projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
procfs: add smack subdir to attrs
[linux-2.6-block.git] / security / security.c
CommitLineData
1da177e4
LT		 1/*
2 * Security plug functions
3 *
4 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
5 * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
6 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
d291f1a6 7 * Copyright (C) 2016 Mellanox Technologies
1da177e4
LT		 8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 */
14
9b8c7c14
KC		 15#define pr_fmt(fmt) "LSM: " fmt
16
afdb09c7 17#include <linux/bpf.h>
c59ede7b 18#include <linux/capability.h>
d47be3df 19#include <linux/dcache.h>
876979c9 20#include <linux/export.h>
1da177e4
LT		 21#include <linux/init.h>
22#include <linux/kernel.h>
3c4ed7bd 23#include <linux/lsm_hooks.h>
f381c272 24#include <linux/integrity.h>
6c21a7fb 25#include <linux/ima.h>
3e1be52d 26#include <linux/evm.h>
40401530 27#include <linux/fsnotify.h>
8b3ec681
AV		 28#include <linux/mman.h>
29#include <linux/mount.h>
30#include <linux/personality.h>
75331a59 31#include <linux/backing-dev.h>
3bb857e4 32#include <linux/string.h>
40401530 33#include <net/flow.h>
1da177e4 34
823eb1cc 35#define MAX_LSM_EVM_XATTR 2
1da177e4 36
2d4d5119
KC		 37/* How many LSMs were built into the kernel? */
38#define LSM_COUNT (__end_lsm_info - __start_lsm_info)
39
3dfc9b02 40struct security_hook_heads security_hook_heads __lsm_ro_after_init;
8f408ab6
DJ		 41static ATOMIC_NOTIFIER_HEAD(lsm_notifier_chain);
42
d69dece5 43char *lsm_names;
076c54c5 44/* Boot-time LSM user choice */
79f7865d 45static __initdata const char *chosen_lsm_order;
5ef4e419 46static __initdata const char *chosen_major_lsm;
1da177e4 47
13e735c0
KC		 48static __initconst const char * const builtin_lsm_order = CONFIG_LSM;
49
2d4d5119
KC		 50/* Ordered list of LSMs to initialize. */
51static __initdata struct lsm_info **ordered_lsms;
14bd99c8 52static __initdata struct lsm_info *exclusive;
2d4d5119 53
9b8c7c14
KC		 54static __initdata bool debug;
55#define init_debug(...) \
56 do { \
57 if (debug) \
58 pr_info(__VA_ARGS__); \
59 } while (0)
60
f4941d75
KC		 61static bool __init is_enabled(struct lsm_info *lsm)
62{
a8027fb0
KC		 63 if (!lsm->enabled)
64 return false;
f4941d75 65
a8027fb0 66 return *lsm->enabled;
f4941d75
KC		 67}
68
69/* Mark an LSM's enabled flag. */
70static int lsm_enabled_true __initdata = 1;
71static int lsm_enabled_false __initdata = 0;
72static void __init set_enabled(struct lsm_info *lsm, bool enabled)
73{
74 /*
75 * When an LSM hasn't configured an enable variable, we can use
76 * a hard-coded location for storing the default enabled state.
77 */
78 if (!lsm->enabled) {
79 if (enabled)
80 lsm->enabled = &lsm_enabled_true;
81 else
82 lsm->enabled = &lsm_enabled_false;
83 } else if (lsm->enabled == &lsm_enabled_true) {
84 if (!enabled)
85 lsm->enabled = &lsm_enabled_false;
86 } else if (lsm->enabled == &lsm_enabled_false) {
87 if (enabled)
88 lsm->enabled = &lsm_enabled_true;
89 } else {
90 *lsm->enabled = enabled;
91 }
92}
93
2d4d5119
KC		 94/* Is an LSM already listed in the ordered LSMs list? */
95static bool __init exists_ordered_lsm(struct lsm_info *lsm)
96{
97 struct lsm_info **check;
98
99 for (check = ordered_lsms; *check; check++)
100 if (*check == lsm)
101 return true;
102
103 return false;
104}
105
106/* Append an LSM to the list of ordered LSMs to initialize. */
107static int last_lsm __initdata;
108static void __init append_ordered_lsm(struct lsm_info *lsm, const char *from)
109{
110 /* Ignore duplicate selections. */
111 if (exists_ordered_lsm(lsm))
112 return;
113
114 if (WARN(last_lsm == LSM_COUNT, "%s: out of LSM slots!?\n", from))
115 return;
116
a8027fb0
KC		 117 /* Enable this LSM, if it is not already set. */
118 if (!lsm->enabled)
119 lsm->enabled = &lsm_enabled_true;
2d4d5119 120 ordered_lsms[last_lsm++] = lsm;
a8027fb0 121
2d4d5119
KC		 122 init_debug("%s ordering: %s (%sabled)\n", from, lsm->name,
123 is_enabled(lsm) ? "en" : "dis");
124}
125
f4941d75
KC		 126/* Is an LSM allowed to be initialized? */
127static bool __init lsm_allowed(struct lsm_info *lsm)
128{
129 /* Skip if the LSM is disabled. */
130 if (!is_enabled(lsm))
131 return false;
132
14bd99c8
KC		 133 /* Not allowed if another exclusive LSM already initialized. */
134 if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && exclusive) {
135 init_debug("exclusive disabled: %s\n", lsm->name);
136 return false;
137 }
138
f4941d75
KC		 139 return true;
140}
141
d8e9bbd4
KC		 142/* Prepare LSM for initialization. */
143static void __init prepare_lsm(struct lsm_info *lsm)
f4941d75
KC		 144{
145 int enabled = lsm_allowed(lsm);
146
147 /* Record enablement (to handle any following exclusive LSMs). */
148 set_enabled(lsm, enabled);
149
d8e9bbd4 150 /* If enabled, do pre-initialization work. */
f4941d75 151 if (enabled) {
14bd99c8
KC		 152 if ((lsm->flags & LSM_FLAG_EXCLUSIVE) && !exclusive) {
153 exclusive = lsm;
154 init_debug("exclusive chosen: %s\n", lsm->name);
155 }
d8e9bbd4
KC		 156 }
157}
158
159/* Initialize a given LSM, if it is enabled. */
160static void __init initialize_lsm(struct lsm_info *lsm)
161{
162 if (is_enabled(lsm)) {
163 int ret;
14bd99c8 164
f4941d75
KC		 165 init_debug("initializing %s\n", lsm->name);
166 ret = lsm->init();
167 WARN(ret, "%s failed to initialize: %d\n", lsm->name, ret);
168 }
169}
170
13e735c0 171/* Populate ordered LSMs list from comma-separated LSM name list. */
2d4d5119 172static void __init ordered_lsm_parse(const char *order, const char *origin)
657d910b
KC		 173{
174 struct lsm_info *lsm;
13e735c0
KC		 175 char *sep, *name, *next;
176
e2bc445b
KC		 177 /* LSM_ORDER_FIRST is always first. */
178 for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
179 if (lsm->order == LSM_ORDER_FIRST)
180 append_ordered_lsm(lsm, "first");
181 }
182
7e611486 183 /* Process "security=", if given. */
7e611486
KC		 184 if (chosen_major_lsm) {
185 struct lsm_info *major;
186
187 /*
188 * To match the original "security=" behavior, this
189 * explicitly does NOT fallback to another Legacy Major
190 * if the selected one was separately disabled: disable
191 * all non-matching Legacy Major LSMs.
192 */
193 for (major = __start_lsm_info; major < __end_lsm_info;
194 major++) {
195 if ((major->flags & LSM_FLAG_LEGACY_MAJOR) &&
196 strcmp(major->name, chosen_major_lsm) != 0) {
197 set_enabled(major, false);
198 init_debug("security=%s disabled: %s\n",
199 chosen_major_lsm, major->name);
200 }
201 }
202 }
5ef4e419 203
13e735c0
KC		 204 sep = kstrdup(order, GFP_KERNEL);
205 next = sep;
206 /* Walk the list, looking for matching LSMs. */
207 while ((name = strsep(&next, ",")) != NULL) {
208 bool found = false;
209
210 for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
e2bc445b
KC		 211 if (lsm->order == LSM_ORDER_MUTABLE &&
212 strcmp(lsm->name, name) == 0) {
13e735c0
KC		 213 append_ordered_lsm(lsm, origin);
214 found = true;
215 }
216 }
217
218 if (!found)
219 init_debug("%s ignored: %s\n", origin, name);
657d910b 220 }
c91d8106
CS		 221
222 /* Process "security=", if given. */
223 if (chosen_major_lsm) {
224 for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
225 if (exists_ordered_lsm(lsm))
226 continue;
227 if (strcmp(lsm->name, chosen_major_lsm) == 0)
228 append_ordered_lsm(lsm, "security=");
229 }
230 }
231
232 /* Disable all LSMs not in the ordered list. */
233 for (lsm = __start_lsm_info; lsm < __end_lsm_info; lsm++) {
234 if (exists_ordered_lsm(lsm))
235 continue;
236 set_enabled(lsm, false);
237 init_debug("%s disabled: %s\n", origin, lsm->name);
238 }
239
13e735c0 240 kfree(sep);
657d910b
KC		 241}
242
2d4d5119
KC		 243static void __init ordered_lsm_init(void)
244{
245 struct lsm_info **lsm;
246
247 ordered_lsms = kcalloc(LSM_COUNT + 1, sizeof(*ordered_lsms),
248 GFP_KERNEL);
249
79f7865d
KC		 250 if (chosen_lsm_order)
251 ordered_lsm_parse(chosen_lsm_order, "cmdline");
252 else
253 ordered_lsm_parse(builtin_lsm_order, "builtin");
2d4d5119
KC		 254
255 for (lsm = ordered_lsms; *lsm; lsm++)
d8e9bbd4
KC		 256 prepare_lsm(*lsm);
257
258 for (lsm = ordered_lsms; *lsm; lsm++)
259 initialize_lsm(*lsm);
2d4d5119
KC		 260
261 kfree(ordered_lsms);
262}
263
1da177e4
LT		 264/**
265 * security_init - initializes the security framework
266 *
267 * This should be called early in the kernel initialization sequence.
