|
Linux Kernel
3.7.1
|
All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
|
Linux Kernel
3.7.1
|
Go to the source code of this file.
Data Structures | |
| struct | security_mnt_opts |
Macros | |
| #define | SECURITY_NAME_MAX 10 |
| #define | SECURITY_CAP_NOAUDIT 0 |
| #define | SECURITY_CAP_AUDIT 1 |
| #define | mmap_min_addr 0UL |
| #define | dac_mmap_min_addr 0UL |
| #define | LSM_SETID_ID 1 |
| #define | LSM_SETID_RE 2 |
| #define | LSM_SETID_RES 4 |
| #define | LSM_SETID_FS 8 |
| #define | LSM_UNSAFE_SHARE 1 |
| #define | LSM_UNSAFE_PTRACE 2 |
| #define | LSM_UNSAFE_PTRACE_CAP 4 |
| #define | LSM_UNSAFE_NO_NEW_PRIVS 8 |
Typedefs | |
| typedef int(* | initxattrs )(struct inode *inode, const struct xattr *xattr_array, void *fs_data) |
| #define dac_mmap_min_addr 0UL |
Definition at line 122 of file security.h.
| #define LSM_SETID_FS 8 |
Definition at line 138 of file security.h.
| #define LSM_SETID_ID 1 |
Definition at line 129 of file security.h.
| #define LSM_SETID_RE 2 |
Definition at line 132 of file security.h.
| #define LSM_SETID_RES 4 |
Definition at line 135 of file security.h.
| #define LSM_UNSAFE_NO_NEW_PRIVS 8 |
Definition at line 148 of file security.h.
| #define LSM_UNSAFE_PTRACE 2 |
Definition at line 146 of file security.h.
| #define LSM_UNSAFE_PTRACE_CAP 4 |
Definition at line 147 of file security.h.
| #define LSM_UNSAFE_SHARE 1 |
Definition at line 145 of file security.h.
| #define mmap_min_addr 0UL |
Definition at line 121 of file security.h.
| #define SECURITY_CAP_AUDIT 1 |
Definition at line 61 of file security.h.
| #define SECURITY_CAP_NOAUDIT 0 |
Definition at line 60 of file security.h.
| #define SECURITY_NAME_MAX 10 |
Definition at line 57 of file security.h.
Definition at line 156 of file security.h.
| int cap_bprm_secureexec | ( | struct linux_binprm * | bprm | ) |
cap_bprm_secureexec - Determine whether a secure execution is required : The execution parameters
Determine whether a secure execution is required, return 1 if it is, and 0 if it is not.
The credentials have been committed by this point, and so are no longer available through ->cred.
Definition at line 581 of file commoncap.c.
| int cap_bprm_set_creds | ( | struct linux_binprm * | bprm | ) |
cap_bprm_set_creds - Set up the proposed credentials for execve(). : The execution parameters, including the proposed creds
Set up the proposed credentials for a new execution context being constructed by execve(). The proposed creds in ->cred is altered, which won't take effect immediately. Returns 0 if successful, -ve on error.
Definition at line 470 of file commoncap.c.
cap_capable - Determine whether a task has a particular effective capability : The credentials to use : The user namespace in which we need the capability : The capability to check for : Whether to write an audit message or not
Determine whether the nominated task has the specified capability amongst its effective set, returning 0 if it does, -ve if it does not.
NOTE WELL: cap_has_capability() cannot be used like the kernel's capable() and has_capability() functions. That is, it has the reverse semantics: cap_has_capability() returns 0 when a task has a capability, but the kernel's capable() and has_capability() returns 1 for this case.
Definition at line 76 of file commoncap.c.
| int cap_capget | ( | struct task_struct * | target, |
| kernel_cap_t * | effective, | ||
| kernel_cap_t * | inheritable, | ||
| kernel_cap_t * | permitted | ||
| ) |
cap_capget - Retrieve a task's capability sets : The task from which to retrieve the capability sets : The place to record the effective set : The place to record the inheritable set : The place to record the permitted set
This function retrieves the capabilities of the nominated task and returns them to the caller.
Definition at line 193 of file commoncap.c.
| int cap_capset | ( | struct cred * | new, |
| const struct cred * | old, | ||
| const kernel_cap_t * | effective, | ||
| const kernel_cap_t * | inheritable, | ||
| const kernel_cap_t * | permitted | ||
| ) |
cap_capset - Validate and apply proposed changes to current's capabilities : The proposed new credentials; alterations should be made here : The current task's current credentials : A pointer to the proposed new effective capabilities set : A pointer to the proposed new inheritable capabilities set : A pointer to the proposed new permitted capabilities set
This function validates and applies a proposed mass change to the current process's capability sets. The changes are made to the proposed new credentials, and assuming no error, will be committed by the caller of LSM.
