/security/smack/ |
D | smack.h | 288 struct common_audit_data a; member 446 static inline void smk_ad_init(struct smk_audit_info *a, const char *func, in smk_ad_init() argument 449 memset(&a->sad, 0, sizeof(a->sad)); in smk_ad_init() 450 a->a.type = type; in smk_ad_init() 451 a->a.smack_audit_data = &a->sad; in smk_ad_init() 452 a->a.smack_audit_data->function = func; in smk_ad_init() 455 static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func, in smk_ad_init_net() argument 458 smk_ad_init(a, func, type); in smk_ad_init_net() 460 a->a.u.net = net; in smk_ad_init_net() 463 static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a, in smk_ad_setfield_u_tsk() argument [all …]
|
D | Kconfig | 12 Smack is useful for sensitivity, integrity, and a variety 22 When access is granted by a rule with the "b" mode a 24 intention is that a process can be granted a wide set 30 This is a superior mechanism to the oft abused 50 Sending a signal has been treated as a write operation to the 53 to differentiate between delivering a network packet and 54 delivering a signal in the Smack rules.
|
D | smack_access.c | 116 int request, struct smk_audit_info *a) in smk_access() argument 198 if (a) in smk_access() 200 request, rc, a); in smk_access() 219 u32 mode, struct smk_audit_info *a) in smk_tskacc() argument 252 if (a) in smk_tskacc() 254 mode, rc, a); in smk_tskacc() 271 u32 mode, struct smk_audit_info *a) in smk_curacc() argument 275 return smk_tskacc(tsp, obj_known, mode, a); in smk_curacc() 311 static void smack_log_callback(struct audit_buffer *ab, void *a) in smack_log_callback() argument 313 struct common_audit_data *ad = a; in smack_log_callback() [all …]
|
/security/ |
D | lsm_audit.c | 209 struct common_audit_data *a) in dump_common_audit_data() argument 218 BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2); in dump_common_audit_data() 223 switch (a->type) { in dump_common_audit_data() 227 audit_log_format(ab, " key=%d ", a->u.ipc_id); in dump_common_audit_data() 230 audit_log_format(ab, " capability=%d ", a->u.cap); in dump_common_audit_data() 235 audit_log_d_path(ab, " path=", &a->u.path); in dump_common_audit_data() 237 inode = d_backing_inode(a->u.path.dentry); in dump_common_audit_data() 248 audit_log_d_path(ab, " path=", &a->u.file->f_path); in dump_common_audit_data() 250 inode = file_inode(a->u.file); in dump_common_audit_data() 261 audit_log_d_path(ab, " path=", &a->u.op->path); in dump_common_audit_data() [all …]
|
D | Kconfig.hardening | 48 on the function calling complexity of a given workload's 53 initialized before use in a function. 69 a __user attribute. This can prevent some classes of 87 As a side-effect, this keeps a lot of variables on the 89 this with CONFIG_KASAN_STACK can lead to a stack overflow 104 As a side-effect, this keeps a lot of variables on the 106 this with CONFIG_KASAN_STACK can lead to a stack overflow 114 with a specific debug value. This is intended to eliminate 132 with a zero value. This is intended to eliminate all 140 suitable as a production security mitigation than pattern [all …]
|
D | Kconfig | 53 If enabled, a security module can use these hooks to 73 If enabled, a security module can use these hooks to 82 If enabled, a security module can use these hooks to 95 If enabled, a security module can use these hooks to 105 Intel(R) Trusted Execution Technology to perform a measured launch 111 create a robust initial kernel measurement and verification, which 113 correctly. This level of protection requires a root of trust outside 124 See Documentation/x86/intel_txt.rst for a description of how to enable 125 Intel TXT support in a kernel boot. 136 from userspace allocation. Keeping a user from writing to low pages [all …]
|
/security/apparmor/ |
D | label.c | 107 static int ns_cmp(struct aa_ns *a, struct aa_ns *b) in ns_cmp() argument 111 AA_BUG(!a); in ns_cmp() 113 AA_BUG(!a->base.hname); in ns_cmp() 116 if (a == b) in ns_cmp() 119 res = a->level - b->level; in ns_cmp() 123 return strcmp(a->base.hname, b->base.hname); in ns_cmp() 135 static int profile_cmp(struct aa_profile *a, struct aa_profile *b) in profile_cmp() argument 139 AA_BUG(!a); in profile_cmp() 141 AA_BUG(!a->ns); in profile_cmp() 143 AA_BUG(!a->base.hname); in profile_cmp() [all …]
|
D | Kconfig | 35 loaded policy provide system administrators a quick way 58 points. If the assert is triggered it will trigger a WARN
|
/security/tomoyo/ |
D | group.c | 21 static bool tomoyo_same_path_group(const struct tomoyo_acl_head *a, in tomoyo_same_path_group() argument 24 return container_of(a, struct tomoyo_path_group, head)->member_name == in tomoyo_same_path_group() 36 static bool tomoyo_same_number_group(const struct tomoyo_acl_head *a, in tomoyo_same_number_group() argument 39 return !memcmp(&container_of(a, struct tomoyo_number_group, head) in tomoyo_same_number_group() 43 sizeof(container_of(a, struct tomoyo_number_group, head) in tomoyo_same_number_group() 55 static bool tomoyo_same_address_group(const struct tomoyo_acl_head *a, in tomoyo_same_address_group() argument 58 const struct tomoyo_address_group *p1 = container_of(a, typeof(*p1), in tomoyo_same_address_group()