268 */
269int __init security_init(void)
270{
3dfc9b02 271 int i;
df0ce173 272 struct hlist_head *list = (struct hlist_head *) &security_hook_heads;
3dfc9b02 273
98d29170
KC		 274 pr_info("Security Framework initializing\n");
275
df0ce173 276 for (i = 0; i < sizeof(security_hook_heads) / sizeof(struct hlist_head);
3dfc9b02 277 i++)
df0ce173 278 INIT_HLIST_HEAD(&list[i]);
1da177e4 279
657d910b
KC		 280 /* Load LSMs in specified order. */
281 ordered_lsm_init();
282
1da177e4
LT		 283 return 0;
284}
285
076c54c5 286/* Save user chosen LSM */
5ef4e419 287static int __init choose_major_lsm(char *str)
076c54c5 288{
5ef4e419 289 chosen_major_lsm = str;
076c54c5
AD		 290 return 1;
291}
5ef4e419 292__setup("security=", choose_major_lsm);
076c54c5 293
79f7865d
KC		 294/* Explicitly choose LSM initialization order. */
295static int __init choose_lsm_order(char *str)
296{
297 chosen_lsm_order = str;
298 return 1;
299}
300__setup("lsm=", choose_lsm_order);
301
9b8c7c14
KC		 302/* Enable LSM order debugging. */
303static int __init enable_debug(char *str)
304{
305 debug = true;
306 return 1;
307}
308__setup("lsm.debug", enable_debug);
309
3bb857e4
MS		 310static bool match_last_lsm(const char *list, const char *lsm)
311{
312 const char *last;
313
314 if (WARN_ON(!list || !lsm))
315 return false;
316 last = strrchr(list, ',');
317 if (last)
318 /* Pass the comma, strcmp() will check for '\0' */
319 last++;
320 else
321 last = list;
322 return !strcmp(last, lsm);
323}
324
d69dece5
CS		 325static int lsm_append(char *new, char **result)
326{
327 char *cp;
328
329 if (*result == NULL) {
330 *result = kstrdup(new, GFP_KERNEL);
87ea5843
EB		 331 if (*result == NULL)
332 return -ENOMEM;
d69dece5 333 } else {
3bb857e4
MS		 334 /* Check if it is the last registered name */
335 if (match_last_lsm(*result, new))
336 return 0;
d69dece5
CS		 337 cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);
338 if (cp == NULL)
339 return -ENOMEM;
340 kfree(*result);
341 *result = cp;
342 }
343 return 0;
344}
345
d69dece5
CS		 346/**
347 * security_add_hooks - Add a modules hooks to the hook lists.
348 * @hooks: the hooks to add
349 * @count: the number of hooks to add
350 * @lsm: the name of the security module
351 *
352 * Each LSM has to register its hooks with the infrastructure.
353 */
354void __init security_add_hooks(struct security_hook_list *hooks, int count,
355 char *lsm)
356{
357 int i;
358
359 for (i = 0; i < count; i++) {
360 hooks[i].lsm = lsm;
df0ce173 361 hlist_add_tail_rcu(&hooks[i].list, hooks[i].head);
d69dece5
CS		 362 }
363 if (lsm_append(lsm, &lsm_names) < 0)
364 panic("%s - Cannot get early memory.\n", __func__);
365}
366
8f408ab6
DJ		 367int call_lsm_notifier(enum lsm_event event, void *data)
368{
369 return atomic_notifier_call_chain(&lsm_notifier_chain, event, data);
370}
371EXPORT_SYMBOL(call_lsm_notifier);
372
373int register_lsm_notifier(struct notifier_block *nb)
374{
375 return atomic_notifier_chain_register(&lsm_notifier_chain, nb);
376}
377EXPORT_SYMBOL(register_lsm_notifier);
378
379int unregister_lsm_notifier(struct notifier_block *nb)
380{
381 return atomic_notifier_chain_unregister(&lsm_notifier_chain, nb);
382}
383EXPORT_SYMBOL(unregister_lsm_notifier);
384
f25fce3e 385/*
b1d9e6b0 386 * Hook list operation macros.
1da177e4 387 *
f25fce3e
CS		 388 * call_void_hook:
389 * This is a hook that does not return a value.
1da177e4 390 *
f25fce3e
CS		 391 * call_int_hook:
392 * This is a hook that returns a value.
1da177e4 393 */
1da177e4 394
b1d9e6b0
CS		 395#define call_void_hook(FUNC, ...) \
396 do { \
397 struct security_hook_list *P; \
398 \
df0ce173 399 hlist_for_each_entry(P, &security_hook_heads.FUNC, list) \
b1d9e6b0
CS		 400 P->hook.FUNC(__VA_ARGS__); \
401 } while (0)
402
403#define call_int_hook(FUNC, IRC, ...) ({ \
404 int RC = IRC; \
405 do { \
406 struct security_hook_list *P; \
407 \
df0ce173 408 hlist_for_each_entry(P, &security_hook_heads.FUNC, list) { \
b1d9e6b0
CS		 409 RC = P->hook.FUNC(__VA_ARGS__); \
410 if (RC != 0) \
411 break; \
412 } \
413 } while (0); \
414 RC; \
415})
1da177e4 416
20510f2f
JM		 417/* Security operations */
418
79af7307
SS		 419int security_binder_set_context_mgr(struct task_struct *mgr)
420{
f25fce3e 421 return call_int_hook(binder_set_context_mgr, 0, mgr);
79af7307
SS		 422}
423
424int security_binder_transaction(struct task_struct *from,
425 struct task_struct *to)
426{
f25fce3e 427 return call_int_hook(binder_transaction, 0, from, to);
79af7307
SS		 428}
429
430int security_binder_transfer_binder(struct task_struct *from,
431 struct task_struct *to)
432{
f25fce3e 433 return call_int_hook(binder_transfer_binder, 0, from, to);
79af7307
SS		 434}
435
436int security_binder_transfer_file(struct task_struct *from,
437 struct task_struct *to, struct file *file)
438{
f25fce3e 439 return call_int_hook(binder_transfer_file, 0, from, to, file);
79af7307
SS		 440}
441
9e48858f 442int security_ptrace_access_check(struct task_struct *child, unsigned int mode)
20510f2f 443{
f25fce3e 444 return call_int_hook(ptrace_access_check, 0, child, mode);
5cd9c58f
DH		 445}
446
447int security_ptrace_traceme(struct task_struct *parent)
448{
f25fce3e 449 return call_int_hook(ptrace_traceme, 0, parent);
20510f2f
JM		 450}
451
452int security_capget(struct task_struct *target,
453 kernel_cap_t *effective,
454 kernel_cap_t *inheritable,
455 kernel_cap_t *permitted)
456{
f25fce3e
CS		 457 return call_int_hook(capget, 0, target,
458 effective, inheritable, permitted);
20510f2f
JM		 459}
460
d84f4f99
DH		 461int security_capset(struct cred *new, const struct cred *old,
462 const kernel_cap_t *effective,
463 const kernel_cap_t *inheritable,
464 const kernel_cap_t *permitted)
20510f2f 465{
f25fce3e
CS		 466 return call_int_hook(capset, 0, new, old,
467 effective, inheritable, permitted);
20510f2f
JM		 468}
469
b7e724d3 470int security_capable(const struct cred *cred, struct user_namespace *ns,
3486740a 471 int cap)
20510f2f 472{
f25fce3e 473 return call_int_hook(capable, 0, cred, ns, cap, SECURITY_CAP_AUDIT);
06112163
EP		 474}
475
c7eba4a9
EP		 476int security_capable_noaudit(const struct cred *cred, struct user_namespace *ns,
477 int cap)
06112163 478{
f25fce3e 479 return call_int_hook(capable, 0, cred, ns, cap, SECURITY_CAP_NOAUDIT);
20510f2f
JM		 480}
481
20510f2f
JM		 482int security_quotactl(int cmds, int type, int id, struct super_block *sb)
483{
f25fce3e 484 return call_int_hook(quotactl, 0, cmds, type, id, sb);
20510f2f
JM		 485}
486
487int security_quota_on(struct dentry *dentry)
488{
f25fce3e 489 return call_int_hook(quota_on, 0, dentry);
20510f2f
JM		 490}
491
12b3052c 492int security_syslog(int type)
20510f2f 493{
f25fce3e 494 return call_int_hook(syslog, 0, type);
20510f2f
JM		 495}
496
457db29b 497int security_settime64(const struct timespec64 *ts, const struct timezone *tz)
20510f2f 498{
f25fce3e 499 return call_int_hook(settime, 0, ts, tz);
20510f2f
JM		 500}
501
20510f2f
JM		 502int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)
503{
b1d9e6b0
CS		 504 struct security_hook_list *hp;
505 int cap_sys_admin = 1;
506 int rc;
507
508 /*
509 * The module will respond with a positive value if
510 * it thinks the __vm_enough_memory() call should be
511 * made with the cap_sys_admin set. If all of the modules
512 * agree that it should be set it will. If any module
513 * thinks it should not be set it won't.
