aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorAhmed S. Darwish <darwish.07@gmail.com>2008-03-06 11:09:10 -0500
committerJames Morris <jmorris@namei.org>2008-04-18 20:00:51 -0400
commit076c54c5bcaed2081c0cba94a6f77c4d470236ad (patch)
tree5e8f05cab20a49922618bb3af697a6b46e610eee /include
parent04305e4aff8b0533dc05f9f6f1a34d0796bd985f (diff)
Security: Introduce security= boot parameter
Add the security= boot parameter. This is done to avoid LSM registration clashes in case of more than one bult-in module. User can choose a security module to enable at boot. If no security= boot parameter is specified, only the first LSM asking for registration will be loaded. An invalid security module name will be treated as if no module has been chosen. LSM modules must check now if they are allowed to register by calling security_module_enable(ops) first. Modify SELinux and SMACK to do so. Do not let SMACK register smackfs if it was not chosen on boot. Smackfs assumes that smack hooks are registered and the initial task security setup (swapper->security) is done. Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com> Acked-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include')
-rw-r--r--include/linux/security.h12
1 files changed, 12 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h
index 697f228daf19..f4116d6ed64b 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -36,6 +36,9 @@
36 36
37extern unsigned securebits; 37extern unsigned securebits;
38 38
39/* Maximum number of letters for an LSM name string */
40#define SECURITY_NAME_MAX 10
41
39struct ctl_table; 42struct ctl_table;
40struct audit_krule; 43struct audit_krule;
41 44
@@ -137,6 +140,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
137/** 140/**
138 * struct security_operations - main security structure 141 * struct security_operations - main security structure
139 * 142 *
143 * Security module identifier.
144 *
145 * @name:
146 * A string that acts as a unique identifeir for the LSM with max number
147 * of characters = SECURITY_NAME_MAX.
148 *
140 * Security hooks for program execution operations. 149 * Security hooks for program execution operations.
141 * 150 *
142 * @bprm_alloc_security: 151 * @bprm_alloc_security:
@@ -1270,6 +1279,8 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
1270 * This is the main security structure. 1279 * This is the main security structure.
1271 */ 1280 */
1272struct security_operations { 1281struct security_operations {
1282 char name[SECURITY_NAME_MAX + 1];
1283
1273 int (*ptrace) (struct task_struct * parent, struct task_struct * child); 1284 int (*ptrace) (struct task_struct * parent, struct task_struct * child);
1274 int (*capget) (struct task_struct * target, 1285 int (*capget) (struct task_struct * target,
1275 kernel_cap_t * effective, 1286 kernel_cap_t * effective,
@@ -1537,6 +1548,7 @@ struct security_operations {
1537 1548
1538/* prototypes */ 1549/* prototypes */
1539extern int security_init (void); 1550extern int security_init (void);
1551extern int security_module_enable(struct security_operations *ops);
1540extern int register_security (struct security_operations *ops); 1552extern int register_security (struct security_operations *ops);
1541extern int mod_reg_security (const char *name, struct security_operations *ops); 1553extern int mod_reg_security (const char *name, struct security_operations *ops);
1542extern struct dentry *securityfs_create_file(const char *name, mode_t mode, 1554extern struct dentry *securityfs_create_file(const char *name, mode_t mode,