// SPDX-License-Identifier: GPL-2.0-or-later

/*

* Security plug functions

*

* Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>

* Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>

* Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>

* Copyright (C) 2016 Mellanox Technologies

* Copyright (C) 2023 Microsoft Corporation <paul@paul-moore.com>

*/

#define pr_fmt(fmt) "LSM: " fmt

#include <linux/bpf.h>

#include <linux/capability.h>

#include <linux/dcache.h>

#include <linux/export.h>

#include <linux/init.h>

#include <linux/kernel.h>

#include <linux/kernel_read_file.h>

#include <linux/lsm_hooks.h>

#include <linux/mman.h>

#include <linux/mount.h>

#include <linux/personality.h>

#include <linux/backing-dev.h>

#include <linux/string.h>

#include <linux/xattr.h>

#include <linux/msg.h>

#include <linux/overflow.h>

#include <linux/perf_event.h>

#include <linux/fs.h>

#include <net/flow.h>

#include <net/sock.h>

#include "lsm.h"

/*

* These are descriptions of the reasons that can be passed to the

* security_locked_down() LSM hook. Placing this array here allows

* all security modules to use the same descriptions for auditing

* purposes.

*/

const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX + 1] = {

[LOCKDOWN_NONE] = "none",

[LOCKDOWN_MODULE_SIGNATURE] = "unsigned module loading",

[LOCKDOWN_DEV_MEM] = "/dev/mem,kmem,port",

[LOCKDOWN_EFI_TEST] = "/dev/efi_test access",

[LOCKDOWN_KEXEC] = "kexec of unsigned images",

[LOCKDOWN_HIBERNATION] = "hibernation",

[LOCKDOWN_PCI_ACCESS] = "direct PCI access",

[LOCKDOWN_IOPORT] = "raw io port access",

[LOCKDOWN_MSR] = "raw MSR access",

[LOCKDOWN_ACPI_TABLES] = "modifying ACPI tables",

[LOCKDOWN_DEVICE_TREE] = "modifying device tree contents",

[LOCKDOWN_PCMCIA_CIS] = "direct PCMCIA CIS storage",

[LOCKDOWN_TIOCSSERIAL] = "reconfiguration of serial port IO",

[LOCKDOWN_MODULE_PARAMETERS] = "unsafe module parameters",

[LOCKDOWN_MMIOTRACE] = "unsafe mmio",

[LOCKDOWN_DEBUGFS] = "debugfs access",

[LOCKDOWN_XMON_WR] = "xmon write access",

[LOCKDOWN_BPF_WRITE_USER] = "use of bpf to write user RAM",

[LOCKDOWN_DBG_WRITE_KERNEL] = "use of kgdb/kdb to write kernel RAM",

[LOCKDOWN_RTAS_ERROR_INJECTION] = "RTAS error injection",

[LOCKDOWN_XEN_USER_ACTIONS] = "Xen guest user action",

[LOCKDOWN_INTEGRITY_MAX] = "integrity",

[LOCKDOWN_KCORE] = "/proc/kcore access",

[LOCKDOWN_KPROBES] = "use of kprobes",

[LOCKDOWN_BPF_READ_KERNEL] = "use of bpf to read kernel RAM",

[LOCKDOWN_DBG_READ_KERNEL] = "use of kgdb/kdb to read kernel RAM",

[LOCKDOWN_PERF] = "unsafe use of perf",

[LOCKDOWN_TRACEFS] = "use of tracefs",

[LOCKDOWN_XMON_RW] = "xmon read and write access",

[LOCKDOWN_XFRM_SECRET] = "xfrm SA secret",

[LOCKDOWN_CONFIDENTIALITY_MAX] = "confidentiality",

};

bool lsm_debug __ro_after_init;

unsigned int lsm_active_cnt __ro_after_init;

const struct lsm_id *lsm_idlist[MAX_LSM_COUNT];

struct lsm_blob_sizes blob_sizes;

struct kmem_cache *lsm_file_cache;

struct kmem_cache *lsm_backing_file_cache;

struct kmem_cache *lsm_inode_cache;

#define SECURITY_HOOK_ACTIVE_KEY(HOOK, IDX) security_hook_active_##HOOK##_##IDX

/*

* Identifier for the LSM static calls.

