aboutsummaryrefslogtreecommitdiffstats
path: root/Documentation
diff options
context:
space:
mode:
authorJames Morris <jmorris@namei.org>2007-10-17 02:31:32 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-10-17 11:43:07 -0400
commit20510f2f4e2dabb0ff6c13901807627ec9452f98 (patch)
treed64b9eeb90d577f7f9688a215c4c6c3c2405188a /Documentation
parent5c3b447457789374cdb7b03afe2540d48c649a36 (diff)
security: Convert LSM into a static interface
Convert LSM into a static interface, as the ability to unload a security module is not required by in-tree users and potentially complicates the overall security architecture. Needlessly exported LSM symbols have been unexported, to help reduce API abuse. Parameters for the capability and root_plug modules are now specified at boot. The SECURITY_FRAMEWORK_VERSION macro has also been removed. In a nutshell, there is no safe way to unload an LSM. The modular interface is thus unecessary and broken infrastructure. It is used only by out-of-tree modules, which are often binary-only, illegal, abusive of the API and dangerous, e.g. silently re-vectoring SELinux. [akpm@linux-foundation.org: cleanups] [akpm@linux-foundation.org: USB Kconfig fix] [randy.dunlap@oracle.com: fix LSM kernel-doc] Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Chris Wright <chrisw@sous-sol.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: "Serge E. Hallyn" <serue@us.ibm.com> Acked-by: Arjan van de Ven <arjan@infradead.org> Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'Documentation')
-rw-r--r--Documentation/DocBook/kernel-api.tmpl2
-rw-r--r--Documentation/kernel-parameters.txt17
2 files changed, 18 insertions, 1 deletions
diff --git a/Documentation/DocBook/kernel-api.tmpl b/Documentation/DocBook/kernel-api.tmpl
index 083258f0eab5..d3290c46af51 100644
--- a/Documentation/DocBook/kernel-api.tmpl
+++ b/Documentation/DocBook/kernel-api.tmpl
@@ -340,7 +340,7 @@ X!Earch/x86/kernel/mca_32.c
340 340
341 <chapter id="security"> 341 <chapter id="security">
342 <title>Security Framework</title> 342 <title>Security Framework</title>
343!Esecurity/security.c 343!Isecurity/security.c
344 </chapter> 344 </chapter>
345 345
346 <chapter id="audit"> 346 <chapter id="audit">
diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
index a0ed205e5351..63bda3637085 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -75,10 +75,12 @@ parameter is applicable:
75 PPT Parallel port support is enabled. 75 PPT Parallel port support is enabled.
76 PS2 Appropriate PS/2 support is enabled. 76 PS2 Appropriate PS/2 support is enabled.
77 RAM RAM disk support is enabled. 77 RAM RAM disk support is enabled.
78 ROOTPLUG The example Root Plug LSM is enabled.
78 S390 S390 architecture is enabled. 79 S390 S390 architecture is enabled.
79 SCSI Appropriate SCSI support is enabled. 80 SCSI Appropriate SCSI support is enabled.
80 A lot of drivers has their options described inside of 81 A lot of drivers has their options described inside of
81 Documentation/scsi/. 82 Documentation/scsi/.
83 SECURITY Different security models are enabled.
82 SELINUX SELinux support is enabled. 84 SELINUX SELinux support is enabled.
83 SERIAL Serial support is enabled. 85 SERIAL Serial support is enabled.
84 SH SuperH architecture is enabled. 86 SH SuperH architecture is enabled.
@@ -373,6 +375,12 @@ and is between 256 and 4096 characters. It is defined in the file
373 possible to determine what the correct size should be. 375 possible to determine what the correct size should be.
374 This option provides an override for these situations. 376 This option provides an override for these situations.
375 377
378 capability.disable=
379 [SECURITY] Disable capabilities. This would normally
380 be used only if an alternative security model is to be
381 configured. Potentially dangerous and should only be
382 used if you are entirely sure of the consequences.
383
376 chandev= [HW,NET] Generic channel device initialisation 384 chandev= [HW,NET] Generic channel device initialisation
377 385
378 checkreqprot [SELINUX] Set initial checkreqprot flag value. 386 checkreqprot [SELINUX] Set initial checkreqprot flag value.
@@ -1539,6 +1547,15 @@ and is between 256 and 4096 characters. It is defined in the file
1539 Useful for devices that are detected asynchronously 1547 Useful for devices that are detected asynchronously
1540 (e.g. USB and MMC devices). 1548 (e.g. USB and MMC devices).
1541 1549
1550 root_plug.vendor_id=
1551 [ROOTPLUG] Override the default vendor ID
1552
1553 root_plug.product_id=
1554 [ROOTPLUG] Override the default product ID
1555
1556 root_plug.debug=
1557 [ROOTPLUG] Enable debugging output
1558
1542 rw [KNL] Mount root device read-write on boot 1559 rw [KNL] Mount root device read-write on boot
1543 1560
1544 S [KNL] Run init in single mode 1561 S [KNL] Run init in single mode