diff options
| author | Linus Torvalds <torvalds@linux-foundation.org> | 2015-06-27 13:26:03 -0700 |
|---|---|---|
| committer | Linus Torvalds <torvalds@linux-foundation.org> | 2015-06-27 13:26:03 -0700 |
| commit | e22619a29fcdb513b7bc020e84225bb3b5914259 (patch) | |
| tree | 1d1d72a4c8cebad4f2d2bf738395ca4ececa95ec /security | |
| parent | 78c10e556ed904d5bfbd71e9cadd8ce8f25d6982 (diff) | |
| parent | b3bddffd35a0b77eee89760eb94cafa18dc431f5 (diff) | |
Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security
Pull security subsystem updates from James Morris:
"The main change in this kernel is Casey's generalized LSM stacking
work, which removes the hard-coding of Capabilities and Yama stacking,
allowing multiple arbitrary "small" LSMs to be stacked with a default
monolithic module (e.g. SELinux, Smack, AppArmor).
See
https://lwn.net/Articles/636056/
This will allow smaller, simpler LSMs to be incorporated into the
mainline kernel and arbitrarily stacked by users. Also, this is a
useful cleanup of the LSM code in its own right"
* 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security: (38 commits)
tpm, tpm_crb: fix le64_to_cpu conversions in crb_acpi_add()
vTPM: set virtual device before passing to ibmvtpm_reset_crq
tpm_ibmvtpm: remove unneccessary message level.
ima: update builtin policies
ima: extend "mask" policy matching support
ima: add support for new "euid" policy condition
ima: fix ima_show_template_data_ascii()
Smack: freeing an error pointer in smk_write_revoke_subj()
selinux: fix setting of security labels on NFS
selinux: Remove unused permission definitions
selinux: enable genfscon labeling for sysfs and pstore files
selinux: enable per-file labeling for debugfs files.
selinux: update netlink socket classes
signals: don't abuse __flush_signals() in selinux_bprm_committed_creds()
selinux: Print 'sclass' as string when unrecognized netlink message occurs
Smack: allow multiple labels in onlycap
Smack: fix seq operations in smackfs
ima: pass iint to ima_add_violation()
ima: wrap event related data to the new ima_event_data structure
integrity: add validity checks for 'path' parameter
...
Diffstat (limited to 'security')
28 files changed, 1767 insertions, 2427 deletions
diff --git a/security/Makefile b/security/Makefile index 05f1c934d74b..c9bfbc84ff50 100644 --- a/security/Makefile +++ b/security/Makefile @@ -14,7 +14,7 @@ obj-y += commoncap.o obj-$(CONFIG_MMU) += min_addr.o # Object file lists -obj-$(CONFIG_SECURITY) += security.o capability.o +obj-$(CONFIG_SECURITY) += security.o obj-$(CONFIG_SECURITYFS) += inode.o obj-$(CONFIG_SECURITY_SELINUX) += selinux/ obj-$(CONFIG_SECURITY_SMACK) += smack/ diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c index d97cba3e3849..dc0027b28b04 100644 --- a/security/apparmor/domain.c +++ b/security/apparmor/domain.c @@ -347,9 +347,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm) file_inode(bprm->file)->i_mode }; const char *name = NULL, *target = NULL, *info = NULL; - int error = cap_bprm_set_creds(bprm); - if (error) - return error; + int error = 0; if (bprm->cred_prepared) return 0; @@ -531,15 +529,13 @@ cleanup: */ int apparmor_bprm_secureexec(struct linux_binprm *bprm) { - int ret = cap_bprm_secureexec(bprm); - /* the decision to use secure exec is computed in set_creds * and stored in bprm->unsafe. */ - if (!ret && (bprm->unsafe & AA_SECURE_X_NEEDED)) - ret = 1; + if (bprm->unsafe & AA_SECURE_X_NEEDED) + return 1; - return ret; + return 0; } /** diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index e5f1561439db..5696874e8062 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -12,7 +12,7 @@ * License. */ -#include <linux/security.h> +#include <linux/lsm_hooks.h> #include <linux/moduleparam.h> #include <linux/mm.h> #include <linux/mman.h> @@ -96,19 +96,11 @@ static void apparmor_cred_transfer(struct cred *new, const struct cred *old) static int apparmor_ptrace_access_check(struct task_struct *child, unsigned int mode) { - int error = cap_ptrace_access_check(child, mode); - if (error) - return error; - return aa_ptrace(current, child, mode); } static int apparmor_ptrace_traceme(struct task_struct *parent) { - int error = cap_ptrace_traceme(parent); - if (error) - return error; - return aa_ptrace(parent, current, PTRACE_MODE_ATTACH); } @@ -123,10 +115,10 @@ static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, cred = __task_cred(target); profile = aa_cred_profile(cred); - *effective = cred->cap_effective; - *inheritable = cred->cap_inheritable; - *permitted = cred->cap_permitted; - + /* + * cap_capget is stacked ahead of this and will + * initialize effective and permitted. + */ if (!unconfined(profile) && !COMPLAIN_MODE(profile)) { *effective = cap_intersect(*effective, profile->caps.allow); *permitted = cap_intersect(*permitted, profile->caps.allow); @@ -140,13 +132,11 @@ static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, int cap, int audit) { struct aa_profile *profile; - /* cap_capable returns 0 on success, else -EPERM */ - int error = cap_capable(cred, ns, cap, audit); - if (!error) { - profile = aa_cred_profile(cred); - if (!unconfined(profile)) - error = aa_capable(profile, cap, audit); - } + int error = 0; + + profile = aa_cred_profile(cred); + if (!unconfined(profile)) + error = aa_capable(profile, cap, audit); return error; } @@ -615,49 +605,46 @@ static int apparmor_task_setrlimit(struct task_struct *task, return error; } -static struct security_operations apparmor_ops = { - .name = "apparmor", - - .ptrace_access_check = apparmor_ptrace_access_check, - .ptrace_traceme = apparmor_ptrace_traceme, - .capget = apparmor_capget, - .capable = apparmor_capable, - - .path_link = apparmor_path_link, - .path_unlink = apparmor_path_unlink, - .path_symlink = apparmor_path_symlink, - .path_mkdir = apparmor_path_mkdir, - .path_rmdir = apparmor_path_rmdir, - .path_mknod = apparmor_path_mknod, - .path_rename = apparmor_path_rename, - .path_chmod = apparmor_path_chmod, - .path_chown = apparmor_path_chown, - .path_truncate = apparmor_path_truncate, - .inode_getattr = apparmor_inode_getattr, - - .file_open = apparmor_file_open, - .file_permission = apparmor_file_permission, - .file_alloc_security = apparmor_file_alloc_security, - .file_free_security = apparmor_file_free_security, - .mmap_file = apparmor_mmap_file, - .mmap_addr = cap_mmap_addr, - .file_mprotect = apparmor_file_mprotect, - .file_lock = apparmor_file_lock, - - .getprocattr = apparmor_getprocattr, - .setprocattr = apparmor_setprocattr, - - .cred_alloc_blank = apparmor_cred_alloc_blank, - .cred_free = apparmor_cred_free, - .cred_prepare = apparmor_cred_prepare, - .cred_transfer = apparmor_cred_transfer, - - .bprm_set_creds = apparmor_bprm_set_creds, - .bprm_committing_creds = apparmor_bprm_committing_creds, - .bprm_committed_creds = apparmor_bprm_committed_creds, - .bprm_secureexec = apparmor_bprm_secureexec, - - .task_setrlimit = apparmor_task_setrlimit, +static struct security_hook_list apparmor_hooks[] = { + LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), + LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), + LSM_HOOK_INIT(capget, apparmor_capget), + LSM_HOOK_INIT(capable, apparmor_capable), + + LSM_HOOK_INIT(path_link, apparmor_path_link), + LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), + LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), + LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), + LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), + LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), + LSM_HOOK_INIT(path_rename, apparmor_path_rename), + LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), + LSM_HOOK_INIT(path_chown, apparmor_path_chown), + LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), + LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), + + LSM_HOOK_INIT(file_open, apparmor_file_open), + LSM_HOOK_INIT(file_permission, apparmor_file_permission), + LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), + LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), + LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), + LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), + LSM_HOOK_INIT(file_lock, apparmor_file_lock), + + LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), + LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), + + LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), + LSM_HOOK_INIT(cred_free, apparmor_cred_free), + LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), + LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), + + LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), + LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), + LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), + LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec), + + LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), }; /* @@ -898,7 +885,7 @@ static int __init apparmor_init(void) { int error; - if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) { + if (!apparmor_enabled || !security_module_enable("apparmor")) { aa_info_message("AppArmor disabled by boot time parameter"); apparmor_enabled = 0; return 0; @@ -913,17 +900,10 @@ static int __init apparmor_init(void) error = set_init_cxt(); if (error) { AA_ERROR("Failed to set context on init task\n"); - goto register_security_out; - } - - error = register_security(&apparmor_ops); - if (error) { - struct cred *cred = (struct cred *)current->real_cred; - aa_free_task_context(cred_cxt(cred)); - cred_cxt(cred) = NULL; - AA_ERROR("Unable to register AppArmor\n"); - goto register_security_out; + aa_free_root_ns(); + goto alloc_out; } + security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks)); /* Report that AppArmor successfully initialized */ apparmor_initialized = 1; @@ -936,9 +916,6 @@ static int __init apparmor_init(void) return error; -register_security_out: - aa_free_root_ns(); - alloc_out: aa_destroy_aafs(); diff --git a/security/capability.c b/security/capability.c deleted file mode 100644 index 7d3f38fe02ba..000000000000 --- a/security/capability.c +++ /dev/null @@ -1,1158 +0,0 @@ -/* - * Capabilities Linux Security Module - * - * This is the default security module in case no other module is loaded. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - */ - -#include <linux/security.h> - -static int cap_binder_set_context_mgr(struct task_struct *mgr) -{ - return 0; -} - -static int cap_binder_transaction(struct task_struct *from, - struct task_struct *to) -{ - return 0; -} - -static int cap_binder_transfer_binder(struct task_struct *from, - struct task_struct *to) -{ - return 0; -} - -static int cap_binder_transfer_file(struct task_struct *from, - struct task_struct *to, struct file *file) -{ - return 0; -} - -static int cap_syslog(int type) -{ - return 0; -} - -static int cap_quotactl(int cmds, int type, int id, struct super_block *sb) -{ - return 0; -} - -static int cap_quota_on(struct dentry *dentry) -{ - return 0; -} - -static int cap_bprm_check_security(struct linux_binprm *bprm) -{ - return 0; -} - -static void cap_bprm_committing_creds(struct linux_binprm *bprm) -{ -} - -static void cap_bprm_committed_creds(struct linux_binprm *bprm) -{ -} - -static int cap_sb_alloc_security(struct super_block *sb) -{ - return 0; -} - -static void cap_sb_free_security(struct super_block *sb) -{ -} - -static int cap_sb_copy_data(char *orig, char *copy) -{ - return 0; -} - -static int cap_sb_remount(struct super_block *sb, void *data) -{ - return 0; -} - -static int cap_sb_kern_mount(struct super_block *sb, int flags, void *data) -{ - return 0; -} - -static int cap_sb_show_options(struct seq_file *m, struct super_block *sb) -{ - return 0; -} - -static int cap_sb_statfs(struct dentry *dentry) -{ - return 0; -} - -static int cap_sb_mount(const char *dev_name, struct path *path, - const char *type, unsigned long flags, void *data) -{ - return 0; -} - -static int cap_sb_umount(struct vfsmount *mnt, int flags) -{ - return 0; -} - -static int cap_sb_pivotroot(struct path *old_path, struct path *new_path) -{ - return 0; -} - -static int cap_sb_set_mnt_opts(struct super_block *sb, - struct security_mnt_opts *opts, - unsigned long kern_flags, - unsigned long *set_kern_flags) - -{ - if (unlikely(opts->num_mnt_opts)) - return -EOPNOTSUPP; - return 0; -} - -static int cap_sb_clone_mnt_opts(const struct super_block *oldsb, - struct super_block *newsb) -{ - return 0; -} - -static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts) -{ - return 0; -} - -static int cap_dentry_init_security(struct dentry *dentry, int mode, - struct qstr *name, void **ctx, - u32 *ctxlen) -{ - return -EOPNOTSUPP; -} - -static int cap_inode_alloc_security(struct inode *inode) -{ - return 0; -} - -static void cap_inode_free_security(struct inode *inode) -{ -} - -static int cap_inode_init_security(struct inode *inode, struct inode *dir, - const struct qstr *qstr, const char **name, - void **value, size_t *len) -{ - return -EOPNOTSUPP; -} - -static int cap_inode_create(struct inode *inode, struct dentry *dentry, - umode_t mask) -{ - return 0; -} - -static int cap_inode_link(struct dentry *old_dentry, struct inode *inode, - struct dentry *new_dentry) -{ - return 0; -} - -static int cap_inode_unlink(struct inode *inode, struct dentry *dentry) -{ - return 0; -} - -static int cap_inode_symlink(struct inode *inode, struct dentry *dentry, - const char *name) -{ - return 0; -} - -static int cap_inode_mkdir(struct inode *inode, struct dentry *dentry, - umode_t mask) -{ - return 0; -} - -static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry) -{ - return 0; -} - -static int cap_inode_mknod(struct inode *inode, struct dentry *dentry, - umode_t mode, dev_t dev) -{ - return 0; -} - -static int cap_inode_rename(struct inode *old_inode, struct dentry *old_dentry, - struct inode *new_inode, struct dentry *new_dentry) -{ - return 0; -} - -static int cap_inode_readlink(struct dentry *dentry) -{ - return 0; -} - -static int cap_inode_follow_link(struct dentry *dentry, struct inode *inode, - bool rcu) -{ - return 0; -} - -static int cap_inode_permission(struct inode *inode, int mask) -{ - return 0; -} - -static int cap_inode_setattr(struct dentry *dentry, struct iattr *iattr) -{ - return 0; -} - -static int cap_inode_getattr(const struct path *path) -{ - return 0; -} - -static void cap_inode_post_setxattr(struct dentry *dentry, const char *name, - const void *value, size_t size, int flags) -{ -} - -static int cap_inode_getxattr(struct dentry *dentry, const char *name) -{ - return 0; -} - -static int cap_inode_listxattr(struct dentry *dentry) -{ - return 0; -} - -static int cap_inode_getsecurity(const struct inode *inode, const char *name, - void **buffer, bool alloc) -{ - return -EOPNOTSUPP; -} - -static int cap_inode_setsecurity(struct inode *inode, const char *name, - const void *value, size_t size, int flags) -{ - return -EOPNOTSUPP; -} - -static int cap_inode_listsecurity(struct inode *inode, char *buffer, - size_t buffer_size) -{ - return 0; -} - -static void cap_inode_getsecid(const struct inode *inode, u32 *secid) -{ - *secid = 0; -} - -#ifdef CONFIG_SECURITY_PATH -static int cap_path_mknod(struct path *dir, struct dentry *dentry, umode_t mode, - unsigned int dev) -{ - return 0; -} - -static int cap_path_mkdir(struct path *dir, struct dentry *dentry, umode_t mode) -{ - return 0; -} - -static int cap_path_rmdir(struct path *dir, struct dentry *dentry) -{ - return 0; -} - -static int cap_path_unlink(struct path *dir, struct dentry *dentry) -{ - return 0; -} - -static int cap_path_symlink(struct path *dir, struct dentry *dentry, - const char *old_name) -{ - return 0; -} - -static int cap_path_link(struct dentry *old_dentry, struct path *new_dir, - struct dentry *new_dentry) -{ - return 0; -} - -static int cap_path_rename(struct path *old_path, struct dentry *old_dentry, - struct path *new_path, struct dentry *new_dentry) -{ - return 0; -} - -static int cap_path_truncate(struct path *path) -{ - return 0; -} - -static int cap_path_chmod(struct path *path, umode_t mode) -{ - return 0; -} - -static int cap_path_chown(struct path *path, kuid_t uid, kgid_t gid) -{ - return 0; -} - -static int cap_path_chroot(struct path *root) -{ - return 0; -} -#endif - -static int cap_file_permission(struct file *file, int mask) -{ - return 0; -} - -static int cap_file_alloc_security(struct file *file) -{ - return 0; -} - -static void cap_file_free_security(struct file *file) -{ -} - -static int cap_file_ioctl(struct file *file, unsigned int command, - unsigned long arg) -{ - return 0; -} - -static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, - unsigned long prot) -{ - return 0; -} - -static int cap_file_lock(struct file *file, unsigned int cmd) -{ - return 0; -} - -static int cap_file_fcntl(struct file *file, unsigned int cmd, - unsigned long arg) -{ - return 0; -} - -static void cap_file_set_fowner(struct file *file) -{ - return; -} - -static int cap_file_send_sigiotask(struct task_struct *tsk, - struct fown_struct *fown, int sig) -{ - return 0; -} - -static int cap_file_receive(struct file *file) -{ - return 0; -} - -static int cap_file_open(struct file *file, const struct cred *cred) -{ - return 0; -} - -static int cap_task_create(unsigned long clone_flags) -{ - return 0; -} - -static void cap_task_free(struct task_struct *task) -{ -} - -static int cap_cred_alloc_blank(struct cred *cred, gfp_t gfp) -{ - return 0; -} - -static void cap_cred_free(struct cred *cred) -{ -} - -static int cap_cred_prepare(struct cred *new, const struct cred *old, gfp_t gfp) -{ - return 0; -} - -static void cap_cred_transfer(struct cred *new, const struct cred *old) -{ -} - -static int cap_kernel_act_as(struct cred *new, u32 secid) -{ - return 0; -} - -static int cap_kernel_create_files_as(struct cred *new, struct inode *inode) -{ - return 0; -} - -static int cap_kernel_fw_from_file(struct file *file, char *buf, size_t size) -{ - return 0; -} - -static int cap_kernel_module_request(char *kmod_name) -{ - return 0; -} - -static int cap_kernel_module_from_file(struct file *file) -{ - return 0; -} - -static int cap_task_setpgid(struct task_struct *p, pid_t pgid) -{ - return 0; -} - -static int cap_task_getpgid(struct task_struct *p) -{ - return 0; -} - -static int cap_task_getsid(struct task_struct *p) -{ - return 0; -} - -static void cap_task_getsecid(struct task_struct *p, u32 *secid) -{ - *secid = 0; -} - -static int cap_task_getioprio(struct task_struct *p) -{ - return 0; -} - -static int cap_task_setrlimit(struct task_struct *p, unsigned int resource, - struct rlimit *new_rlim) -{ - return 0; -} - -static int cap_task_getscheduler(struct task_struct *p) -{ - return 0; -} - -static int cap_task_movememory(struct task_struct *p) -{ - return 0; -} - -static int cap_task_wait(struct task_struct *p) -{ - return 0; -} - -static int cap_task_kill(struct task_struct *p, struct siginfo *info, - int sig, u32 secid) -{ - return 0; -} - -static void cap_task_to_inode(struct task_struct *p, struct inode *inode) -{ -} - -static int cap_ipc_permission(struct kern_ipc_perm *ipcp, short flag) -{ - return 0; -} - -static void cap_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) -{ - *secid = 0; -} - -static int cap_msg_msg_alloc_security(struct msg_msg *msg) -{ - return 0; -} - -static void cap_msg_msg_free_security(struct msg_msg *msg) -{ -} - -static int cap_msg_queue_alloc_security(struct msg_queue *msq) -{ - return 0; -} - -static void cap_msg_queue_free_security(struct msg_queue *msq) -{ -} - -static int cap_msg_queue_associate(struct msg_queue *msq, int msqflg) -{ - return 0; -} - -static int cap_msg_queue_msgctl(struct msg_queue *msq, int cmd) -{ - return 0; -} - -static int