aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorwzt.wzt@gmail.com <wzt.wzt@gmail.com>2010-02-23 10:15:28 -0500
committerJames Morris <jmorris@namei.org>2010-02-23 16:11:02 -0500
commit189b3b1c89761054fee3438f063d7f257306e2d8 (patch)
tree8099352fa731fca91b95d862ac0d7199f21ca54d
parent2ae3ba39389b51d8502123de0a59374bec899c4d (diff)
Security: add static to security_ops and default_security_ops variable
Enhance the security framework to support resetting the active security module. This eliminates the need for direct use of the security_ops and default_security_ops variables outside of security.c, so make security_ops and default_security_ops static. Also remove the secondary_ops variable as a cleanup since there is no use for that. secondary_ops was originally used by SELinux to call the "secondary" security module (capability or dummy), but that was replaced by direct calls to capability and the only remaining use is to save and restore the original security ops pointer value if SELinux is disabled by early userspace based on /etc/selinux/config. Further, if we support this directly in the security framework, then we can just use &default_security_ops for this purpose since that is now available. Signed-off-by: Zhitong Wang <zhitong.wangzt@alibaba-inc.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--include/linux/security.h2
-rw-r--r--security/capability.c4
-rw-r--r--security/security.c11
-rw-r--r--security/selinux/hooks.c13
4 files changed, 12 insertions, 18 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index a4dc74d86ac6..233d20b52c1b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -95,6 +95,8 @@ struct seq_file;
95extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb); 95extern int cap_netlink_send(struct sock *sk, struct sk_buff *skb);
96extern int cap_netlink_recv(struct sk_buff *skb, int cap); 96extern int cap_netlink_recv(struct sk_buff *skb, int cap);
97 97
98void reset_security_ops(void);
99
98#ifdef CONFIG_MMU 100#ifdef CONFIG_MMU
99extern unsigned long mmap_min_addr; 101extern unsigned long mmap_min_addr;
100extern unsigned long dac_mmap_min_addr; 102extern unsigned long dac_mmap_min_addr;
diff --git a/security/capability.c b/security/capability.c
index 5c700e1a4fd3..4875142b858d 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -906,10 +906,6 @@ static void cap_audit_rule_free(void *lsmrule)
906} 906}
907#endif /* CONFIG_AUDIT */ 907#endif /* CONFIG_AUDIT */
908 908
909struct security_operations default_security_ops = {
910 .name = "default",
911};
912
913#define set_to_cap_if_null(ops, function) \ 909#define set_to_cap_if_null(ops, function) \
914 do { \ 910 do { \
915 if (!ops->function) { \ 911 if (!ops->function) { \
diff --git a/security/security.c b/security/security.c
index 971092c06f31..edae56b78771 100644
--- a/security/security.c
+++ b/security/security.c
@@ -23,10 +23,12 @@ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1] =
23 CONFIG_DEFAULT_SECURITY; 23 CONFIG_DEFAULT_SECURITY;
24 24
25/* things that live in capability.c */ 25/* things that live in capability.c */
26extern struct security_operations default_security_ops;
27extern void security_fixup_ops(struct security_operations *ops); 26extern void security_fixup_ops(struct security_operations *ops);
28 27
29struct security_operations *security_ops; /* Initialized to NULL */ 28static struct security_operations *security_ops;
29static struct security_operations default_security_ops = {
30 .name = "default",
31};
30 32
31static inline int verify(struct security_operations *ops) 33static inline int verify(struct security_operations *ops)
32{ 34{
@@ -63,6 +65,11 @@ int __init security_init(void)
63 return 0; 65 return 0;
64} 66}
65 67
68void reset_security_ops(void)
69{
70 security_ops = &default_security_ops;
71}
72
66/* Save user chosen LSM */ 73/* Save user chosen LSM */
67static int __init choose_lsm(char *str) 74static int __init choose_lsm(char *str)
68{ 75{
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 6b36ce2eef2e..dc7660074b99 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -126,13 +126,6 @@ __setup("selinux=", selinux_enabled_setup);
126int selinux_enabled = 1; 126int selinux_enabled = 1;
127#endif 127#endif
128 128
129
130/*
131 * Minimal support for a secondary security module,
132 * just to allow the use of the capability module.
133 */
134static struct security_operations *secondary_ops;
135
136/* Lists of inode and superblock security structures initialized 129/* Lists of inode and superblock security structures initialized
137 before the policy was loaded. */ 130 before the policy was loaded. */
138static LIST_HEAD(superblock_security_head); 131static LIST_HEAD(superblock_security_head);
@@ -5674,9 +5667,6 @@ static __init int selinux_init(void)
5674 0, SLAB_PANIC, NULL); 5667 0, SLAB_PANIC, NULL);
5675 avc_init(); 5668 avc_init();
5676 5669
5677 secondary_ops = security_ops;
5678 if (!secondary_ops)
5679 panic("SELinux: No initial security operations\n");
5680 if (register_security(&selinux_ops)) 5670 if (register_security(&selinux_ops))
5681 panic("SELinux: Unable to register with kernel.\n"); 5671 panic("SELinux: Unable to register with kernel.\n");
5682 5672
@@ -5837,8 +5827,7 @@ int selinux_disable(void)
5837 selinux_disabled = 1; 5827 selinux_disabled = 1;
5838 selinux_enabled = 0; 5828 selinux_enabled = 0;
5839 5829
5840 /* Reset security_ops to the secondary module, dummy or capability. */ 5830 reset_security_ops();
5841 security_ops = secondary_ops;
5842 5831
5843 /* Try to destroy the avc node cache */ 5832 /* Try to destroy the avc node cache */
5844 avc_disable(); 5833 avc_disable();