[TOMOYO #7 05/30] External functions prototypes for SAKURA.

From: Tetsuo Handa
Date: Fri Apr 04 2008 - 08:49:52 EST

Next message: Tetsuo Handa: "[TOMOYO #7 06/30] External functions prototypes for TOMOYO."
Previous message: Tetsuo Handa: "[TOMOYO #7 04/30] Prototypes of realpath."
In reply to: Tetsuo Handa: "[TOMOYO #7 04/30] Prototypes of realpath."
Next in thread: Tetsuo Handa: "[TOMOYO #7 06/30] External functions prototypes for TOMOYO."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This file defines prototypes and constants that are needed by hooks.

Signed-off-by: Kentaro Takeda <takedakn@xxxxxxxxxxxxx>
Signed-off-by: Tetsuo Handa <penguin-kernel@xxxxxxxxxxxxxxxxxxx>
Signed-off-by: Toshiharu Harada <haradats@xxxxxxxxxxxxx>
---
include/linux/sakura.h | 82 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 82 insertions(+)

--- /dev/null
+++ linux-2.6.25-rc8-mm1/include/linux/sakura.h
@@ -0,0 +1,82 @@
+/*
+ * include/linux/sakura.h
+ *
+ * Implementation of the Domain-Free Mandatory Access Control.
+ *
+ * Copyright (C) 2005-2008 NTT DATA CORPORATION
+ *
+ * Version: 1.6.0 2008/04/01
+ *
+ */
+/*
+ * A brief description about SAKURA:
+ *
+ * SAKURA stands for "Security Advancement Know-how Upon Read-only Approach".
+ * As the name shows, SAKURA was originally a methodology to make root fs
+ * read-only to avoid tampering the system files.
+ * But now, SAKURA is not only a methodology but also a kernel patch
+ * that improves the system security with less effort.
+ *
+ * SAKURA can restrict operations that affect systemwide.
+ * SAKURA manages the filesystem's namespace related operations so that
+ * files remains where the administrator expects.
+ */
+
+#ifndef _LINUX_SAKURA_H
+#define _LINUX_SAKURA_H
+
+#if defined(CONFIG_SAKURA)
+
+/* Check whether the given pathname is allowed to chroot to. */
+int ccs_check_chroot_permission(struct nameidata *nd);
+
+/* Check whether the mount operation with the given parameters is allowed. */
+int ccs_check_mount_permission(char *dev_name, char *dir_name, char *type,
+ const unsigned long *flags);
+
+/* Check whether the current process is allowed to pivot_root. */
+int ccs_check_pivot_root_permission(struct nameidata *old_nd,
+ struct nameidata *new_nd);
+
+/* Check whether the given mount operation hides an mounted partition. */
+int ccs_may_mount(struct nameidata *nd);
+
+/* Check whether the given mountpoint is allowed to umount. */
+int ccs_may_umount(struct vfsmount *mnt);
+
+/* Check whether the given port is allowed to autobind. */
+int ccs_may_autobind(const u16 port);
+
+#else
+
+static inline int ccs_check_chroot_permission(struct nameidata *nd)
+{
+ return 0;
+}
+static inline int ccs_check_mount_permission(char *dev_name, char *dir_name,
+ char *type,
+ const unsigned long *flags)
+{
+ return 0;
+}
+static inline int ccs_check_pivot_root_permission(struct nameidata *old_nd,
+ struct nameidata *new_nd)
+{
+ return 0;
+}
+static inline int ccs_may_mount(struct nameidata *nd)
+{
+ return 0;
+}
+static inline int ccs_may_umount(struct vfsmount *mnt)
+{
+ return 0;
+}
+static inline int ccs_may_autobind(const u16 port)
+{
+ return 0;
+}
+
+#endif
+
+#endif

--
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Tetsuo Handa: "[TOMOYO #7 06/30] External functions prototypes for TOMOYO."
Previous message: Tetsuo Handa: "[TOMOYO #7 04/30] Prototypes of realpath."
In reply to: Tetsuo Handa: "[TOMOYO #7 04/30] Prototypes of realpath."
Next in thread: Tetsuo Handa: "[TOMOYO #7 06/30] External functions prototypes for TOMOYO."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]