[PATCH] seclvl securityfs

Once again, the simple_attr in libfs was actually sufficient - I'd thought the __attribute__(format(printk(1,2))) was more mysterious than it really is. At last, here is the full patch to make seclvl use securityfs. Signed-off-by: Serge Hallyn <serue@us.ibm.com> Signed-off-by: Chris Wright <chrisw@osdl.org> -- seclvl.c | 228 +++++++++++++++++++-------------------------------------------- 1 files changed, 70 insertions(+), 158 deletions(-) Index: linux-2.6.13-rc1/security/seclvl.c ===================================================================
author: serue@us.ibm.com <serue@us.ibm.com> 2005-07-08 16:44:19 -0400
committer: Chris Wright <chrisw@osdl.org> 2005-07-08 21:49:05 -0400
commit: 5a73c308754e27829c94544e010f133019cbd432 (patch)
tree: be66dc5e28c5510f6c3da99a4f8d9d9efe1360d6 /security
parent: b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2 (diff)
1 files changed, 70 insertions, 158 deletions
diff --git a/security/seclvl.c b/security/seclvl.c
index c8e87b22c9bd..f8700e935b33 100644
--- a/security/seclvl.c
+++ b/security/seclvl.c
@@ -119,69 +119,6 @@ MODULE_PARM_DESC(hideHash, "When set to 0, reading seclvl/passwd from sysfs "
        } while (0)
 /**
- * kobject stuff
- */
-struct subsystem seclvl_subsys;
-struct seclvl_obj {
-        char *name;
-        struct list_head slot_list;
-        struct kobject kobj;
-};
-/**
- * There is a seclvl_attribute struct for each file in sysfs.
- *
- * In our case, we have one of these structs for "passwd" and another
- * for "seclvl".
- */
-struct seclvl_attribute {
-        struct attribute attr;
-        ssize_t(*show) (struct seclvl_obj *, char *);
-        ssize_t(*store) (struct seclvl_obj *, const char *, size_t);
-};
-/**
- * When this function is called, one of the files in sysfs is being
- * written to.  attribute->store is a function pointer to whatever the
- * struct seclvl_attribute store function pointer points to.  It is
- * unique for "passwd" and "seclvl".
- */
-static ssize_t
-seclvl_attr_store(struct kobject *kobj,
-                  struct attribute *attr, const char *buf, size_t len)
-{
-        struct seclvl_obj *obj = container_of(kobj, struct seclvl_obj, kobj);
-        struct seclvl_attribute *attribute =
-            container_of(attr, struct seclvl_attribute, attr);
-        return attribute->store ? attribute->store(obj, buf, len) : -EIO;
-}
-static ssize_t
-seclvl_attr_show(struct kobject *kobj, struct attribute *attr, char *buf)
-{
-        struct seclvl_obj *obj = container_of(kobj, struct seclvl_obj, kobj);
-        struct seclvl_attribute *attribute =
-            container_of(attr, struct seclvl_attribute, attr);
-        return attribute->show ? attribute->show(obj, buf) : -EIO;
-}
-/**
- * Callback function pointers for show and store
- */
-static struct sysfs_ops seclvlfs_sysfs_ops = {
-        .show = seclvl_attr_show,
-        .store = seclvl_attr_store,
-};
-static struct kobj_type seclvl_ktype = {
-        .sysfs_ops = &seclvlfs_sysfs_ops
-};
-decl_subsys(seclvl, &seclvl_ktype, NULL);
-/**
 * The actual security level.  Ranges between -1 and 2 inclusive.
 */
 static int seclvl;
@@ -213,97 +150,44 @@ static int seclvl_sanity(int reqlvl)
 }
 /**
- * Called whenever the user reads the sysfs handle to this kernel
- * object
- */
-static ssize_t seclvl_read_file(struct seclvl_obj *obj, char *buff)
-{
-        return snprintf(buff, PAGE_SIZE, "%d\n", seclvl);
-}
-/**
 * security level advancement rules:
 *   Valid levels are -1 through 2, inclusive.
