• R/O
  • SSH
  • HTTPS

akari: Commit


Commit MetaInfo

Revision589 (tree)
Zeit2018-04-01 19:55:44
Autorkumaneko

Log Message

1.0.38

Ändern Zusammenfassung

Diff

--- tags/patches/1.0.38/README (nonexistent)
+++ tags/patches/1.0.38/README (revision 589)
@@ -0,0 +1,319 @@
1+Notes for AKARI project
2+
3+AKARI is Access Keeping And Regulating Instrument for Linux 2.6 and later
4+kernels.
5+
6+You can use AKARI for analyzing your system's behavior (i.e. reports which
7+application accesses which resources like strace command does) and optionally
8+restricting your system's behavior (i.e. controls which application can
9+access which resources like TOMOYO/AppArmor does).
10+
11+AKARI is forked from TOMOYO 1.8 and made as a LKM (loadable kernel module)
12+so that you don't need to replace your kernels installed in your system.
13+
14+This patch is released under the GPLv2.
15+
16+Project URL: http://akari.osdn.jp/
17+
18+ChangeLog:
19+
20+Version 1.0 2010/10/10 First release.
21+
22+Version 1.0.1 2010/10/18 Minor update release.
23+
24+ Synchronize with TOMOYO revision 4069.
25+
26+ Fix off-by-two in ccs_check_unix_address().
27+
28+ Implement post accept() LSM hook.
29+
30+Version 1.0.2 2010/10/25 Minor update release.
31+
32+ Synchronize with TOMOYO revision 4090.
33+
34+ Add getattr() and readdir() checks.
35+
36+ Use "YYYY/MM/DD hh:mm:ss" format for /proc/ccs/ interface.
37+
38+ Do not automatically add / for umount().
39+
40+Version 1.0.3 2010/11/01 Minor update release.
41+
42+ Synchronize with TOMOYO revision 4104.
43+
44+ Fix pathname handling in ccs_unix_entry().
45+
46+Version 1.0.4 2010/11/11 Minor update release.
47+
48+ Synchronize with TOMOYO 1.8.0 release.
49+
50+ Add sysctl() check for 2.6.21 to 2.6.32 kernels.
51+
52+ Fix double new_decode_dev() bug for mknod().
53+
54+ Fix keyword typo.
55+
56+ Fix build failure on some kernels.
57+
58+ Changed pathname prefix priority.
59+
60+ Use hash table for faster scan.
61+
62+ Updated function comments.
63+
64+Version 1.0.5 2010/11/22 Minor update release.
65+
66+ Make ccs_domain_info/ccs_flags inheritable for 2.6.29 and later kernels.
67+
68+Version 1.0.6 2010/12/31 Minor update release.
69+
70+ Synchronize with TOMOYO revision 4280.
71+
72+ Use same interface for audit logs.
73+
74+ Split ccs_null_security into ccs_default_security and ccs_oom_security.
75+
76+Version 1.0.7 2011/01/21 Minor update release.
77+
78+ Synchronize with TOMOYO revision 4400.
79+
80+ Use filesystem name for unnamed devices when vfsmount is missing.
81+
82+Version 1.0.8 2011/02/07 Minor update release.
83+
84+ Synchronize with TOMOYO revision 4545.
85+
86+ Fix infinite loop bug when reading /proc/ccs/audit or /proc/ccs/query .
87+
88+Version 1.0.9 2011/02/14 Minor update release.
89+
90+ Fix missing permission check for interpreters in 2.6.30 and later kernels.
91+
92+Version 1.0.10 2011/02/15 Minor update release.
93+
94+ Fix missing permission check for interpreters in 2.6.23 and earlier kernels.
95+
96+ Fix wrong execute permission check and domain transition in 2.6.28 and earlier kernels.
97+
98+Version 1.0.11 2010/04/01 Minor update release.
99+
100+ Synchronize with TOMOYO 1.8.1 release.
101+
102+ Run garbage collector without waiting for /proc/ccs/ users.
103+
104+ Support built-in policy configuration.
105+
106+ Remove /proc/ccs/meminfo interface.
107+
108+ Pack policy when printing via /proc/ccs/ interface.
109+
110+ Fix conditional policy parsing.
111+
112+ Serialize updating profile's comment line.
113+
114+Version 1.0.12 2011/04/11 Minor update release.
115+
116+ Synchronize with TOMOYO revision 4874.
117+
118+ Fix fcntl(F_SETFL, O_APPEND) handling.
119+
120+Version 1.0.13 2011/05/05 Minor update release.
121+
122+ Synchronize with TOMOYO revision 4963.
123+
124+ Fix wrong profile number in audit logs for "misc env" permission.
125+
126+Version 1.0.14 2011/05/11 Minor update release.
127+
128+ Synchronize with TOMOYO revision 4978.
129+
130+ Fix wrong domainname validation.
131+
132+Version 1.0.15 2011/06/20 Minor update release.
133+
134+ Synchronize with TOMOYO 1.8.2 release.
135+
136+ Add policy namespace support.
137+
138+Version 1.0.16 2011/07/07 Minor update release.
139+
140+ Synchronize with TOMOYO revision 5235.
141+
142+ Remove /proc/ccs/.domain_status interface.
143+
144+Version 1.0.17 2011/07/13 Minor update release.
145+
146+ Synchronize with TOMOYO revision 5266.
147+
148+ Fix /proc/ccs/stat parser.
149+
150+ Accept "::" notation for IPv6 address.
151+
152+Version 1.0.18 2011/09/03 Minor update release.
153+
154+ Synchronize with TOMOYO revision 5401.
155+
156+ Avoid race when retrying "file execute" permission check.
157+
158+ Remove unneeded daemonize().
159+
160+ Fix load failure with !CONFIG_SMP && !CONFIG_DEBUG_SPINLOCK kernels.
161+
162+Version 1.0.19 2011/09/15 Minor update release.
163+
164+ Use akari/config.h for choosing build options.
165+
166+ Fix build error on CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER=y case.
167+
168+ Use lookup_mnt() rather than __put_namespace(). (2.6.0 to 2.6.2 kernels)
169+
170+ Fix unbalanced spin_lock()/spin_unlock() pair in lsm_pin().
171+ (2.6.15 to 2.6.35 kernels)
172+
173+ Fix "struct task_struct" leaks of tasks created before loading akari.ko .
174+ (2.6.28 and earlier kernels)
175+
176+ Use "struct task_struct"->pids[PIDTYPE_PID].pid instead of
177+ "struct task_struct" for associating with per "struct task_struct" variables
178+ (i.e. "struct ccs_security") in order to reduce amount of dead memory
179+ waiting for garbage collection. (2.6.29 and later kernels)
180+
181+ Add akari_test.ko for checking whether akari.ko seems to work or not.
182+
183+ Add SH and ARM architectures support. (Needs more testing.)
184+
185+Version 1.0.20 2011/09/29 Minor update release.
186+
187+ Synchronize with TOMOYO 1.8.3 release.
188+
189+ Allow specifying domain transition preference.
190+
191+ Simplify garbage collector.
192+
193+Version 1.0.21 2011/10/25 Minor update release.
194+
195+ Synchronize with TOMOYO revision 5569.
196+
197+ Fix incomplete read after seek.
198+
199+ Use query id for reaching target process's domain policy.
200+
201+ Fix quota counting.
202+
203+Version 1.0.22 2011/11/11 Minor update release.
204+
205+ Synchronize with TOMOYO revision 5625.
206+
207+ Optimize for object's size.
208+
209+Version 1.0.23 2011/11/18 Minor update release.
210+
211+ Synchronize with TOMOYO revision 5646.
212+
213+ Fix kernel config mapping error.
214+
215+Version 1.0.24 2011/12/13 Minor update release.
216+
217+ Synchronize with TOMOYO revision 5711.
218+
219+ Follow __d_path() behavior change. (Only 2.6.36 and later)
220+
221+Version 1.0.25 2012/02/29 Minor update release.
222+
223+ Synchronize with TOMOYO revision 5893.
224+
225+ Follow UMH_WAIT_PROC constant renumbering.
226+
227+ Fix mount flags checking order.
228+
229+Version 1.0.26 2012/04/01 Minor update release.
230+
231+ Synchronize with TOMOYO revision 5973.
232+
233+ Return appropriate value to poll().
234+
235+Version 1.0.27 2012/05/05 Minor update release.
236+
237+ Synchronize with TOMOYO revision 6035.
238+
239+ Readd RHEL_MINOR/AX_MINOR checks.
240+
241+ Accept manager programs which do not start with / .
242+
243+Version 1.0.28 2012/10/20 Security update release.
244+
245+ Fix kernel panic caused by double kfree() bug when "struct ccs_execve"
246+ pointer was by error duplicated at __ccs_alloc_task_security().
247+ This bug affects only 2.6.28 and earlier kernels.
248+
249+Version 1.0.29 2012/11/04 Minor update release.
250+
251+ Use dummy pointer as needed in order to make sure that security_bprm_free()
252+ (which is used for making the caller of do_execve() return to previous
253+ domain when do_execve() failed after domain transition) is always called.
254+ Without this fix, domain transition history on 2.6.28 and earlier kernels
255+ becomes inaccurate.
256+
257+Version 1.0.30 2013/02/14 Minor update release.
258+
259+ Commit a2a8474c "exec: do not sleep in TASK_TRACED under ->cred_guard_mutex"
260+ moved "current->in_execve = 1;" from before prepare_bprm_creds() to after
261+ prepare_bprm_creds(). It turned out that, as an unexpected bonus, we can use
262+ security_prepare_creds() as a hook for emulating security_bprm_free() hook.
263+
264+ I updated the logic for security_bprm_free() emulation, and now AKARI should
265+ be able to coexist with other AKARI-like LKM-based LSM implementations (e.g.
266+ CaitSith) on all kernel versions other than 2.6.29 and 2.6.30.
267+
268+Version 1.0.31 2015/01/12 Minor update release.
269+
270+ Synchronize with TOMOYO revision 6373.
271+
272+ Fix missing chmod(-1) check in Linux 3.1 and later kernels.
273+
274+ Fix potentially using bogus attributes when stat() fails.
275+
276+Version 1.0.32 2015/04/08 Minor update release.
277+
278+ Synchronize with TOMOYO revision 6388.
279+
280+ Fix incorrect readdir() permission check.
281+
282+Version 1.0.33 2015/04/21 Minor update release.
283+
284+ Synchronize with TOMOYO revision 6407.
285+
286+ Fix incorrect retry request check.
287+
288+Version 1.0.34 2015/05/05 Minor update release.
289+
290+ Synchronize with TOMOYO 1.8.4 release.
291+
292+ Support multiple use_group entries.
293+
294+Version 1.0.35 2015/11/11 Minor update release.
295+
296+ Synchronize with TOMOYO 1.8.5 release.
297+
298+ Use memory allocation flags used by TOMOYO 2.x.
299+
300+ Limit wildcard recursion depth.
301+
302+Version 1.0.36 2017/02/20 Minor update release.
303+
304+ Synchronize with TOMOYO revision 6553.
305+
306+ The bug fixed in TOMOYO's GC does not affect AKARI because
307+ AKARI always uses CONFIG_CCSECURITY_USE_EXTERNAL_TASK_SECURITY.
308+
309+Version 1.0.37 2017/09/17 Minor update release.
310+
311+ Use smp_rmb() when waiting for hook readiness.
312+
313+Version 1.0.38 2018/04/01 Minor update release.
314+
315+ Synchronize with TOMOYO revision 6638.
316+
317+ Due to incorrect probe_kernel_write() usage, previously registered LSM
318+ hook (if any) was by error overwritten by this hook. This bug affects
319+ only 4.12 and later kernels.
--- tags/patches/1.0.38/lsm-2.6.0-vfs.c (nonexistent)
+++ tags/patches/1.0.38/lsm-2.6.0-vfs.c (revision 589)
@@ -0,0 +1,1588 @@
1+/*
2+ * lsm.c
3+ *
4+ * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
5+ *
6+ * Version: 1.0.38 2018/04/01
7+ */
8+
9+#include "internal.h"
10+#include "probe.h"
11+
12+/* Prototype definition. */
13+
14+static int __ccs_alloc_task_security(const struct task_struct *task);
15+static void __ccs_free_task_security(const struct task_struct *task);
16+
17+/* Dummy security context for avoiding NULL pointer dereference. */
18+static struct ccs_security ccs_oom_security = {
19+ .ccs_domain_info = &ccs_kernel_domain
20+};
21+
22+/* Dummy security context for avoiding NULL pointer dereference. */
23+static struct ccs_security ccs_default_security = {
24+ .ccs_domain_info = &ccs_kernel_domain
25+};
26+
27+/* List of "struct ccs_security". */
28+struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
29+/* Lock for protecting ccs_task_security_list[]. */
30+static DEFINE_SPINLOCK(ccs_task_security_list_lock);
31+
32+/* Dummy marker for calling security_bprm_free(). */
33+static const unsigned long ccs_bprm_security;
34+
35+/* For exporting variables and functions. */
36+struct ccsecurity_exports ccsecurity_exports;
37+/* Members are updated by loadable kernel module. */
38+struct ccsecurity_operations ccsecurity_ops;
39+
40+/* Function pointers originally registered by register_security(). */
41+static struct security_operations original_security_ops /* = *security_ops; */;
42+
43+#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT
44+
45+/**
46+ * ccs_update_ee_counter - Update "struct ccs_execve" counter.
47+ *
48+ * @count: Count to increment or decrement.
49+ *
50+ * Returns updated counter.
51+ */
52+static unsigned int ccs_update_ee_counter(int count)
53+{
54+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 10) || defined(atomic_add_return)
55+ /* Debug counter for detecting "struct ccs_execve" memory leak. */
56+ static atomic_t ccs_ee_counter = ATOMIC_INIT(0);
57+ return atomic_add_return(count, &ccs_ee_counter);
58+#else
59+ static DEFINE_SPINLOCK(ccs_ee_lock);
60+ static unsigned int ccs_ee_counter;
61+ unsigned long flags;
62+ spin_lock_irqsave(&ccs_ee_lock, flags);
63+ ccs_ee_counter += count;
64+ count = ccs_ee_counter;
65+ spin_unlock_irqrestore(&ccs_ee_lock, flags);
66+ return count;
67+#endif
68+}
69+
70+/**
71+ * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve".
72+ *
73+ * @ee: Pointer to "struct ccs_execve".
74+ *
75+ * Returns nothing.
76+ */
77+void ccs_audit_alloc_execve(const struct ccs_execve * const ee)
78+{
79+ printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee,
80+ current->pid, ccs_update_ee_counter(1) - 1);
81+}
82+
83+/**
84+ * ccs_audit_free_execve - Audit release of "struct ccs_execve".
85+ *
86+ * @ee: Pointer to "struct ccs_execve".
87+ * @task: True if released by current task, false otherwise.
88+ *
89+ * Returns nothing.
90+ */
91+void ccs_audit_free_execve(const struct ccs_execve * const ee,
92+ const bool is_current)
93+{
94+ const unsigned int tmp = ccs_update_ee_counter(-1);
95+ if (is_current)
96+ printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n",
97+ ee, current->pid, tmp);
98+ else
99+ printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n",
100+ ee, tmp);
101+}
102+
103+#endif
104+
105+#if !defined(CONFIG_AKARI_DEBUG)
106+#define ccs_debug_trace(pos) do { } while (0)
107+#else
108+#define ccs_debug_trace(pos) \
109+ do { \
110+ static bool done; \
111+ if (!done) { \
112+ printk(KERN_INFO \
113+ "AKARI: Debug trace: " pos " of 4\n"); \
114+ done = true; \
115+ } \
116+ } while (0)
117+#endif
118+
119+/**
120+ * ccs_clear_execve - Release memory used by do_execve().
121+ *
122+ * @ret: 0 if do_execve() succeeded, negative value otherwise.
123+ * @security: Pointer to "struct ccs_security".
124+ *
125+ * Returns nothing.
126+ */
127+static void ccs_clear_execve(int ret, struct ccs_security *security)
128+{
129+ struct ccs_execve *ee;
130+ if (security == &ccs_default_security || security == &ccs_oom_security)
131+ return;
132+ ee = security->ee;
133+ security->ee = NULL;
134+ if (!ee)
135+ return;
136+ ccs_finish_execve(ret, ee);
137+}
138+
139+/**
140+ * ccs_task_alloc_security - Allocate memory for new tasks.
141+ *
142+ * @p: Pointer to "struct task_struct".
143+ *
144+ * Returns 0 on success, negative value otherwise.
145+ */
146+static int ccs_task_alloc_security(struct task_struct *p)
147+{
148+ int rc = __ccs_alloc_task_security(p);
149+ if (rc)
150+ return rc;
151+ while (!original_security_ops.task_alloc_security)
152+ smp_rmb();
153+ rc = original_security_ops.task_alloc_security(p);
154+ if (rc)
155+ __ccs_free_task_security(p);
156+ return rc;
157+}
158+
159+/**
160+ * ccs_task_free_security - Release memory for "struct task_struct".
161+ *
162+ * @p: Pointer to "struct task_struct".
163+ *
164+ * Returns nothing.
165+ */
166+static void ccs_task_free_security(struct task_struct *p)
167+{
168+ while (!original_security_ops.task_free_security)
169+ smp_rmb();
170+ original_security_ops.task_free_security(p);
171+ __ccs_free_task_security(p);
172+}
173+
174+/**
175+ * ccs_bprm_alloc_security - Allocate memory for "struct linux_binprm".
176+ *
177+ * @bprm: Pointer to "struct linux_binprm".
178+ *
179+ * Returns 0 on success, negative value otherwise.
180+ */
181+static int ccs_bprm_alloc_security(struct linux_binprm *bprm)
182+{
183+ int rc;
184+ while (!original_security_ops.bprm_alloc_security)
185+ smp_rmb();
186+ rc = original_security_ops.bprm_alloc_security(bprm);
187+ if (bprm->security || rc)
188+ return rc;
189+ /*
190+ * Update bprm->security to &ccs_bprm_security so that
191+ * security_bprm_free() is called even if do_execve() failed at
192+ * search_binary_handler() without allocating memory at
193+ * security_bprm_alloc(). This trick assumes that active LSM module
194+ * does not access bprm->security if that module did not allocate
195+ * memory at security_bprm_alloc().
196+ */
197+ bprm->security = (void *) &ccs_bprm_security;
198+ return 0;
199+}
200+
201+/**
202+ * ccs_bprm_free_security - Release memory for "struct linux_binprm".
203+ *
204+ * @bprm: Pointer to "struct linux_binprm".
205+ *
206+ * Returns nothing.
207+ */
208+static void ccs_bprm_free_security(struct linux_binprm *bprm)
209+{
210+ /*
211+ * If do_execve() succeeded, bprm->security will be updated to NULL at
212+ * security_bprm_compute_creds()/security_bprm_apply_creds() if
213+ * bprm->security was set to &ccs_bprm_security at
214+ * security_bprm_alloc().
215+ *
216+ * If do_execve() failed, bprm->security remains at &ccs_bprm_security
217+ * if bprm->security was set to &ccs_bprm_security at
218+ * security_bprm_alloc().
219+ *
220+ * And do_execve() does not call security_bprm_free() if do_execve()
221+ * failed and bprm->security == NULL. Therefore, do not call
222+ * original_security_ops.bprm_free_security() if bprm->security remains
223+ * at &ccs_bprm_security .
224+ */
225+ if (bprm->security != &ccs_bprm_security) {
226+ while (!original_security_ops.bprm_free_security)
227+ smp_rmb();
228+ original_security_ops.bprm_free_security(bprm);
229+ }
230+ /*
231+ * If do_execve() succeeded,
232+ * ccs_clear_execve(0, ccs_current_security());
233+ * is called before calling below one.
234+ * Thus, below call becomes no-op if do_execve() succeeded.
235+ */
236+ ccs_clear_execve(-1, ccs_current_security());
237+}
238+
239+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 6)
240+
241+/**
242+ * ccs_bprm_compute_creds - A hook which is called when do_execve() succeeded.
243+ *
244+ * @bprm: Pointer to "struct linux_binprm".
245+ *
246+ * Returns nothing.
247+ */
248+static void ccs_bprm_compute_creds(struct linux_binprm *bprm)
249+{
250+ if (bprm->security == &ccs_bprm_security)
251+ bprm->security = NULL;
252+ while (!original_security_ops.bprm_compute_creds)
253+ smp_rmb();
254+ original_security_ops.bprm_compute_creds(bprm);
255+ ccs_clear_execve(0, ccs_current_security());
256+}
257+
258+#else
259+
260+/**
261+ * ccs_bprm_apply_creds - A hook which is called when do_execve() succeeded.
262+ *
263+ * @bprm: Pointer to "struct linux_binprm".
264+ * @unsafe: Unsafe flag.
265+ *
266+ * Returns nothing.
267+ */
268+static void ccs_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
269+{
270+ if (bprm->security == &ccs_bprm_security)
271+ bprm->security = NULL;
272+ while (!original_security_ops.bprm_apply_creds)
273+ smp_rmb();
274+ original_security_ops.bprm_apply_creds(bprm, unsafe);
275+ ccs_clear_execve(0, ccs_current_security());
276+}
277+
278+#endif
279+
280+/**
281+ * ccs_bprm_check_security - Check permission for execve().
282+ *
283+ * @bprm: Pointer to "struct linux_binprm".
284+ *
285+ * Returns 0 on success, negative value otherwise.
286+ */
287+static int ccs_bprm_check_security(struct linux_binprm *bprm)
288+{
289+ struct ccs_security *security = ccs_current_security();
290+ if (security == &ccs_default_security || security == &ccs_oom_security)
291+ return -ENOMEM;
292+ if (!security->ee) {
293+ int rc;
294+#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER
295+ if (!ccs_policy_loaded)
296+ ccs_load_policy(bprm->filename);
297+#endif
298+ rc = ccs_start_execve(bprm, &security->ee);
299+ if (rc)
300+ return rc;
301+ }
302+ while (!original_security_ops.bprm_check_security)
303+ smp_rmb();
304+ return original_security_ops.bprm_check_security(bprm);
305+}
306+
307+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
308+
309+/**
310+ * ccs_open - Check permission for open().
311+ *
312+ * @f: Pointer to "struct file".
313+ *
314+ * Returns 0 on success, negative value otherwise.
315+ */
316+static int ccs_open(struct file *f)
317+{
318+ return ccs_open_permission(f->f_path.dentry, f->f_path.mnt,
319+ f->f_flags + 1);
320+}
321+
322+#endif
323+
324+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
325+
326+/**
327+ * ccs_dentry_open - Check permission for open().
328+ *
329+ * @f: Pointer to "struct file".
330+ *
331+ * Returns 0 on success, negative value otherwise.
332+ */
333+static int ccs_dentry_open(struct file *f)
334+{
335+ int rc = ccs_open(f);
336+ if (rc)
337+ return rc;
338+ while (!original_security_ops.dentry_open)
339+ smp_rmb();
340+ return original_security_ops.dentry_open(f);
341+}
342+
343+#else
344+
345+/**
346+ * ccs_open - Check permission for open().
347+ *
348+ * @inode: Pointer to "struct inode".
349+ * @mask: Open mode.
350+ * @nd: Pointer to "struct nameidata".
351+ *
352+ * Returns 0 on success, negative value otherwise.
353+ */
354+static int ccs_open(struct inode *inode, int mask, struct nameidata *nd)
355+{
356+ int flags;
357+ if (!nd || !nd->dentry)
358+ return 0;
359+ /* open_exec() passes MAY_EXEC . */
360+ if (mask == MAY_EXEC && inode && S_ISREG(inode->i_mode) &&
361+ (ccs_current_flags() & CCS_TASK_IS_IN_EXECVE))
362+ mask = MAY_READ;
363+ /*
364+ * This flags value is passed to ACC_MODE().
365+ * ccs_open_permission() for older versions uses old ACC_MODE().
366+ */
367+ switch (mask & (MAY_READ | MAY_WRITE)) {
368+ case MAY_READ:
369+ flags = 01;
370+ break;
371+ case MAY_WRITE:
372+ flags = 02;
373+ break;
374+ case MAY_READ | MAY_WRITE:
375+ flags = 03;
376+ break;
377+ default:
378+ return 0;
379+ }
380+ return ccs_open_permission(nd->dentry, nd->mnt, flags);
381+}
382+
383+/**
384+ * ccs_inode_permission - Check permission for open().
385+ *
386+ * @inode: Pointer to "struct inode".
387+ * @mask: Open mode.
388+ * @nd: Pointer to "struct nameidata".
389+ *
390+ * Returns 0 on success, negative value otherwise.
391+ *
392+ * Note that this hook is called from permission(), and may not be called for
393+ * open(). Maybe it is better to use security_file_permission().
394+ */
395+static int ccs_inode_permission(struct inode *inode, int mask,
396+ struct nameidata *nd)
397+{
398+ int rc = ccs_open(inode, mask, nd);
399+ if (rc)
400+ return rc;
401+ while (!original_security_ops.inode_permission)
402+ smp_rmb();
403+ return original_security_ops.inode_permission(inode, mask, nd);
404+}
405+
406+#endif
407+
408+/**
409+ * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate().
410+ *
411+ * @dentry: Pointer to "struct dentry".
412+ * @mnt: Pointer to "struct vfsmount". Maybe NULL.
413+ * @attr: Pointer to "struct iattr".
414+ *
415+ * Returns 0 on success, negative value otherwise.
416+ */
417+static int ccs_inode_setattr(struct dentry *dentry, struct vfsmount *mnt,
418+ struct iattr *attr)
419+{
420+ int rc = 0;
421+ if (attr->ia_valid & ATTR_UID)
422+ rc = ccs_chown_permission(dentry, mnt, attr->ia_uid, -1);
423+ if (!rc && (attr->ia_valid & ATTR_GID))
424+ rc = ccs_chown_permission(dentry, mnt, -1, attr->ia_gid);
425+ if (!rc && (attr->ia_valid & ATTR_MODE))
426+ rc = ccs_chmod_permission(dentry, mnt, attr->ia_mode);
427+ if (!rc && (attr->ia_valid & ATTR_SIZE))
428+ rc = ccs_truncate_permission(dentry, mnt);
429+ if (rc)
430+ return rc;
431+ while (!original_security_ops.inode_setattr)
432+ smp_rmb();
433+ return original_security_ops.inode_setattr(dentry, mnt, attr);
434+}
435+
436+/**
437+ * ccs_inode_getattr - Check permission for stat().
438+ *
439+ * @mnt: Pointer to "struct vfsmount".
440+ * @dentry: Pointer to "struct dentry".
441+ *
442+ * Returns 0 on success, negative value otherwise.
443+ */
444+static int ccs_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
445+{
446+ int rc = ccs_getattr_permission(mnt, dentry);
447+ if (rc)
448+ return rc;
449+ while (!original_security_ops.inode_getattr)
450+ smp_rmb();
451+ return original_security_ops.inode_getattr(mnt, dentry);
452+}
453+
454+/**
455+ * ccs_inode_mknod - Check permission for mknod().
456+ *
457+ * @dir: Pointer to "struct inode".
458+ * @dentry: Pointer to "struct dentry".
459+ * @mnt: Pointer to "struct vfsmount". Maybe NULL.
460+ * @mode: Create mode.
461+ * @dev: Device major/minor number.
462+ *
463+ * Returns 0 on success, negative value otherwise.
464+ */
465+static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry,
466+ struct vfsmount *mnt, int mode, dev_t dev)
467+{
468+ int rc = ccs_mknod_permission(dentry, mnt, mode, dev);
469+ if (rc)
470+ return rc;
471+ while (!original_security_ops.inode_mknod)
472+ smp_rmb();
473+ return original_security_ops.inode_mknod(dir, dentry, mnt, mode, dev);
474+}
475+
476+/**
477+ * ccs_inode_mkdir - Check permission for mkdir().
478+ *
479+ * @dir: Pointer to "struct inode".
480+ * @dentry: Pointer to "struct dentry".
481+ * @mnt: Pointer to "struct vfsmount". Maybe NULL.
482+ * @mode: Create mode.
483+ *
484+ * Returns 0 on success, negative value otherwise.
485+ */
486+static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry,
487+ struct vfsmount *mnt, int mode)
488+{
489+ int rc = ccs_mkdir_permission(dentry, mnt, mode);
490+ if (rc)
491+ return rc;
492+ while (!original_security_ops.inode_mkdir)
493+ smp_rmb();
494+ return original_security_ops.inode_mkdir(dir, dentry, mnt, mode);
495+}
496+
497+/**
498+ * ccs_inode_rmdir - Check permission for rmdir().
499+ *
500+ * @dir: Pointer to "struct inode".
501+ * @dentry: Pointer to "struct dentry".
502+ * @mnt: Pointer to "struct vfsmount". Maybe NULL.
503+ *
504+ * Returns 0 on success, negative value otherwise.
505+ */
506+static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry,
507+ struct vfsmount *mnt)
508+{
509+ int rc = ccs_rmdir_permission(dentry, mnt);
510+ if (rc)
511+ return rc;
512+ while (!original_security_ops.inode_rmdir)
513+ smp_rmb();
514+ return original_security_ops.inode_rmdir(dir, dentry, mnt);
515+}
516+
517+/**
518+ * ccs_inode_unlink - Check permission for unlink().
519+ *
520+ * @dir: Pointer to "struct inode".
521+ * @dentry: Pointer to "struct dentry".
522+ * @mnt: Pointer to "struct vfsmount". Maybe NULL.
523+ *
524+ * Returns 0 on success, negative value otherwise.
525+ */
526+static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry,
527+ struct vfsmount *mnt)
528+{
529+ int rc = ccs_unlink_permission(dentry, mnt);
530+ if (rc)
531+ return rc;
532+ while (!original_security_ops.inode_unlink)
533+ smp_rmb();
534+ return original_security_ops.inode_unlink(dir, dentry, mnt);
535+}
536+
537+/**
538+ * ccs_inode_symlink - Check permission for symlink().
539+ *
540+ * @dir: Pointer to "struct inode".
541+ * @dentry: Pointer to "struct dentry".
542+ * @mnt: Pointer to "struct vfsmount". Maybe NULL.
543+ * @old_name: Content of symbolic link.
544+ *
545+ * Returns 0 on success, negative value otherwise.
546+ */
547+static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry,
548+ struct vfsmount *mnt, const char *old_name)
549+{
550+ int rc = ccs_symlink_permission(dentry, mnt, old_name);
551+ if (rc)
552+ return rc;
553+ while (!original_security_ops.inode_symlink)
554+ smp_rmb();
555+ return original_security_ops.inode_symlink(dir, dentry, mnt, old_name);
556+}
557+
558+/**
559+ * ccs_inode_rename - Check permission for rename().
560+ *
561+ * @old_dir: Pointer to "struct inode".
562+ * @old_dentry: Pointer to "struct dentry".
563+ * @old_mnt: Pointer to "struct vfsmount". Maybe NULL.
564+ * @new_dir: Pointer to "struct inode".
565+ * @new_dentry: Pointer to "struct dentry".
566+ * @new_mnt: Pointer to "struct vfsmount". Maybe NULL.
567+ *
568+ * Returns 0 on success, negative value otherwise.
569+ */
570+static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
571+ struct vfsmount *old_mnt, struct inode *new_dir,
572+ struct dentry *new_dentry,
573+ struct vfsmount *new_mnt)
574+{
575+ int rc = ccs_rename_permission(old_dentry, new_dentry, new_mnt);
576+ if (rc)
577+ return rc;
578+ while (!original_security_ops.inode_rename)
579+ smp_rmb();
580+ return original_security_ops.inode_rename(old_dir, old_dentry, old_mnt,
581+ new_dir, new_dentry,
582+ new_mnt);
583+}
584+
585+/**
586+ * ccs_inode_link - Check permission for link().
587+ *
588+ * @old_dentry: Pointer to "struct dentry".
589+ * @old_mnt: Pointer to "struct vfsmount". Maybe NULL.
590+ * @dir: Pointer to "struct inode".
591+ * @new_dentry: Pointer to "struct dentry".
592+ * @new_mnt: Pointer to "struct vfsmount". Maybe NULL.
593+ *
594+ * Returns 0 on success, negative value otherwise.
595+ */
596+static int ccs_inode_link(struct dentry *old_dentry, struct vfsmount *old_mnt,
597+ struct inode *dir, struct dentry *new_dentry,
598+ struct vfsmount *new_mnt)
599+{
600+ int rc = ccs_link_permission(old_dentry, new_dentry, new_mnt);
601+ if (rc)
602+ return rc;
603+ while (!original_security_ops.inode_link)
604+ smp_rmb();
605+ return original_security_ops.inode_link(old_dentry, old_mnt, dir,
606+ new_dentry, new_mnt);
607+}
608+
609+/**
610+ * ccs_inode_create - Check permission for creat().
611+ *
612+ * @dir: Pointer to "struct inode".
613+ * @dentry: Pointer to "struct dentry".
614+ * @mnt: Pointer to "struct vfsmount". Maybe NULL.
615+ * @mode: Create mode.
616+ *
617+ * Returns 0 on success, negative value otherwise.
618+ */
619+static int ccs_inode_create(struct inode *dir, struct dentry *dentry,
620+ struct vfsmount *mnt, int mode)
621+{
622+ int rc = ccs_mknod_permission(dentry, mnt, mode, 0);
623+ if (rc)
624+ return rc;
625+ while (!original_security_ops.inode_create)
626+ smp_rmb();
627+ return original_security_ops.inode_create(dir, dentry, mnt, mode);
628+}
629+
630+#ifdef CONFIG_SECURITY_NETWORK
631+
632+#include <net/sock.h>
633+
634+/* Structure for remembering an accept()ed socket's status. */
635+struct ccs_socket_tag {
636+ struct list_head list;
637+ struct inode *inode;
638+ int status;
639+ struct rcu_head rcu;
640+};
641+
642+/*
643+ * List for managing accept()ed sockets.
644+ * Since we don't need to keep an accept()ed socket into this list after
645+ * once the permission was granted, the number of entries in this list is
646+ * likely small. Therefore, we don't use hash tables.
647+ */
648+static LIST_HEAD(ccs_accepted_socket_list);
649+/* Lock for protecting ccs_accepted_socket_list . */
650+static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock);
651+
652+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8)
653+
654+/**
655+ * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag".
656+ *
657+ * @rcu: Pointer to "struct rcu_head".
658+ *
659+ * Returns nothing.
660+ */
661+static void ccs_socket_rcu_free(struct rcu_head *rcu)
662+{
663+ struct ccs_socket_tag *ptr = container_of(rcu, typeof(*ptr), rcu);
664+ kfree(ptr);
665+}
666+
667+#else
668+
669+/**
670+ * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag".
671+ *
672+ * @arg: Pointer to "void".
673+ *
674+ * Returns nothing.
675+ */
676+static void ccs_socket_rcu_free(void *arg)
677+{
678+ struct ccs_socket_tag *ptr = arg;
679+ kfree(ptr);
680+}
681+
682+#endif
683+
684+/**
685+ * ccs_update_socket_tag - Update tag associated with accept()ed sockets.
686+ *
687+ * @inode: Pointer to "struct inode".
688+ * @status: New status.
689+ *
690+ * Returns nothing.
691+ *
692+ * If @status == 0, memory for that socket will be released after RCU grace
693+ * period.
694+ */
695+static void ccs_update_socket_tag(struct inode *inode, int status)
696+{
697+ struct ccs_socket_tag *ptr;
698+ /*
699+ * Protect whole section because multiple threads may call this
700+ * function with same "sock" via ccs_validate_socket().
701+ */
702+ spin_lock(&ccs_accepted_socket_list_lock);
703+ rcu_read_lock();
704+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
705+ if (ptr->inode != inode)
706+ continue;
707+ ptr->status = status;
708+ if (status)
709+ break;
710+ list_del_rcu(&ptr->list);
711+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8)
712+ call_rcu(&ptr->rcu, ccs_socket_rcu_free);
713+#else
714+ call_rcu(&ptr->rcu, ccs_socket_rcu_free, ptr);
715+#endif
716+ break;
717+ }
718+ rcu_read_unlock();
719+ spin_unlock(&ccs_accepted_socket_list_lock);
720+}
721+
722+/**
723+ * ccs_validate_socket - Check post accept() permission if needed.
724+ *
725+ * @sock: Pointer to "struct socket".
726+ *
727+ * Returns 0 on success, negative value otherwise.
728+ */
729+static int ccs_validate_socket(struct socket *sock)
730+{
731+ struct inode *inode = SOCK_INODE(sock);
732+ struct ccs_socket_tag *ptr;
733+ int ret = 0;
734+ rcu_read_lock();
735+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
736+ if (ptr->inode != inode)
737+ continue;
738+ ret = ptr->status;
739+ break;
740+ }
741+ rcu_read_unlock();
742+ if (ret <= 0)
743+ /*
744+ * This socket is not an accept()ed socket or this socket is
745+ * an accept()ed socket and post accept() permission is done.
746+ */
747+ return ret;
748+ /*
749+ * Check post accept() permission now.
750+ *
751+ * Strictly speaking, we need to pass both listen()ing socket and
752+ * accept()ed socket to __ccs_socket_post_accept_permission().
753+ * But since socket's family and type are same for both sockets,
754+ * passing the accept()ed socket in place for the listen()ing socket
755+ * will work.
756+ */
757+ ret = ccs_socket_post_accept_permission(sock, sock);
758+ /*
759+ * If permission was granted, we forget that this is an accept()ed
760+ * socket. Otherwise, we remember that this socket needs to return
761+ * error for subsequent socketcalls.
762+ */
763+ ccs_update_socket_tag(inode, ret);
764+ return ret;
765+}
766+
767+/**
768+ * ccs_socket_accept - Check permission for accept().
769+ *
770+ * @sock: Pointer to "struct socket".
771+ * @newsock: Pointer to "struct socket".
772+ *
773+ * Returns 0 on success, negative value otherwise.
774+ *
775+ * This hook is used for setting up environment for doing post accept()
776+ * permission check. If dereferencing sock->ops->something() were ordered by
777+ * rcu_dereference(), we could replace sock->ops with "a copy of original
778+ * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer()
779+ * in order to do post accept() permission check before returning to userspace.
780+ * If we make the copy in security_socket_post_create(), it would be possible
781+ * to safely replace sock->ops here, but we don't do so because we don't want
782+ * to allocate memory for sockets which do not call sock->ops->accept().
783+ * Therefore, we do post accept() permission check upon next socket syscalls
784+ * rather than between sock->ops->accept() and returning to userspace.
785+ * This means that if a socket was close()d before calling some socket
786+ * syscalls, post accept() permission check will not be done.
787+ */
788+static int ccs_socket_accept(struct socket *sock, struct socket *newsock)
789+{
790+ struct ccs_socket_tag *ptr;
791+ int rc = ccs_validate_socket(sock);
792+ if (rc < 0)
793+ return rc;
794+ ptr = kzalloc(sizeof(*ptr), GFP_KERNEL);
795+ if (!ptr)
796+ return -ENOMEM;
797+ while (!original_security_ops.socket_accept)
798+ smp_rmb();
799+ rc = original_security_ops.socket_accept(sock, newsock);
800+ if (rc) {
801+ kfree(ptr);
802+ return rc;
803+ }
804+ /*
805+ * Subsequent LSM hooks will receive "newsock". Therefore, I mark
806+ * "newsock" as "an accept()ed socket but post accept() permission
807+ * check is not done yet" by allocating memory using inode of the
808+ * "newsock" as a search key.
