diff options
| author | H. Peter Anvin <hpa@zytor.com> | 2007-12-29 19:20:25 -0500 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-01-24 19:29:50 -0500 |
| commit | bced95283e9434611cbad8f2ff903cd396eaea72 (patch) | |
| tree | 5d56afc7a5f239ebc53a1800a508f16b8d8701b0 | |
| parent | 42d7896ebc5f7268b1fe6bbd20f2282e20ae7895 (diff) | |
security: remove security_sb_post_mountroot hook
The security_sb_post_mountroot() hook is long-since obsolete, and is
fundamentally broken: it is never invoked if someone uses initramfs.
This is particularly damaging, because the existence of this hook has
been used as motivation for not using initramfs.
Stephen Smalley confirmed on 2007-07-19 that this hook was originally
used by SELinux but can now be safely removed:
http://marc.info/?l=linux-kernel&m=118485683612916&w=2
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: James Morris <jmorris@namei.org>
Cc: Eric Paris <eparis@parisplace.org>
Cc: Chris Wright <chrisw@sous-sol.org>
Signed-off-by: H. Peter Anvin <hpa@zytor.com>
Signed-off-by: James Morris <jmorris@namei.org>
| -rw-r--r-- | include/linux/security.h | 8 | ||||
| -rw-r--r-- | init/do_mounts.c | 1 | ||||
| -rw-r--r-- | security/dummy.c | 6 | ||||
| -rw-r--r-- | security/security.c | 5 |
4 files changed, 0 insertions, 20 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index cbd970a735f2..2e2c63faead7 100644 --- a/include/linux/security.h +++ b/include/linux/security.h | |||
| @@ -249,9 +249,6 @@ struct request_sock; | |||
| 249 | * @mnt contains the mounted file system. | 249 | * @mnt contains the mounted file system. |
| 250 | * @flags contains the new filesystem flags. | 250 | * @flags contains the new filesystem flags. |
| 251 | * @data contains the filesystem-specific data. | 251 | * @data contains the filesystem-specific data. |
| 252 | * @sb_post_mountroot: | ||
| 253 | * Update the security module's state when the root filesystem is mounted. | ||
| 254 | * This hook is only called if the mount was successful. | ||
| 255 | * @sb_post_addmount: | 252 | * @sb_post_addmount: |
| 256 | * Update the security module's state when a filesystem is mounted. | 253 | * Update the security module's state when a filesystem is mounted. |
| 257 | * This hook is called any time a mount is successfully grafetd to | 254 | * This hook is called any time a mount is successfully grafetd to |
| @@ -1257,7 +1254,6 @@ struct security_operations { | |||
| 1257 | void (*sb_umount_busy) (struct vfsmount * mnt); | 1254 | void (*sb_umount_busy) (struct vfsmount * mnt); |
| 1258 | void (*sb_post_remount) (struct vfsmount * mnt, | 1255 | void (*sb_post_remount) (struct vfsmount * mnt, |
| 1259 | unsigned long flags, void *data); | 1256 | unsigned long flags, void *data); |
| 1260 | void (*sb_post_mountroot) (void); | ||
| 1261 | void (*sb_post_addmount) (struct vfsmount * mnt, | 1257 | void (*sb_post_addmount) (struct vfsmount * mnt, |
| 1262 | struct nameidata * mountpoint_nd); | 1258 | struct nameidata * mountpoint_nd); |
| 1263 | int (*sb_pivotroot) (struct nameidata * old_nd, | 1259 | int (*sb_pivotroot) (struct nameidata * old_nd, |
| @@ -1524,7 +1520,6 @@ int security_sb_umount(struct vfsmount *mnt, int flags); | |||
| 1524 | void security_sb_umount_close(struct vfsmount *mnt); | 1520 | void security_sb_umount_close(struct vfsmount *mnt); |
| 1525 | void security_sb_umount_busy(struct vfsmount *mnt); | 1521 | void security_sb_umount_busy(struct vfsmount *mnt); |
| 1526 | void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data); | 1522 | void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *data); |
| 1527 | void security_sb_post_mountroot(void); | ||
