I've attached a patch that adds documentation for the remaining hooks in the top-level security_operations structure. If there aren't any objections, I can commit it tomorrow. -- Stephen D. Smalley, NAI Labs ssmalleyat_private --- lsm-wirex/include/linux/security.h Tue Sep 11 13:20:25 2001 +++ lsm/include/linux/security.h Tue Sep 11 15:52:59 2001 @@ -540,36 +540,342 @@ struct security_operations { int version; - /* syscalls that are checked for permissions */ + /** + * sethostname - check permission when setting the hostname + * @hostname: new hostname + * + * called: sys_sethostname <kernel/sys.c> + * + * Check permission before the hostname is set to @hostname. + * Return 0 if permission is granted. + */ int (* sethostname) (char *hostname); + + /** + * setdomainname - check permission when setting the domainname + * @domainname: new domainname + * + * called: sys_setdomainname <kernel/sys.c> + * + * Check permission before the domainname is set to @domainname. + * Return 0 if permission is granted. + */ int (* setdomainname) (char *domainname); + + /** + * reboot - check permission when rebooting or enabling/disabling Ctrl-Alt-Del + * @cmd: reboot command + * + * called: sys_reboot <kernel/sys.c> + * + * Check permission before rebooting or enabling/disabling the + * Ctrl-Alt-Del key sequence. Return 0 if permission is granted. + * The values for @cmd are defined in the reboot(2) manual page. + */ int (* reboot) (unsigned int cmd); + + /** + * ioperm - check permission when setting port input/output permissions + * @from: starting port address + * @num: number of bytes starting from @from + * @turn_on: permissions value + * + * called: sys_ioperm <arch/i386/kernel/ioport.c> + * + * Check permission before setting port input/output permissions + * for the process for @num bytes starting from the port address + * @from to the value @turn_on. Return 0 if permission is granted. + */ int (* ioperm) (unsigned long from, unsigned long num, int turn_on); + + /** + * iopl - check permission when changing input/output privilege level + * @old: old level + * @level: new level + * + * called: sys_iopl <arch/i386/kernel/ioport.c> + * called: sys_iopl <arch/ia64/ia32/sys_ia32.c> + * + * Check permission before changing the I/O privilege level of the + * current process from @old to @level. Return 0 if permission is + * granted. + */ int (* iopl) (unsigned int old, unsigned int level); + /** + * ptrace - check permission when tracing a process + * @parent: task_struct structure for parent process + * @child: task_struct structure for child process + * + * called: ptrace_attach <kernel/ptrace.c> + * called: sys_ptrace <arch/i386/kernel/ptrace.c> + * called: sys_ptrace <arch/ia64/kernel/ptrace.c> + * called: MAY_PTRACE <fs/proc/base.c> + * + * locks: task_lock is called by ptrace_attach on the child task. + * The big kernel lock is held by sys_ptrace. + * + * Check permission before allowing the @parent process to trace + * the @child process. Return 0 if permission is granted. + * + * Security modules may also want to perform a process tracing + * check during an execve in the set_security or compute_creds + * hooks of binprm_security_ops if the process is being traced + * and its security attributes would be changed by the execve. + */ int (* ptrace) (struct task_struct *parent, struct task_struct *child); + + /** + * capget - get the capability sets for a process + * @target: task_struct structure for target process + * @effective: effective capability set + * @inheritable: inheritable capability set + * @permitted: permitted capability set + * + * called: sys_capget <kernel/capability.c> + * + * locks: The task_capability_lock is held by sys_capget. + * The tasklist_lock is read-locked by sys_capget + * unless @target is the current process. + * + * Get the @effective, @inheritable, and @permitted capability + * sets for the @target process. The hook may also perform + * permission checking to determine if the current process is + * allowed to see the capability sets of the @target process. + * Return 0 if the capability sets were successfully obtained. + */ int (*capget) (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); + + /** + * capset_check - check permission when setting capability sets + * @target: task_struct structure for target process + * @effective: effective capability set + * @inheritable: inheritable