 *   From -1, stuck.  [ in case compiled into kernel ]
 *   From 0 or above, can only increment.
 */
-static int do_seclvl_advance(int newlvl)
+static void do_seclvl_advance(void *data, u64 val)
 {
-        if (newlvl <= seclvl) {
+        int ret;
-                seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl "
+        int newlvl = (int)val;
-                              "[%d]\n", newlvl);
-                return -EINVAL;
+        ret = seclvl_sanity(newlvl);
-        }
+        if (ret)
+                return;
        if (newlvl > 2) {
                seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl "
                              "[%d]\n", newlvl);
-                return -EINVAL;
+                return;
        }
        if (seclvl == -1) {
                seclvl_printk(1, KERN_WARNING, "Not allowed to advance to "
                              "seclvl [%d]\n", seclvl);
-                return -EPERM;
+                return;
        }
-        seclvl = newlvl;
+        seclvl = newlvl;  /* would it be more "correct" to set *data? */
-        return 0;
+        return;
 }
-/**
+static u64 seclvl_int_get(void *data)
- * Called whenever the user writes to the sysfs handle to this kernel
- * object (seclvl/seclvl).  It expects a single-digit number.
- */
-static ssize_t
-seclvl_write_file(struct seclvl_obj *obj, const char *buff, size_t count)
 {
-        unsigned long val;
+        return *(int *)data;
-        if (count > 2 || (count == 2 && buff[1] != '\n')) {
-                seclvl_printk(1, KERN_WARNING, "Invalid value passed to "
-                              "seclvl: [%s]\n", buff);
-                return -EINVAL;
-        }
-        val = buff[0] - 48;
-        if (seclvl_sanity(val)) {
-                seclvl_printk(1, KERN_WARNING, "Illegal secure level "
-                              "requested: [%d]\n", (int)val);
-                return -EPERM;
-        }
-        if (do_seclvl_advance(val)) {
-                seclvl_printk(0, KERN_ERR, "Failure advancing security level "
-                              "to %lu\n", val);
-        }
-        return count;
 }
-/* Generate sysfs_attr_seclvl */
+DEFINE_SIMPLE_ATTRIBUTE(seclvl_file_ops, seclvl_int_get, do_seclvl_advance, "%lld\n");
-static struct seclvl_attribute sysfs_attr_seclvl =
-__ATTR(seclvl, (S_IFREG | S_IRUGO | S_IWUSR), seclvl_read_file,
-       seclvl_write_file);
 static unsigned char hashedPassword[SHA1_DIGEST_SIZE];
 /**
- * Called whenever the user reads the sysfs passwd handle.
- */
-static ssize_t seclvl_read_passwd(struct seclvl_obj *obj, char *buff)
-{
-        /* So just how good *is* your password? :-) */
-        char tmp[3];
-        int i = 0;
-        buff[0] = '\0';
-        if (hideHash) {
-                /* Security through obscurity */
-                return 0;
-        }
-        while (i < SHA1_DIGEST_SIZE) {
-                snprintf(tmp, 3, "%02x", hashedPassword[i]);
-                strncat(buff, tmp, 2);
-                i++;
-        }
-        strcat(buff, "\n");
-        return ((SHA1_DIGEST_SIZE * 2) + 1);
-}
-/**
 * Converts a block of plaintext of into its SHA1 hashed value.
 *
 * It would be nice if crypto had a wrapper to do this for us linear
@@ -347,12 +231,15 @@ plaintext_to_sha1(unsigned char *hash, const char *plaintext, int len)
 * object.  It hashes the password and compares the hashed results.