| 1528 | void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd); | 1523 | void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd); |
| 1529 | int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); | 1524 | int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); |
| 1530 | void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); | 1525 | void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd); |
| @@ -1813,9 +1808,6 @@ static inline void security_sb_post_remount (struct vfsmount *mnt, | |||
| 1813 | unsigned long flags, void *data) | 1808 | unsigned long flags, void *data) |
| 1814 | { } | 1809 | { } |
| 1815 | 1810 | ||
| 1816 | static inline void security_sb_post_mountroot (void) | ||
| 1817 | { } | ||
| 1818 | |||
| 1819 | static inline void security_sb_post_addmount (struct vfsmount *mnt, | 1811 | static inline void security_sb_post_addmount (struct vfsmount *mnt, |
| 1820 | struct nameidata *mountpoint_nd) | 1812 | struct nameidata *mountpoint_nd) |
| 1821 | { } | 1813 | { } |
diff --git a/init/do_mounts.c b/init/do_mounts.c index 4efa1e5385e3..31b2185ce304 100644 --- a/init/do_mounts.c +++ b/init/do_mounts.c | |||
| @@ -470,6 +470,5 @@ void __init prepare_namespace(void) | |||
| 470 | out: | 470 | out: |
| 471 | sys_mount(".", "/", NULL, MS_MOVE, NULL); | 471 | sys_mount(".", "/", NULL, MS_MOVE, NULL); |
| 472 | sys_chroot("."); | 472 | sys_chroot("."); |
| 473 | security_sb_post_mountroot(); | ||
| 474 | } | 473 | } |
| 475 | 474 | ||
diff --git a/security/dummy.c b/security/dummy.c index a3b29d0d00e5..8e34e03415f8 100644 --- a/security/dummy.c +++ b/security/dummy.c | |||
| @@ -225,11 +225,6 @@ static void dummy_sb_post_remount (struct vfsmount *mnt, unsigned long flags, | |||
| 225 | } | 225 | } |
| 226 | 226 | ||
| 227 | 227 | ||
| 228 | static void dummy_sb_post_mountroot (void) | ||
| 229 | { | ||
| 230 | return; | ||
| 231 | } | ||
| 232 | |||
| 233 | static void dummy_sb_post_addmount (struct vfsmount *mnt, struct nameidata *nd) | 228 | static void dummy_sb_post_addmount (struct vfsmount *mnt, struct nameidata *nd) |
| 234 | { | 229 | { |
| 235 | return; | 230 | return; |
| @@ -1017,7 +1012,6 @@ void security_fixup_ops (struct security_operations *ops) | |||
| 1017 | set_to_dummy_if_null(ops, sb_umount_close); | 1012 | set_to_dummy_if_null(ops, sb_umount_close); |
| 1018 | set_to_dummy_if_null(ops, sb_umount_busy); | 1013 | set_to_dummy_if_null(ops, sb_umount_busy); |
| 1019 | set_to_dummy_if_null(ops, sb_post_remount); | 1014 | set_to_dummy_if_null(ops, sb_post_remount); |
| 1020 | set_to_dummy_if_null(ops, sb_post_mountroot); | ||
| 1021 | set_to_dummy_if_null(ops, sb_post_addmount); | 1015 | set_to_dummy_if_null(ops, sb_post_addmount); |
| 1022 | set_to_dummy_if_null(ops, sb_pivotroot); | 1016 | set_to_dummy_if_null(ops, sb_pivotroot); |
| 1023 | set_to_dummy_if_null(ops, sb_post_pivotroot); | 1017 | set_to_dummy_if_null(ops, sb_post_pivotroot); |
diff --git a/security/security.c b/security/security.c index b13b54f0af85..5068808343d0 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -288,11 +288,6 @@ void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *d | |||
| 288 | security_ops->sb_post_remount(mnt, flags, data); | 288 | security_ops->sb_post_remount(mnt, flags, data); |
| 289 | } | 289 | } |
| 290 | 290 | ||
| 291 | void security_sb_post_mountroot(void) | ||
| 292 | { | ||
| 293 | security_ops->sb_post_mountroot(); | ||
| 294 | } | ||
| 295 | |||
| 296 | void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd) | 291 | void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd) |
| 297 | { | 292 | { |
| 298 | security_ops->sb_post_addmount(mnt, mountpoint_nd); | 293 | security_ops->sb_post_addmount(mnt, mountpoint_nd); |