capability set + * @permitted: permitted capability set + * + * called: sys_capset <kernel/capability.c> + * + * locks: The task_capability_lock is held by sys_capset. + * The tasklist_lock is read-locked by sys_capset if + * a single target process other than current was + * specified. + * + * Check permission before setting the @effective, @inheritable, and + * @permitted capability sets for the @target process. Return 0 + * if permission is granted. + * + * Caveat: @target is also set to current if a set of processes + * is specified (i.e. all processes other than current and init or + * a particular process group). Hence, the capset_set hook may need + * to revalidate permission to the actual target process. + */ int (*capset_check) (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); + + /** + * capset_set - Set the capability sets for a process + * @target: task_struct structure for target process + * @effective: effective capability set + * @inheritable: inheritable capability set + * @permitted: permitted capability set + * + * called: sys_capset <kernel/capability.c> + * called: cap_set_pg <kernel/capability.c> + * called: cap_set_all <kernel/capability.c> + * + * locks: The task_capability_lock is held by sys_capset. + * The tasklist_lock is read-locked unless only the + * capability sets for current are being set. + * + * Set the @effective, @inheritable, and @permitted capability sets + * for the @target process. Since capset_check cannot always check + * permission to the real @target process, this hook may also perform + * permission checking to determine if the current process is + * allowed to set the capability sets of the @target process. + * However, this hook has no way of returning an error due to + * the structure of the sys_capset code. + */ void (*capset_set) (struct task_struct *target, kernel_cap_t *effective, kernel_cap_t *inheritable, kernel_cap_t *permitted); + + /** + * acct - Check permission when enabling or disabling process accounting + * @file: file structure for the accounting file (may be NULL) + * + * called: sys_acct <kernel/acct.c> + * + * Check permission before enabling or disabling process accounting. + * If accounting is being enabled, then @file refers to the open + * file used to store accounting records. If accounting is being + * disabled, then @file is NULL. Return 0 if permission is granted. + */ int (* acct) (struct file *file); + + /** + * sysctl - Check permission when accessing a sysctl variable + * @table: the ctl_table structure for the sysctl variable + * @op: the operation (001 = search, 002 = write, 004 = read) + * + * called: ctl_perm <kernel/sysctl.c> + * + * Check permission before accessing the @table sysctl variable + * in the manner specified by @op. Return 0 if permission is granted. + */ int (* sysctl) (ctl_table * table, int op); + + /** + * capable - Check a particular capability for a process + * @tsk: the task_struct for the process + * @cap: the capability <include/linux/capability.h> + * + * called: capable <security/security.c> + * called: must_not_trace_exec <fs/exec.c> + * called: badness <mm/oom_kill.c> + * called: oom_kill_task <mm/oom_kill.c> + * + * Check whether the @tsk process has the @cap capability. + * Return 0 if the capability is granted for @tsk. + */ int (* capable) (struct task_struct *tsk, int cap); - /* security syscall multiplexor. app can use id to identify module */ + /** + * sys_security - Security system call multiplexor + * @id: security module identifier + * @call: call value + * @args: call arguments (user space pointer) + * + * called: sys_security <security/security.c> + * + * Security modules may use this hook to implement new system + * calls for security-aware applications. The interface is similar + * to socketcall, but with an @id parameter to help identify the + * security module whose call is being invoked. The module is + * responsible for interpreting the parameters, and must copy in the + * @args array from user space if it is used. The module should + * return -ENOSYS if it does not implement any new system calls. + */ int (* sys_security) (unsigned int id, unsigned call, unsigned long *args); - /* - * swapon/swapoff: parm dentry is a pointer to the dir entry for the - * swap file or swap device. + /** + * swapon - Check permission before enabling swapping to a file/device. + * @dentry: dentry structure