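Lines matching refs:file — each entry below is prefixed with its line number in the searched source file; lines that do not mention `file` are omitted, so functions and comments appear only as fragments.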

468 	init_debug("file blob size       = %d\n", blob_sizes.lbs_file);

719 * lsm_file_alloc - allocate a composite file blob
720 * @file: the file that needs a blob
722 * Allocate the file blob for all the modules
726 static int lsm_file_alloc(struct file *file)
729 file->f_security = NULL;
733 file->f_security = kmem_cache_zalloc(lsm_file_cache, GFP_KERNEL);
734 if (file->f_security == NULL)
1031 * security_binder_transfer_file() - Check if a binder file xfer is allowed
1034 * @file: file being transferred
1036 * Check whether @from is allowed to transfer @file to @to.
1041 const struct cred *to, const struct file *file)
1043 return call_int_hook(binder_transfer_file, from, to, file);
1244 * properly for executing @bprm->file, update the LSM's portion of
1265 * security_bprm_creds_from_file() - Update linux_binprm creds based on file
1267 * @file: associated file
1269 * If @file is setpcap, suid, sgid or otherwise marked to change privilege upon
1274 * different file. This hook may also optionally check permissions (e.g. for
1283 int security_bprm_creds_from_file(struct linux_binprm *bprm, const struct file *file)
1285 return call_int_hook(bprm_creds_from_file, bprm, file);
1314 * open file descriptors to which access will no longer be granted when the
1524 * @m: output file
1560 * device if the file system type requires a device. For a remount
1578 * Check permission before the @mnt file system is unmounted.
1669 * @path: file path
1671 * @obj_type: file path type
1883 * security_path_mknod() - Check if creating a special file is allowed
1885 * @dentry: new file
1886 * @mode: new file mode
1889 * Check permissions when creating a file. Note that this hook is called even
1890 * if mknod operation is being done for a regular file.
1904 * security_path_post_mknod() - Update inode security after reg file creation
1906 * @dentry: new file
1908 * Update inode security field after a regular file has been created.
1955 * @dentry: file
1957 * Check the permission to remove a hard link to a file.
1973 * @old_name: file pathname
1975 * Check the permission to create a symbolic link to a file.
1989 * @old_dentry: existing file
1993 * Check permission before creating a new hard link to a file.
2006 * security_path_rename() - Check if renaming a file is allowed
2007 * @old_dir: parent directory of the old file
2008 * @old_dentry: the old file
2009 * @new_dir: parent directory of the new file
2010 * @new_dentry: the new file
2013 * Check for permission to rename a file or directory.
2032 * security_path_truncate() - Check if truncating a file is allowed
2033 * @path: file
2035 * Check permission before truncating the file indicated by path. Note that
2049 * security_path_chmod() - Check if changing the file's mode is allowed
2050 * @path: file
2053 * Check for permission to change a mode of the file @path. The new mode is
2067 * security_path_chown() - Check if changing the file's owner/group is allowed
2068 * @path: file
2069 * @uid: file owner
2070 * @gid: file group
2072 * Check for permission to change owner/group of a file or directory.
2098 * security_inode_create() - Check if creating a file is allowed
2100 * @dentry: the file being created
2101 * @mode: requested file mode
2103 * Check permission to create a regular file.
2133 * @old_dentry: existing file
2137 * Check permission before creating a new hard link to a file.
2152 * @dentry: file
2154 * Check the permission to remove a hard link to a file.
2171 * Check the permission to create a symbolic link to a file.
2219 * security_inode_mknod() - Check if creating a special file is allowed
2221 * @dentry: new file
2222 * @mode: new file mode
2225 * Check permissions when creating a special file (or a socket or a fifo file
2227 * done for a regular file, then the create hook will be called and not this
2241 * security_inode_rename() - Check if renaming a file is allowed
2242 * @old_dir: parent directory of the old file
2243 * @old_dentry: the old file
2244 * @new_dir: parent directory of the new file
2245 * @new_dentry: the new file
2248 * Check for permission to rename a file or directory.
2314 * that this hook is called when a file is opened (as well as many other
2328 * security_inode_setattr() - Check if setting file attributes is allowed
2330 * @dentry: file
2333 * Check permission before setting file attributes. Note that the kernel call
2334 * to notify_change is performed from several locations, whenever file
2335 * attributes change (such as when a file is truncated, chown/chmod operations,
2352 * @dentry: file
2353 * @ia_valid: file attributes set
2355 * Update inode security field after successful setting file attributes.
2366 * security_inode_getattr() - Check if getting file attributes is allowed
2367 * @path: file
2369 * Check permission before obtaining file attributes.
2381 * security_inode_setxattr() - Check if setting file xattrs is allowed
2383 * @dentry: file
2429 * @dentry: file
2449 * @dentry: file
2467 * @dentry: file
2486 * @dentry: file
2505 * @dentry: file
2521 * @dentry: file
2539 * @dentry: file
2556 * @dentry: file
2573 * @dentry: file
2613 * @dentry: file
2627 * @dentry: file to set filesystem extended attributes on
2642 * @dentry: file to retrieve filesystem extended attributes from
2776 * @src: union dentry of copy-up file
2779 * A file is about to be copied up from lower layer to upper layer of overlay
2782 * create new file and release newly allocated creds.
2794 * @src: union dentry of copy-up file
2797 * Filter the xattrs being copied up when a unioned file is copied up from a
2854 * security_file_permission() - Check file permissions
2855 * @file: file
2858 * Check file permissions before accessing an open file. This hook is called
2864 * a file is opened (as well as many other operations). Although this hook can
2872 int security_file_permission(struct file *file, int mask)
2874 return call_int_hook(file_permission, file, mask);
2878 * security_file_alloc() - Allocate and init a file's LSM blob
2879 * @file: the file
2881 * Allocate and attach a security structure to the file->f_security field. The
2886 int security_file_alloc(struct file *file)
2888 int rc = lsm_file_alloc(file);
2892 rc = call_int_hook(file_alloc_security, file);
2894 security_file_free(file);
2899 * security_file_release() - Perform actions before releasing the file ref
2900 * @file: the file
2902 * Perform actions before releasing the last reference to a file.
2904 void security_file_release(struct file *file)
2906 call_void_hook(file_release, file);
2910 * security_file_free() - Free a file's LSM blob
2911 * @file: the file
2913 * Deallocate and free any security structures stored in file->f_security.
2915 void security_file_free(struct file *file)
2919 call_void_hook(file_free_security, file);
2921 blob = file->f_security;
2923 file->f_security = NULL;
2930 * @file: associated file
2934 * Check permission for an ioctl operation on @file. Note that @arg sometimes
2941 int security_file_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
2943 return call_int_hook(file_ioctl, file, cmd, arg);
2949 * @file: associated file
2958 int security_file_ioctl_compat(struct file *file, unsigned int cmd,
2961 return call_int_hook(file_ioctl_compat, file, cmd, arg);
2965 static inline unsigned long mmap_prot(struct file *file, unsigned long prot)
2978 if (!file)
2984 if (!path_noexec(&file->f_path)) {
2986 if (file->f_op->mmap_capabilities) {
2987 unsigned caps = file->f_op->mmap_capabilities(file);
2999 * security_mmap_file() - Check if mmap'ing a file is allowed
3000 * @file: file
3004 * Check permissions for a mmap operation. The @file may be NULL, e.g. if
3009 int security_mmap_file(struct file *file, unsigned long prot,
3012 return call_int_hook(mmap_file, file, prot, mmap_prot(file, prot),
3046 * security_file_lock() - Check if a file lock is allowed
3047 * @file: file
3050 * Check permission before performing file locking operations. Note the hook
3055 int security_file_lock(struct file *file, unsigned int cmd)
3057 return call_int_hook(file_lock, file, cmd);
3062 * @file: file
3066 * Check permission before allowing the file operation specified by @cmd from
3067 * being performed on the file @file. Note that @arg sometimes represents a
3074 int security_file_fcntl(struct file *file, unsigned int cmd, unsigned long arg)
3076 return call_int_hook(file_fcntl, file, cmd, arg);
3080 * security_file_set_fowner() - Set the file owner info in the LSM blob
3081 * @file: the file
3084 * file->f_security for later use by the send_sigiotask hook.
3086 * This hook is called with file->f_owner.lock held.
3090 void security_file_set_fowner(struct file *file)
3092 call_void_hook(file_set_fowner, file);
3101 * Check permission for the file owner @fown to send SIGIO or SIGURG to the
3103 * that the fown_struct, @fown, is never outside the context of a struct file,
3104 * so the file structure (and associated security information) can always be
3105 * obtained: container_of(fown, struct file, f_owner).
3116 * security_file_receive() - Check if receiving a file via IPC is allowed
3117 * @file: file being received
3120 * receive an open file descriptor via socket IPC.
3124 int security_file_receive(struct file *file)
3126 return call_int_hook(file_receive, file);
3131 * @file: the file being opened
3136 * We can check if a file is opened for execution (e.g. execve(2) call), either
3137 * directly or indirectly (e.g. ELF's ld.so) by checking file->f_flags &
3142 int security_file_open(struct file *file)
3144 return call_int_hook(file_open, file);
3148 * security_file_post_open() - Evaluate a file after it has been opened
3149 * @file: the file
3152 * Evaluate an opened file and the access mask requested with open(). The hook
3153 * is useful for LSMs that require the file content to be available in order to
3158 int security_file_post_open(struct file *file, int mask)
3160 return call_int_hook(file_post_open, file, mask);
3165 * security_file_truncate() - Check if truncating a file is allowed
3166 * @file: file
3168 * Check permission before truncating a file, i.e. using ftruncate. Note that
3174 int security_file_truncate(struct file *file)
3176 return call_int_hook(file_truncate, file);
3340 * security_kernel_create_files_as() - Set file creation context using an inode
3344 * Set the file creation context in a set of credentials to be the same as the
3370 * security_kernel_read_file() - Read a file specified by userspace
3371 * @file: file
3372 * @id: file identifier
3375 * Read a file specified by userspace.
3379 int security_kernel_read_file(struct file *file, enum kernel_read_file_id id,
3382 return call_int_hook(kernel_read_file, file, id, contents);
3387 * security_kernel_post_read_file() - Read a file specified by userspace
3388 * @file: file
3389 * @buf: file contents
3390 * @size: size of file contents
3391 * @id: file identifier
3393 * Read a file specified by userspace. This must be paired with a prior call
3399 int security_kernel_post_read_file(struct file *file, char *buf, loff_t size,
3402 return call_int_hook(kernel_post_read_file, file, buf, size, id);
3422 * security_kernel_post_load_data() - Load userspace data from a non-file source
3428 * Load data provided by a non-file source (usually userspace buffer). This
4412 * for the file when the server returned the file's attributes to the client.
4526 * Linux provides an alternative to the conventional file name space for Unix
4527 * domain sockets. Whereas binding and connecting to sockets in the file name
4528 * space is mediated by the typical file permissions (and caught by the mknod
4553 * Linux provides an alternative to the conventional file name space for Unix
4554 * domain sockets. Whereas binding and connecting to sockets in the file name
4555 * space is mediated by the typical file permissions (and caught by the mknod
5678 * Do a check when the kernel generates and returns a file descriptor for eBPF
5692 * Do a check when the kernel generates and returns a file descriptor for eBPF