809+ */
810+ ptr->inode = SOCK_INODE(newsock);
811+ ptr->status = 1; /* Check post accept() permission later. */
812+ spin_lock(&ccs_accepted_socket_list_lock);
813+ list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list);
814+ spin_unlock(&ccs_accepted_socket_list_lock);
815+ return 0;
816+}
817+
818+/**
819+ * ccs_socket_listen - Check permission for listen().
820+ *
821+ * @sock: Pointer to "struct socket".
822+ * @backlog: Backlog parameter.
823+ *
824+ * Returns 0 on success, negative value otherwise.
825+ */
826+static int ccs_socket_listen(struct socket *sock, int backlog)
827+{
828+ int rc = ccs_validate_socket(sock);
829+ if (rc < 0)
830+ return rc;
831+ rc = ccs_socket_listen_permission(sock);
832+ if (rc)
833+ return rc;
834+ while (!original_security_ops.socket_listen)
835+ smp_rmb();
836+ return original_security_ops.socket_listen(sock, backlog);
837+}
838+
839+/**
840+ * ccs_socket_connect - Check permission for connect().
841+ *
842+ * @sock: Pointer to "struct socket".
843+ * @addr: Pointer to "struct sockaddr".
844+ * @addr_len: Size of @addr.
845+ *
846+ * Returns 0 on success, negative value otherwise.
847+ */
848+static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr,
849+ int addr_len)
850+{
851+ int rc = ccs_validate_socket(sock);
852+ if (rc < 0)
853+ return rc;
854+ rc = ccs_socket_connect_permission(sock, addr, addr_len);
855+ if (rc)
856+ return rc;
857+ while (!original_security_ops.socket_connect)
858+ smp_rmb();
859+ return original_security_ops.socket_connect(sock, addr, addr_len);
860+}
861+
862+/**
863+ * ccs_socket_bind - Check permission for bind().
864+ *
865+ * @sock: Pointer to "struct socket".
866+ * @addr: Pointer to "struct sockaddr".
867+ * @addr_len: Size of @addr.
868+ *
869+ * Returns 0 on success, negative value otherwise.
870+ */
871+static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr,
872+ int addr_len)
873+{
874+ int rc = ccs_validate_socket(sock);
875+ if (rc < 0)
876+ return rc;
877+ rc = ccs_socket_bind_permission(sock, addr, addr_len);
878+ if (rc)
879+ return rc;
880+ while (!original_security_ops.socket_bind)
881+ smp_rmb();
882+ return original_security_ops.socket_bind(sock, addr, addr_len);
883+}
884+
885+/**
886+ * ccs_socket_sendmsg - Check permission for sendmsg().
887+ *
888+ * @sock: Pointer to "struct socket".
889+ * @msg: Pointer to "struct msghdr".
890+ * @size: Size of message.
891+ *
892+ * Returns 0 on success, negative value otherwise.
893+ */
894+static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg,
895+ int size)
896+{
897+ int rc = ccs_validate_socket(sock);
898+ if (rc < 0)
899+ return rc;
900+ rc = ccs_socket_sendmsg_permission(sock, msg, size);
901+ if (rc)
902+ return rc;
903+ while (!original_security_ops.socket_sendmsg)
904+ smp_rmb();
905+ return original_security_ops.socket_sendmsg(sock, msg, size);
906+}
907+
908+/**
909+ * ccs_socket_recvmsg - Check permission for recvmsg().
910+ *
911+ * @sock: Pointer to "struct socket".
912+ * @msg: Pointer to "struct msghdr".
913+ * @size: Size of message.
914+ * @flags: Flags.
915+ *
916+ * Returns 0 on success, negative value otherwise.
917+ */
918+static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg,
919+ int size, int flags)
920+{
921+ int rc = ccs_validate_socket(sock);
922+ if (rc < 0)
923+ return rc;
924+ while (!original_security_ops.socket_recvmsg)
925+ smp_rmb();
926+ return original_security_ops.socket_recvmsg(sock, msg, size, flags);
927+}
928+
929+/**
930+ * ccs_socket_getsockname - Check permission for getsockname().
931+ *
932+ * @sock: Pointer to "struct socket".
933+ *
934+ * Returns 0 on success, negative value otherwise.
935+ */
936+static int ccs_socket_getsockname(struct socket *sock)
937+{
938+ int rc = ccs_validate_socket(sock);
939+ if (rc < 0)
940+ return rc;
941+ while (!original_security_ops.socket_getsockname)
942+ smp_rmb();
943+ return original_security_ops.socket_getsockname(sock);
944+}
945+
946+/**
947+ * ccs_socket_getpeername - Check permission for getpeername().
948+ *
949+ * @sock: Pointer to "struct socket".
950+ *
951+ * Returns 0 on success, negative value otherwise.
952+ */
953+static int ccs_socket_getpeername(struct socket *sock)
954+{
955+ int rc = ccs_validate_socket(sock);
956+ if (rc < 0)
957+ return rc;
958+ while (!original_security_ops.socket_getpeername)
959+ smp_rmb();
960+ return original_security_ops.socket_getpeername(sock);
961+}
962+
963+/**
964+ * ccs_socket_getsockopt - Check permission for getsockopt().
965+ *
966+ * @sock: Pointer to "struct socket".
967+ * @level: Level.
968+ * @optname: Option's name,
969+ *
970+ * Returns 0 on success, negative value otherwise.
971+ */
972+static int ccs_socket_getsockopt(struct socket *sock, int level, int optname)
973+{
974+ int rc = ccs_validate_socket(sock);
975+ if (rc < 0)
976+ return rc;
977+ while (!original_security_ops.socket_getsockopt)
978+ smp_rmb();
979+ return original_security_ops.socket_getsockopt(sock, level, optname);
980+}
981+
982+/**
983+ * ccs_socket_setsockopt - Check permission for setsockopt().
984+ *
985+ * @sock: Pointer to "struct socket".
986+ * @level: Level.
987+ * @optname: Option's name,
988+ *
989+ * Returns 0 on success, negative value otherwise.
990+ */
991+static int ccs_socket_setsockopt(struct socket *sock, int level, int optname)
992+{
993+ int rc = ccs_validate_socket(sock);
994+ if (rc < 0)
995+ return rc;
996+ while (!original_security_ops.socket_setsockopt)
997+ smp_rmb();
998+ return original_security_ops.socket_setsockopt(sock, level, optname);
999+}
1000+
1001+/**
1002+ * ccs_socket_shutdown - Check permission for shutdown().
1003+ *
1004+ * @sock: Pointer to "struct socket".
1005+ * @how: Shutdown mode.
1006+ *
1007+ * Returns 0 on success, negative value otherwise.
1008+ */
1009+static int ccs_socket_shutdown(struct socket *sock, int how)
1010+{
1011+ int rc = ccs_validate_socket(sock);
1012+ if (rc < 0)
1013+ return rc;
1014+ while (!original_security_ops.socket_shutdown)
1015+ smp_rmb();
1016+ return original_security_ops.socket_shutdown(sock, how);
1017+}
1018+
1019+#define SOCKFS_MAGIC 0x534F434B
1020+
1021+/**
1022+ * ccs_inode_free_security - Release memory associated with an inode.
1023+ *
1024+ * @inode: Pointer to "struct inode".
1025+ *
1026+ * Returns nothing.
1027+ *
1028+ * We use this hook for releasing memory associated with an accept()ed socket.
1029+ */
1030+static void ccs_inode_free_security(struct inode *inode)
1031+{
1032+ while (!original_security_ops.inode_free_security)
1033+ smp_rmb();
1034+ original_security_ops.inode_free_security(inode);
1035+ if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC)
1036+ ccs_update_socket_tag(inode, 0);
1037+}
1038+
1039+#endif
1040+
1041+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
1042+
1043+/**
1044+ * ccs_sb_pivotroot - Check permission for pivot_root().
1045+ *
1046+ * @old_nd: Pointer to "struct nameidata".
1047+ * @new_nd: Pointer to "struct nameidata".
1048+ *
1049+ * Returns 0 on success, negative value otherwise.
1050+ */
1051+static int ccs_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
1052+{
1053+ int rc = ccs_pivot_root_permission(old_nd, new_nd);
1054+ if (rc)
1055+ return rc;
1056+ while (!original_security_ops.sb_pivotroot)
1057+ smp_rmb();
1058+ return original_security_ops.sb_pivotroot(old_nd, new_nd);
1059+}
1060+
1061+/**
1062+ * ccs_sb_mount - Check permission for mount().
1063+ *
1064+ * @dev_name: Name of device file.
1065+ * @nd: Pointer to "struct nameidata".
1066+ * @type: Name of filesystem type. Maybe NULL.
1067+ * @flags: Mount options.
1068+ * @data_page: Optional data. Maybe NULL.
1069+ *
1070+ * Returns 0 on success, negative value otherwise.
1071+ */
1072+static int ccs_sb_mount(char *dev_name, struct nameidata *nd, char *type,
1073+ unsigned long flags, void *data_page)
1074+{
1075+ int rc = ccs_mount_permission(dev_name, nd, type, flags, data_page);
1076+ if (rc)
1077+ return rc;
1078+ while (!original_security_ops.sb_mount)
1079+ smp_rmb();
1080+ return original_security_ops.sb_mount(dev_name, nd, type, flags,
1081+ data_page);
1082+}
1083+
1084+#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 26)
1085+
1086+/**
1087+ * ccs_sb_pivotroot - Check permission for pivot_root().
1088+ *
1089+ * @old_nd: Pointer to "struct nameidata".
1090+ * @new_nd: Pointer to "struct nameidata".
1091+ *
1092+ * Returns 0 on success, negative value otherwise.
1093+ */
1094+static int ccs_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
1095+{
1096+ int rc = ccs_pivot_root_permission(&old_nd->path, &new_nd->path);
1097+ if (rc)
1098+ return rc;
1099+ while (!original_security_ops.sb_pivotroot)
1100+ smp_rmb();
1101+ return original_security_ops.sb_pivotroot(old_nd, new_nd);
1102+}
1103+
1104+/**
1105+ * ccs_sb_mount - Check permission for mount().
1106+ *
1107+ * @dev_name: Name of device file.
1108+ * @nd: Pointer to "struct nameidata".
1109+ * @type: Name of filesystem type. Maybe NULL.
1110+ * @flags: Mount options.
1111+ * @data_page: Optional data. Maybe NULL.
1112+ *
1113+ * Returns 0 on success, negative value otherwise.
1114+ */
1115+static int ccs_sb_mount(char *dev_name, struct nameidata *nd, char *type,
1116+ unsigned long flags, void *data_page)
1117+{
1118+ int rc = ccs_mount_permission(dev_name, &nd->path, type, flags,
1119+ data_page);
1120+ if (rc)
1121+ return rc;
1122+ while (!original_security_ops.sb_mount)
1123+ smp_rmb();
1124+ return original_security_ops.sb_mount(dev_name, nd, type, flags,
1125+ data_page);
1126+}
1127+
1128+#else
1129+
1130+/**
1131+ * ccs_sb_pivotroot - Check permission for pivot_root().
1132+ *
1133+ * @old_path: Pointer to "struct path".
1134+ * @new_path: Pointer to "struct path".
1135+ *
1136+ * Returns 0 on success, negative value otherwise.
1137+ */
1138+static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path)
1139+{
1140+ int rc = ccs_pivot_root_permission(old_path, new_path);
1141+ if (rc)
1142+ return rc;
1143+ while (!original_security_ops.sb_pivotroot)
1144+ smp_rmb();
1145+ return original_security_ops.sb_pivotroot(old_path, new_path);
1146+}
1147+
1148+/**
1149+ * ccs_sb_mount - Check permission for mount().
1150+ *
1151+ * @dev_name: Name of device file.
1152+ * @path: Pointer to "struct path".
1153+ * @type: Name of filesystem type. Maybe NULL.
1154+ * @flags: Mount options.
1155+ * @data_page: Optional data. Maybe NULL.
1156+ *
1157+ * Returns 0 on success, negative value otherwise.
1158+ */
1159+static int ccs_sb_mount(char *dev_name, struct path *path, char *type,
1160+ unsigned long flags, void *data_page)
1161+{
1162+ int rc = ccs_mount_permission(dev_name, path, type, flags, data_page);
1163+ if (rc)
1164+ return rc;
1165+ while (!original_security_ops.sb_mount)
1166+ smp_rmb();
1167+ return original_security_ops.sb_mount(dev_name, path, type, flags,
1168+ data_page);
1169+}
1170+
1171+#endif
1172+
1173+/**
1174+ * ccs_sb_umount - Check permission for umount().
1175+ *
1176+ * @mnt: Pointer to "struct vfsmount".
1177+ * @flags: Unmount flags.
1178+ *
1179+ * Returns 0 on success, negative value otherwise.
1180+ */
1181+static int ccs_sb_umount(struct vfsmount *mnt, int flags)
1182+{
1183+ int rc = ccs_umount_permission(mnt, flags);
1184+ if (rc)
1185+ return rc;
1186+ while (!original_security_ops.sb_umount)
1187+ smp_rmb();
1188+ return original_security_ops.sb_umount(mnt, flags);
1189+}
1190+
1191+/**
1192+ * ccs_file_fcntl - Check permission for fcntl().
1193+ *
1194+ * @file: Pointer to "struct file".
1195+ * @cmd: Command number.
1196+ * @arg: Value for @cmd.
1197+ *
1198+ * Returns 0 on success, negative value otherwise.
1199+ */
1200+static int ccs_file_fcntl(struct file *file, unsigned int cmd,
1201+ unsigned long arg)
1202+{
1203+ int rc = ccs_fcntl_permission(file, cmd, arg);
1204+ if (rc)
1205+ return rc;
1206+ while (!original_security_ops.file_fcntl)
1207+ smp_rmb();
1208+ return original_security_ops.file_fcntl(file, cmd, arg);
1209+}
1210+
1211+/**
1212+ * ccs_file_ioctl - Check permission for ioctl().
1213+ *
1214+ * @filp: Pointer to "struct file".
1215+ * @cmd: Command number.
1216+ * @arg: Value for @cmd.
1217+ *
1218+ * Returns 0 on success, negative value otherwise.
1219+ */
1220+static int ccs_file_ioctl(struct file *filp, unsigned int cmd,
1221+ unsigned long arg)
1222+{
1223+ int rc = ccs_ioctl_permission(filp, cmd, arg);
1224+ if (rc)
1225+ return rc;
1226+ while (!original_security_ops.file_ioctl)
1227+ smp_rmb();
1228+ return original_security_ops.file_ioctl(filp, cmd, arg);
1229+}
1230+
1231+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) && defined(CONFIG_SYSCTL_SYSCALL)
1232+int ccs_path_permission(struct ccs_request_info *r, u8 operation,
1233+ const struct ccs_path_info *filename);
1234+
1235+/**
1236+ * ccs_prepend - Copy of prepend() in fs/dcache.c.
1237+ *
1238+ * @buffer: Pointer to "struct char *".
1239+ * @buflen: Pointer to int which holds size of @buffer.
1240+ * @str: String to copy.
1241+ *
1242+ * Returns 0 on success, negative value otherwise.
1243+ *
1244+ * @buffer and @buflen are updated upon success.
1245+ */
1246+static int ccs_prepend(char **buffer, int *buflen, const char *str)
1247+{
1248+ int namelen = strlen(str);
1249+ if (*buflen < namelen)
1250+ return -ENOMEM;
1251+ *buflen -= namelen;
1252+ *buffer -= namelen;
1253+ memcpy(*buffer, str, namelen);
1254+ return 0;
1255+}
1256+
1257+/**
1258+ * ccs_sysctl_permission - Check permission for sysctl().
1259+ *
1260+ * @table: Pointer to "struct ctl_table".
1261+ * @op: Operation. (MAY_READ and/or MAY_WRITE)
1262+ *
1263+ * Returns 0 on success, negative value otherwise.
1264+ */
1265+static int ccs_sysctl(struct ctl_table *table, int op)
1266+{
1267+ int error;
1268+ struct ccs_path_info buf;
1269+ struct ccs_request_info r;
1270+ int buflen;
1271+ char *buffer;
1272+ int idx;
1273+ while (!original_security_ops.sysctl)
1274+ smp_rmb();
1275+ error = original_security_ops.sysctl(table, op);
1276+ if (error)
1277+ return error;
1278+ op &= MAY_READ | MAY_WRITE;
1279+ if (!op)
1280+ return 0;
1281+ buffer = NULL;
1282+ buf.name = NULL;
1283+ idx = ccs_read_lock();
1284+ if (ccs_init_request_info(&r, CCS_MAC_FILE_OPEN)
1285+ == CCS_CONFIG_DISABLED)
1286+ goto out;
1287+ error = -ENOMEM;
1288+ buflen = 4096;
1289+ buffer = kmalloc(buflen, CCS_GFP_FLAGS);
1290+ if (buffer) {
1291+ char *end = buffer + buflen;
1292+ *--end = '\0';
1293+ buflen--;
1294+ while (table) {
1295+ char num[32];
1296+ const char *sp = table->procname;
1297+ if (!sp) {
1298+ memset(num, 0, sizeof(num));
1299+ snprintf(num, sizeof(num) - 1, "=%d=",
1300+ table->ctl_name);
1301+ sp = num;
1302+ }
1303+ if (ccs_prepend(&end, &buflen, sp) ||
1304+ ccs_prepend(&end, &buflen, "/"))
1305+ goto out;
1306+ table = table->parent;
1307+ }
1308+ if (ccs_prepend(&end, &buflen, "proc:/sys"))
1309+ goto out;
1310+ buf.name = ccs_encode(end);
1311+ }
1312+ if (buf.name) {
1313+ ccs_fill_path_info(&buf);
1314+ if (op & MAY_READ)
1315+ error = ccs_path_permission(&r, CCS_TYPE_READ, &buf);
1316+ else
1317+ error = 0;
1318+ if (!error && (op & MAY_WRITE))
1319+ error = ccs_path_permission(&r, CCS_TYPE_WRITE, &buf);
1320+ }
1321+out:
1322+ ccs_read_unlock(idx);
1323+ kfree(buf.name);
1324+ kfree(buffer);
1325+ return error;
1326+}
1327+
1328+#endif
1329+
1330+/*
1331+ * Why not to copy all operations by "original_security_ops = *ops" ?
1332+ * Because copying byte array is not atomic. Reader checks
1333+ * original_security_ops.op != NULL before doing original_security_ops.op().
1334+ * Thus, modifying original_security_ops.op has to be atomic.
1335+ */
1336+#define swap_security_ops(op) \
1337+ original_security_ops.op = ops->op; smp_wmb(); ops->op = ccs_##op;
1338+
1339+/**
1340+ * ccs_update_security_ops - Overwrite original "struct security_operations".
1341+ *
1342+ * @ops: Pointer to "struct security_operations".
1343+ *
1344+ * Returns nothing.
1345+ */
1346+static void __init ccs_update_security_ops(struct security_operations *ops)
1347+{
1348+ /* Security context allocator. */
1349+ swap_security_ops(task_alloc_security);
1350+ swap_security_ops(task_free_security);
1351+ swap_security_ops(bprm_alloc_security);
1352+ swap_security_ops(bprm_free_security);
1353+ /* Security context updater for successful execve(). */
1354+ swap_security_ops(bprm_check_security);
1355+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 6)
1356+ swap_security_ops(bprm_compute_creds);
1357+#else
1358+ swap_security_ops(bprm_apply_creds);
1359+#endif
1360+ /* Various permission checker. */
1361+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1362+ swap_security_ops(dentry_open);
1363+#else
1364+ swap_security_ops(inode_permission);
1365+#endif
1366+ swap_security_ops(file_fcntl);
1367+ swap_security_ops(file_ioctl);
1368+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) && defined(CONFIG_SYSCTL_SYSCALL)
1369+ swap_security_ops(sysctl);
1370+#endif
1371+ swap_security_ops(sb_pivotroot);
1372+ swap_security_ops(sb_mount);
1373+ swap_security_ops(sb_umount);
1374+ swap_security_ops(inode_mknod);
1375+ swap_security_ops(inode_mkdir);
1376+ swap_security_ops(inode_rmdir);
1377+ swap_security_ops(inode_unlink);
1378+ swap_security_ops(inode_symlink);
1379+ swap_security_ops(inode_rename);
1380+ swap_security_ops(inode_link);
1381+ swap_security_ops(inode_create);
1382+ swap_security_ops(inode_setattr);
1383+ swap_security_ops(inode_getattr);
1384+#ifdef CONFIG_SECURITY_NETWORK
1385+ swap_security_ops(socket_bind);
1386+ swap_security_ops(socket_connect);
1387+ swap_security_ops(socket_listen);
1388+ swap_security_ops(socket_sendmsg);
1389+ swap_security_ops(socket_recvmsg);
1390+ swap_security_ops(socket_getsockname);
1391+ swap_security_ops(socket_getpeername);
1392+ swap_security_ops(socket_getsockopt);
1393+ swap_security_ops(socket_setsockopt);
1394+ swap_security_ops(socket_shutdown);
1395+ swap_security_ops(socket_accept);
1396+ swap_security_ops(inode_free_security);
1397+#endif
1398+}
1399+
1400+#undef swap_security_ops
1401+
1402+/**
1403+ * ccs_init - Initialize this module.
1404+ *
1405+ * Returns 0 on success, negative value otherwise.
1406+ */
1407+static int __init ccs_init(void)
1408+{
1409+ struct security_operations *ops = probe_security_ops();
1410+ if (!ops)
1411+ goto out;
1412+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1413+ ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid();
1414+ if (!ccsecurity_exports.find_task_by_vpid)
1415+ goto out;
1416+ ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns();
1417+ if (!ccsecurity_exports.find_task_by_pid_ns)
1418+ goto out;
1419+#endif
1420+ ccsecurity_exports.vfsmount_lock = probe_vfsmount_lock();
1421+ if (!ccsecurity_exports.vfsmount_lock)
1422+ goto out;
1423+ ccs_main_init();
1424+ ccs_update_security_ops(ops);
1425+ printk(KERN_INFO "AKARI: 1.0.38 2018/04/01\n");
1426+ printk(KERN_INFO
1427+ "Access Keeping And Regulating Instrument registered.\n");
1428+ return 0;
1429+out:
1430+ return -EINVAL;
1431+}
1432+
1433+module_init(ccs_init);
1434+MODULE_LICENSE("GPL");
1435+
1436+/**
1437+ * ccs_used_by_cred - Check whether the given domain is in use or not.
1438+ *
1439+ * @domain: Pointer to "struct ccs_domain_info".
1440+ *
1441+ * Returns true if @domain is in use, false otherwise.
1442+ *
1443+ * Caller holds rcu_read_lock().
1444+ */
1445+bool ccs_used_by_cred(const struct ccs_domain_info *domain)
1446+{
1447+ return false;
1448+}
1449+
1450+/**
1451+ * ccs_add_task_security - Add "struct ccs_security" to list.
1452+ *
1453+ * @ptr: Pointer to "struct ccs_security".
1454+ * @list: Pointer to "struct list_head".
1455+ *
1456+ * Returns nothing.
1457+ */
1458+static void ccs_add_task_security(struct ccs_security *ptr,
1459+ struct list_head *list)
1460+{
1461+ unsigned long flags;
1462+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
1463+ list_add_rcu(&ptr->list, list);
1464+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
1465+}
1466+
1467+/**
1468+ * __ccs_alloc_task_security - Allocate memory for new tasks.
1469+ *
1470+ * @task: Pointer to "struct task_struct".
1471+ *
1472+ * Returns 0 on success, negative value otherwise.
1473+ */
1474+static int __ccs_alloc_task_security(const struct task_struct *task)
1475+{
1476+ struct ccs_security *old_security = ccs_current_security();
1477+ struct ccs_security *new_security = kzalloc(sizeof(*new_security),
1478+ GFP_KERNEL);
1479+ struct list_head *list = &ccs_task_security_list
1480+ [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)];
1481+ if (!new_security)
1482+ return -ENOMEM;
1483+ new_security->task = task;
1484+ new_security->ccs_domain_info = old_security->ccs_domain_info;
1485+ new_security->ccs_flags = old_security->ccs_flags;
1486+ ccs_add_task_security(new_security, list);
1487+ return 0;
1488+}
1489+
1490+/**
1491+ * ccs_find_task_security - Find "struct ccs_security" for given task.
1492+ *
1493+ * @task: Pointer to "struct task_struct".
1494+ *
1495+ * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on
1496+ * out of memory, &ccs_default_security otherwise.
1497+ *
1498+ * If @task is current thread and "struct ccs_security" for current thread was
1499+ * not found, I try to allocate it. But if allocation failed, current thread
1500+ * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL
1501+ * won't work.
1502+ */
1503+struct ccs_security *ccs_find_task_security(const struct task_struct *task)
1504+{
1505+ struct ccs_security *ptr;
1506+ struct list_head *list = &ccs_task_security_list
1507+ [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)];
1508+ /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */
1509+ while (!list->next)
1510+ smp_rmb();
1511+ rcu_read_lock();
1512+ list_for_each_entry_rcu(ptr, list, list) {
1513+ if (ptr->task != task)
1514+ continue;
1515+ rcu_read_unlock();
1516+ return ptr;
1517+ }
1518+ rcu_read_unlock();
1519+ if (task != current)
1520+ return &ccs_default_security;
1521+ /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */
1522+ ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC);
1523+ if (!ptr) {
1524+ printk(KERN_WARNING "Unable to allocate memory for pid=%u\n",
1525+ task->pid);
1526+ send_sig(SIGKILL, current, 0);
1527+ return &ccs_oom_security;
1528+ }
1529+ *ptr = ccs_default_security;
1530+ ptr->task = task;
1531+ ccs_add_task_security(ptr, list);
1532+ return ptr;
1533+}
1534+
1535+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8)
1536+
1537+/**
1538+ * ccs_rcu_free - RCU callback for releasing "struct ccs_security".
1539+ *
1540+ * @rcu: Pointer to "struct rcu_head".
1541+ *
1542+ * Returns nothing.
1543+ */
1544+static void ccs_rcu_free(struct rcu_head *rcu)
1545+{
1546+ struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu);
1547+ kfree(ptr);
1548+}
1549+
1550+#else
1551+
1552+/**
1553+ * ccs_rcu_free - RCU callback for releasing "struct ccs_security".
1554+ *
1555+ * @arg: Pointer to "void".
1556+ *
1557+ * Returns nothing.
1558+ */
1559+static void ccs_rcu_free(void *arg)
1560+{
1561+ struct ccs_security *ptr = arg;
1562+ kfree(ptr);
1563+}
1564+
1565+#endif
1566+
1567+/**
1568+ * __ccs_free_task_security - Release memory associated with "struct task_struct".
1569+ *
1570+ * @task: Pointer to "struct task_struct".
1571+ *
1572+ * Returns nothing.
1573+ */
1574+static void __ccs_free_task_security(const struct task_struct *task)
1575+{
1576+ unsigned long flags;
1577+ struct ccs_security *ptr = ccs_find_task_security(task);
1578+ if (ptr == &ccs_default_security || ptr == &ccs_oom_security)
1579+ return;
1580+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
1581+ list_del_rcu(&ptr->list);
1582+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
1583+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8)
1584+ call_rcu(&ptr->rcu, ccs_rcu_free);
1585+#else
1586+ call_rcu(&ptr->rcu, ccs_rcu_free, ptr);
1587+#endif
1588+}
--- tags/patches/1.0.38/lsm-2.6.0.c (nonexistent)
+++ tags/patches/1.0.38/lsm-2.6.0.c (revision 589)
@@ -0,0 +1,1568 @@
1+/*
2+ * lsm.c
3+ *
4+ * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
5+ *
6+ * Version: 1.0.38 2018/04/01
7+ */
8+
9+#include "internal.h"
10+#include "probe.h"
11+
12+/* Prototype definition. */
13+
14+static int __ccs_alloc_task_security(const struct task_struct *task);
15+static void __ccs_free_task_security(const struct task_struct *task);
16+
17+/* Dummy security context for avoiding NULL pointer dereference. */
18+static struct ccs_security ccs_oom_security = {
19+ .ccs_domain_info = &ccs_kernel_domain
20+};
21+
22+/* Dummy security context for avoiding NULL pointer dereference. */
23+static struct ccs_security ccs_default_security = {
24+ .ccs_domain_info = &ccs_kernel_domain
25+};
26+
27+/* List of "struct ccs_security". */
28+struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
29+/* Lock for protecting ccs_task_security_list[]. */
30+static DEFINE_SPINLOCK(ccs_task_security_list_lock);
31+
32+/* Dummy marker for calling security_bprm_free(). */
33+static const unsigned long ccs_bprm_security;
34+
35+/* For exporting variables and functions. */
36+struct ccsecurity_exports ccsecurity_exports;
37+/* Members are updated by loadable kernel module. */
38+struct ccsecurity_operations ccsecurity_ops;
39+
40+/* Function pointers originally registered by register_security(). */
41+static struct security_operations original_security_ops /* = *security_ops; */;
42+
43+#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT
44+
45+/**
46+ * ccs_update_ee_counter - Update "struct ccs_execve" counter.
47+ *
48+ * @count: Count to increment or decrement.
49+ *
50+ * Returns updated counter.
51+ */
52+static unsigned int ccs_update_ee_counter(int count)
53+{
54+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 10) || defined(atomic_add_return)
55+ /* Debug counter for detecting "struct ccs_execve" memory leak. */
56+ static atomic_t ccs_ee_counter = ATOMIC_INIT(0);
57+ return atomic_add_return(count, &ccs_ee_counter);
58+#else
59+ static DEFINE_SPINLOCK(ccs_ee_lock);
60+ static unsigned int ccs_ee_counter;
61+ unsigned long flags;
62+ spin_lock_irqsave(&ccs_ee_lock, flags);
63+ ccs_ee_counter += count;
64+ count = ccs_ee_counter;
65+ spin_unlock_irqrestore(&ccs_ee_lock, flags);
66+ return count;
67+#endif
68+}
69+
70+/**
71+ * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve".
72+ *
73+ * @ee: Pointer to "struct ccs_execve".
74+ *
75+ * Returns nothing.
76+ */
77+void ccs_audit_alloc_execve(const struct ccs_execve * const ee)
78+{
79+ printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee,
80+ current->pid, ccs_update_ee_counter(1) - 1);
81+}
82+
83+/**
84+ * ccs_audit_free_execve - Audit release of "struct ccs_execve".
85+ *
86+ * @ee: Pointer to "struct ccs_execve".
87+ * @task: True if released by current task, false otherwise.
88+ *
89+ * Returns nothing.
90+ */
91+void ccs_audit_free_execve(const struct ccs_execve * const ee,
92+ const bool is_current)
93+{
94+ const unsigned int tmp = ccs_update_ee_counter(-1);
95+ if (is_current)
96+ printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n",
97+ ee, current->pid, tmp);
98+ else
99+ printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n",
100+ ee, tmp);
101+}
102+
103+#endif
104+
105+#if !defined(CONFIG_AKARI_DEBUG)
106+#define ccs_debug_trace(pos) do { } while (0)
107+#else
108+#define ccs_debug_trace(pos) \
109+ do { \
110+ static bool done; \
111+ if (!done) { \
112+ printk(KERN_INFO \
113+ "AKARI: Debug trace: " pos " of 4\n"); \
114+ done = true; \
115+ } \
116+ } while (0)
117+#endif
118+
119+/**
120+ * ccs_clear_execve - Release memory used by do_execve().
121+ *
122+ * @ret: 0 if do_execve() succeeded, negative value otherwise.
123+ * @security: Pointer to "struct ccs_security".
124+ *
125+ * Returns nothing.
126+ */
127+static void ccs_clear_execve(int ret, struct ccs_security *security)
128+{
129+ struct ccs_execve *ee;
130+ if (security == &ccs_default_security || security == &ccs_oom_security)
131+ return;
132+ ee = security->ee;
133+ security->ee = NULL;
134+ if (!ee)
135+ return;
136+ ccs_finish_execve(ret, ee);
137+}
138+
139+/**
140+ * ccs_task_alloc_security - Allocate memory for new tasks.
141+ *
142+ * @p: Pointer to "struct task_struct".
143+ *
144+ * Returns 0 on success, negative value otherwise.
145+ */
146+static int ccs_task_alloc_security(struct task_struct *p)
147+{
148+ int rc = __ccs_alloc_task_security(p);
149+ if (rc)
150+ return rc;
151+ while (!original_security_ops.task_alloc_security)
152+ smp_rmb();
153+ rc = original_security_ops.task_alloc_security(p);
154+ if (rc)
155+ __ccs_free_task_security(p);
156+ return rc;
157+}
158+
159+/**
160+ * ccs_task_free_security - Release memory for "struct task_struct".
161+ *
162+ * @p: Pointer to "struct task_struct".
163+ *
164+ * Returns nothing.
165+ */
166+static void ccs_task_free_security(struct task_struct *p)
167+{
168+ while (!original_security_ops.task_free_security)
169+ smp_rmb();
170+ original_security_ops.task_free_security(p);
171+ __ccs_free_task_security(p);
172+}
173+
174+/**
175+ * ccs_bprm_alloc_security - Allocate memory for "struct linux_binprm".
176+ *
177+ * @bprm: Pointer to "struct linux_binprm".
178+ *
179+ * Returns 0 on success, negative value otherwise.
180+ */
181+static int ccs_bprm_alloc_security(struct linux_binprm *bprm)
182+{
183+ int rc;
184+ while (!original_security_ops.bprm_alloc_security)
185+ smp_rmb();
186+ rc = original_security_ops.bprm_alloc_security(bprm);
187+ if (bprm->security || rc)
188+ return rc;
189+ /*
190+ * Update bprm->security to &ccs_bprm_security so that
191+ * security_bprm_free() is called even if do_execve() failed at
192+ * search_binary_handler() without allocating memory at
193+ * security_bprm_alloc(). This trick assumes that active LSM module
194+ * does not access bprm->security if that module did not allocate
195+ * memory at security_bprm_alloc().
196+ */
197+ bprm->security = (void *) &ccs_bprm_security;
198+ return 0;
199+}
200+
201+/**
202+ * ccs_bprm_free_security - Release memory for "struct linux_binprm".
203+ *
204+ * @bprm: Pointer to "struct linux_binprm".
205+ *
206+ * Returns nothing.
207+ */
208+static void ccs_bprm_free_security(struct linux_binprm *bprm)
209+{
210+ /*
211+ * If do_execve() succeeded, bprm->security will be updated to NULL at
212+ * security_bprm_compute_creds()/security_bprm_apply_creds() if
213+ * bprm->security was set to &ccs_bprm_security at
214+ * security_bprm_alloc().
215+ *
216+ * If do_execve() failed, bprm->security remains at &ccs_bprm_security
217+ * if bprm->security was set to &ccs_bprm_security at
218+ * security_bprm_alloc().
219+ *
220+ * And do_execve() does not call security_bprm_free() if do_execve()
221+ * failed and bprm->security == NULL. Therefore, do not call
222+ * original_security_ops.bprm_free_security() if bprm->security remains
223+ * at &ccs_bprm_security .
224+ */
225+ if (bprm->security != &ccs_bprm_security) {
226+ while (!original_security_ops.bprm_free_security)
227+ smp_rmb();
228+ original_security_ops.bprm_free_security(bprm);
229+ }
230+ /*
231+ * If do_execve() succeeded,
232+ * ccs_clear_execve(0, ccs_current_security());
233+ * is called before calling below one.
234+ * Thus, below call becomes no-op if do_execve() succeeded.
235+ */
236+ ccs_clear_execve(-1, ccs_current_security());
237+}
238+
239+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 6)
240+
241+/**
242+ * ccs_bprm_compute_creds - A hook which is called when do_execve() succeeded.
243+ *
244+ * @bprm: Pointer to "struct linux_binprm".
245+ *
246+ * Returns nothing.
247+ */
248+static void ccs_bprm_compute_creds(struct linux_binprm *bprm)
249+{
250+ if (bprm->security == &ccs_bprm_security)
251+ bprm->security = NULL;
252+ while (!original_security_ops.bprm_compute_creds)
253+ smp_rmb();
254+ original_security_ops.bprm_compute_creds(bprm);
255+ ccs_clear_execve(0, ccs_current_security());
256+}
257+
258+#else
259+
260+/**
261+ * ccs_bprm_apply_creds - A hook which is called when do_execve() succeeded.
262+ *
263+ * @bprm: Pointer to "struct linux_binprm".
264+ * @unsafe: Unsafe flag.
265+ *
266+ * Returns nothing.
267+ */
268+static void ccs_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
269+{
270+ if (bprm->security == &ccs_bprm_security)
271+ bprm->security = NULL;
272+ while (!original_security_ops.bprm_apply_creds)
273+ smp_rmb();
274+ original_security_ops.bprm_apply_creds(bprm, unsafe);
275+ ccs_clear_execve(0, ccs_current_security());
276+}
277+
278+#endif
279+
280+/**
281+ * ccs_bprm_check_security - Check permission for execve().
282+ *
283+ * @bprm: Pointer to "struct linux_binprm".
284+ *
285+ * Returns 0 on success, negative value otherwise.
286+ */
287+static int ccs_bprm_check_security(struct linux_binprm *bprm)
288+{
289+ struct ccs_security *security = ccs_current_security();
290+ if (security == &ccs_default_security || security == &ccs_oom_security)
291+ return -ENOMEM;
292+ if (!security->ee) {
293+ int rc;
294+#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER
295+ if (!ccs_policy_loaded)
296+ ccs_load_policy(bprm->filename);
297+#endif
298+ rc = ccs_start_execve(bprm, &security->ee);
299+ if (rc)
300+ return rc;
301+ }
302+ while (!original_security_ops.bprm_check_security)
303+ smp_rmb();
304+ return original_security_ops.bprm_check_security(bprm);
305+}
306+
307+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
308+
309+/**
310+ * ccs_open - Check permission for open().
311+ *
312+ * @f: Pointer to "struct file".
313+ *
314+ * Returns 0 on success, negative value otherwise.
315+ */
316+static int ccs_open(struct file *f)
317+{
318+ return ccs_open_permission(f->f_path.dentry, f->f_path.mnt,
319+ f->f_flags + 1);
320+}
321+
322+#endif
323+
324+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
325+
326+/**
327+ * ccs_dentry_open - Check permission for open().
328+ *
329+ * @f: Pointer to "struct file".
330+ *
331+ * Returns 0 on success, negative value otherwise.
332+ */
333+static int ccs_dentry_open(struct file *f)
334+{
335+ int rc = ccs_open(f);
336+ if (rc)
337+ return rc;
338+ while (!original_security_ops.dentry_open)
339+ smp_rmb();
340+ return original_security_ops.dentry_open(f);
341+}
342+
343+#else
344+
345+/**
346+ * ccs_open - Check permission for open().
347+ *
348+ * @inode: Pointer to "struct inode".
349+ * @mask: Open mode.
350+ * @nd: Pointer to "struct nameidata".
351+ *
352+ * Returns 0 on success, negative value otherwise.
353+ */
354+static int ccs_open(struct inode *inode, int mask, struct nameidata *nd)
355+{
356+ int flags;
357+ if (!nd || !nd->dentry)
358+ return 0;
359+ /* open_exec() passes MAY_EXEC . */
360+ if (mask == MAY_EXEC && inode && S_ISREG(inode->i_mode) &&
361+ (ccs_current_flags() & CCS_TASK_IS_IN_EXECVE))
362+ mask = MAY_READ;
363+ /*
364+ * This flags value is passed to ACC_MODE().
