security.h

自己做的交叉编译工具！gcc-3.4.5,glibc-2.3.6在ubuntu8.04上做的面向kernel-2.6.28的交叉编译工具

 * Security hooks for System V Semaphores
 *
 * @sem_alloc_security:
 *	Allocate and attach a security structure to the sma->sem_perm.security
 *	field.  The security field is initialized to NULL when the structure is
 *	first created.
 *	@sma contains the semaphore structure
 *	Return 0 if operation was successful and permission is granted.
 * @sem_free_security:
 *	deallocate security struct for this semaphore
 *	@sma contains the semaphore structure.
 * @sem_associate:
 *	Check permission when a semaphore is requested through the semget
 *	system call.  This hook is only called when returning the semaphore
 *	identifier for an existing semaphore, not when a new one must be
 *	created.
 *	@sma contains the semaphore structure.
 *	@semflg contains the operation control flags.
 *	Return 0 if permission is granted.
 * @sem_semctl:
 *	Check permission when a semaphore operation specified by @cmd is to be
 *	performed on the semaphore @sma.  The @sma may be NULL, e.g. for 
 *	IPC_INFO or SEM_INFO.
 *	@sma contains the semaphore structure.  May be NULL.
 *	@cmd contains the operation to be performed.
 *	Return 0 if permission is granted.
 * @sem_semop
 *	Check permissions before performing operations on members of the
 *	semaphore set @sma.  If the @alter flag is nonzero, the semaphore set 
 *      may be modified.
 *	@sma contains the semaphore structure.
 *	@sops contains the operations to perform.
 *	@nsops contains the number of operations to perform.
 *	@alter contains the flag indicating whether changes are to be made.
 *	Return 0 if permission is granted.
 *
 * @ptrace:
 *	Check permission before allowing the @parent process to trace the
 *	@child process.
 *	Security modules may also want to perform a process tracing check
 *	during an execve in the set_security or apply_creds hooks of
 *	binprm_security_ops if the process is being traced and its security
 *	attributes would be changed by the execve.
 *	@parent contains the task_struct structure for parent process.
 *	@child contains the task_struct structure for child process.
 *	Return 0 if permission is granted.
 * @capget:
 *	Get the @effective, @inheritable, and @permitted capability sets for
 *	the @target process.  The hook may also perform permission checking to
 *	determine if the current process is allowed to see the capability sets
 *	of the @target process.
 *	@target contains the task_struct structure for target process.
 *	@effective contains the effective capability set.
 *	@inheritable contains the inheritable capability set.
 *	@permitted contains the permitted capability set.
 *	Return 0 if the capability sets were successfully obtained.
 * @capset_check:
 *	Check permission before setting the @effective, @inheritable, and
 *	@permitted capability sets for the @target process.
 *	Caveat:  @target is also set to current if a set of processes is
 *	specified (i.e. all processes other than current and init or a
 *	particular process group).  Hence, the capset_set hook may need to
 *	revalidate permission to the actual target process.
 *	@target contains the task_struct structure for target process.
 *	@effective contains the effective capability set.
 *	@inheritable contains the inheritable capability set.
 *	@permitted contains the permitted capability set.
 *	Return 0 if permission is granted.
 * @capset_set:
 *	Set the @effective, @inheritable, and @permitted capability sets for
 *	the @target process.  Since capset_check cannot always check permission
 *	to the real @target process, this hook may also perform permission
 *	checking to determine if the current process is allowed to set the
 *	capability sets of the @target process.  However, this hook has no way
 *	of returning an error due to the structure of the sys_capset code.
 *	@target contains the task_struct structure for target process.
 *	@effective contains the effective capability set.
 *	@inheritable contains the inheritable capability set.
 *	@permitted contains the permitted capability set.
 * @acct:
 *	Check permission before enabling or disabling process accounting.  If
 *	accounting is being enabled, then @file refers to the open file used to
 *	store accounting records.  If accounting is being disabled, then @file
 *	is NULL.
 *	@file contains the file structure for the accounting file (may be NULL).
 *	Return 0 if permission is granted.
 * @sysctl:
 *	Check permission before accessing the @table sysctl variable in the
 *	manner specified by @op.
 *	@table contains the ctl_table structure for the sysctl variable.
 *	@op contains the operation (001 = search, 002 = write, 004 = read).
 *	Return 0 if permission is granted.
 * @capable:
 *	Check whether the @tsk process has the @cap capability.
 *	@tsk contains the task_struct for the process.
 *	@cap contains the capability <include/linux/capability.h>.
 *	Return 0 if the capability is granted for @tsk.
 * @syslog:
 *	Check permission before accessing the kernel message ring or changing
 *	logging to the console.
 *	See the syslog(2) manual page for an explanation of the @type values.  
 *	@type contains the type of action.
 *	Return 0 if permission is granted.
 * @settime:
 *	Check permission to change the system time.
 *	struct timespec and timezone are defined in include/linux/time.h
 *	@ts contains new time
 *	@tz contains new timezone
 *	Return 0 if permission is granted.
 * @vm_enough_memory:
 *	Check permissions for allocating a new virtual mapping.
 *      @pages contains the number of pages.
 *	Return 0 if permission is granted.
 *
 * @register_security:
 * 	allow module stacking.
 * 	@name contains the name of the security module being stacked.
 * 	@ops contains a pointer to the struct security_operations of the module to stack.
 * @unregister_security:
 *	remove a stacked module.
 *	@name contains the name of the security module being unstacked.
 *	@ops contains a pointer to the struct security_operations of the module to unstack.
 * 
 * This is the main security structure.
 */
struct security_operations {
	int (*ptrace) (struct task_struct * parent, struct task_struct * child);
	int (*capget) (struct task_struct * target,
		       kernel_cap_t * effective,
		       kernel_cap_t * inheritable, kernel_cap_t * permitted);
	int (*capset_check) (struct task_struct * target,
			     kernel_cap_t * effective,
			     kernel_cap_t * inheritable,
			     kernel_cap_t * permitted);
	void (*capset_set) (struct task_struct * target,
			    kernel_cap_t * effective,
			    kernel_cap_t * inheritable,
			    kernel_cap_t * permitted);
	int (*acct) (struct file * file);
	int (*sysctl) (struct ctl_table * table, int op);
	int (*capable) (struct task_struct * tsk, int cap);
	int (*quotactl) (int cmds, int type, int id, struct super_block * sb);
	int (*quota_on) (struct dentry * dentry);
	int (*syslog) (int type);
	int (*settime) (struct timespec *ts, struct timezone *tz);
	int (*vm_enough_memory) (long pages);