514 */
df0ce173 515 hlist_for_each_entry(hp, &security_hook_heads.vm_enough_memory, list) {
b1d9e6b0
CS		 516 rc = hp->hook.vm_enough_memory(mm, pages);
517 if (rc <= 0) {
518 cap_sys_admin = 0;
519 break;
520 }
521 }
522 return __vm_enough_memory(mm, pages, cap_sys_admin);
20510f2f
JM		 523}
524
a6f76f23 525int security_bprm_set_creds(struct linux_binprm *bprm)
20510f2f 526{
f25fce3e 527 return call_int_hook(bprm_set_creds, 0, bprm);
20510f2f
JM		 528}
529
a6f76f23 530int security_bprm_check(struct linux_binprm *bprm)
20510f2f 531{
6c21a7fb
MZ		 532 int ret;
533
f25fce3e 534 ret = call_int_hook(bprm_check_security, 0, bprm);
6c21a7fb
MZ		 535 if (ret)
536 return ret;
537 return ima_bprm_check(bprm);
20510f2f
JM		 538}
539
a6f76f23 540void security_bprm_committing_creds(struct linux_binprm *bprm)
20510f2f 541{
f25fce3e 542 call_void_hook(bprm_committing_creds, bprm);
20510f2f
JM		 543}
544
a6f76f23 545void security_bprm_committed_creds(struct linux_binprm *bprm)
20510f2f 546{
f25fce3e 547 call_void_hook(bprm_committed_creds, bprm);
20510f2f
JM		 548}
549
20510f2f
JM		 550int security_sb_alloc(struct super_block *sb)
551{
f25fce3e 552 return call_int_hook(sb_alloc_security, 0, sb);
20510f2f
JM		 553}
554
555void security_sb_free(struct super_block *sb)
556{
f25fce3e 557 call_void_hook(sb_free_security, sb);
20510f2f
JM		 558}
559
204cc0cc 560void security_free_mnt_opts(void **mnt_opts)
20510f2f 561{
204cc0cc
AV		 562 if (!*mnt_opts)
563 return;
564 call_void_hook(sb_free_mnt_opts, *mnt_opts);
565 *mnt_opts = NULL;
20510f2f 566}
204cc0cc 567EXPORT_SYMBOL(security_free_mnt_opts);
20510f2f 568
204cc0cc 569int security_sb_eat_lsm_opts(char *options, void **mnt_opts)
ff36fe2c 570{
204cc0cc 571 return call_int_hook(sb_eat_lsm_opts, 0, options, mnt_opts);
ff36fe2c 572}
f5c0c26d 573EXPORT_SYMBOL(security_sb_eat_lsm_opts);
ff36fe2c 574
c039bc3c 575int security_sb_remount(struct super_block *sb,
204cc0cc 576 void *mnt_opts)
20510f2f 577{
204cc0cc 578 return call_int_hook(sb_remount, 0, sb, mnt_opts);
ff36fe2c 579}
a65001e8 580EXPORT_SYMBOL(security_sb_remount);
ff36fe2c 581
a10d7c22 582int security_sb_kern_mount(struct super_block *sb)
20510f2f 583{
a10d7c22 584 return call_int_hook(sb_kern_mount, 0, sb);
20510f2f
JM		 585}
586
2069f457
EP		 587int security_sb_show_options(struct seq_file *m, struct super_block *sb)
588{
f25fce3e 589 return call_int_hook(sb_show_options, 0, m, sb);
2069f457
EP		 590}
591
20510f2f
JM		 592int security_sb_statfs(struct dentry *dentry)
593{
f25fce3e 594 return call_int_hook(sb_statfs, 0, dentry);
20510f2f
JM		 595}
596
8a04c43b 597int security_sb_mount(const char *dev_name, const struct path *path,
808d4e3c 598 const char *type, unsigned long flags, void *data)
20510f2f 599{
f25fce3e 600 return call_int_hook(sb_mount, 0, dev_name, path, type, flags, data);
20510f2f
JM		 601}
602
20510f2f
JM		 603int security_sb_umount(struct vfsmount *mnt, int flags)
604{
f25fce3e 605 return call_int_hook(sb_umount, 0, mnt, flags);
20510f2f
JM		 606}
607
3b73b68c 608int security_sb_pivotroot(const struct path *old_path, const struct path *new_path)
20510f2f 609{
f25fce3e 610 return call_int_hook(sb_pivotroot, 0, old_path, new_path);
20510f2f
JM		 611}
612
c9180a57 613int security_sb_set_mnt_opts(struct super_block *sb,
204cc0cc 614 void *mnt_opts,
649f6e77
DQ		 615 unsigned long kern_flags,
616 unsigned long *set_kern_flags)
c9180a57 617{
b1d9e6b0 618 return call_int_hook(sb_set_mnt_opts,
204cc0cc
AV		 619 mnt_opts ? -EOPNOTSUPP : 0, sb,
620 mnt_opts, kern_flags, set_kern_flags);
c9180a57 621}
e0007529 622EXPORT_SYMBOL(security_sb_set_mnt_opts);
c9180a57 623
094f7b69 624int security_sb_clone_mnt_opts(const struct super_block *oldsb,
0b4d3452
SM		 625 struct super_block *newsb,
626 unsigned long kern_flags,
627 unsigned long *set_kern_flags)
c9180a57 628{
0b4d3452
SM		 629 return call_int_hook(sb_clone_mnt_opts, 0, oldsb, newsb,
630 kern_flags, set_kern_flags);
c9180a57 631}
e0007529
EP		 632EXPORT_SYMBOL(security_sb_clone_mnt_opts);
633
757cbe59
AV		 634int security_add_mnt_opt(const char *option, const char *val, int len,
635 void **mnt_opts)
e0007529 636{
757cbe59
AV		 637 return call_int_hook(sb_add_mnt_opt, -EINVAL,
638 option, val, len, mnt_opts);
e0007529 639}
757cbe59 640EXPORT_SYMBOL(security_add_mnt_opt);
c9180a57 641
20510f2f
JM		 642int security_inode_alloc(struct inode *inode)
643{
644 inode->i_security = NULL;
f25fce3e 645 return call_int_hook(inode_alloc_security, 0, inode);
20510f2f
JM		 646}
647
648void security_inode_free(struct inode *inode)
649{
f381c272 650 integrity_inode_free(inode);
f25fce3e 651 call_void_hook(inode_free_security, inode);
20510f2f
JM		 652}
653
d47be3df 654int security_dentry_init_security(struct dentry *dentry, int mode,
4f3ccd76 655 const struct qstr *name, void **ctx,
d47be3df
DQ		 656 u32 *ctxlen)
657{
b1d9e6b0
CS		 658 return call_int_hook(dentry_init_security, -EOPNOTSUPP, dentry, mode,
659 name, ctx, ctxlen);
d47be3df
DQ		 660}
661EXPORT_SYMBOL(security_dentry_init_security);
662
2602625b
VG		 663int security_dentry_create_files_as(struct dentry *dentry, int mode,
664 struct qstr *name,
665 const struct cred *old, struct cred *new)
666{
667 return call_int_hook(dentry_create_files_as, 0, dentry, mode,
668 name, old, new);
669}
670EXPORT_SYMBOL(security_dentry_create_files_as);
671
20510f2f 672int security_inode_init_security(struct inode *inode, struct inode *dir,
9d8f13ba
MZ		 673 const struct qstr *qstr,
674 const initxattrs initxattrs, void *fs_data)
20510f2f 675{
823eb1cc
MZ		 676 struct xattr new_xattrs[MAX_LSM_EVM_XATTR + 1];
677 struct xattr *lsm_xattr, *evm_xattr, *xattr;
9d8f13ba
MZ		 678 int ret;
679
20510f2f 680 if (unlikely(IS_PRIVATE(inode)))
fb88c2b6 681 return 0;
9d8f13ba 682
9d8f13ba 683 if (!initxattrs)
e308fd3b
JB		 684 return call_int_hook(inode_init_security, -EOPNOTSUPP, inode,
685 dir, qstr, NULL, NULL, NULL);
9548906b 686 memset(new_xattrs, 0, sizeof(new_xattrs));
9d8f13ba 687 lsm_xattr = new_xattrs;
b1d9e6b0 688 ret = call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir, qstr,
9d8f13ba
MZ		 689 &lsm_xattr->name,
690 &lsm_xattr->value,
691 &lsm_xattr->value_len);
692 if (ret)
693 goto out;
823eb1cc
MZ		 694
695 evm_xattr = lsm_xattr + 1;
696 ret = evm_inode_init_security(inode, lsm_xattr, evm_xattr);
697 if (ret)
698 goto out;
9d8f13ba
MZ		 699 ret = initxattrs(inode, new_xattrs, fs_data);
700out:
9548906b 701 for (xattr = new_xattrs; xattr->value != NULL; xattr++)
823eb1cc 702 kfree(xattr->value);
9d8f13ba
MZ		 703 return (ret == -EOPNOTSUPP) ? 0 : ret;
704}
705EXPORT_SYMBOL(security_inode_init_security);
706
707int security_old_inode_init_security(struct inode *inode, struct inode *dir,
9548906b 708 const struct qstr *qstr, const char **name,
9d8f13ba 709 void **value, size_t *len)
20510f2f
JM		 710{
711 if (unlikely(IS_PRIVATE(inode)))
30e05324 712 return -EOPNOTSUPP;
e308fd3b
JB		 713 return call_int_hook(inode_init_security, -EOPNOTSUPP, inode, dir,
714 qstr, name, value, len);
20510f2f 715}
9d8f13ba 716EXPORT_SYMBOL(security_old_inode_init_security);
20510f2f 717
be6d3e56 718#ifdef CONFIG_SECURITY_PATH
d3607752 719int security_path_mknod(const struct path *dir, struct dentry *dentry, umode_t mode,
be6d3e56
KT		 720 unsigned int dev)
721{
c6f493d6 722 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
be6d3e56 723 return 0;
f25fce3e 724 return call_int_hook(path_mknod, 0, dir, dentry, mode, dev);
be6d3e56
KT		 725}
726EXPORT_SYMBOL(security_path_mknod);
727
d3607752 728int security_path_mkdir(const struct path *dir, struct dentry *dentry, umode_t mode)
be6d3e56 729{
c6f493d6 730 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
be6d3e56 731 return 0;
f25fce3e 732 return call_int_hook(path_mkdir, 0, dir, dentry, mode);
be6d3e56 733}
82140443 734EXPORT_SYMBOL(security_path_mkdir);
be6d3e56 735
989f74e0 736int security_path_rmdir(const struct path *dir, struct dentry *dentry)
be6d3e56 737{
c6f493d6 738 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
be6d3e56 739 return 0;
f25fce3e 740 return call_int_hook(path_rmdir, 0, dir, dentry);
be6d3e56
KT		 741}
742
989f74e0 743int security_path_unlink(const struct path *dir, struct dentry *dentry)
be6d3e56 744{
c6f493d6 745 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
be6d3e56 746 return 0;
f25fce3e 747 return call_int_hook(path_unlink, 0, dir, dentry);
be6d3e56 748}
82140443 749EXPORT_SYMBOL(security_path_unlink);
be6d3e56 750
d3607752 751int security_path_symlink(const struct path *dir, struct dentry *dentry,
be6d3e56
KT		 752 const char *old_name)
753{
c6f493d6 754 if (unlikely(IS_PRIVATE(d_backing_inode(dir->dentry))))
be6d3e56 755 return 0;
f25fce3e 756 return call_int_hook(path_symlink, 0, dir, dentry, old_name);
be6d3e56
KT		 757}
758
3ccee46a 759int security_path_link(struct dentry *old_dentry, const struct path *new_dir,
be6d3e56
KT		 760 struct dentry *new_dentry)
761{
c6f493d6 762 if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))
be6d3e56 763 return 0;
f25fce3e 764 return call_int_hook(path_link, 0, old_dentry, new_dir, new_dentry);
be6d3e56
KT		 765}
766
3ccee46a
AV		 767int security_path_rename(const struct path *old_dir, struct dentry *old_dentry,
768 const struct path *new_dir, struct dentry *new_dentry,
0b3974eb 769 unsigned int flags)
be6d3e56 770{