365+ * ccs_open_permission() for older versions uses old ACC_MODE().
366+ */
367+ switch (mask & (MAY_READ | MAY_WRITE)) {
368+ case MAY_READ:
369+ flags = 01;
370+ break;
371+ case MAY_WRITE:
372+ flags = 02;
373+ break;
374+ case MAY_READ | MAY_WRITE:
375+ flags = 03;
376+ break;
377+ default:
378+ return 0;
379+ }
380+ return ccs_open_permission(nd->dentry, nd->mnt, flags);
381+}
382+
383+/**
384+ * ccs_inode_permission - Check permission for open().
385+ *
386+ * @inode: Pointer to "struct inode".
387+ * @mask: Open mode.
388+ * @nd: Pointer to "struct nameidata".
389+ *
390+ * Returns 0 on success, negative value otherwise.
391+ *
392+ * Note that this hook is called from permission(), and may not be called for
393+ * open(). Maybe it is better to use security_file_permission().
394+ */
395+static int ccs_inode_permission(struct inode *inode, int mask,
396+ struct nameidata *nd)
397+{
398+ int rc = ccs_open(inode, mask, nd);
399+ if (rc)
400+ return rc;
401+ while (!original_security_ops.inode_permission)
402+ smp_rmb();
403+ return original_security_ops.inode_permission(inode, mask, nd);
404+}
405+
406+#endif
407+
408+/**
409+ * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate().
410+ *
411+ * @dentry: Pointer to "struct dentry".
412+ * @attr: Pointer to "struct iattr".
413+ *
414+ * Returns 0 on success, negative value otherwise.
415+ */
416+static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr)
417+{
418+ int rc = 0;
419+ if (attr->ia_valid & ATTR_UID)
420+ rc = ccs_chown_permission(dentry, NULL, attr->ia_uid, -1);
421+ if (!rc && (attr->ia_valid & ATTR_GID))
422+ rc = ccs_chown_permission(dentry, NULL, -1, attr->ia_gid);
423+ if (!rc && (attr->ia_valid & ATTR_MODE))
424+ rc = ccs_chmod_permission(dentry, NULL, attr->ia_mode);
425+ if (!rc && (attr->ia_valid & ATTR_SIZE))
426+ rc = ccs_truncate_permission(dentry, NULL);
427+ if (rc)
428+ return rc;
429+ while (!original_security_ops.inode_setattr)
430+ smp_rmb();
431+ return original_security_ops.inode_setattr(dentry, attr);
432+}
433+
434+/**
435+ * ccs_inode_getattr - Check permission for stat().
436+ *
437+ * @mnt: Pointer to "struct vfsmount".
438+ * @dentry: Pointer to "struct dentry".
439+ *
440+ * Returns 0 on success, negative value otherwise.
441+ */
442+static int ccs_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
443+{
444+ int rc = ccs_getattr_permission(mnt, dentry);
445+ if (rc)
446+ return rc;
447+ while (!original_security_ops.inode_getattr)
448+ smp_rmb();
449+ return original_security_ops.inode_getattr(mnt, dentry);
450+}
451+
452+/**
453+ * ccs_inode_mknod - Check permission for mknod().
454+ *
455+ * @dir: Pointer to "struct inode".
456+ * @dentry: Pointer to "struct dentry".
457+ * @mode: Create mode.
458+ * @dev: Device major/minor number.
459+ *
460+ * Returns 0 on success, negative value otherwise.
461+ */
462+static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry, int mode,
463+ dev_t dev)
464+{
465+ int rc = ccs_mknod_permission(dentry, NULL, mode, dev);
466+ if (rc)
467+ return rc;
468+ while (!original_security_ops.inode_mknod)
469+ smp_rmb();
470+ return original_security_ops.inode_mknod(dir, dentry, mode, dev);
471+}
472+
473+/**
474+ * ccs_inode_mkdir - Check permission for mkdir().
475+ *
476+ * @dir: Pointer to "struct inode".
477+ * @dentry: Pointer to "struct dentry".
478+ * @mode: Create mode.
479+ *
480+ * Returns 0 on success, negative value otherwise.
481+ */
482+static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode)
483+{
484+ int rc = ccs_mkdir_permission(dentry, NULL, mode);
485+ if (rc)
486+ return rc;
487+ while (!original_security_ops.inode_mkdir)
488+ smp_rmb();
489+ return original_security_ops.inode_mkdir(dir, dentry, mode);
490+}
491+
492+/**
493+ * ccs_inode_rmdir - Check permission for rmdir().
494+ *
495+ * @dir: Pointer to "struct inode".
496+ * @dentry: Pointer to "struct dentry".
497+ *
498+ * Returns 0 on success, negative value otherwise.
499+ */
500+static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry)
501+{
502+ int rc = ccs_rmdir_permission(dentry, NULL);
503+ if (rc)
504+ return rc;
505+ while (!original_security_ops.inode_rmdir)
506+ smp_rmb();
507+ return original_security_ops.inode_rmdir(dir, dentry);
508+}
509+
510+/**
511+ * ccs_inode_unlink - Check permission for unlink().
512+ *
513+ * @dir: Pointer to "struct inode".
514+ * @dentry: Pointer to "struct dentry".
515+ *
516+ * Returns 0 on success, negative value otherwise.
517+ */
518+static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry)
519+{
520+ int rc = ccs_unlink_permission(dentry, NULL);
521+ if (rc)
522+ return rc;
523+ while (!original_security_ops.inode_unlink)
524+ smp_rmb();
525+ return original_security_ops.inode_unlink(dir, dentry);
526+}
527+
528+/**
529+ * ccs_inode_symlink - Check permission for symlink().
530+ *
531+ * @dir: Pointer to "struct inode".
532+ * @dentry: Pointer to "struct dentry".
533+ * @old_name: Content of symbolic link.
534+ *
535+ * Returns 0 on success, negative value otherwise.
536+ */
537+static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry,
538+ const char *old_name)
539+{
540+ int rc = ccs_symlink_permission(dentry, NULL, old_name);
541+ if (rc)
542+ return rc;
543+ while (!original_security_ops.inode_symlink)
544+ smp_rmb();
545+ return original_security_ops.inode_symlink(dir, dentry, old_name);
546+}
547+
548+/**
549+ * ccs_inode_rename - Check permission for rename().
550+ *
551+ * @old_dir: Pointer to "struct inode".
552+ * @old_dentry: Pointer to "struct dentry".
553+ * @new_dir: Pointer to "struct inode".
554+ * @new_dentry: Pointer to "struct dentry".
555+ *
556+ * Returns 0 on success, negative value otherwise.
557+ */
558+static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
559+ struct inode *new_dir, struct dentry *new_dentry)
560+{
561+ int rc = ccs_rename_permission(old_dentry, new_dentry, NULL);
562+ if (rc)
563+ return rc;
564+ while (!original_security_ops.inode_rename)
565+ smp_rmb();
566+ return original_security_ops.inode_rename(old_dir, old_dentry, new_dir,
567+ new_dentry);
568+}
569+
570+/**
571+ * ccs_inode_link - Check permission for link().
572+ *
573+ * @old_dentry: Pointer to "struct dentry".
574+ * @dir: Pointer to "struct inode".
575+ * @new_dentry: Pointer to "struct dentry".
576+ *
577+ * Returns 0 on success, negative value otherwise.
578+ */
579+static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir,
580+ struct dentry *new_dentry)
581+{
582+ int rc = ccs_link_permission(old_dentry, new_dentry, NULL);
583+ if (rc)
584+ return rc;
585+ while (!original_security_ops.inode_link)
586+ smp_rmb();
587+ return original_security_ops.inode_link(old_dentry, dir, new_dentry);
588+}
589+
590+/**
591+ * ccs_inode_create - Check permission for creat().
592+ *
593+ * @dir: Pointer to "struct inode".
594+ * @dentry: Pointer to "struct dentry".
595+ * @mode: Create mode.
596+ *
597+ * Returns 0 on success, negative value otherwise.
598+ */
599+static int ccs_inode_create(struct inode *dir, struct dentry *dentry,
600+ int mode)
601+{
602+ int rc = ccs_mknod_permission(dentry, NULL, mode, 0);
603+ if (rc)
604+ return rc;
605+ while (!original_security_ops.inode_create)
606+ smp_rmb();
607+ return original_security_ops.inode_create(dir, dentry, mode);
608+}
609+
610+#ifdef CONFIG_SECURITY_NETWORK
611+
612+#include <net/sock.h>
613+
614+/* Structure for remembering an accept()ed socket's status. */
615+struct ccs_socket_tag {
616+ struct list_head list;
617+ struct inode *inode;
618+ int status;
619+ struct rcu_head rcu;
620+};
621+
622+/*
623+ * List for managing accept()ed sockets.
624+ * Since we don't need to keep an accept()ed socket into this list after
625+ * once the permission was granted, the number of entries in this list is
626+ * likely small. Therefore, we don't use hash tables.
627+ */
628+static LIST_HEAD(ccs_accepted_socket_list);
629+/* Lock for protecting ccs_accepted_socket_list . */
630+static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock);
631+
632+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8)
633+
634+/**
635+ * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag".
636+ *
637+ * @rcu: Pointer to "struct rcu_head".
638+ *
639+ * Returns nothing.
640+ */
641+static void ccs_socket_rcu_free(struct rcu_head *rcu)
642+{
643+ struct ccs_socket_tag *ptr = container_of(rcu, typeof(*ptr), rcu);
644+ kfree(ptr);
645+}
646+
647+#else
648+
649+/**
650+ * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag".
651+ *
652+ * @arg: Pointer to "void".
653+ *
654+ * Returns nothing.
655+ */
656+static void ccs_socket_rcu_free(void *arg)
657+{
658+ struct ccs_socket_tag *ptr = arg;
659+ kfree(ptr);
660+}
661+
662+#endif
663+
664+/**
665+ * ccs_update_socket_tag - Update tag associated with accept()ed sockets.
666+ *
667+ * @inode: Pointer to "struct inode".
668+ * @status: New status.
669+ *
670+ * Returns nothing.
671+ *
672+ * If @status == 0, memory for that socket will be released after RCU grace
673+ * period.
674+ */
675+static void ccs_update_socket_tag(struct inode *inode, int status)
676+{
677+ struct ccs_socket_tag *ptr;
678+ /*
679+ * Protect whole section because multiple threads may call this
680+ * function with same "sock" via ccs_validate_socket().
681+ */
682+ spin_lock(&ccs_accepted_socket_list_lock);
683+ rcu_read_lock();
684+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
685+ if (ptr->inode != inode)
686+ continue;
687+ ptr->status = status;
688+ if (status)
689+ break;
690+ list_del_rcu(&ptr->list);
691+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8)
692+ call_rcu(&ptr->rcu, ccs_socket_rcu_free);
693+#else
694+ call_rcu(&ptr->rcu, ccs_socket_rcu_free, ptr);
695+#endif
696+ break;
697+ }
698+ rcu_read_unlock();
699+ spin_unlock(&ccs_accepted_socket_list_lock);
700+}
701+
702+/**
703+ * ccs_validate_socket - Check post accept() permission if needed.
704+ *
705+ * @sock: Pointer to "struct socket".
706+ *
707+ * Returns 0 on success, negative value otherwise.
708+ */
709+static int ccs_validate_socket(struct socket *sock)
710+{
711+ struct inode *inode = SOCK_INODE(sock);
712+ struct ccs_socket_tag *ptr;
713+ int ret = 0;
714+ rcu_read_lock();
715+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
716+ if (ptr->inode != inode)
717+ continue;
718+ ret = ptr->status;
719+ break;
720+ }
721+ rcu_read_unlock();
722+ if (ret <= 0)
723+ /*
724+ * This socket is not an accept()ed socket or this socket is
725+ * an accept()ed socket and post accept() permission is done.
726+ */
727+ return ret;
728+ /*
729+ * Check post accept() permission now.
730+ *
731+ * Strictly speaking, we need to pass both listen()ing socket and
732+ * accept()ed socket to __ccs_socket_post_accept_permission().
733+ * But since socket's family and type are same for both sockets,
734+ * passing the accept()ed socket in place for the listen()ing socket
735+ * will work.
736+ */
737+ ret = ccs_socket_post_accept_permission(sock, sock);
738+ /*
739+ * If permission was granted, we forget that this is an accept()ed
740+ * socket. Otherwise, we remember that this socket needs to return
741+ * error for subsequent socketcalls.
742+ */
743+ ccs_update_socket_tag(inode, ret);
744+ return ret;
745+}
746+
747+/**
748+ * ccs_socket_accept - Check permission for accept().
749+ *
750+ * @sock: Pointer to "struct socket".
751+ * @newsock: Pointer to "struct socket".
752+ *
753+ * Returns 0 on success, negative value otherwise.
754+ *
755+ * This hook is used for setting up environment for doing post accept()
756+ * permission check. If dereferencing sock->ops->something() were ordered by
757+ * rcu_dereference(), we could replace sock->ops with "a copy of original
758+ * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer()
759+ * in order to do post accept() permission check before returning to userspace.
760+ * If we make the copy in security_socket_post_create(), it would be possible
761+ * to safely replace sock->ops here, but we don't do so because we don't want
762+ * to allocate memory for sockets which do not call sock->ops->accept().
763+ * Therefore, we do post accept() permission check upon next socket syscalls
764+ * rather than between sock->ops->accept() and returning to userspace.
765+ * This means that if a socket was close()d before calling some socket
766+ * syscalls, post accept() permission check will not be done.
767+ */
768+static int ccs_socket_accept(struct socket *sock, struct socket *newsock)
769+{
770+ struct ccs_socket_tag *ptr;
771+ int rc = ccs_validate_socket(sock);
772+ if (rc < 0)
773+ return rc;
774+ ptr = kzalloc(sizeof(*ptr), GFP_KERNEL);
775+ if (!ptr)
776+ return -ENOMEM;
777+ while (!original_security_ops.socket_accept)
778+ smp_rmb();
779+ rc = original_security_ops.socket_accept(sock, newsock);
780+ if (rc) {
781+ kfree(ptr);
782+ return rc;
783+ }
784+ /*
785+ * Subsequent LSM hooks will receive "newsock". Therefore, I mark
786+ * "newsock" as "an accept()ed socket but post accept() permission
787+ * check is not done yet" by allocating memory using inode of the
788+ * "newsock" as a search key.
789+ */
790+ ptr->inode = SOCK_INODE(newsock);
791+ ptr->status = 1; /* Check post accept() permission later. */
792+ spin_lock(&ccs_accepted_socket_list_lock);
793+ list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list);
794+ spin_unlock(&ccs_accepted_socket_list_lock);
795+ return 0;
796+}
797+
798+/**
799+ * ccs_socket_listen - Check permission for listen().
800+ *
801+ * @sock: Pointer to "struct socket".
802+ * @backlog: Backlog parameter.
803+ *
804+ * Returns 0 on success, negative value otherwise.
805+ */
806+static int ccs_socket_listen(struct socket *sock, int backlog)
807+{
808+ int rc = ccs_validate_socket(sock);
809+ if (rc < 0)
810+ return rc;
811+ rc = ccs_socket_listen_permission(sock);
812+ if (rc)
813+ return rc;
814+ while (!original_security_ops.socket_listen)
815+ smp_rmb();
816+ return original_security_ops.socket_listen(sock, backlog);
817+}
818+
819+/**
820+ * ccs_socket_connect - Check permission for connect().
821+ *
822+ * @sock: Pointer to "struct socket".
823+ * @addr: Pointer to "struct sockaddr".
824+ * @addr_len: Size of @addr.
825+ *
826+ * Returns 0 on success, negative value otherwise.
827+ */
828+static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr,
829+ int addr_len)
830+{
831+ int rc = ccs_validate_socket(sock);
832+ if (rc < 0)
833+ return rc;
834+ rc = ccs_socket_connect_permission(sock, addr, addr_len);
835+ if (rc)
836+ return rc;
837+ while (!original_security_ops.socket_connect)
838+ smp_rmb();
839+ return original_security_ops.socket_connect(sock, addr, addr_len);
840+}
841+
842+/**
843+ * ccs_socket_bind - Check permission for bind().
844+ *
845+ * @sock: Pointer to "struct socket".
846+ * @addr: Pointer to "struct sockaddr".
847+ * @addr_len: Size of @addr.
848+ *
849+ * Returns 0 on success, negative value otherwise.
850+ */
851+static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr,
852+ int addr_len)
853+{
854+ int rc = ccs_validate_socket(sock);
855+ if (rc < 0)
856+ return rc;
857+ rc = ccs_socket_bind_permission(sock, addr, addr_len);
858+ if (rc)
859+ return rc;
860+ while (!original_security_ops.socket_bind)
861+ smp_rmb();
862+ return original_security_ops.socket_bind(sock, addr, addr_len);
863+}
864+
865+/**
866+ * ccs_socket_sendmsg - Check permission for sendmsg().
867+ *
868+ * @sock: Pointer to "struct socket".
869+ * @msg: Pointer to "struct msghdr".
870+ * @size: Size of message.
871+ *
872+ * Returns 0 on success, negative value otherwise.
873+ */
874+static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg,
875+ int size)
876+{
877+ int rc = ccs_validate_socket(sock);
878+ if (rc < 0)
879+ return rc;
880+ rc = ccs_socket_sendmsg_permission(sock, msg, size);
881+ if (rc)
882+ return rc;
883+ while (!original_security_ops.socket_sendmsg)
884+ smp_rmb();
885+ return original_security_ops.socket_sendmsg(sock, msg, size);
886+}
887+
888+/**
889+ * ccs_socket_recvmsg - Check permission for recvmsg().
890+ *
891+ * @sock: Pointer to "struct socket".
892+ * @msg: Pointer to "struct msghdr".
893+ * @size: Size of message.
894+ * @flags: Flags.
895+ *
896+ * Returns 0 on success, negative value otherwise.
897+ */
898+static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg,
899+ int size, int flags)
900+{
901+ int rc = ccs_validate_socket(sock);
902+ if (rc < 0)
903+ return rc;
904+ while (!original_security_ops.socket_recvmsg)
905+ smp_rmb();
906+ return original_security_ops.socket_recvmsg(sock, msg, size, flags);
907+}
908+
909+/**
910+ * ccs_socket_getsockname - Check permission for getsockname().
911+ *
912+ * @sock: Pointer to "struct socket".
913+ *
914+ * Returns 0 on success, negative value otherwise.
915+ */
916+static int ccs_socket_getsockname(struct socket *sock)
917+{
918+ int rc = ccs_validate_socket(sock);
919+ if (rc < 0)
920+ return rc;
921+ while (!original_security_ops.socket_getsockname)
922+ smp_rmb();
923+ return original_security_ops.socket_getsockname(sock);
924+}
925+
926+/**
927+ * ccs_socket_getpeername - Check permission for getpeername().
928+ *
929+ * @sock: Pointer to "struct socket".
930+ *
931+ * Returns 0 on success, negative value otherwise.
932+ */
933+static int ccs_socket_getpeername(struct socket *sock)
934+{
935+ int rc = ccs_validate_socket(sock);
936+ if (rc < 0)
937+ return rc;
938+ while (!original_security_ops.socket_getpeername)
939+ smp_rmb();
940+ return original_security_ops.socket_getpeername(sock);
941+}
942+
943+/**
944+ * ccs_socket_getsockopt - Check permission for getsockopt().
945+ *
946+ * @sock: Pointer to "struct socket".
947+ * @level: Level.
948+ * @optname: Option's name,
949+ *
950+ * Returns 0 on success, negative value otherwise.
951+ */
952+static int ccs_socket_getsockopt(struct socket *sock, int level, int optname)
953+{
954+ int rc = ccs_validate_socket(sock);
955+ if (rc < 0)
956+ return rc;
957+ while (!original_security_ops.socket_getsockopt)
958+ smp_rmb();
959+ return original_security_ops.socket_getsockopt(sock, level, optname);
960+}
961+
962+/**
963+ * ccs_socket_setsockopt - Check permission for setsockopt().
964+ *
965+ * @sock: Pointer to "struct socket".
966+ * @level: Level.
967+ * @optname: Option's name,
968+ *
969+ * Returns 0 on success, negative value otherwise.
970+ */
971+static int ccs_socket_setsockopt(struct socket *sock, int level, int optname)
972+{
973+ int rc = ccs_validate_socket(sock);
974+ if (rc < 0)
975+ return rc;
976+ while (!original_security_ops.socket_setsockopt)
977+ smp_rmb();
978+ return original_security_ops.socket_setsockopt(sock, level, optname);
979+}
980+
981+/**
982+ * ccs_socket_shutdown - Check permission for shutdown().
983+ *
984+ * @sock: Pointer to "struct socket".
985+ * @how: Shutdown mode.
986+ *
987+ * Returns 0 on success, negative value otherwise.
988+ */
989+static int ccs_socket_shutdown(struct socket *sock, int how)
990+{
991+ int rc = ccs_validate_socket(sock);
992+ if (rc < 0)
993+ return rc;
994+ while (!original_security_ops.socket_shutdown)
995+ smp_rmb();
996+ return original_security_ops.socket_shutdown(sock, how);
997+}
998+
999+#define SOCKFS_MAGIC 0x534F434B
1000+
1001+/**
1002+ * ccs_inode_free_security - Release memory associated with an inode.
1003+ *
1004+ * @inode: Pointer to "struct inode".
1005+ *
1006+ * Returns nothing.
1007+ *
1008+ * We use this hook for releasing memory associated with an accept()ed socket.
1009+ */
1010+static void ccs_inode_free_security(struct inode *inode)
1011+{
1012+ while (!original_security_ops.inode_free_security)
1013+ smp_rmb();
1014+ original_security_ops.inode_free_security(inode);
1015+ if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC)
1016+ ccs_update_socket_tag(inode, 0);
1017+}
1018+
1019+#endif
1020+
1021+#if LINUX_VERSION_CODE <= KERNEL_VERSION(2, 6, 24)
1022+
1023+/**
1024+ * ccs_sb_pivotroot - Check permission for pivot_root().
1025+ *
1026+ * @old_nd: Pointer to "struct nameidata".
1027+ * @new_nd: Pointer to "struct nameidata".
1028+ *
1029+ * Returns 0 on success, negative value otherwise.
1030+ */
1031+static int ccs_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
1032+{
1033+ int rc = ccs_pivot_root_permission(old_nd, new_nd);
1034+ if (rc)
1035+ return rc;
1036+ while (!original_security_ops.sb_pivotroot)
1037+ smp_rmb();
1038+ return original_security_ops.sb_pivotroot(old_nd, new_nd);
1039+}
1040+
1041+/**
1042+ * ccs_sb_mount - Check permission for mount().
1043+ *
1044+ * @dev_name: Name of device file.
1045+ * @nd: Pointer to "struct nameidata".
1046+ * @type: Name of filesystem type. Maybe NULL.
1047+ * @flags: Mount options.
1048+ * @data_page: Optional data. Maybe NULL.
1049+ *
1050+ * Returns 0 on success, negative value otherwise.
1051+ */
1052+static int ccs_sb_mount(char *dev_name, struct nameidata *nd, char *type,
1053+ unsigned long flags, void *data_page)
1054+{
1055+ int rc = ccs_mount_permission(dev_name, nd, type, flags, data_page);
1056+ if (rc)
1057+ return rc;
1058+ while (!original_security_ops.sb_mount)
1059+ smp_rmb();
1060+ return original_security_ops.sb_mount(dev_name, nd, type, flags,
1061+ data_page);
1062+}
1063+
1064+#elif LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 26)
1065+
1066+/**
1067+ * ccs_sb_pivotroot - Check permission for pivot_root().
1068+ *
1069+ * @old_nd: Pointer to "struct nameidata".
1070+ * @new_nd: Pointer to "struct nameidata".
1071+ *
1072+ * Returns 0 on success, negative value otherwise.
1073+ */
1074+static int ccs_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd)
1075+{
1076+ int rc = ccs_pivot_root_permission(&old_nd->path, &new_nd->path);
1077+ if (rc)
1078+ return rc;
1079+ while (!original_security_ops.sb_pivotroot)
1080+ smp_rmb();
1081+ return original_security_ops.sb_pivotroot(old_nd, new_nd);
1082+}
1083+
1084+/**
1085+ * ccs_sb_mount - Check permission for mount().
1086+ *
1087+ * @dev_name: Name of device file.
1088+ * @nd: Pointer to "struct nameidata".
1089+ * @type: Name of filesystem type. Maybe NULL.
1090+ * @flags: Mount options.
1091+ * @data_page: Optional data. Maybe NULL.
1092+ *
1093+ * Returns 0 on success, negative value otherwise.
1094+ */
1095+static int ccs_sb_mount(char *dev_name, struct nameidata *nd, char *type,
1096+ unsigned long flags, void *data_page)
1097+{
1098+ int rc = ccs_mount_permission(dev_name, &nd->path, type, flags,
1099+ data_page);
1100+ if (rc)
1101+ return rc;
1102+ while (!original_security_ops.sb_mount)
1103+ smp_rmb();
1104+ return original_security_ops.sb_mount(dev_name, nd, type, flags,
1105+ data_page);
1106+}
1107+
1108+#else
1109+
1110+/**
1111+ * ccs_sb_pivotroot - Check permission for pivot_root().
1112+ *
1113+ * @old_path: Pointer to "struct path".
1114+ * @new_path: Pointer to "struct path".
1115+ *
1116+ * Returns 0 on success, negative value otherwise.
1117+ */
1118+static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path)
1119+{
1120+ int rc = ccs_pivot_root_permission(old_path, new_path);
1121+ if (rc)
1122+ return rc;
1123+ while (!original_security_ops.sb_pivotroot)
1124+ smp_rmb();
1125+ return original_security_ops.sb_pivotroot(old_path, new_path);
1126+}
1127+
1128+/**
1129+ * ccs_sb_mount - Check permission for mount().
1130+ *
1131+ * @dev_name: Name of device file.
1132+ * @path: Pointer to "struct path".
1133+ * @type: Name of filesystem type. Maybe NULL.
1134+ * @flags: Mount options.
1135+ * @data_page: Optional data. Maybe NULL.
1136+ *
1137+ * Returns 0 on success, negative value otherwise.
1138+ */
1139+static int ccs_sb_mount(char *dev_name, struct path *path, char *type,
1140+ unsigned long flags, void *data_page)
1141+{
1142+ int rc = ccs_mount_permission(dev_name, path, type, flags, data_page);
1143+ if (rc)
1144+ return rc;
1145+ while (!original_security_ops.sb_mount)
1146+ smp_rmb();
1147+ return original_security_ops.sb_mount(dev_name, path, type, flags,
1148+ data_page);
1149+}
1150+
1151+#endif
1152+
1153+/**
1154+ * ccs_sb_umount - Check permission for umount().
1155+ *
1156+ * @mnt: Pointer to "struct vfsmount".
1157+ * @flags: Unmount flags.
1158+ *
1159+ * Returns 0 on success, negative value otherwise.
1160+ */
1161+static int ccs_sb_umount(struct vfsmount *mnt, int flags)
1162+{
1163+ int rc = ccs_umount_permission(mnt, flags);
1164+ if (rc)
1165+ return rc;
1166+ while (!original_security_ops.sb_umount)
1167+ smp_rmb();
1168+ return original_security_ops.sb_umount(mnt, flags);
1169+}
1170+
1171+/**
1172+ * ccs_file_fcntl - Check permission for fcntl().
1173+ *
1174+ * @file: Pointer to "struct file".
1175+ * @cmd: Command number.
1176+ * @arg: Value for @cmd.
1177+ *
1178+ * Returns 0 on success, negative value otherwise.
1179+ */
1180+static int ccs_file_fcntl(struct file *file, unsigned int cmd,
1181+ unsigned long arg)
1182+{
1183+ int rc = ccs_fcntl_permission(file, cmd, arg);
1184+ if (rc)
1185+ return rc;
1186+ while (!original_security_ops.file_fcntl)
1187+ smp_rmb();
1188+ return original_security_ops.file_fcntl(file, cmd, arg);
1189+}
1190+
1191+/**
1192+ * ccs_file_ioctl - Check permission for ioctl().
1193+ *
1194+ * @filp: Pointer to "struct file".
1195+ * @cmd: Command number.
1196+ * @arg: Value for @cmd.
1197+ *
1198+ * Returns 0 on success, negative value otherwise.
1199+ */
1200+static int ccs_file_ioctl(struct file *filp, unsigned int cmd,
1201+ unsigned long arg)
1202+{
1203+ int rc = ccs_ioctl_permission(filp, cmd, arg);
1204+ if (rc)
1205+ return rc;
1206+ while (!original_security_ops.file_ioctl)
1207+ smp_rmb();
1208+ return original_security_ops.file_ioctl(filp, cmd, arg);
1209+}
1210+
1211+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) && defined(CONFIG_SYSCTL_SYSCALL)
1212+int ccs_path_permission(struct ccs_request_info *r, u8 operation,
1213+ const struct ccs_path_info *filename);
1214+
1215+/**
1216+ * ccs_prepend - Copy of prepend() in fs/dcache.c.
1217+ *
1218+ * @buffer: Pointer to "struct char *".
1219+ * @buflen: Pointer to int which holds size of @buffer.
1220+ * @str: String to copy.
1221+ *
1222+ * Returns 0 on success, negative value otherwise.
1223+ *
1224+ * @buffer and @buflen are updated upon success.
1225+ */
1226+static int ccs_prepend(char **buffer, int *buflen, const char *str)
1227+{
1228+ int namelen = strlen(str);
1229+ if (*buflen < namelen)
1230+ return -ENOMEM;
1231+ *buflen -= namelen;
1232+ *buffer -= namelen;
1233+ memcpy(*buffer, str, namelen);
1234+ return 0;
1235+}
1236+
1237+/**
1238+ * ccs_sysctl_permission - Check permission for sysctl().
1239+ *
1240+ * @table: Pointer to "struct ctl_table".
1241+ * @op: Operation. (MAY_READ and/or MAY_WRITE)
1242+ *
1243+ * Returns 0 on success, negative value otherwise.
1244+ */
1245+static int ccs_sysctl(struct ctl_table *table, int op)
1246+{
1247+ int error;
1248+ struct ccs_path_info buf;
1249+ struct ccs_request_info r;
1250+ int buflen;
1251+ char *buffer;
1252+ int idx;
1253+ while (!original_security_ops.sysctl)
1254+ smp_rmb();
1255+ error = original_security_ops.sysctl(table, op);
1256+ if (error)
1257+ return error;
1258+ op &= MAY_READ | MAY_WRITE;
1259+ if (!op)
1260+ return 0;
1261+ buffer = NULL;
1262+ buf.name = NULL;
1263+ idx = ccs_read_lock();
1264+ if (ccs_init_request_info(&r, CCS_MAC_FILE_OPEN)
1265+ == CCS_CONFIG_DISABLED)
1266+ goto out;
1267+ error = -ENOMEM;
1268+ buflen = 4096;
1269+ buffer = kmalloc(buflen, CCS_GFP_FLAGS);
1270+ if (buffer) {
1271+ char *end = buffer + buflen;
1272+ *--end = '\0';
1273+ buflen--;
1274+ while (table) {
1275+ char num[32];
1276+ const char *sp = table->procname;
1277+ if (!sp) {
1278+ memset(num, 0, sizeof(num));
1279+ snprintf(num, sizeof(num) - 1, "=%d=",
1280+ table->ctl_name);
1281+ sp = num;
1282+ }
1283+ if (ccs_prepend(&end, &buflen, sp) ||
1284+ ccs_prepend(&end, &buflen, "/"))
1285+ goto out;
1286+ table = table->parent;
1287+ }
1288+ if (ccs_prepend(&end, &buflen, "proc:/sys"))
1289+ goto out;
1290+ buf.name = ccs_encode(end);
1291+ }
1292+ if (buf.name) {
1293+ ccs_fill_path_info(&buf);
1294+ if (op & MAY_READ)
1295+ error = ccs_path_permission(&r, CCS_TYPE_READ, &buf);
1296+ else
1297+ error = 0;
1298+ if (!error && (op & MAY_WRITE))
1299+ error = ccs_path_permission(&r, CCS_TYPE_WRITE, &buf);
1300+ }
1301+out:
1302+ ccs_read_unlock(idx);
1303+ kfree(buf.name);
1304+ kfree(buffer);
1305+ return error;
1306+}
1307+
1308+#endif
1309+
1310+/*
1311+ * Why not to copy all operations by "original_security_ops = *ops" ?
1312+ * Because copying byte array is not atomic. Reader checks
1313+ * original_security_ops.op != NULL before doing original_security_ops.op().
1314+ * Thus, modifying original_security_ops.op has to be atomic.
1315+ */
1316+#define swap_security_ops(op) \
1317+ original_security_ops.op = ops->op; smp_wmb(); ops->op = ccs_##op;
1318+
1319+/**
1320+ * ccs_update_security_ops - Overwrite original "struct security_operations".
1321+ *
1322+ * @ops: Pointer to "struct security_operations".
1323+ *
1324+ * Returns nothing.
1325+ */
1326+static void __init ccs_update_security_ops(struct security_operations *ops)
1327+{
1328+ /* Security context allocator. */
1329+ swap_security_ops(task_alloc_security);
1330+ swap_security_ops(task_free_security);
1331+ swap_security_ops(bprm_alloc_security);
1332+ swap_security_ops(bprm_free_security);
1333+ /* Security context updater for successful execve(). */
1334+ swap_security_ops(bprm_check_security);
1335+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 6)
1336+ swap_security_ops(bprm_compute_creds);
1337+#else
1338+ swap_security_ops(bprm_apply_creds);
1339+#endif
1340+ /* Various permission checker. */
1341+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1342+ swap_security_ops(dentry_open);
1343+#else
1344+ swap_security_ops(inode_permission);
1345+#endif
1346+ swap_security_ops(file_fcntl);
1347+ swap_security_ops(file_ioctl);
1348+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 21) && defined(CONFIG_SYSCTL_SYSCALL)
1349+ swap_security_ops(sysctl);
1350+#endif
1351+ swap_security_ops(sb_pivotroot);
1352+ swap_security_ops(sb_mount);
1353+ swap_security_ops(sb_umount);
1354+ swap_security_ops(inode_mknod);
1355+ swap_security_ops(inode_mkdir);
1356+ swap_security_ops(inode_rmdir);
1357+ swap_security_ops(inode_unlink);
1358+ swap_security_ops(inode_symlink);
1359+ swap_security_ops(inode_rename);
1360+ swap_security_ops(inode_link);
1361+ swap_security_ops(inode_create);
1362+ swap_security_ops(inode_setattr);
1363+ swap_security_ops(inode_getattr);
1364+#ifdef CONFIG_SECURITY_NETWORK
1365+ swap_security_ops(socket_bind);
1366+ swap_security_ops(socket_connect);
1367+ swap_security_ops(socket_listen);
1368+ swap_security_ops(socket_sendmsg);
1369+ swap_security_ops(socket_recvmsg);
1370+ swap_security_ops(socket_getsockname);
1371+ swap_security_ops(socket_getpeername);
1372+ swap_security_ops(socket_getsockopt);
1373+ swap_security_ops(socket_setsockopt);
1374+ swap_security_ops(socket_shutdown);
1375+ swap_security_ops(socket_accept);
1376+ swap_security_ops(inode_free_security);
1377+#endif
1378+}
1379+
1380+#undef swap_security_ops
1381+
1382+/**
1383+ * ccs_init - Initialize this module.
1384+ *
1385+ * Returns 0 on success, negative value otherwise.
1386+ */
1387+static int __init ccs_init(void)
1388+{
1389+ struct security_operations *ops = probe_security_ops();
1390+ if (!ops)
1391+ goto out;
1392+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 24)
1393+ ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid();
1394+ if (!ccsecurity_exports.find_task_by_vpid)
1395+ goto out;
1396+ ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns();
1397+ if (!ccsecurity_exports.find_task_by_pid_ns)
1398+ goto out;
1399+#endif
1400+ ccsecurity_exports.vfsmount_lock = probe_vfsmount_lock();
1401+ if (!ccsecurity_exports.vfsmount_lock)
1402+ goto out;
1403+ ccs_main_init();
1404+ ccs_update_security_ops(ops);
1405+ printk(KERN_INFO "AKARI: 1.0.38 2018/04/01\n");
1406+ printk(KERN_INFO
1407+ "Access Keeping And Regulating Instrument registered.\n");
1408+ return 0;
1409+out:
1410+ return -EINVAL;
1411+}
1412+
1413+module_init(ccs_init);
1414+MODULE_LICENSE("GPL");
1415+
1416+/**
1417+ * ccs_used_by_cred - Check whether the given domain is in use or not.
1418+ *
1419+ * @domain: Pointer to "struct ccs_domain_info".
1420+ *
1421+ * Returns true if @domain is in use, false otherwise.
1422+ *
1423+ * Caller holds rcu_read_lock().
1424+ */
1425+bool ccs_used_by_cred(const struct ccs_domain_info *domain)
1426+{
1427+ return false;
1428+}
1429+
1430+/**
1431+ * ccs_add_task_security - Add "struct ccs_security" to list.
1432+ *
1433+ * @ptr: Pointer to "struct ccs_security".
1434+ * @list: Pointer to "struct list_head".
1435+ *
1436+ * Returns nothing.
1437+ */
1438+static void ccs_add_task_security(struct ccs_security *ptr,
1439+ struct list_head *list)
1440+{
1441+ unsigned long flags;
1442+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
1443+ list_add_rcu(&ptr->list, list);
1444+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
1445+}
1446+
1447+/**
1448+ * __ccs_alloc_task_security - Allocate memory for new tasks.
1449+ *
1450+ * @task: Pointer to "struct task_struct".
1451+ *
1452+ * Returns 0 on success, negative value otherwise.
1453+ */
1454+static int __ccs_alloc_task_security(const struct task_struct *task)
1455+{
1456+ struct ccs_security *old_security = ccs_current_security();
1457+ struct ccs_security *new_security = kzalloc(sizeof(*new_security),
1458+ GFP_KERNEL);
1459+ struct list_head *list = &ccs_task_security_list
1460+ [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)];
1461+ if (!new_security)
1462+ return -ENOMEM;
1463+ new_security->task = task;
1464+ new_security->ccs_domain_info = old_security->ccs_domain_info;
1465+ new_security->ccs_flags = old_security->ccs_flags;
1466+ ccs_add_task_security(new_security, list);
1467+ return 0;
1468+}
1469+
1470+/**
1471+ * ccs_find_task_security - Find "struct ccs_security" for given task.
1472+ *
1473+ * @task: Pointer to "struct task_struct".
1474+ *
1475+ * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on
1476+ * out of memory, &ccs_default_security otherwise.
1477+ *
1478+ * If @task is current thread and "struct ccs_security" for current thread was
1479+ * not found, I try to allocate it. But if allocation failed, current thread
1480+ * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL
1481+ * won't work.
1482+ */
1483+struct ccs_security *ccs_find_task_security(const struct task_struct *task)
1484+{
1485+ struct ccs_security *ptr;
1486+ struct list_head *list = &ccs_task_security_list
1487+ [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)];
1488+ /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */
1489+ while (!list->next)
1490+ smp_rmb();
1491+ rcu_read_lock();
1492+ list_for_each_entry_rcu(ptr, list, list) {
1493+ if (ptr->task != task)
1494+ continue;
1495+ rcu_read_unlock();
1496+ return ptr;
1497+ }
1498+ rcu_read_unlock();
1499+ if (task != current)
1500+ return &ccs_default_security;
1501+ /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */
1502+ ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC);
1503+ if (!ptr) {
1504+ printk(KERN_WARNING "Unable to allocate memory for pid=%u\n",
1505+ task->pid);
1506+ send_sig(SIGKILL, current, 0);
1507+ return &ccs_oom_security;
1508+ }
1509+ *ptr = ccs_default_security;
1510+ ptr->task = task;
1511+ ccs_add_task_security(ptr, list);
1512+ return ptr;
1513+}
1514+
1515+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8)
1516+
1517+/**
1518+ * ccs_rcu_free - RCU callback for releasing "struct ccs_security".