|
D | common.h | 1165 static inline bool tomoyo_pathcmp(const struct tomoyo_path_info *a, in tomoyo_pathcmp() argument 1168 return a->hash != b->hash || strcmp(a->name, b->name); in tomoyo_pathcmp() 1234 (const struct tomoyo_name_union *a, const struct tomoyo_name_union *b) in tomoyo_same_name_union() argument 1236 return a->filename == b->filename && a->group == b->group; in tomoyo_same_name_union() 1248 (const struct tomoyo_number_union *a, const struct tomoyo_number_union *b) in tomoyo_same_number_union() argument 1250 return a->values[0] == b->values[0] && a->values[1] == b->values[1] && in tomoyo_same_number_union() 1251 a->group == b->group && a->value_type[0] == b->value_type[0] && in tomoyo_same_number_union() 1252 a->value_type[1] == b->value_type[1]; in tomoyo_same_number_union() 1264 (const struct tomoyo_ipaddr_union *a, const struct tomoyo_ipaddr_union *b) in tomoyo_same_ipaddr_union() argument 1266 return !memcmp(a->ip, b->ip, sizeof(a->ip)) && a->group == b->group && in tomoyo_same_ipaddr_union() [all …]
|
D | file.c | 341 static bool tomoyo_same_path_acl(const struct tomoyo_acl_info *a, in tomoyo_same_path_acl() argument 344 const struct tomoyo_path_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_path_acl() 359 static bool tomoyo_merge_path_acl(struct tomoyo_acl_info *a, in tomoyo_merge_path_acl() argument 363 u16 * const a_perm = &container_of(a, struct tomoyo_path_acl, head) in tomoyo_merge_path_acl() 413 static bool tomoyo_same_mkdev_acl(const struct tomoyo_acl_info *a, in tomoyo_same_mkdev_acl() argument 416 const struct tomoyo_mkdev_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_mkdev_acl() 434 static bool tomoyo_merge_mkdev_acl(struct tomoyo_acl_info *a, in tomoyo_merge_mkdev_acl() argument 438 u8 *const a_perm = &container_of(a, struct tomoyo_mkdev_acl, in tomoyo_merge_mkdev_acl() 495 static bool tomoyo_same_path2_acl(const struct tomoyo_acl_info *a, in tomoyo_same_path2_acl() argument 498 const struct tomoyo_path2_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_path2_acl() [all …]
|
D | condition.c | 357 static inline bool tomoyo_same_condition(const struct tomoyo_condition *a, in tomoyo_same_condition() argument 360 return a->size == b->size && a->condc == b->condc && in tomoyo_same_condition() 361 a->numbers_count == b->numbers_count && in tomoyo_same_condition() 362 a->names_count == b->names_count && in tomoyo_same_condition() 363 a->argc == b->argc && a->envc == b->envc && in tomoyo_same_condition() 364 a->grant_log == b->grant_log && a->transit == b->transit && in tomoyo_same_condition() 365 !memcmp(a + 1, b + 1, a->size - sizeof(*a)); in tomoyo_same_condition()
|
D | network.c | 192 static bool tomoyo_same_inet_acl(const struct tomoyo_acl_info *a, in tomoyo_same_inet_acl() argument 195 const struct tomoyo_inet_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_inet_acl() 211 static bool tomoyo_same_unix_acl(const struct tomoyo_acl_info *a, in tomoyo_same_unix_acl() argument 214 const struct tomoyo_unix_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_unix_acl() 230 static bool tomoyo_merge_inet_acl(struct tomoyo_acl_info *a, in tomoyo_merge_inet_acl() argument 235 &container_of(a, struct tomoyo_inet_acl, head)->perm; in tomoyo_merge_inet_acl() 256 static bool tomoyo_merge_unix_acl(struct tomoyo_acl_info *a, in tomoyo_merge_unix_acl() argument 261 &container_of(a, struct tomoyo_unix_acl, head)->perm; in tomoyo_merge_unix_acl()
|
D | environ.c | 76 static bool tomoyo_same_env_acl(const struct tomoyo_acl_info *a, in tomoyo_same_env_acl() argument 79 const struct tomoyo_env_acl *p1 = container_of(a, typeof(*p1), head); in tomoyo_same_env_acl()
|
D | domain.c | 73 static inline bool tomoyo_same_acl_head(const struct tomoyo_acl_info *a, in tomoyo_same_acl_head() argument 76 return a->type == b->type && a->cond == b->cond; in tomoyo_same_acl_head() 219 static bool tomoyo_same_transition_control(const struct tomoyo_acl_head *a, in tomoyo_same_transition_control() argument 222 const struct tomoyo_transition_control *p1 = container_of(a, in tomoyo_same_transition_control() 382 static bool tomoyo_same_aggregator(const struct tomoyo_acl_head *a, in tomoyo_same_aggregator() argument 385 const struct tomoyo_aggregator *p1 = container_of(a, typeof(*p1), in tomoyo_same_aggregator()
|
/security/keys/ |
D | Kconfig | 14 associated with a process so that network filesystems, encryption 17 Furthermore, a special type of key is available that acts as keyring: 18 a searchable sequence of keys. Each process is equipped with access 38 wants to request a key that is likely the same as the one requested 41 An example of such a process is a pathwalk through a network 50 This option provides a register of persistent per-UID keyrings, 56 it is or by a process with administrative privileges. The active 61 removed if they expire (a default timeout is set upon creation). 105 which are encrypted/decrypted with a 'master' symmetric key. The 106 'master' key can be either a trusted-key or user-key type.
