include/linux/lsmpmon.h | 178 ++ include/linux/lsmpmon_keys.h | 47 include/linux/lsmpmon_security.h | 1949 ++++++++++++++++++++++++++ include/linux/lsmpmon_security_network.h | 415 +++++ include/linux/lsmpmon_security_network_xfrm.h | 203 ++ include/linux/security.h | 24 security/Kconfig | 3 security/Makefile | 1 security/lsmpmon.c | 251 +++ security/lsmpmon.h | 278 +++ 10 files changed, 3348 insertions(+), 1 deletion(-) diff -Nur linux-2.6.19.7/include/linux/lsmpmon.h linux-lsmpmon/include/linux/lsmpmon.h --- linux-2.6.19.7/include/linux/lsmpmon.h 1970-01-01 09:00:00.000000000 +0900 +++ linux-lsmpmon/include/linux/lsmpmon.h 2007-11-15 11:05:28.000000000 +0900 @@ -0,0 +1,178 @@ +#define LSMPMON_NUM 163 +extern unsigned long + lsmpmon_min[LSMPMON_NUM], + lsmpmon_max[LSMPMON_NUM], + lsmpmon_count[LSMPMON_NUM]; +extern unsigned long long + lsmpmon_sum[LSMPMON_NUM]; +extern int lsmpmon_enable; + +enum lsm_name { + lsm_ptrace, + lsm_capget, + lsm_capset_check, + lsm_capset_set, + lsm_capable, + lsm_acct, + lsm_sysctl, + lsm_quotactl, + lsm_quota_on, + lsm_syslog, + lsm_settime, + lsm_vm_enough_memory, + lsm_bprm_alloc, + lsm_bprm_free, + lsm_bprm_apply_creds, + lsm_bprm_post_apply_creds, + lsm_bprm_set, + lsm_bprm_check, + lsm_bprm_secureexec, + lsm_sb_alloc, + lsm_sb_free, + lsm_sb_copy_data, + lsm_sb_kern_mount, + lsm_sb_statfs, + lsm_sb_mount, + lsm_sb_check_sb, + lsm_sb_umount, + lsm_sb_umount_close, + lsm_sb_umount_busy, + lsm_sb_post_remount, + lsm_sb_post_mountroot, + lsm_sb_post_addmount, + lsm_sb_pivotroot, + lsm_sb_post_pivotroot, + lsm_inode_alloc, + lsm_inode_free, + lsm_inode_init_security, + lsm_inode_create, + lsm_inode_link, + lsm_inode_unlink, + lsm_inode_symlink, + lsm_inode_mkdir, + lsm_inode_rmdir, + lsm_inode_mknod, + lsm_inode_rename, + lsm_inode_readlink, + lsm_inode_follow_link, + lsm_inode_permission, + lsm_inode_setattr, + lsm_inode_getattr, + lsm_inode_delete, + lsm_inode_setxattr, + lsm_inode_post_setxattr, + lsm_inode_getxattr, + lsm_inode_listxattr, + lsm_inode_removexattr, + lsm_inode_xattr_getsuffix, + lsm_inode_getsecurity, + lsm_inode_setsecurity, + lsm_inode_listsecurity, + lsm_file_permission, + lsm_file_alloc, + lsm_file_free, + lsm_file_ioctl, + lsm_file_mmap, + lsm_file_mprotect, + lsm_file_lock, + lsm_file_fcntl, + lsm_file_set_fowner, + lsm_file_send_sigiotask, + lsm_file_receive, + lsm_task_create, + lsm_task_alloc, + lsm_task_free, + lsm_task_setuid, + lsm_task_post_setuid, + lsm_task_setgid, + lsm_task_setpgid, + lsm_task_getpgid, + lsm_task_getsid, + lsm_task_getsecid, + lsm_task_setgroups, + lsm_task_setnice, + lsm_task_setioprio, + lsm_task_getioprio, + lsm_task_setrlimit, + lsm_task_setscheduler, + lsm_task_getscheduler, + lsm_task_movememory, + lsm_task_kill, + lsm_task_wait, + lsm_task_prctl, + lsm_task_reparent_to_init, + lsm_task_to_inode, + lsm_ipc_permission, + lsm_msg_msg_alloc, + lsm_msg_msg_free, + lsm_msg_queue_alloc, + lsm_msg_queue_free, + lsm_msg_queue_associate, + lsm_msg_queue_msgctl, + lsm_msg_queue_msgsnd, + lsm_msg_queue_msgrcv, + lsm_shm_alloc, + lsm_shm_free, + lsm_shm_associate, + lsm_shm_shmctl, + lsm_shm_shmat, + lsm_sem_alloc, + lsm_sem_free, + lsm_sem_associate, + lsm_sem_semctl, + lsm_sem_semop, + lsm_d_instantiate, + lsm_getprocattr, + lsm_setprocattr, + lsm_netlink_send, + lsm_netlink_recv, + lsm_secid_to_secctx, + lsm_release_secctx, + lsm_unix_stream_connect, + lsm_unix_may_send, + lsm_socket_create, + lsm_socket_post_create, + lsm_socket_bind, + lsm_socket_connect, + lsm_socket_listen, + lsm_socket_accept, + lsm_socket_post_accept, + lsm_socket_sendmsg, + lsm_socket_recvmsg, + lsm_socket_getsockname, + lsm_socket_getpeername, + lsm_socket_getsockopt, + lsm_socket_setsockopt, + lsm_socket_shutdown, + lsm_sock_rcv_skb, + lsm_socket_getpeersec_stream, + lsm_socket_getpeersec_dgram, + lsm_sk_alloc, + lsm_sk_free, + lsm_sk_clone, + lsm_sk_classify_flow, + lsm_req_classify_flow, + lsm_sock_graft, + lsm_inet_conn_request, + lsm_inet_csk_clone, + lsm_xfrm_policy_alloc, + lsm_xfrm_policy_clone, + lsm_xfrm_policy_free, + lsm_xfrm_policy_delete, + lsm_xfrm_state_alloc, + lsm_xfrm_state_alloc_acquire, + lsm_xfrm_state_delete, + lsm_xfrm_state_free, + lsm_xfrm_policy_lookup, + lsm_xfrm_state_pol_flow_match, + lsm_xfrm_flow_state_match, + lsm_xfrm_decode_session, + lsm_skb_classify_flow, + lsm_key_alloc, + lsm_key_free, + lsm_key_permission, +}; + +extern long long gettime(void); +extern long long difftime(long long before, long long after); +extern void lsmpmon_store(long long time, int offset); diff -Nur linux-2.6.19.7/include/linux/lsmpmon_keys.h linux-lsmpmon/include/linux/lsmpmon_keys.h --- linux-2.6.19.7/include/linux/lsmpmon_keys.h 1970-01-01 09:00:00.000000000 +0900 +++ linux-lsmpmon/include/linux/lsmpmon_keys.h 2007-11-15 11:05:28.000000000 +0900 @@ -0,0 +1,47 @@ +static inline int security_key_alloc(struct key *key, + struct task_struct *tsk, + unsigned long flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->key_alloc(key, tsk, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_key_alloc); + return rc; + } else { + return security_ops->key_alloc(key, tsk, flags); + } +} +static inline void security_key_free(struct key *key) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->key_free(key); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_key_free); + } else { + security_ops->key_free(key); + } +} +static inline int security_key_permission(key_ref_t key_ref, + struct task_struct *context, + key_perm_t perm) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->key_permission(key_ref, context, perm); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_key_permission); + return rc; + } else { + return security_ops->key_permission(key_ref, context, perm); + } +} diff -Nur linux-2.6.19.7/include/linux/lsmpmon_security.h linux-lsmpmon/include/linux/lsmpmon_security.h --- linux-2.6.19.7/include/linux/lsmpmon_security.h 1970-01-01 09:00:00.000000000 +0900 +++ linux-lsmpmon/include/linux/lsmpmon_security.h 2007-11-15 11:05:28.000000000 +0900 @@ -0,0 +1,1949 @@ +static inline int security_ptrace (struct task_struct * parent, struct task_struct * child) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->ptrace (parent, child); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_ptrace); + return rc; + } else { + return security_ops->ptrace (parent, child); + } +} +static inline int security_capget (struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->capget (target, effective, inheritable, permitted); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_capget); + return rc; + } else { + return security_ops->capget (target, effective, inheritable, permitted); + } +} +static inline int security_capset_check (struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->capset_check (target, effective, inheritable, permitted); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_capset_check); + return rc; + } else { + return security_ops->capset_check (target, effective, inheritable, permitted); + } +} +static inline void security_capset_set (struct task_struct *target, + kernel_cap_t *effective, + kernel_cap_t *inheritable, + kernel_cap_t *permitted) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->capset_set (target, effective, inheritable, permitted); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_capset_set); + } else { + security_ops->capset_set (target, effective, inheritable, permitted); + } +} +static inline int security_capable(struct task_struct *tsk, int cap) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->capable(tsk, cap); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_capable); + return rc; + } else { + return security_ops->capable(tsk, cap); + } +} +static inline int security_acct (struct file *file) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->acct (file); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_acct); + return rc; + } else { + return security_ops->acct (file); + } +} +static inline int security_sysctl(struct ctl_table *table, int op) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sysctl(table, op); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sysctl); + return rc; + } else { + return security_ops->sysctl(table, op); + } +} +static inline int security_quotactl (int cmds, int type, int id, + struct super_block *sb) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->quotactl (cmds, type, id, sb); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_quotactl); + return rc; + } else { + return security_ops->quotactl (cmds, type, id, sb); + } +} +static inline int security_quota_on (struct dentry * dentry) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->quota_on (dentry); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_quota_on); + return rc; + } else { + return security_ops->quota_on (dentry); + } +} +static inline int security_syslog(int type) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->syslog(type); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_syslog); + return rc; + } else { + return security_ops->syslog(type); + } +} +static