aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAhmed S. Darwish <darwish.07@gmail.com>2008-03-06 11:09:10 -0500
committerJames Morris <jmorris@namei.org>2008-04-18 20:00:51 -0400
commit076c54c5bcaed2081c0cba94a6f77c4d470236ad (patch)
tree5e8f05cab20a49922618bb3af697a6b46e610eee
parent04305e4aff8b0533dc05f9f6f1a34d0796bd985f (diff)
Security: Introduce security= boot parameter
Add the security= boot parameter. This is done to avoid LSM registration clashes in case of more than one bult-in module. User can choose a security module to enable at boot. If no security= boot parameter is specified, only the first LSM asking for registration will be loaded. An invalid security module name will be treated as if no module has been chosen. LSM modules must check now if they are allowed to register by calling security_module_enable(ops) first. Modify SELinux and SMACK to do so. Do not let SMACK register smackfs if it was not chosen on boot. Smackfs assumes that smack hooks are registered and the initial task security setup (swapper->security) is done. Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org>
-rw-r--r--Documentation/kernel-parameters.txt6
-rw-r--r--include/linux/security.h12
-rw-r--r--security/dummy.c4
-rw-r--r--security/security.c38
-rw-r--r--security/selinux/hooks.c7
-rw-r--r--security/smack/smack.h2
-rw-r--r--security/smack/smack_lsm.c7
-rw-r--r--security/smack/smackfs.c11
8 files changed, 83 insertions, 4 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 256a2162503c..4b0f1ae31a4c 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -366,6 +366,12 @@ and is between 256 and 4096 characters. It is defined in the file
366 possible to determine what the correct size should be. 366 possible to determine what the correct size should be.
367 This option provides an override for these situations. 367 This option provides an override for these situations.
368 368
369 security= [SECURITY] Choose a security module to enable at boot.
370 If this boot parameter is not specified, only the first
371 security module asking for security registration will be
372 loaded. An invalid security module name will be treated
373 as if no module has been chosen.
374
369 capability.disable= 375 capability.disable=
370 [SECURITY] Disable capabilities. This would normally 376 [SECURITY] Disable capabilities. This would normally
371 be used only if an alternative security model is to be 377 be used only if an alternative security model is to be
diff --git a/include/linux/security.h b/include/linux/security.h
index 697f228daf19..f4116d6ed64b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -36,6 +36,9 @@
36 36
37extern unsigned securebits; 37extern unsigned securebits;
38 38
39/* Maximum number of letters for an LSM name string */
40#define SECURITY_NAME_MAX 10
41
39struct ctl_table; 42struct ctl_table;
40struct audit_krule; 43struct audit_krule;
41 44
@@ -137,6 +140,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
137/** 140/**
138 * struct security_operations - main security structure 141 * struct security_operations - main security structure
139 * 142 *
143 * Security module identifier.
144 *
145 * @name:
146 * A string that acts as a unique identifeir for the LSM with max number
147 * of characters = SECURITY_NAME_MAX.
148 *
140 * Security hooks for program execution operations. 149 * Security hooks for program execution operations.
141 * 150 *
142 * @bprm_alloc_security: 151 * @bprm_alloc_security:
@@ -1270,6 +1279,8 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
1270 * This is the main security structure. 1279 * This is the main security structure.
