* all security modules to use the same descriptions for auditing
* purposes.
*/
-const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1] = {
+const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {
[LOCKDOWN_NONE] = "none",
[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",
[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",
static __initdata const char *chosen_lsm_order;
static __initdata const char *chosen_major_lsm;
-static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
+static __initconst const char *const builtin_lsm_order = CONFIG_LSM;
/* Ordered list of LSMs to initialize. */
static __initdata struct lsm_info **ordered_lsms;
pr_info("initializing lsm=");
/* Report each enabled LSM name, comma separated. */
- for (early = __start_early_lsm_info; early < __end_early_lsm_info; early++)
+ for (early = __start_early_lsm_info;
+ early < __end_early_lsm_info; early++)
if (is_enabled(early))
pr_cont("%s%s", first++ == 0 ? "" : ",", early->name);
for (lsm = ordered_lsms; *lsm; lsm++)
struct lsm_info **lsm;
ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),
- GFP_KERNEL);
+ GFP_KERNEL);
if (chosen_lsm_order) {
if (chosen_major_lsm) {
{
struct lsm_info *lsm;
- init_debug("legacy security=%s\n", chosen_major_lsm ?: " *unspecified*");
+ init_debug("legacy security=%s\n", chosen_major_lsm ? : " *unspecified*");
init_debug(" CONFIG_LSM=%s\n", builtin_lsm_order);
- init_debug("boot arg lsm=%s\n", chosen_lsm_order ?: " *unspecified*");
+ init_debug("boot arg lsm=%s\n", chosen_lsm_order ? : " *unspecified*");
/*
* Append the names of the early LSM modules now that kmalloc() is
* Each LSM has to register its hooks with the infrastructure.
*/
void __init security_add_hooks(struct security_hook_list *hooks, int count,
- const char *lsm)
+ const char *lsm)
{
int i;
* Return: Returns 0 if the capability sets were successfully obtained.
*/
int security_capget(struct task_struct *target,
- kernel_cap_t *effective,
- kernel_cap_t *inheritable,
- kernel_cap_t *permitted)
+ kernel_cap_t *effective,
+ kernel_cap_t *inheritable,
+ kernel_cap_t *permitted)
{
return call_int_hook(capget, 0, target,
- effective, inheritable, permitted);
+ effective, inheritable, permitted);
}
/**
const kernel_cap_t *permitted)
{
return call_int_hook(capset, 0, new, old,
- effective, inheritable, permitted);
+ effective, inheritable, permitted);
}
/**
* Return: Returns 0 if permission is granted.
*/
int security_sb_mount(const char *dev_name, const struct path *path,
- const char *type, unsigned long flags, void *data)
+ const char *type, unsigned long flags, void *data)
{
return call_int_hook(sb_mount, 0, dev_name, path, type, flags, data);
}
*
* Return: Returns 0 if permission is granted.
*/
-int security_sb_pivotroot(const struct path *old_path, const struct path *new_path)
+int security_sb_pivotroot(const struct path *old_path,
+ const struct path *new_path)
{
return call_int_hook(sb_pivotroot, 0, old_path, new_path);
}
* Return: Returns 0 on success, error on failure.
*/
int security_sb_set_mnt_opts(struct super_block *sb,
- void *mnt_opts,
- unsigned long kern_flags,
- unsigned long *set_kern_flags)
+ void *mnt_opts,
+ unsigned long kern_flags,
+ unsigned long *set_kern_flags)
{
return call_int_hook(sb_set_mnt_opts,
- mnt_opts ? -EOPNOTSUPP : 0, sb,
- mnt_opts, kern_flags, set_kern_flags);
+ mnt_opts ? -EOPNOTSUPP : 0, sb,
+ mnt_opts, kern_flags, set_kern_flags);
}
EXPORT_SYMBOL(security_sb_set_mnt_opts);
* Return: Returns 0 on success, error on failure.
*/
int security_sb_clone_mnt_opts(const struct super_block *oldsb,
- struct super_block *newsb,
- unsigned long kern_flags,
- unsigned long *set_kern_flags)
+ struct super_block *newsb,
+ unsigned long kern_flags,
+ unsigned long *set_kern_flags)
{
return call_int_hook(sb_clone_mnt_opts, 0, oldsb, newsb,
- kern_flags, set_kern_flags);
+ kern_flags, set_kern_flags);
}
EXPORT_SYMBOL(security_sb_clone_mnt_opts);
*
* Return: Returns 0 if permission is granted.