* HOOK is an LSM hook as defined in linux/lsm_hookdefs.h

* IDX is the index of the static call. 0 <= NUM < MAX_LSM_COUNT

*/

#define LSM_STATIC_CALL(HOOK, IDX) lsm_static_call_##HOOK##_##IDX

/*

* Call the macro M for each LSM hook MAX_LSM_COUNT times.

*/

#define LSM_LOOP_UNROLL(M, ...) \

do { \

UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__) \

} while (0)

#define LSM_DEFINE_UNROLL(M, ...) UNROLL(MAX_LSM_COUNT, M, __VA_ARGS__)

#ifdef CONFIG_HAVE_STATIC_CALL

#define LSM_HOOK_TRAMP(NAME, NUM) \

&STATIC_CALL_TRAMP(LSM_STATIC_CALL(NAME, NUM))

#else

#define LSM_HOOK_TRAMP(NAME, NUM) NULL

#endif

/*

* Define static calls and static keys for each LSM hook.

*/

#define DEFINE_LSM_STATIC_CALL(NUM, NAME, RET, ...) \

DEFINE_STATIC_CALL_NULL(LSM_STATIC_CALL(NAME, NUM), \

*((RET(*)(__VA_ARGS__))NULL)); \

static DEFINE_STATIC_KEY_FALSE(SECURITY_HOOK_ACTIVE_KEY(NAME, NUM));

#define LSM_HOOK(RET, DEFAULT, NAME, ...) \

LSM_DEFINE_UNROLL(DEFINE_LSM_STATIC_CALL, NAME, RET, __VA_ARGS__)

#include <linux/lsm_hook_defs.h>

#undef LSM_HOOK

#undef DEFINE_LSM_STATIC_CALL

/*

* Initialise a table of static calls for each LSM hook.

* DEFINE_STATIC_CALL_NULL invocation above generates a key (STATIC_CALL_KEY)

* and a trampoline (STATIC_CALL_TRAMP) which are used to call

* __static_call_update when updating the static call.

*

* The static calls table is used by early LSMs, some architectures can fault on

* unaligned accesses and the fault handling code may not be ready by then.

* Thus, the static calls table should be aligned to avoid any unhandled faults

* in early init.

*/

struct lsm_static_calls_table

static_calls_table __ro_after_init __aligned(sizeof(u64)) = {

#define INIT_LSM_STATIC_CALL(NUM, NAME) \

(struct lsm_static_call) { \

.key = &STATIC_CALL_KEY(LSM_STATIC_CALL(NAME, NUM)), \

.trampoline = LSM_HOOK_TRAMP(NAME, NUM), \

.active = &SECURITY_HOOK_ACTIVE_KEY(NAME, NUM), \

},

#define LSM_HOOK(RET, DEFAULT, NAME, ...) \

.NAME = { \

LSM_DEFINE_UNROLL(INIT_LSM_STATIC_CALL, NAME) \

},

#include <linux/lsm_hook_defs.h>

#undef LSM_HOOK

#undef INIT_LSM_STATIC_CALL

};

/**

* lsm_file_alloc - allocate a composite file blob

* @file: the file that needs a blob

*

* Allocate the file blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_file_alloc(struct file *file)

{

if (!lsm_file_cache) {

file->f_security = NULL;

return 0;

}

file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL);

if (file->f_security == NULL)

return -ENOMEM;

return 0;

}

/**

* lsm_backing_file_alloc - allocate a composite backing file blob

* @backing_file: the backing file

*

* Allocate the backing file blob for all the modules.

