Lines Matching full:security
3 * Security plug functions
57 * all security modules to use the same descriptions for auditing
337 /* Process "security=", if given. */ in ordered_lsm_parse()
342 * To match the original "security=" behavior, this in ordered_lsm_parse()
352 init_debug("security=%s disabled: %s (only one legacy major LSM)\n", in ordered_lsm_parse()
377 /* Process "security=", if given. */ in ordered_lsm_parse()
383 append_ordered_lsm(lsm, "security="); in ordered_lsm_parse()
454 pr_warn("security=%s is ignored because it is superseded by lsm=%s\n", in ordered_lsm_init()
517 * security_init - initializes the security framework
525 init_debug("legacy security=%s\n", chosen_major_lsm ? : " *unspecified*"); in security_init()
552 __setup("security=", choose_major_lsm);
610 * @lsmid: the identification information for the security module
620 * A security module may call security_add_hooks() more in security_add_hooks()
701 return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp); in lsm_cred_alloc()
771 return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL); in lsm_task_alloc()
784 return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL); in lsm_ipc_alloc()
798 return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL); in lsm_key_alloc()
812 return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg, in lsm_msg_msg_alloc()
985 /* Security operations */
1052 * process. Security modules may also want to perform a process tracing check
1055 * process is being traced and its security attributes would be changed by the
1133 * @opts contains options for the capable check <include/linux/security.h>.
1243 * If the setup in prepare_exec_creds did not setup @bprm->cred->security
1245 * @bprm->cred->security to be what commit_creds needs to install for the new
1247 * transitions between security domains). The hook must set @bprm->secureexec
1275 * transitions between security domains). The hook must set @bprm->secureexec
1293 * It allows a check against the @bprm->cred->security value which was set in
1309 * Prepare to install the new security attributes of a process being
1326 * Tidy up after the installation of the new security attributes of a process
1339 * security_fs_context_submount() - Initialise fc->security
1343 * Fill out the ->security field for a new fs_context.
1357 * Allocate and attach a security structure to sc->security. This pointer is
1401 * Allocate and attach a security structure to the sb->s_security field. The
1497 * Extracts security system specific mount options and verifies no changes are
1609 * Set the security relevant mount options used for a superblock.
1638 * Copy all security options from a given superblock to another.
1689 * Allocate and attach a security structure to @inode->i_security. The
1743 * @xattr_name: name of the security/LSM xattr
1794 * Obtain the security attribute name suffix and value to set on a newly
1795 * created inode and set up the incore security field for the new inode. This
1801 * lsm_get_xattr_slot() to retrieve the slots reserved by the security module
1806 * the security module does not use security attributes or does not wish to put
1807 * a security attribute on this particular inode, then it should return
1811 * security attributes that are required, negative values otherwise.
1867 * Set up the incore security field for the new anonymous inode and return
1868 * whether the inode creation is permitted by the security module or not.
1870 * Return: Returns 0 on success, -EACCES if the security module denies the
1904 * security_path_post_mknod() - Update inode security after reg file creation
1908 * Update inode security field after a regular file has been created.
2117 * security_inode_post_create_tmpfile() - Update inode security of new tmpfile
2121 * Update inode security data after a tmpfile has been created.
2312 * existing Linux permission function, so a security module can use it to
2355 * Update inode security field after successful setting file attributes.
2448 * security_inode_post_set_acl() - Update inode security from posix acls set
2453 * Update inode security data after successfully setting posix acls on @dentry.
2503 * security_inode_post_remove_acl() - Update inode security after rm posix acls
2508 * Update inode security data after successfully removing posix acls on
2527 * Update inode security field after successful setxattr operation.
2676 * The @dentry's setuid bit is being removed. Remove similar security labels.
2689 * security_inode_getsecurity() - Get the xattr security label of an inode
2693 * @buffer: security label buffer
2696 * Retrieve a copy of the extended attribute representation of the security
2698 * remainder of the attribute name after the security prefix has been removed.
2716 * security_inode_setsecurity() - Set the xattr security label of an inode
2719 * @value: security label
2720 * @size: length of security label
2723 * Set the security label associated with @name for @inode from the extended
2726 * remainder of the attribute name after the security. prefix has been removed.
