include/linux/security.h
Source file repositories/reference/linux-study-clean/include/linux/security.h
File Facts
- System
- Linux kernel
- Corpus path
include/linux/security.h- Extension
.h- Size
- 67333 bytes
- Lines
- 2443
- Domain
- Core OS
- Bucket
- Core Kernel Interface
- Inferred role
- Core OS: operation-table or driver-model contract
- Status
- pattern implementation candidate
Why This File Exists
Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.
- Defines an operation table; this is where Linux turns generic core objects into subsystem-specific behavior.
- Defines or uses C structs; map object ownership, embedded links, reference counts, and lock ownership.
Dependency Surface
linux/kernel_read_file.hlinux/key.hlinux/capability.hlinux/fs.hlinux/slab.hlinux/err.hlinux/string.hlinux/mm.hlinux/sockptr.hlinux/bpf.huapi/linux/lsm.hlinux/lsm/selinux.hlinux/lsm/smack.hlinux/lsm/apparmor.hlinux/lsm/bpf.h
Detected Declarations
struct linux_binprmstruct credstruct rlimitstruct kernel_siginfostruct sembufstruct kern_ipc_permstruct audit_contextstruct super_blockstruct inodestruct dentrystruct filestruct vfsmountstruct pathstruct qstrstruct iattrstruct fown_structstruct file_operationsstruct msg_msgstruct xattrstruct kernfs_nodestruct xfrm_sec_ctxstruct mm_structstruct fs_contextstruct fs_parameterstruct watchstruct watch_notificationstruct lsm_ctxstruct ctl_tablestruct audit_krulestruct user_namespacestruct timezonestruct dm_verity_digeststruct lsm_propstruct msghdrstruct sk_buffstruct sockstruct sockaddrstruct socketstruct flowi_commonstruct dst_entrystruct xfrm_selectorstruct xfrm_policystruct xfrm_statestruct xfrm_user_sec_ctxstruct seq_filestruct sctp_associationstruct lsm_contextstruct sched_param
Annotated Snippet
struct file_operations;
struct msg_msg;
struct xattr;
struct kernfs_node;
struct xfrm_sec_ctx;
struct mm_struct;
struct fs_context;
struct fs_parameter;
enum fs_value_type;
struct watch;
struct watch_notification;
struct lsm_ctx;
/* Default (no) options for the capable function */
#define CAP_OPT_NONE 0x0
/* If capable should audit the security request */
#define CAP_OPT_NOAUDIT BIT(1)
/* If capable is being called by a setid function */
#define CAP_OPT_INSETID BIT(2)
/* LSM Agnostic defines for security_sb_set_mnt_opts() flags */
#define SECURITY_LSM_NATIVE_LABELS 1
struct ctl_table;
struct audit_krule;
struct user_namespace;
struct timezone;
enum lsm_event {
LSM_POLICY_CHANGE,
LSM_STARTED_ALL,
};
struct dm_verity_digest {
const char *alg;
const u8 *digest;
size_t digest_len;
};
enum lsm_integrity_type {
LSM_INT_DMVERITY_SIG_VALID,
LSM_INT_DMVERITY_ROOTHASH,
LSM_INT_FSVERITY_BUILTINSIG_VALID,
};
/*
* These are reasons that can be passed to the security_locked_down()
* LSM hook. Lockdown reasons that protect kernel integrity (ie, the
* ability for userland to modify kernel code) are placed before
* LOCKDOWN_INTEGRITY_MAX. Lockdown reasons that protect kernel
* confidentiality (ie, the ability for userland to extract
* information from the running kernel that would otherwise be
* restricted) are placed before LOCKDOWN_CONFIDENTIALITY_MAX.
*
* LSM authors should note that the semantics of any given lockdown
* reason are not guaranteed to be stable - the same reason may block
* one set of features in one kernel release, and a slightly different
* set of features in a later kernel release. LSMs that seek to expose
* lockdown policy at any level of granularity other than "none",
* "integrity" or "confidentiality" are responsible for either
* ensuring that they expose a consistent level of functionality to
* userland, or ensuring that userland is aware that this is
* potentially a moving target. It is easy to misuse this information
* in a way that could break userspace. Please be careful not to do
* so.
*
* If you add to this, remember to extend lockdown_reasons in
* security/lockdown/lockdown.c.
*/
enum lockdown_reason {
LOCKDOWN_NONE,
LOCKDOWN_MODULE_SIGNATURE,
LOCKDOWN_DEV_MEM,
LOCKDOWN_EFI_TEST,
LOCKDOWN_KEXEC,
LOCKDOWN_HIBERNATION,
LOCKDOWN_PCI_ACCESS,
LOCKDOWN_IOPORT,
LOCKDOWN_MSR,
LOCKDOWN_ACPI_TABLES,
LOCKDOWN_DEVICE_TREE,
LOCKDOWN_PCMCIA_CIS,
LOCKDOWN_TIOCSSERIAL,
LOCKDOWN_MODULE_PARAMETERS,
LOCKDOWN_MMIOTRACE,
LOCKDOWN_DEBUGFS,
LOCKDOWN_XMON_WR,
LOCKDOWN_BPF_WRITE_USER,
LOCKDOWN_DBG_WRITE_KERNEL,
LOCKDOWN_RTAS_ERROR_INJECTION,
Annotation
- Immediate include surface: `linux/kernel_read_file.h`, `linux/key.h`, `linux/capability.h`, `linux/fs.h`, `linux/slab.h`, `linux/err.h`, `linux/string.h`, `linux/mm.h`.
- Detected declarations: `struct linux_binprm`, `struct cred`, `struct rlimit`, `struct kernel_siginfo`, `struct sembuf`, `struct kern_ipc_perm`, `struct audit_context`, `struct super_block`, `struct inode`, `struct dentry`.
- Atlas domain: Core OS / Core Kernel Interface.
- Implementation status: pattern implementation candidate.
Implementation Notes
- This generated page is the file-by-file coverage layer; curated subsystem chapters should link here when they synthesize a multi-file control flow.
- Core OS pages should be promoted from atlas-only to deep-reviewed when they explain data structures, invariants, locking, lifecycle, and C implementation snippets.
- Driver-family pages are intentionally pattern-oriented unless they are part of the selected PCIe/NVMe representative device path.