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_backing_file_alloc(struct file *backing_file)

{

void *blob;

if (!lsm_backing_file_cache) {

backing_file_set_security(backing_file, NULL);

return 0;

}

blob = kmem_cache_zalloc(lsm_backing_file_cache, GFP_KERNEL);

backing_file_set_security(backing_file, blob);

if (!blob)

return -ENOMEM;

return 0;

}

/**

* lsm_blob_alloc - allocate a composite blob

* @dest: the destination for the blob

* @size: the size of the blob

* @gfp: allocation type

*

* Allocate a blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_blob_alloc(void **dest, size_t size, gfp_t gfp)

{

if (size == 0) {

*dest = NULL;

return 0;

}

*dest = kzalloc(size, gfp);

if (*dest == NULL)

return -ENOMEM;

return 0;

}

/**

* lsm_cred_alloc - allocate a composite cred blob

* @cred: the cred that needs a blob

* @gfp: allocation type

*

* Allocate the cred blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

int lsm_cred_alloc(struct cred *cred, gfp_t gfp)

{

return lsm_blob_alloc(&cred->security, blob_sizes.lbs_cred, gfp);

}

/**

* lsm_inode_alloc - allocate a composite inode blob

* @inode: the inode that needs a blob

* @gfp: allocation flags

*

* Allocate the inode blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_inode_alloc(struct inode *inode, gfp_t gfp)

{

if (!lsm_inode_cache) {

inode->i_security = NULL;

return 0;

}

inode->i_security = kmem_cache_zalloc(lsm_inode_cache, gfp);

if (inode->i_security == NULL)

return -ENOMEM;

return 0;

}

/**

* lsm_task_alloc - allocate a composite task blob

* @task: the task that needs a blob

*

* Allocate the task blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

int lsm_task_alloc(struct task_struct *task)

{

return lsm_blob_alloc(&task->security, blob_sizes.lbs_task, GFP_KERNEL);

}

/**

* lsm_ipc_alloc - allocate a composite ipc blob

* @kip: the ipc that needs a blob

*

* Allocate the ipc blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_ipc_alloc(struct kern_ipc_perm *kip)

{

return lsm_blob_alloc(&kip->security, blob_sizes.lbs_ipc, GFP_KERNEL);

}

#ifdef CONFIG_KEYS

/**

* lsm_key_alloc - allocate a composite key blob

* @key: the key that needs a blob

*

* Allocate the key blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_key_alloc(struct key *key)

{

return lsm_blob_alloc(&key->security, blob_sizes.lbs_key, GFP_KERNEL);

}

#endif /* CONFIG_KEYS */

/**

* lsm_msg_msg_alloc - allocate a composite msg_msg blob

* @mp: the msg_msg that needs a blob

*

* Allocate the ipc blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_msg_msg_alloc(struct msg_msg *mp)

{

return lsm_blob_alloc(&mp->security, blob_sizes.lbs_msg_msg,

GFP_KERNEL);

}

/**

* lsm_bdev_alloc - allocate a composite block_device blob

* @bdev: the block_device that needs a blob

*

* Allocate the block_device blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_bdev_alloc(struct block_device *bdev)

{

return lsm_blob_alloc(&bdev->bd_security, blob_sizes.lbs_bdev,

GFP_KERNEL);

}

#ifdef CONFIG_BPF_SYSCALL

/**

* lsm_bpf_map_alloc - allocate a composite bpf_map blob

* @map: the bpf_map that needs a blob

*

* Allocate the bpf_map blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_bpf_map_alloc(struct bpf_map *map)

{

return lsm_blob_alloc(&map->security, blob_sizes.lbs_bpf_map, GFP_KERNEL);

}

/**

* lsm_bpf_prog_alloc - allocate a composite bpf_prog blob

* @prog: the bpf_prog that needs a blob

*

* Allocate the bpf_prog blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_bpf_prog_alloc(struct bpf_prog *prog)

{

return lsm_blob_alloc(&prog->aux->security, blob_sizes.lbs_bpf_prog, GFP_KERNEL);

}

/**

* lsm_bpf_token_alloc - allocate a composite bpf_token blob

* @token: the bpf_token that needs a blob

*

* Allocate the bpf_token blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_bpf_token_alloc(struct bpf_token *token)

{

return lsm_blob_alloc(&token->security, blob_sizes.lbs_bpf_token, GFP_KERNEL);

}

#endif /* CONFIG_BPF_SYSCALL */

/**

* lsm_superblock_alloc - allocate a composite superblock blob

* @sb: the superblock that needs a blob

*

* Allocate the superblock blob for all the modules

*

* Returns 0, or -ENOMEM if memory can't be allocated.