1519+ *
1520+ * @rcu: Pointer to "struct rcu_head".
1521+ *
1522+ * Returns nothing.
1523+ */
1524+static void ccs_rcu_free(struct rcu_head *rcu)
1525+{
1526+ struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu);
1527+ kfree(ptr);
1528+}
1529+
1530+#else
1531+
1532+/**
1533+ * ccs_rcu_free - RCU callback for releasing "struct ccs_security".
1534+ *
1535+ * @arg: Pointer to "void".
1536+ *
1537+ * Returns nothing.
1538+ */
1539+static void ccs_rcu_free(void *arg)
1540+{
1541+ struct ccs_security *ptr = arg;
1542+ kfree(ptr);
1543+}
1544+
1545+#endif
1546+
1547+/**
1548+ * __ccs_free_task_security - Release memory associated with "struct task_struct".
1549+ *
1550+ * @task: Pointer to "struct task_struct".
1551+ *
1552+ * Returns nothing.
1553+ */
1554+static void __ccs_free_task_security(const struct task_struct *task)
1555+{
1556+ unsigned long flags;
1557+ struct ccs_security *ptr = ccs_find_task_security(task);
1558+ if (ptr == &ccs_default_security || ptr == &ccs_oom_security)
1559+ return;
1560+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
1561+ list_del_rcu(&ptr->list);
1562+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
1563+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 8)
1564+ call_rcu(&ptr->rcu, ccs_rcu_free);
1565+#else
1566+ call_rcu(&ptr->rcu, ccs_rcu_free, ptr);
1567+#endif
1568+}
--- tags/patches/1.0.38/lsm-2.6.29.c (nonexistent)
+++ tags/patches/1.0.38/lsm-2.6.29.c (revision 589)
@@ -0,0 +1,2246 @@
1+/*
2+ * lsm.c
3+ *
4+ * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
5+ *
6+ * Version: 1.0.38 2018/04/01
7+ */
8+
9+#include "internal.h"
10+#include "probe.h"
11+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0)
12+#define USE_UMODE_T
13+#else
14+#include "check_umode_t.h"
15+#endif
16+
17+/* Prototype definition. */
18+static void ccs_task_security_gc(void);
19+static int ccs_copy_cred_security(const struct cred *new,
20+ const struct cred *old, gfp_t gfp);
21+static struct ccs_security *ccs_find_cred_security(const struct cred *cred);
22+static DEFINE_SPINLOCK(ccs_task_security_list_lock);
23+static atomic_t ccs_in_execve_tasks = ATOMIC_INIT(0);
24+/*
25+ * List of "struct ccs_security" for "struct pid".
26+ *
27+ * All instances on this list is guaranteed that "struct ccs_security"->pid !=
28+ * NULL. Also, instances on this list that are in execve() are guaranteed that
29+ * "struct ccs_security"->cred remembers "struct linux_binprm"->cred with a
30+ * refcount on "struct linux_binprm"->cred.
31+ */
32+struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
33+/*
34+ * List of "struct ccs_security" for "struct cred".
35+ *
36+ * Since the number of "struct cred" is nearly equals to the number of
37+ * "struct pid", we allocate hash tables like ccs_task_security_list.
38+ *
39+ * All instances on this list are guaranteed that "struct ccs_security"->pid ==
40+ * NULL and "struct ccs_security"->cred != NULL.
41+ */
42+static struct list_head ccs_cred_security_list[CCS_MAX_TASK_SECURITY_HASH];
43+
44+/* Dummy security context for avoiding NULL pointer dereference. */
45+static struct ccs_security ccs_oom_security = {
46+ .ccs_domain_info = &ccs_kernel_domain
47+};
48+
49+/* Dummy security context for avoiding NULL pointer dereference. */
50+static struct ccs_security ccs_default_security = {
51+ .ccs_domain_info = &ccs_kernel_domain
52+};
53+
54+/* For exporting variables and functions. */
55+struct ccsecurity_exports ccsecurity_exports;
56+/* Members are updated by loadable kernel module. */
57+struct ccsecurity_operations ccsecurity_ops;
58+
59+/* Function pointers originally registered by register_security(). */
60+static struct security_operations original_security_ops /* = *security_ops; */;
61+
62+#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT
63+
64+/**
65+ * ccs_update_ee_counter - Update "struct ccs_execve" counter.
66+ *
67+ * @count: Count to increment or decrement.
68+ *
69+ * Returns updated counter.
70+ */
71+static unsigned int ccs_update_ee_counter(int count)
72+{
73+ /* Debug counter for detecting "struct ccs_execve" memory leak. */
74+ static atomic_t ccs_ee_counter = ATOMIC_INIT(0);
75+ return atomic_add_return(count, &ccs_ee_counter);
76+}
77+
78+/**
79+ * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve".
80+ *
81+ * @ee: Pointer to "struct ccs_execve".
82+ *
83+ * Returns nothing.
84+ */
85+void ccs_audit_alloc_execve(const struct ccs_execve * const ee)
86+{
87+ printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee,
88+ current->pid, ccs_update_ee_counter(1) - 1);
89+}
90+
91+/**
92+ * ccs_audit_free_execve - Audit release of "struct ccs_execve".
93+ *
94+ * @ee: Pointer to "struct ccs_execve".
95+ * @task: True if released by current task, false otherwise.
96+ *
97+ * Returns nothing.
98+ */
99+void ccs_audit_free_execve(const struct ccs_execve * const ee,
100+ const bool is_current)
101+{
102+ const unsigned int tmp = ccs_update_ee_counter(-1);
103+ if (is_current)
104+ printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n",
105+ ee, current->pid, tmp);
106+ else
107+ printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n",
108+ ee, tmp);
109+}
110+
111+#endif
112+
113+#if !defined(CONFIG_AKARI_DEBUG)
114+#define ccs_debug_trace(pos) do { } while (0)
115+#else
116+#define ccs_debug_trace(pos) \
117+ do { \
118+ static bool done; \
119+ if (!done) { \
120+ printk(KERN_INFO \
121+ "AKARI: Debug trace: " pos " of 4\n"); \
122+ done = true; \
123+ } \
124+ } while (0)
125+#endif
126+
127+/**
128+ * ccs_clear_execve - Release memory used by do_execve().
129+ *
130+ * @ret: 0 if do_execve() succeeded, negative value otherwise.
131+ * @security: Pointer to "struct ccs_security".
132+ *
133+ * Returns nothing.
134+ */
135+static void ccs_clear_execve(int ret, struct ccs_security *security)
136+{
137+ struct ccs_execve *ee;
138+ if (security == &ccs_default_security || security == &ccs_oom_security)
139+ return;
140+ ee = security->ee;
141+ security->ee = NULL;
142+ if (!ee)
143+ return;
144+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 31)
145+ /*
146+ * Drop refcount on "struct cred" in "struct linux_binprm" and forget
147+ * it.
148+ */
149+ put_cred(security->cred);
150+ security->cred = NULL;
151+#endif
152+ atomic_dec(&ccs_in_execve_tasks);
153+ ccs_finish_execve(ret, ee);
154+}
155+
156+/**
157+ * ccs_rcu_free - RCU callback for releasing "struct ccs_security".
158+ *
159+ * @rcu: Pointer to "struct rcu_head".
160+ *
161+ * Returns nothing.
162+ */
163+static void ccs_rcu_free(struct rcu_head *rcu)
164+{
165+ struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu);
166+ struct ccs_execve *ee = ptr->ee;
167+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 31)
168+ /*
169+ * If this security context was associated with "struct pid" and
170+ * ptr->ccs_flags has CCS_TASK_IS_IN_EXECVE set, it indicates that a
171+ * "struct task_struct" associated with this security context exited
172+ * immediately after do_execve() has failed.
173+ */
174+ if (ptr->pid && (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE)) {
175+ ccs_debug_trace("1");
176+ atomic_dec(&ccs_in_execve_tasks);
177+ }
178+#else
179+ /*
180+ * If this security context was associated with "struct pid" and
181+ * remembers "struct cred" in "struct linux_binprm", it indicates that
182+ * a "struct task_struct" associated with this security context exited
183+ * immediately after do_execve() has failed.
184+ */
185+ if (ptr->pid && ptr->cred) {
186+ ccs_debug_trace("1");
187+ put_cred(ptr->cred);
188+ atomic_dec(&ccs_in_execve_tasks);
189+ }
190+#endif
191+ /*
192+ * If this security context was associated with "struct pid",
193+ * drop refcount obtained by get_pid() in ccs_find_task_security().
194+ */
195+ if (ptr->pid) {
196+ ccs_debug_trace("2");
197+ put_pid(ptr->pid);
198+ }
199+ if (ee) {
200+ ccs_debug_trace("3");
201+ ccs_audit_free_execve(ee, false);
202+ kfree(ee->handler_path);
203+ kfree(ee);
204+ }
205+ kfree(ptr);
206+}
207+
208+/**
209+ * ccs_del_security - Release "struct ccs_security".
210+ *
211+ * @ptr: Pointer to "struct ccs_security".
212+ *
213+ * Returns nothing.
214+ */
215+static void ccs_del_security(struct ccs_security *ptr)
216+{
217+ unsigned long flags;
218+ if (ptr == &ccs_default_security || ptr == &ccs_oom_security)
219+ return;
220+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
221+ list_del_rcu(&ptr->list);
222+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
223+ call_rcu(&ptr->rcu, ccs_rcu_free);
224+}
225+
226+/**
227+ * ccs_add_cred_security - Add "struct ccs_security" to list.
228+ *
229+ * @ptr: Pointer to "struct ccs_security".
230+ *
231+ * Returns nothing.
232+ */
233+static void ccs_add_cred_security(struct ccs_security *ptr)
234+{
235+ unsigned long flags;
236+ struct list_head *list = &ccs_cred_security_list
237+ [hash_ptr((void *) ptr->cred, CCS_TASK_SECURITY_HASH_BITS)];
238+#ifdef CONFIG_AKARI_DEBUG
239+ if (ptr->pid)
240+ printk(KERN_INFO "AKARI: \"struct ccs_security\"->pid != NULL"
241+ "\n");
242+#endif
243+ ptr->pid = NULL;
244+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
245+ list_add_rcu(&ptr->list, list);
246+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
247+}
248+
249+/**
250+ * ccs_task_create - Make snapshot of security context for new task.
251+ *
252+ * @clone_flags: Flags passed to clone().
253+ *
254+ * Returns 0 on success, negative value otherwise.
255+ */
256+static int ccs_task_create(unsigned long clone_flags)
257+{
258+ int rc;
259+ struct ccs_security *old_security;
260+ struct ccs_security *new_security;
261+ struct cred *cred = prepare_creds();
262+ if (!cred)
263+ return -ENOMEM;
264+ while (!original_security_ops.task_create)
265+ smp_rmb();
266+ rc = original_security_ops.task_create(clone_flags);
267+ if (rc) {
268+ abort_creds(cred);
269+ return rc;
270+ }
271+ old_security = ccs_find_task_security(current);
272+ new_security = ccs_find_cred_security(cred);
273+ new_security->ccs_domain_info = old_security->ccs_domain_info;
274+ new_security->ccs_flags = old_security->ccs_flags;
275+ return commit_creds(cred);
276+}
277+
278+/**
279+ * ccs_cred_prepare - Allocate memory for new credentials.
280+ *
281+ * @new: Pointer to "struct cred".
282+ * @old: Pointer to "struct cred".
283+ * @gfp: Memory allocation flags.
284+ *
285+ * Returns 0 on success, negative value otherwise.
286+ */
287+static int ccs_cred_prepare(struct cred *new, const struct cred *old,
288+ gfp_t gfp)
289+{
290+ int rc;
291+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 31)
292+ /*
293+ * For checking whether reverting domain transition is needed or not.
294+ *
295+ * See ccs_find_task_security() for reason.
296+ */
297+ if (gfp == GFP_KERNEL)
298+ ccs_find_task_security(current);
299+#endif
300+ rc = ccs_copy_cred_security(new, old, gfp);
301+ if (rc)
302+ return rc;
303+ if (gfp == GFP_KERNEL)
304+ ccs_task_security_gc();
305+ while (!original_security_ops.cred_prepare)
306+ smp_rmb();
307+ rc = original_security_ops.cred_prepare(new, old, gfp);
308+ if (rc)
309+ ccs_del_security(ccs_find_cred_security(new));
310+ return rc;
311+}
312+
313+/**
314+ * ccs_cred_free - Release memory used by credentials.
315+ *
316+ * @cred: Pointer to "struct cred".
317+ *
318+ * Returns nothing.
319+ */
320+static void ccs_cred_free(struct cred *cred)
321+{
322+ while (!original_security_ops.cred_free)
323+ smp_rmb();
324+ original_security_ops.cred_free(cred);
325+ ccs_del_security(ccs_find_cred_security(cred));
326+}
327+
328+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
329+
330+/**
331+ * ccs_alloc_cred_security - Allocate memory for new credentials.
332+ *
333+ * @cred: Pointer to "struct cred".
334+ * @gfp: Memory allocation flags.
335+ *
336+ * Returns 0 on success, negative value otherwise.
337+ */
338+static int ccs_alloc_cred_security(const struct cred *cred, gfp_t gfp)
339+{
340+ struct ccs_security *new_security = kzalloc(sizeof(*new_security),
341+ gfp);
342+ if (!new_security)
343+ return -ENOMEM;
344+ new_security->cred = cred;
345+ ccs_add_cred_security(new_security);
346+ return 0;
347+}
348+
349+/**
350+ * ccs_cred_alloc_blank - Allocate memory for new credentials.
351+ *
352+ * @new: Pointer to "struct cred".
353+ * @gfp: Memory allocation flags.
354+ *
355+ * Returns 0 on success, negative value otherwise.
356+ */
357+static int ccs_cred_alloc_blank(struct cred *new, gfp_t gfp)
358+{
359+ int rc = ccs_alloc_cred_security(new, gfp);
360+ if (rc)
361+ return rc;
362+ while (!original_security_ops.cred_alloc_blank)
363+ smp_rmb();
364+ rc = original_security_ops.cred_alloc_blank(new, gfp);
365+ if (rc)
366+ ccs_del_security(ccs_find_cred_security(new));
367+ return rc;
368+}
369+
370+/**
371+ * ccs_cred_transfer - Transfer "struct ccs_security" between credentials.
372+ *
373+ * @new: Pointer to "struct cred".
374+ * @old: Pointer to "struct cred".
375+ *
376+ * Returns nothing.
377+ */
378+static void ccs_cred_transfer(struct cred *new, const struct cred *old)
379+{
380+ struct ccs_security *new_security;
381+ struct ccs_security *old_security;
382+ while (!original_security_ops.cred_transfer)
383+ smp_rmb();
384+ original_security_ops.cred_transfer(new, old);
385+ new_security = ccs_find_cred_security(new);
386+ old_security = ccs_find_cred_security(old);
387+ if (new_security == &ccs_default_security ||
388+ new_security == &ccs_oom_security ||
389+ old_security == &ccs_default_security ||
390+ old_security == &ccs_oom_security)
391+ return;
392+ new_security->ccs_flags = old_security->ccs_flags;
393+ new_security->ccs_domain_info = old_security->ccs_domain_info;
394+}
395+
396+#endif
397+
398+/**
399+ * ccs_bprm_committing_creds - A hook which is called when do_execve() succeeded.
400+ *
401+ * @bprm: Pointer to "struct linux_binprm".
402+ *
403+ * Returns nothing.
404+ */
405+static void ccs_bprm_committing_creds(struct linux_binprm *bprm)
406+{
407+ struct ccs_security *old_security;
408+ struct ccs_security *new_security;
409+ while (!original_security_ops.bprm_committing_creds)
410+ smp_rmb();
411+ original_security_ops.bprm_committing_creds(bprm);
412+ old_security = ccs_current_security();
413+ if (old_security == &ccs_default_security ||
414+ old_security == &ccs_oom_security)
415+ return;
416+ ccs_clear_execve(0, old_security);
417+ /* Update current task's cred's domain for future fork(). */
418+ new_security = ccs_find_cred_security(bprm->cred);
419+ new_security->ccs_flags = old_security->ccs_flags;
420+ new_security->ccs_domain_info = old_security->ccs_domain_info;
421+}
422+
423+/**
424+ * ccs_bprm_check_security - Check permission for execve().
425+ *
426+ * @bprm: Pointer to "struct linux_binprm".
427+ *
428+ * Returns 0 on success, negative value otherwise.
429+ */
430+static int ccs_bprm_check_security(struct linux_binprm *bprm)
431+{
432+ struct ccs_security *security = ccs_current_security();
433+ if (security == &ccs_default_security || security == &ccs_oom_security)
434+ return -ENOMEM;
435+ if (!security->ee) {
436+ int rc;
437+#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER
438+ if (!ccs_policy_loaded)
439+ ccs_load_policy(bprm->filename);
440+#endif
441+ rc = ccs_start_execve(bprm, &security->ee);
442+ if (security->ee) {
443+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 31)
444+ /*
445+ * Get refcount on "struct cred" in
446+ * "struct linux_binprm" and remember it.
447+ */
448+ get_cred(bprm->cred);
449+ security->cred = bprm->cred;
450+#endif
451+ atomic_inc(&ccs_in_execve_tasks);
452+ }
453+ if (rc)
454+ return rc;
455+ }
456+ while (!original_security_ops.bprm_check_security)
457+ smp_rmb();
458+ return original_security_ops.bprm_check_security(bprm);
459+}
460+
461+/**
462+ * ccs_open - Check permission for open().
463+ *
464+ * @f: Pointer to "struct file".
465+ *
466+ * Returns 0 on success, negative value otherwise.
467+ */
468+static int ccs_open(struct file *f)
469+{
470+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33)
471+ return ccs_open_permission(f);
472+#elif defined(RHEL_MAJOR) && RHEL_MAJOR == 6
473+ return ccs_open_permission(f->f_path.dentry, f->f_path.mnt,
474+ f->f_flags);
475+#else
476+ return ccs_open_permission(f->f_path.dentry, f->f_path.mnt,
477+ f->f_flags + 1);
478+#endif
479+}
480+
481+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
482+
483+/**
484+ * ccs_file_open - Check permission for open().
485+ *
486+ * @f: Pointer to "struct file".
487+ * @cred: Pointer to "struct cred".
488+ *
489+ * Returns 0 on success, negative value otherwise.
490+ */
491+static int ccs_file_open(struct file *f, const struct cred *cred)
492+{
493+ int rc = ccs_open(f);
494+ if (rc)
495+ return rc;
496+ while (!original_security_ops.file_open)
497+ smp_rmb();
498+ return original_security_ops.file_open(f, cred);
499+}
500+
501+#else
502+
503+/**
504+ * ccs_dentry_open - Check permission for open().
505+ *
506+ * @f: Pointer to "struct file".
507+ * @cred: Pointer to "struct cred".
508+ *
509+ * Returns 0 on success, negative value otherwise.
510+ */
511+static int ccs_dentry_open(struct file *f, const struct cred *cred)
512+{
513+ int rc = ccs_open(f);
514+ if (rc)
515+ return rc;
516+ while (!original_security_ops.dentry_open)
517+ smp_rmb();
518+ return original_security_ops.dentry_open(f, cred);
519+}
520+
521+#endif
522+
523+#if defined(CONFIG_SECURITY_PATH)
524+
525+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
526+
527+/**
528+ * ccs_path_chown - Check permission for chown()/chgrp().
529+ *
530+ * @path: Pointer to "struct path".
531+ * @user: User ID.
532+ * @group: Group ID.
533+ *
534+ * Returns 0 on success, negative value otherwise.
535+ */
536+static int ccs_path_chown(struct path *path, kuid_t user, kgid_t group)
537+{
538+ int rc = ccs_chown_permission(path->dentry, path->mnt, user, group);
539+ if (rc)
540+ return rc;
541+ while (!original_security_ops.path_chown)
542+ smp_rmb();
543+ return original_security_ops.path_chown(path, user, group);
544+}
545+
546+/**
547+ * ccs_path_chmod - Check permission for chmod().
548+ *
549+ * @path: Pointer to "struct path".
550+ * @mode: Mode.
551+ *
552+ * Returns 0 on success, negative value otherwise.
553+ */
554+static int ccs_path_chmod(struct path *path, umode_t mode)
555+{
556+ int rc = ccs_chmod_permission(path->dentry, path->mnt, mode);
557+ if (rc)
558+ return rc;
559+ while (!original_security_ops.path_chmod)
560+ smp_rmb();
561+ return original_security_ops.path_chmod(path, mode);
562+}
563+
564+/**
565+ * ccs_path_chroot - Check permission for chroot().
566+ *
567+ * @path: Pointer to "struct path".
568+ *
569+ * Returns 0 on success, negative value otherwise.
570+ */
571+static int ccs_path_chroot(struct path *path)
572+{
573+ int rc = ccs_chroot_permission(path);
574+ if (rc)
575+ return rc;
576+ while (!original_security_ops.path_chroot)
577+ smp_rmb();
578+ return original_security_ops.path_chroot(path);
579+}
580+
581+#elif LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33)
582+
583+/**
584+ * ccs_path_chown - Check permission for chown()/chgrp().
585+ *
586+ * @path: Pointer to "struct path".
587+ * @user: User ID.
588+ * @group: Group ID.
589+ *
590+ * Returns 0 on success, negative value otherwise.
591+ */
592+static int ccs_path_chown(struct path *path, uid_t user, gid_t group)
593+{
594+ int rc = ccs_chown_permission(path->dentry, path->mnt, user, group);
595+ if (rc)
596+ return rc;
597+ while (!original_security_ops.path_chown)
598+ smp_rmb();
599+ return original_security_ops.path_chown(path, user, group);
600+}
601+
602+#if defined(USE_UMODE_T)
603+
604+/**
605+ * ccs_path_chmod - Check permission for chmod().
606+ *
607+ * @path: Pointer to "struct path".
608+ * @mode: Mode.
609+ *
610+ * Returns 0 on success, negative value otherwise.
611+ */
612+static int ccs_path_chmod(struct path *path, umode_t mode)
613+{
614+ int rc = ccs_chmod_permission(path->dentry, path->mnt, mode);
615+ if (rc)
616+ return rc;
617+ while (!original_security_ops.path_chmod)
618+ smp_rmb();
619+ return original_security_ops.path_chmod(path, mode);
620+}
621+
622+#else
623+
624+/**
625+ * ccs_path_chmod - Check permission for chmod().
626+ *
627+ * @dentry: Pointer to "struct dentry".
628+ * @vfsmnt: Pointer to "struct vfsmount".
629+ * @mode: Mode.
630+ *
631+ * Returns 0 on success, negative value otherwise.
632+ */
633+static int ccs_path_chmod(struct dentry *dentry, struct vfsmount *vfsmnt,
634+ mode_t mode)
635+{
636+ int rc = ccs_chmod_permission(dentry, vfsmnt, mode);
637+ if (rc)
638+ return rc;
639+ while (!original_security_ops.path_chmod)
640+ smp_rmb();
641+ return original_security_ops.path_chmod(dentry, vfsmnt, mode);
642+}
643+
644+#endif
645+
646+/**
647+ * ccs_path_chroot - Check permission for chroot().
648+ *
649+ * @path: Pointer to "struct path".
650+ *
651+ * Returns 0 on success, negative value otherwise.
652+ */
653+static int ccs_path_chroot(struct path *path)
654+{
655+ int rc = ccs_chroot_permission(path);
656+ if (rc)
657+ return rc;
658+ while (!original_security_ops.path_chroot)
659+ smp_rmb();
660+ return original_security_ops.path_chroot(path);
661+}
662+
663+#endif
664+
665+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 36)
666+
667+/**
668+ * ccs_path_truncate - Check permission for truncate().
669+ *
670+ * @path: Pointer to "struct path".
671+ *
672+ * Returns 0 on success, negative value otherwise.
673+ */
674+static int ccs_path_truncate(struct path *path)
675+{
676+ int rc = ccs_truncate_permission(path->dentry, path->mnt);
677+ if (rc)
678+ return rc;
679+ while (!original_security_ops.path_truncate)
680+ smp_rmb();
681+ return original_security_ops.path_truncate(path);
682+}
683+
684+#else
685+
686+/**
687+ * ccs_path_truncate - Check permission for truncate().
688+ *
689+ * @path: Pointer to "struct path".
690+ * @length: New length.
691+ * @time_attrs: New time attributes.
692+ *
693+ * Returns 0 on success, negative value otherwise.
694+ */
695+static int ccs_path_truncate(struct path *path, loff_t length,
696+ unsigned int time_attrs)
697+{
698+ int rc = ccs_truncate_permission(path->dentry, path->mnt);
699+ if (rc)
700+ return rc;
701+ while (!original_security_ops.path_truncate)
702+ smp_rmb();
703+ return original_security_ops.path_truncate(path, length, time_attrs);
704+}
705+
706+#endif
707+
708+#endif
709+
710+/**
711+ * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate().
712+ *
713+ * @dentry: Pointer to "struct dentry".
714+ * @attr: Pointer to "struct iattr".
715+ *
716+ * Returns 0 on success, negative value otherwise.
717+ */
718+static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr)
719+{
720+ int rc = 0;
721+#if !defined(CONFIG_SECURITY_PATH) || LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33)
722+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
723+ if (attr->ia_valid & ATTR_UID)
724+ rc = ccs_chown_permission(dentry, NULL, attr->ia_uid,
725+ INVALID_GID);
726+ if (!rc && (attr->ia_valid & ATTR_GID))
727+ rc = ccs_chown_permission(dentry, NULL, INVALID_UID,
728+ attr->ia_gid);
729+#else
730+ if (attr->ia_valid & ATTR_UID)
731+ rc = ccs_chown_permission(dentry, NULL, attr->ia_uid, -1);
732+ if (!rc && (attr->ia_valid & ATTR_GID))
733+ rc = ccs_chown_permission(dentry, NULL, -1, attr->ia_gid);
734+#endif
735+ if (!rc && (attr->ia_valid & ATTR_MODE))
736+ rc = ccs_chmod_permission(dentry, NULL, attr->ia_mode);
737+#endif
738+#if !defined(CONFIG_SECURITY_PATH)
739+ if (!rc && (attr->ia_valid & ATTR_SIZE))
740+ rc = ccs_truncate_permission(dentry, NULL);
741+#endif
742+ if (rc)
743+ return rc;
744+ while (!original_security_ops.inode_setattr)
745+ smp_rmb();
746+ return original_security_ops.inode_setattr(dentry, attr);
747+}
748+
749+#if LINUX_VERSION_CODE >= KERNEL_VERSION(4, 1, 0)
750+
751+/**
752+ * ccs_inode_getattr - Check permission for stat().
753+ *
754+ * @path: Pointer to "struct path".
755+ *
756+ * Returns 0 on success, negative value otherwise.
757+ */
758+static int ccs_inode_getattr(const struct path *path)
759+{
760+ int rc = ccs_getattr_permission(path->mnt, path->dentry);
761+ if (rc)
762+ return rc;
763+ while (!original_security_ops.inode_getattr)
764+ smp_rmb();
765+ return original_security_ops.inode_getattr(path);
766+}
767+
768+#else
769+
770+/**
771+ * ccs_inode_getattr - Check permission for stat().
772+ *
773+ * @mnt: Pointer to "struct vfsmount".
774+ * @dentry: Pointer to "struct dentry".
775+ *
776+ * Returns 0 on success, negative value otherwise.
777+ */
778+static int ccs_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
779+{
780+ int rc = ccs_getattr_permission(mnt, dentry);
781+ if (rc)
782+ return rc;
783+ while (!original_security_ops.inode_getattr)
784+ smp_rmb();
785+ return original_security_ops.inode_getattr(mnt, dentry);
786+}
787+
788+#endif
789+
790+#if defined(CONFIG_SECURITY_PATH)
791+
792+#if defined(USE_UMODE_T)
793+
794+/**
795+ * ccs_path_mknod - Check permission for mknod().
796+ *
797+ * @dir: Pointer to "struct path".
798+ * @dentry: Pointer to "struct dentry".
799+ * @mode: Create mode.
800+ * @dev: Device major/minor number.
801+ *
802+ * Returns 0 on success, negative value otherwise.
803+ */
804+static int ccs_path_mknod(struct path *dir, struct dentry *dentry,
805+ umode_t mode, unsigned int dev)
806+{
807+ int rc = ccs_mknod_permission(dentry, dir->mnt, mode, dev);
808+ if (rc)
809+ return rc;
810+ while (!original_security_ops.path_mknod)
811+ smp_rmb();
812+ return original_security_ops.path_mknod(dir, dentry, mode, dev);
813+}
814+
815+/**
816+ * ccs_path_mkdir - Check permission for mkdir().
817+ *
818+ * @dir: Pointer to "struct path".
819+ * @dentry: Pointer to "struct dentry".
820+ * @mode: Create mode.
821+ *
822+ * Returns 0 on success, negative value otherwise.
823+ */
824+static int ccs_path_mkdir(struct path *dir, struct dentry *dentry,
825+ umode_t mode)
826+{
827+ int rc = ccs_mkdir_permission(dentry, dir->mnt, mode);
828+ if (rc)
829+ return rc;
830+ while (!original_security_ops.path_mkdir)
831+ smp_rmb();
832+ return original_security_ops.path_mkdir(dir, dentry, mode);
833+}
834+
835+#else
836+
837+/**
838+ * ccs_path_mknod - Check permission for mknod().
839+ *
840+ * @dir: Pointer to "struct path".
841+ * @dentry: Pointer to "struct dentry".
842+ * @mode: Create mode.
843+ * @dev: Device major/minor number.
844+ *
845+ * Returns 0 on success, negative value otherwise.
846+ */
847+static int ccs_path_mknod(struct path *dir, struct dentry *dentry, int mode,
848+ unsigned int dev)
849+{
850+ int rc = ccs_mknod_permission(dentry, dir->mnt, mode, dev);
851+ if (rc)
852+ return rc;
853+ while (!original_security_ops.path_mknod)
854+ smp_rmb();
855+ return original_security_ops.path_mknod(dir, dentry, mode, dev);
856+}
857+
858+/**
859+ * ccs_path_mkdir - Check permission for mkdir().
860+ *
861+ * @dir: Pointer to "struct path".
862+ * @dentry: Pointer to "struct dentry".
863+ * @mode: Create mode.
864+ *
865+ * Returns 0 on success, negative value otherwise.
866+ */
867+static int ccs_path_mkdir(struct path *dir, struct dentry *dentry, int mode)
868+{
869+ int rc = ccs_mkdir_permission(dentry, dir->mnt, mode);
870+ if (rc)
871+ return rc;
872+ while (!original_security_ops.path_mkdir)
873+ smp_rmb();
874+ return original_security_ops.path_mkdir(dir, dentry, mode);
875+}
876+
877+#endif
878+
879+/**
880+ * ccs_path_rmdir - Check permission for rmdir().
881+ *
882+ * @dir: Pointer to "struct path".
883+ * @dentry: Pointer to "struct dentry".
884+ *
885+ * Returns 0 on success, negative value otherwise.
886+ */
887+static int ccs_path_rmdir(struct path *dir, struct dentry *dentry)
888+{
889+ int rc = ccs_rmdir_permission(dentry, dir->mnt);
890+ if (rc)
891+ return rc;
892+ while (!original_security_ops.path_rmdir)
893+ smp_rmb();
894+ return original_security_ops.path_rmdir(dir, dentry);
895+}
896+
897+/**
898+ * ccs_path_unlink - Check permission for unlink().
899+ *
900+ * @dir: Pointer to "struct path".
901+ * @dentry: Pointer to "struct dentry".
902+ *
903+ * Returns 0 on success, negative value otherwise.
904+ */
905+static int ccs_path_unlink(struct path *dir, struct dentry *dentry)
906+{
907+ int rc = ccs_unlink_permission(dentry, dir->mnt);
908+ if (rc)
909+ return rc;
910+ while (!original_security_ops.path_unlink)
911+ smp_rmb();
912+ return original_security_ops.path_unlink(dir, dentry);
913+}
914+
915+/**
916+ * ccs_path_symlink - Check permission for symlink().
917+ *
918+ * @dir: Pointer to "struct path".
919+ * @dentry: Pointer to "struct dentry".
920+ * @old_name: Content of symbolic link.
921+ *
922+ * Returns 0 on success, negative value otherwise.
923+ */
924+static int ccs_path_symlink(struct path *dir, struct dentry *dentry,
925+ const char *old_name)
926+{
927+ int rc = ccs_symlink_permission(dentry, dir->mnt, old_name);
928+ if (rc)
929+ return rc;
930+ while (!original_security_ops.path_symlink)
931+ smp_rmb();
932+ return original_security_ops.path_symlink(dir, dentry, old_name);
933+}
934+
935+/**
936+ * ccs_path_rename - Check permission for rename().
937+ *
938+ * @old_dir: Pointer to "struct path".
939+ * @old_dentry: Pointer to "struct dentry".
940+ * @new_dir: Pointer to "struct path".
941+ * @new_dentry: Pointer to "struct dentry".
942+ *
943+ * Returns 0 on success, negative value otherwise.
944+ */
945+static int ccs_path_rename(struct path *old_dir, struct dentry *old_dentry,
946+ struct path *new_dir, struct dentry *new_dentry)
947+{
948+ int rc = ccs_rename_permission(old_dentry, new_dentry, old_dir->mnt);
949+ if (rc)
950+ return rc;
951+ while (!original_security_ops.path_rename)
952+ smp_rmb();
953+ return original_security_ops.path_rename(old_dir, old_dentry, new_dir,
954+ new_dentry);
955+}
956+
957+/**
958+ * ccs_path_link - Check permission for link().
959+ *
960+ * @old_dentry: Pointer to "struct dentry".
961+ * @new_dir: Pointer to "struct path".
962+ * @new_dentry: Pointer to "struct dentry".
963+ *
964+ * Returns 0 on success, negative value otherwise.
965+ */
966+static int ccs_path_link(struct dentry *old_dentry, struct path *new_dir,
967+ struct dentry *new_dentry)
968+{
969+ int rc = ccs_link_permission(old_dentry, new_dentry, new_dir->mnt);
970+ if (rc)
971+ return rc;
972+ while (!original_security_ops.path_link)
973+ smp_rmb();
974+ return original_security_ops.path_link(old_dentry, new_dir,
975+ new_dentry);
976+}
977+
978+#else
979+
980+#if defined(USE_UMODE_T)
981+
982+/**
983+ * ccs_inode_mknod - Check permission for mknod().
984+ *
985+ * @dir: Pointer to "struct inode".
986+ * @dentry: Pointer to "struct dentry".
987+ * @mode: Create mode.
988+ * @dev: Device major/minor number.
989+ *
990+ * Returns 0 on success, negative value otherwise.
991+ */
992+static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry,
993+ umode_t mode, dev_t dev)
994+{
995+ int rc = ccs_mknod_permission(dentry, NULL, mode, dev);
996+ if (rc)
997+ return rc;
998+ while (!original_security_ops.inode_mknod)
999+ smp_rmb();
1000+ return original_security_ops.inode_mknod(dir, dentry, mode, dev);
1001+}
1002+
1003+/**
1004+ * ccs_inode_mkdir - Check permission for mkdir().
1005+ *
1006+ * @dir: Pointer to "struct inode".
1007+ * @dentry: Pointer to "struct dentry".
1008+ * @mode: Create mode.
1009+ *
1010+ * Returns 0 on success, negative value otherwise.
1011+ */
1012+static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry,
1013+ umode_t mode)
1014+{
1015+ int rc = ccs_mkdir_permission(dentry, NULL, mode);
1016+ if (rc)
1017+ return rc;
1018+ while (!original_security_ops.inode_mkdir)
1019+ smp_rmb();
1020+ return original_security_ops.inode_mkdir(dir, dentry, mode);
1021+}
1022+
1023+#else
1024+
1025+/**
1026+ * ccs_inode_mknod - Check permission for mknod().
1027+ *
1028+ * @dir: Pointer to "struct inode".
1029+ * @dentry: Pointer to "struct dentry".
1030+ * @mode: Create mode.
1031+ * @dev: Device major/minor number.
1032+ *
1033+ * Returns 0 on success, negative value otherwise.
1034+ */
1035+static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry, int mode,
1036+ dev_t dev)
1037+{
1038+ int rc = ccs_mknod_permission(dentry, NULL, mode, dev);
1039+ if (rc)
1040+ return rc;
1041+ while (!original_security_ops.inode_mknod)
1042+ smp_rmb();
1043+ return original_security_ops.inode_mknod(dir, dentry, mode, dev);
1044+}
1045+
1046+/**
1047+ * ccs_inode_mkdir - Check permission for mkdir().
1048+ *
1049+ * @dir: Pointer to "struct inode".
1050+ * @dentry: Pointer to "struct dentry".
1051+ * @mode: Create mode.
1052+ *
1053+ * Returns 0 on success, negative value otherwise.
1054+ */
1055+static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry, int mode)
1056+{
1057+ int rc = ccs_mkdir_permission(dentry, NULL, mode);
1058+ if (rc)
1059+ return rc;
1060+ while (!original_security_ops.inode_mkdir)
1061+ smp_rmb();
1062+ return original_security_ops.inode_mkdir(dir, dentry, mode);
1063+}
1064+
1065+#endif
1066+
1067+/**
1068+ * ccs_inode_rmdir - Check permission for rmdir().
1069+ *
1070+ * @dir: Pointer to "struct inode".
1071+ * @dentry: Pointer to "struct dentry".
1072+ *
1073+ * Returns 0 on success, negative value otherwise.
1074+ */
1075+static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry)
1076+{
1077+ int rc = ccs_rmdir_permission(dentry, NULL);
1078+ if (rc)
1079+ return rc;
1080+ while (!original_security_ops.inode_rmdir)
1081+ smp_rmb();
1082+ return original_security_ops.inode_rmdir(dir, dentry);
1083+}
1084+
1085+/**
1086+ * ccs_inode_unlink - Check permission for unlink().
1087+ *
1088+ * @dir: Pointer to "struct inode".
1089+ * @dentry: Pointer to "struct dentry".
1090+ *
1091+ * Returns 0 on success, negative value otherwise.
1092+ */
1093+static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry)
1094+{
1095+ int rc = ccs_unlink_permission(dentry, NULL);
1096+ if (rc)
1097+ return rc;
1098+ while (!original_security_ops.inode_unlink)
1099+ smp_rmb();
1100+ return original_security_ops.inode_unlink(dir, dentry);
1101+}
1102+
1103+/**
1104+ * ccs_inode_symlink - Check permission for symlink().
1105+ *
1106+ * @dir: Pointer to "struct inode".
1107+ * @dentry: Pointer to "struct dentry".
1108+ * @old_name: Content of symbolic link.
1109+ *
1110+ * Returns 0 on success, negative value otherwise.
