1 |
/* |
2 |
* include/linux/sakura.h |
3 |
* |
4 |
* Implementation of the Domain-Free Mandatory Access Control. |
5 |
* |
6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
7 |
* |
8 |
* Version: 1.6.6-pre 2008/12/01 |
9 |
* |
10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
* See README.ccs for ChangeLog. |
12 |
* |
13 |
*/ |
14 |
/* |
15 |
* A brief description about SAKURA: |
16 |
* |
17 |
* SAKURA stands for "Security Advancement Know-how Upon Read-only Approach". |
18 |
* As the name shows, SAKURA was originally a methodology to make root fs |
19 |
* read-only to avoid tampering the system files. |
20 |
* But now, SAKURA is not only a methodology but also a kernel patch |
21 |
* that improves the system security with less effort. |
22 |
* |
23 |
* SAKURA can restrict operations that affect systemwide. |
24 |
* SAKURA manages the filesystem's namespace related operations so that |
25 |
* files remains where the administrator expects. |
26 |
*/ |
27 |
|
28 |
#ifndef _LINUX_SAKURA_H |
29 |
#define _LINUX_SAKURA_H |
30 |
|
31 |
#include <linux/version.h> |
32 |
|
33 |
#ifndef __user |
34 |
#define __user |
35 |
#endif |
36 |
|
37 |
#if defined(CONFIG_SAKURA) |
38 |
|
39 |
/* Check whether the given pathname is allowed to chroot to. */ |
40 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27) |
41 |
int ccs_check_chroot_permission(struct path *path); |
42 |
#else |
43 |
int ccs_check_chroot_permission(struct nameidata *nd); |
44 |
#endif |
45 |
|
46 |
/* Check whether the mount operation with the given parameters is allowed. */ |
47 |
int ccs_check_mount_permission(char *dev_name, char *dir_name, char *type, |
48 |
const unsigned long *flags); |
49 |
|
50 |
/* Check whether the current process is allowed to pivot_root. */ |
51 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27) |
52 |
int ccs_check_pivot_root_permission(struct path *old_path, |
53 |
struct path *new_path); |
54 |
#else |
55 |
int ccs_check_pivot_root_permission(struct nameidata *old_nd, |
56 |
struct nameidata *new_nd); |
57 |
#endif |
58 |
|
59 |
/* Check whether the given mount operation hides an mounted partition. */ |
60 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27) |
61 |
int ccs_may_mount(struct path *path); |
62 |
#else |
63 |
int ccs_may_mount(struct nameidata *nd); |
64 |
#endif |
65 |
|
66 |
/* Check whether the given mountpoint is allowed to umount. */ |
67 |
int ccs_may_umount(struct vfsmount *mnt); |
68 |
|
69 |
/* Check whether the given port is allowed to autobind. */ |
70 |
int ccs_may_autobind(const u16 port); |
71 |
|
72 |
#else |
73 |
|
74 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27) |
75 |
static inline int ccs_check_chroot_permission(struct path *path) |
76 |
{ |
77 |
return 0; |
78 |
} |
79 |
#else |
80 |
static inline int ccs_check_chroot_permission(struct nameidata *nd) |
81 |
{ |
82 |
return 0; |
83 |
} |
84 |
#endif |
85 |
static inline int ccs_check_mount_permission(char *dev_name, char *dir_name, |
86 |
char *type, |
87 |
const unsigned long *flags) |
88 |
{ |
89 |
return 0; |
90 |
} |
91 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27) |
92 |
static inline int ccs_check_pivot_root_permission(struct path *old_path, |
93 |
struct path *new_path) |
94 |
{ |
95 |
return 0; |
96 |
} |
97 |
#else |
98 |
static inline int ccs_check_pivot_root_permission(struct nameidata *old_nd, |
99 |
struct nameidata *new_nd) |
100 |
{ |
101 |
return 0; |
102 |
} |
103 |
#endif |
104 |
#if LINUX_VERSION_CODE >= KERNEL_VERSION(2, 6, 27) |
105 |
static inline int ccs_may_mount(struct path *path) |
106 |
{ |
107 |
return 0; |
108 |
} |
109 |
#else |
110 |
static inline int ccs_may_mount(struct nameidata *nd) |
111 |
{ |
112 |
return 0; |
113 |
} |
114 |
#endif |
115 |
static inline int ccs_may_umount(struct vfsmount *mnt) |
116 |
{ |
117 |
return 0; |
118 |
} |
119 |
static inline int ccs_may_autobind(const u16 port) |
120 |
{ |
121 |
return 0; |
122 |
} |
123 |
|
124 |
#endif |
125 |
|
126 |
#endif |