*/

static int lsm_superblock_alloc(struct super_block *sb)

{

return lsm_blob_alloc(&sb->s_security, blob_sizes.lbs_superblock,

GFP_KERNEL);

}

/**

* lsm_fill_user_ctx - Fill a user space lsm_ctx structure

* @uctx: a userspace LSM context to be filled

* @uctx_len: available uctx size (input), used uctx size (output)

* @val: the new LSM context value

* @val_len: the size of the new LSM context value

* @id: LSM id

* @flags: LSM defined flags

*

* Fill all of the fields in a userspace lsm_ctx structure. If @uctx is NULL

* simply calculate the required size to output via @utc_len and return

* success.

*

* Returns 0 on success, -E2BIG if userspace buffer is not large enough,

* -EFAULT on a copyout error, -ENOMEM if memory can't be allocated.

*/

int lsm_fill_user_ctx(struct lsm_ctx __user *uctx, u32 *uctx_len,

void *val, size_t val_len,

u64 id, u64 flags)

{

struct lsm_ctx *nctx = NULL;

size_t nctx_len;

int rc = 0;

nctx_len = ALIGN(struct_size(nctx, ctx, val_len), sizeof(void *));

if (nctx_len > *uctx_len) {

rc = -E2BIG;

goto out;

}

/* no buffer - return success/0 and set @uctx_len to the req size */

if (!uctx)

goto out;

nctx = kzalloc(nctx_len, GFP_KERNEL);

if (nctx == NULL) {

rc = -ENOMEM;

goto out;

}

nctx->id = id;

nctx->flags = flags;

nctx->len = nctx_len;

nctx->ctx_len = val_len;

memcpy(nctx->ctx, val, val_len);

if (copy_to_user(uctx, nctx, nctx_len))

rc = -EFAULT;

out:

kfree(nctx);

*uctx_len = nctx_len;

return rc;

}

/*

* The default value of the LSM hook is defined in linux/lsm_hook_defs.h and

* can be accessed with:

*

* LSM_RET_DEFAULT(<hook_name>)

*

* The macros below define static constants for the default value of each

* LSM hook.

*/

#define LSM_RET_DEFAULT(NAME) (NAME##_default)

#define DECLARE_LSM_RET_DEFAULT_void(DEFAULT, NAME)

#define DECLARE_LSM_RET_DEFAULT_int(DEFAULT, NAME) \

static const int __maybe_unused LSM_RET_DEFAULT(NAME) = (DEFAULT);

#define LSM_HOOK(RET, DEFAULT, NAME, ...) \

DECLARE_LSM_RET_DEFAULT_##RET(DEFAULT, NAME)

#include <linux/lsm_hook_defs.h>

#undef LSM_HOOK

/*

* Hook list operation macros.

*

* call_void_hook:

* This is a hook that does not return a value.

*

* call_int_hook:

* This is a hook that returns a value.

