/*
* grsecurity - access control and security hardening for Linux
* Copyright (C) 2001-2020 Bradley Spengler, Open Source Security, Inc.
* http://www.grsecurity.net [email protected]
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License version 2
* as published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
*/
#ifndef GR_SECURITY_H
#define GR_SECURITY_H
#include <linux/fs.h>
#include <linux/fs_struct.h>
#include <linux/binfmts.h>
#include <linux/gracl.h>
/* notify of brain-dead configs */
/*
 * Build-time configuration sanity checks.  Each combination that the
 * messages below describe as unsafe or self-contradictory fails the build
 * outright rather than producing a kernel that only appears hardened.
 */
/* debugfs may not be combined with the KMEM restrictions (see message). */
#if defined(CONFIG_DEBUG_FS) && defined(CONFIG_GRKERNSEC_KMEM)
#error "CONFIG_DEBUG_FS being enabled is a security risk when CONFIG_GRKERNSEC_KMEM is enabled"
#endif
/* Page-level /proc reporting is rejected on every grsecurity build. */
#if defined(CONFIG_PROC_PAGE_MONITOR) && defined(CONFIG_GRKERNSEC)
#error "CONFIG_PROC_PAGE_MONITOR is a security risk"
#endif
/* The two /proc restriction modes are mutually exclusive ... */
#if defined(CONFIG_GRKERNSEC_PROC_USER) && defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
#error "CONFIG_GRKERNSEC_PROC_USER and CONFIG_GRKERNSEC_PROC_USERGROUP cannot both be enabled."
#endif
/* ... but CONFIG_GRKERNSEC_PROC requires exactly one of them. */
#if defined(CONFIG_GRKERNSEC_PROC) && !defined(CONFIG_GRKERNSEC_PROC_USER) && !defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
#error "CONFIG_GRKERNSEC_PROC enabled, but neither CONFIG_GRKERNSEC_PROC_USER nor CONFIG_GRKERNSEC_PROC_USERGROUP enabled"
#endif
/*
 * The PaX umbrella options are meaningless without at least one concrete
 * mechanism underneath them; reject an umbrella with nothing selected.
 */
#if defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_PAGEEXEC) && !defined(CONFIG_PAX_KERNEXEC)
#error "CONFIG_PAX_NOEXEC enabled, but PAGEEXEC and KERNEXEC are disabled."
#endif
#if defined(CONFIG_PAX_ASLR) && !defined(CONFIG_PAX_RANDKSTACK) && !defined(CONFIG_PAX_RANDUSTACK) && !defined(CONFIG_PAX_RANDMMAP)
#error "CONFIG_PAX_ASLR enabled, but RANDKSTACK, RANDUSTACK, and RANDMMAP are disabled."
#endif
#if defined(CONFIG_PAX) && !defined(CONFIG_PAX_NOEXEC) && !defined(CONFIG_PAX_ASLR)
#error "CONFIG_PAX enabled, but no PaX options are enabled."
#endif
/*
* arch/x86/kernel/cpu/bugs.c, grsecurity/grsec_tpe.c
*/
#ifdef CONFIG_GRKERNSEC_SUID_SPECTRE
/* Implemented in arch/x86/kernel/cpu/bugs.c and grsecurity/grsec_tpe.c. */
void gr_handle_suid_spectre(struct task_struct *task);
/* Enable flag for the feature; defined by the implementation. */
extern int grsec_enable_suid_spectre __read_only;
#else
/* CONFIG_GRKERNSEC_SUID_SPECTRE off: nothing is done for @task. */
static inline void gr_handle_suid_spectre(struct task_struct *task)
{
	(void)task;
}
#endif
/*
* kernel/cred.c
*/
/*
 * kernel/cred.c: deferred credential work.  Presumably a work-item
 * callback; the body is not visible from this header, so confirm the
 * calling context there before invoking it directly.
 */
void gr_delayed_cred_worker(void);
/*
* grsec_usb.c
*/
#ifdef CONFIG_GRKERNSEC_DENYUSB
/* Implemented in grsec_usb.c (presumably consulted on USB device attach). */
int gr_handle_new_usb(void);
#else
/* CONFIG_GRKERNSEC_DENYUSB off: always 0. */
static inline int gr_handle_new_usb(void) { return 0; }
#endif
/*
* grsec_brute.c
*/
#ifdef CONFIG_GRKERNSEC_BRUTE
/* Implemented in grsec_brute.c. */
void gr_handle_brute_attach(int dumpable);
void gr_handle_brute_check(void);
int gr_process_sugid_exec_ban(const struct linux_binprm *bprm);
#else
/* CONFIG_GRKERNSEC_BRUTE off: the hooks do nothing and never ban (0). */
static inline void gr_handle_brute_attach(int dumpable)
{
	(void)dumpable;
}
static inline void gr_handle_brute_check(void)
{
}
static inline int gr_process_sugid_exec_ban(const struct linux_binprm *bprm) { return 0; }
#endif
/*
* grsec_lockout.c
*/
#ifdef CONFIG_GRKERNSEC_KERN_LOCKOUT
/* Implemented in grsec_lockout.c. */
void gr_handle_kernel_exploit(void);
int gr_process_kernel_exec_ban(void);
int gr_process_kernel_setuid_ban(const struct user_struct *user);
#else
/* CONFIG_GRKERNSEC_KERN_LOCKOUT off: no lockout and no bans (both 0). */
static inline void gr_handle_kernel_exploit(void)
{
}
static inline int gr_process_kernel_exec_ban(void) { return 0; }
static inline int gr_process_kernel_setuid_ban(const struct user_struct *user) { return 0; }
#endif
/*
* grsec_mem.c
*/
#ifdef CONFIG_GRKERNSEC
/*
 * Implemented in grsec_mem.c.  There is deliberately no #else branch:
 * these names exist only on CONFIG_GRKERNSEC builds, so every call site
 * must itself be guarded by CONFIG_GRKERNSEC.
 */
extern int grsec_disable_privio __read_only;
void gr_handle_msr_write(void);
void gr_handle_ioperm(void);
void gr_handle_iopl(void);
void gr_handle_vm86(void);
/* @from/@to bound the range accessed; whether @to is inclusive is not visible here. */
void gr_handle_mem_readwrite(u64 from, u64 to);
/* @entry: name of the offending /proc entry — presumably; confirm at call sites. */
void gr_log_badprocpid(const char *entry);
#endif
/*
* grsec_tpe.c
*/
/* Which operation gr_tpe_allow() is being asked about. */
enum gr_tpe_op {
	GR_TPE_EXEC = 0,
	GR_TPE_MMAP = 1,
	GR_TPE_MPROTECT = 2,
};
#ifdef CONFIG_GRKERNSEC
/* Implemented in grsec_tpe.c. */
int gr_tpe_allow(const struct file *file, enum gr_tpe_op op);
#else
/* CONFIG_GRKERNSEC off: every @op on @file is allowed (1). */
static inline int gr_tpe_allow(const struct file *file, enum gr_tpe_op op) { return 1; }
#endif
#ifdef CONFIG_GRKERNSEC_SUID_NO_UNPRIV_EXEC
/*
 * Enable flag, defined by the implementation (grsec_tpe.c section).  No
 * stub is provided when the option is off, so references must be guarded.
 */
extern int grsec_enable_suid_no_unpriv_exec __read_only;
#endif
/*
* grsec_exec.c
*/
#ifdef CONFIG_GRKERNSEC_EXECLOG
/*
 * Implemented in grsec_exec.c.  @user_argv and @kernel_argv presumably
 * describe the same argument vector from user or kernel space — confirm
 * which one a given call site fills in.
 */
void gr_handle_exec_args(struct linux_binprm *bprm, struct user_arg_ptr *user_argv,
			 const char *const *kernel_argv);
#else
/* CONFIG_GRKERNSEC_EXECLOG off: exec arguments are not logged. */
static inline void gr_handle_exec_args(struct linux_binprm *bprm,
				       struct user_arg_ptr *user_argv,
				       const char *const *kernel_argv)
{
	(void)bprm;
	(void)user_argv;
	(void)kernel_argv;
}
#endif
#ifdef CONFIG_GRKERNSEC
/* Implemented in grsec_exec.c; @type is a caller-supplied label string. */
void gr_log_proc_exe_interp(const struct file *file, const char *type);
#else
/* CONFIG_GRKERNSEC off: nothing is logged. */
static inline void gr_log_proc_exe_interp(const struct file *file, const char *type)
{
	(void)file;
	(void)type;
}
#endif
/*
* grsec_fork.c
*/
#ifdef CONFIG_GRKERNSEC_FORKFAIL
/* Implemented in grsec_fork.c; @retval is presumably the failed fork's result. */
void gr_log_forkfail(int retval);
#else
/* CONFIG_GRKERNSEC_FORKFAIL off: fork failures are not logged. */
static inline void gr_log_forkfail(int retval)
{
	(void)retval;
}
#endif
/*
* grsec_time.c
*/
#ifdef CONFIG_GRKERNSEC_TIME
/* Implemented in grsec_time.c. */
void gr_log_timechange(void);
#else
/* CONFIG_GRKERNSEC_TIME off: time changes are not logged. */
static inline void gr_log_timechange(void)
{
}
#endif
/*
* grsec_sig.c
*/
#ifdef CONFIG_GRKERNSEC
/* Implemented in grsec_sig.c. */
int gr_handle_signal(const struct task_struct *p, int sig);
#else
/* CONFIG_GRKERNSEC off: 0 for every (@p, @sig). */
static inline int gr_handle_signal(const struct task_struct *p, int sig) { return 0; }
#endif
#ifdef CONFIG_GRKERNSEC
/* Implemented in grsec_sig.c (same section as gr_handle_signal()). */
int gr_handle_bad_priv_descendant_coredump(int signr);
#else
/* CONFIG_GRKERNSEC off: 0 for any @signr. */
static inline int gr_handle_bad_priv_descendant_coredump(int signr) { return 0; }
#endif
#ifdef CONFIG_GRKERNSEC_SIGNAL
/* Implemented in grsec_sig.c. */
void gr_log_signal(int sig, const void *addr, struct task_struct *t);
#else
/* CONFIG_GRKERNSEC_SIGNAL off: signals are not logged. */
static inline void gr_log_signal(int sig, const void *addr, struct task_struct *t)
{
	(void)sig;
	(void)addr;
	(void)t;
}
#endif
/*
* grsec_chdir.c
*/
#ifdef CONFIG_GRKERNSEC_AUDIT_CHDIR
/* Implemented in grsec_chdir.c. */
void gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt);
#else
/* CONFIG_GRKERNSEC_AUDIT_CHDIR off: chdir is not audited. */
static inline void gr_log_chdir(const struct dentry *dentry, const struct vfsmount *mnt)
{
	(void)dentry;
	(void)mnt;
}
#endif
/*
* grsec_chroot.c
*/
#ifdef CONFIG_GRKERNSEC_CHROOT_INITRD
/* Implemented in grsec_chroot.c. */
void gr_past_initrd(void);
#else
/* CONFIG_GRKERNSEC_CHROOT_INITRD off: no state to update. */
static inline void gr_past_initrd(void)
{
}
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT
#include <linux/sched.h>
/* Implemented in grsec_chroot.c: records chroot state for @task from @path. */
void gr_set_chroot_entries(struct task_struct *task, const struct path *path);
/*
 * Reset the chroot bookkeeping kept in the grsecurity task_struct fields
 * gr_is_chrooted and gr_chroot_dentry.  @task must be non-NULL.
 */
static inline void gr_clear_chroot_entries(struct task_struct *task)
{
	task->gr_is_chrooted = 0;
	task->gr_chroot_dentry = NULL;
}
#else
/* CONFIG_GRKERNSEC_CHROOT off: no per-task chroot state exists. */
static inline void gr_set_chroot_entries(struct task_struct *task, const struct path *path)
{
	(void)task;
	(void)path;
}
static inline void gr_clear_chroot_entries(struct task_struct *task)
{
	(void)task;
}
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_RENAME
/* Implemented in grsec_chroot.c.  inc/dec presumably pair around a rename — confirm at call sites. */
void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt);
int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
			 struct dentry *newdentry, struct vfsmount *newmnt);
#else
/* CONFIG_GRKERNSEC_CHROOT_RENAME off: no refcounts and no rename is bad (0). */
static inline void gr_inc_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
{
	(void)dentry;
	(void)mnt;
}
static inline void gr_dec_chroot_refcnts(struct dentry *dentry, struct vfsmount *mnt)
{
	(void)dentry;
	(void)mnt;
}
static inline int gr_bad_chroot_rename(struct dentry *olddentry, struct vfsmount *oldmnt,
				       struct dentry *newdentry, struct vfsmount *newmnt)
{
	return 0;
}
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_UNIX
/* Implemented in grsec_chroot.c. */
int gr_handle_chroot_unix(pid_t pid);
#else
/*
 * CONFIG_GRKERNSEC_CHROOT_UNIX off: 1 for any @pid.  Note this differs
 * from most other gr_handle_chroot_* stubs, which return 0 — check the
 * call-site sense before changing either.
 */
static inline int gr_handle_chroot_unix(pid_t pid) { return 1; }
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_NICE
/* Implemented in grsec_chroot.c. */
int gr_handle_chroot_nice(void);
int gr_handle_chroot_setpriority(struct task_struct *p, int niceval);
#else
/* CONFIG_GRKERNSEC_CHROOT_NICE off: both hooks return 0. */
static inline int gr_handle_chroot_nice(void) { return 0; }
static inline int gr_handle_chroot_setpriority(struct task_struct *p, int niceval) { return 0; }
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_FINDTASK
/* Implemented in grsec_chroot.c. */
extern int grsec_enable_chroot_findtask __read_only;
int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type);
/* @pid is a task_struct despite the name (see prototype type). */
int gr_pid_is_chrooted(const struct task_struct *pid);
#else
/* CONFIG_GRKERNSEC_CHROOT_FINDTASK off: both hooks return 0. */
static inline int gr_handle_chroot_fowner(struct pid *pid, enum pid_type type) { return 0; }
static inline int gr_pid_is_chrooted(const struct task_struct *pid) { return 0; }
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_FCHDIR
/* Implemented in grsec_chroot.c. */
int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt);
int gr_chroot_pathat(int dfd, struct dentry *u_dentry, struct vfsmount *u_mnt, unsigned int flags);
int gr_chroot_fhandle(void);
#else
/*
 * CONFIG_GRKERNSEC_CHROOT_FCHDIR off.  The disabled-case values are not
 * uniform in this section: fchdir and fhandle return 1, pathat returns 0.
 * Each call site depends on its own sense; verify before changing any.
 */
static inline int gr_chroot_fchdir(struct dentry *u_dentry, struct vfsmount *u_mnt) { return 1; }
static inline int gr_chroot_pathat(int dfd, struct dentry *u_dentry, struct vfsmount *u_mnt,
				   unsigned int flags)
{
	return 0;
}
static inline int gr_chroot_fhandle(void) { return 1; }
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_SHMAT
/* Implemented in grsec_chroot.c. */
int gr_chroot_shmat(struct pid *shm_cprid, struct pid *shm_lapid, u64 shm_createtime);
#else
/* CONFIG_GRKERNSEC_CHROOT_SHMAT off: always 1. */
static inline int gr_chroot_shmat(struct pid *shm_cprid, struct pid *shm_lapid, u64 shm_createtime)
{
	return 1;
}
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_EXECLOG
/* Implemented in grsec_chroot.c. */
void gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt);
#else
/* CONFIG_GRKERNSEC_CHROOT_EXECLOG off: chroot execs are not logged. */
static inline void gr_log_chroot_exec(const struct dentry *dentry, const struct vfsmount *mnt)
{
	(void)dentry;
	(void)mnt;
}
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_MKNOD
/* Implemented in grsec_chroot.c. */
int gr_handle_chroot_mknod(const struct dentry *dentry, const struct vfsmount *mnt, int mode);
#else
/* CONFIG_GRKERNSEC_CHROOT_MKNOD off: always 0. */
static inline int gr_handle_chroot_mknod(const struct dentry *dentry, const struct vfsmount *mnt,
					 int mode)
{
	return 0;
}
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_MOUNT
/* Implemented in grsec_chroot.c. */
int gr_handle_chroot_mount(const struct dentry *dentry, const struct vfsmount *mnt,
			   const char *dev_name);
#else
/* CONFIG_GRKERNSEC_CHROOT_MOUNT off: always 0. */
static inline int gr_handle_chroot_mount(const struct dentry *dentry, const struct vfsmount *mnt,
					 const char *dev_name)
{
	return 0;
}
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_PIVOT
/* Implemented in grsec_chroot.c. */
int gr_handle_chroot_pivot(void);
#else
/* CONFIG_GRKERNSEC_CHROOT_PIVOT off: always 0. */
static inline int gr_handle_chroot_pivot(void) { return 0; }
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_DOUBLE
/* Implemented in grsec_chroot.c. */
int gr_handle_chroot_chroot(struct dentry *dentry, struct vfsmount *mnt);
#else
/* CONFIG_GRKERNSEC_CHROOT_DOUBLE off: always 0. */
static inline int gr_handle_chroot_chroot(struct dentry *dentry, struct vfsmount *mnt) { return 0; }
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_SYSCTL
/* Implemented in grsec_chroot.c. */
int gr_handle_chroot_sysctl(int op);
#else
/* CONFIG_GRKERNSEC_CHROOT_SYSCTL off: 0 for any @op. */
static inline int gr_handle_chroot_sysctl(int op) { return 0; }
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_CHDIR
/* Implemented in grsec_chroot.c. */
void gr_handle_chroot_chdir(const struct path *path);
#else
/* CONFIG_GRKERNSEC_CHROOT_CHDIR off: nothing to do for @path. */
static inline void gr_handle_chroot_chdir(const struct path *path)
{
	(void)path;
}
#endif
#ifdef CONFIG_GRKERNSEC_CHROOT_CHMOD
/* Implemented in grsec_chroot.c. */
int gr_handle_chroot_chmod(const struct dentry *dentry, const struct vfsmount *mnt, int mode);
#else
/* CONFIG_GRKERNSEC_CHROOT_CHMOD off: always 0. */
static inline int gr_handle_chroot_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
					 int mode)
{
	return 0;
}
#endif
/*
* grsec_ipc.c
*/
/* Opaque here; only pointers to these are passed through. */
struct ipc_namespace;
struct kern_ipc_perm;
#ifdef CONFIG_GRKERNSEC_HARDEN_IPC
/* Implemented in grsec_ipc.c. */
int gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp,
		     int requested_mode, int granted_mode);
#else
/* CONFIG_GRKERNSEC_HARDEN_IPC off: permitted (1) whatever the modes are. */
static inline int gr_ipc_permitted(struct ipc_namespace *ns, struct kern_ipc_perm *ipcp,
				   int requested_mode, int granted_mode)
{
	return 1;
}
#endif
/*
* grsec_sysctl.c
*/
#ifdef CONFIG_GRKERNSEC_SYSCTL
/* Implemented in grsec_sysctl.c. */
int gr_handle_sysctl_mod(const char *dirname, const char *name, int op);
void gr_log_sysctl_mod(const char *dirname, const char *name, unsigned int *value);
#else
/* CONFIG_GRKERNSEC_SYSCTL off: modifications are neither refused (0) nor logged. */
static inline int gr_handle_sysctl_mod(const char *dirname, const char *name, int op)
{
	return 0;
}
static inline void gr_log_sysctl_mod(const char *dirname, const char *name, unsigned int *value)
{
	(void)dirname;
	(void)name;
	(void)value;
}
#endif
/*
* grsec_mount.c
*/
#ifdef CONFIG_GRKERNSEC_AUDIT_MOUNT
/* Implemented in grsec_mount.c. */
void gr_log_remount(const char *devname);
void gr_log_unmount(const char *devname);
void gr_log_mount(const char *from, const struct path *to);
#else
/* CONFIG_GRKERNSEC_AUDIT_MOUNT off: mount activity is not audited. */
static inline void gr_log_remount(const char *devname)
{
	(void)devname;
}
static inline void gr_log_unmount(const char *devname)
{
	(void)devname;
}
static inline void gr_log_mount(const char *from, const struct path *to)
{
	(void)from;
	(void)to;
}
#endif
/*
* grsec_rofs.c
*/
#ifdef CONFIG_GRKERNSEC_ROFS
/* Implemented in grsec_rofs.c. */
int gr_handle_rofs_mount(const struct dentry *dentry, const struct vfsmount *mnt, int mnt_flags);
int gr_handle_rofs_blockwrite(const struct dentry *dentry, const struct vfsmount *mnt, int acc_mode);
#else
/* CONFIG_GRKERNSEC_ROFS off: neither mounts nor block writes are refused (0). */
static inline int gr_handle_rofs_mount(const struct dentry *dentry, const struct vfsmount *mnt,
				       int mnt_flags)
{
	return 0;
}
static inline int gr_handle_rofs_blockwrite(const struct dentry *dentry, const struct vfsmount *mnt,
					    int acc_mode)
{
	return 0;
}
#endif
/*
* grsec_pax.c
*/
#ifdef CONFIG_GRKERNSEC_RWXMAP_LOG
/* Implemented in grsec_pax.c. */
extern int grsec_enable_log_rwxmaps __read_only;
void gr_log_textrel(struct vm_area_struct *vma, bool is_textrel_rw);
void gr_log_ptgnustack(struct file *file);
void gr_log_rwxmmap(struct file *file);
void gr_log_rwxmprotect(struct vm_area_struct *vma);
#else
/* CONFIG_GRKERNSEC_RWXMAP_LOG off: no RWX-mapping events are logged. */
static inline void gr_log_textrel(struct vm_area_struct *vma, bool is_textrel_rw)
{
	(void)vma;
	(void)is_textrel_rw;
}
static inline void gr_log_ptgnustack(struct file *file)
{
	(void)file;
}
static inline void gr_log_rwxmmap(struct file *file)
{
	(void)file;
}
static inline void gr_log_rwxmprotect(struct vm_area_struct *vma)
{
	(void)vma;
}
#endif
/*
* grsec_fifo.c
*/
#ifdef CONFIG_GRKERNSEC_FIFO
/* Implemented in grsec_fifo.c; @dir_mode/@dir_uid describe the containing directory. */
int gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
		   umode_t dir_mode, vfsuid_t dir_uid, int flag, int acc_mode);
#else
/* CONFIG_GRKERNSEC_FIFO off: always 0. */
static inline int gr_handle_fifo(const struct dentry *dentry, const struct vfsmount *mnt,
				 umode_t dir_mode, vfsuid_t dir_uid, int flag, int acc_mode)
{
	return 0;
}
#endif
/*
* grsec_fuse.c
*/
#ifdef CONFIG_GRKERNSEC_FUSE_RESTRICT
/* Implemented in grsec_fuse.c. */
int gr_check_unprivileged_fuse(void);
#else
/* CONFIG_GRKERNSEC_FUSE_RESTRICT off: always 0. */
static inline int gr_check_unprivileged_fuse(void) { return 0; }
#endif
/*
* grsec_link.c
*/
#ifdef CONFIG_GRKERNSEC_SYMLINKOWN
/* Implemented in grsec_link.c. */
int gr_get_symlinkown_enabled(void);
int gr_handle_symlink_owner(const struct path *link, const struct path *target_path,
			    const struct inode *target);
#else
/* CONFIG_GRKERNSEC_SYMLINKOWN off: reported disabled (0) and never refuses (0). */
static inline int gr_get_symlinkown_enabled(void) { return 0; }
static inline int gr_handle_symlink_owner(const struct path *link, const struct path *target_path,
					  const struct inode *target)
{
	return 0;
}
#endif
#ifdef CONFIG_GRKERNSEC_LINK
/* Implemented in grsec_link.c. */
int gr_handle_follow_link(struct dentry *dentry, const struct vfsmount *mnt,
			  const struct inode *inode, const struct inode *dir_inode);
int gr_handle_hardlink(const struct dentry *dentry, const struct vfsmount *mnt,
		       const struct filename *to);
#else
/* CONFIG_GRKERNSEC_LINK off: link following and hard links are never refused (0). */
static inline int gr_handle_follow_link(struct dentry *dentry, const struct vfsmount *mnt,
					const struct inode *inode, const struct inode *dir_inode)
{
	return 0;
}
static inline int gr_handle_hardlink(const struct dentry *dentry, const struct vfsmount *mnt,
				     const struct filename *to)
{
	return 0;
}
#endif
/*
* grsec_cap.c
*/
#ifdef CONFIG_GRKERNSEC
/*
 * Implemented in grsec_cap.c.  The _nolog variants take the same inputs;
 * presumably they differ only in whether a denial is logged — confirm in
 * grsec_cap.c.
 */
int gr_is_capable(int cap);
int gr_is_capable_nolog(int cap);
int gr_task_is_capable(const struct task_struct *task, const struct cred *cred, int cap);
int gr_task_is_capable_nolog(const struct task_struct *task, const struct cred *cred, int cap);
#else
/* CONFIG_GRKERNSEC off: every capability query answers "capable" (1). */
static inline int gr_is_capable(int cap) { return 1; }
static inline int gr_is_capable_nolog(int cap) { return 1; }
static inline int gr_task_is_capable(const struct task_struct *task, const struct cred *cred,
				     int cap)
{
	return 1;
}
static inline int gr_task_is_capable_nolog(const struct task_struct *task,
					   const struct cred *cred, int cap)
{
	return 1;
}
#endif
/*
* gracl_cap.c
*/
#ifdef CONFIG_GRKERNSEC
/* Implemented in gracl_cap.c. */
int gr_learn_cap(const struct task_struct *task, const struct cred *cred, int cap, bool log);
#else
/* CONFIG_GRKERNSEC off: nothing is learned; always 0. */
static inline int gr_learn_cap(const struct task_struct *task, const struct cred *cred, int cap,
			       bool log)
{
	return 0;
}
#endif
/*
* gracl_fs.c
*/
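#ifdef CONFIG_GRKERNSEC
/*
 * Implemented in gracl_fs.c.  Each __u32 hook answers one RBAC question
 * about a (dentry, vfsmount) pair; the meaning of the returned value is
 * defined by gracl_fs.c.  For orientation: the disabled-case stubs below
 * return 1 for every __u32 hook and 0 for the int/umode_t ones.
 */
umode_t gr_acl_umask(void);
__u32 gr_acl_handle_hidden_file(const struct dentry *dentry, const struct vfsmount *mnt);
__u32 gr_acl_handle_open(const struct dentry *dentry, const struct vfsmount *mnt,
			 int acc_mode, fmode_t fmode);
__u32 gr_acl_handle_creat(const struct dentry *dentry, const struct dentry *p_dentry,
			  const struct vfsmount *p_mnt, int open_flags, int acc_mode, int imode);
__u32 gr_acl_handle_access(const struct dentry *dentry, const struct vfsmount *mnt, int fmode);
__u32 gr_acl_handle_rmdir(const struct dentry *dentry, const struct vfsmount *mnt);
__u32 gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt);
__u32 gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt);
__u32 gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt);
/* @mode is passed by pointer; whether the hook rewrites it is decided in gracl_fs.c. */
__u32 gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt, umode_t *mode);
__u32 gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt);
__u32 gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt);
__u32 gr_acl_handle_removexattr(const struct dentry *dentry, const struct vfsmount *mnt);
__u32 gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt);
__u32 gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt);
__u32 gr_acl_handle_link(const struct dentry *new_dentry, const struct dentry *parent_dentry,
			 const struct vfsmount *parent_mnt, const struct dentry *old_dentry,
			 const struct vfsmount *old_mnt, const struct filename *to);
__u32 gr_acl_handle_symlink(const struct dentry *new_dentry, const struct dentry *parent_dentry,
			    const struct vfsmount *parent_mnt, const struct filename *from);
__u32 gr_acl_handle_mknod(const struct dentry *new_dentry, const struct dentry *parent_dentry,
			  const struct vfsmount *parent_mnt, int mode);
__u32 gr_acl_handle_mkdir(const struct dentry *new_dentry, const struct dentry *parent_dentry,
			  const struct vfsmount *parent_mnt);
/*
 * Unlike the hooks above, rename returns int and its stub returns 0.  The
 * dentry/inode/vfsmount arguments are deliberately non-const here; the stub
 * below mirrors this signature exactly so both builds see one prototype.
 */
int gr_acl_handle_rename(struct dentry *new_dentry, struct dentry *parent_dentry,
			 const struct vfsmount *parent_mnt, struct dentry *old_dentry,
			 struct inode *old_parent_inode, struct vfsmount *old_mnt,
			 const struct filename *newname, unsigned int flags);
void gr_acl_handle_exit(void);
int gr_acl_handle_procpidmem(const struct task_struct *task);
#else
/*
 * CONFIG_GRKERNSEC off.  No RBAC policy exists: the __u32 hooks answer 1,
 * the int hooks answer 0, and the umask contributes no bits (0).
 */
static inline umode_t gr_acl_umask(void) { return 0; }
static inline __u32 gr_acl_handle_hidden_file(const struct dentry *dentry,
					      const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_open(const struct dentry *dentry, const struct vfsmount *mnt,
				       int acc_mode, fmode_t fmode)
{
	return 1;
}
static inline __u32 gr_acl_handle_creat(const struct dentry *dentry, const struct dentry *p_dentry,
					const struct vfsmount *p_mnt, int open_flags, int acc_mode,
					int imode)
{
	return 1;
}
static inline __u32 gr_acl_handle_access(const struct dentry *dentry, const struct vfsmount *mnt,
					 int fmode)
{
	return 1;
}
static inline __u32 gr_acl_handle_rmdir(const struct dentry *dentry, const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_unlink(const struct dentry *dentry, const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_truncate(const struct dentry *dentry, const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_utime(const struct dentry *dentry, const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_chmod(const struct dentry *dentry, const struct vfsmount *mnt,
					umode_t *mode)
{
	return 1;	/* @mode is left untouched */
}
static inline __u32 gr_acl_handle_chown(const struct dentry *dentry, const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_setxattr(const struct dentry *dentry, const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_removexattr(const struct dentry *dentry,
					      const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_execve(const struct dentry *dentry, const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_unix(const struct dentry *dentry, const struct vfsmount *mnt)
{
	return 1;
}
static inline __u32 gr_acl_handle_link(const struct dentry *new_dentry,
				       const struct dentry *parent_dentry,
				       const struct vfsmount *parent_mnt,
				       const struct dentry *old_dentry,
				       const struct vfsmount *old_mnt,
				       const struct filename *to)
{
	return 1;
}
static inline __u32 gr_acl_handle_symlink(const struct dentry *new_dentry,
					  const struct dentry *parent_dentry,
					  const struct vfsmount *parent_mnt,
					  const struct filename *from)
{
	return 1;
}
static inline __u32 gr_acl_handle_mknod(const struct dentry *new_dentry,
					const struct dentry *parent_dentry,
					const struct vfsmount *parent_mnt, int mode)
{
	return 1;
}
static inline __u32 gr_acl_handle_mkdir(const struct dentry *new_dentry,
					const struct dentry *parent_dentry,
					const struct vfsmount *parent_mnt)
{
	return 1;
}
/* Signature matches the CONFIG_GRKERNSEC prototype (previously the stub added const). */
static inline int gr_acl_handle_rename(struct dentry *new_dentry, struct dentry *parent_dentry,
				       const struct vfsmount *parent_mnt, struct dentry *old_dentry,
				       struct inode *old_parent_inode, struct vfsmount *old_mnt,
				       const struct filename *newname, unsigned int flags)
{
	return 0;
}
static inline void gr_acl_handle_exit(void)
{
}
static inline int gr_acl_handle_procpidmem(const struct task_struct *task) { return 0; }
#endif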
/*
* gracl_segv.c
*/
#ifdef CONFIG_GRKERNSEC
/* Implemented in gracl_segv.c. */
void gr_handle_crash(struct task_struct *task, int sig);
int gr_check_crash_uid(kuid_t uid);
int gr_check_crash_exec(const struct file *filp);
#else
/* CONFIG_GRKERNSEC off: crashes are not tracked and the checks return 0. */
static inline void gr_handle_crash(struct task_struct *task, int sig)
{
	(void)task;
	(void)sig;
}
static inline int gr_check_crash_uid(kuid_t uid) { return 0; }
static inline int gr_check_crash_exec(const struct file *filp) { return 0; }
#endif
/*
* gracl_shm.c
*/
#ifdef CONFIG_GRKERNSEC
/* Implemented in gracl_shm.c. */
int gr_handle_shmat(struct pid *shm_cprid, struct pid *shm_lapid, u64 shm_createtime,
		    kuid_t cuid, int shmid);
#else
/* CONFIG_GRKERNSEC off: always 1. */
static inline int gr_handle_shmat(struct pid *shm_cprid, struct pid *shm_lapid,
				  u64 shm_createtime, kuid_t cuid, int shmid)
{
	return 1;
}
#endif
/*
* gracl.c
*/
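#ifdef CONFIG_GRKERNSEC
/*
 * Implemented in gracl.c.  Four of these have no disabled-case stub
 * (gr_glob_match, gr_save_rbac_exec_state, task_grsec_rbac,
 * gr_restore_rbac_exec_state); their call sites must be under
 * CONFIG_GRKERNSEC themselves.
 */
int gr_glob_match(const char *p, const char *n);
void gr_copy_label(struct task_struct *tsk);
int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type);
int gr_acl_handle_mmap(const struct file *file, unsigned long prot);
int gr_acl_handle_mprotect(const struct file *file, unsigned long prot);
int gr_check_hidden_task(const struct task_struct *tsk);
int gr_handle_ptrace(struct task_struct *task, long request);
int gr_handle_proc_ptrace(struct task_struct *task);
dev_t gr_get_dev_from_dentry(const struct dentry *dentry);
u64 gr_get_ino_from_dentry(const struct dentry *dentry);
int gr_handle_rawio(const struct inode *inode);
void gr_acl_handle_psacct(struct task_struct *task, long code);
void gr_put_exec_file(struct task_struct *task);
void gr_save_rbac_exec_state(struct gr_rbac_exec_state *state);
void task_grsec_rbac(struct seq_file *m, struct task_struct *p);
void gr_restore_rbac_exec_state(struct gr_rbac_exec_state *state);
int gr_is_taskstats_denied(void);
int gr_acl_is_enabled(void);
void gr_set_role_label(struct task_struct *task, kuid_t uid, kgid_t gid);
int gr_acl_enable_at_secure(void);
int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs);
int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs);
int gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt, int unsafe_flags);
void gr_set_proc_res(struct task_struct *task);
void gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt);
void gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode);
void gr_handle_delete(u64 ino, dev_t dev);
void gr_handle_rename(const struct dentry *old_dentry, const struct dentry *new_dentry,
		      const struct vfsmount *mnt, __u8 replace, unsigned int flags);
int gr_acl_handle_filldir(const struct file *file, const char *name, unsigned int namelen,
			  u64 ino);
#else
#include <linux/dcache.h>
/*
 * CONFIG_GRKERNSEC off.  Parameter names below follow the prototypes above
 * (unsafe_flags, effective, ...) so the two builds read the same.
 */
static inline void gr_copy_label(struct task_struct *tsk)
{
	(void)tsk;
}
static inline int gr_check_protected_task_fowner(struct pid *pid, enum pid_type type)
{
	return 0;
}
/* No RBAC policy: mmap/mprotect are never refused (1). */
static inline int gr_acl_handle_mmap(const struct file *file, unsigned long prot) { return 1; }
static inline int gr_acl_handle_mprotect(const struct file *file, unsigned long prot) { return 1; }
static inline int gr_check_hidden_task(const struct task_struct *tsk) { return 0; }
static inline int gr_handle_ptrace(struct task_struct *task, long request) { return 0; }
static inline int gr_handle_proc_ptrace(struct task_struct *task) { return 0; }
/*
 * The two dentry helpers are real code even without grsecurity.  They
 * dereference d_backing_inode(dentry) unconditionally, which is NULL for a
 * negative dentry; callers are expected to pass a positive dentry
 * (NOTE(review): confirm at call sites before widening their use).
 */
static inline dev_t gr_get_dev_from_dentry(const struct dentry *dentry)
{
	return d_backing_inode(dentry)->i_sb->s_dev;
}
static inline u64 gr_get_ino_from_dentry(const struct dentry *dentry)
{
	return d_backing_inode(dentry)->i_ino;
}
static inline int gr_handle_rawio(const struct inode *inode) { return 0; }
static inline void gr_acl_handle_psacct(struct task_struct *task, long code)
{
	(void)task;
	(void)code;
}
static inline void gr_put_exec_file(struct task_struct *task)
{
	(void)task;
}
static inline int gr_is_taskstats_denied(void) { return 0; }
/* RBAC is reported as disabled. */
static inline int gr_acl_is_enabled(void) { return 0; }
static inline void gr_set_role_label(struct task_struct *task, kuid_t uid, kgid_t gid)
{
	(void)task;
	(void)uid;
	(void)gid;
}
static inline int gr_acl_enable_at_secure(void) { return 0; }
static inline int gr_check_user_change(kuid_t real, kuid_t effective, kuid_t fs) { return 0; }
static inline int gr_check_group_change(kgid_t real, kgid_t effective, kgid_t fs) { return 0; }
static inline int gr_set_proc_label(const struct dentry *dentry, const struct vfsmount *mnt,
				    int unsafe_flags)
{
	return 0;
}
static inline void gr_set_proc_res(struct task_struct *task)
{
	(void)task;
}
static inline void gr_handle_create(const struct dentry *dentry, const struct vfsmount *mnt)
{
	(void)dentry;
	(void)mnt;
}
static inline void gr_handle_proc_create(const struct dentry *dentry, const struct inode *inode)
{
	(void)dentry;
	(void)inode;
}
static inline void gr_handle_delete(u64 ino, dev_t dev)
{
	(void)ino;
	(void)dev;
}
static inline void gr_handle_rename(const struct dentry *old_dentry,
				    const struct dentry *new_dentry,
				    const struct vfsmount *mnt, __u8 replace, unsigned int flags)
{
	(void)old_dentry;
	(void)new_dentry;
	(void)mnt;
	(void)replace;
	(void)flags;
}
/* Every directory entry is shown (1). */
static inline int gr_acl_handle_filldir(const struct file *file, const char *name,
					unsigned int namelen, u64 ino)
{
	return 1;
}
#endif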
#if defined(CONFIG_GRKERNSEC) && (defined(CONFIG_GRKERNSEC_RESLOG) || !defined(CONFIG_GRKERNSEC_NO_RBAC))
/*
 * Implemented in gracl.c (per the section above); built when resource
 * logging is on or RBAC is not compiled out.
 */
void gr_learn_resource(const struct task_struct *task, const int res,
		       const unsigned long wanted, const int gt);
#else
/* Neither RESLOG nor RBAC available: nothing to learn. */
static inline void gr_learn_resource(const struct task_struct *task, const int res,
				     const unsigned long wanted, const int gt)
{
	(void)task;
	(void)res;
	(void)wanted;
	(void)gt;
}
#endif
/*
* grsec_init.c
*/
#ifdef CONFIG_GRKERNSEC
/* Implemented in grsec_init.c; the two toggles are defined there as well. */
extern int grsec_enable_dmesg __read_only;
extern int grsec_enable_setxid __read_only;
/* __init: discarded after boot, so never call this from later code. */
void grsecurity_init(void) __init;
#else
/* CONFIG_GRKERNSEC off: no initialisation needed. */
static inline void grsecurity_init(void)
{
}
#endif
/*
* grsec_proc.c
*/
#ifdef CONFIG_GRKERNSEC_PROC_USERGROUP
/*
 * Group that the USERGROUP /proc mode grants access to; defined in
 * grsec_proc.c.  No stub exists in other configurations.
 */
extern kgid_t grsec_proc_gid __read_only;
#endif
#if defined(CONFIG_GRKERNSEC_PROC_USER) || defined(CONFIG_GRKERNSEC_PROC_USERGROUP)
/* Implemented in grsec_proc.c; present in either /proc restriction mode. */
int gr_proc_is_restricted(void);
#else
/* Neither /proc restriction mode enabled: not restricted (0). */
static inline int gr_proc_is_restricted(void) { return 0; }
#endif
/*
* grsec_ptrace.c
*/
#ifdef CONFIG_GRKERNSEC_AUDIT_PTRACE
/* Implemented in grsec_ptrace.c. */
void gr_audit_ptrace(struct task_struct *task);
#else
/* CONFIG_GRKERNSEC_AUDIT_PTRACE off: ptrace is not audited. */
static inline void gr_audit_ptrace(struct task_struct *task)
{
	(void)task;
}
#endif
#ifdef CONFIG_GRKERNSEC_PTRACE_READEXEC
/* Implemented in grsec_ptrace.c. */
int gr_ptrace_readexec(struct file *file, int unsafe_flags);
#else
/* CONFIG_GRKERNSEC_PTRACE_READEXEC off: always 0. */
static inline int gr_ptrace_readexec(struct file *file, int unsafe_flags) { return 0; }
#endif
/*
* grsec_sock.c
*/
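/* Opaque networking types; only pointers to them cross this interface. */
struct sock;
struct socket;
struct inet_sock;
struct sockaddr_in;
struct sockaddr;
struct sk_buff;
#if defined(CONFIG_GRKERNSEC) && defined(CONFIG_NET)
/* Implemented in grsec_sock.c; needs both grsecurity and networking. */
extern int grsec_enable_blackhole __read_only;
extern int grsec_lastack_retries __read_only;
void gr_attach_curr_ip(const struct sock *sk);
void gr_update_task_in_ip_table(const struct inet_sock *inet);
void gr_del_task_from_ip_table(struct task_struct *p);
/* @domain/@type/@protocol mirror the socket(2) arguments. */
int gr_search_socket(int domain, int type, int protocol);
int gr_search_connect(struct socket *sock, struct sockaddr_in *addr);
int gr_search_bind(struct socket *sock, struct sockaddr_in *addr);
int gr_search_listen(struct socket *sock);
int gr_search_accept(struct socket *sock);
int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb);
int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr);
#else
/*
 * Disabled-case stubs.  gr_search_socket() returns 1 while every other
 * gr_search_* stub returns 0, so the "disabled" value is not uniform across
 * this section: each call site interprets its own hook's result, and the
 * stubs must keep matching that interpretation.
 */
static inline void gr_attach_curr_ip(const struct sock *sk)
{
	(void)sk;
}
static inline void gr_update_task_in_ip_table(const struct inet_sock *inet)
{
	(void)inet;
}
static inline void gr_del_task_from_ip_table(struct task_struct *p)
{
	(void)p;
}
/* Parameter named @domain to match the prototype above (was @family). */
static inline int gr_search_socket(int domain, int type, int protocol) { return 1; }
static inline int gr_search_connect(struct socket *sock, struct sockaddr_in *addr) { return 0; }
static inline int gr_search_bind(struct socket *sock, struct sockaddr_in *addr) { return 0; }
static inline int gr_search_listen(struct socket *sock) { return 0; }
static inline int gr_search_accept(struct socket *sock) { return 0; }
static inline int gr_search_udp_recvmsg(struct sock *sk, const struct sk_buff *skb) { return 0; }
static inline int gr_search_udp_sendmsg(struct sock *sk, struct sockaddr_in *addr) { return 0; }
#endif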
#ifdef CONFIG_GRKERNSEC_SOCKET_ALL
/* Implemented in grsec_sock.c; arguments mirror socket(2). */
int gr_handle_sock_all(int family, int type, int protocol);
#else
/* CONFIG_GRKERNSEC_SOCKET_ALL off: socket creation is never refused (0). */
static inline int gr_handle_sock_all(int family, int type, int protocol) { return 0; }
#endif
#ifdef CONFIG_GRKERNSEC_SOCKET_SERVER
/* Implemented in grsec_sock.c.  The _other variant takes a struct sock rather than a sockaddr. */
int gr_handle_sock_server(const struct sockaddr *sck);
int gr_handle_sock_server_other(const struct sock *sck);
#else
/* CONFIG_GRKERNSEC_SOCKET_SERVER off: both hooks return 0. */
static inline int gr_handle_sock_server(const struct sockaddr *sck) { return 0; }
static inline int gr_handle_sock_server_other(const struct sock *sck) { return 0; }
#endif
#ifdef CONFIG_GRKERNSEC_SOCKET_CLIENT
/* Implemented in grsec_sock.c. */
int gr_handle_sock_client(const struct sockaddr *sck);
#else
/* CONFIG_GRKERNSEC_SOCKET_CLIENT off: always 0. */
static inline int gr_handle_sock_client(const struct sockaddr *sck) { return 0; }
#endif
/*
* grsec_sysfs.c
*/
/* Opaque here; only a pointer is passed through. */
struct kernfs_open_file;
#ifdef CONFIG_GRKERNSEC_SYSFS_RESTRICT
/* Implemented in grsec_sysfs.c; the boot-time override flag is defined there too. */
extern int grsec_sysfs_restrict_disabled_at_boot __read_only;
int gr_handle_sysfs_access(struct kernfs_open_file *of);
#else
/* CONFIG_GRKERNSEC_SYSFS_RESTRICT off: sysfs access is never refused (0). */
static inline int gr_handle_sysfs_access(struct kernfs_open_file *of) { return 0; }
#endif
/*
* grsec_tty.c
*/
/* Opaque here; only a pointer is passed through. */
struct tty_struct;
#ifdef CONFIG_GRKERNSEC_HARDEN_TTY
/* Implemented in grsec_tty.c. */
int gr_handle_tiocsti(struct tty_struct *tty);
int gr_handle_tioclinux(void);
#else
/* CONFIG_GRKERNSEC_HARDEN_TTY off: neither ioctl is refused (0). */
static inline int gr_handle_tiocsti(struct tty_struct *tty) { return 0; }
static inline int gr_handle_tioclinux(void) { return 0; }
#endif
/*
* gracl_res.c
*/
#ifdef CONFIG_GRKERNSEC_RESLOG
/* Implemented in gracl_res.c; same argument set as gr_learn_resource(). */
void gr_log_resource(const struct task_struct *task, int res, unsigned long wanted, int gt);
#else
/* CONFIG_GRKERNSEC_RESLOG off: resource limit events are not logged. */
static inline void gr_log_resource(const struct task_struct *task, int res,
				   unsigned long wanted, int gt)
{
	(void)task;
	(void)res;
	(void)wanted;
	(void)gt;
}
#endif
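#ifdef CONFIG_GRKERNSEC
/*
 * Emit a "PAX: "-tagged log line.  @loglvl is the KERN_* prefix string and
 * @partial_fmt the printf-style body.  Call through gr_log_pax_msg() so the
 * compile-time checks below apply; the format is checked like printf
 * (argument 2 is the format, variadic arguments start at 3).
 */
__printf(2, 3)
void __gr_log_pax_msg(const char *loglvl, const char *partial_fmt, ...);
/*
 * @partial_fmt must be a string literal: sizeof() is used as its length and
 * the fixed prefix budget (2 + 5 + 3 + 64 + 7 + 15 bytes) plus that length
 * must stay under 199.  What each prefix term stands for is not visible
 * here (presumably the fields __gr_log_pax_msg() prepends); keep this
 * arithmetic and the implementation's buffer size in step.  Note that at
 * least one variadic argument is required, as __VA_ARGS__ is not
 * paste-eliminated.
 */
#define gr_log_pax_msg(loglvl, partial_fmt, ...) \
do { \
	BUILD_BUG_ON(!__builtin_constant_p(partial_fmt)); \
	BUILD_BUG_ON(2 + 5 + 3 + 64 + 7 + 15 + sizeof(partial_fmt) > 199); \
	__gr_log_pax_msg(loglvl, partial_fmt, __VA_ARGS__); \
} while (0)
#else
/*
 * Without CONFIG_GRKERNSEC the message goes straight to printk().  The
 * level, the "PAX: " tag and the format are adjacent string literals, which
 * the compiler concatenates.  They must NOT be joined with the ## operator:
 * pasting two string-literal tokens does not form a valid preprocessing
 * token, so the previous form failed to compile wherever it was expanded.
 */
#define gr_log_pax_msg(loglvl, fmt, ...) \
	printk(loglvl "PAX: " fmt, __VA_ARGS__)
#endif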
#endif