inline int security_settime(struct timespec *ts, struct timezone *tz) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->settime(ts, tz); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_settime); + return rc; + } else { + return security_ops->settime(ts, tz); + } +} +static inline int security_vm_enough_memory(long pages) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->vm_enough_memory(pages); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_vm_enough_memory); + return rc; + } else { + return security_ops->vm_enough_memory(pages); + } +} +static inline int security_bprm_alloc (struct linux_binprm *bprm) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->bprm_alloc_security (bprm); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_bprm_alloc); + return rc; + } else { + return security_ops->bprm_alloc_security (bprm); + } +} +static inline void security_bprm_free (struct linux_binprm *bprm) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->bprm_free_security (bprm); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_bprm_free); + } else { + security_ops->bprm_free_security (bprm); + } +} +static inline void security_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->bprm_apply_creds (bprm, unsafe); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_bprm_apply_creds); + } else { + security_ops->bprm_apply_creds (bprm, unsafe); + } +} +static inline void security_bprm_post_apply_creds (struct linux_binprm *bprm) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->bprm_post_apply_creds (bprm); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_bprm_post_apply_creds); + } else { + security_ops->bprm_post_apply_creds (bprm); + } +} +static inline int security_bprm_set (struct linux_binprm *bprm) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->bprm_set_security (bprm); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_bprm_set); + return rc; + } else { + return security_ops->bprm_set_security (bprm); + } +} +static inline int security_bprm_check (struct linux_binprm *bprm) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->bprm_check_security (bprm); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_bprm_check); + return rc; + } else { + return security_ops->bprm_check_security (bprm); + } +} +static inline int security_bprm_secureexec (struct linux_binprm *bprm) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->bprm_secureexec (bprm); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_bprm_secureexec); + return rc; + } else { + return security_ops->bprm_secureexec (bprm); + } +} +static inline int security_sb_alloc (struct super_block *sb) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sb_alloc_security (sb); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_alloc); + return rc; + } else { + return security_ops->sb_alloc_security (sb); + } +} +static inline void security_sb_free (struct super_block *sb) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sb_free_security (sb); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_free); + } else { + security_ops->sb_free_security (sb); + } +} +static inline int security_sb_copy_data (struct file_system_type *type, + void *orig, void *copy) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sb_copy_data (type, orig, copy); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_copy_data); + return rc; + } else { + return security_ops->sb_copy_data (type, orig, copy); + } +} +static inline int security_sb_kern_mount (struct super_block *sb, void *data) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sb_kern_mount (sb, data); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_kern_mount); + return rc; + } else { + return security_ops->sb_kern_mount (sb, data); + } +} +static inline int security_sb_statfs (struct dentry *dentry) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sb_statfs (dentry); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_statfs); + return rc; + } else { + return security_ops->sb_statfs (dentry); + } +} +static inline int security_sb_mount (char *dev_name, struct nameidata *nd, + char *type, unsigned long flags, + void *data) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sb_mount (dev_name, nd, type, flags, data); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_mount); + return rc; + } else { + return security_ops->sb_mount (dev_name, nd, type, flags, data); + } +} +static inline int security_sb_check_sb (struct vfsmount *mnt, + struct nameidata *nd) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sb_check_sb (mnt, nd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_check_sb); + return rc; + } else { + return security_ops->sb_check_sb (mnt, nd); + } +} +static inline int security_sb_umount (struct vfsmount *mnt, int flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sb_umount (mnt, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_umount); + return rc; + } else { + return security_ops->sb_umount (mnt, flags); + } +} +static inline void security_sb_umount_close (struct vfsmount *mnt) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sb_umount_close (mnt); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_umount_close); + } else { + security_ops->sb_umount_close (mnt); + } +} +static inline void security_sb_umount_busy (struct vfsmount *mnt) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sb_umount_busy (mnt); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_umount_busy); + } else { + security_ops->sb_umount_busy (mnt); + } +} +static inline void security_sb_post_remount (struct vfsmount *mnt, + unsigned long flags, void *data) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sb_post_remount (mnt, flags, data); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_post_remount); + } else { + security_ops->sb_post_remount (mnt, flags, data); + } +} +static inline void security_sb_post_mountroot (void) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sb_post_mountroot (); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_post_mountroot); + } else { + security_ops->sb_post_mountroot (); + } +} +static inline void security_sb_post_addmount (struct vfsmount *mnt, + struct nameidata *mountpoint_nd) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sb_post_addmount (mnt, mountpoint_nd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_post_addmount); + } else { + security_ops->sb_post_addmount (mnt, mountpoint_nd); + } +} +static inline int security_sb_pivotroot (struct nameidata *old_nd, + struct nameidata *new_nd) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sb_pivotroot (old_nd, new_nd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_pivotroot); + return rc; + } else { + return security_ops->sb_pivotroot (old_nd, new_nd); + } +} +static inline void security_sb_post_pivotroot (struct nameidata *old_nd, + struct nameidata *new_nd) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sb_post_pivotroot (old_nd, new_nd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sb_post_pivotroot); + } else { + security_ops->sb_post_pivotroot (old_nd, new_nd); + } +} +static inline int security_inode_alloc (struct inode *inode) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + inode->i_security = NULL; + rc = security_ops->inode_alloc_security (inode); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_alloc); + return rc; + } else { + inode->i_security = NULL; + return security_ops->inode_alloc_security (inode); + } +} +static inline void security_inode_free (struct inode *inode) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->inode_free_security (inode); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_free); + } else { + security_ops->inode_free_security (inode); + } +} +static inline int security_inode_init_security (struct inode *inode, + struct inode *dir, + char **name, + void **value, + size_t *len) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (inode))) + rc = -EOPNOTSUPP; + else + rc = security_ops->inode_init_security (inode, dir, name, value, len); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_init_security); + return rc; + } else { + if (unlikely (IS_PRIVATE (inode))) + return -EOPNOTSUPP; + return security_ops->inode_init_security (inode, dir, name, value, len); + } +} +static inline int security_inode_create (struct inode *dir, + struct dentry *dentry, + int mode) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dir))) + rc = 0; + else + rc = security_ops->inode_create (dir, dentry, mode); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_create); + return rc; + } else { + if (unlikely (IS_PRIVATE (dir))) + return 0; + return security_ops->inode_create (dir, dentry, mode); + } +} +static inline int security_inode_link (struct dentry *old_dentry, + struct inode *dir, + struct dentry *new_dentry) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (old_dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_link (old_dentry, dir, new_dentry); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_link); + return rc; + } else { + if (unlikely (IS_PRIVATE (old_dentry->d_inode))) + return 