diff options
| author | James Morris <jmorris@namei.org> | 2007-10-17 02:31:32 -0400 |
|---|---|---|
| committer | Linus Torvalds <torvalds@woody.linux-foundation.org> | 2007-10-17 11:43:07 -0400 |
| commit | 20510f2f4e2dabb0ff6c13901807627ec9452f98 (patch) | |
| tree | d64b9eeb90d577f7f9688a215c4c6c3c2405188a /security/selinux | |
| parent | 5c3b447457789374cdb7b03afe2540d48c649a36 (diff) | |
security: Convert LSM into a static interface
Convert LSM into a static interface, as the ability to unload a security
module is not required by in-tree users and potentially complicates the
overall security architecture.
Needlessly exported LSM symbols have been unexported, to help reduce API
abuse.
Parameters for the capability and root_plug modules are now specified
at boot.
The SECURITY_FRAMEWORK_VERSION macro has also been removed.
In a nutshell, there is no safe way to unload an LSM. The modular interface
is thus unecessary and broken infrastructure. It is used only by out-of-tree
modules, which are often binary-only, illegal, abusive of the API and
dangerous, e.g. silently re-vectoring SELinux.
[akpm@linux-foundation.org: cleanups]
[akpm@linux-foundation.org: USB Kconfig fix]
[randy.dunlap@oracle.com: fix LSM kernel-doc]
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Chris Wright <chrisw@sous-sol.org>
Cc: Stephen Smalley <sds@tycho.nsa.gov>
Cc: "Serge E. Hallyn" <serue@us.ibm.com>
Acked-by: Arjan van de Ven <arjan@infradead.org>
Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/selinux')
| -rw-r--r-- | security/selinux/hooks.c | 2 | ||||
| -rw-r--r-- | security/selinux/xfrm.c | 1 |
2 files changed, 1 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 97b7e2738097..83a535b7bc60 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -22,7 +22,6 @@ | |||
| 22 | * as published by the Free Software Foundation. | 22 | * as published by the Free Software Foundation. |
| 23 | */ | 23 | */ |
| 24 | 24 | ||
| 25 | #include <linux/module.h> | ||
| 26 | #include <linux/init.h> | 25 | #include <linux/init.h> |
| 27 | #include <linux/kernel.h> | 26 | #include <linux/kernel.h> |
| 28 | #include <linux/ptrace.h> | 27 | #include <linux/ptrace.h> |
| @@ -86,6 +85,7 @@ | |||
| 86 | extern unsigned int policydb_loaded_version; | 85 | extern unsigned int policydb_loaded_version; |
| 87 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); | 86 | extern int selinux_nlmsg_lookup(u16 sclass, u16 nlmsg_type, u32 *perm); |
| 88 | extern int selinux_compat_net; | 87 | extern int selinux_compat_net; |
| 88 | extern struct security_operations *security_ops; | ||
| 89 | 89 | ||
| 90 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP | 90 | #ifdef CONFIG_SECURITY_SELINUX_DEVELOP |
| 91 | int selinux_enforcing = 0; | 91 | int selinux_enforcing = 0; |
diff --git a/security/selinux/xfrm.c b/security/selinux/xfrm.c index ba715f40b658..cb008d9f0a82 100644 --- a/security/selinux/xfrm.c +++ b/security/selinux/xfrm.c | |||
| @@ -31,7 +31,6 @@ | |||
| 31 | * 2. Emulating a reasonable SO_PEERSEC across machines | 31 | * 2. Emulating a reasonable SO_PEERSEC across machines |
| 32 | * 3. Testing addition of sk_policy's with security context via setsockopt | 32 | * 3. Testing addition of sk_policy's with security context via setsockopt |
| 33 | */ | 33 | */ |
| 34 | #include <linux/module.h> | ||
| 35 | #include <linux/kernel.h> | 34 | #include <linux/kernel.h> |
| 36 | #include <linux/init.h> | 35 | #include <linux/init.h> |
| 37 | #include <linux/security.h> | 36 | #include <linux/security.h> |