	int (*bprm_alloc_security) (struct linux_binprm * bprm);
	void (*bprm_free_security) (struct linux_binprm * bprm);
	void (*bprm_apply_creds) (struct linux_binprm * bprm, int unsafe);
	void (*bprm_post_apply_creds) (struct linux_binprm * bprm);
	int (*bprm_set_security) (struct linux_binprm * bprm);
	int (*bprm_check_security) (struct linux_binprm * bprm);
	int (*bprm_secureexec) (struct linux_binprm * bprm);

	int (*sb_alloc_security) (struct super_block * sb);
	void (*sb_free_security) (struct super_block * sb);
	int (*sb_copy_data)(struct file_system_type *type,
			    void *orig, void *copy);
	int (*sb_kern_mount) (struct super_block *sb, void *data);
	int (*sb_statfs) (struct super_block * sb);
	int (*sb_mount) (char *dev_name, struct nameidata * nd,
			 char *type, unsigned long flags, void *data);
	int (*sb_check_sb) (struct vfsmount * mnt, struct nameidata * nd);
	int (*sb_umount) (struct vfsmount * mnt, int flags);
	void (*sb_umount_close) (struct vfsmount * mnt);
	void (*sb_umount_busy) (struct vfsmount * mnt);
	void (*sb_post_remount) (struct vfsmount * mnt,
				 unsigned long flags, void *data);
	void (*sb_post_mountroot) (void);
	void (*sb_post_addmount) (struct vfsmount * mnt,
				  struct nameidata * mountpoint_nd);
	int (*sb_pivotroot) (struct nameidata * old_nd,
			     struct nameidata * new_nd);
	void (*sb_post_pivotroot) (struct nameidata * old_nd,
				   struct nameidata * new_nd);

	int (*inode_alloc_security) (struct inode *inode);	
	void (*inode_free_security) (struct inode *inode);
	int (*inode_create) (struct inode *dir,
	                     struct dentry *dentry, int mode);
	void (*inode_post_create) (struct inode *dir,
	                           struct dentry *dentry, int mode);
	int (*inode_link) (struct dentry *old_dentry,
	                   struct inode *dir, struct dentry *new_dentry);
	void (*inode_post_link) (struct dentry *old_dentry,
	                         struct inode *dir, struct dentry *new_dentry);
	int (*inode_unlink) (struct inode *dir, struct dentry *dentry);
	int (*inode_symlink) (struct inode *dir,
	                      struct dentry *dentry, const char *old_name);
	void (*inode_post_symlink) (struct inode *dir,
	                            struct dentry *dentry,
	                            const char *old_name);
	int (*inode_mkdir) (struct inode *dir, struct dentry *dentry, int mode);
	void (*inode_post_mkdir) (struct inode *dir, struct dentry *dentry, 
			    int mode);
	int (*inode_rmdir) (struct inode *dir, struct dentry *dentry);
	int (*inode_mknod) (struct inode *dir, struct dentry *dentry,
	                    int mode, dev_t dev);
	void (*inode_post_mknod) (struct inode *dir, struct dentry *dentry,
	                          int mode, dev_t dev);
	int (*inode_rename) (struct inode *old_dir, struct dentry *old_dentry,
	                     struct inode *new_dir, struct dentry *new_dentry);
	void (*inode_post_rename) (struct inode *old_dir,
	                           struct dentry *old_dentry,
	                           struct inode *new_dir,
	                           struct dentry *new_dentry);
	int (*inode_readlink) (struct dentry *dentry);
	int (*inode_follow_link) (struct dentry *dentry, struct nameidata *nd);
	int (*inode_permission) (struct inode *inode, int mask, struct nameidata *nd);
	int (*inode_setattr)	(struct dentry *dentry, struct iattr *attr);
	int (*inode_getattr) (struct vfsmount *mnt, struct dentry *dentry);
        void (*inode_delete) (struct inode *inode);
	int (*inode_setxattr) (struct dentry *dentry, char *name, void *value,
			       size_t size, int flags);
	void (*inode_post_setxattr) (struct dentry *dentry, char *name, void *value,
				     size_t size, int flags);
	int (*inode_getxattr) (struct dentry *dentry, char *name);
	int (*inode_listxattr) (struct dentry *dentry);
	int (*inode_removexattr) (struct dentry *dentry, char *name);
  	int (*inode_getsecurity)(struct inode *inode, const char *name, void *buffer, size_t size);
  	int (*inode_setsecurity)(struct inode *inode, const char *name, const void *value, size_t size, int flags);
  	int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t buffer_size);