0; + return security_ops->inode_link (old_dentry, dir, new_dentry); + } +} +static inline int security_inode_unlink (struct inode *dir, + struct dentry *dentry) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_unlink (dir, dentry); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_unlink); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_unlink (dir, dentry); + } +} +static inline int security_inode_symlink (struct inode *dir, + struct dentry *dentry, + const char *old_name) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dir))) + rc = 0; + else + rc = security_ops->inode_symlink (dir, dentry, old_name); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_symlink); + return rc; + } else { + if (unlikely (IS_PRIVATE (dir))) + return 0; + return security_ops->inode_symlink (dir, dentry, old_name); + } +} +static inline int security_inode_mkdir (struct inode *dir, + struct dentry *dentry, + int mode) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dir))) + rc = 0; + else + rc = security_ops->inode_mkdir (dir, dentry, mode); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_mkdir); + return rc; + } else { + if (unlikely (IS_PRIVATE (dir))) + return 0; + return security_ops->inode_mkdir (dir, dentry, mode); + } +} +static inline int security_inode_rmdir (struct inode *dir, + struct dentry *dentry) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_rmdir (dir, dentry); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_rmdir); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_rmdir (dir, dentry); + } +} +static inline int security_inode_mknod (struct inode *dir, + struct dentry *dentry, + int mode, dev_t dev) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dir))) + rc = 0; + else + rc = security_ops->inode_mknod (dir, dentry, mode, dev); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_mknod); + return rc; + } else { + if (unlikely (IS_PRIVATE (dir))) + return 0; + return security_ops->inode_mknod (dir, dentry, mode, dev); + } +} +static inline int security_inode_rename (struct inode *old_dir, + struct dentry *old_dentry, + struct inode *new_dir, + struct dentry *new_dentry) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (old_dentry->d_inode) || + (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) + rc = 0; + else + rc = security_ops->inode_rename (old_dir, old_dentry, + new_dir, new_dentry); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_rename); + return rc; + } else { + if (unlikely (IS_PRIVATE (old_dentry->d_inode) || + (new_dentry->d_inode && IS_PRIVATE (new_dentry->d_inode)))) + return 0; + return security_ops->inode_rename (old_dir, old_dentry, + new_dir, new_dentry); + } +} +static inline int security_inode_readlink (struct dentry *dentry) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_readlink (dentry); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_readlink); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_readlink (dentry); + } +} +static inline int security_inode_follow_link (struct dentry *dentry, + struct nameidata *nd) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_follow_link (dentry, nd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_follow_link); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_follow_link (dentry, nd); + } +} +static inline int security_inode_permission (struct inode *inode, int mask, + struct nameidata *nd) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (inode))) + rc = 0; + else + rc = security_ops->inode_permission (inode, mask, nd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_permission); + return rc; + } else { + if (unlikely (IS_PRIVATE (inode))) + return 0; + return security_ops->inode_permission (inode, mask, nd); + } +} +static inline int security_inode_setattr (struct dentry *dentry, + struct iattr *attr) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_setattr (dentry, attr); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_setattr); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_setattr (dentry, attr); + } +} +static inline int security_inode_getattr (struct vfsmount *mnt, + struct dentry *dentry) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_getattr (mnt, dentry); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_getattr); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_getattr (mnt, dentry); + } +} +static inline void security_inode_delete (struct inode *inode) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (inode))) + { } + else + security_ops->inode_delete (inode); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_delete); + } else { + if (unlikely (IS_PRIVATE (inode))) + return; + security_ops->inode_delete (inode); + } +} +static inline int security_inode_setxattr (struct dentry *dentry, char *name, + void *value, size_t size, int flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_setxattr (dentry, name, value, size, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_setxattr); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_setxattr (dentry, name, value, size, flags); + } +} +static inline void security_inode_post_setxattr (struct dentry *dentry, char *name, + void *value, size_t size, int flags) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + { } + else + security_ops->inode_post_setxattr (dentry, name, value, size, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_post_setxattr); + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return; + security_ops->inode_post_setxattr (dentry, name, value, size, flags); + } +} +static inline int security_inode_getxattr (struct dentry *dentry, char *name) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_getxattr (dentry, name); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_getxattr); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_getxattr (dentry, name); + } +} +static inline int security_inode_listxattr (struct dentry *dentry) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_listxattr (dentry); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_listxattr); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_listxattr (dentry); + } +} +static inline int security_inode_removexattr (struct dentry *dentry, char *name) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (dentry->d_inode))) + rc = 0; + else + rc = security_ops->inode_removexattr (dentry, name); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_removexattr); + return rc; + } else { + if (unlikely (IS_PRIVATE (dentry->d_inode))) + return 0; + return security_ops->inode_removexattr (dentry, name); + } +} +static inline const char *security_inode_xattr_getsuffix(void) +{ + const char *rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->inode_xattr_getsuffix(); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_xattr_getsuffix); + return rc; + } else { + return security_ops->inode_xattr_getsuffix(); + } +} +static inline int security_inode_getsecurity(const struct inode *inode, const char *name, void *buffer, size_t size, int err) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (inode))) + rc = 0; + else + rc = security_ops->inode_getsecurity(inode, name, buffer, size, err); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_getsecurity); + return rc; + } else { + if (unlikely (IS_PRIVATE (inode))) + return 0; + return security_ops->inode_getsecurity(inode, name, buffer, size, err); + } +} +static inline int security_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (inode))) + rc = 0; + else + rc = security_ops->inode_setsecurity(inode, name, value, size, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_setsecurity); + return rc; + } else { + if (unlikely (IS_PRIVATE (inode))) + return 0; + return security_ops->inode_setsecurity(inode, name, value, size, flags); + } +} +static inline int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (IS_PRIVATE (inode))) + rc = 0; + else + rc = security_ops->inode_listsecurity(inode, buffer, buffer_size); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inode_listsecurity); + return rc; + } else { + if (unlikely (IS_PRIVATE (inode))) + return 0; + return security_ops->inode_listsecurity(inode, buffer, buffer_size); + } +} +static inline int security_file_permission (struct file *file, int mask) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_permission (file, mask); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_permission); + return rc; + } else { + return security_ops->file_permission (file, mask); + } +} +static inline int security_file_alloc (struct file *file) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_alloc_security (file); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_alloc); + return rc; + } else { + return security_ops->file_alloc_security (file); + } +} +static inline void security_file_free (struct file *file) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->file_free_security (file); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_free); + } else { + security_ops->file_free_security (file); + } +} +static inline int security_file_ioctl (struct file *file, unsigned int cmd, + unsigned long arg) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_ioctl (file, cmd, arg); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_ioctl); + return rc; + } else { + return security_ops->file_ioctl (file, cmd, arg); + } +} +static inline int security_file_mmap (struct file *file, unsigned long reqprot, + unsigned long prot, + unsigned long flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_mmap (file, reqprot, prot, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_mmap); + return rc; + } else { + return security_ops->file_mmap (file, reqprot, prot, flags); + } +} +static inline int security_file_mprotect (struct vm_area_struct *vma, + unsigned long reqprot, + unsigned long prot) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_mprotect (vma, reqprot, prot); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_mprotect); + return rc; + } else { + return security_ops->file_mprotect (vma, reqprot, prot); + } +} +static inline int security_file_lock (struct file *file, unsigned int cmd) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_lock (file, cmd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_lock); + return rc; + } else { + return security_ops->file_lock (file, cmd); + } +} +static inline int security_file_fcntl (struct file *file, unsigned int cmd, + unsigned long arg) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_fcntl (file, cmd, arg); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_fcntl); + return rc; + } else { + return security_ops->file_fcntl (file, cmd, arg); + } +} +static inline int security_file_set_fowner (struct file *file) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_set_fowner (file); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_set_fowner); + return rc; + } else { + return security_ops->file_set_fowner (file); + } +} +static inline int security_file_send_sigiotask (struct task_struct *tsk, + struct fown_struct *fown, + int sig) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_send_sigiotask (tsk, fown, sig); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_send_sigiotask); + return rc; + } else { + return security_ops->file_send_sigiotask (tsk, fown, sig); + } +} +static inline int security_file_receive (struct file *file) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->file_receive (file); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_file_receive); + return rc; + } else { + return security_ops->file_receive (file); + } +} +static inline int security_task_create (unsigned long clone_flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_create (clone_flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_create); + return rc; + } else { + return security_ops->task_create (clone_flags); + } +} +static inline int security_task_alloc (struct task_struct *p) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_alloc_security (p); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_alloc); + return rc; + } else { + return security_ops->task_alloc_security (p); + } +} +static inline void security_task_free (struct task_struct *p) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->task_free_security (p); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_free); + } else { + security_ops->task_free_security (p); + } +} +static inline int security_task_setuid (uid_t id0, uid_t id1, uid_t id2, + int flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_setuid (id0, id1, id2, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_setuid); + return rc; + } else { + return security_ops->task_setuid (id0, id1, id2, flags); + } +} +static inline int security_task_post_setuid (uid_t old_ruid, uid_t old_euid, + uid_t old_suid, int flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_post_setuid (old_ruid, old_euid, old_suid, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_post_setuid); + return rc; + } else { + return security_ops->task_post_setuid (old_ruid, old_euid, old_suid, flags); + } +} +static inline int security_task_setgid (gid_t id0, gid_t id1, gid_t id2, + int flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_setgid (id0, id1, id2, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_setgid); + return rc; + } else { + return security_ops->task_setgid (id0, id1, id2, flags); + } +} +static inline int security_task_setpgid (struct task_struct *p, pid_t pgid) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_setpgid (p, pgid); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_setpgid); + return rc; + } else { + return security_ops->task_setpgid (p, pgid); + } +} +static inline int security_task_getpgid (struct task_struct *p) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_getpgid (p); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_getpgid); + return rc; + } else { + return security_ops->task_getpgid (p); + } +} +static inline int security_task_getsid (struct task_struct *p) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_getsid (p); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_getsid); + return rc; + } else { + return security_ops->task_getsid (p); + } +} +static inline void security_task_getsecid (struct task_struct *p, u32 *secid) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->task_getsecid (p, secid); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_getsecid); + } else { + security_ops->task_getsecid (p, secid); + } +} +static inline int security_task_setgroups (struct group_info *group_info) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_setgroups (group_info); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_setgroups); + return rc; + } else { + return security_ops->task_setgroups (group_info); + } +} +static inline int security_task_setnice (struct task_struct *p, int nice) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_setnice (p, nice); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_setnice); + return rc; + } else { + return security_ops->task_setnice (p, nice); + } +} +static inline int security_task_setioprio (struct task_struct *p, int ioprio) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_setioprio (p, ioprio); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_setioprio); + return rc; + } else { + return security_ops->task_setioprio (p, ioprio); + } +} +static inline int security_task_getioprio (struct task_struct *p) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_getioprio (p); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_getioprio); + return rc; + } else { + return security_ops->task_getioprio (p); + } +} +static inline int security_task_setrlimit (unsigned int resource, + struct rlimit *new_rlim) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_setrlimit (resource, new_rlim); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_setrlimit); + return rc; + } else { + return security_ops->task_setrlimit (resource, new_rlim); + } +} +static inline int security_task_setscheduler (struct task_struct *p, + int policy, + struct sched_param *lp) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_setscheduler (p, policy, lp); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_setscheduler); + return rc; + } else { + return security_ops->task_setscheduler (p, policy, lp); + } +} +static inline int security_task_getscheduler (struct task_struct *p) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_getscheduler (p); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_getscheduler); + return rc; + } else { + return security_ops->task_getscheduler (p); + } +} +static inline int security_task_movememory (struct task_struct *p) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_movememory (p); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_movememory); + return rc; + } else { + return security_ops->task_movememory (p); + } +} +static inline int security_task_kill (struct task_struct *p, + struct siginfo *info, int sig, + u32 secid) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_kill (p, info, sig, secid); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_kill); + return rc; + } else { + return security_ops->task_kill (p, info, sig, secid); + } +} +static inline int security_task_wait (struct task_struct *p) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_wait (p); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_wait); + return rc; + } else { + return security_ops->task_wait (p); + } +} +static inline int security_task_prctl (int option, unsigned long arg2, + unsigned long arg3, + unsigned long arg4, + unsigned long arg5) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->task_prctl (option, arg2, arg3, arg4, arg5); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_prctl); + return rc; + } else { + return security_ops->task_prctl (option, arg2, arg3, arg4, arg5); + } +} +static inline void security_task_reparent_to_init (struct task_struct *p) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->task_reparent_to_init (p); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_reparent_to_init); + } else { + security_ops->task_reparent_to_init (p); + } +} +static inline void security_task_to_inode(struct task_struct *p, struct inode *inode) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->task_to_inode(p, inode); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_task_to_inode); + } else { + security_ops->task_to_inode(p, inode); + } +} +static inline int security_ipc_permission (struct kern_ipc_perm *ipcp, + short flag) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->ipc_permission (ipcp, flag); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_ipc_permission); + return rc; + } else { + return security_ops->ipc_permission (ipcp, flag); + } +} +static inline int security_msg_msg_alloc (struct msg_msg * msg) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->msg_msg_alloc_security (msg); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_msg_msg_alloc); + return rc; + } else { + return security_ops->msg_msg_alloc_security (msg); + } +} +static inline void security_msg_msg_free (struct msg_msg * msg) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->msg_msg_free_security(msg); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_msg_msg_free); + } else { + security_ops->msg_msg_free_security(msg); + } +} +static inline int security_msg_queue_alloc (struct msg_queue *msq) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->msg_queue_alloc_security (msq); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_msg_queue_alloc); + return rc; + } else { + return security_ops->msg_queue_alloc_security (msq); + } +} +static inline void security_msg_queue_free (struct msg_queue *msq) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->msg_queue_free_security (msq); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_msg_queue_free); + } else { + security_ops->msg_queue_free_security (msq); + } +} +static inline int security_msg_queue_associate (struct msg_queue * msq, + int msqflg) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->msg_queue_associate (msq, msqflg); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_msg_queue_associate); + return rc; + } else { + return security_ops->msg_queue_associate (msq, msqflg); + } +} +static inline int security_msg_queue_msgctl (struct msg_queue * msq, int cmd) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->msg_queue_msgctl (msq, cmd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_msg_queue_msgctl); + return rc; + } else { + return security_ops->msg_queue_msgctl (msq, cmd); + } +} +static inline int security_msg_queue_msgsnd (struct msg_queue * msq, + struct msg_msg * msg, int msqflg) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->msg_queue_msgsnd (msq, msg, msqflg); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_msg_queue_msgsnd); + return rc; + } else { + return security_ops->msg_queue_msgsnd (msq, msg, msqflg); + } +} +static inline int security_msg_queue_msgrcv (struct msg_queue * msq, + struct msg_msg * msg, + struct task_struct * target, + long type, int mode) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->msg_queue_msgrcv (msq, msg, target, type, mode); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_msg_queue_msgrcv); + return rc; + } else { + return security_ops->msg_queue_msgrcv (msq, msg, target, type, mode); + } +} +static inline int security_shm_alloc (struct shmid_kernel *shp) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->shm_alloc_security (shp); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_shm_alloc); + return rc; + } else { + return security_ops->shm_alloc_security (shp); + } +} +static inline void security_shm_free (struct shmid_kernel *shp) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->shm_free_security (shp); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_shm_free); + } else { + security_ops->shm_free_security (shp); + } +} +static inline int security_shm_associate (struct shmid_kernel * shp, + int shmflg) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->shm_associate(shp, shmflg); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_shm_associate); + return rc; + } else { + return security_ops->shm_associate(shp, shmflg); + } +} +static inline int security_shm_shmctl (struct shmid_kernel * shp, int cmd) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->shm_shmctl (shp, cmd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_shm_shmctl); + return rc; + } else { + return security_ops->shm_shmctl (shp, cmd); + } +} +static inline int security_shm_shmat (struct shmid_kernel * shp, + char __user *shmaddr, int shmflg) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->shm_shmat(shp, shmaddr, shmflg); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_shm_shmat); + return rc; + } else { + return security_ops->shm_shmat(shp, shmaddr, shmflg); + } +} +static inline int security_sem_alloc (struct sem_array *sma) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sem_alloc_security (sma); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sem_alloc); + return rc; + } else { + return security_ops->sem_alloc_security (sma); + } +} +static inline void security_sem_free (struct sem_array *sma) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sem_free_security (sma); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sem_free); + } else { + security_ops->sem_free_security (sma); + } +} +static inline int security_sem_associate (struct sem_array * sma, int semflg) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sem_associate (sma, semflg); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sem_associate); + return rc; + } else { + return security_ops->sem_associate (sma, semflg); + } +} +static inline int security_sem_semctl (struct sem_array * sma, int cmd) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sem_semctl(sma, cmd); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sem_semctl); + return rc; + } else { + return security_ops->sem_semctl(sma, cmd); + } +} +static inline int security_sem_semop (struct sem_array * sma, + struct sembuf * sops, unsigned nsops, + int alter) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sem_semop(sma, sops, nsops, alter); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sem_semop); + return rc; + } else { + return security_ops->sem_semop(sma, sops, nsops, alter); + } +} +static inline void security_d_instantiate (struct dentry *dentry, struct inode *inode) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (unlikely (inode && IS_PRIVATE (inode))) + { } + else + security_ops->d_instantiate (dentry, inode); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_d_instantiate); + } else { + if (unlikely (inode && IS_PRIVATE (inode))) + return; + security_ops->d_instantiate (dentry, inode); + } +} +static inline int security_getprocattr(struct task_struct *p, char *name, void *value, size_t size) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->getprocattr(p, name, value, size); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_getprocattr); + return rc; + } else { + return security_ops->getprocattr(p, name, value, size); + } +} +static inline int security_setprocattr(struct task_struct *p, char *name, void *value, size_t size) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->setprocattr(p, name, value, size); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_setprocattr); + return rc; + } else { + return security_ops->setprocattr(p, name, value, size); + } +} +static inline int security_netlink_send(struct sock *sk, struct sk_buff * skb) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->netlink_send(sk, skb); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_netlink_send); + return rc; + } else { + return security_ops->netlink_send(sk, skb); + } +} +static inline int security_netlink_recv(struct sk_buff * skb, int cap) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->netlink_recv(skb, cap); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_netlink_recv); + return rc; + } else { + return security_ops->netlink_recv(skb, cap); + } +} +static inline int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->secid_to_secctx(secid, secdata, seclen); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_secid_to_secctx); + return rc; + } else { + return security_ops->secid_to_secctx(secid, secdata, seclen); + } +} +static inline void security_release_secctx(char *secdata, u32 seclen) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->release_secctx(secdata, seclen); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_release_secctx); + } else { + return security_ops->release_secctx(secdata, seclen); + } +} + diff -Nur linux-2.6.19.7/include/linux/lsmpmon_security_network.h linux-lsmpmon/include/linux/lsmpmon_security_network.h --- linux-2.6.19.7/include/linux/lsmpmon_security_network.h 1970-01-01 09:00:00.000000000 +0900 +++ linux-lsmpmon/include/linux/lsmpmon_security_network.h 2007-11-15 13:37:42.000000000 +0900 @@ -0,0 +1,415 @@ +static inline int security_unix_stream_connect(struct socket * sock, + struct socket * other, + struct sock * newsk) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->unix_stream_connect(sock, other, newsk); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_unix_stream_connect); + return rc; + } else { + return security_ops->unix_stream_connect(sock, other, newsk); + } +} +static inline int security_unix_may_send(struct socket * sock, + struct socket * other) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->unix_may_send(sock, other); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_unix_may_send); + return rc; + } else { + return security_ops->unix_may_send(sock, other); + } +} +static inline int security_socket_create (int family, int type, + int protocol, int kern) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_create(family, type, protocol, kern); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_create); + return rc; + } else { + return security_ops->socket_create(family, type, protocol, kern); + } +} +static inline int security_socket_post_create(struct socket * sock, + int family, + int type, + int protocol, int kern) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_post_create(sock, family, type, + protocol, kern); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_post_create); + return rc; + } else { + return security_ops->socket_post_create(sock, family, type, + protocol, kern); + } +} +static inline int security_socket_bind(struct socket * sock, + struct sockaddr * address, + int addrlen) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_bind(sock, address, addrlen); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_bind); + return rc; + } else { + return security_ops->socket_bind(sock, address, addrlen); + } +} +static inline int security_socket_connect(struct socket * sock, + struct sockaddr * address, + int addrlen) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_connect(sock, address, addrlen); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_connect); + return rc; + } else { + return security_ops->socket_connect(sock, address, addrlen); + } +} +static inline int security_socket_listen(struct socket * sock, int backlog) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_listen(sock, backlog); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_listen); + return rc; + } else { + return security_ops->socket_listen(sock, backlog); + } +} +static inline int security_socket_accept(struct socket * sock, + struct socket * newsock) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_accept(sock, newsock); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_accept); + return rc; + } else { + return security_ops->socket_accept(sock, newsock); + } +} +static inline void security_socket_post_accept(struct socket * sock, + struct socket * newsock) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->socket_post_accept(sock, newsock); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_post_accept); + } else { + security_ops->socket_post_accept(sock, newsock); + } +} +static inline int security_socket_sendmsg(struct socket * sock, + struct msghdr * msg, int size) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_sendmsg(sock, msg, size); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_sendmsg); + return rc; + } else { + return security_ops->socket_sendmsg(sock, msg, size); + } +} +static inline int security_socket_recvmsg(struct socket * sock, + struct msghdr * msg, int size, + int flags) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_recvmsg(sock, msg, size, flags); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_recvmsg); + return rc; + } else { + return security_ops->socket_recvmsg(sock, msg, size, flags); + } +} +static inline int security_socket_getsockname(struct socket * sock) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_getsockname(sock); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_getsockname); + return rc; + } else { + return security_ops->socket_getsockname(sock); + } +} +static inline int security_socket_getpeername(struct socket * sock) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_getpeername(sock); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_getpeername); + return rc; + } else { + return security_ops->socket_getpeername(sock); + } +} +static inline int security_socket_getsockopt(struct socket * sock, + int level, int optname) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_getsockopt(sock, level, optname); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_getsockopt); + return rc; + } else { + return security_ops->socket_getsockopt(sock, level, optname); + } +} +static inline int security_socket_setsockopt(struct socket * sock, + int level, int optname) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_setsockopt(sock, level, optname); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_setsockopt); + return rc; + } else { + return security_ops->socket_setsockopt(sock, level, optname); + } +} +static inline int security_socket_shutdown(struct socket * sock, int how) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_shutdown(sock, how); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_shutdown); + return rc; + } else { + return security_ops->socket_shutdown(sock, how); + } +} +static inline int security_sock_rcv_skb (struct sock * sk, + struct sk_buff * skb) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_sock_rcv_skb (sk, skb); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sock_rcv_skb); + return rc; + } else { + return security_ops->socket_sock_rcv_skb (sk, skb); + } +} +static inline int security_socket_getpeersec_stream(struct socket *sock, char __user *optval, + int __user *optlen, unsigned len) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_getpeersec_stream(sock, optval, optlen, len); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_getpeersec_stream); + return rc; + } else { + return security_ops->socket_getpeersec_stream(sock, optval, optlen, len); + } +} +static inline int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->socket_getpeersec_dgram(sock, skb, secid); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_socket_getpeersec_dgram); + return rc; + } else { + return security_ops->socket_getpeersec_dgram(sock, skb, secid); + } +} +static inline int security_sk_alloc(struct sock *sk, int family, gfp_t priority) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->sk_alloc_security(sk, family, priority); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sk_alloc); + return rc; + } else { + return security_ops->sk_alloc_security(sk, family, priority); + } +} +static inline void security_sk_free(struct sock *sk) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sk_free_security(sk); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sk_free); + } else { + return security_ops->sk_free_security(sk); + } +} +static inline void security_sk_clone(const struct sock *sk, struct sock *newsk) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sk_clone_security(sk, newsk); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sk_clone); + } else { + return security_ops->sk_clone_security(sk, newsk); + } +} +static inline void security_sk_classify_flow(struct sock *sk, struct flowi *fl) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sk_getsecid(sk, &fl->secid); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sk_classify_flow); + } else { + security_ops->sk_getsecid(sk, &fl->secid); + } +} +static inline void security_req_classify_flow(const struct request_sock *req, struct flowi *fl) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->req_classify_flow(req, fl); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_req_classify_flow); + } else { + security_ops->req_classify_flow(req, fl); + } +} +static inline void security_sock_graft(struct sock* sk, struct socket *parent) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->sock_graft(sk, parent); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_sock_graft); + } else { + security_ops->sock_graft(sk, parent); + } +} +static inline int security_inet_conn_request(struct sock *sk, + struct sk_buff *skb, struct request_sock *req) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->inet_conn_request(sk, skb, req); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inet_conn_request); + return rc; + } else { + return security_ops->inet_conn_request(sk, skb, req); + } +} +static inline void security_inet_csk_clone(struct sock *newsk, + const struct request_sock *req) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->inet_csk_clone(newsk, req); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_inet_csk_clone); + } else { + security_ops->inet_csk_clone(newsk, req); + } +} diff -Nur linux-2.6.19.7/include/linux/lsmpmon_security_network_xfrm.h linux-lsmpmon/include/linux/lsmpmon_security_network_xfrm.h --- linux-2.6.19.7/include/linux/lsmpmon_security_network_xfrm.h 1970-01-01 09:00:00.000000000 +0900 +++ linux-lsmpmon/include/linux/lsmpmon_security_network_xfrm.h 2007-11-15 11:05:28.000000000 +0900 @@ -0,0 +1,203 @@ +static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_policy_alloc_security(xp, sec_ctx, NULL); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_policy_alloc); + return