📄 security.h

📁 Linux kernel source code
📖 Page 1 of 5
 *	@target contains the task_struct structure for target process.
 *	@effective contains the effective capability set.
 *	@inheritable contains the inheritable capability set.
 *	@permitted contains the permitted capability set.
 *	Return 0 if permission is granted.
 * @capset_set:
 *	Set the @effective, @inheritable, and @permitted capability sets for
 *	the @target process.  Since capset_check cannot always check permission
 *	to the real @target process, this hook may also perform permission
 *	checking to determine if the current process is allowed to set the
 *	capability sets of the @target process.  However, this hook has no way
 *	of returning an error due to the structure of the sys_capset code.
 *	@target contains the task_struct structure for target process.
 *	@effective contains the effective capability set.
 *	@inheritable contains the inheritable capability set.
 *	@permitted contains the permitted capability set.
 * @capable:
 *	Check whether the @tsk process has the @cap capability.
 *	@tsk contains the task_struct for the process.
 *	@cap contains the capability <include/linux/capability.h>.
 *	Return 0 if the capability is granted for @tsk.
 * @acct:
 *	Check permission before enabling or disabling process accounting.  If
 *	accounting is being enabled, then @file refers to the open file used to
 *	store accounting records.  If accounting is being disabled, then @file
 *	is NULL.
 *	@file contains the file structure for the accounting file (may be NULL).
 *	Return 0 if permission is granted.
 * @sysctl:
 *	Check permission before accessing the @table sysctl variable in the
 *	manner specified by @op.
 *	@table contains the ctl_table structure for the sysctl variable.
 *	@op contains the operation (001 = search, 002 = write, 004 = read).
 *	Return 0 if permission is granted.
 * @syslog:
 *	Check permission before accessing the kernel message ring or changing
 *	logging to the console.
 *	See the syslog(2) manual page for an explanation of the @type values.
 *	@type contains the type of action.
 *	Return 0 if permission is granted.
 * @settime:
 *	Check permission to change the system time.
 *	struct timespec and timezone are defined in include/linux/time.h
 *	@ts contains new time
 *	@tz contains new timezone
 *	Return 0 if permission is granted.
 * @vm_enough_memory:
 *	Check permissions for allocating a new virtual mapping.
 *	@mm contains the mm struct it is being added to.
 *	@pages contains the number of pages.
 *	Return 0 if permission is granted.
 *
 * @register_security:
 *	allow module stacking.
 *	@name contains the name of the security module being stacked.
 *	@ops contains a pointer to the struct security_operations of the module to stack.
 *
 * @secid_to_secctx:
 *	Convert secid to security context.
 *	@secid contains the security ID.
 *	@secdata contains the pointer that stores the converted security context.
 *
 * @release_secctx:
 *	Release the security context.
 *	@secdata contains the security context.
 *	@seclen contains the length of the security context.
 *
 * This is the main security structure.
 */
struct security_operations {
	int (*ptrace) (struct task_struct * parent, struct task_struct * child);
	int (*capget) (struct task_struct * target,
		       kernel_cap_t * effective,
		       kernel_cap_t * inheritable, kernel_cap_t * permitted);
	int (*capset_check) (struct task_struct * target,
			     kernel_cap_t * effective,
			     kernel_cap_t * inheritable,
			     kernel_cap_t * permitted);
	void (*capset_set) (struct task_struct * target,
			    kernel_cap_t * effective,
			    kernel_cap_t * inheritable,
			    kernel_cap_t * permitted);
	int (*capable) (struct task_struct * tsk, int cap);
	int (*acct) (struct file * file);
	int (*sysctl) (struct ctl_table * table, int op);
	int (*quotactl) (int cmds, int type, int id, struct super_block * sb);
	int (*quota_on) (struct dentry * dentry);
	int (*syslog) (int type);
	int (*settime) (struct timespec *ts, struct timezone *tz);
	int (*vm_enough_memory) (struct mm_struct *mm, long pages);

	int (*bprm_alloc_security) (struct linux_binprm * bprm);
	void (*bprm_free_security) (struct linux_binprm * bprm);
	void (*bprm_apply_creds) (struct linux_binprm * bprm, int unsafe);
	void (*bprm_post_apply_creds) (struct linux_binprm * bprm);
	int (*bprm_set_security) (struct linux_binprm * bprm);
	int (*bprm_check_security) (struct linux_binprm * bprm);
	int (*bprm_secureexec) (struct linux_binprm * bprm);

	int (*sb_alloc_security) (struct super_block * sb);
	void (*sb_free_security) (struct super_block * sb);
	int (*sb_copy_data)(struct file_system_type *type,
			    void *orig, void *copy);
	int (*sb_kern_mount) (struct super_block *sb, void *data);
	int (*sb_statfs) (struct dentry *dentry);
	int (*sb_mount) (char *dev_name, struct nameidata * nd,
			 char *type, unsigned long flags, void *data);
	int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd);
	int (*sb_umount) (struct vfsmount * mnt, int flags);
	void (*sb_umount_close) (struct vfsmount * mnt);
	void (*sb_umount_busy) (struct vfsmount * mnt);
	void (*sb_post_remount) (struct vfsmount * mnt,
				 unsigned long flags, void *data);
	void (*sb_post_mountroot) (void);
	void (*sb_post_addmount) (struct vfsmount * mnt,
				  struct nameidata * mountpoint_nd);
	int (*sb_pivotroot) (struct nameidata * old_nd,
			     struct nameidata * new_nd);
	void (*sb_post_pivotroot) (struct nameidata * old_nd,
				   struct nameidata * new_nd);

	int (*inode_alloc_security) (struct inode *inode);
	void (*inode_free_security) (struct inode *inode);
	int (*inode_init_security) (struct inode *inode, struct inode *dir,
				    char **name, void **value, size_t *len);
	int (*inode_create) (struct inode *dir,
	                     struct dentry *dentry, int mode);
	int (*inode_link) (struct dentry *old_dentry,
	                   struct inode *dir, struct dentry *new_dentry);
	int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
	int (*inode_symlink) (struct inode *dir,
	                      struct dentry *dentry, const char *old_name);
	int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode);
	int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
	int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
	                    int mode, dev_t dev);
	int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
	                     struct inode *new_dir, struct dentry *new_dentry);
	int (*inode_readlink) (struct dentry *dentry);
	int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
	int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd);
	int (*inode_setattr)	(struct dentry *dentry, struct iattr *attr);
	int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
	void (*inode_delete) (struct inode *inode);
	int (*inode_setxattr) (struct dentry *dentry, char *name, void *value,
			       size_t size, int flags);
	void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value,
				     size_t size, int flags);
	int (*inode_getxattr) (struct dentry *dentry, char *name);
	int (*inode_listxattr) (struct dentry *dentry);
	int (*inode_removexattr) (struct dentry *dentry, char *name);
	int (*inode_need_killpriv) (struct dentry *dentry);
	int (*inode_killpriv) (struct dentry *dentry);
	int (*inode_getsecurity)(const struct inode *inode, const char *name, void *buffer, size_t size, int err);
	int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
	int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);

	int (*file_permission) (struct file * file, int mask);
	int (*file_alloc_security) (struct file * file);
	void (*file_free_security) (struct file * file);
	int (*file_ioctl) (struct file * file, unsigned int cmd,
			   unsigned long arg);
	int (*file_mmap) (struct file * file,
			  unsigned long reqprot, unsigned long prot,
			  unsigned long flags, unsigned long addr,
			  unsigned long addr_only);
	int (*file_mprotect) (struct vm_area_struct * vma,
			      unsigned long reqprot,
			      unsigned long prot);
	int (*file_lock) (struct file * file, unsigned int cmd);
	int (*file_fcntl) (struct file * file, unsigned int cmd,
			   unsigned long arg);
	int (*file_set_fowner) (struct file * file);
	int (*file_send_sigiotask) (struct task_struct * tsk,
				    struct fown_struct * fown, int sig);
	int (*file_receive) (struct file * file);
	int (*dentry_open)  (struct file *file);

	int (*task_create) (unsigned long clone_flags);
	int (*task_alloc_security) (struct task_struct * p);
	void (*task_free_security) (struct task_struct * p);
	int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
	int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ ,
				 uid_t old_euid, uid_t old_suid, int flags);
	int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags);
	int (*task_setpgid) (struct task_struct * p, pid_t pgid);
	int (*task_getpgid) (struct task_struct * p);
	int (*task_getsid) (struct task_struct * p);
	void (*task_getsecid) (struct task_struct * p, u32 * secid);
	int (*task_setgroups) (struct group_info *group_info);
	int (*task_setnice) (struct task_struct * p, int nice);
	int (*task_setioprio) (struct task_struct * p, int ioprio);
	int (*task_getioprio) (struct task_struct * p);
	int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim);
	int (*task_setscheduler) (struct task_struct * p, int policy,
				  struct sched_param * lp);
	int (*task_getscheduler) (struct task_struct * p);
	int (*task_movememory) (struct task_struct * p);
	int (*task_kill) (struct task_struct * p,
			  struct siginfo * info, int sig, u32 secid);
	int (*task_wait) (struct task_struct * p);
	int (*task_prctl) (int option, unsigned long arg2,
			   unsigned long arg3, unsigned long arg4,
			   unsigned long arg5);
	void (*task_reparent_to_init) (struct task_struct * p);
	void (*task_to_inode)(struct task_struct *p, struct inode *inode);

	int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);

	int (*msg_msg_alloc_security) (struct msg_msg * msg);
	void (*msg_msg_free_security) (struct msg_msg * msg);

	int (*msg_queue_alloc_security) (struct msg_queue * msq);
	void (*msg_queue_free_security) (struct msg_queue * msq);
	int (*msg_queue_associate) (struct msg_queue * msq, int msqflg);
	int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd);
	int (*msg_queue_msgsnd) (struct msg_queue * msq,
				 struct msg_msg * msg, int msqflg);
	int (*msg_queue_msgrcv) (struct msg_queue * msq,
				 struct msg_msg * msg,
				 struct task_struct * target,
				 long type, int mode);

	int (*shm_alloc_security) (struct shmid_kernel * shp);
	void (*shm_free_security) (struct shmid_kernel * shp);
	int (*shm_associate) (struct shmid_kernel * shp, int shmflg);
	int (*shm_shmctl) (struct shmid_kernel * shp, int cmd);
	int (*shm_shmat) (struct shmid_kernel * shp,
			  char __user *shmaddr, int shmflg);

	int (*sem_alloc_security) (struct sem_array * sma);
	void (*sem_free_security) (struct sem_array * sma);
	int (*sem_associate) (struct sem_array * sma, int semflg);
	int (*sem_semctl) (struct sem_array * sma, int cmd);
	int (*sem_semop) (struct sem_array * sma,
			  struct sembuf * sops, unsigned nsops, int alter);

	int (*netlink_send) (struct sock * sk, struct sk_buff * skb);
	int (*netlink_recv) (struct sk_buff * skb, int cap);

	/* allow module stacking */
	int (*register_security) (const char *name,
	                          struct security_operations *ops);

	void (*d_instantiate) (struct dentry *dentry, struct inode *inode);

	int (*getprocattr)(struct task_struct *p, char *name, char **value);
	int (*setprocattr)(struct task_struct *p, char *name, void *value, size_t size);
	int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
	void (*release_secctx)(char *secdata, u32 seclen);

#ifdef CONFIG_SECURITY_NETWORK
	int (*unix_stream_connect) (struct socket * sock,
				    struct socket * other, struct sock * newsk);
	int (*unix_may_send) (struct socket * sock, struct socket * other);

	int (*socket_create) (int family, int type, int protocol, int kern);
	int (*socket_post_create) (struct socket * sock, int family,
				   int type, int protocol, int kern);
	int (*socket_bind) (struct socket * sock,
			    struct sockaddr * address, int addrlen);
	int (*socket_connect) (struct socket * sock,
			       struct sockaddr * address, int addrlen);
	int (*socket_listen) (struct socket * sock, int backlog);
	int (*socket_accept) (struct socket * sock, struct socket * newsock);
	void (*socket_post_accept) (struct socket * sock,
				    struct socket * newsock);
	int (*socket_sendmsg) (struct socket * sock,
			       struct msghdr * msg, int size);
	int (*socket_recvmsg) (struct socket * sock,
			       struct msghdr * msg, int size, int flags);
	int (*socket_getsockname) (struct socket * sock);
	int (*socket_getpeername) (struct socket * sock);
	int (*socket_getsockopt) (struct socket * sock, int level, int optname);
	int (*socket_setsockopt) (struct socket * sock, int level, int optname);
	int (*socket_shutdown) (struct socket * sock, int how);
	int (*socket_sock_rcv_skb) (struct sock * sk, struct sk_buff * skb);
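
The hook-table pattern and the "return 0 if permission is granted" convention documented in the listing above, as an added userspace model; it is not code from security.h or from the kernel. Assumptions: `struct task`, `current_task`, the `demo_*` functions, `check_sysctl` and the policy itself (sysctl writes need CAP_SYS_ADMIN) are constructed for illustration, and only the `capable` and `sysctl` hooks are modelled.

```c
#include <errno.h>

#define CAP_SYS_ADMIN 21	/* value from include/linux/capability.h */
#define OP_SEARCH 001		/* @op bits as documented for the sysctl hook */
#define OP_WRITE  002
#define OP_READ   004

/* Stand-ins for the kernel types; hypothetical, reduced to what the model needs. */
struct task { unsigned long cap_effective; };
struct ctl_table { const char *procname; };

/* Two of the hooks from the listing, with the task type swapped for the stand-in. */
struct security_operations {
	int (*capable) (struct task *tsk, int cap);
	int (*sysctl) (struct ctl_table *table, int op);
};

static struct task *current_task;	/* models the kernel's `current` */

/* 0 when @cap is in the effective set, -EPERM otherwise. */
static int demo_capable(struct task *tsk, int cap)
{
	return (tsk->cap_effective & (1UL << cap)) ? 0 : -EPERM;
}

/* Constructed policy: search and read are open, any write needs CAP_SYS_ADMIN. */
static int demo_sysctl(struct ctl_table *table, int op)
{
	(void)table;
	if (op & OP_WRITE)
		return demo_capable(current_task, CAP_SYS_ADMIN);
	return 0;
}

static struct security_operations demo_ops = { demo_capable, demo_sysctl };
static struct security_operations *security_ops = &demo_ops;

/* Call site: dispatch through the table and pass the module's verdict on. */
static int security_sysctl(struct ctl_table *table, int op)
{
	return security_ops->sysctl(table, op);
}

/* Driver: run one access check for a task holding the capability bits @caps. */
int check_sysctl(unsigned long caps, int op)
{
	struct task t = { caps };
	struct ctl_table tbl = { "demo" };	/* constructed sample entry */

	current_task = &t;
	return security_sysctl(&tbl, op);
}
```
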