cap_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, - int msgflg) -{ - return 0; -} - -static int cap_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, - struct task_struct *target, long type, int mode) -{ - return 0; -} - -static int cap_shm_alloc_security(struct shmid_kernel *shp) -{ - return 0; -} - -static void cap_shm_free_security(struct shmid_kernel *shp) -{ -} - -static int cap_shm_associate(struct shmid_kernel *shp, int shmflg) -{ - return 0; -} - -static int cap_shm_shmctl(struct shmid_kernel *shp, int cmd) -{ - return 0; -} - -static int cap_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, - int shmflg) -{ - return 0; -} - -static int cap_sem_alloc_security(struct sem_array *sma) -{ - return 0; -} - -static void cap_sem_free_security(struct sem_array *sma) -{ -} - -static int cap_sem_associate(struct sem_array *sma, int semflg) -{ - return 0; -} - -static int cap_sem_semctl(struct sem_array *sma, int cmd) -{ - return 0; -} - -static int cap_sem_semop(struct sem_array *sma, struct sembuf *sops, - unsigned nsops, int alter) -{ - return 0; -} - -#ifdef CONFIG_SECURITY_NETWORK -static int cap_unix_stream_connect(struct sock *sock, struct sock *other, - struct sock *newsk) -{ - return 0; -} - -static int cap_unix_may_send(struct socket *sock, struct socket *other) -{ - return 0; -} - -static int cap_socket_create(int family, int type, int protocol, int kern) -{ - return 0; -} - -static int cap_socket_post_create(struct socket *sock, int family, int type, - int protocol, int kern) -{ - return 0; -} - -static int cap_socket_bind(struct socket *sock, struct sockaddr *address, - int addrlen) -{ - return 0; -} - -static int cap_socket_connect(struct socket *sock, struct sockaddr *address, - int addrlen) -{ - return 0; -} - -static int cap_socket_listen(struct socket *sock, int backlog) -{ - return 0; -} - -static int cap_socket_accept(struct socket *sock, struct socket *newsock) -{ - return 0; -} - -static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) -{ - return 0; -} - -static int cap_socket_recvmsg(struct socket *sock, struct msghdr *msg, - int size, int flags) -{ - return 0; -} - -static int cap_socket_getsockname(struct socket *sock) -{ - return 0; -} - -static int cap_socket_getpeername(struct socket *sock) -{ - return 0; -} - -static int cap_socket_setsockopt(struct socket *sock, int level, int optname) -{ - return 0; -} - -static int cap_socket_getsockopt(struct socket *sock, int level, int optname) -{ - return 0; -} - -static int cap_socket_shutdown(struct socket *sock, int how) -{ - return 0; -} - -static int cap_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) -{ - return 0; -} - -static int cap_socket_getpeersec_stream(struct socket *sock, - char __user *optval, - int __user *optlen, unsigned len) -{ - return -ENOPROTOOPT; -} - -static int cap_socket_getpeersec_dgram(struct socket *sock, - struct sk_buff *skb, u32 *secid) -{ - return -ENOPROTOOPT; -} - -static int cap_sk_alloc_security(struct sock *sk, int family, gfp_t priority) -{ - return 0; -} - -static void cap_sk_free_security(struct sock *sk) -{ -} - -static void cap_sk_clone_security(const struct sock *sk, struct sock *newsk) -{ -} - -static void cap_sk_getsecid(struct sock *sk, u32 *secid) -{ -} - -static void cap_sock_graft(struct sock *sk, struct socket *parent) -{ -} - -static int cap_inet_conn_request(struct sock *sk, struct sk_buff *skb, - struct request_sock *req) -{ - return 0; -} - -static void cap_inet_csk_clone(struct sock *newsk, - const struct request_sock *req) -{ -} - -static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb) -{ -} - -static int cap_secmark_relabel_packet(u32 secid) -{ - return 0; -} - -static void cap_secmark_refcount_inc(void) -{ -} - -static void cap_secmark_refcount_dec(void) -{ -} - -static void cap_req_classify_flow(const struct request_sock *req, - struct flowi *fl) -{ -} - -static int cap_tun_dev_alloc_security(void **security) |