*/

#define __CALL_STATIC_VOID(NUM, HOOK, ...) \

do { \

if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \

static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \

} \

} while (0);

#define call_void_hook(HOOK, ...) \

do { \

LSM_LOOP_UNROLL(__CALL_STATIC_VOID, HOOK, __VA_ARGS__); \

} while (0)

#define __CALL_STATIC_INT(NUM, R, HOOK, LABEL, ...) \

do { \

if (static_branch_unlikely(&SECURITY_HOOK_ACTIVE_KEY(HOOK, NUM))) { \

R = static_call(LSM_STATIC_CALL(HOOK, NUM))(__VA_ARGS__); \

if (R != LSM_RET_DEFAULT(HOOK)) \

goto LABEL; \

} \

} while (0);

#define call_int_hook(HOOK, ...) \

({ \

__label__ OUT; \

int RC = LSM_RET_DEFAULT(HOOK); \

\

LSM_LOOP_UNROLL(__CALL_STATIC_INT, RC, HOOK, OUT, __VA_ARGS__); \

OUT: \

RC; \

})

#define lsm_for_each_hook(scall, NAME) \

for (scall = static_calls_table.NAME; \

scall - static_calls_table.NAME < MAX_LSM_COUNT; scall++) \

if (static_key_enabled(&scall->active->key))

/* Security operations */

/**

* security_binder_set_context_mgr() - Check if becoming binder ctx mgr is ok

* @mgr: task credentials of current binder process

*

* Check whether @mgr is allowed to be the binder context manager.

*

* Return: Return 0 if permission is granted.

*/

int security_binder_set_context_mgr(const struct cred *mgr)

{

return call_int_hook(binder_set_context_mgr, mgr);

}

/**

* security_binder_transaction() - Check if a binder transaction is allowed

* @from: sending process

* @to: receiving process

*

* Check whether @from is allowed to invoke a binder transaction call to @to.

*

* Return: Returns 0 if permission is granted.

*/

int security_binder_transaction(const struct cred *from,

const struct cred *to)

{

return call_int_hook(binder_transaction, from, to);

}

/**

* security_binder_transfer_binder() - Check if a binder transfer is allowed

* @from: sending process

* @to: receiving process

*

* Check whether @from is allowed to transfer a binder reference to @to.

*

* Return: Returns 0 if permission is granted.

*/

int security_binder_transfer_binder(const struct cred *from,

const struct cred *to)

{

return call_int_hook(binder_transfer_binder, from, to);

}

/**

* security_binder_transfer_file() - Check if a binder file xfer is allowed

* @from: sending process

* @to: receiving process

* @file: file being transferred

*

* Check whether @from is allowed to transfer @file to @to.

*

* Return: Returns 0 if permission is granted.

*/

int security_binder_transfer_file(const struct cred *from,

const struct cred *to, const struct file *file)

{

return call_int_hook(binder_transfer_file, from, to, file);

}

/**

* security_ptrace_access_check() - Check if tracing is allowed

* @child: target process

* @mode: PTRACE_MODE flags

*

* Check permission before allowing the current process to trace the @child

* process. Security modules may also want to perform a process tracing check

* during an execve in the set_security or apply_creds hooks of tracing check

* during an execve in the bprm_set_creds hook of binprm_security_ops if the

* process is being traced and its security attributes would be changed by the

* execve.

*

* Return: Returns 0 if permission is granted.

*/

int security_ptrace_access_check(struct task_struct *child, unsigned int mode)

{

return call_int_hook(ptrace_access_check, child, mode);

}

/**

* security_ptrace_traceme() - Check if tracing is allowed

* @parent: tracing process

*

* Check that the @parent process has sufficient permission to trace the

* current process before allowing the current process to present itself to the

* @parent process for tracing.

*

* Return: Returns 0 if permission is granted.

*/

int security_ptrace_traceme(struct task_struct *parent)

{

return call_int_hook(ptrace_traceme, parent);

}

/**

* security_capget() - Get the capability sets for a process

* @target: target process

* @effective: effective capability set

* @inheritable: inheritable capability set

* @permitted: permitted capability set

*

* Get the @effective, @inheritable, and @permitted capability sets for the

* @target process. The hook may also perform permission checking to determine

* if the current process is allowed to see the capability sets of the @target

* process.

*

* Return: Returns 0 if the capability sets were successfully obtained.