rc; + } else { + return security_ops->xfrm_policy_alloc_security(xp, sec_ctx, NULL); + } +} +static inline int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_policy_clone_security(old, new); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_policy_clone); + return rc; + } else { + return security_ops->xfrm_policy_clone_security(old, new); + } +} +static inline void security_xfrm_policy_free(struct xfrm_policy *xp) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->xfrm_policy_free_security(xp); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_policy_free); + } else { + security_ops->xfrm_policy_free_security(xp); + } +} +static inline int security_xfrm_policy_delete(struct xfrm_policy *xp) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_policy_delete_security(xp); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_policy_delete); + return rc; + } else { + return security_ops->xfrm_policy_delete_security(xp); + } +} +static inline int security_xfrm_state_alloc(struct xfrm_state *x, + struct xfrm_user_sec_ctx *sec_ctx) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_state_alloc_security(x, sec_ctx, NULL, 0); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_state_alloc); + return rc; + } else { + return security_ops->xfrm_state_alloc_security(x, sec_ctx, NULL, 0); + } +} +static inline int security_xfrm_state_alloc_acquire(struct xfrm_state *x, + struct xfrm_sec_ctx *polsec, u32 secid) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + if (!polsec) + rc = 0; + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_state_alloc_acquire); + return rc; + } else { + if (!polsec) + return 0; + return security_ops->xfrm_state_alloc_security(x, NULL, polsec, secid); + } +} +static inline int security_xfrm_state_delete(struct xfrm_state *x) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_state_delete_security(x); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_state_delete); + return rc; + } else { + return security_ops->xfrm_state_delete_security(x); + } +} +static inline void security_xfrm_state_free(struct xfrm_state *x) +{ + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + security_ops->xfrm_state_free_security(x); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_state_free); + } else { + security_ops->xfrm_state_free_security(x); + } +} +static inline int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_policy_lookup(xp, fl_secid, dir); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_policy_lookup); + return rc; + } else { + return security_ops->xfrm_policy_lookup(xp, fl_secid, dir); + } +} +static inline int security_xfrm_state_pol_flow_match(struct xfrm_state *x, + struct xfrm_policy *xp, struct flowi *fl) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_state_pol_flow_match(x, xp, fl); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_state_pol_flow_match); + return rc; + } else { + return security_ops->xfrm_state_pol_flow_match(x, xp, fl); + } +} +static inline int security_xfrm_flow_state_match(struct flowi *fl, + struct xfrm_state *xfrm, struct xfrm_policy *xp) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_flow_state_match(fl, xfrm, xp); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_flow_state_match); + return rc; + } else { + return security_ops->xfrm_flow_state_match(fl, xfrm, xp); + } +} +static inline int security_xfrm_decode_session(struct sk_buff *skb, u32 *secid) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_decode_session(skb, secid, 1); + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_xfrm_decode_session); + return rc; + } else { + return security_ops->xfrm_decode_session(skb, secid, 1); + } +} + +static inline void security_skb_classify_flow(struct sk_buff *skb, struct flowi *fl) +{ + int rc; + unsigned long long start, end; + + if (lsmpmon_enable) { + start = gettime(); + rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0); + + BUG_ON(rc); + + end = gettime(); + lsmpmon_store(difftime(start, end), lsm_skb_classify_flow); + } else { + rc = security_ops->xfrm_decode_session(skb, &fl->secid, 0); + + BUG_ON(rc); + } +} diff -Nur linux-2.6.19.7/include/linux/security.h linux-lsmpmon/include/linux/security.h --- linux-2.6.19.7/include/linux/security.h 2007-03-03 14:14:54.000000000 +0900 +++ linux-lsmpmon/include/linux/security.h 2007-12-07 13:39:52.000000000 +0900 @@ -34,6 +34,10 @@ #include #include +#ifdef CONFIG_LSMPMON +#include +#endif + struct ctl_table; /* @@ -1411,6 +1415,9 @@ extern struct security_operations *security_ops; /* inline stuff */ +#ifdef CONFIG_LSMPMON +#include +#else static inline int security_ptrace (struct task_struct * parent, struct task_struct * child) { return security_ops->ptrace (parent, child); @@ -2131,6 +2138,8 @@ return security_ops->release_secctx(secdata, seclen); } +#endif /* lsmpmon */ + /* prototypes */ extern int security_init (void); extern int register_security (struct security_operations *ops); @@ -2143,7 +2152,6 @@ extern struct dentry *securityfs_create_dir(const char *name, struct dentry *parent); extern void securityfs_remove(struct dentry *dentry); - #else /* CONFIG_SECURITY */ /* @@ -2808,6 +2816,9 @@ #endif /* CONFIG_SECURITY */ #ifdef CONFIG_SECURITY_NETWORK +#ifdef CONFIG_LSMPMON +#include +#else static inline int security_unix_stream_connect(struct socket * sock, struct socket * other, struct sock * newsk) @@ -2966,6 +2977,8 @@ { security_ops->inet_csk_clone(newsk, req); } + +#endif /* lsmpmon */ #else /* CONFIG_SECURITY_NETWORK */ static inline int security_unix_stream_connect(struct socket * sock, struct socket * other, @@ -3118,6 +3131,9 @@ #endif /* CONFIG_SECURITY_NETWORK */ #ifdef CONFIG_SECURITY_NETWORK_XFRM +#ifdef CONFIG_LSMPMON +#include +#else static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) { return security_ops->xfrm_policy_alloc_security(xp, sec_ctx, NULL); @@ -3190,6 +3206,8 @@ BUG_ON(rc); } + +#endif /* lsmpmon */ #else /* CONFIG_SECURITY_NETWORK_XFRM */ static inline int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) { @@ -3261,6 +3279,9 @@ #ifdef CONFIG_KEYS #ifdef CONFIG_SECURITY +#ifdef CONFIG_LSMPMON +#include +#else static inline int security_key_alloc(struct key *key, struct task_struct *tsk, unsigned long flags) @@ -3280,6 +3301,7 @@ return security_ops->key_permission(key_ref, context, perm); } +#endif /* lsmpmon */ #else static inline int security_key_alloc(struct key *key, diff -Nur linux-2.6.19.7/security/Kconfig linux-lsmpmon/security/Kconfig --- linux-2.6.19.7/security/Kconfig 2007-03-03 14:14:54.000000000 +0900 +++ linux-lsmpmon/security/Kconfig 2007-11-15 11:05:28.000000000 +0900 @@ -95,5 +95,8 @@ source security/selinux/Kconfig +config LSMPMON + bool "LSM Performance Monitor" + endmenu diff -Nur linux-2.6.19.7/security/Makefile linux-lsmpmon/security/Makefile --- linux-2.6.19.7/security/Makefile 2007-03-03 14:14:54.000000000 +0900 +++ linux-lsmpmon/security/Makefile 2007-11-15 11:05:28.000000000 +0900 @@ -16,3 +16,4 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o +obj-$(CONFIG_LSMPMON) += lsmpmon.o diff -Nur linux-2.6.19.7/security/lsmpmon.c linux-lsmpmon/security/lsmpmon.c --- linux-2.6.19.7/security/lsmpmon.c 1970-01-01 09:00:00.000000000 +0900 +++ linux-lsmpmon/security/lsmpmon.c 2007-12-07 13:39:02.000000000 +0900 @@ -0,0 +1,251 @@ +#include +#include +#include +#include +#include +#include + +#include "lsmpmon.h" + + +/* + * CONTROLファイルへの読み込み処理用関数 + */ +static ssize_t lsmpmon_control_read(struct file *file, char __user *buf, + size_t size, loff_t *pos) +{ + char result[2] = "0\n"; + + if (lsmpmon_enable == 1) + result[0] = '1'; + else + result[0] = '0'; + + return simple_read_from_buffer(buf, size, pos, &result, 2); +} + +/* + * CONTROLファイルへの書き込み処理用関数 + * 1: start LSMPMON logging + * 0: stop LSMPMON logging + * reset: clear log data + */ +static ssize_t lsmpmon_control_write(struct file *file, const char __user *buf, + size_t size, loff_t *pos) +{ + char *data; + + data = lsmpmon_get_user_data(buf, size, size, pos); + + if(data[0] == '1') + lsmpmon_enable = 1; + else if (data[0] == '0') + lsmpmon_enable = 0; + else if (strncmp(data, "reset", 5) == 0) + lsmpmon_reset_counter(); + + return size; +} + + +/* + * 結果の保存用変数を初期化 + * CONTROLファイルに"reset"という文字列が書き込まれた場合に呼び出される + */ +static void lsmpmon_reset_counter(void) +{ + int i; + for (i = 0; i < LSMPMON_NUM; i++) { + lsmpmon_min[i] = -1; + lsmpmon_max[i] = lsmpmon_count[i] = lsmpmon_sum[i] = 0; + } +} + +/* + * ユーザ空間のデータ取得用関数 + */ +static char *lsmpmon_get_user_data(const char __user *userbuf, + size_t alloc_size, size_t copy_size, loff_t *pos) +{ + char *data; + + if (*pos != 0) { + data = ERR_PTR(-ESPIPE); + goto out; + } + + data = vmalloc(alloc_size); + if (data == NULL) { + data = ERR_PTR(-EPERM); + goto out; + } + + if(copy_from_user(data, userbuf, copy_size)) { + vfree(data); + data = ERR_PTR(-EFAULT); + goto out; + } + +out: + return data; +} + + +/* + * LSMPMONの初期化用関数 + * securityfsによる擬似ファイルシステムを構築する + * 最小値を-1にする. + */ +static int __init lsmpmon_init(void) +{ + int