*/
-int security_move_mount(const struct path *from_path, const struct path *to_path)
+int security_move_mount(const struct path *from_path,
+ const struct path *to_path)
{
return call_int_hook(move_mount, 0, from_path, to_path);
}
* Return: Returns 0 if permission is granted.
*/
int security_path_notify(const struct path *path, u64 mask,
- unsigned int obj_type)
+ unsigned int obj_type)
{
return call_int_hook(path_notify, 0, path, mask, obj_type);
}
*/
if (inode->i_security)
call_rcu((struct rcu_head *)inode->i_security,
- inode_free_by_rcu);
+ inode_free_by_rcu);
}
/**
/*
* Only one module will provide a security context.
*/
- hlist_for_each_entry(hp, &security_hook_heads.dentry_init_security, list) {
+ hlist_for_each_entry(hp, &security_hook_heads.dentry_init_security,
+ list) {
rc = hp->hook.dentry_init_security(dentry, mode, name,
xattr_name, ctx, ctxlen);
if (rc != LSM_RET_DEFAULT(dentry_init_security))
const struct cred *old, struct cred *new)
{
return call_int_hook(dentry_create_files_as, 0, dentry, mode,
- name, old, new);
+ name, old, new);
}
EXPORT_SYMBOL(security_dentry_create_files_as);
memset(new_xattrs, 0, sizeof(new_xattrs));
lsm_xattr = new_xattrs;
ret = call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, qstr,
- &lsm_xattr->name,
- &lsm_xattr->value,
- &lsm_xattr->value_len);
+ &lsm_xattr->name,
+ &lsm_xattr->value,
+ &lsm_xattr->value_len);
if (ret)
goto out;
*
* Return: Returns 0 if permission is granted.
*/
-int security_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode,
- unsigned int dev)
+int security_path_mknod(const struct path *dir, struct dentry *dentry,
+ umode_t mode, unsigned int dev)
{
if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
return 0;
*
* Return: Returns 0 if permission is granted.
*/
-int security_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t mode)
+int security_path_mkdir(const struct path *dir, struct dentry *dentry,
+ umode_t mode)
{
if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
return 0;
unsigned int flags)
{
if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||
- (d_is_positive(new_dentry) && IS_PRIVATE(d_backing_inode(new_dentry)))))
+ (d_is_positive(new_dentry) &&
+ IS_PRIVATE(d_backing_inode(new_dentry)))))
return 0;
return call_int_hook(path_rename, 0, old_dir, old_dentry, new_dir,
- new_dentry, flags);
+ new_dentry, flags);
}
EXPORT_SYMBOL(security_path_rename);
{
return call_int_hook(path_chroot, 0, path);
}
-#endif
+#endif /* CONFIG_SECURITY_PATH */
/**
* security_inode_create() - Check if creating a file is allowed
*
* Return: Returns 0 if permission is granted.
*/
-int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
+int security_inode_create(struct inode *dir, struct dentry *dentry,
+ umode_t mode)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
* Return: Returns 0 if permission is granted.
*/
int security_inode_link(struct dentry *old_dentry, struct inode *dir,
- struct dentry *new_dentry)
+ struct dentry *new_dentry)
{
if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))
return 0;
* Return: Returns 0 if permission is granted.
*/
int security_inode_symlink(struct inode *dir, struct dentry *dentry,
- const char *old_name)
+ const char *old_name)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
*
* Return: Returns 0 if permission is granted.
*/
-int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
+int security_inode_mknod(struct inode *dir, struct dentry *dentry,
+ umode_t mode, dev_t dev)
{
if (unlikely(IS_PRIVATE(dir)))
return 0;
* Return: Returns 0 if permission is granted.
*/
int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
- struct inode *new_dir, struct dentry *new_dentry,
- unsigned int flags)
+ struct inode *new_dir, struct dentry *new_dentry,
+ unsigned int flags)
{
- if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||
- (d_is_positive(new_dentry) && IS_PRIVATE(d_backing_inode(new_dentry)))))
+ if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||
+ (d_is_positive(new_dentry) &&
+ IS_PRIVATE(d_backing_inode(new_dentry)))))
return 0;
if (flags & RENAME_EXCHANGE) {
int err = call_int_hook(inode_rename, 0, new_dir, new_dentry,
- old_dir, old_dentry);
+ old_dir, old_dentry);
if (err)
return err;
}
return call_int_hook(inode_rename, 0, old_dir, old_dentry,
- new_dir, new_dentry);
+ new_dir, new_dentry);
}
/**
* Only one module will provide an attribute with a given name.