c6f493d6
DH		 771 if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||
772 (d_is_positive(new_dentry) && IS_PRIVATE(d_backing_inode(new_dentry)))))
be6d3e56 773 return 0;
da1ce067
MS		 774
775 if (flags & RENAME_EXCHANGE) {
f25fce3e
CS		 776 int err = call_int_hook(path_rename, 0, new_dir, new_dentry,
777 old_dir, old_dentry);
da1ce067
MS		 778 if (err)
779 return err;
780 }
781
f25fce3e
CS		 782 return call_int_hook(path_rename, 0, old_dir, old_dentry, new_dir,
783 new_dentry);
be6d3e56 784}
82140443 785EXPORT_SYMBOL(security_path_rename);
be6d3e56 786
81f4c506 787int security_path_truncate(const struct path *path)
be6d3e56 788{
c6f493d6 789 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
be6d3e56 790 return 0;
f25fce3e 791 return call_int_hook(path_truncate, 0, path);
be6d3e56 792}
89eda068 793
be01f9f2 794int security_path_chmod(const struct path *path, umode_t mode)
89eda068 795{
c6f493d6 796 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
89eda068 797 return 0;
f25fce3e 798 return call_int_hook(path_chmod, 0, path, mode);
89eda068
TH		 799}
800
7fd25dac 801int security_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
89eda068 802{
c6f493d6 803 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
89eda068 804 return 0;
f25fce3e 805 return call_int_hook(path_chown, 0, path, uid, gid);
89eda068 806}
8b8efb44 807
77b286c0 808int security_path_chroot(const struct path *path)
8b8efb44 809{
f25fce3e 810 return call_int_hook(path_chroot, 0, path);
8b8efb44 811}
be6d3e56
KT		 812#endif
813
4acdaf27 814int security_inode_create(struct inode *dir, struct dentry *dentry, umode_t mode)
20510f2f
JM		 815{
816 if (unlikely(IS_PRIVATE(dir)))
817 return 0;
f25fce3e 818 return call_int_hook(inode_create, 0, dir, dentry, mode);
20510f2f 819}
800a9647 820EXPORT_SYMBOL_GPL(security_inode_create);
20510f2f
JM		 821
822int security_inode_link(struct dentry *old_dentry, struct inode *dir,
823 struct dentry *new_dentry)
824{
c6f493d6 825 if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry))))
20510f2f 826 return 0;
f25fce3e 827 return call_int_hook(inode_link, 0, old_dentry, dir, new_dentry);
20510f2f
JM		 828}
829
830int security_inode_unlink(struct inode *dir, struct dentry *dentry)
831{
c6f493d6 832 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
20510f2f 833 return 0;
f25fce3e 834 return call_int_hook(inode_unlink, 0, dir, dentry);
20510f2f
JM		 835}
836
837int security_inode_symlink(struct inode *dir, struct dentry *dentry,
838 const char *old_name)
839{
840 if (unlikely(IS_PRIVATE(dir)))
841 return 0;
f25fce3e 842 return call_int_hook(inode_symlink, 0, dir, dentry, old_name);
20510f2f
JM		 843}
844
18bb1db3 845int security_inode_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
20510f2f
JM		 846{
847 if (unlikely(IS_PRIVATE(dir)))
848 return 0;
f25fce3e 849 return call_int_hook(inode_mkdir, 0, dir, dentry, mode);
20510f2f 850}
800a9647 851EXPORT_SYMBOL_GPL(security_inode_mkdir);
20510f2f
JM		 852
853int security_inode_rmdir(struct inode *dir, struct dentry *dentry)
854{
c6f493d6 855 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
20510f2f 856 return 0;
f25fce3e 857 return call_int_hook(inode_rmdir, 0, dir, dentry);
20510f2f
JM		 858}
859
1a67aafb 860int security_inode_mknod(struct inode *dir, struct dentry *dentry, umode_t mode, dev_t dev)
20510f2f
JM		 861{
862 if (unlikely(IS_PRIVATE(dir)))
863 return 0;
f25fce3e 864 return call_int_hook(inode_mknod, 0, dir, dentry, mode, dev);
20510f2f
JM		 865}
866
867int security_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
0b3974eb
MS		 868 struct inode *new_dir, struct dentry *new_dentry,
869 unsigned int flags)
20510f2f 870{
c6f493d6
DH		 871 if (unlikely(IS_PRIVATE(d_backing_inode(old_dentry)) ||
872 (d_is_positive(new_dentry) && IS_PRIVATE(d_backing_inode(new_dentry)))))
20510f2f 873 return 0;
da1ce067
MS		 874
875 if (flags & RENAME_EXCHANGE) {
f25fce3e 876 int err = call_int_hook(inode_rename, 0, new_dir, new_dentry,
da1ce067
MS		 877 old_dir, old_dentry);
878 if (err)
879 return err;
880 }
881
f25fce3e 882 return call_int_hook(inode_rename, 0, old_dir, old_dentry,
20510f2f
JM		 883 new_dir, new_dentry);
884}
885
886int security_inode_readlink(struct dentry *dentry)
887{
c6f493d6 888 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
20510f2f 889 return 0;
f25fce3e 890 return call_int_hook(inode_readlink, 0, dentry);
20510f2f
JM		 891}
892
bda0be7a
N		 893int security_inode_follow_link(struct dentry *dentry, struct inode *inode,
894 bool rcu)
20510f2f 895{
bda0be7a 896 if (unlikely(IS_PRIVATE(inode)))
20510f2f 897 return 0;
e22619a2 898 return call_int_hook(inode_follow_link, 0, dentry, inode, rcu);
20510f2f
JM		 899}
900
b77b0646 901int security_inode_permission(struct inode *inode, int mask)
20510f2f
JM		 902{
903 if (unlikely(IS_PRIVATE(inode)))
904 return 0;
f25fce3e 905 return call_int_hook(inode_permission, 0, inode, mask);
20510f2f
JM		 906}
907
908int security_inode_setattr(struct dentry *dentry, struct iattr *attr)
909{
817b54aa
MZ		 910 int ret;
911
c6f493d6 912 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
20510f2f 913 return 0;
f25fce3e 914 ret = call_int_hook(inode_setattr, 0, dentry, attr);
817b54aa
MZ		 915 if (ret)
916 return ret;
917 return evm_inode_setattr(dentry, attr);
20510f2f 918}
b1da47e2 919EXPORT_SYMBOL_GPL(security_inode_setattr);
20510f2f 920
3f7036a0 921int security_inode_getattr(const struct path *path)
20510f2f 922{
c6f493d6 923 if (unlikely(IS_PRIVATE(d_backing_inode(path->dentry))))
20510f2f 924 return 0;
f25fce3e 925 return call_int_hook(inode_getattr, 0, path);
20510f2f
JM		 926}
927
8f0cfa52
DH		 928int security_inode_setxattr(struct dentry *dentry, const char *name,
929 const void *value, size_t size, int flags)
20510f2f 930{
3e1be52d
MZ		 931 int ret;
932
c6f493d6 933 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
20510f2f 934 return 0;
b1d9e6b0
CS		 935 /*
936 * SELinux and Smack integrate the cap call,
937 * so assume that all LSMs supplying this call do so.
938 */
939 ret = call_int_hook(inode_setxattr, 1, dentry, name, value, size,
f25fce3e 940 flags);
b1d9e6b0
CS		 941
942 if (ret == 1)
943 ret = cap_inode_setxattr(dentry, name, value, size, flags);
42c63330
MZ		 944 if (ret)
945 return ret;
946 ret = ima_inode_setxattr(dentry, name, value, size);
3e1be52d
MZ		 947 if (ret)
948 return ret;
949 return evm_inode_setxattr(dentry, name, value, size);
20510f2f
JM		 950}
951
8f0cfa52
DH		 952void security_inode_post_setxattr(struct dentry *dentry, const char *name,
953 const void *value, size_t size, int flags)
20510f2f 954{
c6f493d6 955 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
20510f2f 956 return;
f25fce3e 957 call_void_hook(inode_post_setxattr, dentry, name, value, size, flags);
3e1be52d 958 evm_inode_post_setxattr(dentry, name, value, size);
20510f2f
JM		 959}
960
8f0cfa52 961int security_inode_getxattr(struct dentry *dentry, const char *name)
20510f2f 962{
c6f493d6 963 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
20510f2f 964 return 0;
f25fce3e 965 return call_int_hook(inode_getxattr, 0, dentry, name);
20510f2f
JM		 966}
967
968int security_inode_listxattr(struct dentry *dentry)
969{
c6f493d6 970 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
20510f2f 971 return 0;
f25fce3e 972 return call_int_hook(inode_listxattr, 0, dentry);
20510f2f
JM		 973}
974
8f0cfa52 975int security_inode_removexattr(struct dentry *dentry, const char *name)
20510f2f 976{
3e1be52d
MZ		 977 int ret;
978
c6f493d6 979 if (unlikely(IS_PRIVATE(d_backing_inode(dentry))))
20510f2f 980 return 0;
b1d9e6b0
CS		 981 /*
982 * SELinux and Smack integrate the cap call,
983 * so assume that all LSMs supplying this call do so.
984 */
985 ret = call_int_hook(inode_removexattr, 1, dentry, name);
986 if (ret == 1)
987 ret = cap_inode_removexattr(dentry, name);
42c63330
MZ		 988 if (ret)
989 return ret;
990 ret = ima_inode_removexattr(dentry, name);
3e1be52d
MZ		 991 if (ret)
992 return ret;
993 return evm_inode_removexattr(dentry, name);
20510f2f
JM		 994}
995
b5376771
SH		 996int security_inode_need_killpriv(struct dentry *dentry)
997{
f25fce3e 998 return call_int_hook(inode_need_killpriv, 0, dentry);
b5376771
SH		 999}
1000
1001int security_inode_killpriv(struct dentry *dentry)
1002{
f25fce3e 1003 return call_int_hook(inode_killpriv, 0, dentry);
b5376771
SH		 1004}
1005
ea861dfd 1006int security_inode_getsecurity(struct inode *inode, const char *name, void **buffer, bool alloc)
20510f2f 1007{
2885c1e3
CS		 1008 struct security_hook_list *hp;
1009 int rc;
1010
20510f2f 1011 if (unlikely(IS_PRIVATE(inode)))
8d952504 1012 return -EOPNOTSUPP;
2885c1e3
CS		 1013 /*
1014 * Only one module will provide an attribute with a given name.
1015 */
df0ce173 1016 hlist_for_each_entry(hp, &security_hook_heads.inode_getsecurity, list) {
2885c1e3
CS		 1017 rc = hp->hook.inode_getsecurity(inode, name, buffer, alloc);
1018 if (rc != -EOPNOTSUPP)
1019 return rc;
1020 }
1021 return -EOPNOTSUPP;
20510f2f
JM		 1022}
1023
1024int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
1025{
2885c1e3
CS		 1026 struct security_hook_list *hp;
1027 int rc;
1028
20510f2f 1029 if (unlikely(IS_PRIVATE(inode)))
8d952504 1030 return -EOPNOTSUPP;
2885c1e3
CS		 1031 /*
1032 * Only one module will provide an attribute with a given name.