1111+ */
1112+static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry,
1113+ const char *old_name)
1114+{
1115+ int rc = ccs_symlink_permission(dentry, NULL, old_name);
1116+ if (rc)
1117+ return rc;
1118+ while (!original_security_ops.inode_symlink)
1119+ smp_rmb();
1120+ return original_security_ops.inode_symlink(dir, dentry, old_name);
1121+}
1122+
1123+/**
1124+ * ccs_inode_rename - Check permission for rename().
1125+ *
1126+ * @old_dir: Pointer to "struct inode".
1127+ * @old_dentry: Pointer to "struct dentry".
1128+ * @new_dir: Pointer to "struct inode".
1129+ * @new_dentry: Pointer to "struct dentry".
1130+ *
1131+ * Returns 0 on success, negative value otherwise.
1132+ */
1133+static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
1134+ struct inode *new_dir, struct dentry *new_dentry)
1135+{
1136+ int rc = ccs_rename_permission(old_dentry, new_dentry, NULL);
1137+ if (rc)
1138+ return rc;
1139+ while (!original_security_ops.inode_rename)
1140+ smp_rmb();
1141+ return original_security_ops.inode_rename(old_dir, old_dentry, new_dir,
1142+ new_dentry);
1143+}
1144+
1145+/**
1146+ * ccs_inode_link - Check permission for link().
1147+ *
1148+ * @old_dentry: Pointer to "struct dentry".
1149+ * @dir: Pointer to "struct inode".
1150+ * @new_dentry: Pointer to "struct dentry".
1151+ *
1152+ * Returns 0 on success, negative value otherwise.
1153+ */
1154+static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir,
1155+ struct dentry *new_dentry)
1156+{
1157+ int rc = ccs_link_permission(old_dentry, new_dentry, NULL);
1158+ if (rc)
1159+ return rc;
1160+ while (!original_security_ops.inode_link)
1161+ smp_rmb();
1162+ return original_security_ops.inode_link(old_dentry, dir, new_dentry);
1163+}
1164+
1165+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 3, 0)
1166+
1167+/**
1168+ * ccs_inode_create - Check permission for creat().
1169+ *
1170+ * @dir: Pointer to "struct inode".
1171+ * @dentry: Pointer to "struct dentry".
1172+ * @mode: Create mode.
1173+ *
1174+ * Returns 0 on success, negative value otherwise.
1175+ */
1176+static int ccs_inode_create(struct inode *dir, struct dentry *dentry,
1177+ umode_t mode)
1178+{
1179+ int rc = ccs_mknod_permission(dentry, NULL, mode, 0);
1180+ if (rc)
1181+ return rc;
1182+ while (!original_security_ops.inode_create)
1183+ smp_rmb();
1184+ return original_security_ops.inode_create(dir, dentry, mode);
1185+}
1186+
1187+#else
1188+
1189+/**
1190+ * ccs_inode_create - Check permission for creat().
1191+ *
1192+ * @dir: Pointer to "struct inode".
1193+ * @dentry: Pointer to "struct dentry".
1194+ * @mode: Create mode.
1195+ *
1196+ * Returns 0 on success, negative value otherwise.
1197+ */
1198+static int ccs_inode_create(struct inode *dir, struct dentry *dentry,
1199+ int mode)
1200+{
1201+ int rc = ccs_mknod_permission(dentry, NULL, mode, 0);
1202+ if (rc)
1203+ return rc;
1204+ while (!original_security_ops.inode_create)
1205+ smp_rmb();
1206+ return original_security_ops.inode_create(dir, dentry, mode);
1207+}
1208+
1209+#endif
1210+
1211+#endif
1212+
1213+#ifdef CONFIG_SECURITY_NETWORK
1214+
1215+#include <net/sock.h>
1216+
1217+/* Structure for remembering an accept()ed socket's status. */
1218+struct ccs_socket_tag {
1219+ struct list_head list;
1220+ struct inode *inode;
1221+ int status;
1222+ struct rcu_head rcu;
1223+};
1224+
1225+/*
1226+ * List for managing accept()ed sockets.
1227+ * Since we don't need to keep an accept()ed socket into this list after
1228+ * once the permission was granted, the number of entries in this list is
1229+ * likely small. Therefore, we don't use hash tables.
1230+ */
1231+static LIST_HEAD(ccs_accepted_socket_list);
1232+/* Lock for protecting ccs_accepted_socket_list . */
1233+static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock);
1234+
1235+/**
1236+ * ccs_socket_rcu_free - RCU callback for releasing "struct ccs_socket_tag".
1237+ *
1238+ * @rcu: Pointer to "struct rcu_head".
1239+ *
1240+ * Returns nothing.
1241+ */
1242+static void ccs_socket_rcu_free(struct rcu_head *rcu)
1243+{
1244+ struct ccs_socket_tag *ptr = container_of(rcu, typeof(*ptr), rcu);
1245+ kfree(ptr);
1246+}
1247+
1248+/**
1249+ * ccs_update_socket_tag - Update tag associated with accept()ed sockets.
1250+ *
1251+ * @inode: Pointer to "struct inode".
1252+ * @status: New status.
1253+ *
1254+ * Returns nothing.
1255+ *
1256+ * If @status == 0, memory for that socket will be released after RCU grace
1257+ * period.
1258+ */
1259+static void ccs_update_socket_tag(struct inode *inode, int status)
1260+{
1261+ struct ccs_socket_tag *ptr;
1262+ /*
1263+ * Protect whole section because multiple threads may call this
1264+ * function with same "sock" via ccs_validate_socket().
1265+ */
1266+ spin_lock(&ccs_accepted_socket_list_lock);
1267+ rcu_read_lock();
1268+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
1269+ if (ptr->inode != inode)
1270+ continue;
1271+ ptr->status = status;
1272+ if (status)
1273+ break;
1274+ list_del_rcu(&ptr->list);
1275+ call_rcu(&ptr->rcu, ccs_socket_rcu_free);
1276+ break;
1277+ }
1278+ rcu_read_unlock();
1279+ spin_unlock(&ccs_accepted_socket_list_lock);
1280+}
1281+
1282+/**
1283+ * ccs_validate_socket - Check post accept() permission if needed.
1284+ *
1285+ * @sock: Pointer to "struct socket".
1286+ *
1287+ * Returns 0 on success, negative value otherwise.
1288+ */
1289+static int ccs_validate_socket(struct socket *sock)
1290+{
1291+ struct inode *inode = SOCK_INODE(sock);
1292+ struct ccs_socket_tag *ptr;
1293+ int ret = 0;
1294+ rcu_read_lock();
1295+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
1296+ if (ptr->inode != inode)
1297+ continue;
1298+ ret = ptr->status;
1299+ break;
1300+ }
1301+ rcu_read_unlock();
1302+ if (ret <= 0)
1303+ /*
1304+ * This socket is not an accept()ed socket or this socket is
1305+ * an accept()ed socket and post accept() permission is done.
1306+ */
1307+ return ret;
1308+ /*
1309+ * Check post accept() permission now.
1310+ *
1311+ * Strictly speaking, we need to pass both listen()ing socket and
1312+ * accept()ed socket to __ccs_socket_post_accept_permission().
1313+ * But since socket's family and type are same for both sockets,
1314+ * passing the accept()ed socket in place for the listen()ing socket
1315+ * will work.
1316+ */
1317+ ret = ccs_socket_post_accept_permission(sock, sock);
1318+ /*
1319+ * If permission was granted, we forget that this is an accept()ed
1320+ * socket. Otherwise, we remember that this socket needs to return
1321+ * error for subsequent socketcalls.
1322+ */
1323+ ccs_update_socket_tag(inode, ret);
1324+ return ret;
1325+}
1326+
1327+/**
1328+ * ccs_socket_accept - Check permission for accept().
1329+ *
1330+ * @sock: Pointer to "struct socket".
1331+ * @newsock: Pointer to "struct socket".
1332+ *
1333+ * Returns 0 on success, negative value otherwise.
1334+ *
1335+ * This hook is used for setting up environment for doing post accept()
1336+ * permission check. If dereferencing sock->ops->something() were ordered by
1337+ * rcu_dereference(), we could replace sock->ops with "a copy of original
1338+ * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer()
1339+ * in order to do post accept() permission check before returning to userspace.
1340+ * If we make the copy in security_socket_post_create(), it would be possible
1341+ * to safely replace sock->ops here, but we don't do so because we don't want
1342+ * to allocate memory for sockets which do not call sock->ops->accept().
1343+ * Therefore, we do post accept() permission check upon next socket syscalls
1344+ * rather than between sock->ops->accept() and returning to userspace.
1345+ * This means that if a socket was close()d before calling some socket
1346+ * syscalls, post accept() permission check will not be done.
1347+ */
1348+static int ccs_socket_accept(struct socket *sock, struct socket *newsock)
1349+{
1350+ struct ccs_socket_tag *ptr;
1351+ int rc = ccs_validate_socket(sock);
1352+ if (rc < 0)
1353+ return rc;
1354+ ptr = kzalloc(sizeof(*ptr), GFP_KERNEL);
1355+ if (!ptr)
1356+ return -ENOMEM;
1357+ while (!original_security_ops.socket_accept)
1358+ smp_rmb();
1359+ rc = original_security_ops.socket_accept(sock, newsock);
1360+ if (rc) {
1361+ kfree(ptr);
1362+ return rc;
1363+ }
1364+ /*
1365+ * Subsequent LSM hooks will receive "newsock". Therefore, I mark
1366+ * "newsock" as "an accept()ed socket but post accept() permission
1367+ * check is not done yet" by allocating memory using inode of the
1368+ * "newsock" as a search key.
1369+ */
1370+ ptr->inode = SOCK_INODE(newsock);
1371+ ptr->status = 1; /* Check post accept() permission later. */
1372+ spin_lock(&ccs_accepted_socket_list_lock);
1373+ list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list);
1374+ spin_unlock(&ccs_accepted_socket_list_lock);
1375+ return 0;
1376+}
1377+
1378+/**
1379+ * ccs_socket_listen - Check permission for listen().
1380+ *
1381+ * @sock: Pointer to "struct socket".
1382+ * @backlog: Backlog parameter.
1383+ *
1384+ * Returns 0 on success, negative value otherwise.
1385+ */
1386+static int ccs_socket_listen(struct socket *sock, int backlog)
1387+{
1388+ int rc = ccs_validate_socket(sock);
1389+ if (rc < 0)
1390+ return rc;
1391+ rc = ccs_socket_listen_permission(sock);
1392+ if (rc)
1393+ return rc;
1394+ while (!original_security_ops.socket_listen)
1395+ smp_rmb();
1396+ return original_security_ops.socket_listen(sock, backlog);
1397+}
1398+
1399+/**
1400+ * ccs_socket_connect - Check permission for connect().
1401+ *
1402+ * @sock: Pointer to "struct socket".
1403+ * @addr: Pointer to "struct sockaddr".
1404+ * @addr_len: Size of @addr.
1405+ *
1406+ * Returns 0 on success, negative value otherwise.
1407+ */
1408+static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr,
1409+ int addr_len)
1410+{
1411+ int rc = ccs_validate_socket(sock);
1412+ if (rc < 0)
1413+ return rc;
1414+ rc = ccs_socket_connect_permission(sock, addr, addr_len);
1415+ if (rc)
1416+ return rc;
1417+ while (!original_security_ops.socket_connect)
1418+ smp_rmb();
1419+ return original_security_ops.socket_connect(sock, addr, addr_len);
1420+}
1421+
1422+/**
1423+ * ccs_socket_bind - Check permission for bind().
1424+ *
1425+ * @sock: Pointer to "struct socket".
1426+ * @addr: Pointer to "struct sockaddr".
1427+ * @addr_len: Size of @addr.
1428+ *
1429+ * Returns 0 on success, negative value otherwise.
1430+ */
1431+static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr,
1432+ int addr_len)
1433+{
1434+ int rc = ccs_validate_socket(sock);
1435+ if (rc < 0)
1436+ return rc;
1437+ rc = ccs_socket_bind_permission(sock, addr, addr_len);
1438+ if (rc)
1439+ return rc;
1440+ while (!original_security_ops.socket_bind)
1441+ smp_rmb();
1442+ return original_security_ops.socket_bind(sock, addr, addr_len);
1443+}
1444+
1445+/**
1446+ * ccs_socket_sendmsg - Check permission for sendmsg().
1447+ *
1448+ * @sock: Pointer to "struct socket".
1449+ * @msg: Pointer to "struct msghdr".
1450+ * @size: Size of message.
1451+ *
1452+ * Returns 0 on success, negative value otherwise.
1453+ */
1454+static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg,
1455+ int size)
1456+{
1457+ int rc = ccs_validate_socket(sock);
1458+ if (rc < 0)
1459+ return rc;
1460+ rc = ccs_socket_sendmsg_permission(sock, msg, size);
1461+ if (rc)
1462+ return rc;
1463+ while (!original_security_ops.socket_sendmsg)
1464+ smp_rmb();
1465+ return original_security_ops.socket_sendmsg(sock, msg, size);
1466+}
1467+
1468+/**
1469+ * ccs_socket_recvmsg - Check permission for recvmsg().
1470+ *
1471+ * @sock: Pointer to "struct socket".
1472+ * @msg: Pointer to "struct msghdr".
1473+ * @size: Size of message.
1474+ * @flags: Flags.
1475+ *
1476+ * Returns 0 on success, negative value otherwise.
1477+ */
1478+static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg,
1479+ int size, int flags)
1480+{
1481+ int rc = ccs_validate_socket(sock);
1482+ if (rc < 0)
1483+ return rc;
1484+ while (!original_security_ops.socket_recvmsg)
1485+ smp_rmb();
1486+ return original_security_ops.socket_recvmsg(sock, msg, size, flags);
1487+}
1488+
1489+/**
1490+ * ccs_socket_getsockname - Check permission for getsockname().
1491+ *
1492+ * @sock: Pointer to "struct socket".
1493+ *
1494+ * Returns 0 on success, negative value otherwise.
1495+ */
1496+static int ccs_socket_getsockname(struct socket *sock)
1497+{
1498+ int rc = ccs_validate_socket(sock);
1499+ if (rc < 0)
1500+ return rc;
1501+ while (!original_security_ops.socket_getsockname)
1502+ smp_rmb();
1503+ return original_security_ops.socket_getsockname(sock);
1504+}
1505+
1506+/**
1507+ * ccs_socket_getpeername - Check permission for getpeername().
1508+ *
1509+ * @sock: Pointer to "struct socket".
1510+ *
1511+ * Returns 0 on success, negative value otherwise.
1512+ */
1513+static int ccs_socket_getpeername(struct socket *sock)
1514+{
1515+ int rc = ccs_validate_socket(sock);
1516+ if (rc < 0)
1517+ return rc;
1518+ while (!original_security_ops.socket_getpeername)
1519+ smp_rmb();
1520+ return original_security_ops.socket_getpeername(sock);
1521+}
1522+
1523+/**
1524+ * ccs_socket_getsockopt - Check permission for getsockopt().
1525+ *
1526+ * @sock: Pointer to "struct socket".
1527+ * @level: Level.
1528+ * @optname: Option's name,
1529+ *
1530+ * Returns 0 on success, negative value otherwise.
1531+ */
1532+static int ccs_socket_getsockopt(struct socket *sock, int level, int optname)
1533+{
1534+ int rc = ccs_validate_socket(sock);
1535+ if (rc < 0)
1536+ return rc;
1537+ while (!original_security_ops.socket_getsockopt)
1538+ smp_rmb();
1539+ return original_security_ops.socket_getsockopt(sock, level, optname);
1540+}
1541+
1542+/**
1543+ * ccs_socket_setsockopt - Check permission for setsockopt().
1544+ *
1545+ * @sock: Pointer to "struct socket".
1546+ * @level: Level.
1547+ * @optname: Option's name,
1548+ *
1549+ * Returns 0 on success, negative value otherwise.
1550+ */
1551+static int ccs_socket_setsockopt(struct socket *sock, int level, int optname)
1552+{
1553+ int rc = ccs_validate_socket(sock);
1554+ if (rc < 0)
1555+ return rc;
1556+ while (!original_security_ops.socket_setsockopt)
1557+ smp_rmb();
1558+ return original_security_ops.socket_setsockopt(sock, level, optname);
1559+}
1560+
1561+/**
1562+ * ccs_socket_shutdown - Check permission for shutdown().
1563+ *
1564+ * @sock: Pointer to "struct socket".
1565+ * @how: Shutdown mode.
1566+ *
1567+ * Returns 0 on success, negative value otherwise.
1568+ */
1569+static int ccs_socket_shutdown(struct socket *sock, int how)
1570+{
1571+ int rc = ccs_validate_socket(sock);
1572+ if (rc < 0)
1573+ return rc;
1574+ while (!original_security_ops.socket_shutdown)
1575+ smp_rmb();
1576+ return original_security_ops.socket_shutdown(sock, how);
1577+}
1578+
1579+#define SOCKFS_MAGIC 0x534F434B
1580+
1581+/**
1582+ * ccs_inode_free_security - Release memory associated with an inode.
1583+ *
1584+ * @inode: Pointer to "struct inode".
1585+ *
1586+ * Returns nothing.
1587+ *
1588+ * We use this hook for releasing memory associated with an accept()ed socket.
1589+ */
1590+static void ccs_inode_free_security(struct inode *inode)
1591+{
1592+ while (!original_security_ops.inode_free_security)
1593+ smp_rmb();
1594+ original_security_ops.inode_free_security(inode);
1595+ if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC)
1596+ ccs_update_socket_tag(inode, 0);
1597+}
1598+
1599+#endif
1600+
1601+#if LINUX_VERSION_CODE < KERNEL_VERSION(3, 7, 0)
1602+
1603+/**
1604+ * ccs_sb_pivotroot - Check permission for pivot_root().
1605+ *
1606+ * @old_path: Pointer to "struct path".
1607+ * @new_path: Pointer to "struct path".
1608+ *
1609+ * Returns 0 on success, negative value otherwise.
1610+ */
1611+static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path)
1612+{
1613+ int rc = ccs_pivot_root_permission(old_path, new_path);
1614+ if (rc)
1615+ return rc;
1616+ while (!original_security_ops.sb_pivotroot)
1617+ smp_rmb();
1618+ return original_security_ops.sb_pivotroot(old_path, new_path);
1619+}
1620+
1621+/**
1622+ * ccs_sb_mount - Check permission for mount().
1623+ *
1624+ * @dev_name: Name of device file.
1625+ * @path: Pointer to "struct path".
1626+ * @type: Name of filesystem type. Maybe NULL.
1627+ * @flags: Mount options.
1628+ * @data_page: Optional data. Maybe NULL.
1629+ *
1630+ * Returns 0 on success, negative value otherwise.
1631+ */
1632+static int ccs_sb_mount(char *dev_name, struct path *path, char *type,
1633+ unsigned long flags, void *data_page)
1634+{
1635+ int rc = ccs_mount_permission(dev_name, path, type, flags, data_page);
1636+ if (rc)
1637+ return rc;
1638+ while (!original_security_ops.sb_mount)
1639+ smp_rmb();
1640+ return original_security_ops.sb_mount(dev_name, path, type, flags,
1641+ data_page);
1642+}
1643+
1644+#else
1645+
1646+/**
1647+ * ccs_sb_pivotroot - Check permission for pivot_root().
1648+ *
1649+ * @old_path: Pointer to "struct path".
1650+ * @new_path: Pointer to "struct path".
1651+ *
1652+ * Returns 0 on success, negative value otherwise.
1653+ */
1654+static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path)
1655+{
1656+ int rc = ccs_pivot_root_permission(old_path, new_path);
1657+ if (rc)
1658+ return rc;
1659+ while (!original_security_ops.sb_pivotroot)
1660+ smp_rmb();
1661+ return original_security_ops.sb_pivotroot(old_path, new_path);
1662+}
1663+
1664+/**
1665+ * ccs_sb_mount - Check permission for mount().
1666+ *
1667+ * @dev_name: Name of device file.
1668+ * @path: Pointer to "struct path".
1669+ * @type: Name of filesystem type. Maybe NULL.
1670+ * @flags: Mount options.
1671+ * @data_page: Optional data. Maybe NULL.
1672+ *
1673+ * Returns 0 on success, negative value otherwise.
1674+ */
1675+static int ccs_sb_mount(const char *dev_name, struct path *path,
1676+ const char *type, unsigned long flags, void *data_page)
1677+{
1678+ int rc = ccs_mount_permission(dev_name, path, type, flags, data_page);
1679+ if (rc)
1680+ return rc;
1681+ while (!original_security_ops.sb_mount)
1682+ smp_rmb();
1683+ return original_security_ops.sb_mount(dev_name, path, type, flags,
1684+ data_page);
1685+}
1686+
1687+#endif
1688+
1689+/**
1690+ * ccs_sb_umount - Check permission for umount().
1691+ *
1692+ * @mnt: Pointer to "struct vfsmount".
1693+ * @flags: Unmount flags.
1694+ *
1695+ * Returns 0 on success, negative value otherwise.
1696+ */
1697+static int ccs_sb_umount(struct vfsmount *mnt, int flags)
1698+{
1699+ int rc = ccs_umount_permission(mnt, flags);
1700+ if (rc)
1701+ return rc;
1702+ while (!original_security_ops.sb_umount)
1703+ smp_rmb();
1704+ return original_security_ops.sb_umount(mnt, flags);
1705+}
1706+
1707+/**
1708+ * ccs_file_fcntl - Check permission for fcntl().
1709+ *
1710+ * @file: Pointer to "struct file".
1711+ * @cmd: Command number.
1712+ * @arg: Value for @cmd.
1713+ *
1714+ * Returns 0 on success, negative value otherwise.
1715+ */
1716+static int ccs_file_fcntl(struct file *file, unsigned int cmd,
1717+ unsigned long arg)
1718+{
1719+ int rc = ccs_fcntl_permission(file, cmd, arg);
1720+ if (rc)
1721+ return rc;
1722+ while (!original_security_ops.file_fcntl)
1723+ smp_rmb();
1724+ return original_security_ops.file_fcntl(file, cmd, arg);
1725+}
1726+
1727+/**
1728+ * ccs_file_ioctl - Check permission for ioctl().
1729+ *
1730+ * @filp: Pointer to "struct file".
1731+ * @cmd: Command number.
1732+ * @arg: Value for @cmd.
1733+ *
1734+ * Returns 0 on success, negative value otherwise.
1735+ */
1736+static int ccs_file_ioctl(struct file *filp, unsigned int cmd,
1737+ unsigned long arg)
1738+{
1739+ int rc = ccs_ioctl_permission(filp, cmd, arg);
1740+ if (rc)
1741+ return rc;
1742+ while (!original_security_ops.file_ioctl)
1743+ smp_rmb();
1744+ return original_security_ops.file_ioctl(filp, cmd, arg);
1745+}
1746+
1747+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL)
1748+int ccs_path_permission(struct ccs_request_info *r, u8 operation,
1749+ const struct ccs_path_info *filename);
1750+
1751+/**
1752+ * ccs_prepend - Copy of prepend() in fs/dcache.c.
1753+ *
1754+ * @buffer: Pointer to "struct char *".
1755+ * @buflen: Pointer to int which holds size of @buffer.
1756+ * @str: String to copy.
1757+ *
1758+ * Returns 0 on success, negative value otherwise.
1759+ *
1760+ * @buffer and @buflen are updated upon success.
1761+ */
1762+static int ccs_prepend(char **buffer, int *buflen, const char *str)
1763+{
1764+ int namelen = strlen(str);
1765+ if (*buflen < namelen)
1766+ return -ENOMEM;
1767+ *buflen -= namelen;
1768+ *buffer -= namelen;
1769+ memcpy(*buffer, str, namelen);
1770+ return 0;
1771+}
1772+
1773+/**
1774+ * ccs_sysctl_permission - Check permission for sysctl().
1775+ *
1776+ * @table: Pointer to "struct ctl_table".
1777+ * @op: Operation. (MAY_READ and/or MAY_WRITE)
1778+ *
1779+ * Returns 0 on success, negative value otherwise.
1780+ */
1781+static int ccs_sysctl(struct ctl_table *table, int op)
1782+{
1783+ int error;
1784+ struct ccs_path_info buf;
1785+ struct ccs_request_info r;
1786+ int buflen;
1787+ char *buffer;
1788+ int idx;
1789+ while (!original_security_ops.sysctl)
1790+ smp_rmb();
1791+ error = original_security_ops.sysctl(table, op);
1792+ if (error)
1793+ return error;
1794+ op &= MAY_READ | MAY_WRITE;
1795+ if (!op)
1796+ return 0;
1797+ buffer = NULL;
1798+ buf.name = NULL;
1799+ idx = ccs_read_lock();
1800+ if (ccs_init_request_info(&r, CCS_MAC_FILE_OPEN)
1801+ == CCS_CONFIG_DISABLED)
1802+ goto out;
1803+ error = -ENOMEM;
1804+ buflen = 4096;
1805+ buffer = kmalloc(buflen, CCS_GFP_FLAGS);
1806+ if (buffer) {
1807+ char *end = buffer + buflen;
1808+ *--end = '\0';
1809+ buflen--;
1810+ while (table) {
1811+ char num[32];
1812+ const char *sp = table->procname;
1813+ if (!sp) {
1814+ memset(num, 0, sizeof(num));
1815+ snprintf(num, sizeof(num) - 1, "=%d=",
1816+ table->ctl_name);
1817+ sp = num;
1818+ }
1819+ if (ccs_prepend(&end, &buflen, sp) ||
1820+ ccs_prepend(&end, &buflen, "/"))
1821+ goto out;
1822+ table = table->parent;
1823+ }
1824+ if (ccs_prepend(&end, &buflen, "proc:/sys"))
1825+ goto out;
1826+ buf.name = ccs_encode(end);
1827+ }
1828+ if (buf.name) {
1829+ ccs_fill_path_info(&buf);
1830+ if (op & MAY_READ)
1831+ error = ccs_path_permission(&r, CCS_TYPE_READ, &buf);
1832+ else
1833+ error = 0;
1834+ if (!error && (op & MAY_WRITE))
1835+ error = ccs_path_permission(&r, CCS_TYPE_WRITE, &buf);
1836+ }
1837+out:
1838+ ccs_read_unlock(idx);
1839+ kfree(buf.name);
1840+ kfree(buffer);
1841+ return error;
1842+}
1843+
1844+#endif
1845+
1846+/*
1847+ * Why not to copy all operations by "original_security_ops = *ops" ?
1848+ * Because copying byte array is not atomic. Reader checks
1849+ * original_security_ops.op != NULL before doing original_security_ops.op().
1850+ * Thus, modifying original_security_ops.op has to be atomic.
1851+ */
1852+#define swap_security_ops(op) \
1853+ original_security_ops.op = ops->op; smp_wmb(); ops->op = ccs_##op;
1854+
1855+/**
1856+ * ccs_update_security_ops - Overwrite original "struct security_operations".
1857+ *
1858+ * @ops: Pointer to "struct security_operations".
1859+ *
1860+ * Returns nothing.
1861+ */
1862+static void __init ccs_update_security_ops(struct security_operations *ops)
1863+{
1864+ /* Security context allocator. */
1865+ swap_security_ops(task_create);
1866+ swap_security_ops(cred_prepare);
1867+ swap_security_ops(cred_free);
1868+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 32)
1869+ swap_security_ops(cred_alloc_blank);
1870+ swap_security_ops(cred_transfer);
1871+#endif
1872+ /* Security context updater for successful execve(). */
1873+ swap_security_ops(bprm_check_security);
1874+ swap_security_ops(bprm_committing_creds);
1875+ /* Various permission checker. */
1876+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3, 5, 0)
1877+ swap_security_ops(file_open);
1878+#else
1879+ swap_security_ops(dentry_open);
1880+#endif
1881+ swap_security_ops(file_fcntl);
1882+ swap_security_ops(file_ioctl);
1883+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 33) && defined(CONFIG_SYSCTL_SYSCALL)
1884+ swap_security_ops(sysctl);
1885+#endif
1886+ swap_security_ops(sb_pivotroot);
1887+ swap_security_ops(sb_mount);
1888+ swap_security_ops(sb_umount);
1889+#if defined(CONFIG_SECURITY_PATH)
1890+ swap_security_ops(path_mknod);
1891+ swap_security_ops(path_mkdir);
1892+ swap_security_ops(path_rmdir);
1893+ swap_security_ops(path_unlink);
1894+ swap_security_ops(path_symlink);
1895+ swap_security_ops(path_rename);
1896+ swap_security_ops(path_link);
1897+ swap_security_ops(path_truncate);
1898+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 33)
1899+ swap_security_ops(path_chmod);
1900+ swap_security_ops(path_chown);
1901+ swap_security_ops(path_chroot);
1902+#endif
1903+#else
1904+ swap_security_ops(inode_mknod);
1905+ swap_security_ops(inode_mkdir);
1906+ swap_security_ops(inode_rmdir);
1907+ swap_security_ops(inode_unlink);
1908+ swap_security_ops(inode_symlink);
1909+ swap_security_ops(inode_rename);
1910+ swap_security_ops(inode_link);
1911+ swap_security_ops(inode_create);
1912+#endif
1913+ swap_security_ops(inode_setattr);
1914+ swap_security_ops(inode_getattr);
1915+#ifdef CONFIG_SECURITY_NETWORK
1916+ swap_security_ops(socket_bind);
1917+ swap_security_ops(socket_connect);
1918+ swap_security_ops(socket_listen);
1919+ swap_security_ops(socket_sendmsg);
1920+ swap_security_ops(socket_recvmsg);
1921+ swap_security_ops(socket_getsockname);
1922+ swap_security_ops(socket_getpeername);
1923+ swap_security_ops(socket_getsockopt);
1924+ swap_security_ops(socket_setsockopt);
1925+ swap_security_ops(socket_shutdown);
1926+ swap_security_ops(socket_accept);
1927+ swap_security_ops(inode_free_security);
1928+#endif
1929+}
1930+
1931+#undef swap_security_ops
1932+
1933+/**
1934+ * ccs_init - Initialize this module.
1935+ *
1936+ * Returns 0 on success, negative value otherwise.
1937+ */
1938+static int __init ccs_init(void)
1939+{
1940+ struct security_operations *ops = probe_security_ops();
1941+ if (!ops)
1942+ goto out;
1943+ ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid();
1944+ if (!ccsecurity_exports.find_task_by_vpid)
1945+ goto out;
1946+ ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns();
1947+ if (!ccsecurity_exports.find_task_by_pid_ns)
1948+ goto out;
1949+#if LINUX_VERSION_CODE < KERNEL_VERSION(2, 6, 36)
1950+ ccsecurity_exports.vfsmount_lock = probe_vfsmount_lock();
1951+ if (!ccsecurity_exports.vfsmount_lock)
1952+ goto out;
1953+#elif LINUX_VERSION_CODE < KERNEL_VERSION(3, 2, 0)
1954+ ccsecurity_exports.__d_path = probe___d_path();
1955+ if (!ccsecurity_exports.__d_path)
1956+ goto out;
1957+#else
1958+ ccsecurity_exports.d_absolute_path = probe_d_absolute_path();
1959+ if (!ccsecurity_exports.d_absolute_path)
1960+ goto out;
1961+#endif
1962+ {
1963+ int idx;
1964+ for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) {
1965+ INIT_LIST_HEAD(&ccs_cred_security_list[idx]);
1966+ INIT_LIST_HEAD(&ccs_task_security_list[idx]);
1967+ }
1968+ }
1969+ ccs_main_init();
1970+ ccs_update_security_ops(ops);
1971+ printk(KERN_INFO "AKARI: 1.0.38 2018/04/01\n");
1972+ printk(KERN_INFO
1973+ "Access Keeping And Regulating Instrument registered.\n");
1974+ return 0;
1975+out:
1976+ return -EINVAL;
1977+}
1978+
1979+module_init(ccs_init);
1980+MODULE_LICENSE("GPL");
1981+
1982+/**
1983+ * ccs_used_by_cred - Check whether the given domain is in use or not.
1984+ *
1985+ * @domain: Pointer to "struct ccs_domain_info".
1986+ *
1987+ * Returns true if @domain is in use, false otherwise.
1988+ *
1989+ * Caller holds rcu_read_lock().
1990+ */
1991+bool ccs_used_by_cred(const struct ccs_domain_info *domain)
1992+{
1993+ int idx;
1994+ struct ccs_security *ptr;
1995+ for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) {
1996+ struct list_head *list = &ccs_cred_security_list[idx];
1997+ list_for_each_entry_rcu(ptr, list, list) {
1998+ struct ccs_execve *ee = ptr->ee;
1999+ if (ptr->ccs_domain_info == domain ||
2000+ (ee && ee->previous_domain == domain)) {
2001+ return true;
2002+ }
2003+ }
2004+ }
2005+ return false;
2006+}
2007+
2008+/**
2009+ * ccs_add_task_security - Add "struct ccs_security" to list.
2010+ *
2011+ * @ptr: Pointer to "struct ccs_security".
2012+ * @list: Pointer to "struct list_head".
2013+ *
2014+ * Returns nothing.
2015+ */
2016+static void ccs_add_task_security(struct ccs_security *ptr,
2017+ struct list_head *list)
2018+{
2019+ unsigned long flags;
2020+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
2021+ list_add_rcu(&ptr->list, list);
2022+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
2023+}
2024+
2025+/**
2026+ * ccs_find_task_security - Find "struct ccs_security" for given task.
2027+ *
2028+ * @task: Pointer to "struct task_struct".
2029+ *
2030+ * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on
2031+ * out of memory, &ccs_default_security otherwise.
2032+ *
2033+ * If @task is current thread and "struct ccs_security" for current thread was
2034+ * not found, I try to allocate it. But if allocation failed, current thread
2035+ * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL
2036+ * won't work.
2037+ */
2038+struct ccs_security *ccs_find_task_security(const struct task_struct *task)
2039+{
2040+ struct ccs_security *ptr;
2041+ struct list_head *list = &ccs_task_security_list
2042+ [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)];
2043+ /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */
2044+ while (!list->next)
2045+ smp_rmb();
2046+ rcu_read_lock();
2047+ list_for_each_entry_rcu(ptr, list, list) {
2048+ if (ptr->pid != task->pids[PIDTYPE_PID].pid)
2049+ continue;
2050+ rcu_read_unlock();
2051+#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 31)
2052+ /*
2053+ * Current thread needs to transit from old domain to new
2054+ * domain before do_execve() succeeds in order to check
2055+ * permission for interpreters and environment variables using
2056+ * new domain's ACL rules. The domain transition has to be
2057+ * visible from other CPU in order to allow interactive
2058+ * enforcing mode. Also, the domain transition has to be
2059+ * reverted if do_execve() failed. However, an LSM hook for
2060+ * reverting domain transition is missing.
2061+ *
2062+ * security_prepare_creds() is called from prepare_creds() from
2063+ * prepare_bprm_creds() from do_execve() before setting
2064+ * current->in_execve flag, and current->in_execve flag is
2065+ * cleared by the time next do_execve() request starts.
2066+ * This means that we can emulate the missing LSM hook for
2067+ * reverting domain transition, by calling this function from
2068+ * security_prepare_creds().
2069+ *
2070+ * If current->in_execve is not set but ptr->ccs_flags has
2071+ * CCS_TASK_IS_IN_EXECVE set, it indicates that do_execve()
2072+ * has failed and reverting domain transition is needed.
2073+ */
2074+ if (task == current &&
2075+ (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE) &&
2076+ !current->in_execve) {
2077+ ccs_debug_trace("4");
2078+ ccs_clear_execve(-1, ptr);
2079+ }
2080+#else
2081+ /*
2082+ * Current thread needs to transit from old domain to new
2083+ * domain before do_execve() succeeds in order to check
2084+ * permission for interpreters and environment variables using
2085+ * new domain's ACL rules. The domain transition has to be
2086+ * visible from other CPU in order to allow interactive
2087+ * enforcing mode. Also, the domain transition has to be
2088+ * reverted if do_execve() failed. However, an LSM hook for
2089+ * reverting domain transition is missing.
2090+ *
2091+ * When do_execve() failed, "struct cred" in
2092+ * "struct linux_binprm" is scheduled for destruction.
2093+ * But current thread returns to userspace without waiting for
2094+ * destruction. The security_cred_free() LSM hook is called
2095+ * after an RCU grace period has elapsed. Since some CPU may be
2096+ * doing long long RCU read side critical section, there is
2097+ * no guarantee that security_cred_free() is called before
2098+ * current thread again calls do_execve().
2099+ *
2100+ * To be able to revert domain transition before processing
2101+ * next do_execve() request, current thread gets a refcount on
2102+ * "struct cred" in "struct linux_binprm" and memorizes it.
2103+ * Current thread drops the refcount and forgets it when
2104+ * do_execve() succeeded.
2105+ *
2106+ * Therefore, if current thread hasn't forgotten it and
2107+ * current thread is the last one using that "struct cred",
2108+ * it indicates that do_execve() has failed and reverting
2109+ * domain transition is needed.
2110+ */
2111+ if (task == current && ptr->cred &&
2112+ atomic_read(&ptr->cred->usage) == 1) {
2113+ ccs_debug_trace("4");
2114+ ccs_clear_execve(-1, ptr);
2115+ }
2116+#endif
2117+ return ptr;
2118+ }
2119+ rcu_read_unlock();
2120+ if (task != current) {
2121+ /*
2122+ * If a thread does nothing after fork(), caller will reach
2123+ * here because "struct ccs_security" for that thread is not
2124+ * yet allocated. But that thread is keeping a snapshot of
2125+ * "struct ccs_security" taken as of ccs_task_create()
2126+ * associated with that thread's "struct cred".
2127+ *
2128+ * Since that snapshot will be used as initial data when that
2129+ * thread allocates "struct ccs_security" for that thread, we
2130+ * can return that snapshot rather than &ccs_default_security.
2131+ *
2132+ * Since this function is called by only ccs_select_one() and
2133+ * ccs_read_pid() (via ccs_task_domain() and ccs_task_flags()),
2134+ * it is guaranteed that caller has called rcu_read_lock()
2135+ * (via ccs_tasklist_lock()) before finding this thread and
2136+ * this thread is valid. Therefore, we can do __task_cred(task)
2137+ * like get_robust_list() does.
2138+ */
2139+ return ccs_find_cred_security(__task_cred(task));
2140+ }
2141+ /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */
2142+ ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC);
2143+ if (!ptr) {
2144+ printk(KERN_WARNING "Unable to allocate memory for pid=%u\n",
2145+ task->pid);
2146+ send_sig(SIGKILL, current, 0);
2147+ return &ccs_oom_security;
2148+ }
2149+ *ptr = *ccs_find_cred_security(task->cred);
2150+ /* We can shortcut because task == current. */
2151+ ptr->pid = get_pid(((struct task_struct *) task)->
2152+ pids[PIDTYPE_PID].pid);
2153+ ptr->cred = NULL;
2154+ ccs_add_task_security(ptr, list);
2155+ return ptr;
2156+}
2157+
2158+/**
2159+ * ccs_copy_cred_security - Allocate memory for new credentials.
2160+ *
2161+ * @new: Pointer to "struct cred".
2162+ * @old: Pointer to "struct cred".
2163+ * @gfp: Memory allocation flags.
2164+ *
2165+ * Returns 0 on success, negative value otherwise.
