Lines Matching full:hook
39 * security_locked_down() LSM hook. Placing this array here allows
86 #define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX
90 * HOOK is an LSM hook as defined in linux/lsm_hookdefs.h
93 #define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX
96 * Call the macro M for each LSM hook MAX_LSM_COUNT times.
113 * Define static calls and static keys for each LSM hook.
127 * Initialise a table of static calls for each LSM hook.
413 * The default value of the LSM hook is defined in linux/lsm_hook_defs.h and
419 * LSM hook.
432 * Hook list operation macros.
435 * This is a hook that does not return a value.
438 * This is a hook that returns a value.
440 #define __CALL_STATIC_VOID(NUM, HOOK, ...) \
442 if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \
443 static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \
447 #define call_void_hook(HOOK, ...) \
449 LSM_LOOP_UNROLL(__CALL_STATIC_VOID, HOOK, __VA_ARGS__); \
453 #define __CALL_STATIC_INT(NUM, R, HOOK, LABEL, ...) \
455 if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \
456 R = static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \
457 if (R != LSM_RET_DEFAULT(HOOK)) \
462 #define call_int_hook(HOOK, ...) \
465 int RC = LSM_RET_DEFAULT(HOOK); \
467 LSM_LOOP_UNROLL(__CALL_STATIC_INT, RC, HOOK, OUT, __VA_ARGS__); \
546 * during an execve in the bprm_set_creds hook of binprm_security_ops if the
580 * @target process. The hook may also perform permission checking to determine
722 rc = scall->hl->hook.vm_enough_memory(mm, pages); in security_vm_enough_memory_mm()
738 * program. This hook may also optionally check permissions (e.g. for
739 * transitions between security domains). The hook must set @bprm->secureexec
747 * This hook must not change current->cred, only @bprm->cred.
749 * Return: Returns 0 if the hook is successful and permission is granted.
766 * different file. This hook may also optionally check permissions (e.g. for
767 * transitions between security domains). The hook must set @bprm->secureexec
769 * hook must add to @bprm->per_clear any personality flags that should be
773 * Return: Returns 0 if the hook is successful and permission is granted.
784 * This hook mediates the point when a search for a binary handler will begin.
787 * available in @bprm. This hook may be called multiple times during a single
790 * Return: Returns 0 if the hook is successful and permission is granted.
804 * bprm_creds_for_exec hook. @bprm points to the linux_binprm structure. This
805 * hook is a good place to perform state changes on the process such as closing
821 * structure. This hook is a good place to perform state changes on the
880 trc = scall->hl->hook.fs_context_parse_param(fc, param); in security_fs_context_parse_param()
1114 rc = scall->hl->hook.sb_set_mnt_opts(sb, mnt_opts, kern_flags, in security_sb_set_mnt_opts()
1220 * release that state in the inode_free_security_rcu() LSM hook callback.
1288 * hook is called by the fs code as part of the inode creation transaction and
1292 * The hook function is expected to populate the xattrs array, by calling
1295 * slot, the hook function should set ->name to the attribute name suffix
1328 ret = scall->hl->hook.inode_init_security(inode, dir, qstr, new_xattrs, in security_inode_init_security()
1381 * Check permissions when creating a file. Note that this hook is called even
1529 * using the security_file_truncate() hook.
1719 * done for a regular file, then the create hook will be called and not this
1720 * hook.
1803 * Check permission before accessing an inode. This hook is called by the
1806 * that this hook is called when a file is opened (as well as many other
1807 * operations), whereas the file_security_ops permission hook is called when
1881 * This hook performs the desired permission checks before setting the extended
1887 * hook implementations, but if a LSM wants to avoid this capability check,
1888 * it can register a 'inode_xattr_skipcap' hook and return a value of 1 for
1891 * of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook,
2068 * This hook performs the desired permission checks before setting the extended
2074 * hook implementations, but if a LSM wants to avoid this capability check,
2075 * it can register a 'inode_xattr_skipcap' hook and return a value of 1 for
2078 * of the enabled LSMs refrain from registering a 'inode_xattr_skipcap' hook,
2291 * reading and writing the xattrs, this hook is merely a filter.
2350 * Check file permissions before accessing an open file. This hook is called
2352 * this hook to perform additional checking on these operations, e.g. to
2354 * changes. Notice that this hook is used when the actual read/write
2355 * operations are performed, whereas the inode_security_ops hook is called when
2356 * a file is opened (as well as many other operations). Although this hook can
2376 * Return: Return 0 if the hook is successful and permission is granted.
2542 * Check permission before performing file locking operations. Note the hook
2576 * file->f_security for later use by the send_sigiotask hook.
2578 * This hook is called with file->f_owner.lock held.
2594 * process @tsk. Note that this hook is sometimes called from interrupt. Note
2611 * This hook allows security modules to control the ability of a process to
2644 * Evaluate an opened file and the access mask requested with open(). The hook
2662 * @path_truncate hook.
2886 * to security_kernel_read_file() call that indicated this hook would also be
2922 * this hook would also be called, see security_kernel_load_data() for more
2943 * the set*uid system calls invoked this hook. If @new is the set of
2963 * the set*gid system calls invoked this hook. @new is the set of credentials
3190 * separately by the send_sigiotask hook in file_security_ops.
3222 thisrc = scall->hl->hook.task_prctl(option, arg2, arg3, arg4, arg5); in security_task_prctl()
3360 * call. This hook is only called when returning the message queue identifier
3463 * system call. This hook is only called when returning the shared memory
3547 * call. This hook is only called when returning the semaphore identifier for
3672 rc = scall->hl->hook.getselfattr(attr, uctx, &entrysize, flags); in security_getselfattr()
3744 rc = scall->hl->hook.setselfattr(attr, lctx, size, flags); in security_setselfattr()
3772 return scall->hl->hook.getprocattr(p, name, value); in security_getprocattr()
3796 return scall->hl->hook.setprocattr(name, value, size); in security_setprocattr()
3846 * the hook should be used. This is used in cases where the
3859 return scall->hl->hook.lsmprop_to_secctx(prop, cp); in security_lsmprop_to_secctx()
3916 * for this inode. Example usage: NFS client invokes this hook to initialize
3938 * context. Example usage: NFS server invokes this hook to change the security
4100 * This hook allows a module to update or allocate a per-socket security
4103 * associated inode. Typically, the inode alloc_security hook will allocate
4104 * and attach security information to SOCK_INODE(sock)->i_security. This hook
4308 * Check permissions on incoming network packets. This hook is distinct from
4311 * sleep inside this hook because some callers hold spinlocks.
4328 * This hook allows the security module to provide peer socket security state
4349 * This hook allows the security module to provide peer socket security state
4353 * this hook for a packet via the SCM_SECURITY ancillary message type.
4552 * This hook allows a module to allocate a security structure for a TUN device,
4578 * This hook allows a module to free the security structure for a TUN device.
4618 * This hook can be used by the module to update any security state associated
4633 * This hook can be used by the module to update any security state associated
4721 * owning MPTCP socket. This hook has to be called after the socket creation and
4934 * packet. The hook is called when selecting either a per-socket policy or a
4972 rc = scall->hl->hook.xfrm_state_pol_flow_match(x, xp, flic); in security_xfrm_state_pol_flow_match()
5243 * allocates associated BPF program object. This hook is also responsible for
5429 * Please note that the new hook should be invoked every time the security
5434 * hook to refresh these data and ensure they are up to date. This necessity