From patchwork Mon Nov 20 13:28:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tetsuo Handa X-Patchwork-Id: 13461314 X-Patchwork-Delegate: bpf@iogearbox.net Authentication-Results: smtp.subspace.kernel.org; dkim=none Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id E0B7BD2 for ; Mon, 20 Nov 2023 05:28:20 -0800 (PST) Received: from fsav119.sakura.ne.jp (fsav119.sakura.ne.jp [27.133.134.246]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 3AKDSJZv045904; Mon, 20 Nov 2023 22:28:19 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav119.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav119.sakura.ne.jp); Mon, 20 Nov 2023 22:28:19 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav119.sakura.ne.jp) Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 3AKDRaAK045731 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Mon, 20 Nov 2023 22:28:19 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: Date: Mon, 20 Nov 2023 22:28:15 +0900 Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: [PATCH 1/4] LSM: Auto-undef LSM_HOOK macro. Content-Language: en-US 
From: Tetsuo Handa To: linux-security-module , bpf , KP Singh Cc: Paul Moore , Kees Cook , Casey Schaufler , song@kernel.org, Daniel Borkmann , Alexei Starovoitov , renauld@google.com, Paolo Abeni References: <93b5e861-c1ec-417c-b21e-56d0c4a3ae79@I-love.SAKURA.ne.jp> In-Reply-To: <93b5e861-c1ec-417c-b21e-56d0c4a3ae79@I-love.SAKURA.ne.jp> X-Patchwork-Delegate: bpf@iogearbox.net Since all users are doing "#undef LSM_HOOK" immediately after "#include " line, let lsm_hook_defs.h do it. Signed-off-by: Tetsuo Handa --- include/linux/bpf_lsm.h | 1 - include/linux/lsm_hook_defs.h | 3 ++- include/linux/lsm_hooks.h | 2 -- kernel/bpf/bpf_lsm.c | 3 --- security/bpf/hooks.c | 1 - security/security.c | 3 --- 6 files changed, 2 insertions(+), 11 deletions(-) diff --git a/include/linux/bpf_lsm.h b/include/linux/bpf_lsm.h index 1de7ece5d36d..01b7a2913cb1 100644 --- a/include/linux/bpf_lsm.h +++ b/include/linux/bpf_lsm.h @@ -16,7 +16,6 @@ #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ RET bpf_lsm_##NAME(__VA_ARGS__); #include -#undef LSM_HOOK struct bpf_storage_blob { struct bpf_local_storage __rcu *storage; diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index ff217a5ce552..3febbe4ef87c 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h @@ -23,7 +23,6 @@ * struct security_hook_heads { * #define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME; * #include - * #undef LSM_HOOK * }; */ LSM_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr) @@ -419,3 +418,5 @@ LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) LSM_HOOK(int, 0, uring_sqpoll, void) LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) #endif /* CONFIG_IO_URING */ + +#undef LSM_HOOK diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index dcb5e5b5eb13..4ba1aedc7901 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h 
@@ -33,13 +33,11 @@ union security_list_options { #define LSM_HOOK(RET, DEFAULT, NAME, ...) RET (*NAME)(__VA_ARGS__); #include "lsm_hook_defs.h" - #undef LSM_HOOK }; struct security_hook_heads { #define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME; #include "lsm_hook_defs.h" - #undef LSM_HOOK } __randomize_layout; /* diff --git a/kernel/bpf/bpf_lsm.c b/kernel/bpf/bpf_lsm.c index e14c822f8911..025d05c30f11 100644 --- a/kernel/bpf/bpf_lsm.c +++ b/kernel/bpf/bpf_lsm.c @@ -26,14 +26,11 @@ noinline RET bpf_lsm_##NAME(__VA_ARGS__) \ { \ return DEFAULT; \ } - #include -#undef LSM_HOOK #define LSM_HOOK(RET, DEFAULT, NAME, ...) BTF_ID(func, bpf_lsm_##NAME) BTF_SET_START(bpf_lsm_hooks) #include -#undef LSM_HOOK BTF_SET_END(bpf_lsm_hooks) /* List of LSM hooks that should operate on 'current' cgroup regardless diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index cfaf1d0e6a5f..93bd9b2cf8fc 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c @@ -10,7 +10,6 @@ static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = { #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ LSM_HOOK_INIT(NAME, bpf_lsm_##NAME), #include - #undef LSM_HOOK LSM_HOOK_INIT(inode_free_security, bpf_inode_storage_free), LSM_HOOK_INIT(task_free, bpf_task_storage_free), }; diff --git a/security/security.c b/security/security.c index dcb3e7014f9b..d35d50b218c6 100644 --- a/security/security.c +++ b/security/security.c @@ -407,7 +407,6 @@ int __init early_security_init(void) #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ INIT_HLIST_HEAD(&security_hook_heads.NAME); #include "linux/lsm_hook_defs.h" -#undef LSM_HOOK for (lsm = __start_early_lsm_info; lsm < __end_early_lsm_info; lsm++) { if (!lsm->enabled) 
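Review bot: in the include/linux/lsm_hook_defs.h hunk of this patch, the usage comment at the top of the header loses its `* #undef LSM_HOOK` line but gains nothing in its place, so a reader of that comment is no longer told that the header now undefines LSM_HOOK itself (the new `+#undef LSM_HOOK` after `#endif /* CONFIG_IO_URING */`). Suggest a one-line note in that comment, for example ` * LSM_HOOK is undefined at the end of this file, so every #include must be preceded by a fresh #define LSM_HOOK(...)`, and the same sentence in the commit message: any user that expected LSM_HOOK to survive the include (say, to include the header twice under one definition) will now see an undefined macro, and the message only says that all current users already undefine it.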
@@ -749,9 +748,7 @@ static int lsm_superblock_alloc(struct super_block *sb) static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT); #define LSM_HOOK(RET, DEFAULT, NAME, ...) \ DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME) - #include -#undef LSM_HOOK /* * Hook list operation macros. From patchwork Mon Nov 20 13:28:56 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tetsuo Handa X-Patchwork-Id: 13461315 Authentication-Results: smtp.subspace.kernel.org; dkim=none Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id BE420114 for ; Mon, 20 Nov 2023 05:29:02 -0800 (PST) Received: from fsav118.sakura.ne.jp (fsav118.sakura.ne.jp [27.133.134.245]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 3AKDT1CF046059; Mon, 20 Nov 2023 22:29:01 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav118.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav118.sakura.ne.jp); Mon, 20 Nov 2023 22:29:01 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav118.sakura.ne.jp) Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 3AKDRaAL045731 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Mon, 20 Nov 2023 22:29:00 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: Date: Mon, 20 Nov 2023 22:28:56 +0900 Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: [PATCH 2/4] LSM: Add a header file containing only arguments of LSM callback functions. Content-Language: en-US 
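Review bot: the security/security.c hunk at lsm_superblock_alloc in PATCH 1/4 (and likewise the kernel/bpf/bpf_lsm.c hunk) also deletes the blank line between the `#define LSM_HOOK(...)` macro and the `#include` that follows it; the diffstat confirms this, since security/security.c and kernel/bpf/bpf_lsm.c each count one deletion more than their `#undef LSM_HOOK` lines. The commit message ("let lsm_hook_defs.h do it") covers only the `#undef` removals, so either keep those blank lines so the diff matches the message, or say explicitly that the blank lines are dropped as part of the cleanup.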
From: Tetsuo Handa To: linux-security-module , bpf , KP Singh Cc: Paul Moore , Kees Cook , Casey Schaufler , song@kernel.org, Daniel Borkmann , Alexei Starovoitov , renauld@google.com, Paolo Abeni References: <93b5e861-c1ec-417c-b21e-56d0c4a3ae79@I-love.SAKURA.ne.jp> In-Reply-To: <93b5e861-c1ec-417c-b21e-56d0c4a3ae79@I-love.SAKURA.ne.jp> This file is used by security/mod_lsm.c which is added by PATCH 4/5. This file is mechanically generated by the following command. awk 'BEGIN { print "/* SPDX-License-Identifier: GPL-2.0 */" } { if (substr($1, 1, 1) == "#" || substr($1, 1, 1) == "*") { next } LINE = LINE $0; if (index(LINE, ")") > 0) { gsub("*", " ", LINE); gsub("[ \t]+", " ", LINE); sPos = index(LINE, "(") + 1; N = split(substr(LINE, sPos, index(LINE, ")") - sPos), TOKENS, ",") if (N >= 4) { LINE="#define LSM_CALL_ARGS_" substr(TOKENS[3], match(TOKENS[3], "[A-Za-z]")); for (i = 4; i <= N; i++) { nWords = split(TOKENS[i], WORDS, " "); if (i == 4 && WORDS[nWords] == "void") { break; } LINE=LINE " " WORDS[nWords]; if (i < N) { LINE=LINE ","; } } print LINE; } LINE = ""; } }' include/linux/lsm_hook_defs.h > include/linux/lsm_hook_args.h Signed-off-by: Tetsuo Handa --- include/linux/lsm_hook_args.h | 250 ++++++++++++++++++++++++++++++++++ 1 file changed, 250 insertions(+) create mode 100644 include/linux/lsm_hook_args.h diff --git a/include/linux/lsm_hook_args.h b/include/linux/lsm_hook_args.h new file mode 100644 index 000000000000..d2c4f9401725 --- /dev/null +++ b/include/linux/lsm_hook_args.h 
@@ -0,0 +1,250 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#define LSM_CALL_ARGS_binder_set_context_mgr mgr +#define LSM_CALL_ARGS_binder_transaction from, to +#define LSM_CALL_ARGS_binder_transfer_binder from, to +#define LSM_CALL_ARGS_binder_transfer_file from, to, file +#define LSM_CALL_ARGS_ptrace_access_check child, mode +#define LSM_CALL_ARGS_ptrace_traceme parent +#define LSM_CALL_ARGS_capget target, effective, inheritable, permitted +#define LSM_CALL_ARGS_capset new, old, effective, inheritable, permitted +#define LSM_CALL_ARGS_capable cred, ns, cap, opts +#define LSM_CALL_ARGS_quotactl cmds, type, id, sb +#define LSM_CALL_ARGS_quota_on dentry +#define LSM_CALL_ARGS_syslog type +#define LSM_CALL_ARGS_settime ts, tz +#define LSM_CALL_ARGS_vm_enough_memory mm, pages +#define LSM_CALL_ARGS_bprm_creds_for_exec bprm +#define LSM_CALL_ARGS_bprm_creds_from_file bprm, file +#define LSM_CALL_ARGS_bprm_check_security bprm +#define LSM_CALL_ARGS_bprm_committing_creds bprm +#define LSM_CALL_ARGS_bprm_committed_creds bprm +#define LSM_CALL_ARGS_fs_context_submount fc, reference +#define LSM_CALL_ARGS_fs_context_dup fc, src_sc +#define LSM_CALL_ARGS_fs_context_parse_param fc, param +#define LSM_CALL_ARGS_sb_alloc_security sb +#define LSM_CALL_ARGS_sb_delete sb +#define LSM_CALL_ARGS_sb_free_security sb +#define LSM_CALL_ARGS_sb_free_mnt_opts mnt_opts +#define LSM_CALL_ARGS_sb_eat_lsm_opts orig, mnt_opts +#define LSM_CALL_ARGS_sb_mnt_opts_compat sb, mnt_opts +#define LSM_CALL_ARGS_sb_remount sb, mnt_opts +#define LSM_CALL_ARGS_sb_kern_mount sb +#define LSM_CALL_ARGS_sb_show_options m, sb +#define LSM_CALL_ARGS_sb_statfs dentry +#define LSM_CALL_ARGS_sb_mount dev_name, path, type, flags, data +#define LSM_CALL_ARGS_sb_umount mnt, flags +#define LSM_CALL_ARGS_sb_pivotroot old_path, new_path +#define LSM_CALL_ARGS_sb_set_mnt_opts sb, mnt_opts, kern_flags, set_kern_flags +#define LSM_CALL_ARGS_sb_clone_mnt_opts oldsb, newsb, kern_flags, set_kern_flags +#define 
LSM_CALL_ARGS_move_mount from_path, to_path +#define LSM_CALL_ARGS_dentry_init_security dentry, mode, name, xattr_name, ctx, ctxlen +#define LSM_CALL_ARGS_dentry_create_files_as dentry, mode, name, old, new +#define LSM_CALL_ARGS_path_unlink dir, dentry +#define LSM_CALL_ARGS_path_mkdir dir, dentry, mode +#define LSM_CALL_ARGS_path_rmdir dir, dentry +#define LSM_CALL_ARGS_path_mknod dir, dentry, mode, dev +#define LSM_CALL_ARGS_path_truncate path +#define LSM_CALL_ARGS_path_symlink dir, dentry, old_name +#define LSM_CALL_ARGS_path_link old_dentry, new_dir, new_dentry +#define LSM_CALL_ARGS_path_rename old_dir, old_dentry, new_dir, new_dentry, flags +#define LSM_CALL_ARGS_path_chmod path, mode +#define LSM_CALL_ARGS_path_chown path, uid, gid +#define LSM_CALL_ARGS_path_chroot path +#define LSM_CALL_ARGS_path_notify path, mask, obj_type +#define LSM_CALL_ARGS_inode_alloc_security inode +#define LSM_CALL_ARGS_inode_free_security inode +#define LSM_CALL_ARGS_inode_init_security inode, dir, qstr, xattrs, xattr_count +#define LSM_CALL_ARGS_inode_init_security_anon inode, name, context_inode +#define LSM_CALL_ARGS_inode_create dir, dentry, mode +#define LSM_CALL_ARGS_inode_link old_dentry, dir, new_dentry +#define LSM_CALL_ARGS_inode_unlink dir, dentry +#define LSM_CALL_ARGS_inode_symlink dir, dentry, old_name +#define LSM_CALL_ARGS_inode_mkdir dir, dentry, mode +#define LSM_CALL_ARGS_inode_rmdir dir, dentry +#define LSM_CALL_ARGS_inode_mknod dir, dentry, mode, dev +#define LSM_CALL_ARGS_inode_rename old_dir, old_dentry, new_dir, new_dentry +#define LSM_CALL_ARGS_inode_readlink dentry +#define LSM_CALL_ARGS_inode_follow_link dentry, inode, rcu +#define LSM_CALL_ARGS_inode_permission inode, mask +#define LSM_CALL_ARGS_inode_setattr dentry, attr +#define LSM_CALL_ARGS_inode_getattr path +#define LSM_CALL_ARGS_inode_setxattr idmap, dentry, name, value, size, flags +#define LSM_CALL_ARGS_inode_post_setxattr dentry, name, value, size, flags +#define 
LSM_CALL_ARGS_inode_getxattr dentry, name +#define LSM_CALL_ARGS_inode_listxattr dentry +#define LSM_CALL_ARGS_inode_removexattr idmap, dentry, name +#define LSM_CALL_ARGS_inode_set_acl idmap, dentry, acl_name, kacl +#define LSM_CALL_ARGS_inode_get_acl idmap, dentry, acl_name +#define LSM_CALL_ARGS_inode_remove_acl idmap, dentry, acl_name +#define LSM_CALL_ARGS_inode_need_killpriv dentry +#define LSM_CALL_ARGS_inode_killpriv idmap, dentry +#define LSM_CALL_ARGS_inode_getsecurity idmap, inode, name, buffer, alloc +#define LSM_CALL_ARGS_inode_setsecurity inode, name, value, size, flags +#define LSM_CALL_ARGS_inode_listsecurity inode, buffer, buffer_size +#define LSM_CALL_ARGS_inode_getsecid inode, secid +#define LSM_CALL_ARGS_inode_copy_up src, new +#define LSM_CALL_ARGS_inode_copy_up_xattr name +#define LSM_CALL_ARGS_kernfs_init_security kn_dir, kn +#define LSM_CALL_ARGS_file_permission file, mask +#define LSM_CALL_ARGS_file_alloc_security file +#define LSM_CALL_ARGS_file_free_security file +#define LSM_CALL_ARGS_file_ioctl file, cmd, arg +#define LSM_CALL_ARGS_mmap_addr addr +#define LSM_CALL_ARGS_mmap_file file, reqprot, prot, flags +#define LSM_CALL_ARGS_file_mprotect vma, reqprot, prot +#define LSM_CALL_ARGS_file_lock file, cmd +#define LSM_CALL_ARGS_file_fcntl file, cmd, arg +#define LSM_CALL_ARGS_file_set_fowner file +#define LSM_CALL_ARGS_file_send_sigiotask tsk, fown, sig +#define LSM_CALL_ARGS_file_receive file +#define LSM_CALL_ARGS_file_open file +#define LSM_CALL_ARGS_file_truncate file +#define LSM_CALL_ARGS_task_alloc task, clone_flags +#define LSM_CALL_ARGS_task_free task +#define LSM_CALL_ARGS_cred_alloc_blank cred, gfp +#define LSM_CALL_ARGS_cred_free cred +#define LSM_CALL_ARGS_cred_prepare new, old, gfp +#define LSM_CALL_ARGS_cred_transfer new, old +#define LSM_CALL_ARGS_cred_getsecid c, secid +#define LSM_CALL_ARGS_kernel_act_as new, secid +#define LSM_CALL_ARGS_kernel_create_files_as new, inode +#define LSM_CALL_ARGS_kernel_module_request 
kmod_name +#define LSM_CALL_ARGS_kernel_load_data id, contents +#define LSM_CALL_ARGS_kernel_post_load_data buf, size, id, description +#define LSM_CALL_ARGS_kernel_read_file file, id, contents +#define LSM_CALL_ARGS_kernel_post_read_file file, buf, size, id +#define LSM_CALL_ARGS_task_fix_setuid new, old, flags +#define LSM_CALL_ARGS_task_fix_setgid new, old, flags +#define LSM_CALL_ARGS_task_fix_setgroups new, old +#define LSM_CALL_ARGS_task_setpgid p, pgid +#define LSM_CALL_ARGS_task_getpgid p +#define LSM_CALL_ARGS_task_getsid p +#define LSM_CALL_ARGS_current_getsecid_subj secid +#define LSM_CALL_ARGS_task_getsecid_obj p, secid +#define LSM_CALL_ARGS_task_setnice p, nice +#define LSM_CALL_ARGS_task_setioprio p, ioprio +#define LSM_CALL_ARGS_task_getioprio p +#define LSM_CALL_ARGS_task_prlimit cred, tcred, flags +#define LSM_CALL_ARGS_task_setrlimit p, resource, new_rlim +#define LSM_CALL_ARGS_task_setscheduler p +#define LSM_CALL_ARGS_task_getscheduler p +#define LSM_CALL_ARGS_task_movememory p +#define LSM_CALL_ARGS_task_kill p, info, sig, cred +#define LSM_CALL_ARGS_task_prctl option, arg2, arg3, arg4, arg5 +#define LSM_CALL_ARGS_task_to_inode p, inode +#define LSM_CALL_ARGS_userns_create cred +#define LSM_CALL_ARGS_ipc_permission ipcp, flag +#define LSM_CALL_ARGS_ipc_getsecid ipcp, secid +#define LSM_CALL_ARGS_msg_msg_alloc_security msg +#define LSM_CALL_ARGS_msg_msg_free_security msg +#define LSM_CALL_ARGS_msg_queue_alloc_security perm +#define LSM_CALL_ARGS_msg_queue_free_security perm +#define LSM_CALL_ARGS_msg_queue_associate perm, msqflg +#define LSM_CALL_ARGS_msg_queue_msgctl perm, cmd +#define LSM_CALL_ARGS_msg_queue_msgsnd perm, msg, msqflg +#define LSM_CALL_ARGS_msg_queue_msgrcv perm, msg, target, type, mode +#define LSM_CALL_ARGS_shm_alloc_security perm +#define LSM_CALL_ARGS_shm_free_security perm +#define LSM_CALL_ARGS_shm_associate perm, shmflg +#define LSM_CALL_ARGS_shm_shmctl perm, cmd +#define LSM_CALL_ARGS_shm_shmat perm, shmaddr, shmflg 
+#define LSM_CALL_ARGS_sem_alloc_security perm +#define LSM_CALL_ARGS_sem_free_security perm +#define LSM_CALL_ARGS_sem_associate perm, semflg +#define LSM_CALL_ARGS_sem_semctl perm, cmd +#define LSM_CALL_ARGS_sem_semop perm, sops, nsops, alter +#define LSM_CALL_ARGS_netlink_send sk, skb +#define LSM_CALL_ARGS_d_instantiate dentry, inode +#define LSM_CALL_ARGS_getprocattr p, name, value +#define LSM_CALL_ARGS_setprocattr name, value, size +#define LSM_CALL_ARGS_ismaclabel name +#define LSM_CALL_ARGS_secid_to_secctx secid, secdata, seclen +#define LSM_CALL_ARGS_secctx_to_secid secdata, seclen, secid +#define LSM_CALL_ARGS_release_secctx secdata, seclen +#define LSM_CALL_ARGS_inode_invalidate_secctx inode +#define LSM_CALL_ARGS_inode_notifysecctx inode, ctx, ctxlen +#define LSM_CALL_ARGS_inode_setsecctx dentry, ctx, ctxlen +#define LSM_CALL_ARGS_inode_getsecctx inode, ctx, ctxlen +#define LSM_CALL_ARGS_post_notification w_cred, cred, n +#define LSM_CALL_ARGS_watch_key key +#define LSM_CALL_ARGS_unix_stream_connect sock, other, newsk +#define LSM_CALL_ARGS_unix_may_send sock, other +#define LSM_CALL_ARGS_socket_create family, type, protocol, kern +#define LSM_CALL_ARGS_socket_post_create sock, family, type, protocol, kern +#define LSM_CALL_ARGS_socket_socketpair socka, sockb +#define LSM_CALL_ARGS_socket_bind sock, address, addrlen +#define LSM_CALL_ARGS_socket_connect sock, address, addrlen +#define LSM_CALL_ARGS_socket_listen sock, backlog +#define LSM_CALL_ARGS_socket_accept sock, newsock +#define LSM_CALL_ARGS_socket_sendmsg sock, msg, size +#define LSM_CALL_ARGS_socket_recvmsg sock, msg, size, flags +#define LSM_CALL_ARGS_socket_getsockname sock +#define LSM_CALL_ARGS_socket_getpeername sock +#define LSM_CALL_ARGS_socket_getsockopt sock, level, optname +#define LSM_CALL_ARGS_socket_setsockopt sock, level, optname +#define LSM_CALL_ARGS_socket_shutdown sock, how +#define LSM_CALL_ARGS_socket_sock_rcv_skb sk, skb +#define LSM_CALL_ARGS_socket_getpeersec_stream 
sock, optval, optlen, len +#define LSM_CALL_ARGS_socket_getpeersec_dgram sock, skb, secid +#define LSM_CALL_ARGS_sk_alloc_security sk, family, priority +#define LSM_CALL_ARGS_sk_free_security sk +#define LSM_CALL_ARGS_sk_clone_security sk, newsk +#define LSM_CALL_ARGS_sk_getsecid sk, secid +#define LSM_CALL_ARGS_sock_graft sk, parent +#define LSM_CALL_ARGS_inet_conn_request sk, skb, req +#define LSM_CALL_ARGS_inet_csk_clone newsk, req +#define LSM_CALL_ARGS_inet_conn_established sk, skb +#define LSM_CALL_ARGS_secmark_relabel_packet secid +#define LSM_CALL_ARGS_secmark_refcount_inc +#define LSM_CALL_ARGS_secmark_refcount_dec +#define LSM_CALL_ARGS_req_classify_flow req, flic +#define LSM_CALL_ARGS_tun_dev_alloc_security security +#define LSM_CALL_ARGS_tun_dev_free_security security +#define LSM_CALL_ARGS_tun_dev_create +#define LSM_CALL_ARGS_tun_dev_attach_queue security +#define LSM_CALL_ARGS_tun_dev_attach sk, security +#define LSM_CALL_ARGS_tun_dev_open security +#define LSM_CALL_ARGS_sctp_assoc_request asoc, skb +#define LSM_CALL_ARGS_sctp_bind_connect sk, optname, address, addrlen +#define LSM_CALL_ARGS_sctp_sk_clone asoc, sk, newsk +#define LSM_CALL_ARGS_sctp_assoc_established asoc, skb +#define LSM_CALL_ARGS_mptcp_add_subflow sk, ssk +#define LSM_CALL_ARGS_ib_pkey_access sec, subnet_prefix, pkey +#define LSM_CALL_ARGS_ib_endport_manage_subnet sec, dev_name, port_num +#define LSM_CALL_ARGS_ib_alloc_security sec +#define LSM_CALL_ARGS_ib_free_security sec +#define LSM_CALL_ARGS_xfrm_policy_alloc_security ctxp, sec_ctx, gfp +#define LSM_CALL_ARGS_xfrm_policy_clone_security old_ctx, new_ctx +#define LSM_CALL_ARGS_xfrm_policy_free_security ctx +#define LSM_CALL_ARGS_xfrm_policy_delete_security ctx +#define LSM_CALL_ARGS_xfrm_state_alloc x, sec_ctx +#define LSM_CALL_ARGS_xfrm_state_alloc_acquire x, polsec, secid +#define LSM_CALL_ARGS_xfrm_state_free_security x +#define LSM_CALL_ARGS_xfrm_state_delete_security x +#define LSM_CALL_ARGS_xfrm_policy_lookup ctx, 
fl_secid +#define LSM_CALL_ARGS_xfrm_state_pol_flow_match x, xp, flic +#define LSM_CALL_ARGS_xfrm_decode_session skb, secid, ckall +#define LSM_CALL_ARGS_key_alloc key, cred, flags +#define LSM_CALL_ARGS_key_free key +#define LSM_CALL_ARGS_key_permission key_ref, cred, need_perm +#define LSM_CALL_ARGS_key_getsecurity key, buffer +#define LSM_CALL_ARGS_audit_rule_init field, op, rulestr, lsmrule +#define LSM_CALL_ARGS_audit_rule_known krule +#define LSM_CALL_ARGS_audit_rule_match secid, field, op, lsmrule +#define LSM_CALL_ARGS_audit_rule_free lsmrule +#define LSM_CALL_ARGS_bpf cmd, attr, size +#define LSM_CALL_ARGS_bpf_map map, fmode +#define LSM_CALL_ARGS_bpf_prog prog +#define LSM_CALL_ARGS_bpf_map_alloc_security map +#define LSM_CALL_ARGS_bpf_map_free_security map +#define LSM_CALL_ARGS_bpf_prog_alloc_security aux +#define LSM_CALL_ARGS_bpf_prog_free_security aux +#define LSM_CALL_ARGS_locked_down what +#define LSM_CALL_ARGS_perf_event_open attr, type +#define LSM_CALL_ARGS_perf_event_alloc event +#define LSM_CALL_ARGS_perf_event_free event +#define LSM_CALL_ARGS_perf_event_read event +#define LSM_CALL_ARGS_perf_event_write event +#define LSM_CALL_ARGS_uring_override_creds new +#define LSM_CALL_ARGS_uring_sqpoll +#define LSM_CALL_ARGS_uring_cmd ioucmd From patchwork Mon Nov 20 13:29:47 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tetsuo Handa X-Patchwork-Id: 13461316 Authentication-Results: smtp.subspace.kernel.org; dkim=none Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B5584D2 for ; Mon, 20 Nov 2023 05:29:53 -0800 (PST) Received: from fsav117.sakura.ne.jp (fsav117.sakura.ne.jp [27.133.134.244]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 3AKDTqDp046220; Mon, 20 Nov 2023 22:29:52 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by 
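Review bot: the new include/linux/lsm_hook_args.h in PATCH 2/4 carries only the SPDX line ahead of the first `#define LSM_CALL_ARGS_...`, so nothing in the file says it is generated or must not be edited by hand; the awk command that produces it exists only in the commit message. Suggest a header comment stating that the file is generated from include/linux/lsm_hook_defs.h and naming the generator, and preferably checking the awk script in (e.g. under scripts/) so the header can be regenerated whenever lsm_hook_defs.h changes instead of drifting apart from it. Separately, the message says security/mod_lsm.c "is added by PATCH 4/5", but the series is numbered x/4, so that reference should read 4/4.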
fsav117.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav117.sakura.ne.jp); Mon, 20 Nov 2023 22:29:52 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav117.sakura.ne.jp) Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 3AKDRaAM045731 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Mon, 20 Nov 2023 22:29:52 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: Date: Mon, 20 Nov 2023 22:29:47 +0900 Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: [PATCH 3/4] LSM: Break LSM_HOOK() macro into 6 macros. Content-Language: en-US From: Tetsuo Handa To: linux-security-module , bpf , KP Singh Cc: Paul Moore , Kees Cook , Casey Schaufler , song@kernel.org, Daniel Borkmann , Alexei Starovoitov , renauld@google.com, Paolo Abeni References: <93b5e861-c1ec-417c-b21e-56d0c4a3ae79@I-love.SAKURA.ne.jp> In-Reply-To: <93b5e861-c1ec-417c-b21e-56d0c4a3ae79@I-love.SAKURA.ne.jp> These macros are used for deduplicating typical functions in security/security.c and security/mod_lsm.c (which is added by the next patch). Signed-off-by: Tetsuo Handa --- include/linux/lsm_hook_defs.h | 780 ++++++++++++++++++---------------- 1 file changed, 424 insertions(+), 356 deletions(-) diff --git a/include/linux/lsm_hook_defs.h b/include/linux/lsm_hook_defs.h index 3febbe4ef87c..4fdb13373fe2 100644 --- a/include/linux/lsm_hook_defs.h +++ b/include/linux/lsm_hook_defs.h 
@@ -25,398 +25,466 @@ * #include * }; */ -LSM_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr) -LSM_HOOK(int, 0, binder_transaction, const struct cred *from, - const struct cred *to) -LSM_HOOK(int, 0, binder_transfer_binder, const struct cred *from, - const struct cred *to) -LSM_HOOK(int, 0, binder_transfer_file, const struct cred *from, - const struct cred *to, const struct file *file) -LSM_HOOK(int, 0, ptrace_access_check, struct task_struct *child, - unsigned int mode) -LSM_HOOK(int, 0, ptrace_traceme, struct task_struct *parent) -LSM_HOOK(int, 0, capget, const struct task_struct *target, kernel_cap_t *effective, - kernel_cap_t *inheritable, kernel_cap_t *permitted) -LSM_HOOK(int, 0, capset, struct cred *new, const struct cred *old, - const kernel_cap_t *effective, const kernel_cap_t *inheritable, - const kernel_cap_t *permitted) -LSM_HOOK(int, 0, capable, const struct cred *cred, struct user_namespace *ns, - int cap, unsigned int opts) -LSM_HOOK(int, 0, quotactl, int cmds, int type, int id, const struct super_block *sb) -LSM_HOOK(int, 0, quota_on, struct dentry *dentry) -LSM_HOOK(int, 0, syslog, int type) -LSM_HOOK(int, 0, settime, const struct timespec64 *ts, - const struct timezone *tz) -LSM_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages) -LSM_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm) -LSM_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct file *file) -LSM_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) -LSM_HOOK(void, LSM_RET_VOID, bprm_committing_creds, const struct linux_binprm *bprm) -LSM_HOOK(void, LSM_RET_VOID, bprm_committed_creds, const struct linux_binprm *bprm) -LSM_HOOK(int, 0, fs_context_submount, struct fs_context *fc, struct super_block *reference) -LSM_HOOK(int, 0, fs_context_dup, struct fs_context *fc, - struct fs_context *src_sc) -LSM_HOOK(int, -ENOPARAM, fs_context_parse_param, struct fs_context *fc, - struct fs_parameter *param) -LSM_HOOK(int, 0, 
sb_alloc_security, struct super_block *sb) -LSM_HOOK(void, LSM_RET_VOID, sb_delete, struct super_block *sb) -LSM_HOOK(void, LSM_RET_VOID, sb_free_security, struct super_block *sb) -LSM_HOOK(void, LSM_RET_VOID, sb_free_mnt_opts, void *mnt_opts) -LSM_HOOK(int, 0, sb_eat_lsm_opts, char *orig, void **mnt_opts) -LSM_HOOK(int, 0, sb_mnt_opts_compat, struct super_block *sb, void *mnt_opts) -LSM_HOOK(int, 0, sb_remount, struct super_block *sb, void *mnt_opts) -LSM_HOOK(int, 0, sb_kern_mount, const struct super_block *sb) -LSM_HOOK(int, 0, sb_show_options, struct seq_file *m, struct super_block *sb) -LSM_HOOK(int, 0, sb_statfs, struct dentry *dentry) -LSM_HOOK(int, 0, sb_mount, const char *dev_name, const struct path *path, - const char *type, unsigned long flags, void *data) -LSM_HOOK(int, 0, sb_umount, struct vfsmount *mnt, int flags) -LSM_HOOK(int, 0, sb_pivotroot, const struct path *old_path, - const struct path *new_path) -LSM_HOOK(int, 0, sb_set_mnt_opts, struct super_block *sb, void *mnt_opts, - unsigned long kern_flags, unsigned long *set_kern_flags) -LSM_HOOK(int, 0, sb_clone_mnt_opts, const struct super_block *oldsb, - struct super_block *newsb, unsigned long kern_flags, - unsigned long *set_kern_flags) -LSM_HOOK(int, 0, move_mount, const struct path *from_path, - const struct path *to_path) -LSM_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry, - int mode, const struct qstr *name, const char **xattr_name, - void **ctx, u32 *ctxlen) -LSM_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int mode, - struct qstr *name, const struct cred *old, struct cred *new) + +/* + * The macro LSM_PLAIN_INT_HOOK can be used to automatically define a callback + * function that returns int and the loop can continue as long as the default + * return value is returned by callback functions in that loop. + * LSM_HOOK is used if this macro is not defined. 
+ */ +#ifndef LSM_PLAIN_INT_HOOK +#define LSM_PLAIN_INT_HOOK LSM_HOOK +#endif + +/* + * The macro LSM_CUSTOM_INT_HOOK can be used to define a callback function that + * returns int and the loop can continue as long as the default return value is + * returned by callback functions in that loop, but that callback function has + * something to do before and/or after the loop. + * LSM_HOOK is used if this macro is not defined. + */ +#ifndef LSM_CUSTOM_INT_HOOK +#define LSM_CUSTOM_INT_HOOK LSM_HOOK +#endif + +/* + * The macro LSM_SPECIAL_INT_HOOK can be used to suppess automatically defining + * a callback function that returns int because that callback has something to + * do before and/or after calling callback functions in that loop. + * LSM_HOOK is used if this macro is not defined. + */ +#ifndef LSM_SPECIAL_INT_HOOK +#define LSM_SPECIAL_INT_HOOK LSM_HOOK +#endif + +/* + * The macro LSM_PLAIN_VOID_HOOK can be used to automatically define a callback + * function that does not return a value. + * LSM_HOOK is used if this macro is not defined. + */ +#ifndef LSM_PLAIN_VOID_HOOK +#define LSM_PLAIN_VOID_HOOK LSM_HOOK +#endif + +/* + * The macro LSM_CUSTOM_VOID_HOOK can be used to suppress automatically + * defining a callback function that does not return a value because that + * callback function has something to do before and/or after the loop. + * LSM_HOOK is used if this macro is not defined. + */ +#ifndef LSM_CUSTOM_VOID_HOOK +#define LSM_CUSTOM_VOID_HOOK LSM_HOOK +#endif + +/* + * The macro LSM_SPECIAL_VOID_HOOK can be used to suppess automatically defining + * a callback function that does not return a value because that callback has + * something to do before and/or after calling callback functions in that loop. + * LSM_HOOK is used if this macro is not defined. 
+ */ +#ifndef LSM_SPECIAL_VOID_HOOK +#define LSM_SPECIAL_VOID_HOOK LSM_HOOK +#endif + +LSM_PLAIN_INT_HOOK(int, 0, binder_set_context_mgr, const struct cred *mgr) +LSM_PLAIN_INT_HOOK(int, 0, binder_transaction, const struct cred *from, + const struct cred *to) +LSM_PLAIN_INT_HOOK(int, 0, binder_transfer_binder, const struct cred *from, + const struct cred *to) +LSM_PLAIN_INT_HOOK(int, 0, binder_transfer_file, const struct cred *from, + const struct cred *to, const struct file *file) +LSM_PLAIN_INT_HOOK(int, 0, ptrace_access_check, struct task_struct *child, + unsigned int mode) +LSM_PLAIN_INT_HOOK(int, 0, ptrace_traceme, struct task_struct *parent) +LSM_PLAIN_INT_HOOK(int, 0, capget, const struct task_struct *target, kernel_cap_t *effective, + kernel_cap_t *inheritable, kernel_cap_t *permitted) +LSM_PLAIN_INT_HOOK(int, 0, capset, struct cred *new, const struct cred *old, + const kernel_cap_t *effective, const kernel_cap_t *inheritable, + const kernel_cap_t *permitted) +LSM_PLAIN_INT_HOOK(int, 0, capable, const struct cred *cred, struct user_namespace *ns, + int cap, unsigned int opts) +LSM_PLAIN_INT_HOOK(int, 0, quotactl, int cmds, int type, int id, const struct super_block *sb) +LSM_PLAIN_INT_HOOK(int, 0, quota_on, struct dentry *dentry) +LSM_PLAIN_INT_HOOK(int, 0, syslog, int type) +LSM_SPECIAL_INT_HOOK(int, 0, settime, const struct timespec64 *ts, + const struct timezone *tz) +LSM_SPECIAL_INT_HOOK(int, 1, vm_enough_memory, struct mm_struct *mm, long pages) +LSM_PLAIN_INT_HOOK(int, 0, bprm_creds_for_exec, struct linux_binprm *bprm) +LSM_PLAIN_INT_HOOK(int, 0, bprm_creds_from_file, struct linux_binprm *bprm, const struct file *file) +LSM_PLAIN_INT_HOOK(int, 0, bprm_check_security, struct linux_binprm *bprm) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, bprm_committing_creds, const struct linux_binprm *bprm) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, bprm_committed_creds, const struct linux_binprm *bprm) +LSM_PLAIN_INT_HOOK(int, 0, fs_context_submount, struct fs_context 
*fc, + struct super_block *reference) +LSM_PLAIN_INT_HOOK(int, 0, fs_context_dup, struct fs_context *fc, + struct fs_context *src_sc) +LSM_SPECIAL_INT_HOOK(int, -ENOPARAM, fs_context_parse_param, struct fs_context *fc, + struct fs_parameter *param) +LSM_PLAIN_INT_HOOK(int, 0, sb_alloc_security, struct super_block *sb) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sb_delete, struct super_block *sb) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sb_free_security, struct super_block *sb) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sb_free_mnt_opts, void *mnt_opts) +LSM_PLAIN_INT_HOOK(int, 0, sb_eat_lsm_opts, char *orig, void **mnt_opts) +LSM_PLAIN_INT_HOOK(int, 0, sb_mnt_opts_compat, struct super_block *sb, void *mnt_opts) +LSM_PLAIN_INT_HOOK(int, 0, sb_remount, struct super_block *sb, void *mnt_opts) +LSM_PLAIN_INT_HOOK(int, 0, sb_kern_mount, const struct super_block *sb) +LSM_PLAIN_INT_HOOK(int, 0, sb_show_options, struct seq_file *m, struct super_block *sb) +LSM_PLAIN_INT_HOOK(int, 0, sb_statfs, struct dentry *dentry) +LSM_PLAIN_INT_HOOK(int, 0, sb_mount, const char *dev_name, const struct path *path, + const char *type, unsigned long flags, void *data) +LSM_PLAIN_INT_HOOK(int, 0, sb_umount, struct vfsmount *mnt, int flags) +LSM_PLAIN_INT_HOOK(int, 0, sb_pivotroot, const struct path *old_path, + const struct path *new_path) +LSM_CUSTOM_INT_HOOK(int, 0, sb_set_mnt_opts, struct super_block *sb, void *mnt_opts, + unsigned long kern_flags, unsigned long *set_kern_flags) +LSM_PLAIN_INT_HOOK(int, 0, sb_clone_mnt_opts, const struct super_block *oldsb, + struct super_block *newsb, unsigned long kern_flags, + unsigned long *set_kern_flags) +LSM_PLAIN_INT_HOOK(int, 0, move_mount, const struct path *from_path, + const struct path *to_path) +LSM_PLAIN_INT_HOOK(int, -EOPNOTSUPP, dentry_init_security, struct dentry *dentry, + int mode, const struct qstr *name, const char **xattr_name, + void **ctx, u32 *ctxlen) +LSM_PLAIN_INT_HOOK(int, 0, dentry_create_files_as, struct dentry *dentry, int 
mode, + struct qstr *name, const struct cred *old, struct cred *new) #ifdef CONFIG_SECURITY_PATH -LSM_HOOK(int, 0, path_unlink, const struct path *dir, struct dentry *dentry) -LSM_HOOK(int, 0, path_mkdir, const struct path *dir, struct dentry *dentry, - umode_t mode) -LSM_HOOK(int, 0, path_rmdir, const struct path *dir, struct dentry *dentry) -LSM_HOOK(int, 0, path_mknod, const struct path *dir, struct dentry *dentry, - umode_t mode, unsigned int dev) -LSM_HOOK(int, 0, path_truncate, const struct path *path) -LSM_HOOK(int, 0, path_symlink, const struct path *dir, struct dentry *dentry, - const char *old_name) -LSM_HOOK(int, 0, path_link, struct dentry *old_dentry, - const struct path *new_dir, struct dentry *new_dentry) -LSM_HOOK(int, 0, path_rename, const struct path *old_dir, - struct dentry *old_dentry, const struct path *new_dir, - struct dentry *new_dentry, unsigned int flags) -LSM_HOOK(int, 0, path_chmod, const struct path *path, umode_t mode) -LSM_HOOK(int, 0, path_chown, const struct path *path, kuid_t uid, kgid_t gid) -LSM_HOOK(int, 0, path_chroot, const struct path *path) +LSM_CUSTOM_INT_HOOK(int, 0, path_unlink, const struct path *dir, struct dentry *dentry) +LSM_CUSTOM_INT_HOOK(int, 0, path_mkdir, const struct path *dir, struct dentry *dentry, + umode_t mode) +LSM_CUSTOM_INT_HOOK(int, 0, path_rmdir, const struct path *dir, struct dentry *dentry) +LSM_CUSTOM_INT_HOOK(int, 0, path_mknod, const struct path *dir, struct dentry *dentry, + umode_t mode, unsigned int dev) +LSM_CUSTOM_INT_HOOK(int, 0, path_truncate, const struct path *path) +LSM_CUSTOM_INT_HOOK(int, 0, path_symlink, const struct path *dir, struct dentry *dentry, + const char *old_name) +LSM_CUSTOM_INT_HOOK(int, 0, path_link, struct dentry *old_dentry, + const struct path *new_dir, struct dentry *new_dentry) +LSM_CUSTOM_INT_HOOK(int, 0, path_rename, const struct path *old_dir, + struct dentry *old_dentry, const struct path *new_dir, + struct dentry *new_dentry, unsigned int flags) 
+LSM_CUSTOM_INT_HOOK(int, 0, path_chmod, const struct path *path, umode_t mode) +LSM_CUSTOM_INT_HOOK(int, 0, path_chown, const struct path *path, kuid_t uid, kgid_t gid) +LSM_PLAIN_INT_HOOK(int, 0, path_chroot, const struct path *path) #endif /* CONFIG_SECURITY_PATH */ /* Needed for inode based security check */ -LSM_HOOK(int, 0, path_notify, const struct path *path, u64 mask, - unsigned int obj_type) -LSM_HOOK(int, 0, inode_alloc_security, struct inode *inode) -LSM_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode) -LSM_HOOK(int, -EOPNOTSUPP, inode_init_security, struct inode *inode, - struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, - int *xattr_count) -LSM_HOOK(int, 0, inode_init_security_anon, struct inode *inode, - const struct qstr *name, const struct inode *context_inode) -LSM_HOOK(int, 0, inode_create, struct inode *dir, struct dentry *dentry, - umode_t mode) -LSM_HOOK(int, 0, inode_link, struct dentry *old_dentry, struct inode *dir, - struct dentry *new_dentry) -LSM_HOOK(int, 0, inode_unlink, struct inode *dir, struct dentry *dentry) -LSM_HOOK(int, 0, inode_symlink, struct inode *dir, struct dentry *dentry, - const char *old_name) -LSM_HOOK(int, 0, inode_mkdir, struct inode *dir, struct dentry *dentry, - umode_t mode) -LSM_HOOK(int, 0, inode_rmdir, struct inode *dir, struct dentry *dentry) -LSM_HOOK(int, 0, inode_mknod, struct inode *dir, struct dentry *dentry, - umode_t mode, dev_t dev) -LSM_HOOK(int, 0, inode_rename, struct inode *old_dir, struct dentry *old_dentry, - struct inode *new_dir, struct dentry *new_dentry) -LSM_HOOK(int, 0, inode_readlink, struct dentry *dentry) -LSM_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode, - bool rcu) -LSM_HOOK(int, 0, inode_permission, struct inode *inode, int mask) -LSM_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr) -LSM_HOOK(int, 0, inode_getattr, const struct path *path) -LSM_HOOK(int, 0, inode_setxattr, struct mnt_idmap *idmap, - 
struct dentry *dentry, const char *name, const void *value, - size_t size, int flags) -LSM_HOOK(void, LSM_RET_VOID, inode_post_setxattr, struct dentry *dentry, - const char *name, const void *value, size_t size, int flags) -LSM_HOOK(int, 0, inode_getxattr, struct dentry *dentry, const char *name) -LSM_HOOK(int, 0, inode_listxattr, struct dentry *dentry) -LSM_HOOK(int, 0, inode_removexattr, struct mnt_idmap *idmap, - struct dentry *dentry, const char *name) -LSM_HOOK(int, 0, inode_set_acl, struct mnt_idmap *idmap, - struct dentry *dentry, const char *acl_name, struct posix_acl *kacl) -LSM_HOOK(int, 0, inode_get_acl, struct mnt_idmap *idmap, - struct dentry *dentry, const char *acl_name) -LSM_HOOK(int, 0, inode_remove_acl, struct mnt_idmap *idmap, - struct dentry *dentry, const char *acl_name) -LSM_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry) -LSM_HOOK(int, 0, inode_killpriv, struct mnt_idmap *idmap, - struct dentry *dentry) -LSM_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct mnt_idmap *idmap, - struct inode *inode, const char *name, void **buffer, bool alloc) -LSM_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode, - const char *name, const void *value, size_t size, int flags) -LSM_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer, - size_t buffer_size) -LSM_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid) -LSM_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) -LSM_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, const char *name) -LSM_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir, - struct kernfs_node *kn) -LSM_HOOK(int, 0, file_permission, struct file *file, int mask) -LSM_HOOK(int, 0, file_alloc_security, struct file *file) -LSM_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file) -LSM_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd, - unsigned long arg) -LSM_HOOK(int, 0, mmap_addr, unsigned long addr) -LSM_HOOK(int, 0, mmap_file, struct file 
*file, unsigned long reqprot, - unsigned long prot, unsigned long flags) -LSM_HOOK(int, 0, file_mprotect, struct vm_area_struct *vma, - unsigned long reqprot, unsigned long prot) -LSM_HOOK(int, 0, file_lock, struct file *file, unsigned int cmd) -LSM_HOOK(int, 0, file_fcntl, struct file *file, unsigned int cmd, - unsigned long arg) -LSM_HOOK(void, LSM_RET_VOID, file_set_fowner, struct file *file) -LSM_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk, - struct fown_struct *fown, int sig) -LSM_HOOK(int, 0, file_receive, struct file *file) -LSM_HOOK(int, 0, file_open, struct file *file) -LSM_HOOK(int, 0, file_truncate, struct file *file) -LSM_HOOK(int, 0, task_alloc, struct task_struct *task, - unsigned long clone_flags) -LSM_HOOK(void, LSM_RET_VOID, task_free, struct task_struct *task) -LSM_HOOK(int, 0, cred_alloc_blank, struct cred *cred, gfp_t gfp) -LSM_HOOK(void, LSM_RET_VOID, cred_free, struct cred *cred) -LSM_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old, - gfp_t gfp) -LSM_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new, - const struct cred *old) -LSM_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid) -LSM_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid) -LSM_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode) -LSM_HOOK(int, 0, kernel_module_request, char *kmod_name) -LSM_HOOK(int, 0, kernel_load_data, enum kernel_load_data_id id, bool contents) -LSM_HOOK(int, 0, kernel_post_load_data, char *buf, loff_t size, - enum kernel_load_data_id id, char *description) -LSM_HOOK(int, 0, kernel_read_file, struct file *file, - enum kernel_read_file_id id, bool contents) -LSM_HOOK(int, 0, kernel_post_read_file, struct file *file, char *buf, - loff_t size, enum kernel_read_file_id id) -LSM_HOOK(int, 0, task_fix_setuid, struct cred *new, const struct cred *old, - int flags) -LSM_HOOK(int, 0, task_fix_setgid, struct cred *new, const struct cred * old, - int flags) -LSM_HOOK(int, 0, 
task_fix_setgroups, struct cred *new, const struct cred * old) -LSM_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid) -LSM_HOOK(int, 0, task_getpgid, struct task_struct *p) -LSM_HOOK(int, 0, task_getsid, struct task_struct *p) -LSM_HOOK(void, LSM_RET_VOID, current_getsecid_subj, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, task_getsecid_obj, - struct task_struct *p, u32 *secid) -LSM_HOOK(int, 0, task_setnice, struct task_struct *p, int nice) -LSM_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio) -LSM_HOOK(int, 0, task_getioprio, struct task_struct *p) -LSM_HOOK(int, 0, task_prlimit, const struct cred *cred, - const struct cred *tcred, unsigned int flags) -LSM_HOOK(int, 0, task_setrlimit, struct task_struct *p, unsigned int resource, - struct rlimit *new_rlim) -LSM_HOOK(int, 0, task_setscheduler, struct task_struct *p) -LSM_HOOK(int, 0, task_getscheduler, struct task_struct *p) -LSM_HOOK(int, 0, task_movememory, struct task_struct *p) -LSM_HOOK(int, 0, task_kill, struct task_struct *p, struct kernel_siginfo *info, - int sig, const struct cred *cred) -LSM_HOOK(int, -ENOSYS, task_prctl, int option, unsigned long arg2, - unsigned long arg3, unsigned long arg4, unsigned long arg5) -LSM_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, - struct inode *inode) -LSM_HOOK(int, 0, userns_create, const struct cred *cred) -LSM_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) -LSM_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, - u32 *secid) -LSM_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg) -LSM_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg) -LSM_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm) -LSM_HOOK(void, LSM_RET_VOID, msg_queue_free_security, - struct kern_ipc_perm *perm) -LSM_HOOK(int, 0, msg_queue_associate, struct kern_ipc_perm *perm, int msqflg) -LSM_HOOK(int, 0, msg_queue_msgctl, struct kern_ipc_perm *perm, int cmd) -LSM_HOOK(int, 0, 
msg_queue_msgsnd, struct kern_ipc_perm *perm, - struct msg_msg *msg, int msqflg) -LSM_HOOK(int, 0, msg_queue_msgrcv, struct kern_ipc_perm *perm, - struct msg_msg *msg, struct task_struct *target, long type, int mode) -LSM_HOOK(int, 0, shm_alloc_security, struct kern_ipc_perm *perm) -LSM_HOOK(void, LSM_RET_VOID, shm_free_security, struct kern_ipc_perm *perm) -LSM_HOOK(int, 0, shm_associate, struct kern_ipc_perm *perm, int shmflg) -LSM_HOOK(int, 0, shm_shmctl, struct kern_ipc_perm *perm, int cmd) -LSM_HOOK(int, 0, shm_shmat, struct kern_ipc_perm *perm, char __user *shmaddr, - int shmflg) -LSM_HOOK(int, 0, sem_alloc_security, struct kern_ipc_perm *perm) -LSM_HOOK(void, LSM_RET_VOID, sem_free_security, struct kern_ipc_perm *perm) -LSM_HOOK(int, 0, sem_associate, struct kern_ipc_perm *perm, int semflg) -LSM_HOOK(int, 0, sem_semctl, struct kern_ipc_perm *perm, int cmd) -LSM_HOOK(int, 0, sem_semop, struct kern_ipc_perm *perm, struct sembuf *sops, - unsigned nsops, int alter) -LSM_HOOK(int, 0, netlink_send, struct sock *sk, struct sk_buff *skb) -LSM_HOOK(void, LSM_RET_VOID, d_instantiate, struct dentry *dentry, - struct inode *inode) -LSM_HOOK(int, -EINVAL, getprocattr, struct task_struct *p, const char *name, - char **value) -LSM_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) -LSM_HOOK(int, 0, ismaclabel, const char *name) -LSM_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, - u32 *seclen) -LSM_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen) -LSM_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) -LSM_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen) -LSM_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen) -LSM_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, void **ctx, - u32 *ctxlen) +LSM_PLAIN_INT_HOOK(int, 0, path_notify, const struct path 
*path, u64 mask, + unsigned int obj_type) +LSM_PLAIN_INT_HOOK(int, 0, inode_alloc_security, struct inode *inode) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, inode_free_security, struct inode *inode) +LSM_SPECIAL_INT_HOOK(int, -EOPNOTSUPP, inode_init_security, struct inode *inode, + struct inode *dir, const struct qstr *qstr, struct xattr *xattrs, + int *xattr_count) +LSM_PLAIN_INT_HOOK(int, 0, inode_init_security_anon, struct inode *inode, + const struct qstr *name, const struct inode *context_inode) +LSM_CUSTOM_INT_HOOK(int, 0, inode_create, struct inode *dir, struct dentry *dentry, + umode_t mode) +LSM_CUSTOM_INT_HOOK(int, 0, inode_link, struct dentry *old_dentry, struct inode *dir, + struct dentry *new_dentry) +LSM_CUSTOM_INT_HOOK(int, 0, inode_unlink, struct inode *dir, struct dentry *dentry) +LSM_CUSTOM_INT_HOOK(int, 0, inode_symlink, struct inode *dir, struct dentry *dentry, + const char *old_name) +LSM_CUSTOM_INT_HOOK(int, 0, inode_mkdir, struct inode *dir, struct dentry *dentry, + umode_t mode) +LSM_CUSTOM_INT_HOOK(int, 0, inode_rmdir, struct inode *dir, struct dentry *dentry) +LSM_CUSTOM_INT_HOOK(int, 0, inode_mknod, struct inode *dir, struct dentry *dentry, + umode_t mode, dev_t dev) +LSM_CUSTOM_INT_HOOK(int, 0, inode_rename, struct inode *old_dir, struct dentry *old_dentry, + struct inode *new_dir, struct dentry *new_dentry) +LSM_CUSTOM_INT_HOOK(int, 0, inode_readlink, struct dentry *dentry) +LSM_CUSTOM_INT_HOOK(int, 0, inode_follow_link, struct dentry *dentry, struct inode *inode, + bool rcu) +LSM_CUSTOM_INT_HOOK(int, 0, inode_permission, struct inode *inode, int mask) +LSM_CUSTOM_INT_HOOK(int, 0, inode_setattr, struct dentry *dentry, struct iattr *attr) +LSM_CUSTOM_INT_HOOK(int, 0, inode_getattr, const struct path *path) +LSM_CUSTOM_INT_HOOK(int, 0, inode_setxattr, struct mnt_idmap *idmap, + struct dentry *dentry, const char *name, const void *value, + size_t size, int flags) +LSM_CUSTOM_VOID_HOOK(void, LSM_RET_VOID, inode_post_setxattr, struct dentry 
*dentry, + const char *name, const void *value, size_t size, int flags) +LSM_CUSTOM_INT_HOOK(int, 0, inode_getxattr, struct dentry *dentry, const char *name) +LSM_CUSTOM_INT_HOOK(int, 0, inode_listxattr, struct dentry *dentry) +LSM_CUSTOM_INT_HOOK(int, 0, inode_removexattr, struct mnt_idmap *idmap, + struct dentry *dentry, const char *name) +LSM_CUSTOM_INT_HOOK(int, 0, inode_set_acl, struct mnt_idmap *idmap, + struct dentry *dentry, const char *acl_name, struct posix_acl *kacl) +LSM_CUSTOM_INT_HOOK(int, 0, inode_get_acl, struct mnt_idmap *idmap, + struct dentry *dentry, const char *acl_name) +LSM_CUSTOM_INT_HOOK(int, 0, inode_remove_acl, struct mnt_idmap *idmap, + struct dentry *dentry, const char *acl_name) +LSM_PLAIN_INT_HOOK(int, 0, inode_need_killpriv, struct dentry *dentry) +LSM_PLAIN_INT_HOOK(int, 0, inode_killpriv, struct mnt_idmap *idmap, + struct dentry *dentry) +LSM_CUSTOM_INT_HOOK(int, -EOPNOTSUPP, inode_getsecurity, struct mnt_idmap *idmap, + struct inode *inode, const char *name, void **buffer, bool alloc) +LSM_CUSTOM_INT_HOOK(int, -EOPNOTSUPP, inode_setsecurity, struct inode *inode, + const char *name, const void *value, size_t size, int flags) +LSM_CUSTOM_INT_HOOK(int, 0, inode_listsecurity, struct inode *inode, char *buffer, + size_t buffer_size) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, inode_getsecid, struct inode *inode, u32 *secid) +LSM_PLAIN_INT_HOOK(int, 0, inode_copy_up, struct dentry *src, struct cred **new) +LSM_CUSTOM_INT_HOOK(int, -EOPNOTSUPP, inode_copy_up_xattr, const char *name) +LSM_PLAIN_INT_HOOK(int, 0, kernfs_init_security, struct kernfs_node *kn_dir, + struct kernfs_node *kn) +LSM_CUSTOM_INT_HOOK(int, 0, file_permission, struct file *file, int mask) +LSM_PLAIN_INT_HOOK(int, 0, file_alloc_security, struct file *file) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, file_free_security, struct file *file) +LSM_PLAIN_INT_HOOK(int, 0, file_ioctl, struct file *file, unsigned int cmd, + unsigned long arg) +LSM_PLAIN_INT_HOOK(int, 0, mmap_addr, 
unsigned long addr) +LSM_CUSTOM_INT_HOOK(int, 0, mmap_file, struct file *file, unsigned long reqprot, + unsigned long prot, unsigned long flags) +LSM_CUSTOM_INT_HOOK(int, 0, file_mprotect, struct vm_area_struct *vma, + unsigned long reqprot, unsigned long prot) +LSM_PLAIN_INT_HOOK(int, 0, file_lock, struct file *file, unsigned int cmd) +LSM_PLAIN_INT_HOOK(int, 0, file_fcntl, struct file *file, unsigned int cmd, + unsigned long arg) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, file_set_fowner, struct file *file) +LSM_PLAIN_INT_HOOK(int, 0, file_send_sigiotask, struct task_struct *tsk, + struct fown_struct *fown, int sig) +LSM_PLAIN_INT_HOOK(int, 0, file_receive, struct file *file) +LSM_CUSTOM_INT_HOOK(int, 0, file_open, struct file *file) +LSM_PLAIN_INT_HOOK(int, 0, file_truncate, struct file *file) +LSM_CUSTOM_INT_HOOK(int, 0, task_alloc, struct task_struct *task, + unsigned long clone_flags) +LSM_SPECIAL_VOID_HOOK(void, LSM_RET_VOID, task_free, struct task_struct *task) +LSM_CUSTOM_INT_HOOK(int, 0, cred_alloc_blank, struct cred *cred, gfp_t gfp) +LSM_CUSTOM_VOID_HOOK(void, LSM_RET_VOID, cred_free, struct cred *cred) +LSM_PLAIN_INT_HOOK(int, 0, cred_prepare, struct cred *new, const struct cred *old, + gfp_t gfp) +LSM_SPECIAL_VOID_HOOK(void, LSM_RET_VOID, cred_transfer, struct cred *new, + const struct cred *old) +LSM_CUSTOM_VOID_HOOK(void, LSM_RET_VOID, cred_getsecid, const struct cred *c, u32 *secid) +LSM_PLAIN_INT_HOOK(int, 0, kernel_act_as, struct cred *new, u32 secid) +LSM_PLAIN_INT_HOOK(int, 0, kernel_create_files_as, struct cred *new, struct inode *inode) +LSM_CUSTOM_INT_HOOK(int, 0, kernel_module_request, char *kmod_name) +LSM_CUSTOM_INT_HOOK(int, 0, kernel_load_data, enum kernel_load_data_id id, bool contents) +LSM_CUSTOM_INT_HOOK(int, 0, kernel_post_load_data, char *buf, loff_t size, + enum kernel_load_data_id id, char *description) +LSM_CUSTOM_INT_HOOK(int, 0, kernel_read_file, struct file *file, + enum kernel_read_file_id id, bool contents) 
+LSM_CUSTOM_INT_HOOK(int, 0, kernel_post_read_file, struct file *file, char *buf, + loff_t size, enum kernel_read_file_id id) +LSM_PLAIN_INT_HOOK(int, 0, task_fix_setuid, struct cred *new, const struct cred *old, + int flags) +LSM_PLAIN_INT_HOOK(int, 0, task_fix_setgid, struct cred *new, const struct cred *old, + int flags) +LSM_PLAIN_INT_HOOK(int, 0, task_fix_setgroups, struct cred *new, const struct cred *old) +LSM_PLAIN_INT_HOOK(int, 0, task_setpgid, struct task_struct *p, pid_t pgid) +LSM_PLAIN_INT_HOOK(int, 0, task_getpgid, struct task_struct *p) +LSM_PLAIN_INT_HOOK(int, 0, task_getsid, struct task_struct *p) +LSM_CUSTOM_VOID_HOOK(void, LSM_RET_VOID, current_getsecid_subj, u32 *secid) +LSM_CUSTOM_VOID_HOOK(void, LSM_RET_VOID, task_getsecid_obj, + struct task_struct *p, u32 *secid) +LSM_PLAIN_INT_HOOK(int, 0, task_setnice, struct task_struct *p, int nice) +LSM_PLAIN_INT_HOOK(int, 0, task_setioprio, struct task_struct *p, int ioprio) +LSM_PLAIN_INT_HOOK(int, 0, task_getioprio, struct task_struct *p) +LSM_PLAIN_INT_HOOK(int, 0, task_prlimit, const struct cred *cred, + const struct cred *tcred, unsigned int flags) +LSM_PLAIN_INT_HOOK(int, 0, task_setrlimit, struct task_struct *p, unsigned int resource, + struct rlimit *new_rlim) +LSM_PLAIN_INT_HOOK(int, 0, task_setscheduler, struct task_struct *p) +LSM_PLAIN_INT_HOOK(int, 0, task_getscheduler, struct task_struct *p) +LSM_PLAIN_INT_HOOK(int, 0, task_movememory, struct task_struct *p) +LSM_PLAIN_INT_HOOK(int, 0, task_kill, struct task_struct *p, struct kernel_siginfo *info, + int sig, const struct cred *cred) +LSM_SPECIAL_INT_HOOK(int, -ENOSYS, task_prctl, int option, unsigned long arg2, + unsigned long arg3, unsigned long arg4, unsigned long arg5) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, task_to_inode, struct task_struct *p, + struct inode *inode) +LSM_SPECIAL_INT_HOOK(int, 0, userns_create, const struct cred *cred) +LSM_PLAIN_INT_HOOK(int, 0, ipc_permission, struct kern_ipc_perm *ipcp, short flag) 
+LSM_CUSTOM_VOID_HOOK(void, LSM_RET_VOID, ipc_getsecid, struct kern_ipc_perm *ipcp, + u32 *secid) +LSM_PLAIN_INT_HOOK(int, 0, msg_msg_alloc_security, struct msg_msg *msg) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, msg_msg_free_security, struct msg_msg *msg) +LSM_PLAIN_INT_HOOK(int, 0, msg_queue_alloc_security, struct kern_ipc_perm *perm) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, msg_queue_free_security, + struct kern_ipc_perm *perm) +LSM_PLAIN_INT_HOOK(int, 0, msg_queue_associate, struct kern_ipc_perm *perm, int msqflg) +LSM_PLAIN_INT_HOOK(int, 0, msg_queue_msgctl, struct kern_ipc_perm *perm, int cmd) +LSM_PLAIN_INT_HOOK(int, 0, msg_queue_msgsnd, struct kern_ipc_perm *perm, + struct msg_msg *msg, int msqflg) +LSM_PLAIN_INT_HOOK(int, 0, msg_queue_msgrcv, struct kern_ipc_perm *perm, + struct msg_msg *msg, struct task_struct *target, long type, int mode) +LSM_PLAIN_INT_HOOK(int, 0, shm_alloc_security, struct kern_ipc_perm *perm) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, shm_free_security, struct kern_ipc_perm *perm) +LSM_PLAIN_INT_HOOK(int, 0, shm_associate, struct kern_ipc_perm *perm, int shmflg) +LSM_PLAIN_INT_HOOK(int, 0, shm_shmctl, struct kern_ipc_perm *perm, int cmd) +LSM_PLAIN_INT_HOOK(int, 0, shm_shmat, struct kern_ipc_perm *perm, char __user *shmaddr, + int shmflg) +LSM_PLAIN_INT_HOOK(int, 0, sem_alloc_security, struct kern_ipc_perm *perm) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sem_free_security, struct kern_ipc_perm *perm) +LSM_PLAIN_INT_HOOK(int, 0, sem_associate, struct kern_ipc_perm *perm, int semflg) +LSM_PLAIN_INT_HOOK(int, 0, sem_semctl, struct kern_ipc_perm *perm, int cmd) +LSM_PLAIN_INT_HOOK(int, 0, sem_semop, struct kern_ipc_perm *perm, struct sembuf *sops, + unsigned int nsops, int alter) +LSM_PLAIN_INT_HOOK(int, 0, netlink_send, struct sock *sk, struct sk_buff *skb) +LSM_CUSTOM_VOID_HOOK(void, LSM_RET_VOID, d_instantiate, struct dentry *dentry, + struct inode *inode) +LSM_SPECIAL_INT_HOOK(int, -EINVAL, getprocattr, struct task_struct *p, const char 
*name, + char **value) +LSM_SPECIAL_INT_HOOK(int, -EINVAL, setprocattr, const char *name, void *value, size_t size) +LSM_PLAIN_INT_HOOK(int, 0, ismaclabel, const char *name) +LSM_PLAIN_INT_HOOK(int, -EOPNOTSUPP, secid_to_secctx, u32 secid, char **secdata, + u32 *seclen) +LSM_CUSTOM_INT_HOOK(int, 0, secctx_to_secid, const char *secdata, u32 seclen, u32 *secid) +LSM_CUSTOM_VOID_HOOK(void, LSM_RET_VOID, release_secctx, char *secdata, u32 seclen) +LSM_CUSTOM_VOID_HOOK(void, LSM_RET_VOID, inode_invalidate_secctx, struct inode *inode) +LSM_PLAIN_INT_HOOK(int, 0, inode_notifysecctx, struct inode *inode, void *ctx, u32 ctxlen) +LSM_PLAIN_INT_HOOK(int, 0, inode_setsecctx, struct dentry *dentry, void *ctx, u32 ctxlen) +LSM_SPECIAL_INT_HOOK(int, -EOPNOTSUPP, inode_getsecctx, struct inode *inode, void **ctx, + u32 *ctxlen) #if defined(CONFIG_SECURITY) && defined(CONFIG_WATCH_QUEUE) -LSM_HOOK(int, 0, post_notification, const struct cred *w_cred, - const struct cred *cred, struct watch_notification *n) +LSM_PLAIN_INT_HOOK(int, 0, post_notification, const struct cred *w_cred, + const struct cred *cred, struct watch_notification *n) #endif /* CONFIG_SECURITY && CONFIG_WATCH_QUEUE */ #if defined(CONFIG_SECURITY) && defined(CONFIG_KEY_NOTIFICATIONS) -LSM_HOOK(int, 0, watch_key, struct key *key) +LSM_PLAIN_INT_HOOK(int, 0, watch_key, struct key *key) #endif /* CONFIG_SECURITY && CONFIG_KEY_NOTIFICATIONS */ #ifdef CONFIG_SECURITY_NETWORK -LSM_HOOK(int, 0, unix_stream_connect, struct sock *sock, struct sock *other, - struct sock *newsk) -LSM_HOOK(int, 0, unix_may_send, struct socket *sock, struct socket *other) -LSM_HOOK(int, 0, socket_create, int family, int type, int protocol, int kern) -LSM_HOOK(int, 0, socket_post_create, struct socket *sock, int family, int type, - int protocol, int kern) -LSM_HOOK(int, 0, socket_socketpair, struct socket *socka, struct socket *sockb) -LSM_HOOK(int, 0, socket_bind, struct socket *sock, struct sockaddr *address, - int addrlen) -LSM_HOOK(int, 0, 
socket_connect, struct socket *sock, struct sockaddr *address, - int addrlen) -LSM_HOOK(int, 0, socket_listen, struct socket *sock, int backlog) -LSM_HOOK(int, 0, socket_accept, struct socket *sock, struct socket *newsock) -LSM_HOOK(int, 0, socket_sendmsg, struct socket *sock, struct msghdr *msg, - int size) -LSM_HOOK(int, 0, socket_recvmsg, struct socket *sock, struct msghdr *msg, - int size, int flags) -LSM_HOOK(int, 0, socket_getsockname, struct socket *sock) -LSM_HOOK(int, 0, socket_getpeername, struct socket *sock) -LSM_HOOK(int, 0, socket_getsockopt, struct socket *sock, int level, int optname) -LSM_HOOK(int, 0, socket_setsockopt, struct socket *sock, int level, int optname) -LSM_HOOK(int, 0, socket_shutdown, struct socket *sock, int how) -LSM_HOOK(int, 0, socket_sock_rcv_skb, struct sock *sk, struct sk_buff *skb) -LSM_HOOK(int, 0, socket_getpeersec_stream, struct socket *sock, - sockptr_t optval, sockptr_t optlen, unsigned int len) -LSM_HOOK(int, 0, socket_getpeersec_dgram, struct socket *sock, - struct sk_buff *skb, u32 *secid) -LSM_HOOK(int, 0, sk_alloc_security, struct sock *sk, int family, gfp_t priority) -LSM_HOOK(void, LSM_RET_VOID, sk_free_security, struct sock *sk) -LSM_HOOK(void, LSM_RET_VOID, sk_clone_security, const struct sock *sk, - struct sock *newsk) -LSM_HOOK(void, LSM_RET_VOID, sk_getsecid, const struct sock *sk, u32 *secid) -LSM_HOOK(void, LSM_RET_VOID, sock_graft, struct sock *sk, struct socket *parent) -LSM_HOOK(int, 0, inet_conn_request, const struct sock *sk, struct sk_buff *skb, - struct request_sock *req) -LSM_HOOK(void, LSM_RET_VOID, inet_csk_clone, struct sock *newsk, - const struct request_sock *req) -LSM_HOOK(void, LSM_RET_VOID, inet_conn_established, struct sock *sk, - struct sk_buff *skb) -LSM_HOOK(int, 0, secmark_relabel_packet, u32 secid) -LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_inc, void) -LSM_HOOK(void, LSM_RET_VOID, secmark_refcount_dec, void) -LSM_HOOK(void, LSM_RET_VOID, req_classify_flow, const struct request_sock 
*req, - struct flowi_common *flic) -LSM_HOOK(int, 0, tun_dev_alloc_security, void **security) -LSM_HOOK(void, LSM_RET_VOID, tun_dev_free_security, void *security) -LSM_HOOK(int, 0, tun_dev_create, void) -LSM_HOOK(int, 0, tun_dev_attach_queue, void *security) -LSM_HOOK(int, 0, tun_dev_attach, struct sock *sk, void *security) -LSM_HOOK(int, 0, tun_dev_open, void *security) -LSM_HOOK(int, 0, sctp_assoc_request, struct sctp_association *asoc, - struct sk_buff *skb) -LSM_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname, - struct sockaddr *address, int addrlen) -LSM_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc, - struct sock *sk, struct sock *newsk) -LSM_HOOK(int, 0, sctp_assoc_established, struct sctp_association *asoc, - struct sk_buff *skb) -LSM_HOOK(int, 0, mptcp_add_subflow, struct sock *sk, struct sock *ssk) +LSM_PLAIN_INT_HOOK(int, 0, unix_stream_connect, struct sock *sock, struct sock *other, + struct sock *newsk) +LSM_PLAIN_INT_HOOK(int, 0, unix_may_send, struct socket *sock, struct socket *other) +LSM_PLAIN_INT_HOOK(int, 0, socket_create, int family, int type, int protocol, int kern) +LSM_PLAIN_INT_HOOK(int, 0, socket_post_create, struct socket *sock, int family, int type, + int protocol, int kern) +LSM_PLAIN_INT_HOOK(int, 0, socket_socketpair, struct socket *socka, struct socket *sockb) +LSM_PLAIN_INT_HOOK(int, 0, socket_bind, struct socket *sock, struct sockaddr *address, + int addrlen) +LSM_PLAIN_INT_HOOK(int, 0, socket_connect, struct socket *sock, struct sockaddr *address, + int addrlen) +LSM_PLAIN_INT_HOOK(int, 0, socket_listen, struct socket *sock, int backlog) +LSM_PLAIN_INT_HOOK(int, 0, socket_accept, struct socket *sock, struct socket *newsock) +LSM_PLAIN_INT_HOOK(int, 0, socket_sendmsg, struct socket *sock, struct msghdr *msg, + int size) +LSM_PLAIN_INT_HOOK(int, 0, socket_recvmsg, struct socket *sock, struct msghdr *msg, + int size, int flags) +LSM_PLAIN_INT_HOOK(int, 0, socket_getsockname, struct socket *sock) 
+LSM_PLAIN_INT_HOOK(int, 0, socket_getpeername, struct socket *sock) +LSM_PLAIN_INT_HOOK(int, 0, socket_getsockopt, struct socket *sock, int level, int optname) +LSM_PLAIN_INT_HOOK(int, 0, socket_setsockopt, struct socket *sock, int level, int optname) +LSM_PLAIN_INT_HOOK(int, 0, socket_shutdown, struct socket *sock, int how) +LSM_SPECIAL_INT_HOOK(int, 0, socket_sock_rcv_skb, struct sock *sk, struct sk_buff *skb) +LSM_SPECIAL_INT_HOOK(int, 0, socket_getpeersec_stream, struct socket *sock, + sockptr_t optval, sockptr_t optlen, unsigned int len) +LSM_SPECIAL_INT_HOOK(int, 0, socket_getpeersec_dgram, struct socket *sock, + struct sk_buff *skb, u32 *secid) +LSM_SPECIAL_INT_HOOK(int, 0, sk_alloc_security, struct sock *sk, int family, gfp_t priority) +LSM_SPECIAL_VOID_HOOK(void, LSM_RET_VOID, sk_free_security, struct sock *sk) +LSM_SPECIAL_VOID_HOOK(void, LSM_RET_VOID, sk_clone_security, const struct sock *sk, + struct sock *newsk) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sk_getsecid, const struct sock *sk, u32 *secid) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sock_graft, struct sock *sk, struct socket *parent) +LSM_PLAIN_INT_HOOK(int, 0, inet_conn_request, const struct sock *sk, struct sk_buff *skb, + struct request_sock *req) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, inet_csk_clone, struct sock *newsk, + const struct request_sock *req) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, inet_conn_established, struct sock *sk, + struct sk_buff *skb) +LSM_PLAIN_INT_HOOK(int, 0, secmark_relabel_packet, u32 secid) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, secmark_refcount_inc, void) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, secmark_refcount_dec, void) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, req_classify_flow, const struct request_sock *req, + struct flowi_common *flic) +LSM_PLAIN_INT_HOOK(int, 0, tun_dev_alloc_security, void **security) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, tun_dev_free_security, void *security) +LSM_PLAIN_INT_HOOK(int, 0, tun_dev_create, void) 
+LSM_PLAIN_INT_HOOK(int, 0, tun_dev_attach_queue, void *security) +LSM_PLAIN_INT_HOOK(int, 0, tun_dev_attach, struct sock *sk, void *security) +LSM_PLAIN_INT_HOOK(int, 0, tun_dev_open, void *security) +LSM_PLAIN_INT_HOOK(int, 0, sctp_assoc_request, struct sctp_association *asoc, + struct sk_buff *skb) +LSM_PLAIN_INT_HOOK(int, 0, sctp_bind_connect, struct sock *sk, int optname, + struct sockaddr *address, int addrlen) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, sctp_sk_clone, struct sctp_association *asoc, + struct sock *sk, struct sock *newsk) +LSM_PLAIN_INT_HOOK(int, 0, sctp_assoc_established, struct sctp_association *asoc, + struct sk_buff *skb) +LSM_PLAIN_INT_HOOK(int, 0, mptcp_add_subflow, struct sock *sk, struct sock *ssk) #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_INFINIBAND -LSM_HOOK(int, 0, ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey) -LSM_HOOK(int, 0, ib_endport_manage_subnet, void *sec, const char *dev_name, - u8 port_num) -LSM_HOOK(int, 0, ib_alloc_security, void **sec) -LSM_HOOK(void, LSM_RET_VOID, ib_free_security, void *sec) +LSM_PLAIN_INT_HOOK(int, 0, ib_pkey_access, void *sec, u64 subnet_prefix, u16 pkey) +LSM_PLAIN_INT_HOOK(int, 0, ib_endport_manage_subnet, void *sec, const char *dev_name, + u8 port_num) +LSM_PLAIN_INT_HOOK(int, 0, ib_alloc_security, void **sec) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, ib_free_security, void *sec) #endif /* CONFIG_SECURITY_INFINIBAND */ #ifdef CONFIG_SECURITY_NETWORK_XFRM -LSM_HOOK(int, 0, xfrm_policy_alloc_security, struct xfrm_sec_ctx **ctxp, - struct xfrm_user_sec_ctx *sec_ctx, gfp_t gfp) -LSM_HOOK(int, 0, xfrm_policy_clone_security, struct xfrm_sec_ctx *old_ctx, - struct xfrm_sec_ctx **new_ctx) -LSM_HOOK(void, LSM_RET_VOID, xfrm_policy_free_security, - struct xfrm_sec_ctx *ctx) -LSM_HOOK(int, 0, xfrm_policy_delete_security, struct xfrm_sec_ctx *ctx) -LSM_HOOK(int, 0, xfrm_state_alloc, struct xfrm_state *x, - struct xfrm_user_sec_ctx *sec_ctx) -LSM_HOOK(int, 0, xfrm_state_alloc_acquire, 
struct xfrm_state *x, - struct xfrm_sec_ctx *polsec, u32 secid) -LSM_HOOK(void, LSM_RET_VOID, xfrm_state_free_security, struct xfrm_state *x) -LSM_HOOK(int, 0, xfrm_state_delete_security, struct xfrm_state *x) -LSM_HOOK(int, 0, xfrm_policy_lookup, struct xfrm_sec_ctx *ctx, u32 fl_secid) -LSM_HOOK(int, 1, xfrm_state_pol_flow_match, struct xfrm_state *x, - struct xfrm_policy *xp, const struct flowi_common *flic) -LSM_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid, - int ckall) +LSM_PLAIN_INT_HOOK(int, 0, xfrm_policy_alloc_security, struct xfrm_sec_ctx **ctxp, + struct xfrm_user_sec_ctx *sec_ctx, gfp_t gfp) +LSM_PLAIN_INT_HOOK(int, 0, xfrm_policy_clone_security, struct xfrm_sec_ctx *old_ctx, + struct xfrm_sec_ctx **new_ctx) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, xfrm_policy_free_security, + struct xfrm_sec_ctx *ctx) +LSM_PLAIN_INT_HOOK(int, 0, xfrm_policy_delete_security, struct xfrm_sec_ctx *ctx) +LSM_PLAIN_INT_HOOK(int, 0, xfrm_state_alloc, struct xfrm_state *x, + struct xfrm_user_sec_ctx *sec_ctx) +LSM_PLAIN_INT_HOOK(int, 0, xfrm_state_alloc_acquire, struct xfrm_state *x, + struct xfrm_sec_ctx *polsec, u32 secid) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, xfrm_state_free_security, struct xfrm_state *x) +LSM_PLAIN_INT_HOOK(int, 0, xfrm_state_delete_security, struct xfrm_state *x) +LSM_PLAIN_INT_HOOK(int, 0, xfrm_policy_lookup, struct xfrm_sec_ctx *ctx, u32 fl_secid) +LSM_SPECIAL_INT_HOOK(int, 1, xfrm_state_pol_flow_match, struct xfrm_state *x, + struct xfrm_policy *xp, const struct flowi_common *flic) +LSM_PLAIN_INT_HOOK(int, 0, xfrm_decode_session, struct sk_buff *skb, u32 *secid, + int ckall) #endif /* CONFIG_SECURITY_NETWORK_XFRM */ /* key management security hooks */ #ifdef CONFIG_KEYS -LSM_HOOK(int, 0, key_alloc, struct key *key, const struct cred *cred, - unsigned long flags) -LSM_HOOK(void, LSM_RET_VOID, key_free, struct key *key) -LSM_HOOK(int, 0, key_permission, key_ref_t key_ref, const struct cred *cred, - enum key_need_perm need_perm) 
-LSM_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) +LSM_PLAIN_INT_HOOK(int, 0, key_alloc, struct key *key, const struct cred *cred, + unsigned long flags) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, key_free, struct key *key) +LSM_PLAIN_INT_HOOK(int, 0, key_permission, key_ref_t key_ref, const struct cred *cred, + enum key_need_perm need_perm) +LSM_CUSTOM_INT_HOOK(int, 0, key_getsecurity, struct key *key, char **buffer) #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT -LSM_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, - void **lsmrule) -LSM_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) -LSM_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) -LSM_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) +LSM_PLAIN_INT_HOOK(int, 0, audit_rule_init, u32 field, u32 op, char *rulestr, + void **lsmrule) +LSM_PLAIN_INT_HOOK(int, 0, audit_rule_known, struct audit_krule *krule) +LSM_PLAIN_INT_HOOK(int, 0, audit_rule_match, u32 secid, u32 field, u32 op, void *lsmrule) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, audit_rule_free, void *lsmrule) #endif /* CONFIG_AUDIT */ #ifdef CONFIG_BPF_SYSCALL -LSM_HOOK(int, 0, bpf, int cmd, union bpf_attr *attr, unsigned int size) -LSM_HOOK(int, 0, bpf_map, struct bpf_map *map, fmode_t fmode) -LSM_HOOK(int, 0, bpf_prog, struct bpf_prog *prog) -LSM_HOOK(int, 0, bpf_map_alloc_security, struct bpf_map *map) -LSM_HOOK(void, LSM_RET_VOID, bpf_map_free_security, struct bpf_map *map) -LSM_HOOK(int, 0, bpf_prog_alloc_security, struct bpf_prog_aux *aux) -LSM_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux) +LSM_PLAIN_INT_HOOK(int, 0, bpf, int cmd, union bpf_attr *attr, unsigned int size) +LSM_PLAIN_INT_HOOK(int, 0, bpf_map, struct bpf_map *map, fmode_t fmode) +LSM_PLAIN_INT_HOOK(int, 0, bpf_prog, struct bpf_prog *prog) +LSM_PLAIN_INT_HOOK(int, 0, bpf_map_alloc_security, struct bpf_map *map) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, bpf_map_free_security, struct 
bpf_map *map) +LSM_PLAIN_INT_HOOK(int, 0, bpf_prog_alloc_security, struct bpf_prog_aux *aux) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, bpf_prog_free_security, struct bpf_prog_aux *aux) #endif /* CONFIG_BPF_SYSCALL */ -LSM_HOOK(int, 0, locked_down, enum lockdown_reason what) +LSM_PLAIN_INT_HOOK(int, 0, locked_down, enum lockdown_reason what) #ifdef CONFIG_PERF_EVENTS -LSM_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type) -LSM_HOOK(int, 0, perf_event_alloc, struct perf_event *event) -LSM_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event) -LSM_HOOK(int, 0, perf_event_read, struct perf_event *event) -LSM_HOOK(int, 0, perf_event_write, struct perf_event *event) +LSM_PLAIN_INT_HOOK(int, 0, perf_event_open, struct perf_event_attr *attr, int type) +LSM_PLAIN_INT_HOOK(int, 0, perf_event_alloc, struct perf_event *event) +LSM_PLAIN_VOID_HOOK(void, LSM_RET_VOID, perf_event_free, struct perf_event *event) +LSM_PLAIN_INT_HOOK(int, 0, perf_event_read, struct perf_event *event) +LSM_PLAIN_INT_HOOK(int, 0, perf_event_write, struct perf_event *event) #endif /* CONFIG_PERF_EVENTS */ #ifdef CONFIG_IO_URING -LSM_HOOK(int, 0, uring_override_creds, const struct cred *new) -LSM_HOOK(int, 0, uring_sqpoll, void) -LSM_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) +LSM_PLAIN_INT_HOOK(int, 0, uring_override_creds, const struct cred *new) +LSM_PLAIN_INT_HOOK(int, 0, uring_sqpoll, void) +LSM_PLAIN_INT_HOOK(int, 0, uring_cmd, struct io_uring_cmd *ioucmd) #endif /* CONFIG_IO_URING */ +#undef LSM_SPECIAL_INT_HOOK +#undef LSM_CUSTOM_INT_HOOK +#undef LSM_PLAIN_INT_HOOK +#undef LSM_SPECIAL_VOID_HOOK +#undef LSM_CUSTOM_VOID_HOOK +#undef LSM_PLAIN_VOID_HOOK #undef LSM_HOOK From patchwork Mon Nov 20 13:30:30 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Tetsuo Handa X-Patchwork-Id: 13461317 Authentication-Results: smtp.subspace.kernel.org; dkim=none Received: from www262.sakura.ne.jp 
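Review bot: the three-way classification applied throughout this lsm_hook_defs.h conversion (LSM_PLAIN_INT_HOOK for almost every hook, LSM_SPECIAL_INT_HOOK for xfrm_state_pol_flow_match, LSM_CUSTOM_INT_HOOK for key_getsecurity) is never explained in the hunk, so a reader cannot tell from the definition why one hook is "special" and another "custom"; please add a comment next to the new #undef block (or at the head of the file) that states the rule, e.g. PLAIN = generated wrapper that returns the first non-default result, CUSTOM = hand-written security_*() wrapper with only the default constant generated, SPECIAL = default constant only. The trailing block that #undef's all six helper macros also means every includer of lsm_hook_defs.h must now define all six before including it (security.c and mod_lsm.c in this series do), so an includer that only needs LSM_HOOK, such as include/linux/bpf_lsm.h, needs a fallback of the form `#ifndef LSM_PLAIN_INT_HOOK` / `#define LSM_PLAIN_INT_HOOK LSM_HOOK` unless the head of the file, outside this hunk, already provides one.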
(www262.sakura.ne.jp [202.181.97.72]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 182DE114 for ; Mon, 20 Nov 2023 05:30:36 -0800 (PST) Received: from fsav414.sakura.ne.jp (fsav414.sakura.ne.jp [133.242.250.113]) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 3AKDUZJ5046314; Mon, 20 Nov 2023 22:30:35 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Received: from www262.sakura.ne.jp (202.181.97.72) by fsav414.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav414.sakura.ne.jp); Mon, 20 Nov 2023 22:30:35 +0900 (JST) X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav414.sakura.ne.jp) Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33]) (authenticated bits=0) by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 3AKDRaAN045731 (version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO); Mon, 20 Nov 2023 22:30:35 +0900 (JST) (envelope-from penguin-kernel@I-love.SAKURA.ne.jp) Message-ID: <34be5cd8-1fdd-4323-82a3-40f2e7d35db3@I-love.SAKURA.ne.jp> Date: Mon, 20 Nov 2023 22:30:30 +0900 Precedence: bulk X-Mailing-List: bpf@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: [PATCH 4/4] LSM: Add a LSM module which handles dynamically appendable LSM hooks. Content-Language: en-US From: Tetsuo Handa To: linux-security-module , bpf , KP Singh Cc: Paul Moore , Kees Cook , Casey Schaufler , song@kernel.org, Daniel Borkmann , Alexei Starovoitov , renauld@google.com, Paolo Abeni References: <93b5e861-c1ec-417c-b21e-56d0c4a3ae79@I-love.SAKURA.ne.jp> In-Reply-To: <93b5e861-c1ec-417c-b21e-56d0c4a3ae79@I-love.SAKURA.ne.jp> TOMOYO security module will use this functionality. Signed-off-by: Tetsuo Handa --- include/linux/lsm_hooks.h | 9 + security/Makefile | 2 +- security/mod_lsm.c | 321 ++++++++++++++++ security/security.c | 752 ++------------------------------------ 4 files changed, 359 insertions(+), 725 deletions(-) create mode 100644 security/mod_lsm.c 
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 4ba1aedc7901..2166ff6541aa 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -137,4 +137,13 @@ extern struct lsm_info __start_early_lsm_info[], __end_early_lsm_info[]; extern int lsm_inode_alloc(struct inode *inode); +/* Definition of all modular callbacks. */ +struct security_hook_mappings { +#define LSM_HOOK(RET, DEFAULT, NAME, ...) \ + RET (*NAME)(__VA_ARGS__); +#include +} /* __randomize_layout is useless here, for this is a "const __initdata" struct. */; + +extern int mod_lsm_add_hooks(const struct security_hook_mappings *maps); + #endif /* ! __LINUX_LSM_HOOKS_H */ diff --git a/security/Makefile b/security/Makefile index 18121f8f85cd..a611350e9da4 100644 --- a/security/Makefile +++ b/security/Makefile @@ -10,7 +10,7 @@ obj-y += commoncap.o obj-$(CONFIG_MMU) += min_addr.o # Object file lists -obj-$(CONFIG_SECURITY) += security.o +obj-$(CONFIG_SECURITY) += security.o mod_lsm.o obj-$(CONFIG_SECURITYFS) += inode.o obj-$(CONFIG_SECURITY_SELINUX) += selinux/ obj-$(CONFIG_SECURITY_SMACK) += smack/ diff --git a/security/mod_lsm.c b/security/mod_lsm.c new file mode 100644 index 000000000000..074a73326fc7 --- /dev/null +++ b/security/mod_lsm.c 
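Review bot: the new struct security_hook_mappings in include/linux/lsm_hooks.h is documented only by the trailing `} /* __randomize_layout is useless here, for this is a "const __initdata" struct. */;` comment, which records an expectation about callers rather than the contract; move it above the struct and state the contract that matters to callers, namely that mod_lsm_add_hooks() copies the function pointers out of @maps and does not retain the pointer, which is what makes a `const __initdata` table legal in the first place. The Makefile hunk links mod_lsm.o unconditionally under CONFIG_SECURITY and the diffstat shows no Kconfig change, so there is no way to build a kernel without this registration path even though mod_lsm_add_hooks() is exported to any GPL module; a CONFIG_SECURITY_MOD_LSM (or similar) option tied to the same `mod_lsm_enabled` knob would let distributions opt out at build time rather than only at boot.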
@@ -0,0 +1,321 @@ +// SPDX-License-Identifier: GPL-2.0-or-later +#include + +extern int mod_lsm_add_hooks(const struct security_hook_mappings *maps); + +/* List of registered modular callbacks. */ +static struct { +#define LSM_HOOK(RET, DEFAULT, NAME, ...) struct hlist_head NAME; +#include +} mod_lsm_dynamic_hooks; + +#define LSM_RET_DEFAULT(NAME) (NAME##_default) +#define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME) +#define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \ + static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT); + +#define call_void_hook(FUNC, ...) \ + do { \ + struct security_hook_list *P; \ + \ + hlist_for_each_entry(P, &mod_lsm_dynamic_hooks.FUNC, list) \ + P->hook.FUNC(__VA_ARGS__); \ + } while (0) + +#define call_int_hook(FUNC, IRC, ...) ({ \ + int RC = IRC; \ + do { \ + struct security_hook_list *P; \ + \ + hlist_for_each_entry(P, &mod_lsm_dynamic_hooks.FUNC, list) { \ + RC = P->hook.FUNC(__VA_ARGS__); \ + if (RC != 0) \ + break; \ + } \ + } while (0); \ + RC; \ +}) + +#include +#define LSM_PLAIN_INT_HOOK(RET, DEFAULT, NAME, ...) \ + static int mod_lsm_##NAME(__VA_ARGS__) \ + { \ + struct security_hook_list *P; \ + \ + hlist_for_each_entry(P, &mod_lsm_dynamic_hooks.NAME, list) { \ + int RC = P->hook.NAME(LSM_CALL_ARGS_##NAME); \ + \ + if (RC != DEFAULT) \ + return RC; \ + } \ + return DEFAULT; \ + } +#define LSM_CUSTOM_INT_HOOK LSM_PLAIN_INT_HOOK +#define LSM_SPECIAL_INT_HOOK(RET, DEFAULT, NAME, ...) DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) +#define LSM_PLAIN_VOID_HOOK(RET, DEFAULT, NAME, ...) \ + static void mod_lsm_##NAME(__VA_ARGS__) \ + { \ + struct security_hook_list *P; \ + \ + hlist_for_each_entry(P, &mod_lsm_dynamic_hooks.NAME, list) \ + P->hook.NAME(LSM_CALL_ARGS_##NAME); \ + } +#define LSM_CUSTOM_VOID_HOOK(RET, DEFAULT, NAME, ...) +#define LSM_SPECIAL_VOID_HOOK(RET, DEFAULT, NAME, ...) 
DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME) +#include + +static int mod_lsm_settime(const struct timespec64 *ts, const struct timezone *tz) +{ + return call_int_hook(settime, 0, ts, tz); +} + +static int mod_lsm_vm_enough_memory(struct mm_struct *mm, long pages) +{ + struct security_hook_list *hp; + int cap_sys_admin = 1; + int rc; + + hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.vm_enough_memory, list) { + rc = hp->hook.vm_enough_memory(mm, pages); + if (rc <= 0) { + cap_sys_admin = 0; + break; + } + } + return cap_sys_admin; +} + +static int mod_lsm_fs_context_parse_param(struct fs_context *fc, struct fs_parameter *param) +{ + struct security_hook_list *hp; + int trc; + int rc = -ENOPARAM; + + hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.fs_context_parse_param, list) { + trc = hp->hook.fs_context_parse_param(fc, param); + if (trc == 0) + rc = 0; + else if (trc != -ENOPARAM) + return trc; + } + return rc; +} + +static int mod_lsm_inode_init_security(struct inode *inode, struct inode *dir, + const struct qstr *qstr, struct xattr *xattrs, + int *xattr_count) +{ + struct security_hook_list *hp; + int ret = -EOPNOTSUPP; + + hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.inode_init_security, list) { + ret = hp->hook.inode_init_security(inode, dir, qstr, xattrs, xattr_count); + if (ret && ret != -EOPNOTSUPP) + return ret; + } + return ret; +} + +static void mod_lsm_inode_post_setxattr(struct dentry *dentry, const char *name, const void *value, + size_t size, int flags) +{ + call_void_hook(inode_post_setxattr, dentry, name, value, size, flags); +} + +static void mod_lsm_task_free(struct task_struct *task) +{ + call_void_hook(task_free, task); +} + +static void mod_lsm_cred_free(struct cred *cred) +{ + call_void_hook(cred_free, cred); +} + +static void mod_lsm_cred_transfer(struct cred *new, const struct cred *old) +{ + call_void_hook(cred_transfer, new, old); +} + +static void mod_lsm_cred_getsecid(const struct cred *c, u32 *secid) +{ + 
call_void_hook(cred_getsecid, c, secid); +} + +static void mod_lsm_current_getsecid_subj(u32 *secid) +{ + call_void_hook(current_getsecid_subj, secid); +} + +static void mod_lsm_task_getsecid_obj(struct task_struct *p, u32 *secid) +{ + call_void_hook(task_getsecid_obj, p, secid); +} + +static int mod_lsm_task_prctl(int option, unsigned long arg2, unsigned long arg3, + unsigned long arg4, unsigned long arg5) +{ + int thisrc; + int rc = LSM_RET_DEFAULT(task_prctl); + struct security_hook_list *hp; + + hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.task_prctl, list) { + thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5); + if (thisrc != LSM_RET_DEFAULT(task_prctl)) { + rc = thisrc; + if (thisrc != 0) + break; + } + } + return rc; +} + +static int mod_lsm_userns_create(const struct cred *cred) +{ + return call_int_hook(userns_create, 0, cred); +} + +static void mod_lsm_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) +{ + call_void_hook(ipc_getsecid, ipcp, secid); +} + + +static void mod_lsm_d_instantiate(struct dentry *dentry, struct inode *inode) +{ + call_void_hook(d_instantiate, dentry, inode); +} + +static int mod_lsm_getprocattr(struct task_struct *p, const char *name, char **value) +{ + /* Can't work because "lsm" argument is not available. */ + return LSM_RET_DEFAULT(getprocattr); +} + +static int mod_lsm_setprocattr(const char *name, void *value, size_t size) +{ + /* Can't work because "lsm" argument is not available. 
*/ + return LSM_RET_DEFAULT(setprocattr); +} + +static void mod_lsm_release_secctx(char *secdata, u32 seclen) +{ + call_void_hook(release_secctx, secdata, seclen); +} + +static void mod_lsm_inode_invalidate_secctx(struct inode *inode) +{ + call_void_hook(inode_invalidate_secctx, inode); +} + +static int mod_lsm_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen) +{ + return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen); +} + +#ifdef CONFIG_SECURITY_NETWORK +static int mod_lsm_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) +{ + return call_int_hook(socket_sock_rcv_skb, 0, sk, skb); +} + +static int mod_lsm_socket_getpeersec_stream(struct socket *sock, sockptr_t optval, + sockptr_t optlen, unsigned int len) +{ + return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock, optval, optlen, len); +} + +static int mod_lsm_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +{ + return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock, skb, secid); +} + +static int mod_lsm_sk_alloc_security(struct sock *sk, int family, gfp_t priority) +{ + return call_int_hook(sk_alloc_security, 0, sk, family, priority); +} + +static void mod_lsm_sk_free_security(struct sock *sk) +{ + call_void_hook(sk_free_security, sk); +} + +static void mod_lsm_sk_clone_security(const struct sock *sk, struct sock *newsk) +{ + call_void_hook(sk_clone_security, sk, newsk); +} +#endif + +#ifdef CONFIG_SECURITY_NETWORK_XFRM +static int mod_lsm_xfrm_state_pol_flow_match(struct xfrm_state *x, struct xfrm_policy *xp, + const struct flowi_common *flic) +{ + struct security_hook_list *hp; + int rc = LSM_RET_DEFAULT(xfrm_state_pol_flow_match); + + hlist_for_each_entry(hp, &mod_lsm_dynamic_hooks.xfrm_state_pol_flow_match, list) { + rc = hp->hook.xfrm_state_pol_flow_match(x, xp, flic); + break; + } + return rc; +} +#endif + +/* Initialize all built-in callbacks here. */ +#define LSM_HOOK(RET, DEFAULT, NAME, ...) 
LSM_HOOK_INIT(NAME, mod_lsm_##NAME), +static struct security_hook_list mod_lsm_builtin_hooks[] __ro_after_init = { +#include +}; + +static int mod_lsm_enabled __ro_after_init = 1; +static struct lsm_blob_sizes mod_lsm_blob_sizes __ro_after_init = { }; + +static int __init mod_lsm_init(void) +{ + /* Initialize modular callbacks list. */ +#define LSM_HOOK(RET, DEFAULT, NAME, ...) INIT_HLIST_HEAD(&mod_lsm_dynamic_hooks.NAME); +#include + /* Register built-in callbacks. */ + security_add_hooks(mod_lsm_builtin_hooks, ARRAY_SIZE(mod_lsm_builtin_hooks), "mod_lsm"); + return 0; +} + +DEFINE_LSM(mod_lsm) = { + .name = "mod_lsm", + .enabled = &mod_lsm_enabled, + .flags = 0, + .blobs = &mod_lsm_blob_sizes, + .init = mod_lsm_init, +}; + +/* The only exported function for registering modular callbacks. */ +int mod_lsm_add_hooks(const struct security_hook_mappings *maps) +{ + struct security_hook_list *entry; + int count = 0; + + if (!mod_lsm_enabled) { + pr_info_once("Loadable LSM support is not enabled.\n"); + return -EOPNOTSUPP; + } + + /* Count how meny callbacks are implemented. */ +#define LSM_HOOK(RET, DEFAULT, NAME, ...) do { if (maps->NAME) count++; } while (0); +#include + if (!count) + return -EINVAL; + /* Allocate memory for registering implemented callbacks. */ + entry = kmalloc_array(count, sizeof(struct security_hook_list), GFP_KERNEL); + if (!entry) + return -ENOMEM; + /* Registering imdividual callbacks. */ + count = 0; +#define LSM_HOOK(RET, DEFAULT, NAME, ...) do { if (maps->NAME) { \ + entry[count].hook.NAME = maps->NAME; \ + hlist_add_tail_rcu(&entry[count].list, &mod_lsm_dynamic_hooks.NAME); \ + count++; \ + } } while (0); +#include + return 0; +} +EXPORT_SYMBOL_GPL(mod_lsm_add_hooks); diff --git a/security/security.c b/security/security.c index d35d50b218c6..b455bfa62afc 100644 --- a/security/security.c +++ b/security/security.c 
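Review bot: mod_lsm_add_hooks() at the end of security/mod_lsm.c appends to the per-hook lists with hlist_add_tail_rcu() but takes no lock, so two modules registering concurrently race on the same list head; hold a mutex around the counting and insertion loops (the function is EXPORT_SYMBOL_GPL, so callers are arbitrary modules loaded at any time). The readers in call_int_hook()/call_void_hook() and the generated mod_lsm_##NAME wrappers walk the lists with plain hlist_for_each_entry() rather than the _rcu variant, which is only safe because entries are never removed; state that invariant in a comment next to mod_lsm_dynamic_hooks, and say there that the kmalloc_array() in mod_lsm_add_hooks() is intentionally never freed for the same reason. mod_lsm_xfrm_state_pol_flow_match() consults only the first registered callback (`rc = hp->hook.xfrm_state_pol_flow_match(x, xp, flic); break;`), so with several registered modules the result silently depends on registration order; either document that a single provider is expected or warn when a second one registers for that hook. Also fix the comment typos `how meny` and `imdividual`, and drop the `extern int mod_lsm_add_hooks(...)` redeclaration at the top of the file, which duplicates the declaration this same patch adds to include/linux/lsm_hooks.h.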
@@ -746,9 +746,6 @@ static int lsm_superblock_alloc(struct super_block *sb) #define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME) #define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \ static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT); -#define LSM_HOOK(RET, DEFAULT, NAME, ...) \ - DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME) -#include /* * Hook list operation macros. @@ -782,6 +779,34 @@ static int lsm_superblock_alloc(struct super_block *sb) RC; \ }) +#include +#define LSM_PLAIN_INT_HOOK(RET, DEFAULT, NAME, ...) \ + int security_##NAME(__VA_ARGS__) \ + { \ + struct security_hook_list *P; \ + \ + hlist_for_each_entry(P, &security_hook_heads.NAME, list) { \ + int RC = P->hook.NAME(LSM_CALL_ARGS_##NAME); \ + \ + if (RC != DEFAULT) \ + return RC; \ + } \ + return DEFAULT; \ + } +#define LSM_CUSTOM_INT_HOOK(RET, DEFAULT, NAME, ...) DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) +#define LSM_SPECIAL_INT_HOOK(RET, DEFAULT, NAME, ...) DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) +#define LSM_PLAIN_VOID_HOOK(RET, DEFAULT, NAME, ...) \ + void security_##NAME(__VA_ARGS__) \ + { \ + struct security_hook_list *P; \ + \ + hlist_for_each_entry(P, &security_hook_heads.NAME, list) \ + P->hook.NAME(LSM_CALL_ARGS_##NAME); \ + } +#define LSM_CUSTOM_VOID_HOOK(RET, DEFAULT, NAME, ...) +#define LSM_SPECIAL_VOID_HOOK(RET, DEFAULT, NAME, ...) +#include + /* Security operations */ /** @@ -792,10 +817,6 @@ static int lsm_superblock_alloc(struct super_block *sb) * * Return: Return 0 if permission is granted. */ -int security_binder_set_context_mgr(const struct cred *mgr) -{ - return call_int_hook(binder_set_context_mgr, 0, mgr); -} /** * security_binder_transaction() - Check if a binder transaction is allowed 
@@ -806,11 +827,6 @@ int security_binder_set_context_mgr(const struct cred *mgr) * * Return: Returns 0 if permission is granted. */ -int security_binder_transaction(const struct cred *from, - const struct cred *to) -{ - return call_int_hook(binder_transaction, 0, from, to); -} /** * security_binder_transfer_binder() - Check if a binder transfer is allowed @@ -821,11 +837,6 @@ int security_binder_transaction(const struct cred *from, * * Return: Returns 0 if permission is granted. */ -int security_binder_transfer_binder(const struct cred *from, - const struct cred *to) -{ - return call_int_hook(binder_transfer_binder, 0, from, to); -} /** * security_binder_transfer_file() - Check if a binder file xfer is allowed @@ -837,11 +848,6 @@ int security_binder_transfer_binder(const struct cred *from, * * Return: Returns 0 if permission is granted. */ -int security_binder_transfer_file(const struct cred *from, - const struct cred *to, const struct file *file) -{ - return call_int_hook(binder_transfer_file, 0, from, to, file); -} /** * security_ptrace_access_check() - Check if tracing is allowed @@ -857,10 +863,6 @@ int security_binder_transfer_file(const struct cred *from, * * Return: Returns 0 if permission is granted. */ -int security_ptrace_access_check(struct task_struct *child, unsigned int mode) -{ - return call_int_hook(ptrace_access_check, 0, child, mode); -} /** * security_ptrace_traceme() - Check if tracing is allowed @@ -872,10 +874,6 @@ int security_ptrace_access_check(struct task_struct *child, unsigned int mode) * * Return: Returns 0 if permission is granted. */ -int security_ptrace_traceme(struct task_struct *parent) -{ - return call_int_hook(ptrace_traceme, 0, parent); -} /** * security_capget() - Get the capability sets for a process 
@@ -891,14 +889,6 @@ int security_ptrace_traceme(struct task_struct *parent) * * Return: Returns 0 if the capability sets were successfully obtained. */ -int security_capget(const struct task_struct *target, - kernel_cap_t *effective, - kernel_cap_t *inheritable, - kernel_cap_t *permitted) -{ - return call_int_hook(capget, 0, target, - effective, inheritable, permitted); -} /** * security_capset() - Set the capability sets for a process @@ -913,14 +903,6 @@ int security_capget(const struct task_struct *target, * * Return: Returns 0 and update @new if permission is granted. */ -int security_capset(struct cred *new, const struct cred *old, - const kernel_cap_t *effective, - const kernel_cap_t *inheritable, - const kernel_cap_t *permitted) -{ - return call_int_hook(capset, 0, new, old, - effective, inheritable, permitted); -} /** * security_capable() - Check if a process has the necessary capability @@ -935,13 +917,6 @@ int security_capset(struct cred *new, const struct cred *old, * * Return: Returns 0 if the capability is granted. */ -int security_capable(const struct cred *cred, - struct user_namespace *ns, - int cap, - unsigned int opts) -{ - return call_int_hook(capable, 0, cred, ns, cap, opts); -} /** * security_quotactl() - Check if a quotactl() syscall is allowed for this fs @@ -954,10 +929,6 @@ int security_capable(const struct cred *cred, * * Return: Returns 0 if permission is granted. */ -int security_quotactl(int cmds, int type, int id, const struct super_block *sb) -{ - return call_int_hook(quotactl, 0, cmds, type, id, sb); -} /** * security_quota_on() - Check if QUOTAON is allowed for a dentry @@ -967,10 +938,6 @@ int security_quotactl(int cmds, int type, int id, const struct super_block *sb) * * Return: Returns 0 if permission is granted. */ -int security_quota_on(struct dentry *dentry) -{ - return call_int_hook(quota_on, 0, dentry); -} /** * security_syslog() - Check if accessing the kernel message ring is allowed 
@@ -982,10 +949,6 @@ int security_quota_on(struct dentry *dentry) * * Return: Return 0 if permission is granted. */ -int security_syslog(int type) -{ - return call_int_hook(syslog, 0, type); -} /** * security_settime64() - Check if changing the system time is allowed @@ -1052,10 +1015,6 @@ int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) * * Return: Returns 0 if the hook is successful and permission is granted. */ -int security_bprm_creds_for_exec(struct linux_binprm *bprm) -{ - return call_int_hook(bprm_creds_for_exec, 0, bprm); -} /** * security_bprm_creds_from_file() - Update linux_binprm creds based on file @@ -1076,10 +1035,6 @@ int security_bprm_creds_for_exec(struct linux_binprm *bprm) * * Return: Returns 0 if the hook is successful and permission is granted. */ -int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file) -{ - return call_int_hook(bprm_creds_from_file, 0, bprm, file); -} /** * security_bprm_check() - Mediate binary handler search @@ -1115,10 +1070,6 @@ int security_bprm_check(struct linux_binprm *bprm) * open file descriptors to which access will no longer be granted when the * attributes are changed. This is called immediately before commit_creds(). */ -void security_bprm_committing_creds(const struct linux_binprm *bprm) -{ - call_void_hook(bprm_committing_creds, bprm); -} /** * security_bprm_committed_creds() - Tidy up after cred install during exec() @@ -1131,10 +1082,6 @@ void security_bprm_committing_creds(const struct linux_binprm *bprm) * process such as clearing out non-inheritable signal state. This is called * immediately after commit_creds(). */ -void security_bprm_committed_creds(const struct linux_binprm *bprm) -{ - call_void_hook(bprm_committed_creds, bprm); -} /** * security_fs_context_submount() - Initialise fc->security 
@@ -1145,10 +1092,6 @@ void security_bprm_committed_creds(const struct linux_binprm *bprm) * * Return: Returns 0 on success or negative error code on failure. */ -int security_fs_context_submount(struct fs_context *fc, struct super_block *reference) -{ - return call_int_hook(fs_context_submount, 0, fc, reference); -} /** * security_fs_context_dup() - Duplicate a fs_context LSM blob @@ -1161,10 +1104,6 @@ int security_fs_context_submount(struct fs_context *fc, struct super_block *refe * * Return: Returns 0 on success or a negative error code on failure. */ -int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) -{ - return call_int_hook(fs_context_dup, 0, fc, src_fc); -} /** * security_fs_context_parse_param() - Configure a filesystem context @@ -1225,10 +1164,6 @@ int security_sb_alloc(struct super_block *sb) * Release objects tied to a superblock (e.g. inodes). @sb contains the * super_block structure being released. */ -void security_sb_delete(struct super_block *sb) -{ - call_void_hook(sb_delete, sb); -} /** * security_sb_free() - Free a super_block LSM blob @@ -1268,10 +1203,6 @@ EXPORT_SYMBOL(security_free_mnt_opts); * * Return: Returns 0 on success, negative values on failure. */ -int security_sb_eat_lsm_opts(char *options, void **mnt_opts) -{ - return call_int_hook(sb_eat_lsm_opts, 0, options, mnt_opts); -} EXPORT_SYMBOL(security_sb_eat_lsm_opts); /** @@ -1284,11 +1215,6 @@ EXPORT_SYMBOL(security_sb_eat_lsm_opts); * * Return: Returns 0 if options are compatible. */ -int security_sb_mnt_opts_compat(struct super_block *sb, - void *mnt_opts) -{ - return call_int_hook(sb_mnt_opts_compat, 0, sb, mnt_opts); -} EXPORT_SYMBOL(security_sb_mnt_opts_compat); /** @@ -1301,11 +1227,6 @@ EXPORT_SYMBOL(security_sb_mnt_opts_compat); * * Return: Returns 0 if permission is granted. */ -int security_sb_remount(struct super_block *sb, - void *mnt_opts) -{ - return call_int_hook(sb_remount, 0, sb, mnt_opts); -} EXPORT_SYMBOL(security_sb_remount); /** 
@@ -1316,10 +1237,6 @@ EXPORT_SYMBOL(security_sb_remount); * * Return: Returns 0 if permission is granted. */ -int security_sb_kern_mount(const struct super_block *sb) -{ - return call_int_hook(sb_kern_mount, 0, sb); -} /** * security_sb_show_options() - Output the mount options for a superblock @@ -1330,10 +1247,6 @@ int security_sb_kern_mount(const struct super_block *sb) * * Return: Returns 0 on success, negative values on failure. */ -int security_sb_show_options(struct seq_file *m, struct super_block *sb) -{ - return call_int_hook(sb_show_options, 0, m, sb); -} /** * security_sb_statfs() - Check if accessing fs stats is allowed @@ -1344,10 +1257,6 @@ int security_sb_show_options(struct seq_file *m, struct super_block *sb) * * Return: Returns 0 if permission is granted. */ -int security_sb_statfs(struct dentry *dentry) -{ - return call_int_hook(sb_statfs, 0, dentry); -} /** * security_sb_mount() - Check permission for mounting a filesystem @@ -1366,11 +1275,6 @@ int security_sb_statfs(struct dentry *dentry) * * Return: Returns 0 if permission is granted. */ -int security_sb_mount(const char *dev_name, const struct path *path, - const char *type, unsigned long flags, void *data) -{ - return call_int_hook(sb_mount, 0, dev_name, path, type, flags, data); -} /** * security_sb_umount() - Check permission for unmounting a filesystem @@ -1381,10 +1285,6 @@ int security_sb_mount(const char *dev_name, const struct path *path, * * Return: Returns 0 if permission is granted. */ -int security_sb_umount(struct vfsmount *mnt, int flags) -{ - return call_int_hook(sb_umount, 0, mnt, flags); -} /** * security_sb_pivotroot() - Check permissions for pivoting the rootfs 
@@ -1395,11 +1295,6 @@ int security_sb_umount(struct vfsmount *mnt, int flags) * * Return: Returns 0 if permission is granted. */ -int security_sb_pivotroot(const struct path *old_path, - const struct path *new_path) -{ - return call_int_hook(sb_pivotroot, 0, old_path, new_path); -} /** * security_sb_set_mnt_opts() - Set the mount options for a filesystem @@ -1434,14 +1329,6 @@ EXPORT_SYMBOL(security_sb_set_mnt_opts); * * Return: Returns 0 on success, error on failure. */ -int security_sb_clone_mnt_opts(const struct super_block *oldsb, - struct super_block *newsb, - unsigned long kern_flags, - unsigned long *set_kern_flags) -{ - return call_int_hook(sb_clone_mnt_opts, 0, oldsb, newsb, - kern_flags, set_kern_flags); -} EXPORT_SYMBOL(security_sb_clone_mnt_opts); /** @@ -1453,11 +1340,6 @@ EXPORT_SYMBOL(security_sb_clone_mnt_opts); * * Return: Returns 0 if permission is granted. */ -int security_move_mount(const struct path *from_path, - const struct path *to_path) -{ - return call_int_hook(move_mount, 0, from_path, to_path); -} /** * security_path_notify() - Check if setting a watch is allowed @@ -1470,11 +1352,6 @@ int security_move_mount(const struct path *from_path, * * Return: Returns 0 if permission is granted. */ -int security_path_notify(const struct path *path, u64 mask, - unsigned int obj_type) -{ - return call_int_hook(path_notify, 0, path, mask, obj_type); -} /** * security_inode_alloc() - Allocate an inode LSM blob 
@@ -1545,26 +1422,6 @@ void security_inode_free(struct inode *inode) * * Return: Returns 0 on success, negative values on failure. */ -int security_dentry_init_security(struct dentry *dentry, int mode, - const struct qstr *name, - const char **xattr_name, void **ctx, - u32 *ctxlen) -{ - struct security_hook_list *hp; - int rc; - - /* - * Only one module will provide a security context. - */ - hlist_for_each_entry(hp, &security_hook_heads.dentry_init_security, - list) { - rc = hp->hook.dentry_init_security(dentry, mode, name, - xattr_name, ctx, ctxlen); - if (rc != LSM_RET_DEFAULT(dentry_init_security)) - return rc; - } - return LSM_RET_DEFAULT(dentry_init_security); -} EXPORT_SYMBOL(security_dentry_init_security); /** @@ -1582,13 +1439,6 @@ EXPORT_SYMBOL(security_dentry_init_security); * * Return: Returns 0 on success, error on failure. */ -int security_dentry_create_files_as(struct dentry *dentry, int mode, - struct qstr *name, - const struct cred *old, struct cred *new) -{ - return call_int_hook(dentry_create_files_as, 0, dentry, mode, - name, old, new); -} EXPORT_SYMBOL(security_dentry_create_files_as); /** @@ -1683,13 +1533,6 @@ EXPORT_SYMBOL(security_inode_init_security); * Return: Returns 0 on success, -EACCES if the security module denies the * creation of this inode, or another -errno upon other errors. */ -int security_inode_init_security_anon(struct inode *inode, - const struct qstr *name, - const struct inode *context_inode) -{ - return call_int_hook(inode_init_security_anon, 0, inode, name, - context_inode); -} #ifdef CONFIG_SECURITY_PATH /** @@ -1887,10 +1730,6 @@ int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid) * * Return: Returns 0 if permission is granted. */ -int security_path_chroot(const struct path *path) -{ - return call_int_hook(path_chroot, 0, path); -} #endif /* CONFIG_SECURITY_PATH */ /** 
@@ -2360,10 +2199,6 @@ int security_inode_removexattr(struct mnt_idmap *idmap, * security_inode_killpriv() does not need to be called, return >0 if * security_inode_killpriv() does need to be called. */ -int security_inode_need_killpriv(struct dentry *dentry) -{ - return call_int_hook(inode_need_killpriv, 0, dentry); -} /** * security_inode_killpriv() - The setuid bit is removed, update LSM state @@ -2376,11 +2211,6 @@ int security_inode_need_killpriv(struct dentry *dentry) * Return: Return 0 on success. If error is returned, then the operation * causing setuid bit removal is failed. */ -int security_inode_killpriv(struct mnt_idmap *idmap, - struct dentry *dentry) -{ - return call_int_hook(inode_killpriv, 0, idmap, dentry); -} /** * security_inode_getsecurity() - Get the xattr security label of an inode @@ -2484,10 +2314,6 @@ EXPORT_SYMBOL(security_inode_listsecurity); * Get the secid associated with the node. In case of failure, @secid will be * set to zero. */ -void security_inode_getsecid(struct inode *inode, u32 *secid) -{ - call_void_hook(inode_getsecid, inode, secid); -} /** * security_inode_copy_up() - Create new creds for an overlayfs copy-up op @@ -2501,10 +2327,6 @@ void security_inode_getsecid(struct inode *inode, u32 *secid) * * Return: Returns 0 on success or a negative error code on error. */ -int security_inode_copy_up(struct dentry *src, struct cred **new) -{ - return call_int_hook(inode_copy_up, 0, src, new); -} EXPORT_SYMBOL(security_inode_copy_up); /** @@ -2550,11 +2372,6 @@ EXPORT_SYMBOL(security_inode_copy_up_xattr); * * Return: Returns 0 if permission is granted. */ -int security_kernfs_init_security(struct kernfs_node *kn_dir, - struct kernfs_node *kn) -{ - return call_int_hook(kernfs_init_security, 0, kn_dir, kn); -} /** * security_file_permission() - Check file permissions 
@@ -2639,10 +2456,6 @@ void security_file_free(struct file *file) * * Return: Returns 0 if permission is granted. */ -int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg) -{ - return call_int_hook(file_ioctl, 0, file, cmd, arg); -} EXPORT_SYMBOL_GPL(security_file_ioctl); static inline unsigned long mmap_prot(struct file *file, unsigned long prot) @@ -2709,10 +2522,6 @@ int security_mmap_file(struct file *file, unsigned long prot, * * Return: Returns 0 if permission is granted. */ -int security_mmap_addr(unsigned long addr) -{ - return call_int_hook(mmap_addr, 0, addr); -} /** * security_file_mprotect() - Check if changing memory protections is allowed @@ -2745,10 +2554,6 @@ int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, * * Return: Returns 0 if permission is granted. */ -int security_file_lock(struct file *file, unsigned int cmd) -{ - return call_int_hook(file_lock, 0, file, cmd); -} /** * security_file_fcntl() - Check if fcntl() op is allowed @@ -2764,10 +2569,6 @@ int security_file_lock(struct file *file, unsigned int cmd) * * Return: Returns 0 if permission is granted. */ -int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg) -{ - return call_int_hook(file_fcntl, 0, file, cmd, arg); -} /** * security_file_set_fowner() - Set the file owner info in the LSM blob @@ -2778,10 +2579,6 @@ int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg) * * Return: Returns 0 on success. */ -void security_file_set_fowner(struct file *file) -{ - call_void_hook(file_set_fowner, file); -} /** * security_file_send_sigiotask() - Check if sending SIGIO/SIGURG is allowed 
@@ -2797,11 +2594,6 @@ void security_file_set_fowner(struct file *file) * * Return: Returns 0 if permission is granted. */ -int security_file_send_sigiotask(struct task_struct *tsk, - struct fown_struct *fown, int sig) -{ - return call_int_hook(file_send_sigiotask, 0, tsk, fown, sig); -} /** * security_file_receive() - Check is receiving a file via IPC is allowed @@ -2812,10 +2604,6 @@ int security_file_send_sigiotask(struct task_struct *tsk, * * Return: Returns 0 if permission is granted. */ -int security_file_receive(struct file *file) -{ - return call_int_hook(file_receive, 0, file); -} /** * security_file_open() - Save open() time state for late use by the LSM @@ -2847,10 +2635,6 @@ int security_file_open(struct file *file) * * Return: Returns 0 if permission is granted. */ -int security_file_truncate(struct file *file) -{ - return call_int_hook(file_truncate, 0, file); -} /** * security_task_alloc() - Allocate a task's LSM blob @@ -2992,10 +2776,6 @@ EXPORT_SYMBOL(security_cred_getsecid); * * Return: Returns 0 if successful. */ -int security_kernel_act_as(struct cred *new, u32 secid) -{ - return call_int_hook(kernel_act_as, 0, new, secid); -} /** * security_kernel_create_files_as() - Set file creation context using an inode @@ -3008,10 +2788,6 @@ int security_kernel_act_as(struct cred *new, u32 secid) * * Return: Returns 0 if successful. */ -int security_kernel_create_files_as(struct cred *new, struct inode *inode) -{ - return call_int_hook(kernel_create_files_as, 0, new, inode); -} /** * security_kernel_module_request() - Check is loading a module is allowed @@ -3141,11 +2917,6 @@ EXPORT_SYMBOL_GPL(security_kernel_post_load_data); * * Return: Returns 0 on success. */ -int security_task_fix_setuid(struct cred *new, const struct cred *old, - int flags) -{ - return call_int_hook(task_fix_setuid, 0, new, old, flags); -} /** * security_task_fix_setgid() - Update LSM with new group id attributes 
@@ -3161,11 +2932,6 @@ int security_task_fix_setuid(struct cred *new, const struct cred *old, * * Return: Returns 0 on success. */ -int security_task_fix_setgid(struct cred *new, const struct cred *old, - int flags) -{ - return call_int_hook(task_fix_setgid, 0, new, old, flags); -} /** * security_task_fix_setgroups() - Update LSM with new supplementary groups @@ -3179,10 +2945,6 @@ int security_task_fix_setgid(struct cred *new, const struct cred *old, * * Return: Returns 0 on success. */ -int security_task_fix_setgroups(struct cred *new, const struct cred *old) -{ - return call_int_hook(task_fix_setgroups, 0, new, old); -} /** * security_task_setpgid() - Check if setting the pgid is allowed @@ -3194,10 +2956,6 @@ int security_task_fix_setgroups(struct cred *new, const struct cred *old) * * Return: Returns 0 if permission is granted. */ -int security_task_setpgid(struct task_struct *p, pid_t pgid) -{ - return call_int_hook(task_setpgid, 0, p, pgid); -} /** * security_task_getpgid() - Check if getting the pgid is allowed @@ -3208,10 +2966,6 @@ int security_task_setpgid(struct task_struct *p, pid_t pgid) * * Return: Returns 0 if permission is granted. */ -int security_task_getpgid(struct task_struct *p) -{ - return call_int_hook(task_getpgid, 0, p); -} /** * security_task_getsid() - Check if getting the session id is allowed @@ -3221,10 +2975,6 @@ int security_task_getpgid(struct task_struct *p) * * Return: Returns 0 if permission is granted. */ -int security_task_getsid(struct task_struct *p) -{ - return call_int_hook(task_getsid, 0, p); -} /** * security_current_getsecid_subj() - Get the current task's subjective secid @@ -3264,10 +3014,6 @@ EXPORT_SYMBOL(security_task_getsecid_obj); * * Return: Returns 0 if permission is granted. */ -int security_task_setnice(struct task_struct *p, int nice) -{ - return call_int_hook(task_setnice, 0, p, nice); -} /** * security_task_setioprio() - Check if setting a task's ioprio is allowed 
@@ -3278,10 +3024,6 @@ int security_task_setnice(struct task_struct *p, int nice) * * Return: Returns 0 if permission is granted. */ -int security_task_setioprio(struct task_struct *p, int ioprio) -{ - return call_int_hook(task_setioprio, 0, p, ioprio); -} /** * security_task_getioprio() - Check if getting a task's ioprio is allowed @@ -3291,10 +3033,6 @@ int security_task_setioprio(struct task_struct *p, int ioprio) * * Return: Returns 0 if permission is granted. */ -int security_task_getioprio(struct task_struct *p) -{ - return call_int_hook(task_getioprio, 0, p); -} /** * security_task_prlimit() - Check if get/setting resources limits is allowed @@ -3307,11 +3045,6 @@ int security_task_getioprio(struct task_struct *p) * * Return: Returns 0 if permission is granted. */ -int security_task_prlimit(const struct cred *cred, const struct cred *tcred, - unsigned int flags) -{ - return call_int_hook(task_prlimit, 0, cred, tcred, flags); -} /** * security_task_setrlimit() - Check if setting a new rlimit value is allowed @@ -3325,11 +3058,6 @@ int security_task_prlimit(const struct cred *cred, const struct cred *tcred, * * Return: Returns 0 if permission is granted. */ -int security_task_setrlimit(struct task_struct *p, unsigned int resource, - struct rlimit *new_rlim) -{ - return call_int_hook(task_setrlimit, 0, p, resource, new_rlim); -} /** * security_task_setscheduler() - Check if setting sched policy/param is allowed @@ -3340,10 +3068,6 @@ int security_task_setrlimit(struct task_struct *p, unsigned int resource, * * Return: Returns 0 if permission is granted. */ -int security_task_setscheduler(struct task_struct *p) -{ - return call_int_hook(task_setscheduler, 0, p); -} /** * security_task_getscheduler() - Check if getting scheduling info is allowed 
@@ -3353,10 +3077,6 @@ int security_task_setscheduler(struct task_struct *p) * * Return: Returns 0 if permission is granted. */ -int security_task_getscheduler(struct task_struct *p) -{ - return call_int_hook(task_getscheduler, 0, p); -} /** * security_task_movememory() - Check if moving memory is allowed @@ -3366,10 +3086,6 @@ int security_task_getscheduler(struct task_struct *p) * * Return: Returns 0 if permission is granted. */ -int security_task_movememory(struct task_struct *p) -{ - return call_int_hook(task_movememory, 0, p); -} /** * security_task_kill() - Check if sending a signal is allowed @@ -3386,11 +3102,6 @@ int security_task_movememory(struct task_struct *p) * * Return: Returns 0 if permission is granted. */ -int security_task_kill(struct task_struct *p, struct kernel_siginfo *info, - int sig, const struct cred *cred) -{ - return call_int_hook(task_kill, 0, p, info, sig, cred); -} /** * security_task_prctl() - Check if a prctl op is allowed @@ -3432,10 +3143,6 @@ int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, * Set the security attributes for an inode based on an associated task's * security attributes, e.g. for /proc/pid inodes. */ -void security_task_to_inode(struct task_struct *p, struct inode *inode) -{ - call_void_hook(task_to_inode, p, inode); -} /** * security_create_user_ns() - Check if creating a new userns is allowed @@ -3459,10 +3166,6 @@ int security_create_user_ns(const struct cred *cred) * * Return: Returns 0 if permission is granted. */ -int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) -{ - return call_int_hook(ipc_permission, 0, ipcp, flag); -} /** * security_ipc_getsecid() - Get the sysv ipc object's secid 
@@ -3557,10 +3260,6 @@ void security_msg_queue_free(struct kern_ipc_perm *msq) * * Return: Return 0 if permission is granted. */ -int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) -{ - return call_int_hook(msg_queue_associate, 0, msq, msqflg); -} /** * security_msg_queue_msgctl() - Check if a msg queue operation is allowed @@ -3572,10 +3271,6 @@ int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg) * * Return: Returns 0 if permission is granted. */ -int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) -{ - return call_int_hook(msg_queue_msgctl, 0, msq, cmd); -} /** * security_msg_queue_msgsnd() - Check if sending a sysv ipc message is allowed @@ -3588,11 +3283,6 @@ int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd) * * Return: Returns 0 if permission is granted. */ -int security_msg_queue_msgsnd(struct kern_ipc_perm *msq, - struct msg_msg *msg, int msqflg) -{ - return call_int_hook(msg_queue_msgsnd, 0, msq, msg, msqflg); -} /** * security_msg_queue_msgrcv() - Check if receiving a sysv ipc msg is allowed @@ -3609,11 +3299,6 @@ int security_msg_queue_msgsnd(struct kern_ipc_perm *msq, * * Return: Returns 0 if permission is granted. */ -int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg, - struct task_struct *target, long type, int mode) -{ - return call_int_hook(msg_queue_msgrcv, 0, msq, msg, target, type, mode); -} /** * security_shm_alloc() - Allocate a sysv shm LSM blob @@ -3661,10 +3346,6 @@ void security_shm_free(struct kern_ipc_perm *shp) * * Return: Returns 0 if permission is granted. */ -int security_shm_associate(struct kern_ipc_perm *shp, int shmflg) -{ - return call_int_hook(shm_associate, 0, shp, shmflg); -} /** * security_shm_shmctl() - Check if a sysv shm operation is allowed 
@@ -3676,10 +3357,6 @@ int security_shm_associate(struct kern_ipc_perm *shp, int shmflg) * * Return: Return 0 if permission is granted. */ -int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd) -{ - return call_int_hook(shm_shmctl, 0, shp, cmd); -} /** * security_shm_shmat() - Check if a sysv shm attach operation is allowed @@ -3693,11 +3370,6 @@ int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd) * * Return: Returns 0 if permission is granted. */ -int security_shm_shmat(struct kern_ipc_perm *shp, - char __user *shmaddr, int shmflg) -{ - return call_int_hook(shm_shmat, 0, shp, shmaddr, shmflg); -} /** * security_sem_alloc() - Allocate a sysv semaphore LSM blob @@ -3744,10 +3416,6 @@ void security_sem_free(struct kern_ipc_perm *sma) * * Return: Returns 0 if permission is granted. */ -int security_sem_associate(struct kern_ipc_perm *sma, int semflg) -{ - return call_int_hook(sem_associate, 0, sma, semflg); -} /** * security_sem_semctl() - Check if a sysv semaphore operation is allowed @@ -3759,10 +3427,6 @@ int security_sem_associate(struct kern_ipc_perm *sma, int semflg) * * Return: Returns 0 if permission is granted. */ -int security_sem_semctl(struct kern_ipc_perm *sma, int cmd) -{ - return call_int_hook(sem_semctl, 0, sma, cmd); -} /** * security_sem_semop() - Check if a sysv semaphore operation is allowed @@ -3776,11 +3440,6 @@ int security_sem_semctl(struct kern_ipc_perm *sma, int cmd) * * Return: Returns 0 if permission is granted. */ -int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops, - unsigned nsops, int alter) -{ - return call_int_hook(sem_semop, 0, sma, sops, nsops, alter); -} /** * security_d_instantiate() - Populate an inode's LSM state based on a dentry 
@@ -3859,10 +3518,6 @@ int security_setprocattr(const char *lsm, const char *name, void *value, * Return: Returns 0 if the information was successfully saved and message is * allowed to be transmitted. */ -int security_netlink_send(struct sock *sk, struct sk_buff *skb) -{ - return call_int_hook(netlink_send, 0, sk, skb); -} /** * security_ismaclabel() - Check is the named attribute is a MAC label @@ -3872,10 +3527,6 @@ int security_netlink_send(struct sock *sk, struct sk_buff *skb) * * Return: Returns 1 if name is a MAC attribute otherwise returns 0. */ -int security_ismaclabel(const char *name) -{ - return call_int_hook(ismaclabel, 0, name); -} EXPORT_SYMBOL(security_ismaclabel); /** @@ -3891,23 +3542,6 @@ EXPORT_SYMBOL(security_ismaclabel); * * Return: Return 0 on success, error on failure. */ -int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) -{ - struct security_hook_list *hp; - int rc; - - /* - * Currently, only one LSM can implement secid_to_secctx (i.e this - * LSM hook is not "stackable"). - */ - hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { - rc = hp->hook.secid_to_secctx(secid, secdata, seclen); - if (rc != LSM_RET_DEFAULT(secid_to_secctx)) - return rc; - } - - return LSM_RET_DEFAULT(secid_to_secctx); -} EXPORT_SYMBOL(security_secid_to_secctx); /** @@ -3968,10 +3602,6 @@ EXPORT_SYMBOL(security_inode_invalidate_secctx); * * Return: Returns 0 on success, error on failure. */ -int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) -{ - return call_int_hook(inode_notifysecctx, 0, inode, ctx, ctxlen); -} EXPORT_SYMBOL(security_inode_notifysecctx); /** @@ -3990,10 +3620,6 @@ EXPORT_SYMBOL(security_inode_notifysecctx); * * Return: Returns 0 on success, error on failure. */ -int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) -{ - return call_int_hook(inode_setsecctx, 0, dentry, ctx, ctxlen); -} EXPORT_SYMBOL(security_inode_setsecctx); /** 
@@ -4024,12 +3650,6 @@ EXPORT_SYMBOL(security_inode_getsecctx); * * Return: Returns 0 if permission is granted. */ -int security_post_notification(const struct cred *w_cred, - const struct cred *cred, - struct watch_notification *n) -{ - return call_int_hook(post_notification, 0, w_cred, cred, n); -} #endif /* CONFIG_WATCH_QUEUE */ #ifdef CONFIG_KEY_NOTIFICATIONS @@ -4042,10 +3662,6 @@ int security_post_notification(const struct cred *w_cred, * * Return: Returns 0 if permission is granted. */ -int security_watch_key(struct key *key) -{ - return call_int_hook(watch_key, 0, key); -} #endif /* CONFIG_KEY_NOTIFICATIONS */ #ifdef CONFIG_SECURITY_NETWORK @@ -4070,11 +3686,6 @@ int security_watch_key(struct key *key) * * Return: Returns 0 if permission is granted. */ -int security_unix_stream_connect(struct sock *sock, struct sock *other, - struct sock *newsk) -{ - return call_int_hook(unix_stream_connect, 0, sock, other, newsk); -} EXPORT_SYMBOL(security_unix_stream_connect); /** @@ -4097,10 +3708,6 @@ EXPORT_SYMBOL(security_unix_stream_connect); * * Return: Returns 0 if permission is granted. */ -int security_unix_may_send(struct socket *sock, struct socket *other) -{ - return call_int_hook(unix_may_send, 0, sock, other); -} EXPORT_SYMBOL(security_unix_may_send); /** @@ -4114,10 +3721,6 @@ EXPORT_SYMBOL(security_unix_may_send); * * Return: Returns 0 if permission is granted. */ -int security_socket_create(int family, int type, int protocol, int kern) -{ - return call_int_hook(socket_create, 0, family, type, protocol, kern); -} /** * security_socket_post_create() - Initialize a newly created socket 
@@ -4137,12 +3740,6 @@ int security_socket_create(int family, int type, int protocol, int kern) * * Return: Returns 0 if permission is granted. */ -int security_socket_post_create(struct socket *sock, int family, - int type, int protocol, int kern) -{ - return call_int_hook(socket_post_create, 0, sock, family, type, - protocol, kern); -} /** * security_socket_socketpair() - Check if creating a socketpair is allowed @@ -4154,10 +3751,6 @@ int security_socket_post_create(struct socket *sock, int family, * Return: Returns 0 if permission is granted and the connection was * established. */ -int security_socket_socketpair(struct socket *socka, struct socket *sockb) -{ - return call_int_hook(socket_socketpair, 0, socka, sockb); -} EXPORT_SYMBOL(security_socket_socketpair); /** @@ -4172,11 +3765,6 @@ EXPORT_SYMBOL(security_socket_socketpair); * * Return: Returns 0 if permission is granted. */ -int security_socket_bind(struct socket *sock, - struct sockaddr *address, int addrlen) -{ - return call_int_hook(socket_bind, 0, sock, address, addrlen); -} /** * security_socket_connect() - Check if a socket connect operation is allowed @@ -4189,11 +3777,6 @@ int security_socket_bind(struct socket *sock, * * Return: Returns 0 if permission is granted. */ -int security_socket_connect(struct socket *sock, - struct sockaddr *address, int addrlen) -{ - return call_int_hook(socket_connect, 0, sock, address, addrlen); -} /** * security_socket_listen() - Check if a socket is allowed to listen @@ -4204,10 +3787,6 @@ int security_socket_connect(struct socket *sock, * * Return: Returns 0 if permission is granted. */ -int security_socket_listen(struct socket *sock, int backlog) -{ - return call_int_hook(socket_listen, 0, sock, backlog); -} /** * security_socket_accept() - Check if a socket is allowed to accept connections 
@@ -4220,10 +3799,6 @@ int security_socket_listen(struct socket *sock, int backlog) * * Return: Returns 0 if permission is granted. */ -int security_socket_accept(struct socket *sock, struct socket *newsock) -{ - return call_int_hook(socket_accept, 0, sock, newsock); -} /** * security_socket_sendmsg() - Check is sending a message is allowed @@ -4235,10 +3810,6 @@ int security_socket_accept(struct socket *sock, struct socket *newsock) * * Return: Returns 0 if permission is granted. */ -int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) -{ - return call_int_hook(socket_sendmsg, 0, sock, msg, size); -} /** * security_socket_recvmsg() - Check if receiving a message is allowed @@ -4251,11 +3822,6 @@ int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) * * Return: Returns 0 if permission is granted. */ -int security_socket_recvmsg(struct socket *sock, struct msghdr *msg, - int size, int flags) -{ - return call_int_hook(socket_recvmsg, 0, sock, msg, size, flags); -} /** * security_socket_getsockname() - Check if reading the socket addr is allowed @@ -4266,10 +3832,6 @@ int security_socket_recvmsg(struct socket *sock, struct msghdr *msg, * * Return: Returns 0 if permission is granted. */ -int security_socket_getsockname(struct socket *sock) -{ - return call_int_hook(socket_getsockname, 0, sock); -} /** * security_socket_getpeername() - Check if reading the peer's addr is allowed @@ -4279,10 +3841,6 @@ int security_socket_getsockname(struct socket *sock) * * Return: Returns 0 if permission is granted. */ -int security_socket_getpeername(struct socket *sock) -{ - return call_int_hook(socket_getpeername, 0, sock); -} /** * security_socket_getsockopt() - Check if reading a socket option is allowed 
@@ -4295,10 +3853,6 @@ int security_socket_getpeername(struct socket *sock) * * Return: Returns 0 if permission is granted. */ -int security_socket_getsockopt(struct socket *sock, int level, int optname) -{ - return call_int_hook(socket_getsockopt, 0, sock, level, optname); -} /** * security_socket_setsockopt() - Check if setting a socket option is allowed @@ -4310,10 +3864,6 @@ int security_socket_getsockopt(struct socket *sock, int level, int optname) * * Return: Returns 0 if permission is granted. */ -int security_socket_setsockopt(struct socket *sock, int level, int optname) -{ - return call_int_hook(socket_setsockopt, 0, sock, level, optname); -} /** * security_socket_shutdown() - Checks if shutting down the socket is allowed @@ -4325,10 +3875,6 @@ int security_socket_setsockopt(struct socket *sock, int level, int optname) * * Return: Returns 0 if permission is granted. */ -int security_socket_shutdown(struct socket *sock, int how) -{ - return call_int_hook(socket_shutdown, 0, sock, how); -} /** * security_sock_rcv_skb() - Check if an incoming network packet is allowed @@ -4452,11 +3998,6 @@ EXPORT_SYMBOL(security_sk_classify_flow); * * Sets @flic's secid to @req's secid. */ -void security_req_classify_flow(const struct request_sock *req, - struct flowi_common *flic) -{ - call_void_hook(req_classify_flow, req, flic); -} EXPORT_SYMBOL(security_req_classify_flow); /** @@ -4467,10 +4008,6 @@ EXPORT_SYMBOL(security_req_classify_flow); * Sets @parent's inode secid to @sk's secid and update @sk with any necessary * LSM state from @parent. */ -void security_sock_graft(struct sock *sk, struct socket *parent) -{ - call_void_hook(sock_graft, sk, parent); -} EXPORT_SYMBOL(security_sock_graft); /** 
@@ -4483,11 +4020,6 @@ EXPORT_SYMBOL(security_sock_graft); * * Return: Returns 0 if permission is granted. */ -int security_inet_conn_request(const struct sock *sk, - struct sk_buff *skb, struct request_sock *req) -{ - return call_int_hook(inet_conn_request, 0, sk, skb, req); -} EXPORT_SYMBOL(security_inet_conn_request); /** @@ -4497,11 +4029,6 @@ EXPORT_SYMBOL(security_inet_conn_request); * * Set that LSM state of @sock using the LSM state from @req. */ -void security_inet_csk_clone(struct sock *newsk, - const struct request_sock *req) -{ - call_void_hook(inet_csk_clone, newsk, req); -} /** * security_inet_conn_established() - Update sock's LSM state with connection @@ -4510,11 +4037,6 @@ void security_inet_csk_clone(struct sock *newsk, * * Update @sock's LSM state to represent a new connection from @skb. */ -void security_inet_conn_established(struct sock *sk, - struct sk_buff *skb) -{ - call_void_hook(inet_conn_established, sk, skb); -} EXPORT_SYMBOL(security_inet_conn_established); /** @@ -4525,10 +4047,6 @@ EXPORT_SYMBOL(security_inet_conn_established); * * Return: Returns 0 if permission is granted. */ -int security_secmark_relabel_packet(u32 secid) -{ - return call_int_hook(secmark_relabel_packet, 0, secid); -} EXPORT_SYMBOL(security_secmark_relabel_packet); /** @@ -4536,10 +4054,6 @@ EXPORT_SYMBOL(security_secmark_relabel_packet); * * Tells the LSM to increment the number of secmark labeling rules loaded. */ -void security_secmark_refcount_inc(void) -{ - call_void_hook(secmark_refcount_inc); -} EXPORT_SYMBOL(security_secmark_refcount_inc); /** @@ -4547,10 +4061,6 @@ EXPORT_SYMBOL(security_secmark_refcount_inc); * * Tells the LSM to decrement the number of secmark labeling rules loaded. */ -void security_secmark_refcount_dec(void) -{ - call_void_hook(secmark_refcount_dec); -} EXPORT_SYMBOL(security_secmark_refcount_dec); /** 
@@ -4562,10 +4072,6 @@ EXPORT_SYMBOL(security_secmark_refcount_dec); * * Return: Returns a zero on success, negative values on failure. */ -int security_tun_dev_alloc_security(void **security) -{ - return call_int_hook(tun_dev_alloc_security, 0, security); -} EXPORT_SYMBOL(security_tun_dev_alloc_security); /** @@ -4574,10 +4080,6 @@ EXPORT_SYMBOL(security_tun_dev_alloc_security); * * This hook allows a module to free the security structure for a TUN device. */ -void security_tun_dev_free_security(void *security) -{ - call_void_hook(tun_dev_free_security, security); -} EXPORT_SYMBOL(security_tun_dev_free_security); /** @@ -4587,10 +4089,6 @@ EXPORT_SYMBOL(security_tun_dev_free_security); * * Return: Returns 0 if permission is granted. */ -int security_tun_dev_create(void) -{ - return call_int_hook(tun_dev_create, 0); -} EXPORT_SYMBOL(security_tun_dev_create); /** @@ -4601,10 +4099,6 @@ EXPORT_SYMBOL(security_tun_dev_create); * * Return: Returns 0 if permission is granted. */ -int security_tun_dev_attach_queue(void *security) -{ - return call_int_hook(tun_dev_attach_queue, 0, security); -} EXPORT_SYMBOL(security_tun_dev_attach_queue); /** @@ -4617,10 +4111,6 @@ EXPORT_SYMBOL(security_tun_dev_attach_queue); * * Return: Returns 0 if permission is granted. */ -int security_tun_dev_attach(struct sock *sk, void *security) -{ - return call_int_hook(tun_dev_attach, 0, sk, security); -} EXPORT_SYMBOL(security_tun_dev_attach); /** @@ -4632,10 +4122,6 @@ EXPORT_SYMBOL(security_tun_dev_attach); * * Return: Returns 0 if permission is granted. */ -int security_tun_dev_open(void *security) -{ - return call_int_hook(tun_dev_open, 0, security); -} EXPORT_SYMBOL(security_tun_dev_open); /** 
@@ -4647,11 +4133,6 @@ EXPORT_SYMBOL(security_tun_dev_open); * * Return: Returns 0 on success, error on failure. */ -int security_sctp_assoc_request(struct sctp_association *asoc, - struct sk_buff *skb) -{ - return call_int_hook(sctp_assoc_request, 0, asoc, skb); -} EXPORT_SYMBOL(security_sctp_assoc_request); /** @@ -4668,12 +4149,6 @@ EXPORT_SYMBOL(security_sctp_assoc_request); * * Return: Returns 0 on success, error on failure. */ -int security_sctp_bind_connect(struct sock *sk, int optname, - struct sockaddr *address, int addrlen) -{ - return call_int_hook(sctp_bind_connect, 0, sk, optname, - address, addrlen); -} EXPORT_SYMBOL(security_sctp_bind_connect); /** @@ -4686,11 +4161,6 @@ EXPORT_SYMBOL(security_sctp_bind_connect); * socket) or when a socket is 'peeled off' e.g userspace calls * sctp_peeloff(3). */ -void security_sctp_sk_clone(struct sctp_association *asoc, struct sock *sk, - struct sock *newsk) -{ - call_void_hook(sctp_sk_clone, asoc, sk, newsk); -} EXPORT_SYMBOL(security_sctp_sk_clone); /** @@ -4703,11 +4173,6 @@ EXPORT_SYMBOL(security_sctp_sk_clone); * * Return: Returns 0 if permission is granted. */ -int security_sctp_assoc_established(struct sctp_association *asoc, - struct sk_buff *skb) -{ - return call_int_hook(sctp_assoc_established, 0, asoc, skb); -} EXPORT_SYMBOL(security_sctp_assoc_established); /** @@ -4722,10 +4187,6 @@ EXPORT_SYMBOL(security_sctp_assoc_established); * * Return: Returns 0 on success or a negative error code on failure. */ -int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) -{ - return call_int_hook(mptcp_add_subflow, 0, sk, ssk); -} #endif /* CONFIG_SECURITY_NETWORK */ @@ -4740,10 +4201,6 @@ int security_mptcp_add_subflow(struct sock *sk, struct sock *ssk) * * Return: Returns 0 if permission is granted. */ -int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey) -{ - return call_int_hook(ib_pkey_access, 0, sec, subnet_prefix, pkey); -} EXPORT_SYMBOL(security_ib_pkey_access); /** 
@@ -4756,12 +4213,6 @@ EXPORT_SYMBOL(security_ib_pkey_access); * * Return: Returns 0 if permission is granted. */ -int security_ib_endport_manage_subnet(void *sec, - const char *dev_name, u8 port_num) -{ - return call_int_hook(ib_endport_manage_subnet, 0, sec, - dev_name, port_num); -} EXPORT_SYMBOL(security_ib_endport_manage_subnet); /** @@ -4772,10 +4223,6 @@ EXPORT_SYMBOL(security_ib_endport_manage_subnet); * * Return: Returns 0 on success, non-zero on failure. */ -int security_ib_alloc_security(void **sec) -{ - return call_int_hook(ib_alloc_security, 0, sec); -} EXPORT_SYMBOL(security_ib_alloc_security); /** @@ -4784,10 +4231,6 @@ EXPORT_SYMBOL(security_ib_alloc_security); * * Deallocate an Infiniband security structure. */ -void security_ib_free_security(void *sec) -{ - call_void_hook(ib_free_security, sec); -} EXPORT_SYMBOL(security_ib_free_security); #endif /* CONFIG_SECURITY_INFINIBAND */ @@ -4803,12 +4246,6 @@ EXPORT_SYMBOL(security_ib_free_security); * * Return: Return 0 if operation was successful. */ -int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, - struct xfrm_user_sec_ctx *sec_ctx, - gfp_t gfp) -{ - return call_int_hook(xfrm_policy_alloc_security, 0, ctxp, sec_ctx, gfp); -} EXPORT_SYMBOL(security_xfrm_policy_alloc); /** @@ -4821,11 +4258,6 @@ EXPORT_SYMBOL(security_xfrm_policy_alloc); * * Return: Return 0 if operation was successful. */ -int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, - struct xfrm_sec_ctx **new_ctxp) -{ - return call_int_hook(xfrm_policy_clone_security, 0, old_ctx, new_ctxp); -} /** * security_xfrm_policy_free() - Free a xfrm security context @@ -4833,10 +4265,6 @@ int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, * * Free LSM resources associated with @ctx. */ -void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx) -{ - call_void_hook(xfrm_policy_free_security, ctx); -} EXPORT_SYMBOL(security_xfrm_policy_free); /** 
@@ -4847,10 +4275,6 @@ EXPORT_SYMBOL(security_xfrm_policy_free); * * Return: Returns 0 if permission is granted. */ -int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) -{ - return call_int_hook(xfrm_policy_delete_security, 0, ctx); -} /** * security_xfrm_state_alloc() - Allocate a xfrm state LSM blob @@ -4863,11 +4287,6 @@ int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) * * Return: Return 0 if operation was successful. */ -int security_xfrm_state_alloc(struct xfrm_state *x, - struct xfrm_user_sec_ctx *sec_ctx) -{ - return call_int_hook(xfrm_state_alloc, 0, x, sec_ctx); -} EXPORT_SYMBOL(security_xfrm_state_alloc); /** @@ -4882,11 +4301,6 @@ EXPORT_SYMBOL(security_xfrm_state_alloc); * * Return: Returns 0 if operation was successful. */ -int security_xfrm_state_alloc_acquire(struct xfrm_state *x, - struct xfrm_sec_ctx *polsec, u32 secid) -{ - return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid); -} /** * security_xfrm_state_delete() - Check if deleting a xfrm state is allowed @@ -4896,10 +4310,6 @@ int security_xfrm_state_alloc_acquire(struct xfrm_state *x, * * Return: Returns 0 if permission is granted. */ -int security_xfrm_state_delete(struct xfrm_state *x) -{ - return call_int_hook(xfrm_state_delete_security, 0, x); -} EXPORT_SYMBOL(security_xfrm_state_delete); /** @@ -4908,10 +4318,6 @@ EXPORT_SYMBOL(security_xfrm_state_delete); * * Deallocate x->security. */ -void security_xfrm_state_free(struct xfrm_state *x) -{ - call_void_hook(xfrm_state_free_security, x); -} /** * security_xfrm_policy_lookup() - Check if using a xfrm policy is allowed @@ -4925,10 +4331,6 @@ void security_xfrm_state_free(struct xfrm_state *x) * Return: Return 0 if permission is granted, -ESRCH otherwise, or -errno on * other errors. */ -int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid) -{ - return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid); -} /** * security_xfrm_state_pol_flow_match() - Check for a xfrm match 
@@ -4973,10 +4375,6 @@ int security_xfrm_state_pol_flow_match(struct xfrm_state *x, * * Return: Return 0 if all xfrms used have the same secid. */ -int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) -{ - return call_int_hook(xfrm_decode_session, 0, skb, secid, 1); -} void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic) { @@ -5000,11 +4398,6 @@ EXPORT_SYMBOL(security_skb_classify_flow); * * Return: Return 0 if permission is granted, -ve error otherwise. */ -int security_key_alloc(struct key *key, const struct cred *cred, - unsigned long flags) -{ - return call_int_hook(key_alloc, 0, key, cred, flags); -} /** * security_key_free() - Free a kernel key LSM blob @@ -5012,10 +4405,6 @@ int security_key_alloc(struct key *key, const struct cred *cred, * * Notification of destruction; free security data. */ -void security_key_free(struct key *key) -{ - call_void_hook(key_free, key); -} /** * security_key_permission() - Check if a kernel key operation is allowed @@ -5027,11 +4416,6 @@ void security_key_free(struct key *key) * * Return: Return 0 if permission is granted, -ve error otherwise. */ -int security_key_permission(key_ref_t key_ref, const struct cred *cred, - enum key_need_perm need_perm) -{ - return call_int_hook(key_permission, 0, key_ref, cred, need_perm); -} /** * security_key_getsecurity() - Get the key's security label @@ -5066,10 +4450,6 @@ int security_key_getsecurity(struct key *key, char **buffer) * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of * an invalid rule. */ -int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) -{ - return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule); -} /** * security_audit_rule_known() - Check if an audit rule contains LSM fields 
@@ -5080,10 +4460,6 @@ int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) * * Return: Returns 1 in case of relation found, 0 otherwise. */ -int security_audit_rule_known(struct audit_krule *krule) -{ - return call_int_hook(audit_rule_known, 0, krule); -} /** * security_audit_rule_free() - Free an LSM audit rule struct @@ -5092,10 +4468,6 @@ int security_audit_rule_known(struct audit_krule *krule) * Deallocate the LSM audit rule structure previously allocated by * audit_rule_init(). */ -void security_audit_rule_free(void *lsmrule) -{ - call_void_hook(audit_rule_free, lsmrule); -} /** * security_audit_rule_match() - Check if a label matches an audit rule @@ -5110,10 +4482,6 @@ void security_audit_rule_free(void *lsmrule) * Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on * failure. */ -int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) -{ - return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule); -} #endif /* CONFIG_AUDIT */ #ifdef CONFIG_BPF_SYSCALL @@ -5129,10 +4497,6 @@ int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule) * * Return: Returns 0 if permission is granted. */ -int security_bpf(int cmd, union bpf_attr *attr, unsigned int size) -{ - return call_int_hook(bpf, 0, cmd, attr, size); -} /** * security_bpf_map() - Check if access to a bpf map is allowed @@ -5144,10 +4508,6 @@ int security_bpf(int cmd, union bpf_attr *attr, unsigned int size) * * Return: Returns 0 if permission is granted. */ -int security_bpf_map(struct bpf_map *map, fmode_t fmode) -{ - return call_int_hook(bpf_map, 0, map, fmode); -} /** * security_bpf_prog() - Check if access to a bpf program is allowed 
@@ -5158,10 +4518,6 @@ int security_bpf_map(struct bpf_map *map, fmode_t fmode) * * Return: Returns 0 if permission is granted. */ -int security_bpf_prog(struct bpf_prog *prog) -{ - return call_int_hook(bpf_prog, 0, prog); -} /** * security_bpf_map_alloc() - Allocate a bpf map LSM blob @@ -5171,10 +4527,6 @@ int security_bpf_prog(struct bpf_prog *prog) * * Return: Returns 0 on success, error on failure. */ -int security_bpf_map_alloc(struct bpf_map *map) -{ - return call_int_hook(bpf_map_alloc_security, 0, map); -} /** * security_bpf_prog_alloc() - Allocate a bpf program LSM blob @@ -5184,10 +4536,6 @@ int security_bpf_map_alloc(struct bpf_map *map) * * Return: Returns 0 on success, error on failure. */ -int security_bpf_prog_alloc(struct bpf_prog_aux *aux) -{ - return call_int_hook(bpf_prog_alloc_security, 0, aux); -} /** * security_bpf_map_free() - Free a bpf map's LSM blob @@ -5195,10 +4543,6 @@ int security_bpf_prog_alloc(struct bpf_prog_aux *aux) * * Clean up the security information stored inside bpf map. */ -void security_bpf_map_free(struct bpf_map *map) -{ - call_void_hook(bpf_map_free_security, map); -} /** * security_bpf_prog_free() - Free a bpf program's LSM blob @@ -5206,10 +4550,6 @@ void security_bpf_map_free(struct bpf_map *map) * * Clean up the security information stored inside bpf prog. */ -void security_bpf_prog_free(struct bpf_prog_aux *aux) -{ - call_void_hook(bpf_prog_free_security, aux); -} #endif /* CONFIG_BPF_SYSCALL */ /** @@ -5221,10 +4561,6 @@ void security_bpf_prog_free(struct bpf_prog_aux *aux) * * Return: Returns 0 if permission is granted. */ -int security_locked_down(enum lockdown_reason what) -{ - return call_int_hook(locked_down, 0, what); -} EXPORT_SYMBOL(security_locked_down); #ifdef CONFIG_PERF_EVENTS 
@@ -5237,10 +4573,6 @@ EXPORT_SYMBOL(security_locked_down); * * Return: Returns 0 if permission is granted. */ -int security_perf_event_open(struct perf_event_attr *attr, int type) -{ - return call_int_hook(perf_event_open, 0, attr, type); -} /** * security_perf_event_alloc() - Allocate a perf event LSM blob @@ -5250,10 +4582,6 @@ int security_perf_event_open(struct perf_event_attr *attr, int type) * * Return: Returns 0 on success, error on failure. */ -int security_perf_event_alloc(struct perf_event *event) -{ - return call_int_hook(perf_event_alloc, 0, event); -} /** * security_perf_event_free() - Free a perf event LSM blob @@ -5261,10 +4589,6 @@ int security_perf_event_alloc(struct perf_event *event) * * Release (free) perf_event security info. */ -void security_perf_event_free(struct perf_event *event) -{ - call_void_hook(perf_event_free, event); -} /** * security_perf_event_read() - Check if reading a perf event label is allowed @@ -5274,10 +4598,6 @@ void security_perf_event_free(struct perf_event *event) * * Return: Returns 0 if permission is granted. */ -int security_perf_event_read(struct perf_event *event) -{ - return call_int_hook(perf_event_read, 0, event); -} /** * security_perf_event_write() - Check if writing a perf event label is allowed @@ -5287,10 +4607,6 @@ int security_perf_event_read(struct perf_event *event) * * Return: Returns 0 if permission is granted. */ -int security_perf_event_write(struct perf_event *event) -{ - return call_int_hook(perf_event_write, 0, event); -} #endif /* CONFIG_PERF_EVENTS */ #ifdef CONFIG_IO_URING @@ -5303,10 +4619,6 @@ int security_perf_event_write(struct perf_event *event) * * Return: Returns 0 if permission is granted. */ -int security_uring_override_creds(const struct cred *new) -{ - return call_int_hook(uring_override_creds, 0, new); -} /** * security_uring_sqpoll() - Check if IORING_SETUP_SQPOLL is allowed 
@@ -5316,10 +4628,6 @@ int security_uring_override_creds(const struct cred *new) * * Return: Returns 0 if permission is granted. */ -int security_uring_sqpoll(void) -{ - return call_int_hook(uring_sqpoll, 0); -} /** * security_uring_cmd() - Check if a io_uring passthrough command is allowed @@ -5329,8 +4637,4 @@ int security_uring_sqpoll(void) * * Return: Returns 0 if permission is granted. */ -int security_uring_cmd(struct io_uring_cmd *ioucmd) -{ - return call_int_hook(uring_cmd, 0, ioucmd); -} #endif /* CONFIG_IO_URING */
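Review bot: the removals in these security.c hunks leave several `EXPORT_SYMBOL()` lines and kernel-doc blocks without a definition next to them, for example `EXPORT_SYMBOL(security_xfrm_state_alloc);` and `EXPORT_SYMBOL(security_locked_down);` now follow a `/** ... */` comment with no function body in between. If the wrappers are now generated elsewhere (the series title suggests a macro-driven replacement from lsm_hook_defs.h), the exports should move next to the generated definitions and the orphaned kernel-doc blocks should either be dropped or attached to the new definitions, otherwise the build and `scripts/kernel-doc` will complain; the commit message should also say where the removed entry points now come from.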
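Review bot: the removed `security_xfrm_decode_session()` wrapper is not a plain pass-through: it takes `(skb, secid)` but invokes the hook as `call_int_hook(xfrm_decode_session, 0, skb, secid, 1);`, passing a trailing literal `1` that is not one of the wrapper's own parameters. A mechanical one-to-one replacement generated from the hook definition would silently change that call, so please confirm the replacement keeps the extra argument (or explain why the hook signature changes), since the returned secid feeds flow labeling and a changed argument would be a behavioral change rather than a cleanup.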