*/
hlist_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {
- rc = hp->hook.inode_getsecurity(idmap, inode, name, buffer, alloc);
+ rc = hp->hook.inode_getsecurity(idmap, inode, name, buffer,
+ alloc);
if (rc != LSM_RET_DEFAULT(inode_getsecurity))
return rc;
}
*
* Return: Returns 0 on success.
*/
-int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
+int security_inode_setsecurity(struct inode *inode, const char *name,
+ const void *value, size_t size, int flags)
{
struct security_hook_list *hp;
int rc;
*/
hlist_for_each_entry(hp, &security_hook_heads.inode_setsecurity, list) {
rc = hp->hook.inode_setsecurity(inode, name, value, size,
- flags);
+ flags);
if (rc != LSM_RET_DEFAULT(inode_setsecurity))
return rc;
}
*
* Return: Returns number of bytes used/required on success.
*/
-int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
+int security_inode_listsecurity(struct inode *inode,
+ char *buffer, size_t buffer_size)
{
if (unlikely(IS_PRIVATE(inode)))
return 0;
* any other error code incase of an error.
*/
hlist_for_each_entry(hp,
- &security_hook_heads.inode_copy_up_xattr, list) {
+ &security_hook_heads.inode_copy_up_xattr, list) {
rc = hp->hook.inode_copy_up_xattr(name);
if (rc != LSM_RET_DEFAULT(inode_copy_up_xattr))
return rc;
* Return: Returns 0 if permission is granted.
*/
int security_mmap_file(struct file *file, unsigned long prot,
- unsigned long flags)
+ unsigned long flags)
{
unsigned long prot_adj = mmap_prot(file, prot);
int ret;
* Return: Returns 0 if permission is granted.
*/
int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
- unsigned long prot)
+ unsigned long prot)
{
int ret;
* Return: Returns 0 if permission is granted.
*/
int security_file_send_sigiotask(struct task_struct *tsk,
- struct fown_struct *fown, int sig)
+ struct fown_struct *fown, int sig)
{
return call_int_hook(file_send_sigiotask, 0, tsk, fown, sig);
}
* Return: Returns 0 on success.
*/
int security_task_fix_setgid(struct cred *new, const struct cred *old,
- int flags)
+ int flags)
{
return call_int_hook(task_fix_setgid, 0, new, old, flags);
}
* Return: Returns 0 if permission is granted.
*/
int security_task_setrlimit(struct task_struct *p, unsigned int resource,
- struct rlimit *new_rlim)
+ struct rlimit *new_rlim)
{
return call_int_hook(task_setrlimit, 0, p, resource, new_rlim);
}
* Return: Returns 0 if permission is granted.
*/
int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,
- int sig, const struct cred *cred)
+ int sig, const struct cred *cred)
{
return call_int_hook(task_kill, 0, p, info, sig, cred);
}
* to cause prctl() to return immediately with that value.
*/
int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
- unsigned long arg4, unsigned long arg5)
+ unsigned long arg4, unsigned long arg5)
{
int thisrc;
int rc = LSM_RET_DEFAULT(task_prctl);
* Return: Returns 0 if permission is granted.
*/
int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,
- struct msg_msg *msg, int msqflg)
+ struct msg_msg *msg, int msqflg)
{
return call_int_hook(msg_queue_msgsnd, 0, msq, msg, msqflg);
}
* Return: Returns 0 if permission is granted.
*/
int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
- struct task_struct *target, long type, int mode)
+ struct task_struct *target, long type, int mode)
{
return call_int_hook(msg_queue_msgrcv, 0, msq, msg, target, type, mode);
}
*
* Return: Returns 0 if permission is granted.
*/
-int security_shm_shmat(struct kern_ipc_perm *shp, char __user *shmaddr, int shmflg)
+int security_shm_shmat(struct kern_ipc_perm *shp,
+ char __user *shmaddr, int shmflg)
{
return call_int_hook(shm_shmat, 0, shp, shmaddr, shmflg);
}
* Return: Returns 0 if permission is granted.
*/
int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
- unsigned nsops, int alter)
+ unsigned nsops, int alter)
{
return call_int_hook(sem_semop, 0, sma, sops, nsops, alter);
}
{
return call_int_hook(watch_key, 0, key);
}
-#endif
+#endif /* CONFIG_KEY_NOTIFICATIONS */
#ifdef CONFIG_SECURITY_NETWORK
/**
*
* Return: Returns 0 if permission is granted.