2166+ */
2167+static int ccs_copy_cred_security(const struct cred *new,
2168+ const struct cred *old, gfp_t gfp)
2169+{
2170+ struct ccs_security *old_security = ccs_find_cred_security(old);
2171+ struct ccs_security *new_security =
2172+ kzalloc(sizeof(*new_security), gfp);
2173+ if (!new_security)
2174+ return -ENOMEM;
2175+ *new_security = *old_security;
2176+ new_security->cred = new;
2177+ ccs_add_cred_security(new_security);
2178+ return 0;
2179+}
2180+
2181+/**
2182+ * ccs_find_cred_security - Find "struct ccs_security" for given credential.
2183+ *
2184+ * @cred: Pointer to "struct cred".
2185+ *
2186+ * Returns pointer to "struct ccs_security" on success, &ccs_default_security
2187+ * otherwise.
2188+ */
2189+static struct ccs_security *ccs_find_cred_security(const struct cred *cred)
2190+{
2191+ struct ccs_security *ptr;
2192+ struct list_head *list = &ccs_cred_security_list
2193+ [hash_ptr((void *) cred, CCS_TASK_SECURITY_HASH_BITS)];
2194+ rcu_read_lock();
2195+ list_for_each_entry_rcu(ptr, list, list) {
2196+ if (ptr->cred != cred)
2197+ continue;
2198+ rcu_read_unlock();
2199+ return ptr;
2200+ }
2201+ rcu_read_unlock();
2202+ return &ccs_default_security;
2203+}
2204+
2205+/**
2206+ * ccs_task_security_gc - Do garbage collection for "struct task_struct".
2207+ *
2208+ * Returns nothing.
2209+ *
2210+ * Since security_task_free() is missing, I can't release memory associated
2211+ * with "struct task_struct" when a task dies. Therefore, I hold a reference on
2212+ * "struct pid" and runs garbage collection when associated
2213+ * "struct task_struct" has gone.
2214+ */
2215+static void ccs_task_security_gc(void)
2216+{
2217+ static DEFINE_SPINLOCK(lock);
2218+ static atomic_t gc_counter = ATOMIC_INIT(0);
2219+ unsigned int idx;
2220+ /*
2221+ * If some process is doing execve(), try to garbage collection now.
2222+ * We should kfree() memory associated with "struct ccs_security"->ee
2223+ * as soon as execve() has completed in order to compensate for lack of
2224+ * security_bprm_free() and security_task_free() hooks.
2225+ *
2226+ * Otherwise, reduce frequency for performance reason.
2227+ */
2228+ if (!atomic_read(&ccs_in_execve_tasks) &&
2229+ atomic_inc_return(&gc_counter) < 1024)
2230+ return;
2231+ if (!spin_trylock(&lock))
2232+ return;
2233+ atomic_set(&gc_counter, 0);
2234+ rcu_read_lock();
2235+ for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) {
2236+ struct ccs_security *ptr;
2237+ struct list_head *list = &ccs_task_security_list[idx];
2238+ list_for_each_entry_rcu(ptr, list, list) {
2239+ if (pid_task(ptr->pid, PIDTYPE_PID))
2240+ continue;
2241+ ccs_del_security(ptr);
2242+ }
2243+ }
2244+ rcu_read_unlock();
2245+ spin_unlock(&lock);
2246+}
--- tags/patches/1.0.38/lsm-4.12.c (nonexistent)
+++ tags/patches/1.0.38/lsm-4.12.c (revision 589)
@@ -0,0 +1,1300 @@
1+/*
2+ * lsm.c
3+ *
4+ * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
5+ *
6+ * Version: 1.0.38 2018/04/01
7+ */
8+
9+#include "internal.h"
10+#include "probe.h"
11+
12+/* Prototype definition. */
13+static int __ccs_alloc_task_security(const struct task_struct *task);
14+static void __ccs_free_task_security(const struct task_struct *task);
15+
16+/* Dummy security context for avoiding NULL pointer dereference. */
17+static struct ccs_security ccs_oom_security = {
18+ .ccs_domain_info = &ccs_kernel_domain
19+};
20+
21+/* Dummy security context for avoiding NULL pointer dereference. */
22+static struct ccs_security ccs_default_security = {
23+ .ccs_domain_info = &ccs_kernel_domain
24+};
25+
26+/* List of "struct ccs_security". */
27+struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
28+/* Lock for protecting ccs_task_security_list[]. */
29+static DEFINE_SPINLOCK(ccs_task_security_list_lock);
30+
31+/* For exporting variables and functions. */
32+struct ccsecurity_exports ccsecurity_exports;
33+/* Members are updated by loadable kernel module. */
34+struct ccsecurity_operations ccsecurity_ops;
35+
36+/* Original hooks. */
37+static union security_list_options original_cred_prepare;
38+static union security_list_options original_task_alloc;
39+static union security_list_options original_task_free;
40+
41+#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT
42+
43+/**
44+ * ccs_update_ee_counter - Update "struct ccs_execve" counter.
45+ *
46+ * @count: Count to increment or decrement.
47+ *
48+ * Returns updated counter.
49+ */
50+static unsigned int ccs_update_ee_counter(int count)
51+{
52+ /* Debug counter for detecting "struct ccs_execve" memory leak. */
53+ static atomic_t ccs_ee_counter = ATOMIC_INIT(0);
54+ return atomic_add_return(count, &ccs_ee_counter);
55+}
56+
57+/**
58+ * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve".
59+ *
60+ * @ee: Pointer to "struct ccs_execve".
61+ *
62+ * Returns nothing.
63+ */
64+void ccs_audit_alloc_execve(const struct ccs_execve * const ee)
65+{
66+ printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee,
67+ current->pid, ccs_update_ee_counter(1) - 1);
68+}
69+
70+/**
71+ * ccs_audit_free_execve - Audit release of "struct ccs_execve".
72+ *
73+ * @ee: Pointer to "struct ccs_execve".
74+ * @task: True if released by current task, false otherwise.
75+ *
76+ * Returns nothing.
77+ */
78+void ccs_audit_free_execve(const struct ccs_execve * const ee,
79+ const bool is_current)
80+{
81+ const unsigned int tmp = ccs_update_ee_counter(-1);
82+ if (is_current)
83+ printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n",
84+ ee, current->pid, tmp);
85+ else
86+ printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n",
87+ ee, tmp);
88+}
89+
90+#endif
91+
92+#if !defined(CONFIG_AKARI_DEBUG)
93+#define ccs_debug_trace(pos) do { } while (0)
94+#else
95+#define ccs_debug_trace(pos) \
96+ do { \
97+ static bool done; \
98+ if (!done) { \
99+ printk(KERN_INFO \
100+ "AKARI: Debug trace: " pos " of 2\n"); \
101+ done = true; \
102+ } \
103+ } while (0)
104+#endif
105+
106+/**
107+ * ccs_clear_execve - Release memory used by do_execve().
108+ *
109+ * @ret: 0 if do_execve() succeeded, negative value otherwise.
110+ * @security: Pointer to "struct ccs_security".
111+ *
112+ * Returns nothing.
113+ */
114+static void ccs_clear_execve(int ret, struct ccs_security *security)
115+{
116+ struct ccs_execve *ee = security->ee;
117+ if (security == &ccs_default_security || security == &ccs_oom_security
118+ || !ee)
119+ return;
120+ security->ee = NULL;
121+ ccs_finish_execve(ret, ee);
122+}
123+
124+/**
125+ * ccs_task_alloc_security - Allocate memory for new tasks.
126+ *
127+ * @p: Pointer to "struct task_struct".
128+ * @clone_flags: Flags passed to clone().
129+ *
130+ * Returns 0 on success, negative value otherwise.
131+ */
132+static int ccs_task_alloc_security(struct task_struct *p,
133+ unsigned long clone_flags)
134+{
135+ int rc = __ccs_alloc_task_security(p);
136+ if (rc)
137+ return rc;
138+ if (original_task_alloc.task_alloc) {
139+ rc = original_task_alloc.task_alloc(p, clone_flags);
140+ if (rc)
141+ __ccs_free_task_security(p);
142+ }
143+ return rc;
144+}
145+
146+/**
147+ * ccs_task_free_security - Release memory for "struct task_struct".
148+ *
149+ * @p: Pointer to "struct task_struct".
150+ *
151+ * Returns nothing.
152+ */
153+static void ccs_task_free_security(struct task_struct *p)
154+{
155+ struct ccs_security *ptr = ccs_find_task_security(p);
156+ struct ccs_execve *ee = ptr->ee;
157+ if (original_task_free.task_free)
158+ original_task_free.task_free(p);
159+ /*
160+ * Since an LSM hook for reverting domain transition is missing,
161+ * ccs_finish_execve() is not called if exited immediately after
162+ * execve() failed.
163+ */
164+ if (ee) {
165+ ccs_debug_trace("2");
166+ ccs_audit_free_execve(ee, false);
167+ kfree(ee->handler_path);
168+ kfree(ee);
169+ ptr->ee = NULL;
170+ }
171+ __ccs_free_task_security(p);
172+}
173+
174+/**
175+ * ccs_bprm_committing_creds - A hook which is called when do_execve() succeeded.
176+ *
177+ * @bprm: Pointer to "struct linux_binprm".
178+ *
179+ * Returns nothing.
180+ */
181+static void ccs_bprm_committing_creds(struct linux_binprm *bprm)
182+{
183+ ccs_clear_execve(0, ccs_current_security());
184+}
185+
186+/**
187+ * ccs_cred_prepare - Allocate memory for new credentials.
188+ *
189+ * @new: Pointer to "struct cred".
190+ * @old: Pointer to "struct cred".
191+ * @gfp: Memory allocation flags.
192+ *
193+ * Returns 0 on success, negative value otherwise.
194+ */
195+static int ccs_cred_prepare(struct cred *new, const struct cred *old,
196+ gfp_t gfp)
197+{
198+ /*
199+ * For checking whether reverting domain transition is needed or not.
200+ *
201+ * See ccs_find_task_security() for reason.
202+ */
203+ if (gfp == GFP_KERNEL)
204+ ccs_find_task_security(current);
205+ if (original_cred_prepare.cred_prepare)
206+ return original_cred_prepare.cred_prepare(new, old, gfp);
207+ return 0;
208+}
209+
210+/**
211+ * ccs_bprm_check_security - Check permission for execve().
212+ *
213+ * @bprm: Pointer to "struct linux_binprm".
214+ *
215+ * Returns 0 on success, negative value otherwise.
216+ */
217+static int ccs_bprm_check_security(struct linux_binprm *bprm)
218+{
219+ struct ccs_security *security = ccs_current_security();
220+ if (security == &ccs_default_security || security == &ccs_oom_security)
221+ return -ENOMEM;
222+ if (security->ee)
223+ return 0;
224+#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER
225+ if (!ccs_policy_loaded)
226+ ccs_load_policy(bprm->filename);
227+#endif
228+ return ccs_start_execve(bprm, &security->ee);
229+}
230+
231+/**
232+ * ccs_file_open - Check permission for open().
233+ *
234+ * @f: Pointer to "struct file".
235+ * @cred: Pointer to "struct cred".
236+ *
237+ * Returns 0 on success, negative value otherwise.
238+ */
239+static int ccs_file_open(struct file *f, const struct cred *cred)
240+{
241+ return ccs_open_permission(f);
242+}
243+
244+#ifdef CONFIG_SECURITY_PATH
245+
246+/**
247+ * ccs_path_chown - Check permission for chown()/chgrp().
248+ *
249+ * @path: Pointer to "struct path".
250+ * @user: User ID.
251+ * @group: Group ID.
252+ *
253+ * Returns 0 on success, negative value otherwise.
254+ */
255+static int ccs_path_chown(const struct path *path, kuid_t user, kgid_t group)
256+{
257+ return ccs_chown_permission(path->dentry, path->mnt, user, group);
258+}
259+
260+/**
261+ * ccs_path_chmod - Check permission for chmod().
262+ *
263+ * @path: Pointer to "struct path".
264+ * @mode: Mode.
265+ *
266+ * Returns 0 on success, negative value otherwise.
267+ */
268+static int ccs_path_chmod(const struct path *path, umode_t mode)
269+{
270+ return ccs_chmod_permission(path->dentry, path->mnt, mode);
271+}
272+
273+/**
274+ * ccs_path_chroot - Check permission for chroot().
275+ *
276+ * @path: Pointer to "struct path".
277+ *
278+ * Returns 0 on success, negative value otherwise.
279+ */
280+static int ccs_path_chroot(const struct path *path)
281+{
282+ return ccs_chroot_permission(path);
283+}
284+
285+/**
286+ * ccs_path_truncate - Check permission for truncate().
287+ *
288+ * @path: Pointer to "struct path".
289+ *
290+ * Returns 0 on success, negative value otherwise.
291+ */
292+static int ccs_path_truncate(const struct path *path)
293+{
294+ return ccs_truncate_permission(path->dentry, path->mnt);
295+}
296+
297+#else
298+
299+/**
300+ * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate().
301+ *
302+ * @dentry: Pointer to "struct dentry".
303+ * @attr: Pointer to "struct iattr".
304+ *
305+ * Returns 0 on success, negative value otherwise.
306+ */
307+static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr)
308+{
309+ const int rc1 = (attr->ia_valid & ATTR_UID) ?
310+ ccs_chown_permission(dentry, NULL, attr->ia_uid, INVALID_GID) :
311+ 0;
312+ const int rc2 = (attr->ia_valid & ATTR_GID) ?
313+ ccs_chown_permission(dentry, NULL, INVALID_UID, attr->ia_gid) :
314+ 0;
315+ const int rc3 = (attr->ia_valid & ATTR_MODE) ?
316+ ccs_chmod_permission(dentry, NULL, attr->ia_mode) : 0;
317+ const int rc4 = (attr->ia_valid & ATTR_SIZE) ?
318+ ccs_truncate_permission(dentry, NULL) : 0;
319+ if (rc4)
320+ return rc4;
321+ if (rc3)
322+ return rc3;
323+ if (rc2)
324+ return rc2;
325+ return rc1;
326+}
327+
328+#endif
329+
330+/**
331+ * ccs_inode_getattr - Check permission for stat().
332+ *
333+ * @path: Pointer to "struct path".
334+ *
335+ * Returns 0 on success, negative value otherwise.
336+ */
337+static int ccs_inode_getattr(const struct path *path)
338+{
339+ return ccs_getattr_permission(path->mnt, path->dentry);
340+}
341+
342+#ifdef CONFIG_SECURITY_PATH
343+
344+/**
345+ * ccs_path_mknod - Check permission for mknod().
346+ *
347+ * @dir: Pointer to "struct path".
348+ * @dentry: Pointer to "struct dentry".
349+ * @mode: Create mode.
350+ * @dev: Device major/minor number.
351+ *
352+ * Returns 0 on success, negative value otherwise.
353+ */
354+static int ccs_path_mknod(const struct path *dir, struct dentry *dentry,
355+ umode_t mode, unsigned int dev)
356+{
357+ return ccs_mknod_permission(dentry, dir->mnt, mode, dev);
358+}
359+
360+/**
361+ * ccs_path_mkdir - Check permission for mkdir().
362+ *
363+ * @dir: Pointer to "struct path".
364+ * @dentry: Pointer to "struct dentry".
365+ * @mode: Create mode.
366+ *
367+ * Returns 0 on success, negative value otherwise.
368+ */
369+static int ccs_path_mkdir(const struct path *dir, struct dentry *dentry,
370+ umode_t mode)
371+{
372+ return ccs_mkdir_permission(dentry, dir->mnt, mode);
373+}
374+
375+/**
376+ * ccs_path_rmdir - Check permission for rmdir().
377+ *
378+ * @dir: Pointer to "struct path".
379+ * @dentry: Pointer to "struct dentry".
380+ *
381+ * Returns 0 on success, negative value otherwise.
382+ */
383+static int ccs_path_rmdir(const struct path *dir, struct dentry *dentry)
384+{
385+ return ccs_rmdir_permission(dentry, dir->mnt);
386+}
387+
388+/**
389+ * ccs_path_unlink - Check permission for unlink().
390+ *
391+ * @dir: Pointer to "struct path".
392+ * @dentry: Pointer to "struct dentry".
393+ *
394+ * Returns 0 on success, negative value otherwise.
395+ */
396+static int ccs_path_unlink(const struct path *dir, struct dentry *dentry)
397+{
398+ return ccs_unlink_permission(dentry, dir->mnt);
399+}
400+
401+/**
402+ * ccs_path_symlink - Check permission for symlink().
403+ *
404+ * @dir: Pointer to "struct path".
405+ * @dentry: Pointer to "struct dentry".
406+ * @old_name: Content of symbolic link.
407+ *
408+ * Returns 0 on success, negative value otherwise.
409+ */
410+static int ccs_path_symlink(const struct path *dir, struct dentry *dentry,
411+ const char *old_name)
412+{
413+ return ccs_symlink_permission(dentry, dir->mnt, old_name);
414+}
415+
416+/**
417+ * ccs_path_rename - Check permission for rename().
418+ *
419+ * @old_dir: Pointer to "struct path".
420+ * @old_dentry: Pointer to "struct dentry".
421+ * @new_dir: Pointer to "struct path".
422+ * @new_dentry: Pointer to "struct dentry".
423+ *
424+ * Returns 0 on success, negative value otherwise.
425+ */
426+static int ccs_path_rename(const struct path *old_dir,
427+ struct dentry *old_dentry,
428+ const struct path *new_dir,
429+ struct dentry *new_dentry)
430+{
431+ return ccs_rename_permission(old_dentry, new_dentry, old_dir->mnt);
432+}
433+
434+/**
435+ * ccs_path_link - Check permission for link().
436+ *
437+ * @old_dentry: Pointer to "struct dentry".
438+ * @new_dir: Pointer to "struct path".
439+ * @new_dentry: Pointer to "struct dentry".
440+ *
441+ * Returns 0 on success, negative value otherwise.
442+ */
443+static int ccs_path_link(struct dentry *old_dentry, const struct path *new_dir,
444+ struct dentry *new_dentry)
445+{
446+ return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt);
447+}
448+
449+#else
450+
451+/**
452+ * ccs_inode_mknod - Check permission for mknod().
453+ *
454+ * @dir: Pointer to "struct inode".
455+ * @dentry: Pointer to "struct dentry".
456+ * @mode: Create mode.
457+ * @dev: Device major/minor number.
458+ *
459+ * Returns 0 on success, negative value otherwise.
460+ */
461+static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry,
462+ umode_t mode, dev_t dev)
463+{
464+ return ccs_mknod_permission(dentry, NULL, mode, dev);
465+}
466+
467+/**
468+ * ccs_inode_mkdir - Check permission for mkdir().
469+ *
470+ * @dir: Pointer to "struct inode".
471+ * @dentry: Pointer to "struct dentry".
472+ * @mode: Create mode.
473+ *
474+ * Returns 0 on success, negative value otherwise.
475+ */
476+static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry,
477+ umode_t mode)
478+{
479+ return ccs_mkdir_permission(dentry, NULL, mode);
480+}
481+
482+/**
483+ * ccs_inode_rmdir - Check permission for rmdir().
484+ *
485+ * @dir: Pointer to "struct inode".
486+ * @dentry: Pointer to "struct dentry".
487+ *
488+ * Returns 0 on success, negative value otherwise.
489+ */
490+static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry)
491+{
492+ return ccs_rmdir_permission(dentry, NULL);
493+}
494+
495+/**
496+ * ccs_inode_unlink - Check permission for unlink().
497+ *
498+ * @dir: Pointer to "struct inode".
499+ * @dentry: Pointer to "struct dentry".
500+ *
501+ * Returns 0 on success, negative value otherwise.
502+ */
503+static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry)
504+{
505+ return ccs_unlink_permission(dentry, NULL);
506+}
507+
508+/**
509+ * ccs_inode_symlink - Check permission for symlink().
510+ *
511+ * @dir: Pointer to "struct inode".
512+ * @dentry: Pointer to "struct dentry".
513+ * @old_name: Content of symbolic link.
514+ *
515+ * Returns 0 on success, negative value otherwise.
516+ */
517+static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry,
518+ const char *old_name)
519+{
520+ return ccs_symlink_permission(dentry, NULL, old_name);
521+}
522+
523+/**
524+ * ccs_inode_rename - Check permission for rename().
525+ *
526+ * @old_dir: Pointer to "struct inode".
527+ * @old_dentry: Pointer to "struct dentry".
528+ * @new_dir: Pointer to "struct inode".
529+ * @new_dentry: Pointer to "struct dentry".
530+ *
531+ * Returns 0 on success, negative value otherwise.
532+ */
533+static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
534+ struct inode *new_dir, struct dentry *new_dentry)
535+{
536+ return ccs_rename_permission(old_dentry, new_dentry, NULL);
537+}
538+
539+/**
540+ * ccs_inode_link - Check permission for link().
541+ *
542+ * @old_dentry: Pointer to "struct dentry".
543+ * @dir: Pointer to "struct inode".
544+ * @new_dentry: Pointer to "struct dentry".
545+ *
546+ * Returns 0 on success, negative value otherwise.
547+ */
548+static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir,
549+ struct dentry *new_dentry)
550+{
551+ return ccs_link_permission(old_dentry, new_dentry, NULL);
552+}
553+
554+/**
555+ * ccs_inode_create - Check permission for creat().
556+ *
557+ * @dir: Pointer to "struct inode".
558+ * @dentry: Pointer to "struct dentry".
559+ * @mode: Create mode.
560+ *
561+ * Returns 0 on success, negative value otherwise.
562+ */
563+static int ccs_inode_create(struct inode *dir, struct dentry *dentry,
564+ umode_t mode)
565+{
566+ return ccs_mknod_permission(dentry, NULL, mode, 0);
567+}
568+
569+#endif
570+
571+#ifdef CONFIG_SECURITY_NETWORK
572+
573+#include <net/sock.h>
574+
575+/* Structure for remembering an accept()ed socket's status. */
576+struct ccs_socket_tag {
577+ struct list_head list;
578+ struct inode *inode;
579+ int status;
580+ struct rcu_head rcu;
581+};
582+
583+/*
584+ * List for managing accept()ed sockets.
585+ * Since we don't need to keep an accept()ed socket into this list after
586+ * once the permission was granted, the number of entries in this list is
587+ * likely small. Therefore, we don't use hash tables.
588+ */
589+static LIST_HEAD(ccs_accepted_socket_list);
590+/* Lock for protecting ccs_accepted_socket_list . */
591+static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock);
592+
593+/**
594+ * ccs_update_socket_tag - Update tag associated with accept()ed sockets.
595+ *
596+ * @inode: Pointer to "struct inode".
597+ * @status: New status.
598+ *
599+ * Returns nothing.
600+ *
601+ * If @status == 0, memory for that socket will be released after RCU grace
602+ * period.
603+ */
604+static void ccs_update_socket_tag(struct inode *inode, int status)
605+{
606+ struct ccs_socket_tag *ptr;
607+ /*
608+ * Protect whole section because multiple threads may call this
609+ * function with same "sock" via ccs_validate_socket().
610+ */
611+ spin_lock(&ccs_accepted_socket_list_lock);
612+ rcu_read_lock();
613+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
614+ if (ptr->inode != inode)
615+ continue;
616+ ptr->status = status;
617+ if (status)
618+ break;
619+ list_del_rcu(&ptr->list);
620+ kfree_rcu(ptr, rcu);
621+ break;
622+ }
623+ rcu_read_unlock();
624+ spin_unlock(&ccs_accepted_socket_list_lock);
625+}
626+
627+/**
628+ * ccs_validate_socket - Check post accept() permission if needed.
629+ *
630+ * @sock: Pointer to "struct socket".
631+ *
632+ * Returns 0 on success, negative value otherwise.
633+ */
634+static int ccs_validate_socket(struct socket *sock)
635+{
636+ struct inode *inode = SOCK_INODE(sock);
637+ struct ccs_socket_tag *ptr;
638+ int ret = 0;
639+ rcu_read_lock();
640+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
641+ if (ptr->inode != inode)
642+ continue;
643+ ret = ptr->status;
644+ break;
645+ }
646+ rcu_read_unlock();
647+ if (ret <= 0)
648+ /*
649+ * This socket is not an accept()ed socket or this socket is
650+ * an accept()ed socket and post accept() permission is done.
651+ */
652+ return ret;
653+ /*
654+ * Check post accept() permission now.
655+ *
656+ * Strictly speaking, we need to pass both listen()ing socket and
657+ * accept()ed socket to __ccs_socket_post_accept_permission().
658+ * But since socket's family and type are same for both sockets,
659+ * passing the accept()ed socket in place for the listen()ing socket
660+ * will work.
661+ */
662+ ret = ccs_socket_post_accept_permission(sock, sock);
663+ /*
664+ * If permission was granted, we forget that this is an accept()ed
665+ * socket. Otherwise, we remember that this socket needs to return
666+ * error for subsequent socketcalls.
667+ */
668+ ccs_update_socket_tag(inode, ret);
669+ return ret;
670+}
671+
672+/**
673+ * ccs_socket_accept - Check permission for accept().
674+ *
675+ * @sock: Pointer to "struct socket".
676+ * @newsock: Pointer to "struct socket".
677+ *
678+ * Returns 0 on success, negative value otherwise.
679+ *
680+ * This hook is used for setting up environment for doing post accept()
681+ * permission check. If dereferencing sock->ops->something() were ordered by
682+ * rcu_dereference(), we could replace sock->ops with "a copy of original
683+ * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer()
684+ * in order to do post accept() permission check before returning to userspace.
685+ * If we make the copy in security_socket_post_create(), it would be possible
686+ * to safely replace sock->ops here, but we don't do so because we don't want
687+ * to allocate memory for sockets which do not call sock->ops->accept().
688+ * Therefore, we do post accept() permission check upon next socket syscalls
689+ * rather than between sock->ops->accept() and returning to userspace.
690+ * This means that if a socket was close()d before calling some socket
691+ * syscalls, post accept() permission check will not be done.
692+ */
693+static int ccs_socket_accept(struct socket *sock, struct socket *newsock)
694+{
695+ struct ccs_socket_tag *ptr;
696+ const int rc = ccs_validate_socket(sock);
697+ if (rc < 0)
698+ return rc;
699+ ptr = kzalloc(sizeof(*ptr), GFP_KERNEL);
700+ if (!ptr)
701+ return -ENOMEM;
702+ /*
703+ * Subsequent LSM hooks will receive "newsock". Therefore, I mark
704+ * "newsock" as "an accept()ed socket but post accept() permission
705+ * check is not done yet" by allocating memory using inode of the
706+ * "newsock" as a search key.
707+ */
708+ ptr->inode = SOCK_INODE(newsock);
709+ ptr->status = 1; /* Check post accept() permission later. */
710+ spin_lock(&ccs_accepted_socket_list_lock);
711+ list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list);
712+ spin_unlock(&ccs_accepted_socket_list_lock);
713+ return 0;
714+}
715+
716+/**
717+ * ccs_socket_listen - Check permission for listen().
718+ *
719+ * @sock: Pointer to "struct socket".
720+ * @backlog: Backlog parameter.
721+ *
722+ * Returns 0 on success, negative value otherwise.
723+ */
724+static int ccs_socket_listen(struct socket *sock, int backlog)
725+{
726+ const int rc = ccs_validate_socket(sock);
727+ if (rc < 0)
728+ return rc;
729+ return ccs_socket_listen_permission(sock);
730+}
731+
732+/**
733+ * ccs_socket_connect - Check permission for connect().
734+ *
735+ * @sock: Pointer to "struct socket".
736+ * @addr: Pointer to "struct sockaddr".
737+ * @addr_len: Size of @addr.
738+ *
739+ * Returns 0 on success, negative value otherwise.
740+ */
741+static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr,
742+ int addr_len)
743+{
744+ const int rc = ccs_validate_socket(sock);
745+ if (rc < 0)
746+ return rc;
747+ return ccs_socket_connect_permission(sock, addr, addr_len);
748+}
749+
750+/**
751+ * ccs_socket_bind - Check permission for bind().
752+ *
753+ * @sock: Pointer to "struct socket".
754+ * @addr: Pointer to "struct sockaddr".
755+ * @addr_len: Size of @addr.
756+ *
757+ * Returns 0 on success, negative value otherwise.
758+ */
759+static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr,
760+ int addr_len)
761+{
762+ const int rc = ccs_validate_socket(sock);
763+ if (rc < 0)
764+ return rc;
765+ return ccs_socket_bind_permission(sock, addr, addr_len);
766+}
767+
768+/**
769+ * ccs_socket_sendmsg - Check permission for sendmsg().
770+ *
771+ * @sock: Pointer to "struct socket".
772+ * @msg: Pointer to "struct msghdr".
773+ * @size: Size of message.
774+ *
775+ * Returns 0 on success, negative value otherwise.
776+ */
777+static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg,
778+ int size)
779+{
780+ const int rc = ccs_validate_socket(sock);
781+ if (rc < 0)
782+ return rc;
783+ return ccs_socket_sendmsg_permission(sock, msg, size);
784+}
785+
786+/**
787+ * ccs_socket_recvmsg - Check permission for recvmsg().
788+ *
789+ * @sock: Pointer to "struct socket".
790+ * @msg: Pointer to "struct msghdr".
791+ * @size: Size of message.
792+ * @flags: Flags.
793+ *
794+ * Returns 0 on success, negative value otherwise.
795+ */
796+static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg,
797+ int size, int flags)
798+{
799+ return ccs_validate_socket(sock);
800+}
801+
802+/**
803+ * ccs_socket_getsockname - Check permission for getsockname().
804+ *
805+ * @sock: Pointer to "struct socket".
806+ *
807+ * Returns 0 on success, negative value otherwise.
808+ */
809+static int ccs_socket_getsockname(struct socket *sock)
810+{
811+ return ccs_validate_socket(sock);
812+}
813+
814+/**
815+ * ccs_socket_getpeername - Check permission for getpeername().
816+ *
817+ * @sock: Pointer to "struct socket".
818+ *
819+ * Returns 0 on success, negative value otherwise.
820+ */
821+static int ccs_socket_getpeername(struct socket *sock)
822+{
823+ return ccs_validate_socket(sock);
824+}
825+
826+/**
827+ * ccs_socket_getsockopt - Check permission for getsockopt().
828+ *
829+ * @sock: Pointer to "struct socket".
830+ * @level: Level.
831+ * @optname: Option's name,
832+ *
833+ * Returns 0 on success, negative value otherwise.
834+ */
835+static int ccs_socket_getsockopt(struct socket *sock, int level, int optname)
836+{
837+ return ccs_validate_socket(sock);
838+}
839+
840+/**
841+ * ccs_socket_setsockopt - Check permission for setsockopt().
842+ *
843+ * @sock: Pointer to "struct socket".
844+ * @level: Level.
845+ * @optname: Option's name,
846+ *
847+ * Returns 0 on success, negative value otherwise.
848+ */
849+static int ccs_socket_setsockopt(struct socket *sock, int level, int optname)
850+{
851+ return ccs_validate_socket(sock);
852+}
853+
854+/**
855+ * ccs_socket_shutdown - Check permission for shutdown().
856+ *
857+ * @sock: Pointer to "struct socket".
858+ * @how: Shutdown mode.
859+ *
860+ * Returns 0 on success, negative value otherwise.
861+ */
862+static int ccs_socket_shutdown(struct socket *sock, int how)
863+{
864+ return ccs_validate_socket(sock);
865+}
866+
867+#define SOCKFS_MAGIC 0x534F434B
868+
869+/**
870+ * ccs_inode_free_security - Release memory associated with an inode.
871+ *
872+ * @inode: Pointer to "struct inode".
873+ *
874+ * Returns nothing.
875+ *
876+ * We use this hook for releasing memory associated with an accept()ed socket.
877+ */
878+static void ccs_inode_free_security(struct inode *inode)
879+{
880+ if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC)
881+ ccs_update_socket_tag(inode, 0);
882+}
883+
884+#endif
885+
886+/**
887+ * ccs_sb_pivotroot - Check permission for pivot_root().
888+ *
889+ * @old_path: Pointer to "struct path".
890+ * @new_path: Pointer to "struct path".
891+ *
892+ * Returns 0 on success, negative value otherwise.
893+ */
894+static int ccs_sb_pivotroot(const struct path *old_path,
895+ const struct path *new_path)
896+{
897+ return ccs_pivot_root_permission(old_path, new_path);
898+}
899+
900+/**
901+ * ccs_sb_mount - Check permission for mount().
902+ *
903+ * @dev_name: Name of device file.
904+ * @path: Pointer to "struct path".
905+ * @type: Name of filesystem type. Maybe NULL.
906+ * @flags: Mount options.
907+ * @data_page: Optional data. Maybe NULL.
908+ *
909+ * Returns 0 on success, negative value otherwise.
910+ */
911+static int ccs_sb_mount(const char *dev_name, const struct path *path,
912+ const char *type, unsigned long flags, void *data_page)
913+{
914+ return ccs_mount_permission(dev_name, path, type, flags, data_page);
915+}
916+
917+/**
918+ * ccs_sb_umount - Check permission for umount().
919+ *
920+ * @mnt: Pointer to "struct vfsmount".
921+ * @flags: Unmount flags.
922+ *
923+ * Returns 0 on success, negative value otherwise.
924+ */
925+static int ccs_sb_umount(struct vfsmount *mnt, int flags)
926+{
927+ return ccs_umount_permission(mnt, flags);
928+}
929+
930+/**
931+ * ccs_file_fcntl - Check permission for fcntl().
932+ *
933+ * @file: Pointer to "struct file".
934+ * @cmd: Command number.
935+ * @arg: Value for @cmd.
936+ *
937+ * Returns 0 on success, negative value otherwise.
938+ */
939+static int ccs_file_fcntl(struct file *file, unsigned int cmd,
940+ unsigned long arg)
941+{
942+ return ccs_fcntl_permission(file, cmd, arg);
943+}
944+
945+/**
946+ * ccs_file_ioctl - Check permission for ioctl().
947+ *
948+ * @filp: Pointer to "struct file".
949+ * @cmd: Command number.
950+ * @arg: Value for @cmd.
951+ *
952+ * Returns 0 on success, negative value otherwise.
953+ */
954+static int ccs_file_ioctl(struct file *filp, unsigned int cmd,
955+ unsigned long arg)
956+{
957+ return ccs_ioctl_permission(filp, cmd, arg);
958+}
959+
960+#define MY_HOOK_INIT(HEAD, HOOK) \
961+ { .head = &probe_dummy_security_hook_heads.HEAD, \
962+ .hook = { .HEAD = HOOK } }
963+
964+static struct security_hook_list akari_hooks[] = {
965+ /* Security context allocator. */
966+ MY_HOOK_INIT(task_free, ccs_task_free_security),
967+ MY_HOOK_INIT(cred_prepare, ccs_cred_prepare),
968+ MY_HOOK_INIT(task_alloc, ccs_task_alloc_security),
969+ /* Security context updater for successful execve(). */
970+ MY_HOOK_INIT(bprm_check_security, ccs_bprm_check_security),
971+ MY_HOOK_INIT(bprm_committing_creds, ccs_bprm_committing_creds),
972+ /* Various permission checker. */
973+ MY_HOOK_INIT(file_open, ccs_file_open),
974+ MY_HOOK_INIT(file_fcntl, ccs_file_fcntl),
975+ MY_HOOK_INIT(file_ioctl, ccs_file_ioctl),
976+ MY_HOOK_INIT(sb_pivotroot, ccs_sb_pivotroot),
977+ MY_HOOK_INIT(sb_mount, ccs_sb_mount),
978+ MY_HOOK_INIT(sb_umount, ccs_sb_umount),
979+#ifdef CONFIG_SECURITY_PATH
980+ MY_HOOK_INIT(path_mknod, ccs_path_mknod),
981+ MY_HOOK_INIT(path_mkdir, ccs_path_mkdir),
982+ MY_HOOK_INIT(path_rmdir, ccs_path_rmdir),
983+ MY_HOOK_INIT(path_unlink, ccs_path_unlink),
984+ MY_HOOK_INIT(path_symlink, ccs_path_symlink),
985+ MY_HOOK_INIT(path_rename, ccs_path_rename),
986+ MY_HOOK_INIT(path_link, ccs_path_link),
987+ MY_HOOK_INIT(path_truncate, ccs_path_truncate),
988+ MY_HOOK_INIT(path_chmod, ccs_path_chmod),
989+ MY_HOOK_INIT(path_chown, ccs_path_chown),
990+ MY_HOOK_INIT(path_chroot, ccs_path_chroot),
991+#else
992+ MY_HOOK_INIT(inode_mknod, ccs_inode_mknod),
993+ MY_HOOK_INIT(inode_mkdir, ccs_inode_mkdir),
994+ MY_HOOK_INIT(inode_rmdir, ccs_inode_rmdir),
995+ MY_HOOK_INIT(inode_unlink, ccs_inode_unlink),
996+ MY_HOOK_INIT(inode_symlink, ccs_inode_symlink),
997+ MY_HOOK_INIT(inode_rename, ccs_inode_rename),
998+ MY_HOOK_INIT(inode_link, ccs_inode_link),
999+ MY_HOOK_INIT(inode_create, ccs_inode_create),
1000+ MY_HOOK_INIT(inode_setattr, ccs_inode_setattr),
1001+#endif
1002+ MY_HOOK_INIT(inode_getattr, ccs_inode_getattr),
1003+#ifdef CONFIG_SECURITY_NETWORK
1004+ MY_HOOK_INIT(socket_bind, ccs_socket_bind),
1005+ MY_HOOK_INIT(socket_connect, ccs_socket_connect),
1006+ MY_HOOK_INIT(socket_listen, ccs_socket_listen),
1007+ MY_HOOK_INIT(socket_sendmsg, ccs_socket_sendmsg),
1008+ MY_HOOK_INIT(socket_recvmsg, ccs_socket_recvmsg),
1009+ MY_HOOK_INIT(socket_getsockname, ccs_socket_getsockname),
1010+ MY_HOOK_INIT(socket_getpeername, ccs_socket_getpeername),
1011+ MY_HOOK_INIT(socket_getsockopt, ccs_socket_getsockopt),
1012+ MY_HOOK_INIT(socket_setsockopt, ccs_socket_setsockopt),
1013+ MY_HOOK_INIT(socket_shutdown, ccs_socket_shutdown),
1014+ MY_HOOK_INIT(socket_accept, ccs_socket_accept),
1015+ MY_HOOK_INIT(inode_free_security, ccs_inode_free_security),
1016+#endif
1017+};
1018+
1019+static inline void add_hook(struct security_hook_list *hook)
1020+{
1021+ list_add_tail_rcu(&hook->list, hook->head);
1022+}
1023+
1024+static void __init swap_hook(struct security_hook_list *hook,
1025+ union security_list_options *original)
1026+{
1027+ struct list_head *list = hook->head;
1028+ if (list_empty(list)) {
1029+ add_hook(hook);
1030+ } else {
1031+ struct security_hook_list *shp =
1032+ list_last_entry(list, struct security_hook_list, list);
1033+ *original = shp->hook;
1034+ smp_wmb();
1035+ shp->hook = hook->hook;
1036+ }
1037+}
1038+
1039+#if defined(CONFIG_STRICT_KERNEL_RWX) && !defined(SECURITY_WRITABLE_HOOKS)
1040+#include <linux/uaccess.h> /* probe_kernel_write() */
1041+#define NEED_TO_CHECK_HOOKS_ARE_WRITABLE
1042+
1043+#if defined(CONFIG_X86)
1044+#define MAX_RO_PAGES 1024
1045+static struct page *ro_pages[MAX_RO_PAGES] __initdata;
1046+static unsigned int ro_pages_len __initdata;
1047+
1048+static bool __init lsm_test_page_ro(void *addr)
1049+{
1050+ unsigned int i;
1051+ int unused;
1052+ struct page *page;
1053+
1054+ page = (struct page *) lookup_address((unsigned long) addr, &unused);
1055+ if (!page)
1056+ return false;
1057+ if (test_bit(_PAGE_BIT_RW, &(page->flags)))
1058+ return true;
1059+ for (i = 0; i < ro_pages_len; i++)
1060+ if (page == ro_pages[i])
1061+ return true;
1062+ if (ro_pages_len == MAX_RO_PAGES)
1063+ return false;
1064+ ro_pages[ro_pages_len++] = page;
1065+ return true;
1066+}
1067+
1068+static bool __init check_ro_pages(struct security_hook_heads *hooks)
1069+{
1070+ int i;
1071+ struct list_head *list = &hooks->capable;
1072+
1073+ if (!probe_kernel_write(list, list, sizeof(void *)))
1074+ return true;
1075+ for (i = 0; i < ARRAY_SIZE(akari_hooks); i++) {
1076+ struct list_head *head = akari_hooks[i].head;
1077+ struct security_hook_list *shp;
1078+
1079+ if (!lsm_test_page_ro(&head->next) ||
1080+ !lsm_test_page_ro(&head->prev))
1081+ return false;
1082+ list_for_each_entry(shp, head, list)
1083+ if (!lsm_test_page_ro(&shp->list.next) ||
1084+ !lsm_test_page_ro(&shp->list.prev))
1085+ return false;
1086+ }
1087+ return true;
1088+}
1089+#else
1090+static bool __init check_ro_pages(struct security_hook_heads *hooks)
1091+{
1092+ struct list_head *list = &hooks->capable;
1093+
1094+ return !probe_kernel_write(list, list, sizeof(void *));
1095+}
1096+#endif
1097+#endif
1098+
1099+/**
1100+ * ccs_init - Initialize this module.