i; + + printk("LSMPMON: ready\n"); + parent = securityfs_create_dir("lsmpmon", NULL); + if (parent == NULL) + return -1; + result = securityfs_create_file("result", 0400, parent, NULL, &result_ops); + if (result == NULL) + return -2; + control = securityfs_create_file("control", 0600, parent, NULL, &control_ops); + if (control == NULL) + return -3; + + for (i = 0; i < LSMPMON_NUM; i++) + lsmpmon_min[i] = -1; + + return lsmpmon_enable; +} + + +/* + * LSMPMONの終了用関数 + * 構築したsecurityfsを解放する + */ +static void __exit lsmpmon_exit(void) +{ + securityfs_remove(control); + securityfs_remove(result); + securityfs_remove(parent); + + printk("LSMPMON: exit\n"); +} + +__initcall(lsmpmon_init); +__exitcall(lsmpmon_exit); + + +/* + * ブートコマンドライン処理用関数 + * カーネル起動時に,"lsmpmon=XXX"というコマンドラインを受け付ける + * XXX == 0: LSMPMON無効 + * XXX != 0: LSMPMON有効 + */ +static int __init lsmpmon_enable_setup(char *str) +{ + lsmpmon_enable = simple_strtol(str, NULL, 0); + return 1; +} +__setup("lsmpmon=", lsmpmon_enable_setup); + + +/* + * RESULTファイルopen時の処理用関数 + */ +static int lsmpmon_result_open(struct inode *inode, struct file *file) +{ + return seq_open(file, &result_ops_seq); +} + +/* + * seq_file機構のための関数群 + * RESULTファイルへの読み込み要求に対し,以下の処理を行う + * 1. lsmpmon_startが呼び出される.lsmpmon_startはヘッダを表示 + * 2. lsmpmon_show_resultが呼び出される. + * lsmpmon_show_resultは,LSMPMONによって取得されたフック関数の結果 + * のうち,オフセットposに対応したデータを表示する. + * pos: 0~162 + * 3. lsmpmon_nextが呼び出される.lsmpmon_nextは,オフセット値をインク + * リメントする. + * 4. 2, 3の処理をLSMPMON_NUM回繰り返す. + */ +static void *lsmpmon_start(struct seq_file *m, loff_t *pos) +{ + /* print header */ + if (*pos == 0) { + seq_printf(m, "hook min\tmax\tave\tcount\n"); + seq_printf(m, "------------------------------------------------------------\n"); + } else if (*pos == LSMPMON_NUM) + return NULL; + + return pos; +} + +static void *lsmpmon_next(struct seq_file *m, void *p, loff_t *pos) +{ + ++*pos; + if (*pos == LSMPMON_NUM) + return NULL; + + return pos; +} + +static void lsmpmon_stop(struct seq_file *m, void *p) +{ + return; +} + +static int lsmpmon_show_result(struct seq_file *m, void *p) +{ + int i = *(int *)p; /* i is offset */ + long long tmp; + + if (lsmpmon_count[i] == 0) + seq_printf(m, "%s\n", lsmpmon_hookname[i]); + else { + tmp = lsmpmon_sum[i]; + do_div(tmp, lsmpmon_count[i]); + seq_printf(m, "%s %lu\t%lu\t%llu\t%lu\n", + lsmpmon_hookname[i], lsmpmon_min[i], lsmpmon_max[i], + tmp, lsmpmon_count[i]); + } + return 0; +} + +/* + * 時刻の取得用関数 + */ +long long gettime(void) +{ + long long time; + rdtscll(time); + return time; +} + +/* + * 時刻の差分を計算 + */ +long long difftime(long long before, long long after) +{ + if (after > before) + return (after - before); + else /* tsc overflowed */ + return (0xFFFFFFFFFFFFFFFFULL - before + after); +} + +/* + * データを比較し,保存 + * 最大値,最小値,呼び出し回数,合計処理時間をフック関数ごとに保存 + * time: 今回の処理時間 + * offset: 対応するフック関数 + */ +void lsmpmon_store(long long time, int offset) +{ + if (time > lsmpmon_max[offset]) + lsmpmon_max[offset] = time; + if (time < lsmpmon_min[offset]) + lsmpmon_min[offset] = time; + lsmpmon_count[offset]++; + lsmpmon_sum[offset] += time; +} + diff -Nur linux-2.6.19.7/security/lsmpmon.h linux-lsmpmon/security/lsmpmon.h --- linux-2.6.19.7/security/lsmpmon.h 1970-01-01 09:00:00.000000000 +0900 +++ linux-lsmpmon/security/lsmpmon.h 2007-12-07 13:39:17.000000000 +0900 @@ -0,0 +1,278 @@ +/* + * LSMPMON制御用変数 + * lsmpmon_enable == 0 : LSMPMON無効 + * lsmpmon_enable != 0 : LSMPMON有効 + */ +int lsmpmon_enable = 0; + +/* + * 結果の保存用変数 + * min: 最小値 + * max: 最大値 + * count: フック関数の呼び出し回数 + */ +unsigned long int + lsmpmon_min[LSMPMON_NUM] = {0}, + lsmpmon_max[LSMPMON_NUM] = {0}, + lsmpmon_count[LSMPMON_NUM] = {0}; + +/* + * 結果の保存用変数 + * フック関数の処理時間合計用 + */ +unsigned long long + lsmpmon_sum[LSMPMON_NUM] = {0}; + +/* + * フック関数の名前表示用 + */ +char *lsmpmon_hookname[LSMPMON_NUM] = { + "ptrace ", + "capget ", + "capset_check ", + "capset_set ", + "capable ", + "acct ", + "sysctl ", + "quotactl ", + "quota_on ", + "syslog ", + "settime ", + "vm_enough_memory ", + "bprm_alloc ", + "bprm_free ", + "bprm_apply_creds ", + "bprm_post_apply_creds ", + "bprm_set ", + "bprm_check ", + "bprm_secureexec ", + "sb_alloc ", + "sb_free ", + "sb_copy_data ", + "sb_kern_mount ", + "sb_statfs ", + "sb_mount ", + "sb_check_sb ", + "sb_umount ", + "sb_umount_close ", + "sb_umount_busy ", + "sb_post_remount ", + "sb_post_mountroot ", + "sb_post_addmount ", + "sb_pivotroot ", + "sb_post_pivotroot ", + "inode_alloc ", + "inode_free ", + "inode_init_security ", + "inode_create ", + "inode_link ", + "inode_unlink ", + "inode_symlink ", + "inode_mkdir ", + "inode_rmdir ", + "inode_mknod ", + "inode_rename ", + "inode_readlink ", + "inode_follow_link ", + "inode_permission ", + "inode_setattr ", + "inode_getattr ", + "inode_delete ", + "inode_setxattr ", + "inode_post_setxattr ", + "inode_getxattr ", + "inode_listxattr ", + "inode_removexattr ", + "inode_xattr_getsuffix ", + "inode_getsecurity ", + "inode_setsecurity ", + "inode_listsecurity ", + "file_permission ", + "file_alloc ", + "file_free ", + "file_ioctl ", + "file_mmap ", + "file_mprotect ", + "file_lock ", + "file_fcntl ", + "file_set_fowner ", + "file_send_sigiotask ", + "file_receive ", + "task_create ", + "task_alloc ", + "task_free ", + "task_setuid ", + "task_post_setuid ", + "task_setgid ", + "task_setpgid ", + "task_getpgid ", + "task_getsid ", + "task_getsecid ", + "task_setgroups ", + "task_setnice ", + "task_setioprio ", + "task_getioprio ", + "task_setrlimit ", + "task_setscheduler ", + "task_getscheduler ", + "task_movememory ", + "task_kill ", + "task_wait ", + "task_prctl ", + "task_reparent_to_init ", + "task_to_inode ", + "ipc_permission ", + "msg_msg_alloc ", + "msg_msg_free ", + "msg_queue_alloc ", + "msg_queue_free ", + "msg_queue_associate ", + "msg_queue_msgctl ", + "msg_queue_msgsnd ", + "msg_queue_msgrcv ", + "shm_alloc ", + "shm_free ", + "shm_associate ", + "shm_shmctl ", + "shm_shmat ", + "sem_alloc ", + "sem_free ", + "sem_associate ", + "sem_semctl ", + "sem_semop ", + "d_instantiate ", + "getprocattr ", + "setprocattr ", + "netlink_send ", + "netlink_recv ", + "secid_to_secctx ", + "release_secctx ", + "unix_stream_connect ", + "unix_may_send ", + "socket_create ", + "socket_post_create ", + "socket_bind ", + "socket_connect ", + "socket_listen ", + "socket_accept ", + "socket_post_accept ", + "socket_sendmsg ", + "socket_recvmsg ", + "socket_getsockname ", + "socket_getpeername ", + "socket_getsockopt ", + "socket_setsockopt ", + "socket_shutdown ", + "sock_rcv_skb ", + "socket_getpeersec_stream ", + "socket_getpeersec_dgram ", + "sk_alloc ", + "sk_free ", + "sk_clone ", + "sk_classify_flow ", + "req_classify_flow ", + "sock_graft ", + "inet_conn_request ", + "inet_csk_clone ", + "xfrm_policy_alloc ", + "xfrm_policy_clone ", + "xfrm_policy_free ", + "xfrm_policy_delete ", + "xfrm_state_alloc ", + "xfrm_state_alloc_acquire ", + "xfrm_state_delete ", + "xfrm_state_free ", + "xfrm_policy_lookup ", + "xfrm_state_pol_flow_match", + "xfrm_flow_state_match ", + "xfrm_decode_session ", + "skb_classify_flow ", + "key_alloc ", + "key_free ", + "key_permission ", +}; + +/* + * CONTROLファイル用の読み書き関数 + */ +static ssize_t lsmpmon_control_write(struct file *file, const char __user *buf, + size_t size, loff_t *ppos); +static ssize_t lsmpmon_control_read(struct file *file, char __user *buf, + size_t size, loff_t *pos); +/* + * ユーザ空間のデータ取得用関数 + */ +static char *lsmpmon_get_user_data(const char __user *userbuf, + size_t alloc_size, size_t copy_size, loff_t *pos); + +/* + * 結果の保存用変数を初期化 + * CONTROLファイルに"reset"という文字列が書き込まれた場合に呼び出される + */ +static void lsmpmon_reset_counter(void); + +/* + * RESULTファイルの読み込み用関数 + */ +static int lsmpmon_result_open(struct inode *, struct file *); + +/* + * seq_file機構のための関数群 + * RESULTファイルへの読み込み要求に対し,以下の処理を行う + * 1. lsmpmon_startが呼び出される.lsmpmon_startはヘッダを表示 + * 2. lsmpmon_show_resultが呼び出される. + * lsmpmon_show_resultは,LSMPMONによって取得されたフック関数の結果 + * のうち,オフセットposに対応したデータを表示する. + * pos: 0~162 + * 3. lsmpmon_nextが呼び出される.lsmpmon_nextは,オフセット値をインク + * リメントする. + * 4. 2, 3の処理をLSMPMON_NUM回繰り返す. + */ +static void *lsmpmon_start(struct seq_file *, loff_t *); +static void *lsmpmon_next(struct seq_file *, void *, loff_t *); +static void lsmpmon_stop(struct seq_file *, void *); +static int lsmpmon_show_result(struct seq_file *, void *); + +/* + * RESULTファイルの操作関数群 + */ +static struct file_operations result_ops = { + .open = lsmpmon_result_open, + .read = seq_read, + .llseek = seq_lseek, + .release = seq_release, +}; + +struct seq_operations result_ops_seq = { + .start = lsmpmon_start, + .stop = lsmpmon_stop, + .next = lsmpmon_next, + .show = lsmpmon_show_result, +}; + +/* + * CONTROLファイルの操作関数群 + */ +static struct file_operations control_ops = { + .read = lsmpmon_control_read, + .write = lsmpmon_control_write, +}; + + +/* for securityfs */ +struct dentry *parent, *result, *control; + +/* + * 時刻の取得用関数 + */ +long long gettime(void); + +/* + * 時刻の差分を計算 + */ +long long difftime(long long before, long long after); + +/* + * データを比較し,保存 + */ +void lsmpmon_store(long long time, int offset);