Definition at line 236 of file commoncap.c.
cap_inode_killpriv - Erase the security markings on an inode : The inode/dentry to alter
Erase the privilege-enhancing security markings on an inode.
Returns 0 if successful, -ve on error.
Definition at line 311 of file commoncap.c.
cap_inode_need_killpriv - Determine if inode change affects privileges : The inode/dentry in being changed with change marked ATTR_KILL_PRIV
Determine if an inode having a change applied that's marked ATTR_KILL_PRIV affects the security markings on that inode, and if it is, should inode_killpriv() be invoked or the change rejected?
Returns 0 if granted; +ve if granted, but inode_killpriv() is required; and -ve to deny the change.
Definition at line 289 of file commoncap.c.
Definition at line 638 of file commoncap.c.
| int cap_inode_setxattr | ( | struct dentry * | dentry, |
| const char * | name, | ||
| const void * | value, | ||
| size_t | size, | ||
| int | flags | ||
| ) |
Definition at line 611 of file commoncap.c.
Definition at line 969 of file commoncap.c.
| int cap_mmap_file | ( | struct file * | file, |
| unsigned long | reqprot, | ||
| unsigned long | prot, | ||
| unsigned long | flags | ||
| ) |
Definition at line 983 of file commoncap.c.
Definition at line 56 of file commoncap.c.
| int cap_ptrace_access_check | ( | struct task_struct * | child, |
| unsigned int | mode | ||
| ) |
cap_ptrace_access_check - Determine whether the current process may access another : The process to be accessed : The mode of attachment.
If we are in the same or an ancestor user_ns and have all the target task's capabilities, then ptrace access is allowed. If we have the ptrace capability to the target user_ns, then ptrace access is allowed. Else denied.
Determine whether a process may access another, returning 0 if permission granted, -ve if denied.
Definition at line 132 of file commoncap.c.
| int cap_ptrace_traceme | ( | struct task_struct * | parent | ) |
cap_ptrace_traceme - Determine whether another process may trace the current : The task proposed to be the tracer
If parent is in the same or an ancestor user_ns and has all current's capabilities, then ptrace access is allowed. If parent has the ptrace capability to current's user_ns, then ptrace access is allowed. Else denied.
Determine whether the nominated task is permitted to trace the current process, returning 0 if permission is granted, -ve if denied.
Definition at line 164 of file commoncap.c.
cap_task_fix_setuid - Fix up the results of setuid() call : The proposed credentials : The current task's current credentials : Indications of what has changed
Fix up the results of setuid() call before the credential changes are actually applied, returning 0 to grant the changes, -ve to deny them.
Definition at line 711 of file commoncap.c.
| int cap_task_prctl | ( | int | option, |
| unsigned long | arg2, | ||
| unsigned long | arg3, | ||
| unsigned long | arg4, | ||
| unsigned long | arg5 | ||
| ) |
cap_task_prctl - Implement process control functions for this security module : The process control function requested , , , : The argument data for this function
Allow process control functions (sys_prctl()) to alter capabilities; may also deny access to other functions not otherwise implemented here.
Returns 0 or +ve on success, -ENOSYS if this function is not implemented here, other -ve on error. If -ENOSYS is returned, sys_prctl() and other LSM modules will consider performing the function.
Definition at line 839 of file commoncap.c.
| int cap_task_setioprio | ( | struct task_struct * | p, |
| int | ioprio | ||
| ) |
| int cap_task_setnice | ( | struct task_struct * | p, |
| int | nice | ||
| ) |
| int cap_task_setscheduler | ( | struct task_struct * | p | ) |
cap_task_setscheduler - Detemine if scheduler policy change is permitted : The task to affect
Detemine if the requested scheduler policy change is permitted for the specified task, returning 0 if permission is granted, -ve if denied.
Definition at line 781 of file commoncap.c.
cap_vm_enough_memory - Determine whether a new virtual mapping is permitted : The VM space in which the new mapping is to be made : The size of the mapping
Determine whether the allocation of a new virtual mapping by the current task is permitted, returning 0 if permission is granted, -ve if not.
Definition at line 950 of file commoncap.c.
Definition at line 75 of file security.c.
1.8.2