 */
 static ssize_t
-seclvl_write_passwd(struct seclvl_obj *obj, const char *buff, size_t count)
+passwd_write_file(struct file * file, const char __user * buf,
+                                size_t count, loff_t *ppos)
 {
        int i;
        unsigned char tmp[SHA1_DIGEST_SIZE];
+        char *page;
        int rc;
        int len;
        if (!*passwd && !*sha1_passwd) {
                seclvl_printk(0, KERN_ERR, "Attempt to password-unlock the "
                              "seclvl module, but neither a plain text "
@@ -363,13 +250,26 @@ seclvl_write_passwd(struct seclvl_obj *obj, const char *buff, size_t count)
                              "maintainer about this event.\n");
                return -EINVAL;
        }
-        len = strlen(buff);
+        if (count < 0 || count >= PAGE_SIZE)
+                return -ENOMEM;
+        if (*ppos != 0) {
+                return -EINVAL;
+        }
+        page = (char *)get_zeroed_page(GFP_KERNEL);
+        if (!page)
+                return -ENOMEM;
+        len = -EFAULT;
+        if (copy_from_user(page, buf, count))
+                goto out;
+        
+        len = strlen(page);
        /* ``echo "secret" > seclvl/passwd'' includes a newline */
-        if (buff[len - 1] == '\n') {
+        if (page[len - 1] == '\n') {
                len--;
        }
        /* Hash the password, then compare the hashed values */
-        if ((rc = plaintext_to_sha1(tmp, buff, len))) {
+        if ((rc = plaintext_to_sha1(tmp, page, len))) {
                seclvl_printk(0, KERN_ERR, "Error hashing password: rc = "
                              "[%d]\n", rc);
                return rc;
@@ -382,13 +282,16 @@ seclvl_write_passwd(struct seclvl_obj *obj, const char *buff, size_t count)
        seclvl_printk(0, KERN_INFO,
                      "Password accepted; seclvl reduced to 0.\n");
        seclvl = 0;
-        return count;
+        len = count;
+out:
+        free_page((unsigned long)page);
+        return len;
 }
-/* Generate sysfs_attr_passwd */
+static struct file_operations passwd_file_ops = {
-static struct seclvl_attribute sysfs_attr_passwd =
+        .write = passwd_write_file,
-__ATTR(passwd, (S_IFREG | S_IRUGO | S_IWUSR), seclvl_read_passwd,
+};
-       seclvl_write_passwd);
 /**
 * Explicitely disallow ptrace'ing the init process.
@@ -647,22 +550,34 @@ static int processPassword(void)
 }
 /**
- * Sysfs registrations
+ * securityfs registrations
 */
-static int doSysfsRegistrations(void)
+struct dentry *dir_ino, *seclvl_ino, *passwd_ino;
+static int seclvlfs_register(void)
 {
-        int rc = 0;
+        dir_ino = securityfs_create_dir("seclvl", NULL);
-        if ((rc = subsystem_register(&seclvl_subsys))) {
+        if (!dir_ino)
-                seclvl_printk(0, KERN_WARNING,
+                return -EFAULT;
-                              "Error [%d] registering seclvl subsystem\n", rc);
-                return rc;
+        seclvl_ino = securityfs_create_file("seclvl", S_IRUGO | S_IWUSR,
-        }
+                                dir_ino, &seclvl, &seclvl_file_ops);
-        sysfs_create_file(&seclvl_subsys.kset.kobj, &sysfs_attr_seclvl.attr);
+        if (!seclvl_ino)
+                goto out_deldir;
        if (*passwd || *sha1_passwd) {
-                sysfs_create_file(&seclvl_subsys.kset.kobj,
+                passwd_ino = securityfs_create_file("passwd", S_IRUGO | S_IWUSR,
-                                  &sysfs_attr_passwd.attr);
+                                dir_ino, NULL, &passwd_file_ops);
+                if (!passwd_ino)