2741 * security_inode_listsecurity() - List the xattr security label names
2746 * Copy the extended attribute names for the security labels associated with
2780 * filesystem. Security module can prepare a set of new creds and modify as
2802 * -EOPNOTSUPP if the security module does not know about attribute,
2842 * Initialize the security context of a newly created kernfs node based on its
2859 * by various operations that read or write files. A security module can use
2867 * memory-mapped files. Security modules must handle this separately if they
2881 * Allocate and attach a security structure to the file->f_security field. The
2882 * security field is initialized to NULL when the structure is first created.
2913 * Deallocate and free any security structures stored in file->f_security.
2937 * by the security module.
3070 * security module.
3083 * Save owner security information (typically from current->security) in
3104 * so the file structure (and associated security information) can always be
3119 * This hook allows security modules to control the ability of a process to
3211 kfree(task->security); in security_task_free()
3212 task->security = NULL; in security_task_free()
3242 * Deallocate and clear the cred->security field in a set of credentials.
3248 * may result in a call here with ->security being NULL. in security_cred_free()
3250 if (unlikely(cred->security == NULL)) in security_cred_free()
3255 kfree(cred->security); in security_cred_free()
3256 cred->security = NULL; in security_cred_free()
3299 * Retrieve the security identifier of the cred structure @c. In case of
3314 * Retrieve the security data of the cred structure @c. In case of
3546 * Retrieve the subjective security identifier of the current task and return
3561 * Retrieve the objective security identifier of the task_struct in @p and
3741 * security_task_to_inode() - Set the security attributes of a task's inode
3745 * Set the security attributes for an inode based on an associated task's
3746 * security attributes, e.g. for /proc/pid inodes.
3798 * Allocate and attach a security structure to the msg->security field. The
3799 * security field is initialized to NULL when the structure is first created.
3819 * Deallocate the security structure for this message.
3824 kfree(msg->security); in security_msg_msg_free()
3825 msg->security = NULL; in security_msg_msg_free()
3832 * Allocate and attach a security structure to @msg. The security field is
3853 * Deallocate security field @perm->security for the message queue.
3858 kfree(msq->security); in security_msg_queue_free()
3859 msq->security = NULL; in security_msg_queue_free()
3935 * Allocate and attach a security structure to the @shp security field. The
3936 * security field is initialized to NULL when the structure is first created.
3956 * Deallocate the security structure @perm->security for the memory segment.
3961 kfree(shp->security); in security_shm_free()
3962 shp->security = NULL; in security_shm_free()
4019 * Allocate and attach a security structure to the @sma security field. The
4020 * security field is initialized to NULL when the structure is first created.
4040 * Deallocate security structure @sma->security for the semaphore.
4045 kfree(sma->security); in security_sem_free()
4046 sma->security = NULL; in security_sem_free()
4103 * Fill in @inode security information for a @dentry if allowed.
4114 * Please keep this in sync with it's counterpart in security/lsm_syscalls.c
4207 * Please keep this in sync with it's counterpart in security/lsm_syscalls.c
4328 * Convert secid to security context. If @cp is NULL the length of the
4346 * Convert a @prop entry to security context. If @cp is NULL the
4365 * Convert security context to secid.
4378 * @cp: the security context
4380 * Release the security context.
4390 * security_inode_invalidate_secctx() - Invalidate an inode's security label
4393 * Notify the security module that it must revalidate the security context of
4403 * security_inode_notifysecctx() - Notify the LSM of an inode's security label
4408 * Notify the security module of what the security context of an inode should
4409 * be. Initializes the incore security context managed by the security module
4411 * the security context in its incore inode to the value provided by the server
4424 * security_inode_setsecctx() - Change the security label of an inode
4429 * Change the security context of an inode. Updates the incore security
4430 * context managed by the security module and invokes the fs code as needed
4432 * context. Example usage: NFS server invokes this hook to change the security
4446 * security_inode_getsecctx() - Get the security label of an inode
4448 * @cp: security context
4450 * On success, returns 0 and fills out @cp with the security context
4503 * Save security information for a netlink message so that permission checking
4504 * can be performed when the message is processed. The security information
4594 * This hook allows a module to update or allocate a per-socket security
4595 * structure. Note that the security field was not added directly to the socket
4596 * structure, but rather, the socket security information is stored in the
4598 * and attach security information to SOCK_INODE(sock)->i_security. This hook
4822 * This hook allows the security module to provide peer socket security state
4843 * This hook allows the security module to provide peer socket security state
4846 * option via getsockopt. It can then retrieve the security state returned by
4878 * Allocate and attach a security structure to the sk->sk_security field, which
4879 * is used to copy security attributes between local stream sockets.
