5 |
* |
* |
6 |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
* Copyright (C) 2005-2008 NTT DATA CORPORATION |
7 |
* |
* |
8 |
* Version: 1.6.0-pre 2008/01/03 |
* Version: 1.6.0-pre 2008/03/24 |
9 |
* |
* |
10 |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
* This file is applicable to both 2.4.30 and 2.6.11 and later. |
11 |
* See README.ccs for ChangeLog. |
* See README.ccs for ChangeLog. |
15 |
* A brief description about SAKURA: |
* A brief description about SAKURA: |
16 |
* |
* |
17 |
* SAKURA stands for "Security Advancement Know-how Upon Read-only Approach". |
* SAKURA stands for "Security Advancement Know-how Upon Read-only Approach". |
18 |
* As the name shows, SAKURA was originally a methodology to make root fs read-only |
* As the name shows, SAKURA was originally a methodology to make root fs |
19 |
* to avoid tampering the system files. |
* read-only to avoid tampering the system files. |
20 |
* But now, SAKURA is not only a methodology but also a kernel patch |
* But now, SAKURA is not only a methodology but also a kernel patch |
21 |
* that improves the system security with less effort. |
* that improves the system security with less effort. |
22 |
* |
* |
23 |
* SAKURA can restrict operations that affect systemwide. |
* SAKURA can restrict operations that affect systemwide. |
24 |
|
* SAKURA manages the filesystem's namespace related operations so that |
25 |
|
* files remains where the administrator expects. |
26 |
*/ |
*/ |
27 |
|
|
28 |
#ifndef _LINUX_SAKURA_H |
#ifndef _LINUX_SAKURA_H |
32 |
#define __user |
#define __user |
33 |
#endif |
#endif |
34 |
|
|
|
/***** SAKURA Linux start. *****/ |
|
|
|
|
35 |
#if defined(CONFIG_SAKURA) |
#if defined(CONFIG_SAKURA) |
36 |
|
|
37 |
/* Check whether the given pathname is allowed to chroot to. */ |
/* Check whether the given pathname is allowed to chroot to. */ |
38 |
int CheckChRootPermission(struct nameidata *nd); |
int ccs_check_chroot_permission(struct nameidata *nd); |
39 |
|
|
40 |
/* Check whether the mount operation with the given parameters is allowed. */ |
/* Check whether the mount operation with the given parameters is allowed. */ |
41 |
int CheckMountPermission(char *dev_name, char *dir_name, char *type, const unsigned long *flags); |
int ccs_check_mount_permission(char *dev_name, char *dir_name, char *type, |
42 |
|
const unsigned long *flags); |
43 |
|
|
44 |
/* Check whether the current process is allowed to pivot_root. */ |
/* Check whether the current process is allowed to pivot_root. */ |
45 |
int CheckPivotRootPermission(struct nameidata *old_nd, struct nameidata *new_nd); |
int ccs_check_pivot_root_permission(struct nameidata *old_nd, |
46 |
|
struct nameidata *new_nd); |
47 |
|
|
48 |
/* Check whether the given mount operation hides an mounted partition. */ |
/* Check whether the given mount operation hides an mounted partition. */ |
49 |
int SAKURA_MayMount(struct nameidata *nd); |
int ccs_may_mount(struct nameidata *nd); |
50 |
|
|
51 |
/* Check whether the given mountpoint is allowed to umount. */ |
/* Check whether the given mountpoint is allowed to umount. */ |
52 |
int SAKURA_MayUmount(struct vfsmount *mnt); |
int ccs_may_umount(struct vfsmount *mnt); |
53 |
|
|
54 |
/* Check whether the given port is allowed to autobind. */ |
/* Check whether the given port is allowed to autobind. */ |
55 |
int SAKURA_MayAutobind(const u16 port); |
int ccs_may_autobind(const u16 port); |
56 |
|
|
57 |
#else |
#else |
58 |
|
|
59 |
static inline int CheckChRootPermission(struct nameidata *nd) { return 0; } |
static inline int ccs_check_chroot_permission(struct nameidata *nd) |
60 |
static inline int CheckMountPermission(char *dev_name, char *dir_name, char *type, const unsigned long *flags) { return 0; } |
{ |
61 |
static inline int CheckPivotRootPermission(struct nameidata *old_nd, struct nameidata *new_nd) { return 0; } |
return 0; |
62 |
static inline int SAKURA_MayMount(struct nameidata *nd) { return 0; } |
} |
63 |
static inline int SAKURA_MayUmount(struct vfsmount *mnt) { return 0; } |
static inline int ccs_check_mount_permission(char *dev_name, char *dir_name, |
64 |
static inline int SAKURA_MayAutobind(const u16 port) { return 0; } |
char *type, |
65 |
|
const unsigned long *flags) |
66 |
|
{ |
67 |
|
return 0; |
68 |
|
} |
69 |
|
static inline int ccs_check_pivot_root_permission(struct nameidata *old_nd, |
70 |
|
struct nameidata *new_nd) |
71 |
|
{ |
72 |
|
return 0; |
73 |
|
} |
74 |
|
static inline int ccs_may_mount(struct nameidata *nd) |
75 |
|
{ |
76 |
|
return 0; |
77 |
|
} |
78 |
|
static inline int ccs_may_umount(struct vfsmount *mnt) |
79 |
|
{ |
80 |
|
return 0; |
81 |
|
} |
82 |
|
static inline int ccs_may_autobind(const u16 port) |
83 |
|
{ |
84 |
|
return 0; |
85 |
|
} |
86 |
|
|
87 |
#endif |
#endif |
88 |
|
|
89 |
/***** SAKURA Linux end. *****/ |
/* For compatibility with 1.4.x/1.5.x patches */ |
90 |
|
#define CheckChRootPermission ccs_check_chroot_permission |
91 |
|
#define SAKURA_MayUmount ccs_may_umount |
92 |
|
#define SAKURA_MayMount ccs_may_mount |
93 |
|
#define CheckMountPermission ccs_check_mount_permission |
94 |
|
#define CheckPivotRootPermission ccs_check_pivot_root_permission |
95 |
|
#define SAKURA_MayAutobind ccs_may_autobind |
96 |
|
|
97 |
#endif |
#endif |
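Review bot: The return contract of the six `ccs_*` hooks is not documented anywhere in this header, and the `#else` stubs (new lines 59-85) all `return 0`, so a kernel built without CONFIG_SAKURA takes whatever path the callers give to 0. That is presumably "permitted", though the implementations and callers are not visible here. I would add one comment above the prototypes, for example `/* Each hook returns 0 if the operation is permitted and a nonzero error otherwise; the !CONFIG_SAKURA stubs always permit. */`, after confirming it against the callers. The compatibility block at new lines 89-95 uses object-like macros such as `#define CheckChRootPermission ccs_check_chroot_permission`, which rewrite those identifiers in every file that includes this header, so its comment should say when the aliases can be dropped. Two wording slips remain in the new-side comments: "files remains" should be "files remain", and "an mounted partition" should be "a mounted partition".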