for the swap file or device + * + * called: sys_swapon <mm/swapfile.c> + * + * lock: The big kernel lock is held by sys_swapon. + * + * Check permission before enabling swapping to the file + * or block device identified by @dentry. Return 0 if + * permission is granted. */ int (* swapon) (struct dentry *dentry); + + /** + * swapoff - Check permission before disabling swapping to a file/device. + * @dentry: dentry structure for the swap file or device + * + * called: sys_swapoff <mm/swapfile.c> + * + * Check permission before disabling swapping to the file + * or block device identified by @dentry. Return 0 if + * permission is granted. + */ int (* swapoff) (struct dentry *dentry); + + /** + * nfsservctl - Check permission before accessing the kernel NFS daemon + * @cmd: command value + * @arg: command arguments + * + * called: handle_sys_nfsservctl <fs/nfsd/nfsctl.c> + * + * lock: The big kernel lock is held. + * + * Check permission before having the kernel NFS daemon + * perform command @cmd with arguments @arg. Return 0 if + * permission is granted. See the nfsservctl(2) manual page + * for an explanation of @cmd and @arg values. + */ int (* nfsservctl) (int cmd, struct nfsctl_arg *arg); + + /** + * quotactl - Check permission before manipulating disk quotas + * @cmd: command value + * @type: type of quota (USRQUOTA or GRPQUOTA) + * @id: user or group identifier + * @sb: super_block structure for the filesystem (may be NULL) + * + * called: sys_quotactl <fs/dquot.c> + * + * Check permission before performing the quota operation + * identified by @cmd for the specified @type, @id, and + * @sb. The @sb parameter may be NULL, e.g. for the Q_SYNC + * and Q_GETSTATS commands. Return 0 if permission is granted. + */ int (* quotactl) (int cmds, int type, int id, struct super_block *sb); + + /** + * quota_on - Check permission when enabling quotas + * @f: the open file for storing quotas + * + * called: quota_on <fs/dquot.c> + * + * Check permission before enabling quotas for a file + * system using @f as the quota file. Return 0 if permission + * is granted. + */ int (* quota_on) (struct file *f); + + /** + * bdflush - Check permission before tuning the bdflush daemon + * @func: the tuning function + * @data: tuning parameter pointer (user space pointer) or value + * + * called: sys_bdflush <fs/buffer.c> + * + * Check permission before tuning the bdflush parameter. + * See the bdflush(2) manual page for an explanation of + * the @func and @data parameters. The @data parameter + * should only be used by the module if it is an input + * value. Return 0 if permission is granted. + */ int (* bdflush) (int func, long data); + + /** + * syslog - Check permission before accessing the kernel message ring + * @type: the type of action + * + * called: do_syslog <kernel/printk.c> + * + * Check permission before accessing the kernel message ring or + * changing logging to the console. Return 0 if permission is + * granted. See the syslog(2) manual page for an explanation of + * the @type values. + */ int (* syslog) (int type); + /** + * netlink_send - Save security information for a netlink message. + * @skb: the sk_buff structure for the netlink message + * + * called: netlink_sendmsg <net/netlink/af_netlink.c> + * + * Save security information for a netlink message so that + * permission checking can be performed when the message + * is processed. The security information can either be + * saved using the existing eff_cap field of the netlink_skb_parms + * structure or it can be saved using the skbuff lsm_security field. + * Return 0 if the information was successfully saved. + */ int (* netlink_send) (struct sk_buff *skb); + + /** + * netlink_recv - Check permission when receiving a netlink message + * @skb: the sk_buff structure for the netlink message + * + * called: rtnetlink_rcv_msg <net/core/rtnetlink.c> + * called: netlink_receive_user_skb <net/ipv4/netfilter/ip_queue.c> + * + * Check permission before processing the received netlink message + * in @skb. Return 0 if permission is granted. + */ int (* netlink_recv) (struct sk_buff *skb); struct binprm_security_ops * bprm_ops; _______________________________________________ linux-security-module mailing list linux-security-moduleat_private http://mail.wirex.com/mailman/listinfo/linux-security-module
This archive was generated by hypermail 2b30 : Tue Sep 11 2001 - 13:04:26 PDT