4899 * Deallocate security structure.
4913 * Clone/copy security structure.
5044 * @security: pointer to the LSM blob
5046 * This hook allows a module to allocate a security structure for a TUN device,
5047 * returning the pointer in @security.
5051 int security_tun_dev_alloc_security(void **security) in security_tun_dev_alloc_security() argument
5055 rc = lsm_blob_alloc(security, blob_sizes.lbs_tun_dev, GFP_KERNEL); in security_tun_dev_alloc_security()
5059 rc = call_int_hook(tun_dev_alloc_security, *security); in security_tun_dev_alloc_security()
5061 kfree(*security); in security_tun_dev_alloc_security()
5062 *security = NULL; in security_tun_dev_alloc_security()
5070 * @security: LSM blob
5072 * This hook allows a module to free the security structure for a TUN device.
5074 void security_tun_dev_free_security(void *security) in security_tun_dev_free_security() argument
5076 kfree(security); in security_tun_dev_free_security()
5095 * @security: TUN device LSM blob
5101 int security_tun_dev_attach_queue(void *security) in security_tun_dev_attach_queue() argument
5103 return call_int_hook(tun_dev_attach_queue, security); in security_tun_dev_attach_queue()
5110 * @security: TUN device LSM blob
5112 * This hook can be used by the module to update any security state associated
5117 int security_tun_dev_attach(struct sock *sk, void *security) in security_tun_dev_attach() argument
5119 return call_int_hook(tun_dev_attach, sk, security); in security_tun_dev_attach()
5125 * @security: TUN device LSM blob
5127 * This hook can be used by the module to update any security state associated
5128 * with the TUN device's security structure.
5132 int security_tun_dev_open(void *security) in security_tun_dev_open() argument
5134 return call_int_hook(tun_dev_open, security); in security_tun_dev_open()
5198 * security module.
5266 * Allocate a security structure for Infiniband objects.
5291 * Deallocate an Infiniband security structure.
5303 * @ctxp: xfrm security context being added to the SPD
5304 * @sec_ctx: security label provided by userspace
5307 * Allocate a security structure to the xp->security field; the security field
5322 * @old_ctx: xfrm security context
5323 * @new_ctxp: target xfrm security context
5325 * Allocate a security structure in new_ctxp that contains the information from
5337 * security_xfrm_policy_free() - Free a xfrm security context
5338 * @ctx: xfrm security context
5350 * @ctx: xfrm security context
5364 * @sec_ctx: security label provided by userspace
5366 * Allocate a security structure to the @x->security field; the security field
5382 * @polsec: associated policy's security context
5385 * Allocate a security structure to the x->security field; the security field
5401 * Authorize deletion of x->security.
5415 * Deallocate x->security.
5424 * @ctx: target xfrm security context
5477 * Decode the packet in @skb and return the security label in @secid.
5503 * Permit allocation of a key and assign security data. Note that key does not
5525 * Notification of destruction; free security data.
5529 kfree(key->security); in security_key_free()
5530 key->security = NULL; in security_key_free()
5550 * security_key_getsecurity() - Get the key's security label
5552 * @buffer: security label buffer
5554 * Get a textual representation of the security context attached to a key for
5560 * there is no security label assigned to the key.
5636 * @prop: security label
5663 * the kernel. The actual security module can implement their own rules to
5792 * Clean up the security information stored inside bpf map.
5803 * Clean up the security information stored inside BPF program.
5814 * Clean up the security information stored inside BPF token.
5841 * Allocate and attach a security structure to @bdev->bd_security. The
5842 * security field is initialized to NULL when the bdev structure is
5867 * Deallocate the bdev security structure and set @bdev->bd_security to NULL.
5890 * Please note that the new hook should be invoked every time the security
5934 * Allocate and save perf_event security info.
5942 rc = lsm_blob_alloc(&event->security, blob_sizes.lbs_perf_event, in security_perf_event_alloc()
5949 kfree(event->security); in security_perf_event_alloc()
5950 event->security = NULL; in security_perf_event_alloc()
5959 * Release (free) perf_event security info.
5963 kfree(event->security); in security_perf_event_free()
5964 event->security = NULL; in security_perf_event_free()
5971 * Read perf_event security info if allowed.
5984 * Write perf_event security info if allowed.