1101+ *
1102+ * Returns 0 on success, negative value otherwise.
1103+ */
1104+static int __init ccs_init(void)
1105+{
1106+ int idx;
1107+ struct security_hook_heads *hooks = probe_security_hook_heads();
1108+ if (!hooks)
1109+ goto out;
1110+ for (idx = 0; idx < ARRAY_SIZE(akari_hooks); idx++)
1111+ akari_hooks[idx].head = ((void *) hooks)
1112+ + ((unsigned long) akari_hooks[idx].head)
1113+ - ((unsigned long) &probe_dummy_security_hook_heads);
1114+#if defined(NEED_TO_CHECK_HOOKS_ARE_WRITABLE)
1115+ if (!check_ro_pages(hooks)) {
1116+ printk(KERN_INFO "Can't update security_hook_heads due to write protected. Retry with rodata=0 kernel command line option added.\n");
1117+ return -EINVAL;
1118+ }
1119+#endif
1120+ ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid();
1121+ if (!ccsecurity_exports.find_task_by_vpid)
1122+ goto out;
1123+ ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns();
1124+ if (!ccsecurity_exports.find_task_by_pid_ns)
1125+ goto out;
1126+ ccsecurity_exports.d_absolute_path = probe_d_absolute_path();
1127+ if (!ccsecurity_exports.d_absolute_path)
1128+ goto out;
1129+ for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++)
1130+ INIT_LIST_HEAD(&ccs_task_security_list[idx]);
1131+ ccs_main_init();
1132+#if defined(NEED_TO_CHECK_HOOKS_ARE_WRITABLE) && defined(CONFIG_X86)
1133+ for (idx = 0; idx < ro_pages_len; idx++)
1134+ set_bit(_PAGE_BIT_RW, &(ro_pages[idx]->flags));
1135+#endif
1136+ swap_hook(&akari_hooks[0], &original_task_free);
1137+ swap_hook(&akari_hooks[1], &original_cred_prepare);
1138+ swap_hook(&akari_hooks[2], &original_task_alloc);
1139+ for (idx = 3; idx < ARRAY_SIZE(akari_hooks); idx++)
1140+ add_hook(&akari_hooks[idx]);
1141+#if defined(NEED_TO_CHECK_HOOKS_ARE_WRITABLE) && defined(CONFIG_X86)
1142+ for (idx = 0; idx < ro_pages_len; idx++)
1143+ clear_bit(_PAGE_BIT_RW, &(ro_pages[idx]->flags));
1144+#endif
1145+ printk(KERN_INFO "AKARI: 1.0.38 2018/04/01\n");
1146+ printk(KERN_INFO
1147+ "Access Keeping And Regulating Instrument registered.\n");
1148+ return 0;
1149+out:
1150+ return -EINVAL;
1151+}
1152+
1153+module_init(ccs_init);
1154+MODULE_LICENSE("GPL");
1155+
1156+/**
1157+ * ccs_used_by_cred - Check whether the given domain is in use or not.
1158+ *
1159+ * @domain: Pointer to "struct ccs_domain_info".
1160+ *
1161+ * Returns true if @domain is in use, false otherwise.
1162+ *
1163+ * Caller holds rcu_read_lock().
1164+ */
1165+bool ccs_used_by_cred(const struct ccs_domain_info *domain)
1166+{
1167+ return false;
1168+}
1169+
1170+/**
1171+ * ccs_add_task_security - Add "struct ccs_security" to list.
1172+ *
1173+ * @ptr: Pointer to "struct ccs_security".
1174+ * @list: Pointer to "struct list_head".
1175+ *
1176+ * Returns nothing.
1177+ */
1178+static void ccs_add_task_security(struct ccs_security *ptr,
1179+ struct list_head *list)
1180+{
1181+ unsigned long flags;
1182+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
1183+ list_add_rcu(&ptr->list, list);
1184+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
1185+}
1186+
1187+/**
1188+ * __ccs_alloc_task_security - Allocate memory for new tasks.
1189+ *
1190+ * @task: Pointer to "struct task_struct".
1191+ *
1192+ * Returns 0 on success, negative value otherwise.
1193+ */
1194+static int __ccs_alloc_task_security(const struct task_struct *task)
1195+{
1196+ struct ccs_security *old_security = ccs_current_security();
1197+ struct ccs_security *new_security = kzalloc(sizeof(*new_security),
1198+ GFP_KERNEL);
1199+ struct list_head *list = &ccs_task_security_list
1200+ [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)];
1201+ if (!new_security)
1202+ return -ENOMEM;
1203+ new_security->task = task;
1204+ new_security->ccs_domain_info = old_security->ccs_domain_info;
1205+ new_security->ccs_flags = old_security->ccs_flags;
1206+ ccs_add_task_security(new_security, list);
1207+ return 0;
1208+}
1209+
1210+/**
1211+ * ccs_find_task_security - Find "struct ccs_security" for given task.
1212+ *
1213+ * @task: Pointer to "struct task_struct".
1214+ *
1215+ * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on
1216+ * out of memory, &ccs_default_security otherwise.
1217+ *
1218+ * If @task is current thread and "struct ccs_security" for current thread was
1219+ * not found, I try to allocate it. But if allocation failed, current thread
1220+ * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL
1221+ * won't work.
1222+ */
1223+struct ccs_security *ccs_find_task_security(const struct task_struct *task)
1224+{
1225+ struct ccs_security *ptr;
1226+ struct list_head *list = &ccs_task_security_list
1227+ [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)];
1228+ /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */
1229+ while (!list->next)
1230+ smp_rmb();
1231+ rcu_read_lock();
1232+ list_for_each_entry_rcu(ptr, list, list) {
1233+ if (ptr->task != task)
1234+ continue;
1235+ rcu_read_unlock();
1236+ /*
1237+ * Current thread needs to transit from old domain to new
1238+ * domain before do_execve() succeeds in order to check
1239+ * permission for interpreters and environment variables using
1240+ * new domain's ACL rules. The domain transition has to be
1241+ * visible from other CPU in order to allow interactive
1242+ * enforcing mode. Also, the domain transition has to be
1243+ * reverted if do_execve() failed. However, an LSM hook for
1244+ * reverting domain transition is missing.
1245+ *
1246+ * security_prepare_creds() is called from prepare_creds() from
1247+ * prepare_bprm_creds() from do_execve() before setting
1248+ * current->in_execve flag, and current->in_execve flag is
1249+ * cleared by the time next do_execve() request starts.
1250+ * This means that we can emulate the missing LSM hook for
1251+ * reverting domain transition, by calling this function from
1252+ * security_prepare_creds().
1253+ *
1254+ * If current->in_execve is not set but ptr->ccs_flags has
1255+ * CCS_TASK_IS_IN_EXECVE set, it indicates that do_execve()
1256+ * has failed and reverting domain transition is needed.
1257+ */
1258+ if (task == current &&
1259+ (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE) &&
1260+ !current->in_execve) {
1261+ ccs_debug_trace("1");
1262+ ccs_clear_execve(-1, ptr);
1263+ }
1264+ return ptr;
1265+ }
1266+ rcu_read_unlock();
1267+ if (task != current)
1268+ return &ccs_default_security;
1269+ /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */
1270+ ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC);
1271+ if (!ptr) {
1272+ printk(KERN_WARNING "Unable to allocate memory for pid=%u\n",
1273+ task->pid);
1274+ send_sig(SIGKILL, current, 0);
1275+ return &ccs_oom_security;
1276+ }
1277+ *ptr = ccs_default_security;
1278+ ptr->task = task;
1279+ ccs_add_task_security(ptr, list);
1280+ return ptr;
1281+}
1282+
1283+/**
1284+ * __ccs_free_task_security - Release memory associated with "struct task_struct".
1285+ *
1286+ * @task: Pointer to "struct task_struct".
1287+ *
1288+ * Returns nothing.
1289+ */
1290+static void __ccs_free_task_security(const struct task_struct *task)
1291+{
1292+ unsigned long flags;
1293+ struct ccs_security *ptr = ccs_find_task_security(task);
1294+ if (ptr == &ccs_default_security || ptr == &ccs_oom_security)
1295+ return;
1296+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
1297+ list_del_rcu(&ptr->list);
1298+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
1299+ kfree_rcu(ptr, rcu);
1300+}
--- tags/patches/1.0.38/lsm-4.2.c (nonexistent)
+++ tags/patches/1.0.38/lsm-4.2.c (revision 589)
@@ -0,0 +1,1479 @@
1+/*
2+ * lsm.c
3+ *
4+ * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
5+ *
6+ * Version: 1.0.38 2018/04/01
7+ */
8+
9+#include "internal.h"
10+#include "probe.h"
11+
12+/* Prototype definition. */
13+static void ccs_task_security_gc(void);
14+static int ccs_copy_cred_security(const struct cred *new,
15+ const struct cred *old, gfp_t gfp);
16+static struct ccs_security *ccs_find_cred_security(const struct cred *cred);
17+static DEFINE_SPINLOCK(ccs_task_security_list_lock);
18+static atomic_t ccs_in_execve_tasks = ATOMIC_INIT(0);
19+/*
20+ * List of "struct ccs_security" for "struct pid".
21+ *
22+ * All instances on this list is guaranteed that "struct ccs_security"->pid !=
23+ * NULL. Also, instances on this list that are in execve() are guaranteed that
24+ * "struct ccs_security"->cred remembers "struct linux_binprm"->cred with a
25+ * refcount on "struct linux_binprm"->cred.
26+ */
27+struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
28+/*
29+ * List of "struct ccs_security" for "struct cred".
30+ *
31+ * Since the number of "struct cred" is nearly equals to the number of
32+ * "struct pid", we allocate hash tables like ccs_task_security_list.
33+ *
34+ * All instances on this list are guaranteed that "struct ccs_security"->pid ==
35+ * NULL and "struct ccs_security"->cred != NULL.
36+ */
37+static struct list_head ccs_cred_security_list[CCS_MAX_TASK_SECURITY_HASH];
38+
39+/* Dummy security context for avoiding NULL pointer dereference. */
40+static struct ccs_security ccs_oom_security = {
41+ .ccs_domain_info = &ccs_kernel_domain
42+};
43+
44+/* Dummy security context for avoiding NULL pointer dereference. */
45+static struct ccs_security ccs_default_security = {
46+ .ccs_domain_info = &ccs_kernel_domain
47+};
48+
49+/* For exporting variables and functions. */
50+struct ccsecurity_exports ccsecurity_exports;
51+/* Members are updated by loadable kernel module. */
52+struct ccsecurity_operations ccsecurity_ops;
53+
54+/* Original hooks. */
55+static union security_list_options original_cred_prepare;
56+static union security_list_options original_cred_free;
57+static union security_list_options original_cred_alloc_blank;
58+
59+#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT
60+
61+/**
62+ * ccs_update_ee_counter - Update "struct ccs_execve" counter.
63+ *
64+ * @count: Count to increment or decrement.
65+ *
66+ * Returns updated counter.
67+ */
68+static unsigned int ccs_update_ee_counter(int count)
69+{
70+ /* Debug counter for detecting "struct ccs_execve" memory leak. */
71+ static atomic_t ccs_ee_counter = ATOMIC_INIT(0);
72+ return atomic_add_return(count, &ccs_ee_counter);
73+}
74+
75+/**
76+ * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve".
77+ *
78+ * @ee: Pointer to "struct ccs_execve".
79+ *
80+ * Returns nothing.
81+ */
82+void ccs_audit_alloc_execve(const struct ccs_execve * const ee)
83+{
84+ printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee,
85+ current->pid, ccs_update_ee_counter(1) - 1);
86+}
87+
88+/**
89+ * ccs_audit_free_execve - Audit release of "struct ccs_execve".
90+ *
91+ * @ee: Pointer to "struct ccs_execve".
92+ * @task: True if released by current task, false otherwise.
93+ *
94+ * Returns nothing.
95+ */
96+void ccs_audit_free_execve(const struct ccs_execve * const ee,
97+ const bool is_current)
98+{
99+ const unsigned int tmp = ccs_update_ee_counter(-1);
100+ if (is_current)
101+ printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n",
102+ ee, current->pid, tmp);
103+ else
104+ printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n",
105+ ee, tmp);
106+}
107+
108+#endif
109+
110+#if !defined(CONFIG_AKARI_DEBUG)
111+#define ccs_debug_trace(pos) do { } while (0)
112+#else
113+#define ccs_debug_trace(pos) \
114+ do { \
115+ static bool done; \
116+ if (!done) { \
117+ printk(KERN_INFO \
118+ "AKARI: Debug trace: " pos " of 4\n"); \
119+ done = true; \
120+ } \
121+ } while (0)
122+#endif
123+
124+/**
125+ * ccs_clear_execve - Release memory used by do_execve().
126+ *
127+ * @ret: 0 if do_execve() succeeded, negative value otherwise.
128+ * @security: Pointer to "struct ccs_security".
129+ *
130+ * Returns nothing.
131+ */
132+static void ccs_clear_execve(int ret, struct ccs_security *security)
133+{
134+ struct ccs_execve *ee;
135+ if (security == &ccs_default_security || security == &ccs_oom_security)
136+ return;
137+ ee = security->ee;
138+ security->ee = NULL;
139+ if (!ee)
140+ return;
141+ atomic_dec(&ccs_in_execve_tasks);
142+ ccs_finish_execve(ret, ee);
143+}
144+
145+/**
146+ * ccs_rcu_free - RCU callback for releasing "struct ccs_security".
147+ *
148+ * @rcu: Pointer to "struct rcu_head".
149+ *
150+ * Returns nothing.
151+ */
152+static void ccs_rcu_free(struct rcu_head *rcu)
153+{
154+ struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu);
155+ struct ccs_execve *ee = ptr->ee;
156+ /*
157+ * If this security context was associated with "struct pid" and
158+ * ptr->ccs_flags has CCS_TASK_IS_IN_EXECVE set, it indicates that a
159+ * "struct task_struct" associated with this security context exited
160+ * immediately after do_execve() has failed.
161+ */
162+ if (ptr->pid && (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE)) {
163+ ccs_debug_trace("1");
164+ atomic_dec(&ccs_in_execve_tasks);
165+ }
166+ /*
167+ * If this security context was associated with "struct pid",
168+ * drop refcount obtained by get_pid() in ccs_find_task_security().
169+ */
170+ if (ptr->pid) {
171+ ccs_debug_trace("2");
172+ put_pid(ptr->pid);
173+ }
174+ if (ee) {
175+ ccs_debug_trace("3");
176+ ccs_audit_free_execve(ee, false);
177+ kfree(ee->handler_path);
178+ kfree(ee);
179+ }
180+ kfree(ptr);
181+}
182+
183+/**
184+ * ccs_del_security - Release "struct ccs_security".
185+ *
186+ * @ptr: Pointer to "struct ccs_security".
187+ *
188+ * Returns nothing.
189+ */
190+static void ccs_del_security(struct ccs_security *ptr)
191+{
192+ unsigned long flags;
193+ if (ptr == &ccs_default_security || ptr == &ccs_oom_security)
194+ return;
195+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
196+ list_del_rcu(&ptr->list);
197+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
198+ call_rcu(&ptr->rcu, ccs_rcu_free);
199+}
200+
201+/**
202+ * ccs_add_cred_security - Add "struct ccs_security" to list.
203+ *
204+ * @ptr: Pointer to "struct ccs_security".
205+ *
206+ * Returns nothing.
207+ */
208+static void ccs_add_cred_security(struct ccs_security *ptr)
209+{
210+ unsigned long flags;
211+ struct list_head *list = &ccs_cred_security_list
212+ [hash_ptr((void *) ptr->cred, CCS_TASK_SECURITY_HASH_BITS)];
213+#ifdef CONFIG_AKARI_DEBUG
214+ if (ptr->pid)
215+ printk(KERN_INFO "AKARI: \"struct ccs_security\"->pid != NULL"
216+ "\n");
217+#endif
218+ ptr->pid = NULL;
219+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
220+ list_add_rcu(&ptr->list, list);
221+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
222+}
223+
224+/**
225+ * ccs_task_create - Make snapshot of security context for new task.
226+ *
227+ * @clone_flags: Flags passed to clone().
228+ *
229+ * Returns 0 on success, negative value otherwise.
230+ */
231+static int ccs_task_create(unsigned long clone_flags)
232+{
233+ struct ccs_security *old_security;
234+ struct ccs_security *new_security;
235+ struct cred *cred = prepare_creds();
236+ if (!cred)
237+ return -ENOMEM;
238+ old_security = ccs_find_task_security(current);
239+ new_security = ccs_find_cred_security(cred);
240+ new_security->ccs_domain_info = old_security->ccs_domain_info;
241+ new_security->ccs_flags = old_security->ccs_flags;
242+ return commit_creds(cred);
243+}
244+
245+/**
246+ * ccs_cred_prepare - Allocate memory for new credentials.
247+ *
248+ * @new: Pointer to "struct cred".
249+ * @old: Pointer to "struct cred".
250+ * @gfp: Memory allocation flags.
251+ *
252+ * Returns 0 on success, negative value otherwise.
253+ */
254+static int ccs_cred_prepare(struct cred *new, const struct cred *old,
255+ gfp_t gfp)
256+{
257+ int rc1;
258+ /*
259+ * For checking whether reverting domain transition is needed or not.
260+ *
261+ * See ccs_find_task_security() for reason.
262+ */
263+ if (gfp == GFP_KERNEL)
264+ ccs_find_task_security(current);
265+ rc1 = ccs_copy_cred_security(new, old, gfp);
266+ if (gfp == GFP_KERNEL)
267+ ccs_task_security_gc();
268+ if (original_cred_prepare.cred_prepare) {
269+ const int rc2 = original_cred_prepare.cred_prepare(new, old,
270+ gfp);
271+ if (rc2) {
272+ ccs_del_security(ccs_find_cred_security(new));
273+ return rc2;
274+ }
275+ }
276+ return rc1;
277+}
278+
279+/**
280+ * ccs_cred_free - Release memory used by credentials.
281+ *
282+ * @cred: Pointer to "struct cred".
283+ *
284+ * Returns nothing.
285+ */
286+static void ccs_cred_free(struct cred *cred)
287+{
288+ if (original_cred_free.cred_free)
289+ original_cred_free.cred_free(cred);
290+ ccs_del_security(ccs_find_cred_security(cred));
291+}
292+
293+/**
294+ * ccs_alloc_cred_security - Allocate memory for new credentials.
295+ *
296+ * @cred: Pointer to "struct cred".
297+ * @gfp: Memory allocation flags.
298+ *
299+ * Returns 0 on success, negative value otherwise.
300+ */
301+static int ccs_alloc_cred_security(const struct cred *cred, gfp_t gfp)
302+{
303+ struct ccs_security *new_security = kzalloc(sizeof(*new_security),
304+ gfp);
305+ if (!new_security)
306+ return -ENOMEM;
307+ new_security->cred = cred;
308+ ccs_add_cred_security(new_security);
309+ return 0;
310+}
311+
312+/**
313+ * ccs_cred_alloc_blank - Allocate memory for new credentials.
314+ *
315+ * @new: Pointer to "struct cred".
316+ * @gfp: Memory allocation flags.
317+ *
318+ * Returns 0 on success, negative value otherwise.
319+ */
320+static int ccs_cred_alloc_blank(struct cred *new, gfp_t gfp)
321+{
322+ const int rc1 = ccs_alloc_cred_security(new, gfp);
323+ if (original_cred_alloc_blank.cred_alloc_blank) {
324+ const int rc2 = original_cred_alloc_blank.
325+ cred_alloc_blank(new, gfp);
326+ if (rc2) {
327+ ccs_del_security(ccs_find_cred_security(new));
328+ return rc2;
329+ }
330+ }
331+ return rc1;
332+}
333+
334+/**
335+ * ccs_cred_transfer - Transfer "struct ccs_security" between credentials.
336+ *
337+ * @new: Pointer to "struct cred".
338+ * @old: Pointer to "struct cred".
339+ *
340+ * Returns nothing.
341+ */
342+static void ccs_cred_transfer(struct cred *new, const struct cred *old)
343+{
344+ struct ccs_security *new_security = ccs_find_cred_security(new);
345+ struct ccs_security *old_security = ccs_find_cred_security(old);
346+ if (new_security == &ccs_default_security ||
347+ new_security == &ccs_oom_security ||
348+ old_security == &ccs_default_security ||
349+ old_security == &ccs_oom_security)
350+ return;
351+ new_security->ccs_flags = old_security->ccs_flags;
352+ new_security->ccs_domain_info = old_security->ccs_domain_info;
353+}
354+
355+/**
356+ * ccs_bprm_committing_creds - A hook which is called when do_execve() succeeded.
357+ *
358+ * @bprm: Pointer to "struct linux_binprm".
359+ *
360+ * Returns nothing.
361+ */
362+static void ccs_bprm_committing_creds(struct linux_binprm *bprm)
363+{
364+ struct ccs_security *old_security = ccs_current_security();
365+ struct ccs_security *new_security;
366+ if (old_security == &ccs_default_security ||
367+ old_security == &ccs_oom_security)
368+ return;
369+ ccs_clear_execve(0, old_security);
370+ /* Update current task's cred's domain for future fork(). */
371+ new_security = ccs_find_cred_security(bprm->cred);
372+ new_security->ccs_flags = old_security->ccs_flags;
373+ new_security->ccs_domain_info = old_security->ccs_domain_info;
374+}
375+
376+/**
377+ * ccs_bprm_check_security - Check permission for execve().
378+ *
379+ * @bprm: Pointer to "struct linux_binprm".
380+ *
381+ * Returns 0 on success, negative value otherwise.
382+ */
383+static int ccs_bprm_check_security(struct linux_binprm *bprm)
384+{
385+ struct ccs_security *security = ccs_current_security();
386+ int rc;
387+ if (security == &ccs_default_security || security == &ccs_oom_security)
388+ return -ENOMEM;
389+ if (security->ee)
390+ return 0;
391+#ifndef CONFIG_CCSECURITY_OMIT_USERSPACE_LOADER
392+ if (!ccs_policy_loaded)
393+ ccs_load_policy(bprm->filename);
394+#endif
395+ rc = ccs_start_execve(bprm, &security->ee);
396+ if (security->ee)
397+ atomic_inc(&ccs_in_execve_tasks);
398+ return rc;
399+}
400+
401+/**
402+ * ccs_file_open - Check permission for open().
403+ *
404+ * @f: Pointer to "struct file".
405+ * @cred: Pointer to "struct cred".
406+ *
407+ * Returns 0 on success, negative value otherwise.
408+ */
409+static int ccs_file_open(struct file *f, const struct cred *cred)
410+{
411+ return ccs_open_permission(f);
412+}
413+
414+#ifdef CONFIG_SECURITY_PATH
415+
416+/**
417+ * ccs_path_chown - Check permission for chown()/chgrp().
418+ *
419+ * @path: Pointer to "struct path".
420+ * @user: User ID.
421+ * @group: Group ID.
422+ *
423+ * Returns 0 on success, negative value otherwise.
424+ */
425+static int ccs_path_chown(struct path *path, kuid_t user, kgid_t group)
426+{
427+ return ccs_chown_permission(path->dentry, path->mnt, user, group);
428+}
429+
430+/**
431+ * ccs_path_chmod - Check permission for chmod().
432+ *
433+ * @path: Pointer to "struct path".
434+ * @mode: Mode.
435+ *
436+ * Returns 0 on success, negative value otherwise.
437+ */
438+static int ccs_path_chmod(struct path *path, umode_t mode)
439+{
440+ return ccs_chmod_permission(path->dentry, path->mnt, mode);
441+}
442+
443+/**
444+ * ccs_path_chroot - Check permission for chroot().
445+ *
446+ * @path: Pointer to "struct path".
447+ *
448+ * Returns 0 on success, negative value otherwise.
449+ */
450+static int ccs_path_chroot(struct path *path)
451+{
452+ return ccs_chroot_permission(path);
453+}
454+
455+/**
456+ * ccs_path_truncate - Check permission for truncate().
457+ *
458+ * @path: Pointer to "struct path".
459+ *
460+ * Returns 0 on success, negative value otherwise.
461+ */
462+static int ccs_path_truncate(struct path *path)
463+{
464+ return ccs_truncate_permission(path->dentry, path->mnt);
465+}
466+
467+#else
468+
469+/**
470+ * ccs_inode_setattr - Check permission for chown()/chgrp()/chmod()/truncate().
471+ *
472+ * @dentry: Pointer to "struct dentry".
473+ * @attr: Pointer to "struct iattr".
474+ *
475+ * Returns 0 on success, negative value otherwise.
476+ */
477+static int ccs_inode_setattr(struct dentry *dentry, struct iattr *attr)
478+{
479+ const int rc1 = (attr->ia_valid & ATTR_UID) ?
480+ ccs_chown_permission(dentry, NULL, attr->ia_uid, INVALID_GID) :
481+ 0;
482+ const int rc2 = (attr->ia_valid & ATTR_GID) ?
483+ ccs_chown_permission(dentry, NULL, INVALID_UID, attr->ia_gid) :
484+ 0;
485+ const int rc3 = (attr->ia_valid & ATTR_MODE) ?
486+ ccs_chmod_permission(dentry, NULL, attr->ia_mode) : 0;
487+ const int rc4 = (attr->ia_valid & ATTR_SIZE) ?
488+ ccs_truncate_permission(dentry, NULL) : 0;
489+ if (rc4)
490+ return rc4;
491+ if (rc3)
492+ return rc3;
493+ if (rc2)
494+ return rc2;
495+ return rc1;
496+}
497+
498+#endif
499+
500+/**
501+ * ccs_inode_getattr - Check permission for stat().
502+ *
503+ * @path: Pointer to "struct path".
504+ *
505+ * Returns 0 on success, negative value otherwise.
506+ */
507+static int ccs_inode_getattr(const struct path *path)
508+{
509+ return ccs_getattr_permission(path->mnt, path->dentry);
510+}
511+
512+#ifdef CONFIG_SECURITY_PATH
513+
514+/**
515+ * ccs_path_mknod - Check permission for mknod().
516+ *
517+ * @dir: Pointer to "struct path".
518+ * @dentry: Pointer to "struct dentry".
519+ * @mode: Create mode.
520+ * @dev: Device major/minor number.
521+ *
522+ * Returns 0 on success, negative value otherwise.
523+ */
524+static int ccs_path_mknod(struct path *dir, struct dentry *dentry,
525+ umode_t mode, unsigned int dev)
526+{
527+ return ccs_mknod_permission(dentry, dir->mnt, mode, dev);
528+}
529+
530+/**
531+ * ccs_path_mkdir - Check permission for mkdir().
532+ *
533+ * @dir: Pointer to "struct path".
534+ * @dentry: Pointer to "struct dentry".
535+ * @mode: Create mode.
536+ *
537+ * Returns 0 on success, negative value otherwise.
538+ */
539+static int ccs_path_mkdir(struct path *dir, struct dentry *dentry,
540+ umode_t mode)
541+{
542+ return ccs_mkdir_permission(dentry, dir->mnt, mode);
543+}
544+
545+/**
546+ * ccs_path_rmdir - Check permission for rmdir().
547+ *
548+ * @dir: Pointer to "struct path".
549+ * @dentry: Pointer to "struct dentry".
550+ *
551+ * Returns 0 on success, negative value otherwise.
552+ */
553+static int ccs_path_rmdir(struct path *dir, struct dentry *dentry)
554+{
555+ return ccs_rmdir_permission(dentry, dir->mnt);
556+}
557+
558+/**
559+ * ccs_path_unlink - Check permission for unlink().
560+ *
561+ * @dir: Pointer to "struct path".
562+ * @dentry: Pointer to "struct dentry".
563+ *
564+ * Returns 0 on success, negative value otherwise.
565+ */
566+static int ccs_path_unlink(struct path *dir, struct dentry *dentry)
567+{
568+ return ccs_unlink_permission(dentry, dir->mnt);
569+}
570+
571+/**
572+ * ccs_path_symlink - Check permission for symlink().
573+ *
574+ * @dir: Pointer to "struct path".
575+ * @dentry: Pointer to "struct dentry".
576+ * @old_name: Content of symbolic link.
577+ *
578+ * Returns 0 on success, negative value otherwise.
579+ */
580+static int ccs_path_symlink(struct path *dir, struct dentry *dentry,
581+ const char *old_name)
582+{
583+ return ccs_symlink_permission(dentry, dir->mnt, old_name);
584+}
585+
586+/**
587+ * ccs_path_rename - Check permission for rename().
588+ *
589+ * @old_dir: Pointer to "struct path".
590+ * @old_dentry: Pointer to "struct dentry".
591+ * @new_dir: Pointer to "struct path".
592+ * @new_dentry: Pointer to "struct dentry".
593+ *
594+ * Returns 0 on success, negative value otherwise.
595+ */
596+static int ccs_path_rename(struct path *old_dir, struct dentry *old_dentry,
597+ struct path *new_dir, struct dentry *new_dentry)
598+{
599+ return ccs_rename_permission(old_dentry, new_dentry, old_dir->mnt);
600+}
601+
602+/**
603+ * ccs_path_link - Check permission for link().
604+ *
605+ * @old_dentry: Pointer to "struct dentry".
606+ * @new_dir: Pointer to "struct path".
607+ * @new_dentry: Pointer to "struct dentry".
608+ *
609+ * Returns 0 on success, negative value otherwise.
610+ */
611+static int ccs_path_link(struct dentry *old_dentry, struct path *new_dir,
612+ struct dentry *new_dentry)
613+{
614+ return ccs_link_permission(old_dentry, new_dentry, new_dir->mnt);
615+}
616+
617+#else
618+
619+/**
620+ * ccs_inode_mknod - Check permission for mknod().
621+ *
622+ * @dir: Pointer to "struct inode".
623+ * @dentry: Pointer to "struct dentry".
624+ * @mode: Create mode.
625+ * @dev: Device major/minor number.
626+ *
627+ * Returns 0 on success, negative value otherwise.
628+ */
629+static int ccs_inode_mknod(struct inode *dir, struct dentry *dentry,
630+ umode_t mode, dev_t dev)
631+{
632+ return ccs_mknod_permission(dentry, NULL, mode, dev);
633+}
634+
635+/**
636+ * ccs_inode_mkdir - Check permission for mkdir().
637+ *
638+ * @dir: Pointer to "struct inode".
639+ * @dentry: Pointer to "struct dentry".
640+ * @mode: Create mode.
641+ *
642+ * Returns 0 on success, negative value otherwise.
643+ */
644+static int ccs_inode_mkdir(struct inode *dir, struct dentry *dentry,
645+ umode_t mode)
646+{
647+ return ccs_mkdir_permission(dentry, NULL, mode);
648+}
649+
650+/**
651+ * ccs_inode_rmdir - Check permission for rmdir().
652+ *
653+ * @dir: Pointer to "struct inode".
654+ * @dentry: Pointer to "struct dentry".
655+ *
656+ * Returns 0 on success, negative value otherwise.
657+ */
658+static int ccs_inode_rmdir(struct inode *dir, struct dentry *dentry)
659+{
660+ return ccs_rmdir_permission(dentry, NULL);
661+}
662+
663+/**
664+ * ccs_inode_unlink - Check permission for unlink().
665+ *
666+ * @dir: Pointer to "struct inode".
667+ * @dentry: Pointer to "struct dentry".
668+ *
669+ * Returns 0 on success, negative value otherwise.
670+ */
671+static int ccs_inode_unlink(struct inode *dir, struct dentry *dentry)
672+{
673+ return ccs_unlink_permission(dentry, NULL);
674+}
675+
676+/**
677+ * ccs_inode_symlink - Check permission for symlink().
678+ *
679+ * @dir: Pointer to "struct inode".
680+ * @dentry: Pointer to "struct dentry".
681+ * @old_name: Content of symbolic link.
682+ *
683+ * Returns 0 on success, negative value otherwise.
684+ */
685+static int ccs_inode_symlink(struct inode *dir, struct dentry *dentry,
686+ const char *old_name)
687+{
688+ return ccs_symlink_permission(dentry, NULL, old_name);
689+}
690+
691+/**
692+ * ccs_inode_rename - Check permission for rename().
693+ *
694+ * @old_dir: Pointer to "struct inode".
695+ * @old_dentry: Pointer to "struct dentry".
696+ * @new_dir: Pointer to "struct inode".
697+ * @new_dentry: Pointer to "struct dentry".
698+ *
699+ * Returns 0 on success, negative value otherwise.
700+ */
701+static int ccs_inode_rename(struct inode *old_dir, struct dentry *old_dentry,
702+ struct inode *new_dir, struct dentry *new_dentry)
703+{
704+ return ccs_rename_permission(old_dentry, new_dentry, NULL);
705+}
706+
707+/**
708+ * ccs_inode_link - Check permission for link().
709+ *
710+ * @old_dentry: Pointer to "struct dentry".
711+ * @dir: Pointer to "struct inode".
712+ * @new_dentry: Pointer to "struct dentry".
713+ *
714+ * Returns 0 on success, negative value otherwise.
715+ */
716+static int ccs_inode_link(struct dentry *old_dentry, struct inode *dir,
717+ struct dentry *new_dentry)
718+{
719+ return ccs_link_permission(old_dentry, new_dentry, NULL);
720+}
721+
722+/**
723+ * ccs_inode_create - Check permission for creat().
724+ *
725+ * @dir: Pointer to "struct inode".
726+ * @dentry: Pointer to "struct dentry".
727+ * @mode: Create mode.
728+ *
729+ * Returns 0 on success, negative value otherwise.
730+ */
731+static int ccs_inode_create(struct inode *dir, struct dentry *dentry,
732+ umode_t mode)
733+{
734+ return ccs_mknod_permission(dentry, NULL, mode, 0);
735+}
736+
737+#endif
738+
739+#ifdef CONFIG_SECURITY_NETWORK
740+
741+#include <net/sock.h>
742+
743+/* Structure for remembering an accept()ed socket's status. */
744+struct ccs_socket_tag {
745+ struct list_head list;
746+ struct inode *inode;
747+ int status;
748+ struct rcu_head rcu;
749+};
750+
751+/*
752+ * List for managing accept()ed sockets.
753+ * Since we don't need to keep an accept()ed socket into this list after
754+ * once the permission was granted, the number of entries in this list is
755+ * likely small. Therefore, we don't use hash tables.
756+ */
757+static LIST_HEAD(ccs_accepted_socket_list);
758+/* Lock for protecting ccs_accepted_socket_list . */
759+static DEFINE_SPINLOCK(ccs_accepted_socket_list_lock);
760+
761+/**
762+ * ccs_update_socket_tag - Update tag associated with accept()ed sockets.
763+ *
764+ * @inode: Pointer to "struct inode".
765+ * @status: New status.
766+ *
767+ * Returns nothing.
768+ *
769+ * If @status == 0, memory for that socket will be released after RCU grace
770+ * period.
771+ */
772+static void ccs_update_socket_tag(struct inode *inode, int status)
773+{
774+ struct ccs_socket_tag *ptr;
775+ /*
776+ * Protect whole section because multiple threads may call this
777+ * function with same "sock" via ccs_validate_socket().
778+ */
779+ spin_lock(&ccs_accepted_socket_list_lock);
780+ rcu_read_lock();
781+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
782+ if (ptr->inode != inode)
783+ continue;
784+ ptr->status = status;
785+ if (status)
786+ break;
787+ list_del_rcu(&ptr->list);
788+ kfree_rcu(ptr, rcu);
789+ break;
790+ }
791+ rcu_read_unlock();
792+ spin_unlock(&ccs_accepted_socket_list_lock);
793+}
794+
795+/**
796+ * ccs_validate_socket - Check post accept() permission if needed.
797+ *
798+ * @sock: Pointer to "struct socket".
799+ *
800+ * Returns 0 on success, negative value otherwise.
801+ */
802+static int ccs_validate_socket(struct socket *sock)
803+{
804+ struct inode *inode = SOCK_INODE(sock);
805+ struct ccs_socket_tag *ptr;
806+ int ret = 0;
807+ rcu_read_lock();
808+ list_for_each_entry_rcu(ptr, &ccs_accepted_socket_list, list) {
809+ if (ptr->inode != inode)
810+ continue;
811+ ret = ptr->status;
812+ break;
813+ }
814+ rcu_read_unlock();
815+ if (ret <= 0)
816+ /*
817+ * This socket is not an accept()ed socket or this socket is
818+ * an accept()ed socket and post accept() permission is done.
819+ */
820+ return ret;
821+ /*
822+ * Check post accept() permission now.
823+ *
824+ * Strictly speaking, we need to pass both listen()ing socket and
825+ * accept()ed socket to __ccs_socket_post_accept_permission().
826+ * But since socket's family and type are same for both sockets,
827+ * passing the accept()ed socket in place for the listen()ing socket
828+ * will work.
829+ */
830+ ret = ccs_socket_post_accept_permission(sock, sock);
831+ /*
832+ * If permission was granted, we forget that this is an accept()ed
833+ * socket. Otherwise, we remember that this socket needs to return
834+ * error for subsequent socketcalls.
835+ */
836+ ccs_update_socket_tag(inode, ret);
837+ return ret;
838+}
839+
840+/**
841+ * ccs_socket_accept - Check permission for accept().
842+ *
843+ * @sock: Pointer to "struct socket".
844+ * @newsock: Pointer to "struct socket".
845+ *
846+ * Returns 0 on success, negative value otherwise.
847+ *
848+ * This hook is used for setting up environment for doing post accept()
849+ * permission check. If dereferencing sock->ops->something() were ordered by
850+ * rcu_dereference(), we could replace sock->ops with "a copy of original
851+ * sock->ops with modified sock->ops->accept()" using rcu_assign_pointer()
852+ * in order to do post accept() permission check before returning to userspace.