*/

int security_capget(const struct task_struct *target,

kernel_cap_t *effective,

kernel_cap_t *inheritable,

kernel_cap_t *permitted)

{

return call_int_hook(capget, target, effective, inheritable, permitted);

}

/**

* security_capset() - Set the capability sets for a process

* @new: new credentials for the target process

* @old: current credentials of the target process

* @effective: effective capability set

* @inheritable: inheritable capability set

* @permitted: permitted capability set

*

* Set the @effective, @inheritable, and @permitted capability sets for the

* current process.

*

* Return: Returns 0 and update @new if permission is granted.

*/

int security_capset(struct cred *new, const struct cred *old,

const kernel_cap_t *effective,

const kernel_cap_t *inheritable,

const kernel_cap_t *permitted)

{

return call_int_hook(capset, new, old, effective, inheritable,

permitted);

}

/**

* security_capable() - Check if a process has the necessary capability

* @cred: credentials to examine

* @ns: user namespace

* @cap: capability requested

* @opts: capability check options

*

* Check whether the @tsk process has the @cap capability in the indicated

* credentials. @cap contains the capability <include/linux/capability.h>.

* @opts contains options for the capable check <include/linux/security.h>.

*

* Return: Returns 0 if the capability is granted.

*/

int security_capable(const struct cred *cred,

struct user_namespace *ns,

int cap,

unsigned int opts)

{

return call_int_hook(capable, cred, ns, cap, opts);

}

/**

* security_quotactl() - Check if a quotactl() syscall is allowed for this fs

* @cmds: commands

* @type: type

* @id: id

* @sb: filesystem

*

* Check whether the quotactl syscall is allowed for this @sb.

*

* Return: Returns 0 if permission is granted.

*/

int security_quotactl(int cmds, int type, int id, const struct super_block *sb)

{

return call_int_hook(quotactl, cmds, type, id, sb);

}

/**

* security_quota_on() - Check if QUOTAON is allowed for a dentry

* @dentry: dentry

*

* Check whether QUOTAON is allowed for @dentry.

*

* Return: Returns 0 if permission is granted.

*/

int security_quota_on(struct dentry *dentry)

{

return call_int_hook(quota_on, dentry);

}

/**

* security_syslog() - Check if accessing the kernel message ring is allowed

* @type: SYSLOG_ACTION_* type

*

* Check permission before accessing the kernel message ring or changing

* logging to the console. See the syslog(2) manual page for an explanation of

* the @type values.

*

* Return: Return 0 if permission is granted.

*/

int security_syslog(int type)

{

return call_int_hook(syslog, type);

}

/**

* security_settime64() - Check if changing the system time is allowed

* @ts: new time

* @tz: timezone

*

* Check permission to change the system time, struct timespec64 is defined in

* <include/linux/time64.h> and timezone is defined in <include/linux/time.h>.

*

* Return: Returns 0 if permission is granted.

*/

int security_settime64(const struct timespec64 *ts, const struct timezone *tz)

{

return call_int_hook(settime, ts, tz);

}

/**

* security_vm_enough_memory_mm() - Check if allocating a new mem map is allowed

* @mm: mm struct

* @pages: number of pages

*

* Check permissions for allocating a new virtual mapping. If all LSMs return

* a positive value, __vm_enough_memory() will be called with cap_sys_admin

* set. If at least one LSM returns 0 or negative, __vm_enough_memory() will be

* called with cap_sys_admin cleared.

*

* Return: Returns 0 if permission is granted by the LSM infrastructure to the

* caller.

*/

int security_vm_enough_memory_mm(struct mm_struct *mm, long pages)

{

struct lsm_static_call *scall;

int cap_sys_admin = 1;

int rc;

/*

* The module will respond with 0 if it thinks the __vm_enough_memory()

* call should be made with the cap_sys_admin set. If all of the modules

* agree that it should be set it will. If any module thinks it should

* not be set it won't.

