From: Paul Moore <paul@paul-moore.com>
To: linux-security-module@vger.kernel.org
Subject: [PATCH 17/22] lsm: move the audit hook comments to security/security.c
Date: Thu, 16 Feb 2023 22:26:20 -0500
Message-ID: <20230217032625.678457-18-paul@paul-moore.com>
In-Reply-To: <20230217032625.678457-1-paul@paul-moore.com>
This patch relocates the LSM hook function comments to the function
definitions, in keeping with the current kernel conventions. This
should make the hook descriptions more easily discoverable and easier
to maintain.
While formatting changes have been done to better fit the kernel-doc
style, content changes have been kept to a minimum and limited to
text which was obviously incorrect and/or outdated. It is expected
that future patches will improve the quality of the function header
comments.
Signed-off-by: Paul Moore <paul@paul-moore.com>
---
include/linux/lsm_hooks.h | 32 ------------------------------
security/security.c | 41 +++++++++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+), 32 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index 0a5b3b46fc2b..e36387f88083 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -135,38 +135,6 @@
* @secdata contains the security context.
* @seclen contains the length of the security context.
*
- * Security hooks for Audit
- *
- * @audit_rule_init:
- * Allocate and initialize an LSM audit rule structure.
- * @field contains the required Audit action.
- * Fields flags are defined in <include/linux/audit.h>
- * @op contains the operator the rule uses.
- * @rulestr contains the context where the rule will be applied to.
- * @lsmrule contains a pointer to receive the result.
- * Return 0 if @lsmrule has been successfully set,
- * -EINVAL in case of an invalid rule.
- *
- * @audit_rule_known:
- * Specifies whether given @krule contains any fields related to
- * current LSM.
- * @krule contains the audit rule of interest.
- * Return 1 in case of relation found, 0 otherwise.
- *
- * @audit_rule_match:
- * Determine if given @secid matches a rule previously approved
- * by @audit_rule_known.
- * @secid contains the security id in question.
- * @field contains the field which relates to current LSM.
- * @op contains the operator that will be used for matching.
- * @lrule points to the audit rule that will be checked against.
- * Return 1 if secid matches the rule, 0 if it does not, -ERRNO on failure.
- *
- * @audit_rule_free:
- * Deallocate the LSM audit rule structure previously allocated by
- * audit_rule_init.
- * @lsmrule contains the allocated rule.
- *
* @inode_invalidate_secctx:
* Notify the security module that it must revalidate the security context
* of an inode.
diff --git a/security/security.c b/security/security.c
index d7a07264fb73..4a2eff06f418 100644
--- a/security/security.c
+++ b/security/security.c
@@ -4761,21 +4761,62 @@ int security_key_getsecurity(struct key *key, char **_buffer)
#ifdef CONFIG_AUDIT
+/**
+ * security_audit_rule_init() - Allocate and init an LSM audit rule struct
+ * @field: audit action
+ * @op: rule operator
+ * @rulestr: rule context
+ * @lsmrule: receive buffer for audit rule struct
+ *
+ * Allocate and initialize an LSM audit rule structure.
+ *
+ * Return: Return 0 if @lsmrule has been successfully set, -EINVAL in case of
+ * an invalid rule.
+ */
int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
{
return call_int_hook(audit_rule_init, 0, field, op, rulestr, lsmrule);
}
+/**
+ * security_audit_rule_known() - Check if an audit rule contains LSM fields
+ * @krule: audit rule
+ *
+ * Specifies whether given @krule contains any fields related to the current
+ * LSM.
+ *
+ * Return: Returns 1 in case of relation found, 0 otherwise.
+ */
int security_audit_rule_known(struct audit_krule *krule)
{
return call_int_hook(audit_rule_known, 0, krule);
}
+/**
+ * security_audit_rule_free() - Free an LSM audit rule struct
+ * @lsmrule: audit rule struct
+ *
+ * Deallocate the LSM audit rule structure previously allocated by
+ * audit_rule_init().
+ */
void security_audit_rule_free(void *lsmrule)
{
call_void_hook(audit_rule_free, lsmrule);
}
+/**
+ * security_audit_rule_match() - Check if a label matches an audit rule
+ * @secid: security label
+ * @field: LSM audit field
+ * @op: matching operator
+ * @lsmrule: audit rule
+ *
+ * Determine if given @secid matches a rule previously approved by
+ * security_audit_rule_known().
+ *
+ * Return: Returns 1 if secid matches the rule, 0 if it does not, -ERRNO on
+ * failure.
+ */
int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule)
{
return call_int_hook(audit_rule_match, 0, secid, field, op, lsmrule);
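Review bot: the cross-reference in the security_audit_rule_free() kernel-doc ("previously allocated by audit_rule_init()") names the LSM hook, while the security_audit_rule_match() comment in the same hunk names the wrapper, security_audit_rule_known(); since these comments now document the security_*() wrappers, the free() comment should read "previously allocated by security_audit_rule_init()" so both references point at the same layer. Two smaller points in the same hunk: the "Return: Return 0 if ..." and "Return: Returns 1 ..." sections read doubled under kernel-doc, where "Return: 0 if @lsmrule has been successfully set, -EINVAL in case of an invalid rule." is enough; and the removed header text's note that the @field values are defined in <include/linux/audit.h> is not carried into the new "@field: audit action" line, so a reader of security_audit_rule_init() loses that pointer to where the field constants live.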
--
2.39.2