853+ * If we make the copy in security_socket_post_create(), it would be possible
854+ * to safely replace sock->ops here, but we don't do so because we don't want
855+ * to allocate memory for sockets which do not call sock->ops->accept().
856+ * Therefore, we do post accept() permission check upon next socket syscalls
857+ * rather than between sock->ops->accept() and returning to userspace.
858+ * This means that if a socket was close()d before calling some socket
859+ * syscalls, post accept() permission check will not be done.
860+ */
861+static int ccs_socket_accept(struct socket *sock, struct socket *newsock)
862+{
863+ struct ccs_socket_tag *ptr;
864+ const int rc = ccs_validate_socket(sock);
865+ if (rc < 0)
866+ return rc;
867+ ptr = kzalloc(sizeof(*ptr), GFP_KERNEL);
868+ if (!ptr)
869+ return -ENOMEM;
870+ /*
871+ * Subsequent LSM hooks will receive "newsock". Therefore, I mark
872+ * "newsock" as "an accept()ed socket but post accept() permission
873+ * check is not done yet" by allocating memory using inode of the
874+ * "newsock" as a search key.
875+ */
876+ ptr->inode = SOCK_INODE(newsock);
877+ ptr->status = 1; /* Check post accept() permission later. */
878+ spin_lock(&ccs_accepted_socket_list_lock);
879+ list_add_tail_rcu(&ptr->list, &ccs_accepted_socket_list);
880+ spin_unlock(&ccs_accepted_socket_list_lock);
881+ return 0;
882+}
883+
884+/**
885+ * ccs_socket_listen - Check permission for listen().
886+ *
887+ * @sock: Pointer to "struct socket".
888+ * @backlog: Backlog parameter.
889+ *
890+ * Returns 0 on success, negative value otherwise.
891+ */
892+static int ccs_socket_listen(struct socket *sock, int backlog)
893+{
894+ const int rc = ccs_validate_socket(sock);
895+ if (rc < 0)
896+ return rc;
897+ return ccs_socket_listen_permission(sock);
898+}
899+
900+/**
901+ * ccs_socket_connect - Check permission for connect().
902+ *
903+ * @sock: Pointer to "struct socket".
904+ * @addr: Pointer to "struct sockaddr".
905+ * @addr_len: Size of @addr.
906+ *
907+ * Returns 0 on success, negative value otherwise.
908+ */
909+static int ccs_socket_connect(struct socket *sock, struct sockaddr *addr,
910+ int addr_len)
911+{
912+ const int rc = ccs_validate_socket(sock);
913+ if (rc < 0)
914+ return rc;
915+ return ccs_socket_connect_permission(sock, addr, addr_len);
916+}
917+
918+/**
919+ * ccs_socket_bind - Check permission for bind().
920+ *
921+ * @sock: Pointer to "struct socket".
922+ * @addr: Pointer to "struct sockaddr".
923+ * @addr_len: Size of @addr.
924+ *
925+ * Returns 0 on success, negative value otherwise.
926+ */
927+static int ccs_socket_bind(struct socket *sock, struct sockaddr *addr,
928+ int addr_len)
929+{
930+ const int rc = ccs_validate_socket(sock);
931+ if (rc < 0)
932+ return rc;
933+ return ccs_socket_bind_permission(sock, addr, addr_len);
934+}
935+
936+/**
937+ * ccs_socket_sendmsg - Check permission for sendmsg().
938+ *
939+ * @sock: Pointer to "struct socket".
940+ * @msg: Pointer to "struct msghdr".
941+ * @size: Size of message.
942+ *
943+ * Returns 0 on success, negative value otherwise.
944+ */
945+static int ccs_socket_sendmsg(struct socket *sock, struct msghdr *msg,
946+ int size)
947+{
948+ const int rc = ccs_validate_socket(sock);
949+ if (rc < 0)
950+ return rc;
951+ return ccs_socket_sendmsg_permission(sock, msg, size);
952+}
953+
954+/**
955+ * ccs_socket_recvmsg - Check permission for recvmsg().
956+ *
957+ * @sock: Pointer to "struct socket".
958+ * @msg: Pointer to "struct msghdr".
959+ * @size: Size of message.
960+ * @flags: Flags.
961+ *
962+ * Returns 0 on success, negative value otherwise.
963+ */
964+static int ccs_socket_recvmsg(struct socket *sock, struct msghdr *msg,
965+ int size, int flags)
966+{
967+ return ccs_validate_socket(sock);
968+}
969+
970+/**
971+ * ccs_socket_getsockname - Check permission for getsockname().
972+ *
973+ * @sock: Pointer to "struct socket".
974+ *
975+ * Returns 0 on success, negative value otherwise.
976+ */
977+static int ccs_socket_getsockname(struct socket *sock)
978+{
979+ return ccs_validate_socket(sock);
980+}
981+
982+/**
983+ * ccs_socket_getpeername - Check permission for getpeername().
984+ *
985+ * @sock: Pointer to "struct socket".
986+ *
987+ * Returns 0 on success, negative value otherwise.
988+ */
989+static int ccs_socket_getpeername(struct socket *sock)
990+{
991+ return ccs_validate_socket(sock);
992+}
993+
994+/**
995+ * ccs_socket_getsockopt - Check permission for getsockopt().
996+ *
997+ * @sock: Pointer to "struct socket".
998+ * @level: Level.
999+ * @optname: Option's name,
1000+ *
1001+ * Returns 0 on success, negative value otherwise.
1002+ */
1003+static int ccs_socket_getsockopt(struct socket *sock, int level, int optname)
1004+{
1005+ return ccs_validate_socket(sock);
1006+}
1007+
1008+/**
1009+ * ccs_socket_setsockopt - Check permission for setsockopt().
1010+ *
1011+ * @sock: Pointer to "struct socket".
1012+ * @level: Level.
1013+ * @optname: Option's name,
1014+ *
1015+ * Returns 0 on success, negative value otherwise.
1016+ */
1017+static int ccs_socket_setsockopt(struct socket *sock, int level, int optname)
1018+{
1019+ return ccs_validate_socket(sock);
1020+}
1021+
1022+/**
1023+ * ccs_socket_shutdown - Check permission for shutdown().
1024+ *
1025+ * @sock: Pointer to "struct socket".
1026+ * @how: Shutdown mode.
1027+ *
1028+ * Returns 0 on success, negative value otherwise.
1029+ */
1030+static int ccs_socket_shutdown(struct socket *sock, int how)
1031+{
1032+ return ccs_validate_socket(sock);
1033+}
1034+
1035+#define SOCKFS_MAGIC 0x534F434B
1036+
1037+/**
1038+ * ccs_inode_free_security - Release memory associated with an inode.
1039+ *
1040+ * @inode: Pointer to "struct inode".
1041+ *
1042+ * Returns nothing.
1043+ *
1044+ * We use this hook for releasing memory associated with an accept()ed socket.
1045+ */
1046+static void ccs_inode_free_security(struct inode *inode)
1047+{
1048+ if (inode->i_sb && inode->i_sb->s_magic == SOCKFS_MAGIC)
1049+ ccs_update_socket_tag(inode, 0);
1050+}
1051+
1052+#endif
1053+
1054+/**
1055+ * ccs_sb_pivotroot - Check permission for pivot_root().
1056+ *
1057+ * @old_path: Pointer to "struct path".
1058+ * @new_path: Pointer to "struct path".
1059+ *
1060+ * Returns 0 on success, negative value otherwise.
1061+ */
1062+static int ccs_sb_pivotroot(struct path *old_path, struct path *new_path)
1063+{
1064+ return ccs_pivot_root_permission(old_path, new_path);
1065+}
1066+
1067+/**
1068+ * ccs_sb_mount - Check permission for mount().
1069+ *
1070+ * @dev_name: Name of device file.
1071+ * @path: Pointer to "struct path".
1072+ * @type: Name of filesystem type. Maybe NULL.
1073+ * @flags: Mount options.
1074+ * @data_page: Optional data. Maybe NULL.
1075+ *
1076+ * Returns 0 on success, negative value otherwise.
1077+ */
1078+static int ccs_sb_mount(const char *dev_name, struct path *path,
1079+ const char *type, unsigned long flags, void *data_page)
1080+{
1081+ return ccs_mount_permission(dev_name, path, type, flags, data_page);
1082+}
1083+
1084+/**
1085+ * ccs_sb_umount - Check permission for umount().
1086+ *
1087+ * @mnt: Pointer to "struct vfsmount".
1088+ * @flags: Unmount flags.
1089+ *
1090+ * Returns 0 on success, negative value otherwise.
1091+ */
1092+static int ccs_sb_umount(struct vfsmount *mnt, int flags)
1093+{
1094+ return ccs_umount_permission(mnt, flags);
1095+}
1096+
1097+/**
1098+ * ccs_file_fcntl - Check permission for fcntl().
1099+ *
1100+ * @file: Pointer to "struct file".
1101+ * @cmd: Command number.
1102+ * @arg: Value for @cmd.
1103+ *
1104+ * Returns 0 on success, negative value otherwise.
1105+ */
1106+static int ccs_file_fcntl(struct file *file, unsigned int cmd,
1107+ unsigned long arg)
1108+{
1109+ return ccs_fcntl_permission(file, cmd, arg);
1110+}
1111+
1112+/**
1113+ * ccs_file_ioctl - Check permission for ioctl().
1114+ *
1115+ * @filp: Pointer to "struct file".
1116+ * @cmd: Command number.
1117+ * @arg: Value for @cmd.
1118+ *
1119+ * Returns 0 on success, negative value otherwise.
1120+ */
1121+static int ccs_file_ioctl(struct file *filp, unsigned int cmd,
1122+ unsigned long arg)
1123+{
1124+ return ccs_ioctl_permission(filp, cmd, arg);
1125+}
1126+
1127+#define MY_HOOK_INIT(HEAD, HOOK) \
1128+ { .head = &probe_dummy_security_hook_heads.HEAD, \
1129+ .hook = { .HEAD = HOOK } }
1130+
1131+static struct security_hook_list akari_hooks[] = {
1132+ /* Security context allocator. */
1133+ MY_HOOK_INIT(cred_free, ccs_cred_free),
1134+ MY_HOOK_INIT(cred_prepare, ccs_cred_prepare),
1135+ MY_HOOK_INIT(cred_alloc_blank, ccs_cred_alloc_blank),
1136+ MY_HOOK_INIT(cred_transfer, ccs_cred_transfer),
1137+ MY_HOOK_INIT(task_create, ccs_task_create),
1138+ /* Security context updater for successful execve(). */
1139+ MY_HOOK_INIT(bprm_check_security, ccs_bprm_check_security),
1140+ MY_HOOK_INIT(bprm_committing_creds, ccs_bprm_committing_creds),
1141+ /* Various permission checker. */
1142+ MY_HOOK_INIT(file_open, ccs_file_open),
1143+ MY_HOOK_INIT(file_fcntl, ccs_file_fcntl),
1144+ MY_HOOK_INIT(file_ioctl, ccs_file_ioctl),
1145+ MY_HOOK_INIT(sb_pivotroot, ccs_sb_pivotroot),
1146+ MY_HOOK_INIT(sb_mount, ccs_sb_mount),
1147+ MY_HOOK_INIT(sb_umount, ccs_sb_umount),
1148+#ifdef CONFIG_SECURITY_PATH
1149+ MY_HOOK_INIT(path_mknod, ccs_path_mknod),
1150+ MY_HOOK_INIT(path_mkdir, ccs_path_mkdir),
1151+ MY_HOOK_INIT(path_rmdir, ccs_path_rmdir),
1152+ MY_HOOK_INIT(path_unlink, ccs_path_unlink),
1153+ MY_HOOK_INIT(path_symlink, ccs_path_symlink),
1154+ MY_HOOK_INIT(path_rename, ccs_path_rename),
1155+ MY_HOOK_INIT(path_link, ccs_path_link),
1156+ MY_HOOK_INIT(path_truncate, ccs_path_truncate),
1157+ MY_HOOK_INIT(path_chmod, ccs_path_chmod),
1158+ MY_HOOK_INIT(path_chown, ccs_path_chown),
1159+ MY_HOOK_INIT(path_chroot, ccs_path_chroot),
1160+#else
1161+ MY_HOOK_INIT(inode_mknod, ccs_inode_mknod),
1162+ MY_HOOK_INIT(inode_mkdir, ccs_inode_mkdir),
1163+ MY_HOOK_INIT(inode_rmdir, ccs_inode_rmdir),
1164+ MY_HOOK_INIT(inode_unlink, ccs_inode_unlink),
1165+ MY_HOOK_INIT(inode_symlink, ccs_inode_symlink),
1166+ MY_HOOK_INIT(inode_rename, ccs_inode_rename),
1167+ MY_HOOK_INIT(inode_link, ccs_inode_link),
1168+ MY_HOOK_INIT(inode_create, ccs_inode_create),
1169+ MY_HOOK_INIT(inode_setattr, ccs_inode_setattr),
1170+#endif
1171+ MY_HOOK_INIT(inode_getattr, ccs_inode_getattr),
1172+#ifdef CONFIG_SECURITY_NETWORK
1173+ MY_HOOK_INIT(socket_bind, ccs_socket_bind),
1174+ MY_HOOK_INIT(socket_connect, ccs_socket_connect),
1175+ MY_HOOK_INIT(socket_listen, ccs_socket_listen),
1176+ MY_HOOK_INIT(socket_sendmsg, ccs_socket_sendmsg),
1177+ MY_HOOK_INIT(socket_recvmsg, ccs_socket_recvmsg),
1178+ MY_HOOK_INIT(socket_getsockname, ccs_socket_getsockname),
1179+ MY_HOOK_INIT(socket_getpeername, ccs_socket_getpeername),
1180+ MY_HOOK_INIT(socket_getsockopt, ccs_socket_getsockopt),
1181+ MY_HOOK_INIT(socket_setsockopt, ccs_socket_setsockopt),
1182+ MY_HOOK_INIT(socket_shutdown, ccs_socket_shutdown),
1183+ MY_HOOK_INIT(socket_accept, ccs_socket_accept),
1184+ MY_HOOK_INIT(inode_free_security, ccs_inode_free_security),
1185+#endif
1186+};
1187+
1188+static inline void add_hook(struct security_hook_list *hook)
1189+{
1190+ list_add_tail_rcu(&hook->list, hook->head);
1191+}
1192+
1193+static void __init swap_hook(struct security_hook_list *hook,
1194+ union security_list_options *original)
1195+{
1196+ struct list_head *list = hook->head;
1197+ if (list_empty(list)) {
1198+ add_hook(hook);
1199+ } else {
1200+ struct security_hook_list *shp =
1201+ list_last_entry(list, struct security_hook_list, list);
1202+ *original = shp->hook;
1203+ smp_wmb();
1204+ shp->hook = hook->hook;
1205+ }
1206+}
1207+
1208+/**
1209+ * ccs_init - Initialize this module.
1210+ *
1211+ * Returns 0 on success, negative value otherwise.
1212+ */
1213+static int __init ccs_init(void)
1214+{
1215+ int idx;
1216+ struct security_hook_heads *hooks = probe_security_hook_heads();
1217+ if (!hooks)
1218+ goto out;
1219+ for (idx = 0; idx < ARRAY_SIZE(akari_hooks); idx++)
1220+ akari_hooks[idx].head = ((void *) hooks)
1221+ + ((unsigned long) akari_hooks[idx].head)
1222+ - ((unsigned long) &probe_dummy_security_hook_heads);
1223+ ccsecurity_exports.find_task_by_vpid = probe_find_task_by_vpid();
1224+ if (!ccsecurity_exports.find_task_by_vpid)
1225+ goto out;
1226+ ccsecurity_exports.find_task_by_pid_ns = probe_find_task_by_pid_ns();
1227+ if (!ccsecurity_exports.find_task_by_pid_ns)
1228+ goto out;
1229+ ccsecurity_exports.d_absolute_path = probe_d_absolute_path();
1230+ if (!ccsecurity_exports.d_absolute_path)
1231+ goto out;
1232+ for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) {
1233+ INIT_LIST_HEAD(&ccs_cred_security_list[idx]);
1234+ INIT_LIST_HEAD(&ccs_task_security_list[idx]);
1235+ }
1236+ ccs_main_init();
1237+ swap_hook(&akari_hooks[0], &original_cred_free);
1238+ swap_hook(&akari_hooks[1], &original_cred_prepare);
1239+ swap_hook(&akari_hooks[2], &original_cred_alloc_blank);
1240+ for (idx = 3; idx < ARRAY_SIZE(akari_hooks); idx++)
1241+ add_hook(&akari_hooks[idx]);
1242+ printk(KERN_INFO "AKARI: 1.0.38 2018/04/01\n");
1243+ printk(KERN_INFO
1244+ "Access Keeping And Regulating Instrument registered.\n");
1245+ return 0;
1246+out:
1247+ return -EINVAL;
1248+}
1249+
1250+module_init(ccs_init);
1251+MODULE_LICENSE("GPL");
1252+
1253+/**
1254+ * ccs_used_by_cred - Check whether the given domain is in use or not.
1255+ *
1256+ * @domain: Pointer to "struct ccs_domain_info".
1257+ *
1258+ * Returns true if @domain is in use, false otherwise.
1259+ *
1260+ * Caller holds rcu_read_lock().
1261+ */
1262+bool ccs_used_by_cred(const struct ccs_domain_info *domain)
1263+{
1264+ int idx;
1265+ struct ccs_security *ptr;
1266+ for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) {
1267+ struct list_head *list = &ccs_cred_security_list[idx];
1268+ list_for_each_entry_rcu(ptr, list, list) {
1269+ struct ccs_execve *ee = ptr->ee;
1270+ if (ptr->ccs_domain_info == domain ||
1271+ (ee && ee->previous_domain == domain)) {
1272+ return true;
1273+ }
1274+ }
1275+ }
1276+ return false;
1277+}
1278+
1279+/**
1280+ * ccs_add_task_security - Add "struct ccs_security" to list.
1281+ *
1282+ * @ptr: Pointer to "struct ccs_security".
1283+ * @list: Pointer to "struct list_head".
1284+ *
1285+ * Returns nothing.
1286+ */
1287+static void ccs_add_task_security(struct ccs_security *ptr,
1288+ struct list_head *list)
1289+{
1290+ unsigned long flags;
1291+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
1292+ list_add_rcu(&ptr->list, list);
1293+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
1294+}
1295+
1296+/**
1297+ * ccs_find_task_security - Find "struct ccs_security" for given task.
1298+ *
1299+ * @task: Pointer to "struct task_struct".
1300+ *
1301+ * Returns pointer to "struct ccs_security" on success, &ccs_oom_security on
1302+ * out of memory, &ccs_default_security otherwise.
1303+ *
1304+ * If @task is current thread and "struct ccs_security" for current thread was
1305+ * not found, I try to allocate it. But if allocation failed, current thread
1306+ * will be killed by SIGKILL. Note that if current->pid == 1, sending SIGKILL
1307+ * won't work.
1308+ */
1309+struct ccs_security *ccs_find_task_security(const struct task_struct *task)
1310+{
1311+ struct ccs_security *ptr;
1312+ struct list_head *list = &ccs_task_security_list
1313+ [hash_ptr((void *) task, CCS_TASK_SECURITY_HASH_BITS)];
1314+ /* Make sure INIT_LIST_HEAD() in ccs_mm_init() takes effect. */
1315+ while (!list->next)
1316+ smp_rmb();
1317+ rcu_read_lock();
1318+ list_for_each_entry_rcu(ptr, list, list) {
1319+ if (ptr->pid != task->pids[PIDTYPE_PID].pid)
1320+ continue;
1321+ rcu_read_unlock();
1322+ /*
1323+ * Current thread needs to transit from old domain to new
1324+ * domain before do_execve() succeeds in order to check
1325+ * permission for interpreters and environment variables using
1326+ * new domain's ACL rules. The domain transition has to be
1327+ * visible from other CPU in order to allow interactive
1328+ * enforcing mode. Also, the domain transition has to be
1329+ * reverted if do_execve() failed. However, an LSM hook for
1330+ * reverting domain transition is missing.
1331+ *
1332+ * security_prepare_creds() is called from prepare_creds() from
1333+ * prepare_bprm_creds() from do_execve() before setting
1334+ * current->in_execve flag, and current->in_execve flag is
1335+ * cleared by the time next do_execve() request starts.
1336+ * This means that we can emulate the missing LSM hook for
1337+ * reverting domain transition, by calling this function from
1338+ * security_prepare_creds().
1339+ *
1340+ * If current->in_execve is not set but ptr->ccs_flags has
1341+ * CCS_TASK_IS_IN_EXECVE set, it indicates that do_execve()
1342+ * has failed and reverting domain transition is needed.
1343+ */
1344+ if (task == current &&
1345+ (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE) &&
1346+ !current->in_execve) {
1347+ ccs_debug_trace("4");
1348+ ccs_clear_execve(-1, ptr);
1349+ }
1350+ return ptr;
1351+ }
1352+ rcu_read_unlock();
1353+ if (task != current) {
1354+ /*
1355+ * If a thread does nothing after fork(), caller will reach
1356+ * here because "struct ccs_security" for that thread is not
1357+ * yet allocated. But that thread is keeping a snapshot of
1358+ * "struct ccs_security" taken as of ccs_task_create()
1359+ * associated with that thread's "struct cred".
1360+ *
1361+ * Since that snapshot will be used as initial data when that
1362+ * thread allocates "struct ccs_security" for that thread, we
1363+ * can return that snapshot rather than &ccs_default_security.
1364+ *
1365+ * Since this function is called by only ccs_select_one() and
1366+ * ccs_read_pid() (via ccs_task_domain() and ccs_task_flags()),
1367+ * it is guaranteed that caller has called rcu_read_lock()
1368+ * (via ccs_tasklist_lock()) before finding this thread and
1369+ * this thread is valid. Therefore, we can do __task_cred(task)
1370+ * like get_robust_list() does.
1371+ */
1372+ return ccs_find_cred_security(__task_cred(task));
1373+ }
1374+ /* Use GFP_ATOMIC because caller may have called rcu_read_lock(). */
1375+ ptr = kzalloc(sizeof(*ptr), GFP_ATOMIC);
1376+ if (!ptr) {
1377+ printk(KERN_WARNING "Unable to allocate memory for pid=%u\n",
1378+ task->pid);
1379+ send_sig(SIGKILL, current, 0);
1380+ return &ccs_oom_security;
1381+ }
1382+ *ptr = *ccs_find_cred_security(task->cred);
1383+ /* We can shortcut because task == current. */
1384+ ptr->pid = get_pid(((struct task_struct *) task)->
1385+ pids[PIDTYPE_PID].pid);
1386+ ptr->cred = NULL;
1387+ ccs_add_task_security(ptr, list);
1388+ return ptr;
1389+}
1390+
1391+/**
1392+ * ccs_copy_cred_security - Allocate memory for new credentials.
1393+ *
1394+ * @new: Pointer to "struct cred".
1395+ * @old: Pointer to "struct cred".
1396+ * @gfp: Memory allocation flags.
1397+ *
1398+ * Returns 0 on success, negative value otherwise.
1399+ */
1400+static int ccs_copy_cred_security(const struct cred *new,
1401+ const struct cred *old, gfp_t gfp)
1402+{
1403+ struct ccs_security *old_security = ccs_find_cred_security(old);
1404+ struct ccs_security *new_security =
1405+ kzalloc(sizeof(*new_security), gfp);
1406+ if (!new_security)
1407+ return -ENOMEM;
1408+ *new_security = *old_security;
1409+ new_security->cred = new;
1410+ ccs_add_cred_security(new_security);
1411+ return 0;
1412+}
1413+
1414+/**
1415+ * ccs_find_cred_security - Find "struct ccs_security" for given credential.
1416+ *
1417+ * @cred: Pointer to "struct cred".
1418+ *
1419+ * Returns pointer to "struct ccs_security" on success, &ccs_default_security
1420+ * otherwise.
1421+ */
1422+static struct ccs_security *ccs_find_cred_security(const struct cred *cred)
1423+{
1424+ struct ccs_security *ptr;
1425+ struct list_head *list = &ccs_cred_security_list
1426+ [hash_ptr((void *) cred, CCS_TASK_SECURITY_HASH_BITS)];
1427+ rcu_read_lock();
1428+ list_for_each_entry_rcu(ptr, list, list) {
1429+ if (ptr->cred != cred)
1430+ continue;
1431+ rcu_read_unlock();
1432+ return ptr;
1433+ }
1434+ rcu_read_unlock();
1435+ return &ccs_default_security;
1436+}
1437+
1438+/**
1439+ * ccs_task_security_gc - Do garbage collection for "struct task_struct".
1440+ *
1441+ * Returns nothing.
1442+ *
1443+ * Since security_task_free() is missing, I can't release memory associated
1444+ * with "struct task_struct" when a task dies. Therefore, I hold a reference on
1445+ * "struct pid" and runs garbage collection when associated
1446+ * "struct task_struct" has gone.
1447+ */
1448+static void ccs_task_security_gc(void)
1449+{
1450+ static DEFINE_SPINLOCK(lock);
1451+ static atomic_t gc_counter = ATOMIC_INIT(0);
1452+ unsigned int idx;
1453+ /*
1454+ * If some process is doing execve(), try to garbage collection now.
1455+ * We should kfree() memory associated with "struct ccs_security"->ee
1456+ * as soon as execve() has completed in order to compensate for lack of
1457+ * security_bprm_free() and security_task_free() hooks.
1458+ *
1459+ * Otherwise, reduce frequency for performance reason.
1460+ */
1461+ if (!atomic_read(&ccs_in_execve_tasks) &&
1462+ atomic_inc_return(&gc_counter) < 1024)
1463+ return;
1464+ if (!spin_trylock(&lock))
1465+ return;
1466+ atomic_set(&gc_counter, 0);
1467+ rcu_read_lock();
1468+ for (idx = 0; idx < CCS_MAX_TASK_SECURITY_HASH; idx++) {
1469+ struct ccs_security *ptr;
1470+ struct list_head *list = &ccs_task_security_list[idx];
1471+ list_for_each_entry_rcu(ptr, list, list) {
1472+ if (pid_task(ptr->pid, PIDTYPE_PID))
1473+ continue;
1474+ ccs_del_security(ptr);
1475+ }
1476+ }
1477+ rcu_read_unlock();
1478+ spin_unlock(&lock);
1479+}
--- tags/patches/1.0.38/lsm-4.7.c (nonexistent)
+++ tags/patches/1.0.38/lsm-4.7.c (revision 589)
@@ -0,0 +1,1482 @@
1+/*
2+ * lsm.c
3+ *
4+ * Copyright (C) 2010-2015 Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
5+ *
6+ * Version: 1.0.38 2018/04/01
7+ */
8+
9+#include "internal.h"
10+#include "probe.h"
11+
12+/* Prototype definition. */
13+static void ccs_task_security_gc(void);
14+static int ccs_copy_cred_security(const struct cred *new,
15+ const struct cred *old, gfp_t gfp);
16+static struct ccs_security *ccs_find_cred_security(const struct cred *cred);
17+static DEFINE_SPINLOCK(ccs_task_security_list_lock);
18+static atomic_t ccs_in_execve_tasks = ATOMIC_INIT(0);
19+/*
20+ * List of "struct ccs_security" for "struct pid".
21+ *
22+ * All instances on this list is guaranteed that "struct ccs_security"->pid !=
23+ * NULL. Also, instances on this list that are in execve() are guaranteed that
24+ * "struct ccs_security"->cred remembers "struct linux_binprm"->cred with a
25+ * refcount on "struct linux_binprm"->cred.
26+ */
27+struct list_head ccs_task_security_list[CCS_MAX_TASK_SECURITY_HASH];
28+/*
29+ * List of "struct ccs_security" for "struct cred".
30+ *
31+ * Since the number of "struct cred" is nearly equals to the number of
32+ * "struct pid", we allocate hash tables like ccs_task_security_list.
33+ *
34+ * All instances on this list are guaranteed that "struct ccs_security"->pid ==
35+ * NULL and "struct ccs_security"->cred != NULL.
36+ */
37+static struct list_head ccs_cred_security_list[CCS_MAX_TASK_SECURITY_HASH];
38+
39+/* Dummy security context for avoiding NULL pointer dereference. */
40+static struct ccs_security ccs_oom_security = {
41+ .ccs_domain_info = &ccs_kernel_domain
42+};
43+
44+/* Dummy security context for avoiding NULL pointer dereference. */
45+static struct ccs_security ccs_default_security = {
46+ .ccs_domain_info = &ccs_kernel_domain
47+};
48+
49+/* For exporting variables and functions. */
50+struct ccsecurity_exports ccsecurity_exports;
51+/* Members are updated by loadable kernel module. */
52+struct ccsecurity_operations ccsecurity_ops;
53+
54+/* Original hooks. */
55+static union security_list_options original_cred_prepare;
56+static union security_list_options original_cred_free;
57+static union security_list_options original_cred_alloc_blank;
58+
59+#ifdef CONFIG_AKARI_TRACE_EXECVE_COUNT
60+
61+/**
62+ * ccs_update_ee_counter - Update "struct ccs_execve" counter.
63+ *
64+ * @count: Count to increment or decrement.
65+ *
66+ * Returns updated counter.
67+ */
68+static unsigned int ccs_update_ee_counter(int count)
69+{
70+ /* Debug counter for detecting "struct ccs_execve" memory leak. */
71+ static atomic_t ccs_ee_counter = ATOMIC_INIT(0);
72+ return atomic_add_return(count, &ccs_ee_counter);
73+}
74+
75+/**
76+ * ccs_audit_alloc_execve - Audit allocation of "struct ccs_execve".
77+ *
78+ * @ee: Pointer to "struct ccs_execve".
79+ *
80+ * Returns nothing.
81+ */
82+void ccs_audit_alloc_execve(const struct ccs_execve * const ee)
83+{
84+ printk(KERN_INFO "AKARI: Allocated %p by pid=%u (count=%u)\n", ee,
85+ current->pid, ccs_update_ee_counter(1) - 1);
86+}
87+
88+/**
89+ * ccs_audit_free_execve - Audit release of "struct ccs_execve".
90+ *
91+ * @ee: Pointer to "struct ccs_execve".
92+ * @task: True if released by current task, false otherwise.
93+ *
94+ * Returns nothing.
95+ */
96+void ccs_audit_free_execve(const struct ccs_execve * const ee,
97+ const bool is_current)
98+{
99+ const unsigned int tmp = ccs_update_ee_counter(-1);
100+ if (is_current)
101+ printk(KERN_INFO "AKARI: Releasing %p by pid=%u (count=%u)\n",
102+ ee, current->pid, tmp);
103+ else
104+ printk(KERN_INFO "AKARI: Releasing %p by kernel (count=%u)\n",
105+ ee, tmp);
106+}
107+
108+#endif
109+
110+#if !defined(CONFIG_AKARI_DEBUG)
111+#define ccs_debug_trace(pos) do { } while (0)
112+#else
113+#define ccs_debug_trace(pos) \
114+ do { \
115+ static bool done; \
116+ if (!done) { \
117+ printk(KERN_INFO \
118+ "AKARI: Debug trace: " pos " of 4\n"); \
119+ done = true; \
120+ } \
121+ } while (0)
122+#endif
123+
124+/**
125+ * ccs_clear_execve - Release memory used by do_execve().
126+ *
127+ * @ret: 0 if do_execve() succeeded, negative value otherwise.
128+ * @security: Pointer to "struct ccs_security".
129+ *
130+ * Returns nothing.
131+ */
132+static void ccs_clear_execve(int ret, struct ccs_security *security)
133+{
134+ struct ccs_execve *ee;
135+ if (security == &ccs_default_security || security == &ccs_oom_security)
136+ return;
137+ ee = security->ee;
138+ security->ee = NULL;
139+ if (!ee)
140+ return;
141+ atomic_dec(&ccs_in_execve_tasks);
142+ ccs_finish_execve(ret, ee);
143+}
144+
145+/**
146+ * ccs_rcu_free - RCU callback for releasing "struct ccs_security".
147+ *
148+ * @rcu: Pointer to "struct rcu_head".
149+ *
150+ * Returns nothing.
151+ */
152+static void ccs_rcu_free(struct rcu_head *rcu)
153+{
154+ struct ccs_security *ptr = container_of(rcu, typeof(*ptr), rcu);
155+ struct ccs_execve *ee = ptr->ee;
156+ /*
157+ * If this security context was associated with "struct pid" and
158+ * ptr->ccs_flags has CCS_TASK_IS_IN_EXECVE set, it indicates that a
159+ * "struct task_struct" associated with this security context exited
160+ * immediately after do_execve() has failed.
161+ */
162+ if (ptr->pid && (ptr->ccs_flags & CCS_TASK_IS_IN_EXECVE)) {
163+ ccs_debug_trace("1");
164+ atomic_dec(&ccs_in_execve_tasks);
165+ }
166+ /*
167+ * If this security context was associated with "struct pid",
168+ * drop refcount obtained by get_pid() in ccs_find_task_security().
169+ */
170+ if (ptr->pid) {
171+ ccs_debug_trace("2");
172+ put_pid(ptr->pid);
173+ }
174+ if (ee) {
175+ ccs_debug_trace("3");
176+ ccs_audit_free_execve(ee, false);
177+ kfree(ee->handler_path);
178+ kfree(ee);
179+ }
180+ kfree(ptr);
181+}
182+
183+/**
184+ * ccs_del_security - Release "struct ccs_security".
185+ *
186+ * @ptr: Pointer to "struct ccs_security".
187+ *
188+ * Returns nothing.
189+ */
190+static void ccs_del_security(struct ccs_security *ptr)
191+{
192+ unsigned long flags;
193+ if (ptr == &ccs_default_security || ptr == &ccs_oom_security)
194+ return;
195+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
196+ list_del_rcu(&ptr->list);
197+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
198+ call_rcu(&ptr->rcu, ccs_rcu_free);
199+}
200+
201+/**
202+ * ccs_add_cred_security - Add "struct ccs_security" to list.
203+ *
204+ * @ptr: Pointer to "struct ccs_security".
205+ *
206+ * Returns nothing.
207+ */
208+static void ccs_add_cred_security(struct ccs_security *ptr)
209+{
210+ unsigned long flags;
211+ struct list_head *list = &ccs_cred_security_list
212+ [hash_ptr((void *) ptr->cred, CCS_TASK_SECURITY_HASH_BITS)];
213+#ifdef CONFIG_AKARI_DEBUG
214+ if (ptr->pid)
215+ printk(KERN_INFO "AKARI: \"struct ccs_security\"->pid != NULL"
216+ "\n");
217+#endif
218+ ptr->pid = NULL;
219+ spin_lock_irqsave(&ccs_task_security_list_lock, flags);
220+ list_add_rcu(&ptr->list, list);
221+ spin_unlock_irqrestore(&ccs_task_security_list_lock, flags);
222+}
223+
224+/**
225+ * ccs_task_create - Make snapshot of security context for new task.
226+ *
227+ * @clone_flags: Flags passed to clone().
228+ *
229+ * Returns 0 on success, negative value otherwise.
230+ */
231+static int ccs_task_create(unsigned long clone_flags)
232+{
233+ struct ccs_security *old_security;
234+ struct ccs_security *new_security;
235+ struct cred *cred = prepare_creds();
236+ if (!cred)
237+ return -ENOMEM;
238+ old_security = ccs_find_task_security(current);
239+ new_security = ccs_find_cred_security(cred);
240+ new_security->ccs_domain_info = old_security->ccs_domain_info;
241+ new_security->ccs_flags = old_security->ccs_flags;
242+ return commit_creds(cred);
243+}
244+
245+/**
246+ * ccs_cred_prepare - Allocate memory for new credentials.
247+ *
248+ * @new: Pointer to "struct cred".
249+ * @old: Pointer to "struct cred".
250+ * @gfp: Memory allocation flags.
251+ *
252+ * Returns 0 on success, negative value otherwise.
253+ */
254+static int ccs_cred_prepare(struct cred *new, const struct cred *old,
255+ gfp_t gfp)
256+{
257+ int rc1;
258+ /*
259+ * For checking whether reverting domain transition is needed or not.
260+ *
261+ * See ccs_find_task_security() for reason.
262+ */
263+ if (gfp == GFP_KERNEL)
264+ ccs_find_task_security(current);
265+ rc1 = ccs_copy_cred_security(new, old, gfp);
266+ if (gfp == GFP_KERNEL)
267+ ccs_task_security_gc();
268+ if (original_cred_prepare.cred_prepare) {
269+ const int rc2 = original_cred_prepare.cred_prepare(new, old,
270+ gfp);
271+ if (rc2) {
272+ ccs_del_security(ccs_find_cred_security(new));
273+ return rc2;
274+ }
275+ }
276+ return rc1;
277+}
278+
279+/**
280+ * ccs_cred_free - Release memory used by credentials.
281+ *
282+ * @cred: Pointer to "struct cred".
283+ *
284+ * Returns nothing.
285+ */
286+static void ccs_cred_free(struct cred *cred)
287+{
288+ if (original_cred_free.cred_free)
289+ original_cred_free.cred_free(cred);
290+ ccs_del_security(ccs_find_cred_security(cred));
291+}
292+
293+/**
294+ * ccs_alloc_cred_security - Allocate memory for new credentials.
295+ *
296+ * @cred: Pointer to "struct cred".
297+ * @gfp: Memory allocation flags.
298+ *
299+ * Returns 0 on success, negative value otherwise.
300+ */
301+static int ccs_alloc_cred_security(const struct cred *cred, gfp_t gfp)
302+{
303+ struct ccs_security *new_security = kzalloc(sizeof(*new_security),
304+ gfp);
305+ if (!new_security)
306+ return -ENOMEM;
307+ new_security->cred = cred;
308+ ccs_add_cred_security(new_security);
309+ return 0;
310+}
311+
312+/**
313+ * ccs_cred_alloc_blank - Allocate memory for new credentials.
314+ *
315+ * @new: Pointer to "struct cred".
316+ * @gfp: Memory allocation flags.
317+ *
318+ * Returns 0 on success, negative value otherwise.
319+ */
320+static int ccs_cred_alloc_blank(struct cred *new, gfp_t gfp)
321+{
322+ const int rc1 = ccs_alloc_cred_security(new, gfp);
323+ if (original_cred_alloc_blank.cred_alloc_blank) {
324+ const int rc2 = original_cred_alloc_blank.
325+ cred_alloc_blank(new, gfp);
326+ if (rc2) {
327+ ccs_del_security(ccs_find_cred_security(new));
328+ return rc2;
329+ }
330+ }
331+ return rc1;
332+}
333+
334+/**
335+ * ccs_cred_transfer - Transfer "struct ccs_security" between credentials.
336+ *
337+ * @new: Pointer to "struct cred".
338+ * @old: Pointer to "struct cred".
339+ *
340+ * Returns nothing.
341+ */
342+static void ccs_cred_transfer(struct cred *new, const struct cred *old)
343+{
344+ struct ccs_security *new_security = ccs_find_cred_security(new);
345+ struct ccs_security *old_security = ccs_find_cred_security(old);
346+ if (new_security == &ccs_default_security ||
347+ new_security == &ccs_oom_security ||
348+ old_security == &ccs_default_security ||
349+ old_security == &ccs_oom_security)
350+ return;
351+ new_security->ccs_flags = old_security->ccs_flags;
352+ new_security->ccs_domain_info = old_security->ccs_domain_info;
353+}
354+
355+/**
356+ * ccs_bprm_committing_creds - A hook which is called when do_execve() succeeded.