1 |
/* |
2 |
* include/linux/sakura.h |
3 |
* |
4 |
* Implementation of the Domain-Free Mandatory Access Control. |
5 |
* |
6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
7 |
* |
8 |
* Version: 1.6.2-rc 2008/06/12 |
9 |
* |
10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
* See README.ccs for ChangeLog. |
12 |
* |
13 |
*/ |
14 |
/* |
15 |
* A brief description about SAKURA: |
16 |
* |
17 |
* SAKURA stands for "Security Advancement Know-how Upon Read-only Approach". |
18 |
* As the name shows, SAKURA was originally a methodology to make root fs |
19 |
* read-only to avoid tampering the system files. |
20 |
* But now, SAKURA is not only a methodology but also a kernel patch |
21 |
* that improves the system security with less effort. |
22 |
* |
23 |
* SAKURA can restrict operations that affect systemwide. |
24 |
* SAKURA manages the filesystem's namespace related operations so that |
25 |
* files remains where the administrator expects. |
26 |
*/ |
27 |
|
28 |
#ifndef _LINUX_SAKURA_H |
29 |
#define _LINUX_SAKURA_H |
30 |
|
31 |
#ifndef __user |
32 |
#define __user |
33 |
#endif |
34 |
|
35 |
#if defined(CONFIG_SAKURA) |
36 |
|
37 |
/* Check whether the given pathname is allowed to chroot to. */ |
38 |
int ccs_check_chroot_permission(struct nameidata *nd); |
39 |
|
40 |
/* Check whether the mount operation with the given parameters is allowed. */ |
41 |
int ccs_check_mount_permission(char *dev_name, char *dir_name, char *type, |
42 |
const unsigned long *flags); |
43 |
|
44 |
/* Check whether the current process is allowed to pivot_root. */ |
45 |
int ccs_check_pivot_root_permission(struct nameidata *old_nd, |
46 |
struct nameidata *new_nd); |
47 |
|
48 |
/* Check whether the given mount operation hides an mounted partition. */ |
49 |
int ccs_may_mount(struct nameidata *nd); |
50 |
|
51 |
/* Check whether the given mountpoint is allowed to umount. */ |
52 |
int ccs_may_umount(struct vfsmount *mnt); |
53 |
|
54 |
/* Check whether the given port is allowed to autobind. */ |
55 |
int ccs_may_autobind(const u16 port); |
56 |
|
57 |
#else |
58 |
|
59 |
static inline int ccs_check_chroot_permission(struct nameidata *nd) |
60 |
{ |
61 |
return 0; |
62 |
} |
63 |
static inline int ccs_check_mount_permission(char *dev_name, char *dir_name, |
64 |
char *type, |
65 |
const unsigned long *flags) |
66 |
{ |
67 |
return 0; |
68 |
} |
69 |
static inline int ccs_check_pivot_root_permission(struct nameidata *old_nd, |
70 |
struct nameidata *new_nd) |
71 |
{ |
72 |
return 0; |
73 |
} |
74 |
static inline int ccs_may_mount(struct nameidata *nd) |
75 |
{ |
76 |
return 0; |
77 |
} |
78 |
static inline int ccs_may_umount(struct vfsmount *mnt) |
79 |
{ |
80 |
return 0; |
81 |
} |
82 |
static inline int ccs_may_autobind(const u16 port) |
83 |
{ |
84 |
return 0; |
85 |
} |
86 |
|
87 |
#endif |
88 |
|
89 |
/* For compatibility with 1.4.x/1.5.x patches */ |
90 |
#define CheckChRootPermission ccs_check_chroot_permission |
91 |
#define SAKURA_MayUmount ccs_may_umount |
92 |
#define SAKURA_MayMount ccs_may_mount |
93 |
#define CheckMountPermission ccs_check_mount_permission |
94 |
#define CheckPivotRootPermission ccs_check_pivot_root_permission |
95 |
#define SAKURA_MayAutobind ccs_may_autobind |
96 |
|
97 |
#endif |