diff options
author | James Morris <jmorris@namei.org> | 2009-10-20 00:48:33 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-10-20 01:26:16 -0400 |
commit | 3e1c2515acf70448cad1ae3ab835ca80be043d33 (patch) | |
tree | 46034a30e83ba406479d9753acdbb0fd76180b2b | |
parent | b7f3008ad1d795935551e4dd810b0255a7bfa3c9 (diff) |
security: remove root_plug
Remove the root_plug example LSM code. It's unmaintained and
increasingly broken in various ways.
Made at the 2009 Kernel Summit in Tokyo!
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | Documentation/kernel-parameters.txt | 10 | ||||
-rw-r--r-- | security/Kconfig | 13 | ||||
-rw-r--r-- | security/Makefile | 1 | ||||
-rw-r--r-- | security/commoncap.c | 2 | ||||
-rw-r--r-- | security/root_plug.c | 90 |
5 files changed, 1 insertions, 115 deletions
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt index 6fa7292947e5..5d386b4ff6a0 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt | |||
@@ -85,7 +85,6 @@ parameter is applicable: | |||
85 | PPT Parallel port support is enabled. | 85 | PPT Parallel port support is enabled. |
86 | PS2 Appropriate PS/2 support is enabled. | 86 | PS2 Appropriate PS/2 support is enabled. |
87 | RAM RAM disk support is enabled. | 87 | RAM RAM disk support is enabled. |
88 | ROOTPLUG The example Root Plug LSM is enabled. | ||
89 | S390 S390 architecture is enabled. | 88 | S390 S390 architecture is enabled. |
90 | SCSI Appropriate SCSI support is enabled. | 89 | SCSI Appropriate SCSI support is enabled. |
91 | A lot of drivers has their options described inside of | 90 | A lot of drivers has their options described inside of |
@@ -2163,15 +2162,6 @@ and is between 256 and 4096 characters. It is defined in the file | |||
2163 | Useful for devices that are detected asynchronously | 2162 | Useful for devices that are detected asynchronously |
2164 | (e.g. USB and MMC devices). | 2163 | (e.g. USB and MMC devices). |
2165 | 2164 | ||
2166 | root_plug.vendor_id= | ||
2167 | [ROOTPLUG] Override the default vendor ID | ||
2168 | |||
2169 | root_plug.product_id= | ||
2170 | [ROOTPLUG] Override the default product ID | ||
2171 | |||
2172 | root_plug.debug= | ||
2173 | [ROOTPLUG] Enable debugging output | ||
2174 | |||
2175 | rw [KNL] Mount root device read-write on boot | 2165 | rw [KNL] Mount root device read-write on boot |
2176 | 2166 | ||
2177 | S [KNL] Run init in single mode | 2167 | S [KNL] Run init in single mode |
diff --git a/security/Kconfig b/security/Kconfig index fb363cd81cf6..aeea8c2bb59c 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
@@ -100,19 +100,6 @@ config SECURITY_FILE_CAPABILITIES | |||
100 | 100 | ||
101 | If in doubt, answer N. | 101 | If in doubt, answer N. |
102 | 102 | ||
103 | config SECURITY_ROOTPLUG | ||
104 | bool "Root Plug Support" | ||
105 | depends on USB=y && SECURITY | ||
106 | help | ||
107 | This is a sample LSM module that should only be used as such. | ||
108 | It prevents any programs running with egid == 0 if a specific | ||
109 | USB device is not present in the system. | ||
110 | |||
111 | See <http://www.linuxjournal.com/article.php?sid=6279> for | ||
112 | more information about this module. | ||
113 | |||
114 | If you are unsure how to answer this question, answer N. | ||
115 | |||
116 | config INTEL_TXT | 103 | config INTEL_TXT |
117 | bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" | 104 | bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" |
118 | depends on HAVE_INTEL_TXT | 105 | depends on HAVE_INTEL_TXT |
diff --git a/security/Makefile b/security/Makefile index 95ecc06392d7..bb44e350c618 100644 --- a/security/Makefile +++ b/security/Makefile | |||
@@ -18,7 +18,6 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o | |||
18 | obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o | 18 | obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o |
19 | obj-$(CONFIG_AUDIT) += lsm_audit.o | 19 | obj-$(CONFIG_AUDIT) += lsm_audit.o |
20 | obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o | 20 | obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o |
21 | obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o | ||