*/

lsm_for_each_hook(scall, vm_enough_memory) {

rc = scall->hl->hook.vm_enough_memory(mm, pages);

if (rc < 0) {

cap_sys_admin = 0;

break;

}

}

return __vm_enough_memory(mm, pages, cap_sys_admin);

}

/**

* security_bprm_creds_for_exec() - Prepare the credentials for exec()

* @bprm: binary program information

*

* If the setup in prepare_exec_creds did not setup @bprm->cred->security

* properly for executing @bprm->file, update the LSM's portion of

* @bprm->cred->security to be what commit_creds needs to install for the new

* program. This hook may also optionally check permissions (e.g. for

* transitions between security domains). The hook must set @bprm->secureexec

* to 1 if AT_SECURE should be set to request libc enable secure mode. @bprm

* contains the linux_binprm structure.

*

* If execveat(2) is called with the AT_EXECVE_CHECK flag, bprm->is_check is

* set. The result must be the same as without this flag even if the execution

* will never really happen and @bprm will always be dropped.

*

* This hook must not change current->cred, only @bprm->cred.

*

* Return: Returns 0 if the hook is successful and permission is granted.

*/

int security_bprm_creds_for_exec(struct linux_binprm *bprm)

{

return call_int_hook(bprm_creds_for_exec, bprm);

}

/**

* security_bprm_creds_from_file() - Update linux_binprm creds based on file

* @bprm: binary program information

* @file: associated file

*

* If @file is setpcap, suid, sgid or otherwise marked to change privilege upon

* exec, update @bprm->cred to reflect that change. This is called after

* finding the binary that will be executed without an interpreter. This

* ensures that the credentials will not be derived from a script that the

* binary will need to reopen, which when reopend may end up being a completely

* different file. This hook may also optionally check permissions (e.g. for

* transitions between security domains). The hook must set @bprm->secureexec

* to 1 if AT_SECURE should be set to request libc enable secure mode. The

* hook must add to @bprm->per_clear any personality flags that should be

* cleared from current->personality. @bprm contains the linux_binprm

* structure.

*

* Return: Returns 0 if the hook is successful and permission is granted.

*/

int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)

{

return call_int_hook(bprm_creds_from_file, bprm, file);

}

/**

* security_bprm_check() - Mediate binary handler search

* @bprm: binary program information

*

* This hook mediates the point when a search for a binary handler will begin.

* It allows a check against the @bprm->cred->security value which was set in

* the preceding creds_for_exec call. The argv list and envp list are reliably

* available in @bprm. This hook may be called multiple times during a single

* execve. @bprm contains the linux_binprm structure.

*

* Return: Returns 0 if the hook is successful and permission is granted.

*/

int security_bprm_check(struct linux_binprm *bprm)

{

return call_int_hook(bprm_check_security, bprm);

}

/**

* security_bprm_committing_creds() - Install creds for a process during exec()

* @bprm: binary program information

*

* Prepare to install the new security attributes of a process being

* transformed by an execve operation, based on the old credentials pointed to

* by @current->cred and the information set in @bprm->cred by the

* bprm_creds_for_exec hook. @bprm points to the linux_binprm structure. This

* hook is a good place to perform state changes on the process such as closing

* open file descriptors to which access will no longer be granted when the

* attributes are changed. This is called immediately before commit_creds().

*/

void security_bprm_committing_creds(const struct linux_binprm *bprm)

{

call_void_hook(bprm_committing_creds, bprm);

}

/**

* security_bprm_committed_creds() - Tidy up after cred install during exec()

* @bprm: binary program information

*

* Tidy up after the installation of the new security attributes of a process

* being transformed by an execve operation. The new credentials have, by this

* point, been set to @current->cred. @bprm points to the linux_binprm

* structure. This hook is a good place to perform state changes on the

* process such as clearing out non-inheritable signal state. This is called

* immediately after commit_creds().

*/

void security_bprm_committed_creds(const struct linux_binprm *bprm)

{

call_void_hook(bprm_committed_creds, bprm);

}

/**

* security_fs_context_submount() - Initialise fc->security

* @fc: new filesystem context

* @reference: dentry reference for submount/remount

*

* Fill out the ->security field for a new fs_context.

*

* Return: Returns 0 on success or negative error code on failure.