1271 */ 1280 */
1272struct security_operations { 1281struct security_operations {
1282 char name[SECURITY_NAME_MAX + 1];
1283
1273 int (*ptrace) (struct task_struct * parent, struct task_struct * child); 1284 int (*ptrace) (struct task_struct * parent, struct task_struct * child);
1274 int (*capget) (struct task_struct * target, 1285 int (*capget) (struct task_struct * target,
1275 kernel_cap_t * effective, 1286 kernel_cap_t * effective,
@@ -1537,6 +1548,7 @@ struct security_operations {
1537 1548
1538/* prototypes */ 1549/* prototypes */
1539extern int security_init (void); 1550extern int security_init (void);
1551extern int security_module_enable(struct security_operations *ops);
1540extern int register_security (struct security_operations *ops); 1552extern int register_security (struct security_operations *ops);
1541extern int mod_reg_security (const char *name, struct security_operations *ops); 1553extern int mod_reg_security (const char *name, struct security_operations *ops);
1542extern struct dentry *securityfs_create_file(const char *name, mode_t mode, 1554extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
diff --git a/security/dummy.c b/security/dummy.c
index 1ac9f8e66aa2..d797a4196b89 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -1017,7 +1017,9 @@ static inline void dummy_audit_rule_free(void *lsmrule)
1017 1017
1018#endif /* CONFIG_AUDIT */ 1018#endif /* CONFIG_AUDIT */
1019 1019
1020struct security_operations dummy_security_ops; 1020struct security_operations dummy_security_ops = {
1021 .name = "dummy",
1022};
1021 1023
1022#define set_to_dummy_if_null(ops, function) \ 1024#define set_to_dummy_if_null(ops, function) \
1023 do { \ 1025 do { \
diff --git a/security/security.c b/security/security.c
index 2ef593ec70f3..dd0c6baed494 100644
--- a/security/security.c
+++ b/security/security.c
@@ -17,6 +17,8 @@
17#include <linux/kernel.h> 17#include <linux/kernel.h>
18#include <linux/security.h> 18#include <linux/security.h>
19 19
20/* Boot-time LSM user choice */
21static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
20 22
21/* things that live in dummy.c */ 23/* things that live in dummy.c */
22extern struct security_operations dummy_security_ops; 24extern struct security_operations dummy_security_ops;
@@ -67,13 +69,47 @@ int __init security_init(void)
67 return 0; 69 return 0;
68} 70}
69 71
72/* Save user chosen LSM */
73static int __init choose_lsm(char *str)
74{
75 strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
76 return 1;
77}
78__setup("security=", choose_lsm);
79
80/**
81 * security_module_enable - Load given security module on boot ?
82 * @ops: a pointer to the struct security_operations that is to be checked.
83 *
84 * Each LSM must pass this method before registering its own operations
85 * to avoid security registration races. This method may also be used
86 * to check if your LSM is currently loaded.
87 *
88 * Return true if:
89 * -The passed LSM is the one chosen by user at boot time,
90 * -or user didsn't specify a specific LSM and we're the first to ask
91 * for registeration permissoin,
92 * -or the passed LSM is currently loaded.
93 * Otherwise, return false.
94 */
95int __init security_module_enable(struct security_operations *ops)
96{
97 if (!*chosen_lsm)
98 strncpy(chosen_lsm, ops->name, SECURITY_NAME_MAX);
99 else if (strncmp(ops->name, chosen_lsm, SECURITY_NAME_MAX))
100 return 0;
101
102 return 1;
103}
104
70/** 105/**
71 * register_security - registers a security framework with the kernel 106 * register_security - registers a security framework with the kernel
72 * @ops: a pointer to the struct security_options that is to be registered 107 * @ops: a pointer to the struct security_options that is to be registered
73 * 108 *
74 * This function is to allow a security module to register itself with the 109 * This function is to allow a security module to register itself with the
75 * kernel security subsystem. Some rudimentary checking is done on the @ops 110 * kernel security subsystem. Some rudimentary checking is done on the @ops
76 * value passed to this function. 111 * value passed to this function. You'll need to check first if your LSM
112 * is allowed to register its @ops by calling security_module_enable(@ops).
77 * 113 *
78 * If there is already a security module registered with the kernel, 114 * If there is already a security module registered with the kernel,
79 * an error will be returned. Otherwise 0 is returned on success. 115 * an error will be returned. Otherwise 0 is returned on success.