1033 */
df0ce173 1034 hlist_for_each_entry(hp, &security_hook_heads.inode_setsecurity, list) {
2885c1e3
CS		 1035 rc = hp->hook.inode_setsecurity(inode, name, value, size,
1036 flags);
1037 if (rc != -EOPNOTSUPP)
1038 return rc;
1039 }
1040 return -EOPNOTSUPP;
20510f2f
JM		 1041}
1042
1043int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
1044{
1045 if (unlikely(IS_PRIVATE(inode)))
1046 return 0;
f25fce3e 1047 return call_int_hook(inode_listsecurity, 0, inode, buffer, buffer_size);
20510f2f 1048}
c9bccef6 1049EXPORT_SYMBOL(security_inode_listsecurity);
20510f2f 1050
d6335d77 1051void security_inode_getsecid(struct inode *inode, u32 *secid)
8a076191 1052{
f25fce3e 1053 call_void_hook(inode_getsecid, inode, secid);
8a076191
AD		 1054}
1055
d8ad8b49
VG		 1056int security_inode_copy_up(struct dentry *src, struct cred **new)
1057{
1058 return call_int_hook(inode_copy_up, 0, src, new);
1059}
1060EXPORT_SYMBOL(security_inode_copy_up);
1061
121ab822
VG		 1062int security_inode_copy_up_xattr(const char *name)
1063{
1064 return call_int_hook(inode_copy_up_xattr, -EOPNOTSUPP, name);
1065}
1066EXPORT_SYMBOL(security_inode_copy_up_xattr);
1067
20510f2f
JM		 1068int security_file_permission(struct file *file, int mask)
1069{
c4ec54b4
EP		 1070 int ret;
1071
f25fce3e 1072 ret = call_int_hook(file_permission, 0, file, mask);
c4ec54b4
EP		 1073 if (ret)
1074 return ret;
1075
1076 return fsnotify_perm(file, mask);
20510f2f
JM		 1077}
1078
1079int security_file_alloc(struct file *file)
1080{
f25fce3e 1081 return call_int_hook(file_alloc_security, 0, file);
20510f2f
JM		 1082}
1083
1084void security_file_free(struct file *file)
1085{
f25fce3e 1086 call_void_hook(file_free_security, file);
20510f2f
JM		 1087}
1088
1089int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
1090{
f25fce3e 1091 return call_int_hook(file_ioctl, 0, file, cmd, arg);
20510f2f
JM		 1092}
1093
98de59bf 1094static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
20510f2f 1095{
8b3ec681 1096 /*
98de59bf
AV		 1097 * Does we have PROT_READ and does the application expect
1098 * it to imply PROT_EXEC? If not, nothing to talk about...
8b3ec681 1099 */
98de59bf
AV		 1100 if ((prot & (PROT_READ | PROT_EXEC)) != PROT_READ)
1101 return prot;
8b3ec681 1102 if (!(current->personality & READ_IMPLIES_EXEC))
98de59bf
AV		 1103 return prot;
1104 /*
1105 * if that's an anonymous mapping, let it.
1106 */
1107 if (!file)
1108 return prot | PROT_EXEC;
1109 /*
1110 * ditto if it's not on noexec mount, except that on !MMU we need
b4caecd4 1111 * NOMMU_MAP_EXEC (== VM_MAYEXEC) in this case
98de59bf 1112 */
90f8572b 1113 if (!path_noexec(&file->f_path)) {
8b3ec681 1114#ifndef CONFIG_MMU
b4caecd4
CH		 1115 if (file->f_op->mmap_capabilities) {
1116 unsigned caps = file->f_op->mmap_capabilities(file);
1117 if (!(caps & NOMMU_MAP_EXEC))
1118 return prot;
1119 }
8b3ec681 1120#endif
98de59bf 1121 return prot | PROT_EXEC;
8b3ec681 1122 }
98de59bf
AV		 1123 /* anything on noexec mount won't get PROT_EXEC */
1124 return prot;
1125}
1126
1127int security_mmap_file(struct file *file, unsigned long prot,
1128 unsigned long flags)
1129{
1130 int ret;
f25fce3e 1131 ret = call_int_hook(mmap_file, 0, file, prot,
98de59bf 1132 mmap_prot(file, prot), flags);
6c21a7fb
MZ		 1133 if (ret)
1134 return ret;
1135 return ima_file_mmap(file, prot);
20510f2f
JM		 1136}
1137
e5467859
AV		 1138int security_mmap_addr(unsigned long addr)
1139{
f25fce3e 1140 return call_int_hook(mmap_addr, 0, addr);
e5467859
AV		 1141}
1142
20510f2f
JM		 1143int security_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
1144 unsigned long prot)
1145{
f25fce3e 1146 return call_int_hook(file_mprotect, 0, vma, reqprot, prot);
20510f2f
JM		 1147}
1148
1149int security_file_lock(struct file *file, unsigned int cmd)
1150{
f25fce3e 1151 return call_int_hook(file_lock, 0, file, cmd);
20510f2f
JM		 1152}
1153
1154int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
1155{
f25fce3e 1156 return call_int_hook(file_fcntl, 0, file, cmd, arg);
20510f2f
JM		 1157}
1158
e0b93edd 1159void security_file_set_fowner(struct file *file)
20510f2f 1160{
f25fce3e 1161 call_void_hook(file_set_fowner, file);
20510f2f
JM		 1162}
1163
1164int security_file_send_sigiotask(struct task_struct *tsk,
1165 struct fown_struct *fown, int sig)
1166{
f25fce3e 1167 return call_int_hook(file_send_sigiotask, 0, tsk, fown, sig);
20510f2f
JM		 1168}
1169
1170int security_file_receive(struct file *file)
1171{
f25fce3e 1172 return call_int_hook(file_receive, 0, file);
20510f2f
JM		 1173}
1174
e3f20ae2 1175int security_file_open(struct file *file)
20510f2f 1176{
c4ec54b4
EP		 1177 int ret;
1178
94817692 1179 ret = call_int_hook(file_open, 0, file);
c4ec54b4
EP		 1180 if (ret)
1181 return ret;
1182
1183 return fsnotify_perm(file, MAY_OPEN);
20510f2f
JM		 1184}
1185
e4e55b47
TH		 1186int security_task_alloc(struct task_struct *task, unsigned long clone_flags)
1187{
1188 return call_int_hook(task_alloc, 0, task, clone_flags);
1189}
1190
1a2a4d06
KC		 1191void security_task_free(struct task_struct *task)
1192{
f25fce3e 1193 call_void_hook(task_free, task);
1a2a4d06
KC		 1194}
1195
ee18d64c
DH		 1196int security_cred_alloc_blank(struct cred *cred, gfp_t gfp)
1197{
f25fce3e 1198 return call_int_hook(cred_alloc_blank, 0, cred, gfp);
ee18d64c
DH		 1199}
1200
d84f4f99 1201void security_cred_free(struct cred *cred)
20510f2f 1202{
f25fce3e 1203 call_void_hook(cred_free, cred);
20510f2f
JM		 1204}
1205
d84f4f99 1206int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
20510f2f 1207{
f25fce3e 1208 return call_int_hook(cred_prepare, 0, new, old, gfp);
d84f4f99
DH		 1209}
1210
ee18d64c
DH		 1211void security_transfer_creds(struct cred *new, const struct cred *old)
1212{
f25fce3e 1213 call_void_hook(cred_transfer, new, old);
ee18d64c
DH		 1214}
1215
3ec30113
MG		 1216void security_cred_getsecid(const struct cred *c, u32 *secid)
1217{
1218 *secid = 0;
1219 call_void_hook(cred_getsecid, c, secid);
1220}
1221EXPORT_SYMBOL(security_cred_getsecid);
1222
3a3b7ce9
DH		 1223int security_kernel_act_as(struct cred *new, u32 secid)
1224{
f25fce3e 1225 return call_int_hook(kernel_act_as, 0, new, secid);
3a3b7ce9
DH		 1226}
1227
1228int security_kernel_create_files_as(struct cred *new, struct inode *inode)
1229{
f25fce3e 1230 return call_int_hook(kernel_create_files_as, 0, new, inode);
3a3b7ce9
DH		 1231}
1232
dd8dbf2e 1233int security_kernel_module_request(char *kmod_name)
9188499c 1234{
6eb864c1
MK		 1235 int ret;
1236
1237 ret = call_int_hook(kernel_module_request, 0, kmod_name);
1238 if (ret)
1239 return ret;
1240 return integrity_kernel_module_request(kmod_name);
9188499c
EP		 1241}
1242
39eeb4fb
MZ		 1243int security_kernel_read_file(struct file *file, enum kernel_read_file_id id)
1244{
1245 int ret;
1246
1247 ret = call_int_hook(kernel_read_file, 0, file, id);
1248 if (ret)
1249 return ret;
1250 return ima_read_file(file, id);
1251}
1252EXPORT_SYMBOL_GPL(security_kernel_read_file);
1253
bc8ca5b9
MZ		 1254int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
1255 enum kernel_read_file_id id)
b44a7dfc 1256{
cf222217
MZ		 1257 int ret;
1258
1259 ret = call_int_hook(kernel_post_read_file, 0, file, buf, size, id);
1260 if (ret)
1261 return ret;
1262 return ima_post_read_file(file, buf, size, id);
b44a7dfc
MZ		 1263}
1264EXPORT_SYMBOL_GPL(security_kernel_post_read_file);
1265
377179cd
MZ		 1266int security_kernel_load_data(enum kernel_load_data_id id)
1267{
16c267aa
MZ		 1268 int ret;
1269
1270 ret = call_int_hook(kernel_load_data, 0, id);
1271 if (ret)
1272 return ret;
1273 return ima_load_data(id);
377179cd 1274}
83a68a06 1275EXPORT_SYMBOL_GPL(security_kernel_load_data);
377179cd 1276
d84f4f99
DH		 1277int security_task_fix_setuid(struct cred *new, const struct cred *old,
1278 int flags)
20510f2f 1279{
f25fce3e 1280 return call_int_hook(task_fix_setuid, 0, new, old, flags);
20510f2f
JM		 1281}
1282
20510f2f
JM		 1283int security_task_setpgid(struct task_struct *p, pid_t pgid)
1284{
f25fce3e 1285 return call_int_hook(task_setpgid, 0, p, pgid);
20510f2f
JM		 1286}
1287
1288int security_task_getpgid(struct task_struct *p)
1289{
f25fce3e 1290 return call_int_hook(task_getpgid, 0, p);
20510f2f
JM		 1291}
