
40 initialized before use in a function.
56 a __user attribute. This can prevent some classes of
74 As a side-effect, this keeps a lot of variables on the
76 this with CONFIG_KASAN_STACK can lead to a stack overflow
95 Initializes everything on the stack with a 0xAA
108 This option will cause a warning to be printed each time the
109 structleak plugin finds a variable it thinks needs to be
129 The performance impact on a single CPU system kernel compilation
130 sees a 1% slowdown, other systems and workloads may vary and you
[all …]
/security/apparmor/
Dlabel.c107 static int ns_cmp(struct aa_ns *a, struct aa_ns *b) in ns_cmp() argument
111 AA_BUG(!a); in ns_cmp()
113 AA_BUG(!a->base.hname); in ns_cmp()
116 if (a == b) in ns_cmp()
119 res = a->level - b->level; in ns_cmp()
123 return strcmp(a->base.hname, b->base.hname); in ns_cmp()
135 static int profile_cmp(struct aa_profile *a, struct aa_profile *b) in profile_cmp() argument
139 AA_BUG(!a); in profile_cmp()
141 AA_BUG(!a->ns); in profile_cmp()
143 AA_BUG(!a->base.hname); in profile_cmp()
[all …]
DKconfig35 loaded policy provide system administrators a quick way
58 points. If the assert is triggered it will trigger a WARN
/security/tomoyo/
Dgroup.c21 static bool tomoyo_same_path_group(const struct tomoyo_acl_head *a, in tomoyo_same_path_group() argument
24 return container_of(a, struct tomoyo_path_group, head)->member_name == in tomoyo_same_path_group()
36 static bool tomoyo_same_number_group(const struct tomoyo_acl_head *a, in tomoyo_same_number_group() argument
39 return !memcmp(&container_of(a, struct tomoyo_number_group, head) in tomoyo_same_number_group()
43 sizeof(container_of(a, struct tomoyo_number_group, head) in tomoyo_same_number_group()
55 static bool tomoyo_same_address_group(const struct tomoyo_acl_head *a, in tomoyo_same_address_group() argument
58 const struct tomoyo_address_group *p1 = container_of(a, typeof(*p1), in tomoyo_same_address_group()
Dcommon.h1165 static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a, in tomoyo_pathcmp() argument
1168 return a->hash != b->hash || strcmp(a->name, b->name); in tomoyo_pathcmp()
1234 (const struct tomoyo_name_union *a, const struct tomoyo_name_union *b) in tomoyo_same_name_union() argument
1236 return a->filename == b->filename && a->group == b->group; in tomoyo_same_name_union()
1248 (const struct tomoyo_number_union *a, const struct tomoyo_number_union *b) in tomoyo_same_number_union() argument
1250 return a->values[0] == b->values[0] && a->values[1] == b->values[1] && in tomoyo_same_number_union()
1251 a->group == b->group && a->value_type[0] == b->value_type[0] && in tomoyo_same_number_union()
1252 a->value_type[1] == b->value_type[1]; in tomoyo_same_number_union()
1264 (const struct tomoyo_ipaddr_union *a, const struct tomoyo_ipaddr_union *b) in tomoyo_same_ipaddr_union() argument
1266 return !memcmp(a->ip, b->ip, sizeof(a->ip)) && a->group == b->group && in tomoyo_same_ipaddr_union()
[all …]
Dfile.c341 static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a, in tomoyo_same_path_acl() argument
344 const struct tomoyo_path_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_path_acl()
359 static bool tomoyo_merge_path_acl(struct tomoyo_acl_info *a, in tomoyo_merge_path_acl() argument
363 u16 * const a_perm = &container_of(a, struct tomoyo_path_acl, head) in tomoyo_merge_path_acl()
413 static bool tomoyo_same_mkdev_acl(const struct tomoyo_acl_info *a, in tomoyo_same_mkdev_acl() argument
416 const struct tomoyo_mkdev_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_mkdev_acl()
434 static bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a, in tomoyo_merge_mkdev_acl() argument
438 u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl, in tomoyo_merge_mkdev_acl()
495 static bool tomoyo_same_path2_acl(const struct tomoyo_acl_info *a, in tomoyo_same_path2_acl() argument
498 const struct tomoyo_path2_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_path2_acl()
[all …]
Dcondition.c357 static inline bool tomoyo_same_condition(const struct tomoyo_condition *a, in tomoyo_same_condition() argument
360 return a->size == b->size && a->condc == b->condc && in tomoyo_same_condition()
361 a->numbers_count == b->numbers_count && in tomoyo_same_condition()
362 a->names_count == b->names_count && in tomoyo_same_condition()
363 a->argc == b->argc && a->envc == b->envc && in tomoyo_same_condition()
364 a->grant_log == b->grant_log && a->transit == b->transit && in tomoyo_same_condition()
365 !memcmp(a + 1, b + 1, a->size - sizeof(*a)); in tomoyo_same_condition()
Dnetwork.c192 static bool tomoyo_same_inet_acl(const struct tomoyo_acl_info *a, in tomoyo_same_inet_acl() argument
195 const struct tomoyo_inet_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_inet_acl()
211 static bool tomoyo_same_unix_acl(const struct tomoyo_acl_info *a, in tomoyo_same_unix_acl() argument
214 const struct tomoyo_unix_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_unix_acl()
230 static bool tomoyo_merge_inet_acl(struct tomoyo_acl_info *a, in tomoyo_merge_inet_acl() argument
235 &container_of(a, struct tomoyo_inet_acl, head)->perm; in tomoyo_merge_inet_acl()