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index a2f7e9cf78c5..f9927f02bc3d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -5295,6 +5295,8 @@ static int selinux_key_permission(key_ref_t key_ref,
5295#endif 5295#endif
5296 5296
5297static struct security_operations selinux_ops = { 5297static struct security_operations selinux_ops = {
5298 .name = "selinux",
5299
5298 .ptrace = selinux_ptrace, 5300 .ptrace = selinux_ptrace,
5299 .capget = selinux_capget, 5301 .capget = selinux_capget,
5300 .capset_check = selinux_capset_check, 5302 .capset_check = selinux_capset_check,
@@ -5492,6 +5494,11 @@ static __init int selinux_init(void)
5492{ 5494{
5493 struct task_security_struct *tsec; 5495 struct task_security_struct *tsec;
5494 5496
5497 if (!security_module_enable(&selinux_ops)) {
5498 selinux_enabled = 0;
5499 return 0;
5500 }
5501
5495 if (!selinux_enabled) { 5502 if (!selinux_enabled) {
5496 printk(KERN_INFO "SELinux: Disabled at boot.\n"); 5503 printk(KERN_INFO "SELinux: Disabled at boot.\n");
5497 return 0; 5504 return 0;
diff --git a/security/smack/smack.h b/security/smack/smack.h
index 62c1e982849d..4a4477f5afdc 100644
--- a/security/smack/smack.h
+++ b/security/smack/smack.h
@@ -15,6 +15,7 @@
15 15
16#include <linux/capability.h> 16#include <linux/capability.h>
17#include <linux/spinlock.h> 17#include <linux/spinlock.h>
18#include <linux/security.h>
18#include <net/netlabel.h> 19#include <net/netlabel.h>
19 20
20/* 21/*
@@ -187,6 +188,7 @@ extern struct smack_known smack_known_star;
187extern struct smack_known smack_known_unset; 188extern struct smack_known smack_known_unset;
188 189
189extern struct smk_list_entry *smack_list; 190extern struct smk_list_entry *smack_list;
191extern struct security_operations smack_ops;
190 192
191/* 193/*
192 * Stricly for CIPSO level manipulation. 194 * Stricly for CIPSO level manipulation.
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 732ba27923c4..904bdc01a12b 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -2424,7 +2424,9 @@ static void smack_release_secctx(char *secdata, u32 seclen)
2424{ 2424{
2425} 2425}
2426 2426
2427static struct security_operations smack_ops = { 2427struct security_operations smack_ops = {
2428 .name = "smack",
2429
2428 .ptrace = smack_ptrace, 2430 .ptrace = smack_ptrace,
2429 .capget = cap_capget, 2431 .capget = cap_capget,
2430 .capset_check = cap_capset_check, 2432 .capset_check = cap_capset_check,
@@ -2557,6 +2559,9 @@ static struct security_operations smack_ops = {
2557 */ 2559 */
2558static __init int smack_init(void) 2560static __init int smack_init(void)
2559{ 2561{
2562 if (!security_module_enable(&smack_ops))
2563 return 0;
2564
2560 printk(KERN_INFO "Smack: Initializing.\n"); 2565 printk(KERN_INFO "Smack: Initializing.\n");
2561 2566
2562 /* 2567 /*
diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
index cfae8afcc262..6ba283783b70 100644
--- a/security/smack/smackfs.c
+++ b/security/smack/smackfs.c
@@ -965,12 +965,21 @@ static struct vfsmount *smackfs_mount;
965 * 965 *
966 * register the smackfs 966 * register the smackfs
967 * 967 *
968 * Returns 0 unless the registration fails. 968 * Do not register smackfs if Smack wasn't enabled
969 * on boot. We can not put this method normally under the
970 * smack_init() code path since the security subsystem get
971 * initialized before the vfs caches.
972 *
973 * Returns true if we were not chosen on boot or if
974 * we were chosen and filesystem registration succeeded.
969 */ 975 */
970static int __init init_smk_fs(void) 976static int __init init_smk_fs(void)
971{ 977{
972 int err; 978 int err;
973 979
980 if (!security_module_enable(&smack_ops))
981 return 0;
982
974 err = register_filesystem(&smk_fs_type); 983 err = register_filesystem(&smk_fs_type);
975 if (!err) { 984 if (!err) {
976 smackfs_mount = kern_mount(&smk_fs_type); 985 smackfs_mount = kern_mount(&smk_fs_type);