1292
1293int security_task_getsid(struct task_struct *p)
1294{
f25fce3e 1295 return call_int_hook(task_getsid, 0, p);
20510f2f
JM		 1296}
1297
1298void security_task_getsecid(struct task_struct *p, u32 *secid)
1299{
b1d9e6b0 1300 *secid = 0;
f25fce3e 1301 call_void_hook(task_getsecid, p, secid);
20510f2f
JM		 1302}
1303EXPORT_SYMBOL(security_task_getsecid);
1304
20510f2f
JM		 1305int security_task_setnice(struct task_struct *p, int nice)
1306{
f25fce3e 1307 return call_int_hook(task_setnice, 0, p, nice);
20510f2f
JM		 1308}
1309
1310int security_task_setioprio(struct task_struct *p, int ioprio)
1311{
f25fce3e 1312 return call_int_hook(task_setioprio, 0, p, ioprio);
20510f2f
JM		 1313}
1314
1315int security_task_getioprio(struct task_struct *p)
1316{
f25fce3e 1317 return call_int_hook(task_getioprio, 0, p);
20510f2f
JM		 1318}
1319
791ec491
SS		 1320int security_task_prlimit(const struct cred *cred, const struct cred *tcred,
1321 unsigned int flags)
1322{
1323 return call_int_hook(task_prlimit, 0, cred, tcred, flags);
1324}
1325
8fd00b4d
JS		 1326int security_task_setrlimit(struct task_struct *p, unsigned int resource,
1327 struct rlimit *new_rlim)
20510f2f 1328{
f25fce3e 1329 return call_int_hook(task_setrlimit, 0, p, resource, new_rlim);
20510f2f
JM		 1330}
1331
b0ae1981 1332int security_task_setscheduler(struct task_struct *p)
20510f2f 1333{
f25fce3e 1334 return call_int_hook(task_setscheduler, 0, p);
20510f2f
JM		 1335}
1336
1337int security_task_getscheduler(struct task_struct *p)
1338{
f25fce3e 1339 return call_int_hook(task_getscheduler, 0, p);
20510f2f
JM		 1340}
1341
1342int security_task_movememory(struct task_struct *p)
1343{
f25fce3e 1344 return call_int_hook(task_movememory, 0, p);
20510f2f
JM		 1345}
1346
ae7795bc 1347int security_task_kill(struct task_struct *p, struct kernel_siginfo *info,
6b4f3d01 1348 int sig, const struct cred *cred)
20510f2f 1349{
6b4f3d01 1350 return call_int_hook(task_kill, 0, p, info, sig, cred);
20510f2f
JM		 1351}
1352
20510f2f 1353int security_task_prctl(int option, unsigned long arg2, unsigned long arg3,
d84f4f99 1354 unsigned long arg4, unsigned long arg5)
20510f2f 1355{
b1d9e6b0
CS		 1356 int thisrc;
1357 int rc = -ENOSYS;
1358 struct security_hook_list *hp;
1359
df0ce173 1360 hlist_for_each_entry(hp, &security_hook_heads.task_prctl, list) {
b1d9e6b0
CS		 1361 thisrc = hp->hook.task_prctl(option, arg2, arg3, arg4, arg5);
1362 if (thisrc != -ENOSYS) {
1363 rc = thisrc;
1364 if (thisrc != 0)
1365 break;
1366 }
1367 }
1368 return rc;
20510f2f
JM		 1369}
1370
1371void security_task_to_inode(struct task_struct *p, struct inode *inode)
1372{
f25fce3e 1373 call_void_hook(task_to_inode, p, inode);
20510f2f
JM		 1374}
1375
1376int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
1377{
f25fce3e 1378 return call_int_hook(ipc_permission, 0, ipcp, flag);
20510f2f
JM		 1379}
1380
8a076191
AD		 1381void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
1382{
b1d9e6b0 1383 *secid = 0;
f25fce3e 1384 call_void_hook(ipc_getsecid, ipcp, secid);
8a076191
AD		 1385}
1386
20510f2f
JM		 1387int security_msg_msg_alloc(struct msg_msg *msg)
1388{
f25fce3e 1389 return call_int_hook(msg_msg_alloc_security, 0, msg);
20510f2f
JM		 1390}
1391
1392void security_msg_msg_free(struct msg_msg *msg)
1393{
f25fce3e 1394 call_void_hook(msg_msg_free_security, msg);
20510f2f
JM		 1395}
1396
d8c6e854 1397int security_msg_queue_alloc(struct kern_ipc_perm *msq)
20510f2f 1398{
f25fce3e 1399 return call_int_hook(msg_queue_alloc_security, 0, msq);
20510f2f
JM		 1400}
1401
d8c6e854 1402void security_msg_queue_free(struct kern_ipc_perm *msq)
20510f2f 1403{
f25fce3e 1404 call_void_hook(msg_queue_free_security, msq);
20510f2f
JM		 1405}
1406
d8c6e854 1407int security_msg_queue_associate(struct kern_ipc_perm *msq, int msqflg)
20510f2f 1408{
f25fce3e 1409 return call_int_hook(msg_queue_associate, 0, msq, msqflg);
20510f2f
JM		 1410}
1411
d8c6e854 1412int security_msg_queue_msgctl(struct kern_ipc_perm *msq, int cmd)
20510f2f 1413{
f25fce3e 1414 return call_int_hook(msg_queue_msgctl, 0, msq, cmd);
20510f2f
JM		 1415}
1416
d8c6e854 1417int security_msg_queue_msgsnd(struct kern_ipc_perm *msq,
20510f2f
JM		 1418 struct msg_msg *msg, int msqflg)
1419{
f25fce3e 1420 return call_int_hook(msg_queue_msgsnd, 0, msq, msg, msqflg);
20510f2f
JM		 1421}
1422
d8c6e854 1423int security_msg_queue_msgrcv(struct kern_ipc_perm *msq, struct msg_msg *msg,
20510f2f
JM		 1424 struct task_struct *target, long type, int mode)
1425{
f25fce3e 1426 return call_int_hook(msg_queue_msgrcv, 0, msq, msg, target, type, mode);
20510f2f
JM		 1427}
1428
7191adff 1429int security_shm_alloc(struct kern_ipc_perm *shp)
20510f2f 1430{
f25fce3e 1431 return call_int_hook(shm_alloc_security, 0, shp);
20510f2f
JM		 1432}
1433
7191adff 1434void security_shm_free(struct kern_ipc_perm *shp)
20510f2f 1435{
f25fce3e 1436 call_void_hook(shm_free_security, shp);
20510f2f
JM		 1437}
1438
7191adff 1439int security_shm_associate(struct kern_ipc_perm *shp, int shmflg)
20510f2f 1440{
f25fce3e 1441 return call_int_hook(shm_associate, 0, shp, shmflg);
20510f2f
JM		 1442}
1443
7191adff 1444int security_shm_shmctl(struct kern_ipc_perm *shp, int cmd)
20510f2f 1445{
f25fce3e 1446 return call_int_hook(shm_shmctl, 0, shp, cmd);
20510f2f
JM		 1447}
1448
7191adff 1449int security_shm_shmat(struct kern_ipc_perm *shp, char __user *shmaddr, int shmflg)
20510f2f 1450{
f25fce3e 1451 return call_int_hook(shm_shmat, 0, shp, shmaddr, shmflg);
20510f2f
JM		 1452}
1453
aefad959 1454int security_sem_alloc(struct kern_ipc_perm *sma)
20510f2f 1455{
f25fce3e 1456 return call_int_hook(sem_alloc_security, 0, sma);
20510f2f
JM		 1457}
1458
aefad959 1459void security_sem_free(struct kern_ipc_perm *sma)
20510f2f 1460{
f25fce3e 1461 call_void_hook(sem_free_security, sma);
20510f2f
JM		 1462}
1463
aefad959 1464int security_sem_associate(struct kern_ipc_perm *sma, int semflg)
20510f2f 1465{
f25fce3e 1466 return call_int_hook(sem_associate, 0, sma, semflg);
20510f2f
JM		 1467}
1468
aefad959 1469int security_sem_semctl(struct kern_ipc_perm *sma, int cmd)
20510f2f 1470{
f25fce3e 1471 return call_int_hook(sem_semctl, 0, sma, cmd);
20510f2f
JM		 1472}
1473
aefad959 1474int security_sem_semop(struct kern_ipc_perm *sma, struct sembuf *sops,
20510f2f
JM		 1475 unsigned nsops, int alter)
1476{
f25fce3e 1477 return call_int_hook(sem_semop, 0, sma, sops, nsops, alter);
20510f2f
JM		 1478}
1479
1480void security_d_instantiate(struct dentry *dentry, struct inode *inode)
1481{
1482 if (unlikely(inode && IS_PRIVATE(inode)))
1483 return;
f25fce3e 1484 call_void_hook(d_instantiate, dentry, inode);
20510f2f
JM		 1485}
1486EXPORT_SYMBOL(security_d_instantiate);
1487
6d9c939d
CS		 1488int security_getprocattr(struct task_struct *p, const char *lsm, char *name,
1489 char **value)
20510f2f 1490{
6d9c939d
CS		 1491 struct security_hook_list *hp;
1492
1493 hlist_for_each_entry(hp, &security_hook_heads.getprocattr, list) {
1494 if (lsm != NULL && strcmp(lsm, hp->lsm))
1495 continue;
1496 return hp->hook.getprocattr(p, name, value);
1497 }
1498 return -EINVAL;
20510f2f
JM		 1499}
1500
6d9c939d
CS		 1501int security_setprocattr(const char *lsm, const char *name, void *value,
1502 size_t size)
20510f2f 1503{
6d9c939d
CS		 1504 struct security_hook_list *hp;
1505
1506 hlist_for_each_entry(hp, &security_hook_heads.setprocattr, list) {
1507 if (lsm != NULL && strcmp(lsm, hp->lsm))
1508 continue;
1509 return hp->hook.setprocattr(name, value, size);
1510 }
1511 return -EINVAL;
20510f2f
JM		 1512}
1513
1514int security_netlink_send(struct sock *sk, struct sk_buff *skb)
1515{
f25fce3e 1516 return call_int_hook(netlink_send, 0, sk, skb);
20510f2f 1517}
20510f2f 1518
746df9b5
DQ		 1519int security_ismaclabel(const char *name)
1520{
f25fce3e 1521 return call_int_hook(ismaclabel, 0, name);
746df9b5
DQ		 1522}
1523EXPORT_SYMBOL(security_ismaclabel);
1524
20510f2f
JM		 1525int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
1526{
b1d9e6b0
CS		 1527 return call_int_hook(secid_to_secctx, -EOPNOTSUPP, secid, secdata,
1528 seclen);
20510f2f
JM		 1529}
1530EXPORT_SYMBOL(security_secid_to_secctx);
1531
7bf570dc 1532int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