*/
-int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
+int security_unix_stream_connect(struct sock *sock, struct sock *other,
+ struct sock *newsk)
{
return call_int_hook(unix_stream_connect, 0, sock, other, newsk);
}
int type, int protocol, int kern)
{
return call_int_hook(socket_post_create, 0, sock, family, type,
- protocol, kern);
+ protocol, kern);
}
/**
*
* Return: Returns 0 if permission is granted.
*/
-int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
+int security_socket_bind(struct socket *sock,
+ struct sockaddr *address, int addrlen)
{
return call_int_hook(socket_bind, 0, sock, address, addrlen);
}
*
* Return: Returns 0 if permission is granted.
*/
-int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
+int security_socket_connect(struct socket *sock,
+ struct sockaddr *address, int addrlen)
{
return call_int_hook(socket_connect, 0, sock, address, addrlen);
}
*
* Return: Returns 0 on success, error on failure.
*/
-int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
+int security_socket_getpeersec_dgram(struct socket *sock,
+ struct sk_buff *skb, u32 *secid)
{
return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
skb, secid);
* Return: Returns 0 if permission is granted.
*/
int security_inet_conn_request(const struct sock *sk,
- struct sk_buff *skb, struct request_sock *req)
+ struct sk_buff *skb, struct request_sock *req)
{
return call_int_hook(inet_conn_request, 0, sk, skb, req);
}
* Set that LSM state of @sock using the LSM state from @req.
*/
void security_inet_csk_clone(struct sock *newsk,
- const struct request_sock *req)
+ const struct request_sock *req)
{
call_void_hook(inet_csk_clone, newsk, req);
}
* Update @sock's LSM state to represent a new connection from @skb.
*/
void security_inet_conn_established(struct sock *sk,
- struct sk_buff *skb)
+ struct sk_buff *skb)
{
call_void_hook(inet_conn_established, sk, skb);
}
*
* Return: Returns 0 on success, error on failure.
*/
-int security_sctp_assoc_request(struct sctp_association *asoc, struct sk_buff *skb)
+int security_sctp_assoc_request(struct sctp_association *asoc,
+ struct sk_buff *skb)
{
return call_int_hook(sctp_assoc_request, 0, asoc, skb);
}
#endif /* CONFIG_SECURITY_NETWORK */
#ifdef CONFIG_SECURITY_INFINIBAND
-
/**
* security_ib_pkey_access() - Check if access to an IB pkey is allowed
* @sec: LSM blob
*
* Return: Returns 0 if permission is granted.
*/
-int security_ib_endport_manage_subnet(void *sec, const char *dev_name, u8 port_num)
+int security_ib_endport_manage_subnet(void *sec,
+ const char *dev_name, u8 port_num)
{
- return call_int_hook(ib_endport_manage_subnet, 0, sec, dev_name, port_num);
+ return call_int_hook(ib_endport_manage_subnet, 0, sec,
+ dev_name, port_num);
}
EXPORT_SYMBOL(security_ib_endport_manage_subnet);
#endif /* CONFIG_SECURITY_INFINIBAND */
#ifdef CONFIG_SECURITY_NETWORK_XFRM
-
/**
* security_xfrm_policy_alloc() - Allocate a xfrm policy LSM blob
* @ctxp: xfrm security context being added to the SPD
* Return: Return 0 if operation was successful.
*/
int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
- struct xfrm_sec_ctx **new_ctxp)
+ struct xfrm_sec_ctx **new_ctxp)
{
return call_int_hook(xfrm_policy_clone_security, 0, old_ctx, new_ctxp);
}
* using the macro
*/
hlist_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match,
- list) {
+ list) {
rc = hp->hook.xfrm_state_pol_flow_match(x, xp, flic);
break;
}
void security_skb_classify_flow(struct sk_buff *skb, struct flowi_common *flic)
{
int rc = call_int_hook(xfrm_decode_session, 0, skb, &flic->flowic_secid,
- 0);
+ 0);
BUG_ON(rc);
}
EXPORT_SYMBOL(security_skb_classify_flow);
-
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
#ifdef CONFIG_KEYS
-
/**
* security_key_alloc() - Allocate and initialize a kernel key LSM blob
* @key: key
*_buffer = NULL;
return call_int_hook(key_getsecurity, 0, key, _buffer);
}
-
#endif /* CONFIG_KEYS */
#ifdef CONFIG_AUDIT
-
/**
* security_audit_rule_init() - Allocate and init an LSM audit rule struct
* @field: audit action