*/

int security_fs_context_submount(struct fs_context *fc, struct super_block *reference)

{

return call_int_hook(fs_context_submount, fc, reference);

}

/**

* security_fs_context_dup() - Duplicate a fs_context LSM blob

* @fc: destination filesystem context

* @src_fc: source filesystem context

*

* Allocate and attach a security structure to sc->security. This pointer is

* initialised to NULL by the caller. @fc indicates the new filesystem context.

* @src_fc indicates the original filesystem context.

*

* Return: Returns 0 on success or a negative error code on failure.

*/

int security_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc)

{

return call_int_hook(fs_context_dup, fc, src_fc);

}

/**

* security_fs_context_parse_param() - Configure a filesystem context

* @fc: filesystem context

* @param: filesystem parameter

*

* Userspace provided a parameter to configure a superblock. The LSM can

* consume the parameter or return it to the caller for use elsewhere.

*

* Return: If the parameter is used by the LSM it should return 0, if it is

* returned to the caller -ENOPARAM is returned, otherwise a negative

* error code is returned.

*/

int security_fs_context_parse_param(struct fs_context *fc,

struct fs_parameter *param)

{

struct lsm_static_call *scall;

int trc;

int rc = -ENOPARAM;

lsm_for_each_hook(scall, fs_context_parse_param) {

trc = scall->hl->hook.fs_context_parse_param(fc, param);

if (trc == 0)

rc = 0;

else if (trc != -ENOPARAM)

return trc;

}

return rc;

}

/**

* security_sb_alloc() - Allocate a super_block LSM blob

* @sb: filesystem superblock

*

* Allocate and attach a security structure to the sb->s_security field. The

* s_security field is initialized to NULL when the structure is allocated.

* @sb contains the super_block structure to be modified.

*

* Return: Returns 0 if operation was successful.

*/

int security_sb_alloc(struct super_block *sb)

{

int rc = lsm_superblock_alloc(sb);

if (unlikely(rc))

return rc;

rc = call_int_hook(sb_alloc_security, sb);

if (unlikely(rc))

security_sb_free(sb);

return rc;

}

/**

* security_sb_delete() - Release super_block LSM associated objects

* @sb: filesystem superblock

*

* Release objects tied to a superblock (e.g. inodes). @sb contains the

* super_block structure being released.

*/

void security_sb_delete(struct super_block *sb)

{

call_void_hook(sb_delete, sb);

}

/**

* security_sb_free() - Free a super_block LSM blob

* @sb: filesystem superblock

*

* Deallocate and clear the sb->s_security field. @sb contains the super_block

* structure to be modified.

*/

void security_sb_free(struct super_block *sb)

{

call_void_hook(sb_free_security, sb);

kfree(sb->s_security);

sb->s_security = NULL;

}

/**

* security_free_mnt_opts() - Free memory associated with mount options

* @mnt_opts: LSM processed mount options

*

* Free memory associated with @mnt_ops.

*/

void security_free_mnt_opts(void **mnt_opts)

{

if (!*mnt_opts)

return;

call_void_hook(sb_free_mnt_opts, *mnt_opts);

*mnt_opts = NULL;

}

EXPORT_SYMBOL(security_free_mnt_opts);

/**

* security_sb_eat_lsm_opts() - Consume LSM mount options

* @options: mount options

* @mnt_opts: LSM processed mount options

*

* Eat (scan @options) and save them in @mnt_opts.

*

* Return: Returns 0 on success, negative values on failure.

*/

int security_sb_eat_lsm_opts(char *options, void **mnt_opts)

{

return call_int_hook(sb_eat_lsm_opts, options, mnt_opts);

}

EXPORT_SYMBOL(security_sb_eat_lsm_opts);

/**

* security_sb_mnt_opts_compat() - Check if new mount options are allowed

* @sb: filesystem superblock

* @mnt_opts: new mount options

*

* Determine if the new mount options in @mnt_opts are allowed given the

* existing mounted filesystem at @sb. @sb superblock being compared.

*