xref: /kernel/linux/linux-6.6/security/security.c

331 static int lsm_append(const char *new, char **result);
491 static int lsm_append(const char *new, char **result)
496 		*result = kstrdup(new, GFP_KERNEL);
501 		if (match_last_lsm(*result, new))
503 		cp = kasprintf(GFP_KERNEL, "%s,%s", *result, new);
908  * @new: new credentials for the target process
917  * Return: Returns 0 and update @new if permission is granted.
919 int security_capset(struct cred *new, const struct cred *old,
924 	return call_int_hook(capset, 0, new, old,
995  * @ts: new time
1009  * security_vm_enough_memory_mm() - Check if allocating a new mem map is allowed
1013  * Check permissions for allocating a new virtual mapping.  If all LSMs return
1050  * @bprm->cred->security to be what commit_creds needs to install for the new
1113  * Prepare to install the new security attributes of a process being
1130  * Tidy up after the installation of the new security attributes of a process
1131  * being transformed by an execve operation.  The new credentials have, by this
1144  * @fc: new filesystem context
1147  * Fill out the ->security field for a new fs_context.
1162  * initialised to NULL by the caller.  @fc indicates the new filesystem context.
1281  * security_sb_mnt_opts_compat() - Check if new mount options are allowed
1283  * @mnt_opts: new mount options
1285  * Determine if the new mount options in @mnt_opts are allowed given the
1394  * @old_path: new location for current rootfs
1395  * @new_path: location of the new rootfs
1579  * @new: creds to modify
1582  * that context in passed in creds so that new files are created using that
1590 				    const struct cred *old, struct cred *new)
1593 			     name, old, new);
1606  * created inode and set up the incore security field for the new inode.  This
1683  * Set up the incore security field for the new anonymous inode and return
1701  * @dentry: new file
1702  * @mode: new file mode
1720  * security_path_mkdir() - Check if creating a new directory is allowed
1722  * @dentry: new directory
1723  * @mode: new directory mode
1725  * Check permissions to create a new directory in the existing directory.
1792  * @new_dir: new parent directory
1793  * @new_dentry: new link
1795  * Check permission before creating a new hard link to a file.
1811  * @new_dir: parent directory of the new file
1812  * @new_dentry: the new file
1853  * @mode: new mode
1855  * Check for permission to change a mode of the file @path. The new mode is
1921  * @dir: new parent directory
1922  * @new_dentry: new link
1924  * Check permission before creating a new hard link to a file.
1971  * security_inode_mkdir() - Check if creation a new director is allowed
1973  * @dentry: new directory
1974  * @mode: new directory mode
1976  * Check permissions to create a new directory in the existing directory
2008  * @dentry: new file
2009  * @mode: new file mode
2031  * @new_dir: parent directory of the new file
2032  * @new_dentry: the new file
2118  * @attr: new attributes
2496  * security_inode_copy_up() - Create new creds for an overlayfs copy-up op
2498  * @new: newly created creds
2501  * filesystem. Security module can prepare a set of new creds and modify as
2502  * need be and return new creds. Caller will switch to new creds temporarily to
2503  * create new file and release newly allocated creds.
2507 int security_inode_copy_up(struct dentry *src, struct cred **new)
2509 	return call_int_hook(inode_copy_up, 0, src, new);
2957  * security_prepare_creds() - Prepare a new set of credentials
2958  * @new: new credentials
2962  * Prepare a new set of credentials by copying the data from the old set.
2966 int security_prepare_creds(struct cred *new, const struct cred *old, gfp_t gfp)
2968 	int rc = lsm_cred_alloc(new, gfp);
2973 	rc = call_int_hook(cred_prepare, 0, new, old, gfp);
2975 		security_cred_free(new);
2981  * @new: target credentials
2984  * Transfer data from original creds to new creds.
2986 void security_transfer_creds(struct cred *new, const struct cred *old)
2988 	call_void_hook(cred_transfer, new, old);
3008  * @new: credentials
3016 int security_kernel_act_as(struct cred *new, u32 secid)
3018 	return call_int_hook(kernel_act_as, 0, new, secid);
3023  * @new: target credentials
3032 int security_kernel_create_files_as(struct cred *new, struct inode *inode)
3034 	return call_int_hook(kernel_create_files_as, 0, new, inode);
3152  * security_task_fix_setuid() - Update LSM with new user id attributes
3153  * @new: updated credentials
3159  * the set*uid system calls invoked this hook.  If @new is the set of
3165 int security_task_fix_setuid(struct cred *new, const struct cred *old,
3168 	return call_int_hook(task_fix_setuid, 0, new, old, flags);
3172  * security_task_fix_setgid() - Update LSM with new group id attributes
3173  * @new: updated credentials
3179  * the set*gid system calls invoked this hook.  @new is the set of credentials
3185 int security_task_fix_setgid(struct cred *new, const struct cred *old,
3188 	return call_int_hook(task_fix_setgid, 0, new, old, flags);
3192  * security_task_fix_setgroups() - Update LSM with new supplementary groups
3193  * @new: updated credentials
3197  * attributes of the current process.  @new is the set of credentials that will
3203 int security_task_fix_setgroups(struct cred *new, const struct cred *old)
3205 	return call_int_hook(task_fix_setgroups, 0, new, old);
3211  * @pgid: new pgid
3338  * security_task_setrlimit() - Check if setting a new rlimit value is allowed
3341  * @new_rlim: new resource limit
3462  * security_create_user_ns() - Check if creating a new userns is allowed
3465  * Check permission prior to creating a new user namespace.
3577  * for an existing message queue, not when a new message queue is created.
3680  * region identifier for an existing region, not when a new shared memory
3764  * an existing semaphore, not when a new one must be created.
4089  * @newsk: new sock
4140  * security_socket_create() - Check if creating a new socket is allowed
4146  * Check permissions prior to creating a new socket.
4250  * Check permission before accepting a new connection.  Note that the new
4536  * @req: new request_sock
4550  * security_inet_csk_clone() - Set new sock LSM state based on request_sock
4551  * @newsk: new sock
4567  * Update @sock's LSM state to represent a new connection from @skb.
4578  * @secid: new secmark value
4642  * Check permissions prior to creating a new TUN device.
4741  * Called whenever a new socket is created by accept(2) (i.e. a TCP style
4772  * @ssk: the new subflow
5370  * @new: new credentials
5373  * override it's credentials with @new.
5377 int security_uring_override_creds(const struct cred *new)
5379 	return call_int_hook(uring_override_creds, 0, new);

Indexes created Thu Nov 07 10:32:03 CST 2024