63cb3449 1533{
b1d9e6b0 1534 *secid = 0;
f25fce3e 1535 return call_int_hook(secctx_to_secid, 0, secdata, seclen, secid);
63cb3449
DH		 1536}
1537EXPORT_SYMBOL(security_secctx_to_secid);
1538
20510f2f
JM		 1539void security_release_secctx(char *secdata, u32 seclen)
1540{
f25fce3e 1541 call_void_hook(release_secctx, secdata, seclen);
20510f2f
JM		 1542}
1543EXPORT_SYMBOL(security_release_secctx);
1544
6f3be9f5
AG		 1545void security_inode_invalidate_secctx(struct inode *inode)
1546{
1547 call_void_hook(inode_invalidate_secctx, inode);
1548}
1549EXPORT_SYMBOL(security_inode_invalidate_secctx);
1550
1ee65e37
DQ		 1551int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
1552{
f25fce3e 1553 return call_int_hook(inode_notifysecctx, 0, inode, ctx, ctxlen);
1ee65e37
DQ		 1554}
1555EXPORT_SYMBOL(security_inode_notifysecctx);
1556
1557int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
1558{
f25fce3e 1559 return call_int_hook(inode_setsecctx, 0, dentry, ctx, ctxlen);
1ee65e37
DQ		 1560}
1561EXPORT_SYMBOL(security_inode_setsecctx);
1562
1563int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
1564{
b1d9e6b0 1565 return call_int_hook(inode_getsecctx, -EOPNOTSUPP, inode, ctx, ctxlen);
1ee65e37
DQ		 1566}
1567EXPORT_SYMBOL(security_inode_getsecctx);
1568
20510f2f
JM		 1569#ifdef CONFIG_SECURITY_NETWORK
1570
3610cda5 1571int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
20510f2f 1572{
f25fce3e 1573 return call_int_hook(unix_stream_connect, 0, sock, other, newsk);
20510f2f
JM		 1574}
1575EXPORT_SYMBOL(security_unix_stream_connect);
1576
1577int security_unix_may_send(struct socket *sock, struct socket *other)
1578{
f25fce3e 1579 return call_int_hook(unix_may_send, 0, sock, other);
20510f2f
JM		 1580}
1581EXPORT_SYMBOL(security_unix_may_send);
1582
1583int security_socket_create(int family, int type, int protocol, int kern)
1584{
f25fce3e 1585 return call_int_hook(socket_create, 0, family, type, protocol, kern);
20510f2f
JM		 1586}
1587
1588int security_socket_post_create(struct socket *sock, int family,
1589 int type, int protocol, int kern)
1590{
f25fce3e 1591 return call_int_hook(socket_post_create, 0, sock, family, type,
20510f2f
JM		 1592 protocol, kern);
1593}
1594
aae7cfcb
DH		 1595int security_socket_socketpair(struct socket *socka, struct socket *sockb)
1596{
1597 return call_int_hook(socket_socketpair, 0, socka, sockb);
1598}
1599EXPORT_SYMBOL(security_socket_socketpair);
1600
20510f2f
JM		 1601int security_socket_bind(struct socket *sock, struct sockaddr *address, int addrlen)
1602{
f25fce3e 1603 return call_int_hook(socket_bind, 0, sock, address, addrlen);
20510f2f
JM		 1604}
1605
1606int security_socket_connect(struct socket *sock, struct sockaddr *address, int addrlen)
1607{
f25fce3e 1608 return call_int_hook(socket_connect, 0, sock, address, addrlen);
20510f2f
JM		 1609}
1610
1611int security_socket_listen(struct socket *sock, int backlog)
1612{
f25fce3e 1613 return call_int_hook(socket_listen, 0, sock, backlog);
20510f2f
JM		 1614}
1615
1616int security_socket_accept(struct socket *sock, struct socket *newsock)
1617{
f25fce3e 1618 return call_int_hook(socket_accept, 0, sock, newsock);
20510f2f
JM		 1619}
1620
20510f2f
JM		 1621int security_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
1622{
f25fce3e 1623 return call_int_hook(socket_sendmsg, 0, sock, msg, size);
20510f2f
JM		 1624}
1625
1626int security_socket_recvmsg(struct socket *sock, struct msghdr *msg,
1627 int size, int flags)
1628{
f25fce3e 1629 return call_int_hook(socket_recvmsg, 0, sock, msg, size, flags);
20510f2f
JM		 1630}
1631
1632int security_socket_getsockname(struct socket *sock)
1633{
f25fce3e 1634 return call_int_hook(socket_getsockname, 0, sock);
20510f2f
JM		 1635}
1636
1637int security_socket_getpeername(struct socket *sock)
1638{
f25fce3e 1639 return call_int_hook(socket_getpeername, 0, sock);
20510f2f
JM		 1640}
1641
1642int security_socket_getsockopt(struct socket *sock, int level, int optname)
1643{
f25fce3e 1644 return call_int_hook(socket_getsockopt, 0, sock, level, optname);
20510f2f
JM		 1645}
1646
1647int security_socket_setsockopt(struct socket *sock, int level, int optname)
1648{
f25fce3e 1649 return call_int_hook(socket_setsockopt, 0, sock, level, optname);
20510f2f
JM		 1650}
1651
1652int security_socket_shutdown(struct socket *sock, int how)
1653{
f25fce3e 1654 return call_int_hook(socket_shutdown, 0, sock, how);
20510f2f
JM		 1655}
1656
1657int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
1658{
f25fce3e 1659 return call_int_hook(socket_sock_rcv_skb, 0, sk, skb);
20510f2f
JM		 1660}
1661EXPORT_SYMBOL(security_sock_rcv_skb);
1662
1663int security_socket_getpeersec_stream(struct socket *sock, char __user *optval,
1664 int __user *optlen, unsigned len)
1665{
b1d9e6b0
CS		 1666 return call_int_hook(socket_getpeersec_stream, -ENOPROTOOPT, sock,
1667 optval, optlen, len);
20510f2f
JM		 1668}
1669
1670int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
1671{
e308fd3b
JB		 1672 return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
1673 skb, secid);
20510f2f
JM		 1674}
1675EXPORT_SYMBOL(security_socket_getpeersec_dgram);
1676
1677int security_sk_alloc(struct sock *sk, int family, gfp_t priority)
1678{
f25fce3e 1679 return call_int_hook(sk_alloc_security, 0, sk, family, priority);
20510f2f
JM		 1680}
1681
1682void security_sk_free(struct sock *sk)
1683{
f25fce3e 1684 call_void_hook(sk_free_security, sk);
20510f2f
JM		 1685}
1686
1687void security_sk_clone(const struct sock *sk, struct sock *newsk)
1688{
f25fce3e 1689 call_void_hook(sk_clone_security, sk, newsk);
20510f2f 1690}
6230c9b4 1691EXPORT_SYMBOL(security_sk_clone);
20510f2f
JM		 1692
1693void security_sk_classify_flow(struct sock *sk, struct flowi *fl)
1694{
f25fce3e 1695 call_void_hook(sk_getsecid, sk, &fl->flowi_secid);
20510f2f
JM		 1696}
1697EXPORT_SYMBOL(security_sk_classify_flow);
1698
1699void security_req_classify_flow(const struct request_sock *req, struct flowi *fl)
1700{
f25fce3e 1701 call_void_hook(req_classify_flow, req, fl);
20510f2f
JM		 1702}
1703EXPORT_SYMBOL(security_req_classify_flow);
1704
1705void security_sock_graft(struct sock *sk, struct socket *parent)
1706{
f25fce3e 1707 call_void_hook(sock_graft, sk, parent);
20510f2f
JM		 1708}
1709EXPORT_SYMBOL(security_sock_graft);
1710
1711int security_inet_conn_request(struct sock *sk,
1712 struct sk_buff *skb, struct request_sock *req)
1713{
f25fce3e 1714 return call_int_hook(inet_conn_request, 0, sk, skb, req);
20510f2f
JM		 1715}
1716EXPORT_SYMBOL(security_inet_conn_request);
1717
1718void security_inet_csk_clone(struct sock *newsk,
1719 const struct request_sock *req)
1720{
f25fce3e 1721 call_void_hook(inet_csk_clone, newsk, req);
20510f2f
JM		 1722}
1723
1724void security_inet_conn_established(struct sock *sk,
1725 struct sk_buff *skb)
1726{
f25fce3e 1727 call_void_hook(inet_conn_established, sk, skb);
20510f2f 1728}
72e89f50 1729EXPORT_SYMBOL(security_inet_conn_established);
20510f2f 1730
2606fd1f
EP		 1731int security_secmark_relabel_packet(u32 secid)
1732{
f25fce3e 1733 return call_int_hook(secmark_relabel_packet, 0, secid);
2606fd1f
EP		 1734}
1735EXPORT_SYMBOL(security_secmark_relabel_packet);
1736
1737void security_secmark_refcount_inc(void)
1738{
f25fce3e 1739 call_void_hook(secmark_refcount_inc);
2606fd1f
EP		 1740}
1741EXPORT_SYMBOL(security_secmark_refcount_inc);
1742
1743void security_secmark_refcount_dec(void)
1744{
f25fce3e 1745 call_void_hook(secmark_refcount_dec);
2606fd1f
EP		 1746}
1747EXPORT_SYMBOL(security_secmark_refcount_dec);
1748
5dbbaf2d
PM		 1749int security_tun_dev_alloc_security(void **security)
1750{
f25fce3e 1751 return call_int_hook(tun_dev_alloc_security, 0, security);
5dbbaf2d
PM		 1752}
1753EXPORT_SYMBOL(security_tun_dev_alloc_security);
1754
1755void security_tun_dev_free_security(void *security)
1756{
f25fce3e 1757 call_void_hook(tun_dev_free_security, security);
5dbbaf2d
PM		 1758}
1759EXPORT_SYMBOL(security_tun_dev_free_security);
1760
2b980dbd
PM		 1761int security_tun_dev_create(void)
1762{
f25fce3e 1763 return call_int_hook(tun_dev_create, 0);
2b980dbd
PM		 1764}
1765EXPORT_SYMBOL(security_tun_dev_create);
1766
5dbbaf2d 1767int security_tun_dev_attach_queue(void *security)
