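/*
 * include/linux/ccsecurity.h
 *
 * Copyright (C) 2005-2012 NTT DATA CORPORATION
 *
 * Version: 1.8.11 2024/07/15
 *
 * Hook interface between the core kernel and the CCSecurity module.
 *
 * The kernel calls the static inline ccs_*() wrappers below from its
 * system-call and VFS paths.  Each wrapper reads a function pointer out of
 * ccsecurity_ops and calls it when the pointer is set.  When the pointer is
 * NULL, or when CONFIG_CCSECURITY is not set at all, a wrapper returns the
 * permissive value: 0 for the int permission hooks, 1 (true) for
 * ccs_capable() and 0 (false) for ccs_lport_reserved().  Nothing is enforced
 * until the module has installed its hooks, so a 0 return must not be read
 * by callers as proof that a check actually ran.
 *
 * Prototypes differ between kernel releases; LINUX_VERSION_CODE selects the
 * variant that matches the including kernel.
 */

#ifndef _LINUX_CCSECURITY_H
#define _LINUX_CCSECURITY_H

#include <linux/version.h>

/* Define the __user address-space tag as empty where the build lacks it. */
#ifndef __user
#define __user
#endif

struct nameidata;
struct path;
struct dentry;
struct vfsmount;
struct linux_binprm;
struct pt_regs;
struct file;
struct ctl_table;
struct socket;
struct sockaddr;
struct sock;
struct sk_buff;
struct msghdr;
struct pid_namespace;
struct ccs_execve;
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
/*
 * Don't depend on prototype definition, for exec_binprm() is a static function
 * which is implicitly inlined by compiler.
 */
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 8, 0)
int search_binary_handler(struct linux_binprm *bprm);
#else
int search_binary_handler(struct linux_binprm *bprm, struct pt_regs *regs);
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 0, 0)
#include <linux/lsm2ccsecurity.h>
#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
/* Obtain definition of kuid_t and kgid_t. */
#include <linux/uidgid.h>
#endif

#ifdef CONFIG_CCSECURITY

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36) && LINUX_VERSION_CODE < KERNEL_VERSION(3, 2, 0)
/* Obtain prototype of __d_path(). */
#include <linux/dcache.h>
#endif

/*
 * For exporting variables and functions.
 *
 * Kernel-side symbols handed over to the module.  Which members exist
 * depends on the kernel version being built against.
 */
struct ccsecurity_exports {
	void (*load_policy) (const char *filename);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 2, 0)
	char * (*d_absolute_path) (const struct path *, char *, int);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
	typeof(__d_path) (*__d_path);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 5, 0)
	spinlock_t *vfsmount_lock;
#endif
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
	struct task_struct * (*find_task_by_vpid) (pid_t nr);
	struct task_struct * (*find_task_by_pid_ns) (pid_t nr,
						      struct pid_namespace *ns);
#endif
};

/*
 * For doing access control.
 *
 * Every member is a hook the module may install.  The ccs_*() wrappers below
 * treat a NULL member as "no check, permit".  The exec hooks
 * (start_execve/finish_execve or search_binary_handler) are the exception:
 * they wrap the kernel's own exec step, so see the notes on those wrappers.
 */
struct ccsecurity_operations {
	void (*check_profile) (void);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)
	int (*chroot_permission) (const struct path *path);
	int (*pivot_root_permission) (const struct path *old_path,
				      const struct path *new_path);
	int (*mount_permission) (const char *dev_name, const struct path *path,
				 const char *type, unsigned long flags,
				 void *data_page);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
	int (*move_mount_permission) (const struct path *from_path,
				      const struct path *to_path);
#endif
#else
	int (*chroot_permission) (struct nameidata *nd);
	int (*pivot_root_permission) (struct nameidata *old_nd,
				      struct nameidata *new_nd);
	int (*mount_permission) (const char *dev_name, struct nameidata *nd,
				 const char *type, unsigned long flags,
				 void *data_page);
#endif
	int (*umount_permission) (struct vfsmount *mnt, int flags);
	_Bool (*lport_reserved) (const u16 port);
#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)
	void (*save_open_mode) (int mode);
	void (*clear_open_mode) (void);
	int (*open_permission) (struct dentry *dentry, struct vfsmount *mnt,
				const int flag);
#else
	int (*open_permission) (struct file *file);
#endif
	int (*ptrace_permission) (long request, long pid);
	int (*ioctl_permission) (struct file *filp, unsigned int cmd,
				 unsigned long arg);
	int (*parse_table) (int __user *name, int nlen, void __user *oldval,
			    void __user *newval, struct ctl_table *table);
	_Bool (*capable) (const u8 operation);
	int (*mknod_permission) (struct dentry *dentry, struct vfsmount *mnt,
				 unsigned int mode, unsigned int dev);
	int (*mkdir_permission) (struct dentry *dentry, struct vfsmount *mnt,
				 unsigned int mode);
	int (*rmdir_permission) (struct dentry *dentry, struct vfsmount *mnt);
	int (*unlink_permission) (struct dentry *dentry, struct vfsmount *mnt);
	int (*symlink_permission) (struct dentry *dentry, struct vfsmount *mnt,
				   const char *from);
	int (*truncate_permission) (struct dentry *dentry,
				    struct vfsmount *mnt);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
	int (*rename_permission) (struct dentry *old_dentry,
				  struct dentry *new_dentry,
				  struct vfsmount *mnt,
				  const unsigned int flags);
#else
	int (*rename_permission) (struct dentry *old_dentry,
				  struct dentry *new_dentry,
				  struct vfsmount *mnt);
#endif
	int (*link_permission) (struct dentry *old_dentry,
				struct dentry *new_dentry,
				struct vfsmount *mnt);
#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 30)
	int (*open_exec_permission) (struct dentry *dentry,
				     struct vfsmount *mnt);
	int (*uselib_permission) (struct dentry *dentry, struct vfsmount *mnt);
#endif
	int (*fcntl_permission) (struct file *file, unsigned int cmd,
				 unsigned long arg);
	int (*kill_permission) (pid_t pid, int sig);
	int (*tgkill_permission) (pid_t tgid, pid_t pid, int sig);
	int (*tkill_permission) (pid_t pid, int sig);
	int (*socket_create_permission) (int family, int type, int protocol);
	int (*socket_listen_permission) (struct socket *sock);
	int (*socket_connect_permission) (struct socket *sock,
					  struct sockaddr *addr, int addr_len);
	int (*socket_bind_permission) (struct socket *sock,
				       struct sockaddr *addr, int addr_len);
	int (*socket_post_accept_permission) (struct socket *sock,
					      struct socket *newsock);
	int (*socket_sendmsg_permission) (struct socket *sock,
					  struct msghdr *msg, int size);
	int (*socket_post_recvmsg_permission) (struct sock *sk,
					       struct sk_buff *skb, int flags);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
	int (*chown_permission) (struct dentry *dentry, struct vfsmount *mnt,
				 kuid_t user, kgid_t group);
#else
	int (*chown_permission) (struct dentry *dentry, struct vfsmount *mnt,
				 uid_t user, gid_t group);
#endif
	int (*chmod_permission) (struct dentry *dentry, struct vfsmount *mnt,
				 mode_t mode);
	int (*getattr_permission) (struct vfsmount *mnt,
				   struct dentry *dentry);
	int (*sigqueue_permission) (pid_t pid, int sig);
	int (*tgsigqueue_permission) (pid_t tgid, pid_t pid, int sig);
#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)
	int (*start_execve) (struct linux_binprm *bprm, struct ccs_execve **eep);
	void (*finish_execve) (int retval, struct ccs_execve *ep);
#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 8, 0)
	int (*search_binary_handler) (struct linux_binprm *bprm);
#else
	int (*search_binary_handler) (struct linux_binprm *bprm,
				      struct pt_regs *regs);
#endif
#ifdef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY
	int (*alloc_task_security) (const struct task_struct *task);
	void (*free_task_security) (const struct task_struct *task);
#endif
	/* Owned by the module; none of the wrappers in this header read it. */
	_Bool disabled;
};

extern struct ccsecurity_operations ccsecurity_ops;

/*
 * Wrappers for CONFIG_CCSECURITY=y.
 *
 * Each one copies the hook pointer into a local before testing and calling
 * it, so a hook that is being (un)installed concurrently is either called
 * or skipped but never dereferenced as NULL.  A NULL hook yields 0.
 */

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)

static inline int ccs_chroot_permission(const struct path *path)
{
	int (*func) (const struct path *) = ccsecurity_ops.chroot_permission;
	return func ? func(path) : 0;
}

static inline int ccs_pivot_root_permission(const struct path *old_path,
					    const struct path *new_path)
{
	int (*func) (const struct path *, const struct path *)
		= ccsecurity_ops.pivot_root_permission;
	return func ? func(old_path, new_path) : 0;
}

static inline int ccs_mount_permission(const char *dev_name,
				       const struct path *path,
				       const char *type, unsigned long flags,
				       void *data_page)
{
	int (*func) (const char *, const struct path *, const char *,
		     unsigned long, void *) = ccsecurity_ops.mount_permission;
	return func ? func(dev_name, path, type, flags, data_page) : 0;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
static inline int ccs_move_mount_permission(const struct path *from_path,
					    const struct path *to_path)
{
	int (*func) (const struct path *, const struct path *) =
		ccsecurity_ops.move_mount_permission;
	return func ? func(from_path, to_path) : 0;
}
#endif

#else

static inline int ccs_chroot_permission(struct nameidata *nd)
{
	int (*func) (struct nameidata *) = ccsecurity_ops.chroot_permission;
	return func ? func(nd) : 0;
}

static inline int ccs_pivot_root_permission(struct nameidata *old_nd,
					    struct nameidata *new_nd)
{
	int (*func) (struct nameidata *, struct nameidata *)
		= ccsecurity_ops.pivot_root_permission;
	return func ? func(old_nd, new_nd) : 0;
}

static inline int ccs_mount_permission(const char *dev_name,
				       struct nameidata *nd, const char *type,
				       unsigned long flags, void *data_page)
{
	int (*func) (const char *, struct nameidata *, const char *,
		     unsigned long, void *) = ccsecurity_ops.mount_permission;
	return func ? func(dev_name, nd, type, flags, data_page) : 0;
}

#endif

static inline int ccs_umount_permission(struct vfsmount *mnt, int flags)
{
	int (*func) (struct vfsmount *, int)
		= ccsecurity_ops.umount_permission;
	return func ? func(mnt, flags) : 0;
}

#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)

/* Pre-2.6.33 kernels pass the open mode separately from the open hook. */
static inline void ccs_save_open_mode(int mode)
{
	void (*func) (int) = ccsecurity_ops.save_open_mode;
	if (func)
		func(mode);
}

static inline void ccs_clear_open_mode(void)
{
	void (*func) (void) = ccsecurity_ops.clear_open_mode;
	if (func)
		func();
}

static inline int ccs_open_permission(struct dentry *dentry,
				      struct vfsmount *mnt, const int flag)
{
	int (*func) (struct dentry *, struct vfsmount *, const int)
		= ccsecurity_ops.open_permission;
	return func ? func(dentry, mnt, flag) : 0;
}

#else

static inline int ccs_open_permission(struct file *filp)
{
	int (*func) (struct file *) = ccsecurity_ops.open_permission;
	return func ? func(filp) : 0;
}

#endif

static inline int ccs_fcntl_permission(struct file *file, unsigned int cmd,
				       unsigned long arg)
{
	int (*func) (struct file *, unsigned int, unsigned long)
		= ccsecurity_ops.fcntl_permission;
	return func ? func(file, cmd, arg) : 0;
}

static inline int ccs_ioctl_permission(struct file *filp, unsigned int cmd,
				       unsigned long arg)
{
	int (*func) (struct file *, unsigned int, unsigned long)
		= ccsecurity_ops.ioctl_permission;
	return func ? func(filp, cmd, arg) : 0;
}

/*
 * sysctl hook.  @name/@oldval/@newval are userspace pointers and are passed
 * through untouched; any copy_from_user()/validation is the hook's job.
 */
static inline int ccs_parse_table(int __user *name, int nlen,
				  void __user *oldval, void __user *newval,
				  struct ctl_table *table)
{
	int (*func) (int __user *, int, void __user *, void __user *,
		     struct ctl_table *) = ccsecurity_ops.parse_table;
	return func ? func(name, nlen, oldval, newval, table) : 0;
}

static inline int ccs_mknod_permission(struct dentry *dentry,
				       struct vfsmount *mnt, unsigned int mode,
				       unsigned int dev)
{
	int (*func) (struct dentry *, struct vfsmount *, unsigned int,
		     unsigned int) = ccsecurity_ops.mknod_permission;
	return func ? func(dentry, mnt, mode, dev) : 0;
}

static inline int ccs_mkdir_permission(struct dentry *dentry,
				       struct vfsmount *mnt, unsigned int mode)
{
	int (*func) (struct dentry *, struct vfsmount *, unsigned int)
		= ccsecurity_ops.mkdir_permission;
	return func ? func(dentry, mnt, mode) : 0;
}

static inline int ccs_rmdir_permission(struct dentry *dentry,
				       struct vfsmount *mnt)
{
	int (*func) (struct dentry *, struct vfsmount *)
		= ccsecurity_ops.rmdir_permission;
	return func ? func(dentry, mnt) : 0;
}

static inline int ccs_unlink_permission(struct dentry *dentry,
					struct vfsmount *mnt)
{
	int (*func) (struct dentry *, struct vfsmount *)
		= ccsecurity_ops.unlink_permission;
	return func ? func(dentry, mnt) : 0;
}

static inline int ccs_symlink_permission(struct dentry *dentry,
					 struct vfsmount *mnt,
					 const char *from)
{
	int (*func) (struct dentry *, struct vfsmount *, const char *)
		= ccsecurity_ops.symlink_permission;
	return func ? func(dentry, mnt, from) : 0;
}

static inline int ccs_truncate_permission(struct dentry *dentry,
					  struct vfsmount *mnt)
{
	int (*func) (struct dentry *, struct vfsmount *)
		= ccsecurity_ops.truncate_permission;
	return func ? func(dentry, mnt) : 0;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
static inline int ccs_rename_permission(struct dentry *old_dentry,
					struct dentry *new_dentry,
					struct vfsmount *mnt,
					const unsigned int flags)
{
	int (*func) (struct dentry *, struct dentry *, struct vfsmount *,
		     const unsigned int) = ccsecurity_ops.rename_permission;
	return func ? func(old_dentry, new_dentry, mnt, flags) : 0;
}
#else
static inline int ccs_rename_permission(struct dentry *old_dentry,
					struct dentry *new_dentry,
					struct vfsmount *mnt)
{
	int (*func) (struct dentry *, struct dentry *, struct vfsmount *)
		= ccsecurity_ops.rename_permission;
	return func ? func(old_dentry, new_dentry, mnt) : 0;
}
#endif

static inline int ccs_link_permission(struct dentry *old_dentry,
				      struct dentry *new_dentry,
				      struct vfsmount *mnt)
{
	int (*func) (struct dentry *, struct dentry *, struct vfsmount *)
		= ccsecurity_ops.link_permission;
	return func ? func(old_dentry, new_dentry, mnt) : 0;
}

#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 30)

static inline int ccs_open_exec_permission(struct dentry *dentry,
					   struct vfsmount *mnt)
{
	int (*func) (struct dentry *, struct vfsmount *)
		= ccsecurity_ops.open_exec_permission;
	return func ? func(dentry, mnt) : 0;
}

static inline int ccs_uselib_permission(struct dentry *dentry,
					struct vfsmount *mnt)
{
	int (*func) (struct dentry *, struct vfsmount *)
		= ccsecurity_ops.uselib_permission;
	return func ? func(dentry, mnt) : 0;
}

#endif

#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)

static inline int ccs_chown_permission(struct dentry *dentry,
				       struct vfsmount *mnt, kuid_t user,
				       kgid_t group)
{
	int (*func) (struct dentry *, struct vfsmount *, kuid_t, kgid_t)
		= ccsecurity_ops.chown_permission;
	return func ? func(dentry, mnt, user, group) : 0;
}

#else

static inline int ccs_chown_permission(struct dentry *dentry,
				       struct vfsmount *mnt, uid_t user,
				       gid_t group)
{
	int (*func) (struct dentry *, struct vfsmount *, uid_t, gid_t)
		= ccsecurity_ops.chown_permission;
	return func ? func(dentry, mnt, user, group) : 0;
}

#endif

static inline int ccs_chmod_permission(struct dentry *dentry,
				       struct vfsmount *mnt, mode_t mode)
{
	int (*func) (struct dentry *, struct vfsmount *, mode_t)
		= ccsecurity_ops.chmod_permission;
	return func ? func(dentry, mnt, mode) : 0;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)

/*
 * Define as a macro here, for exec_binprm() is a static function.
 *
 * Runs start_execve() before the kernel's exec_binprm() and finish_execve()
 * after it, returning exec_binprm()'s result (or start_execve()'s error, in
 * which case exec_binprm() is skipped).  finish_execve() always runs so the
 * module can release whatever start_execve() allocated into @ee; @ee stays
 * NULL if start_execve() did not set it.
 *
 * @bprm is evaluated exactly once, and the locals carry a ccs_ prefix so
 * the macro cannot capture a caller variable of the same name.  A missing
 * start_execve hook is treated like every other absent hook (no check).
 */
#define ccs_exec_binprm(bprm)						\
({									\
	struct linux_binprm *ccs_bprm__ = (bprm);			\
	struct ccs_execve *ccs_ee__ = NULL;				\
	int (*ccs_start__) (struct linux_binprm *, struct ccs_execve **) \
		= ccsecurity_ops.start_execve;				\
	void (*ccs_finish__) (int, struct ccs_execve *)			\
		= ccsecurity_ops.finish_execve;				\
	int ccs_retval__ = ccs_start__ ?				\
		ccs_start__(ccs_bprm__, &ccs_ee__) : 0;			\
	if (!ccs_retval__)						\
		ccs_retval__ = exec_binprm(ccs_bprm__);			\
	if (ccs_finish__)						\
		ccs_finish__(ccs_retval__, ccs_ee__);			\
	ccs_retval__;							\
})

#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 8, 0)

/*
 * Unlike the permission hooks, this pointer is not NULL-checked: the hook
 * replaces the kernel's search_binary_handler() call, so a NULL here would
 * mean no exec at all rather than "no check".  It is expected to be
 * populated at all times when CONFIG_CCSECURITY is set — confirm against
 * the ccsecurity_ops initializer.
 */
static inline int ccs_search_binary_handler(struct linux_binprm *bprm)
{
	return ccsecurity_ops.search_binary_handler(bprm);
}

#else

/* See the note on the 3.8+ variant above: intentionally not NULL-checked. */
static inline int ccs_search_binary_handler(struct linux_binprm *bprm,
					    struct pt_regs *regs)
{
	return ccsecurity_ops.search_binary_handler(bprm, regs);
}

#endif

#else

/*
 * CONFIG_CCSECURITY not set: every hook collapses to its permissive value
 * and the exec wrappers call the kernel's own exec step directly.
 */

#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 25)

static inline int ccs_chroot_permission(const struct path *path)
{
	return 0;
}

static inline int ccs_pivot_root_permission(const struct path *old_path,
					    const struct path *new_path)
{
	return 0;
}

static inline int ccs_mount_permission(const char *dev_name,
				       const struct path *path,
				       const char *type, unsigned long flags,
				       void *data_page)
{
	return 0;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 2, 0)
static inline int ccs_move_mount_permission(const struct path *from_path,
					    const struct path *to_path)
{
	return 0;
}
#endif

#else

static inline int ccs_chroot_permission(struct nameidata *nd)
{
	return 0;
}

static inline int ccs_pivot_root_permission(struct nameidata *old_nd,
					    struct nameidata *new_nd)
{
	return 0;
}

static inline int ccs_mount_permission(const char *dev_name,
				       struct nameidata *nd, const char *type,
				       unsigned long flags, void *data_page)
{
	return 0;
}

#endif

static inline int ccs_umount_permission(struct vfsmount *mnt, int flags)
{
	return 0;
}

static inline void ccs_save_open_mode(int mode)
{
}

static inline void ccs_clear_open_mode(void)
{
}

#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 32)

static inline int ccs_open_permission(struct dentry *dentry,
				      struct vfsmount *mnt, const int flag)
{
	return 0;
}

#else

static inline int ccs_open_permission(struct file *filp)
{
	return 0;
}

#endif

static inline int ccs_ioctl_permission(struct file *filp, unsigned int cmd,
				       unsigned long arg)
{
	return 0;
}

static inline int ccs_parse_table(int __user *name, int nlen,
				  void __user *oldval, void __user *newval,
				  struct ctl_table *table)
{
	return 0;
}

static inline int ccs_mknod_permission(struct dentry *dentry,
				       struct vfsmount *mnt, unsigned int mode,
				       unsigned int dev)
{
	return 0;
}

static inline int ccs_mkdir_permission(struct dentry *dentry,
				       struct vfsmount *mnt, unsigned int mode)
{
	return 0;
}

static inline int ccs_rmdir_permission(struct dentry *dentry,
				       struct vfsmount *mnt)
{
	return 0;
}

static inline int ccs_unlink_permission(struct dentry *dentry,
					struct vfsmount *mnt)
{
	return 0;
}

static inline int ccs_symlink_permission(struct dentry *dentry,
					 struct vfsmount *mnt,
					 const char *from)
{
	return 0;
}

static inline int ccs_truncate_permission(struct dentry *dentry,
					  struct vfsmount *mnt)
{
	return 0;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 19, 0)
/* Parameter name fixed from "flafs" to match the CONFIG_CCSECURITY variant. */
static inline int ccs_rename_permission(struct dentry *old_dentry,
					struct dentry *new_dentry,
					struct vfsmount *mnt,
					const unsigned int flags)
{
	return 0;
}
#else
static inline int ccs_rename_permission(struct dentry *old_dentry,
					struct dentry *new_dentry,
					struct vfsmount *mnt)
{
	return 0;
}
#endif

static inline int ccs_link_permission(struct dentry *old_dentry,
				      struct dentry *new_dentry,
				      struct vfsmount *mnt)
{
	return 0;
}

static inline int ccs_open_exec_permission(struct dentry *dentry,
					   struct vfsmount *mnt)
{
	return 0;
}

static inline int ccs_uselib_permission(struct dentry *dentry,
					struct vfsmount *mnt)
{
	return 0;
}

static inline int ccs_fcntl_permission(struct file *file, unsigned int cmd,
				       unsigned long arg)
{
	return 0;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)

static inline int ccs_chown_permission(struct dentry *dentry,
				       struct vfsmount *mnt, kuid_t user,
				       kgid_t group)
{
	return 0;
}

#else

static inline int ccs_chown_permission(struct dentry *dentry,
				       struct vfsmount *mnt, uid_t user,
				       gid_t group)
{
	return 0;
}

#endif

static inline int ccs_chmod_permission(struct dentry *dentry,
				       struct vfsmount *mnt, mode_t mode)
{
	return 0;
}

#if LINUX_VERSION_CODE >= KERNEL_VERSION(5, 8, 0)

/* Define as a macro here, for exec_binprm() is a static function. */
#define ccs_exec_binprm(bprm) exec_binprm(bprm)

#elif LINUX_VERSION_CODE >= KERNEL_VERSION(3, 8, 0)

static inline int ccs_search_binary_handler(struct linux_binprm *bprm)
{
	return search_binary_handler(bprm);
}

#else

static inline int ccs_search_binary_handler(struct linux_binprm *bprm,
					    struct pt_regs *regs)
{
	return search_binary_handler(bprm, regs);
}

#endif

#endif

/*
 * The hooks below are gated on their own CONFIG_CCSECURITY_* options rather
 * than on CONFIG_CCSECURITY, but follow the same NULL-means-permit rule.
 */

#ifdef CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY

static inline int ccs_alloc_task_security(const struct task_struct *task)
{
	int (*func) (const struct task_struct *)
		= ccsecurity_ops.alloc_task_security;
	return func ? func(task) : 0;
}

static inline void ccs_free_task_security(const struct task_struct *task)
{
	void (*func) (const struct task_struct *)
		= ccsecurity_ops.free_task_security;
	if (func)
		func(task);
}

#else

static inline int ccs_alloc_task_security(const struct task_struct *task)
{
	return 0;
}

static inline void ccs_free_task_security(const struct task_struct *task)
{
}

#endif

#ifdef CONFIG_CCSECURITY_FILE_GETATTR

static inline int ccs_getattr_permission(struct vfsmount *mnt,
					 struct dentry *dentry)
{
	int (*func) (struct vfsmount *, struct dentry *)
		= ccsecurity_ops.getattr_permission;
	return func ? func(mnt, dentry) : 0;
}

#else

static inline int ccs_getattr_permission(struct vfsmount *mnt,
					 struct dentry *dentry)
{
	return 0;
}

#endif

#ifdef CONFIG_CCSECURITY_NETWORK

static inline int ccs_socket_listen_permission(struct socket *sock)
{
	int (*func) (struct socket *)
		= ccsecurity_ops.socket_listen_permission;
	return func ? func(sock) : 0;
}

static inline int ccs_socket_connect_permission(struct socket *sock,
						struct sockaddr *addr,
						int addr_len)
{
	int (*func) (struct socket *, struct sockaddr *, int)
		= ccsecurity_ops.socket_connect_permission;
	return func ? func(sock, addr, addr_len) : 0;
}

static inline int ccs_socket_bind_permission(struct socket *sock,
					     struct sockaddr *addr,
					     int addr_len)
{
	int (*func) (struct socket *, struct sockaddr *, int)
		= ccsecurity_ops.socket_bind_permission;
	return func ? func(sock, addr, addr_len) : 0;
}

static inline int ccs_socket_post_accept_permission(struct socket *sock,
						    struct socket *newsock)
{
	int (*func) (struct socket *, struct socket *)
		= ccsecurity_ops.socket_post_accept_permission;
	return func ? func(sock, newsock) : 0;
}

static inline int ccs_socket_sendmsg_permission(struct socket *sock,
						struct msghdr *msg,
						int size)
{
	int (*func) (struct socket *, struct msghdr *, int)
		= ccsecurity_ops.socket_sendmsg_permission;
	return func ? func(sock, msg, size) : 0;
}

#else

static inline int ccs_socket_listen_permission(struct socket *sock)
{
	return 0;
}

static inline int ccs_socket_connect_permission(struct socket *sock,
						struct sockaddr *addr,
						int addr_len)
{
	return 0;
}

static inline int ccs_socket_bind_permission(struct socket *sock,
					     struct sockaddr *addr,
					     int addr_len)
{
	return 0;
}

static inline int ccs_socket_post_accept_permission(struct socket *sock,
						    struct socket *newsock)
{
	return 0;
}

static inline int ccs_socket_sendmsg_permission(struct socket *sock,
						struct msghdr *msg,
						int size)
{
	return 0;
}

#endif

#ifdef CONFIG_CCSECURITY_NETWORK_RECVMSG

static inline int ccs_socket_post_recvmsg_permission(struct sock *sk,
						     struct sk_buff *skb,
						     int flags)
{
	int (*func) (struct sock *, struct sk_buff *, int)
		= ccsecurity_ops.socket_post_recvmsg_permission;
	return func ? func(sk, skb, flags) : 0;
}

#else

static inline int ccs_socket_post_recvmsg_permission(struct sock *sk,
						     struct sk_buff *skb,
						     int flags)
{
	return 0;
}

#endif

#ifdef CONFIG_CCSECURITY_PORTRESERVE

/* Returns true when @port must not be handed out as a local port. */
static inline _Bool ccs_lport_reserved(const u16 port)
{
	_Bool (*func) (const u16) = ccsecurity_ops.lport_reserved;
	return func ? func(port) : 0;
}

#else

static inline _Bool ccs_lport_reserved(const u16 port)
{
	return 0;
}

#endif

#ifdef CONFIG_CCSECURITY_CAPABILITY

/*
 * Returns true when @operation (a ccs_capability_acl_index value) is
 * permitted.  Note the default is 1, not 0, because the return is a
 * permission flag rather than an errno-style status.
 */
static inline _Bool ccs_capable(const u8 operation)
{
	_Bool (*func) (const u8) = ccsecurity_ops.capable;
	return func ? func(operation) : 1;
}

static inline int ccs_socket_create_permission(int family, int type,
					       int protocol)
{
	int (*func) (int, int, int) = ccsecurity_ops.socket_create_permission;
	return func ? func(family, type, protocol) : 0;
}

static inline int ccs_ptrace_permission(long request, long pid)
{
	int (*func) (long, long) = ccsecurity_ops.ptrace_permission;
	return func ? func(request, pid) : 0;
}

#else

static inline _Bool ccs_capable(const u8 operation)
{
	return 1;
}

static inline int ccs_socket_create_permission(int family, int type,
					       int protocol)
{
	return 0;
}

static inline int ccs_ptrace_permission(long request, long pid)
{
	return 0;
}

#endif

#ifdef CONFIG_CCSECURITY_IPC

static inline int ccs_kill_permission(pid_t pid, int sig)
{
	int (*func) (pid_t, int) = ccsecurity_ops.kill_permission;
	return func ? func(pid, sig) : 0;
}

static inline int ccs_tgkill_permission(pid_t tgid, pid_t pid, int sig)
{
	int (*func) (pid_t, pid_t, int) = ccsecurity_ops.tgkill_permission;
	return func ? func(tgid, pid, sig) : 0;
}

static inline int ccs_tkill_permission(pid_t pid, int sig)
{
	int (*func) (pid_t, int) = ccsecurity_ops.tkill_permission;
	return func ? func(pid, sig) : 0;
}

static inline int ccs_sigqueue_permission(pid_t pid, int sig)
{
	int (*func) (pid_t, int) = ccsecurity_ops.sigqueue_permission;
	return func ? func(pid, sig) : 0;
}

static inline int ccs_tgsigqueue_permission(pid_t tgid, pid_t pid, int sig)
{
	int (*func) (pid_t, pid_t, int) = ccsecurity_ops.tgsigqueue_permission;
	return func ? func(tgid, pid, sig) : 0;
}

#else

static inline int ccs_kill_permission(pid_t pid, int sig)
{
	return 0;
}

static inline int ccs_tgkill_permission(pid_t tgid, pid_t pid, int sig)
{
	return 0;
}

static inline int ccs_tkill_permission(pid_t pid, int sig)
{
	return 0;
}

static inline int ccs_sigqueue_permission(pid_t pid, int sig)
{
	return 0;
}

static inline int ccs_tgsigqueue_permission(pid_t tgid, pid_t pid, int sig)
{
	return 0;
}

#endif

/*
 * Index numbers for Capability Controls.
 *
 * Passed as the @operation argument of ccs_capable().  The order is part of
 * the interface between kernel and module; append new entries before
 * CCS_MAX_CAPABILITY_INDEX rather than reordering.
 */
enum ccs_capability_acl_index {
	/* socket(PF_ROUTE, *, *) */
	CCS_USE_ROUTE_SOCKET,
	/* socket(PF_PACKET, *, *) */
	CCS_USE_PACKET_SOCKET,
	/* sys_reboot() */
	CCS_SYS_REBOOT,
	/* sys_vhangup() */
	CCS_SYS_VHANGUP,
	/* do_settimeofday(), sys_adjtimex() */
	CCS_SYS_SETTIME,
	/* sys_nice(), sys_setpriority() */
	CCS_SYS_NICE,
	/* sys_sethostname(), sys_setdomainname() */
	CCS_SYS_SETHOSTNAME,
	/* sys_create_module(), sys_init_module(), sys_delete_module() */
	CCS_USE_KERNEL_MODULE,
	/* sys_kexec_load() */
	CCS_SYS_KEXEC_LOAD,
	/* sys_ptrace() */
	CCS_SYS_PTRACE,
	CCS_MAX_CAPABILITY_INDEX
};

#endif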