22 | obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o | 21 | obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o |
23 | 22 | ||
24 | # Object integrity file lists | 23 | # Object integrity file lists |
diff --git a/security/commoncap.c b/security/commoncap.c index fe30751a6cd9..45b87af4ae5d 100644 --- a/security/commoncap.c +++ b/security/commoncap.c | |||
@@ -1,4 +1,4 @@ | |||
1 | /* Common capabilities, needed by capability.o and root_plug.o | 1 | /* Common capabilities, needed by capability.o. |
2 | * | 2 | * |
3 | * This program is free software; you can redistribute it and/or modify | 3 | * This program is free software; you can redistribute it and/or modify |
4 | * it under the terms of the GNU General Public License as published by | 4 | * it under the terms of the GNU General Public License as published by |
diff --git a/security/root_plug.c b/security/root_plug.c deleted file mode 100644 index 2f7ffa67c4d2..000000000000 --- a/security/root_plug.c +++ /dev/null | |||
@@ -1,90 +0,0 @@ | |||
1 | /* | ||
2 | * Root Plug sample LSM module | ||
3 | * | ||
4 | * Originally written for a Linux Journal. | ||
5 | * | ||
6 | * Copyright (C) 2002 Greg Kroah-Hartman <greg@kroah.com> | ||
7 | * | ||
8 | * Prevents any programs running with egid == 0 if a specific USB device | ||
9 | * is not present in the system. Yes, it can be gotten around, but is a | ||
10 | * nice starting point for people to play with, and learn the LSM | ||
11 | * interface. | ||
12 | * | ||
13 | * If you want to turn this into something with a semblance of security, | ||
14 | * you need to hook the task_* functions also. | ||
15 | * | ||
16 | * See http://www.linuxjournal.com/article.php?sid=6279 for more information | ||
17 | * about this code. | ||
18 | * | ||
19 | * This program is free software; you can redistribute it and/or | ||
20 | * modify it under the terms of the GNU General Public License as | ||
21 | * published by the Free Software Foundation, version 2 of the | ||
22 | * License. | ||
23 | */ | ||
24 | |||
25 | #include <linux/kernel.h> | ||
26 | #include <linux/init.h> | ||
27 | #include <linux/security.h> | ||
28 | #include <linux/usb.h> | ||
29 | #include <linux/moduleparam.h> | ||
30 | |||
31 | /* default is a generic type of usb to serial converter */ | ||
32 | static int vendor_id = 0x0557; | ||
33 | static int product_id = 0x2008; | ||
34 | |||
35 | module_param(vendor_id, uint, 0400); | ||
36 | module_param(product_id, uint, 0400); | ||
37 | |||
38 | /* should we print out debug messages */ | ||
39 | static int debug = 0; | ||
40 | |||
41 | module_param(debug, bool, 0600); | ||
42 | |||
43 | #define MY_NAME "root_plug" | ||
44 | |||
45 | #define root_dbg(fmt, arg...) \ | ||
46 | do { \ | ||
47 | if (debug) \ | ||
48 | printk(KERN_DEBUG "%s: %s: " fmt , \ | ||
49 | MY_NAME , __func__ , \ | ||
50 | ## arg); \ | ||
51 | } while (0) | ||
52 | |||
53 | static int rootplug_bprm_check_security (struct linux_binprm *bprm) | ||
54 | { | ||
55 | struct usb_device *dev; | ||
56 | |||
57 | root_dbg("file %s, e_uid = %d, e_gid = %d\n", | ||
58 | bprm->filename, bprm->cred->euid, bprm->cred->egid); | ||
59 | |||
60 | if (bprm->cred->egid == 0) { | ||
61 | dev = usb_find_device(vendor_id, product_id); | ||
62 | if (!dev) { | ||
63 | root_dbg("e_gid = 0, and device not found, " | ||
64 | "task not allowed to run...\n"); | ||
65 | return -EPERM; | ||
66 | } | ||
67 | usb_put_dev(dev); | ||
68 | } | ||
69 | |||
70 | return 0; | ||
71 | } | ||
72 | |||
73 | static struct security_operations rootplug_security_ops = { | ||
74 | .bprm_check_security = rootplug_bprm_check_security, | ||
75 | }; | ||
76 | |||
77 | static int __init rootplug_init (void) | ||
78 | { | ||
79 | /* register ourselves with the security framework */ | ||
80 | if (register_security (&rootplug_security_ops)) { | ||
81 | printk (KERN_INFO | ||
82 | "Failure registering Root Plug module with the kernel\n"); | ||
83 | return -EINVAL; | ||
84 | } | ||
85 | printk (KERN_INFO "Root Plug module initialized, " | ||
86 | "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id); | ||
87 | return 0; | ||
88 | } | ||
89 | |||
90 | security_initcall (rootplug_init); | ||