2b980dbd 1768{
f25fce3e 1769 return call_int_hook(tun_dev_attach_queue, 0, security);
2b980dbd 1770}
5dbbaf2d 1771EXPORT_SYMBOL(security_tun_dev_attach_queue);
2b980dbd 1772
5dbbaf2d 1773int security_tun_dev_attach(struct sock *sk, void *security)
2b980dbd 1774{
f25fce3e 1775 return call_int_hook(tun_dev_attach, 0, sk, security);
2b980dbd
PM		 1776}
1777EXPORT_SYMBOL(security_tun_dev_attach);
1778
5dbbaf2d
PM		 1779int security_tun_dev_open(void *security)
1780{
f25fce3e 1781 return call_int_hook(tun_dev_open, 0, security);
5dbbaf2d
PM		 1782}
1783EXPORT_SYMBOL(security_tun_dev_open);
1784
72e89f50
RH		 1785int security_sctp_assoc_request(struct sctp_endpoint *ep, struct sk_buff *skb)
1786{
1787 return call_int_hook(sctp_assoc_request, 0, ep, skb);
1788}
1789EXPORT_SYMBOL(security_sctp_assoc_request);
1790
1791int security_sctp_bind_connect(struct sock *sk, int optname,
1792 struct sockaddr *address, int addrlen)
1793{
1794 return call_int_hook(sctp_bind_connect, 0, sk, optname,
1795 address, addrlen);
1796}
1797EXPORT_SYMBOL(security_sctp_bind_connect);
1798
1799void security_sctp_sk_clone(struct sctp_endpoint *ep, struct sock *sk,
1800 struct sock *newsk)
1801{
1802 call_void_hook(sctp_sk_clone, ep, sk, newsk);
1803}
1804EXPORT_SYMBOL(security_sctp_sk_clone);
1805
20510f2f
JM		 1806#endif /* CONFIG_SECURITY_NETWORK */
1807
d291f1a6
DJ		 1808#ifdef CONFIG_SECURITY_INFINIBAND
1809
1810int security_ib_pkey_access(void *sec, u64 subnet_prefix, u16 pkey)
1811{
1812 return call_int_hook(ib_pkey_access, 0, sec, subnet_prefix, pkey);
1813}
1814EXPORT_SYMBOL(security_ib_pkey_access);
1815
47a2b338
DJ		 1816int security_ib_endport_manage_subnet(void *sec, const char *dev_name, u8 port_num)
1817{
1818 return call_int_hook(ib_endport_manage_subnet, 0, sec, dev_name, port_num);
1819}
1820EXPORT_SYMBOL(security_ib_endport_manage_subnet);
1821
d291f1a6
DJ		 1822int security_ib_alloc_security(void **sec)
1823{
1824 return call_int_hook(ib_alloc_security, 0, sec);
1825}
1826EXPORT_SYMBOL(security_ib_alloc_security);
1827
1828void security_ib_free_security(void *sec)
1829{
1830 call_void_hook(ib_free_security, sec);
1831}
1832EXPORT_SYMBOL(security_ib_free_security);
1833#endif /* CONFIG_SECURITY_INFINIBAND */
1834
20510f2f
JM		 1835#ifdef CONFIG_SECURITY_NETWORK_XFRM
1836
52a4c640
NA		 1837int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp,
1838 struct xfrm_user_sec_ctx *sec_ctx,
1839 gfp_t gfp)
20510f2f 1840{
f25fce3e 1841 return call_int_hook(xfrm_policy_alloc_security, 0, ctxp, sec_ctx, gfp);
20510f2f
JM		 1842}
1843EXPORT_SYMBOL(security_xfrm_policy_alloc);
1844
03e1ad7b
PM		 1845int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx,
1846 struct xfrm_sec_ctx **new_ctxp)
20510f2f 1847{
f25fce3e 1848 return call_int_hook(xfrm_policy_clone_security, 0, old_ctx, new_ctxp);
20510f2f
JM		 1849}
1850
03e1ad7b 1851void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx)
20510f2f 1852{
f25fce3e 1853 call_void_hook(xfrm_policy_free_security, ctx);
20510f2f
JM		 1854}
1855EXPORT_SYMBOL(security_xfrm_policy_free);
1856
03e1ad7b 1857int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx)
20510f2f 1858{
f25fce3e 1859 return call_int_hook(xfrm_policy_delete_security, 0, ctx);
20510f2f
JM		 1860}
1861
2e5aa866
PM		 1862int security_xfrm_state_alloc(struct xfrm_state *x,
1863 struct xfrm_user_sec_ctx *sec_ctx)
20510f2f 1864{
f25fce3e 1865 return call_int_hook(xfrm_state_alloc, 0, x, sec_ctx);
20510f2f
JM		 1866}
1867EXPORT_SYMBOL(security_xfrm_state_alloc);
1868
1869int security_xfrm_state_alloc_acquire(struct xfrm_state *x,
1870 struct xfrm_sec_ctx *polsec, u32 secid)
1871{
f25fce3e 1872 return call_int_hook(xfrm_state_alloc_acquire, 0, x, polsec, secid);
20510f2f
JM		 1873}
1874
1875int security_xfrm_state_delete(struct xfrm_state *x)
1876{
f25fce3e 1877 return call_int_hook(xfrm_state_delete_security, 0, x);
20510f2f
JM		 1878}
1879EXPORT_SYMBOL(security_xfrm_state_delete);
1880
1881void security_xfrm_state_free(struct xfrm_state *x)
1882{
f25fce3e 1883 call_void_hook(xfrm_state_free_security, x);
20510f2f
JM		 1884}
1885
03e1ad7b 1886int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir)
20510f2f 1887{
f25fce3e 1888 return call_int_hook(xfrm_policy_lookup, 0, ctx, fl_secid, dir);
20510f2f
JM		 1889}
1890
1891int security_xfrm_state_pol_flow_match(struct xfrm_state *x,
e33f7704
DM		 1892 struct xfrm_policy *xp,
1893 const struct flowi *fl)
20510f2f 1894{
b1d9e6b0
CS		 1895 struct security_hook_list *hp;
1896 int rc = 1;
1897
1898 /*
1899 * Since this function is expected to return 0 or 1, the judgment
1900 * becomes difficult if multiple LSMs supply this call. Fortunately,
1901 * we can use the first LSM's judgment because currently only SELinux
1902 * supplies this call.
1903 *
1904 * For speed optimization, we explicitly break the loop rather than
1905 * using the macro
1906 */
df0ce173 1907 hlist_for_each_entry(hp, &security_hook_heads.xfrm_state_pol_flow_match,
b1d9e6b0
CS		 1908 list) {
1909 rc = hp->hook.xfrm_state_pol_flow_match(x, xp, fl);
1910 break;
1911 }
1912 return rc;
20510f2f
JM		 1913}
1914
1915int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid)
1916{
f25fce3e 1917 return call_int_hook(xfrm_decode_session, 0, skb, secid, 1);
20510f2f
JM		 1918}
1919
1920void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl)
1921{
f25fce3e
CS		 1922 int rc = call_int_hook(xfrm_decode_session, 0, skb, &fl->flowi_secid,
1923 0);
20510f2f
JM		 1924
1925 BUG_ON(rc);
1926}
1927EXPORT_SYMBOL(security_skb_classify_flow);
1928
1929#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1930
1931#ifdef CONFIG_KEYS
1932
d84f4f99
DH		 1933int security_key_alloc(struct key *key, const struct cred *cred,
1934 unsigned long flags)
20510f2f 1935{
f25fce3e 1936 return call_int_hook(key_alloc, 0, key, cred, flags);
20510f2f
JM		 1937}
1938
1939void security_key_free(struct key *key)
1940{
f25fce3e 1941 call_void_hook(key_free, key);
20510f2f
JM		 1942}
1943
1944int security_key_permission(key_ref_t key_ref,
f5895943 1945 const struct cred *cred, unsigned perm)
20510f2f 1946{
f25fce3e 1947 return call_int_hook(key_permission, 0, key_ref, cred, perm);
20510f2f
JM		 1948}
1949
70a5bb72
DH		 1950int security_key_getsecurity(struct key *key, char **_buffer)
1951{
b1d9e6b0 1952 *_buffer = NULL;
f25fce3e 1953 return call_int_hook(key_getsecurity, 0, key, _buffer);
70a5bb72
DH		 1954}
1955
20510f2f 1956#endif /* CONFIG_KEYS */
03d37d25
AD		 1957
1958#ifdef CONFIG_AUDIT
1959
1960int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
1961{
f25fce3e 1962 return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
03d37d25
AD		 1963}
1964
1965int security_audit_rule_known(struct audit_krule *krule)
1966{
f25fce3e 1967 return call_int_hook(audit_rule_known, 0, krule);
03d37d25
AD		 1968}
1969
1970void security_audit_rule_free(void *lsmrule)
1971{
f25fce3e 1972 call_void_hook(audit_rule_free, lsmrule);
03d37d25
AD		 1973}
1974
1975int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
1976 struct audit_context *actx)
1977{
f25fce3e
CS		 1978 return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule,
1979 actx);
03d37d25 1980}
b1d9e6b0 1981#endif /* CONFIG_AUDIT */
afdb09c7
CF		 1982
1983#ifdef CONFIG_BPF_SYSCALL
1984int security_bpf(int cmd, union bpf_attr *attr, unsigned int size)
1985{
1986 return call_int_hook(bpf, 0, cmd, attr, size);
1987}
1988int security_bpf_map(struct bpf_map *map, fmode_t fmode)
1989{
1990 return call_int_hook(bpf_map, 0, map, fmode);
1991}
1992int security_bpf_prog(struct bpf_prog *prog)
1993{
1994 return call_int_hook(bpf_prog, 0, prog);
1995}
1996int security_bpf_map_alloc(struct bpf_map *map)
1997{
1998 return call_int_hook(bpf_map_alloc_security, 0, map);
1999}
2000int security_bpf_prog_alloc(struct bpf_prog_aux *aux)
2001{
2002 return call_int_hook(bpf_prog_alloc_security, 0, aux);
2003}
2004void security_bpf_map_free(struct bpf_map *map)
2005{
2006 call_void_hook(bpf_map_free_security, map);
2007}
2008void security_bpf_prog_free(struct bpf_prog_aux *aux)
2009{
2010 call_void_hook(bpf_prog_free_security, aux);
2011}
2012#endif /* CONFIG_BPF_SYSCALL */
Linux 6.x block layer and io_uring tree(s)