aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2009-10-20 00:48:33 -0400
committerJames Morris <jmorris@namei.org>2009-10-20 01:26:16 -0400
commit3e1c2515acf70448cad1ae3ab835ca80be043d33 (patch)
tree46034a30e83ba406479d9753acdbb0fd76180b2b
parentb7f3008ad1d795935551e4dd810b0255a7bfa3c9 (diff)
security: remove root_plug
Remove the root_plug example LSM code. It's unmaintained and increasingly broken in various ways. Made at the 2009 Kernel Summit in Tokyo! Acked-by: Greg Kroah-Hartman <gregkh@suse.de> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--Documentation/kernel-parameters.txt10
-rw-r--r--security/Kconfig13
-rw-r--r--security/Makefile1
-rw-r--r--security/commoncap.c2
-rw-r--r--security/root_plug.c90
5 files changed, 1 insertions, 115 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index 6fa7292947e5..5d386b4ff6a0 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -85,7 +85,6 @@ parameter is applicable:
85 PPT Parallel port support is enabled. 85 PPT Parallel port support is enabled.
86 PS2 Appropriate PS/2 support is enabled. 86 PS2 Appropriate PS/2 support is enabled.
87 RAM RAM disk support is enabled. 87 RAM RAM disk support is enabled.
88 ROOTPLUG The example Root Plug LSM is enabled.
89 S390 S390 architecture is enabled. 88 S390 S390 architecture is enabled.
90 SCSI Appropriate SCSI support is enabled. 89 SCSI Appropriate SCSI support is enabled.
91 A lot of drivers has their options described inside of 90 A lot of drivers has their options described inside of
@@ -2163,15 +2162,6 @@ and is between 256 and 4096 characters. It is defined in the file
2163 Useful for devices that are detected asynchronously 2162 Useful for devices that are detected asynchronously
2164 (e.g. USB and MMC devices). 2163 (e.g. USB and MMC devices).
2165 2164
2166 root_plug.vendor_id=
2167 [ROOTPLUG] Override the default vendor ID
2168
2169 root_plug.product_id=
2170 [ROOTPLUG] Override the default product ID
2171
2172 root_plug.debug=
2173 [ROOTPLUG] Enable debugging output
2174
2175 rw [KNL] Mount root device read-write on boot 2165 rw [KNL] Mount root device read-write on boot
2176 2166
2177 S [KNL] Run init in single mode 2167 S [KNL] Run init in single mode
diff --git a/security/Kconfig b/security/Kconfig
index fb363cd81cf6..aeea8c2bb59c 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -100,19 +100,6 @@ config SECURITY_FILE_CAPABILITIES
100 100
101 If in doubt, answer N. 101 If in doubt, answer N.
102 102
103config SECURITY_ROOTPLUG
104 bool "Root Plug Support"
105 depends on USB=y && SECURITY
106 help
107 This is a sample LSM module that should only be used as such.
108 It prevents any programs running with egid == 0 if a specific
109 USB device is not present in the system.
110
111 See <http://www.linuxjournal.com/article.php?sid=6279> for
112 more information about this module.
113
114 If you are unsure how to answer this question, answer N.
115
116config INTEL_TXT 103config INTEL_TXT
117 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" 104 bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)"
118 depends on HAVE_INTEL_TXT 105 depends on HAVE_INTEL_TXT
diff --git a/security/Makefile b/security/Makefile
index 95ecc06392d7..bb44e350c618 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -18,7 +18,6 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
18obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o 18obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
19obj-$(CONFIG_AUDIT) += lsm_audit.o 19obj-$(CONFIG_AUDIT) += lsm_audit.o
20obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o 20obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
21obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o
22obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o 21obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
23 22
24# Object integrity file lists 23# Object integrity file lists
diff --git a/security/commoncap.c b/security/commoncap.c
index fe30751a6cd9..45b87af4ae5d 100644
--- a/security/commoncap.c
+++ b/security/commoncap.c
@@ -1,4 +1,4 @@
1/* Common capabilities, needed by capability.o and root_plug.o 1/* Common capabilities, needed by capability.o.
2 * 2 *
3 * This program is free software; you can redistribute it and/or modify 3 * This program is free software; you can redistribute it and/or modify
4 * it under the terms of the GNU General Public License as published by 4 * it under the terms of the GNU General Public License as published by
diff --git a/security/root_plug.c b/security/root_plug.c
deleted file mode 100644
index 2f7ffa67c4d2..000000000000
--- a/security/root_plug.c
+++ /dev/null
@@ -1,90 +0,0 @@
1/*
2 * Root Plug sample LSM module
3 *
4 * Originally written for a Linux Journal.
5 *
6 * Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com>
7 *
8 * Prevents any programs running with egid == 0 if a specific USB device
9 * is not present in the system. Yes, it can be gotten around, but is a
10 * nice starting point for people to play with, and learn the LSM
11 * interface.
12 *
13 * If you want to turn this into something with a semblance of security,
14 * you need to hook the task_* functions also.
15 *
16 * See http://www.linuxjournal.com/article.php?sid=6279 for more information
17 * about this code.
18 *
19 * This program is free software; you can redistribute it and/or
20 * modify it under the terms of the GNU General Public License as
21 * published by the Free Software Foundation, version 2 of the
22 * License.
23 */
24
25#include <linux/kernel.h>
26#include <linux/init.h>
27#include <linux/security.h>
28#include <linux/usb.h>
29#include <linux/moduleparam.h>
30
31/* default is a generic type of usb to serial converter */
32static int vendor_id = 0x0557;
33static int product_id = 0x2008;
34
35module_param(vendor_id, uint, 0400);
36module_param(product_id, uint, 0400);
37
38/* should we print out debug messages */
39static int debug = 0;
40
41module_param(debug, bool, 0600);
42
43#define MY_NAME "root_plug"
44
45#define root_dbg(fmt, arg...) \
46 do { \
47 if (debug) \
48 printk(KERN_DEBUG "%s: %s: " fmt , \
49 MY_NAME , __func__ , \
50 ## arg); \
51 } while (0)
52
53static int rootplug_bprm_check_security (struct linux_binprm *bprm)
54{
55 struct usb_device *dev;
56
57 root_dbg("file %s, e_uid = %d, e_gid = %d\n",
58 bprm->filename, bprm->cred->euid, bprm->cred->egid);
59
60 if (bprm->cred->egid == 0) {
61 dev = usb_find_device(vendor_id, product_id);
62 if (!dev) {
63 root_dbg("e_gid = 0, and device not found, "
64 "task not allowed to run...\n");
65 return -EPERM;
66 }
67 usb_put_dev(dev);
68 }
69
70 return 0;
71}
72
73static struct security_operations rootplug_security_ops = {
74 .bprm_check_security = rootplug_bprm_check_security,
75};
76
77static int __init rootplug_init (void)
78{
79 /* register ourselves with the security framework */
80 if (register_security (&rootplug_security_ops)) {
81 printk (KERN_INFO
82 "Failure registering Root Plug module with the kernel\n");
83 return -EINVAL;
84 }
85 printk (KERN_INFO "Root Plug module initialized, "
86 "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
87 return 0;
88}
89
90security_initcall (rootplug_init);