256 static bool tomoyo_merge_unix_acl(struct tomoyo_acl_info *a, in tomoyo_merge_unix_acl() argument
261 &container_of(a, struct tomoyo_unix_acl, head)->perm; in tomoyo_merge_unix_acl()
Denviron.c76 static bool tomoyo_same_env_acl(const struct tomoyo_acl_info *a, in tomoyo_same_env_acl() argument
79 const struct tomoyo_env_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_env_acl()
Ddomain.c73 static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a, in tomoyo_same_acl_head() argument
76 return a->type == b->type && a->cond == b->cond; in tomoyo_same_acl_head()
219 static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a, in tomoyo_same_transition_control() argument
222 const struct tomoyo_transition_control *p1 = container_of(a, in tomoyo_same_transition_control()
382 static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a, in tomoyo_same_aggregator() argument
385 const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1), in tomoyo_same_aggregator()
/security/keys/
DKconfig14 associated with a process so that network filesystems, encryption
17 Furthermore, a special type of key is available that acts as keyring:
18 a searchable sequence of keys. Each process is equipped with access
38 wants to request a key that is likely the same as the one requested
41 An example of such a process is a pathwalk through a network
50 This option provides a register of persistent per-UID keyrings,
56 it is or by a process with administrative privileges. The active
61 removed if they expire (a default timeout is set upon creation).
105 which are encrypted/decrypted with a 'master' symmetric key. The
106 'master' key can be either a trusted-key or user-key type.
/security/integrity/ima/
DKconfig19 Measurement Architecture(IMA) maintains a list of hash
25 If your system has a TPM chip, then IMA also maintains
27 TPM hardware, so that the TPM can prove to a third party
34 bool "Enable carrying the IMA measurement list across a soft boot"
38 TPM PCRs are only reset on a hard reboot. In order to validate
39 a TPM's quote after a soft boot, the IMA measurement list of the
69 The original 'ima' measurement list template contains a
70 hash, defined as 20 bytes, and a null terminated pathname,
152 It requires the system to be labeled with a security extended
176 is enforced at run time without having to specify a builtin
[all …]
/security/selinux/ss/
Davtab.h97 int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol,
98 int (*insert)(struct avtab *a, struct avtab_key *k,
102 int avtab_read(struct avtab *a, void *fp, struct policydb *pol);
104 int avtab_write(struct policydb *p, struct avtab *a, void *fp);
Davtab.c387 int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, in avtab_read_item() argument
388 int (*insertf)(struct avtab *a, struct avtab_key *k, in avtab_read_item() argument
464 rc = insertf(a, &key, &datum, p); in avtab_read_item()
546 return insertf(a, &key, &datum, p); in avtab_read_item()
549 static int avtab_insertf(struct avtab *a, struct avtab_key *k, in avtab_insertf() argument
552 return avtab_insert(a, k, d); in avtab_insertf()
555 int avtab_read(struct avtab *a, void *fp, struct policydb *pol) in avtab_read() argument
574 rc = avtab_alloc(a, nel); in avtab_read()
579 rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL); in avtab_read()
595 avtab_destroy(a); in avtab_read()
[all …]
/security/safesetid/
DKconfig9 restrict UID/GID transitions from a given UID/GID to only those
10 approved by a system-wide whitelist. These restrictions also prohibit
12 with CAP_SET{U/G}ID, such as allowing a user to set up user namespace
/security/loadpin/
DKconfig11 have a root filesystem backed by a read-only device such as
12 dm-verity or a CDROM.
/security/selinux/
DKconfig9 You will also need a policy configuration and a labeled filesystem.
17 This option adds a kernel parameter 'selinux', which allows SELinux
20 command line. The purpose of this option is to allow a single
32 This option enables writing to a selinuxfs node 'disable', which
98 chain lengths are high (e.g. > 20) then selecting a higher value here
Davc.c663 static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) in avc_audit_pre_callback() argument
665 struct common_audit_data *ad = a; in avc_audit_pre_callback()
704 static void avc_audit_post_callback(struct audit_buffer *ab, void *a) in avc_audit_post_callback() argument
706 struct common_audit_data *ad = a; in avc_audit_post_callback()
761 struct common_audit_data *a, in slow_avc_audit() argument
770 if (!a) { in slow_avc_audit()
771 a = &stack_data; in slow_avc_audit()
772 a->type = LSM_AUDIT_DATA_NONE; in slow_avc_audit()
782 if ((a->type == LSM_AUDIT_DATA_INODE) && in slow_avc_audit()
795 a->selinux_audit_data = &sad; in slow_avc_audit()
[all …]
/security/selinux/include/
Davc.h103 struct common_audit_data *a,
131 struct common_audit_data *a, in avc_audit() argument
140 a, flags); in avc_audit()
/security/integrity/
DKconfig9 of a number of different components including the Integrity
52 .evm keyrings be signed by a key on the system trusted
60 Provide a separate, distinct keyring for platform trusted keys, which
81 option adds a kernel parameter 'integrity_audit', which