|
/security/integrity/ima/ |
D | Kconfig | 18 Measurement Architecture(IMA) maintains a list of hash 24 If your system has a TPM chip, then IMA also maintains 26 TPM hardware, so that the TPM can prove to a third party 35 bool "Enable carrying the IMA measurement list across a soft boot" 39 TPM PCRs are only reset on a hard reboot. In order to validate 40 a TPM's quote after a soft boot, the IMA measurement list of the 68 The original 'ima' measurement list template contains a 69 hash, defined as 20 bytes, and a null terminated pathname, 143 It requires the system to be labeled with a security extended 167 is enforced at run time without having to specify a builtin [all …]
|
/security/selinux/ss/ |
D | avtab.h | 97 int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, 98 int (*insert)(struct avtab *a, struct avtab_key *k, 102 int avtab_read(struct avtab *a, void *fp, struct policydb *pol); 104 int avtab_write(struct policydb *p, struct avtab *a, void *fp);
|
D | avtab.c | 387 int avtab_read_item(struct avtab *a, void *fp, struct policydb *pol, in avtab_read_item() argument 388 int (*insertf)(struct avtab *a, struct avtab_key *k, in avtab_read_item() argument 464 rc = insertf(a, &key, &datum, p); in avtab_read_item() 546 return insertf(a, &key, &datum, p); in avtab_read_item() 549 static int avtab_insertf(struct avtab *a, struct avtab_key *k, in avtab_insertf() argument 552 return avtab_insert(a, k, d); in avtab_insertf() 555 int avtab_read(struct avtab *a, void *fp, struct policydb *pol) in avtab_read() argument 574 rc = avtab_alloc(a, nel); in avtab_read() 579 rc = avtab_read_item(a, fp, pol, avtab_insertf, NULL); in avtab_read() 595 avtab_destroy(a); in avtab_read() [all …]
|
/security/safesetid/ |
D | Kconfig | 9 restrict UID/GID transitions from a given UID/GID to only those 10 approved by a system-wide whitelist. These restrictions also prohibit 12 with CAP_SET{U/G}ID, such as allowing a user to set up user namespace
|
/security/loadpin/ |
D | Kconfig | 11 have a root filesystem backed by a read-only device such as 12 dm-verity or a CDROM.
|
/security/selinux/ |
D | Kconfig | 9 You will also need a policy configuration and a labeled filesystem. 17 This option adds a kernel parameter 'selinux', which allows SELinux 20 command line. The purpose of this option is to allow a single 32 This option enables writing to a selinuxfs node 'disable', which 98 chain lengths are high (e.g. > 20) then selecting a higher value here
|
D | avc.c | 661 static void avc_audit_pre_callback(struct audit_buffer *ab, void *a) in avc_audit_pre_callback() argument 663 struct common_audit_data *ad = a; in avc_audit_pre_callback() 702 static void avc_audit_post_callback(struct audit_buffer *ab, void *a) in avc_audit_post_callback() argument 704 struct common_audit_data *ad = a; in avc_audit_post_callback() 759 struct common_audit_data *a) in slow_avc_audit() argument 767 if (!a) { in slow_avc_audit() 768 a = &stack_data; in slow_avc_audit() 769 a->type = LSM_AUDIT_DATA_NONE; in slow_avc_audit() 781 a->selinux_audit_data = &sad; in slow_avc_audit() 783 common_lsm_audit(a, avc_audit_pre_callback, avc_audit_post_callback); in slow_avc_audit()
|
/security/integrity/ |
D | Kconfig | 9 of a number of different components including the Integrity 52 .evm keyrings be signed by a key on the system trusted 60 Provide a separate, distinct keyring for platform trusted keys, which 81 option adds a kernel parameter 'integrity_audit', which
|
/security/selinux/include/ |
D | avc.h | 103 struct common_audit_data *a); 130 struct common_audit_data *a, in avc_audit() argument 142 a); in avc_audit()
|