	int (*file_permission) (struct file * file, int mask);
	int (*file_alloc_security) (struct file * file);
	void (*file_free_security) (struct file * file);
	int (*file_ioctl) (struct file * file, unsigned int cmd,
			   unsigned long arg);
	int (*file_mmap) (struct file * file,
			  unsigned long reqprot,
			  unsigned long prot, unsigned long flags);
	int (*file_mprotect) (struct vm_area_struct * vma,
			      unsigned long reqprot,
			      unsigned long prot);
	int (*file_lock) (struct file * file, unsigned int cmd);
	int (*file_fcntl) (struct file * file, unsigned int cmd,
			   unsigned long arg);
	int (*file_set_fowner) (struct file * file);
	int (*file_send_sigiotask) (struct task_struct * tsk,
				    struct fown_struct * fown, int sig);
	int (*file_receive) (struct file * file);

	int (*task_create) (unsigned long clone_flags);
	int (*task_alloc_security) (struct task_struct * p);
	void (*task_free_security) (struct task_struct * p);
	int (*task_setuid) (uid_t id0, uid_t id1, uid_t id2, int flags);
	int (*task_post_setuid) (uid_t old_ruid /* or fsuid */ ,
				 uid_t old_euid, uid_t old_suid, int flags);
	int (*task_setgid) (gid_t id0, gid_t id1, gid_t id2, int flags);
	int (*task_setpgid) (struct task_struct * p, pid_t pgid);
	int (*task_getpgid) (struct task_struct * p);
	int (*task_getsid) (struct task_struct * p);
	int (*task_setgroups) (struct group_info *group_info);
	int (*task_setnice) (struct task_struct * p, int nice);
	int (*task_setrlimit) (unsigned int resource, struct rlimit * new_rlim);
	int (*task_setscheduler) (struct task_struct * p, int policy,
				  struct sched_param * lp);
	int (*task_getscheduler) (struct task_struct * p);
	int (*task_kill) (struct task_struct * p,
			  struct siginfo * info, int sig);
	int (*task_wait) (struct task_struct * p);
	int (*task_prctl) (int option, unsigned long arg2,
			   unsigned long arg3, unsigned long arg4,
			   unsigned long arg5);
	void (*task_reparent_to_init) (struct task_struct * p);
	void (*task_to_inode)(struct task_struct *p, struct inode *inode);

	int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);

	int (*msg_msg_alloc_security) (struct msg_msg * msg);
	void (*msg_msg_free_security) (struct msg_msg * msg);

	int (*msg_queue_alloc_security) (struct msg_queue * msq);
	void (*msg_queue_free_security) (struct msg_queue * msq);
	int (*msg_queue_associate) (struct msg_queue * msq, int msqflg);
	int (*msg_queue_msgctl) (struct msg_queue * msq, int cmd);
	int (*msg_queue_msgsnd) (struct msg_queue * msq,
				 struct msg_msg * msg, int msqflg);
	int (*msg_queue_msgrcv) (struct msg_queue * msq,
				 struct msg_msg * msg,
				 struct task_struct * target,
				 long type, int mode);

	int (*shm_alloc_security) (struct shmid_kernel * shp);
	void (*shm_free_security) (struct shmid_kernel * shp);
	int (*shm_associate) (struct shmid_kernel * shp, int shmflg);
	int (*shm_shmctl) (struct shmid_kernel * shp, int cmd);
	int (*shm_shmat) (struct shmid_kernel * shp, 
			  char *shmaddr, int shmflg);

	int (*sem_alloc_security) (struct sem_array * sma);
	void (*sem_free_security) (struct sem_array * sma);
	int (*sem_associate) (struct sem_array * sma, int semflg);
	int (*sem_semctl) (struct sem_array * sma, int cmd);
	int (*sem_semop) (struct sem_array * sma, 
			  struct sembuf * sops, unsigned nsops, int alter);

	int (*netlink_send) (struct sock * sk, struct sk_buff * skb);
	int (*netlink_recv) (struct sk_buff * skb);