xref: /kernel/linux/linux-5.10/include/linux/lsm_hooks.h

33  * union security_list_options - Linux Security Module hook function list
41  *	new program.  This hook may also optionally check permissions
43  *	The hook must set @bprm->secureexec to 1 if AT_SECURE should be set to
46  *	Return 0 if the hook is successful and permission is granted.
54  *	hook may also optionally check permissions (e.g. for transitions
56  *	The hook must set @bprm->secureexec to 1 if AT_SECURE should be set to
58  *	The hook must add to @bprm->per_clear any personality flags that
61  *	Return 0 if the hook is successful and permission is granted.
63  *	This hook mediates the point when a search for a binary handler will
66  *	envp list are reliably available in @bprm.  This hook may be called
69  *	Return 0 if the hook is successful and permission is granted.
74  *	the bprm_creds_for_exec hook.  @bprm points to the linux_binprm
75  *	structure.  This hook is a good place to perform state changes on the
83  *	linux_binprm structure.  This hook is a good place to perform state
219  *	This hook is called by the fs code as part of the inode creation
221  *	the post_create/mkdir/... hooks called by the VFS.  The hook function
313  *	is being done for a regular file, then the create hook will be called
314  *	and not this hook.
321  *	Check permissions when creating a file. Note that this hook is called
374  *	Check permission before accessing an inode.  This hook is called by the
377  *	Notice that this hook is called when a file is opened (as well as many
378  *	other operations), whereas the file_security_ops permission hook is
471  *	and writing the xattrs as this hook is merely a filter.
491  *	Check file permissions before accessing an open file.  This hook is
493  *	module can use this hook to perform additional checking on these
495  *	bracketing or policy changes.  Notice that this hook is used when the
497  *	inode_security_ops hook is called when a file is opened (as well as
499  *	Caveat:  Although this hook can be used to revalidate permissions for
512  *	Return 0 if the hook is successful and permission is granted.
549  *	Note the hook mediates both flock and fcntl style locks.
566  *	file->f_security for later use by the send_sigiotask hook.
571  *	process @tsk.  Note that this hook is sometimes called from interrupt.
580  *	This hook allows security modules to control the ability of a process
673  *	indicates which of the set*uid system calls invoked this hook.  If
682  *	indicates which of the set*gid system calls invoked this hook.
758  *	SIGIO signals are handled separately by the send_sigiotask hook in
831  *	This hook allows a module to update or allocate a per-socket security
834  *	in the associated inode.  Typically, the inode alloc_security hook will
836  *	SOCK_INODE(sock)->i_security.  This hook may be used to update the
921  *	Check permissions on incoming network packets.  This hook is distinct
924  *	Must not sleep inside this hook because some callers hold spinlocks.
928  *	This hook allows the security module to provide peer socket security
941  *	This hook allows the security module to provide peer socket security
945  *	security state returned by this hook for a packet via the SCM_SECURITY
980  *	This hook allows a module to allocate a security structure for a TUN
985  *	This hook allows a module to free the security structure for a TUN
994  *	This hook can be used by the module to update any security state
999  *	This hook can be used by the module to update any security state
1105  *	XFRMs on a packet.  The hook is called when selecting either a
1190  *	msgget system call. This hook is only called when returning the
1235  *	shmget system call. This hook is only called when returning the shared
1270  *	system call. This hook is only called when returning the semaphore
1317  *	tracing check during an execve in the bprm_set_creds hook of
1331  *	the @target process.  The hook may also perform permission checking to
1446  *	this hook to initialize the security context in its incore inode to the
1459  *	this hook to change the security context in its incore inode and on the
1553  * Security module hook list structure.
1559 	union security_list_options	hook;
1588 	{ .head = &security_hook_heads.HEAD, .hook = { .HEAD = HOOK } }
1630  * module's hook list in a particular way, refusing to disable
1649 /* Currently required to handle SELinux runtime hook disable. */

Indexes created Thu Nov 07 10:32:03 CST 2024