+                        goto out_delf;
        }
        return 0;
+out_deldir:
+        securityfs_remove(dir_ino);
+out_delf:
+        securityfs_remove(seclvl_ino);
+        return -EFAULT;
 }
 /**
@@ -677,8 +592,6 @@ static int __init seclvl_init(void)
                rc = -EINVAL;
                goto exit;
        }
-        sysfs_attr_seclvl.attr.owner = THIS_MODULE;
-        sysfs_attr_passwd.attr.owner = THIS_MODULE;
        if (initlvl < -1 || initlvl > 2) {
                seclvl_printk(0, KERN_ERR, "Error: bad initial securelevel "
                              "[%d].\n", initlvl);
@@ -706,7 +619,7 @@ static int __init seclvl_init(void)
                }               /* if primary module registered */
                secondary = 1;
        }                       /* if we registered ourselves with the security framework */
-        if ((rc = doSysfsRegistrations())) {
+        if ((rc = seclvlfs_register())) {
                seclvl_printk(0, KERN_ERR, "Error registering with sysfs\n");
                goto exit;
        }
@@ -724,12 +637,11 @@ static int __init seclvl_init(void)
 */
 static void __exit seclvl_exit(void)
 {
-        sysfs_remove_file(&seclvl_subsys.kset.kobj, &sysfs_attr_seclvl.attr);
+        securityfs_remove(seclvl_ino);
        if (*passwd || *sha1_passwd) {
-                sysfs_remove_file(&seclvl_subsys.kset.kobj,
+                securityfs_remove(passwd_ino);
-                                  &sysfs_attr_passwd.attr);
        }
-        subsystem_unregister(&seclvl_subsys);
+        securityfs_remove(dir_ino);
        if (secondary == 1) {
                mod_unreg_security(MY_NAME, &seclvl_ops);
        } else if (unregister_security(&seclvl_ops)) {
author	serue@us.ibm.com <serue@us.ibm.com>	2005-07-08 16:44:19 -0400
committer	Chris Wright <chrisw@osdl.org>	2005-07-08 21:49:05 -0400
commit	5a73c308754e27829c94544e010f133019cbd432 (patch)
tree	be66dc5e28c5510f6c3da99a4f8d9d9efe1360d6 /security
parent	b67dbf9d4c1987c370fd18fdc4cf9d8aaea604c2 (diff)

diff --git a/security/seclvl.c b/security/seclvl.c index c8e87b22c9bd..f8700e935b33 100644 --- a/security/seclvl.c +++ b/security/seclvl.c
@@ -119,69 +119,6 @@ MODULE_PARM_DESC(hideHash, "When set to 0, reading seclvl/passwd from sysfs "
119	} while (0)	119	} while (0)
120		120
121	/**	121	/**
122	* kobject stuff
123	*/
124
125	struct subsystem seclvl_subsys;
126
127	struct seclvl_obj {
128	char *name;
129	struct list_head slot_list;
130	struct kobject kobj;
131	};
132
133	/**
134	* There is a seclvl_attribute struct for each file in sysfs.
135	*
136	* In our case, we have one of these structs for "passwd" and another
137	* for "seclvl".
138	*/
139	struct seclvl_attribute {
140	struct attribute attr;
141	ssize_t(show) (struct seclvl_obj , char *);
142	ssize_t(store) (struct seclvl_obj , const char *, size_t);
143	};
144
145	/**
146	* When this function is called, one of the files in sysfs is being
147	* written to. attribute->store is a function pointer to whatever the
148	* struct seclvl_attribute store function pointer points to. It is
149	* unique for "passwd" and "seclvl".
150	*/
151	static ssize_t
152	seclvl_attr_store(struct kobject *kobj,
153	struct attribute attr, const char buf, size_t len)
154	{
155	struct seclvl_obj *obj = container_of(kobj, struct seclvl_obj, kobj);
156	struct seclvl_attribute *attribute =
157	container_of(attr, struct seclvl_attribute, attr);
158	return attribute->store ? attribute->store(obj, buf, len) : -EIO;
159	}
160
161	static ssize_t
162	seclvl_attr_show(struct kobject kobj, struct attribute attr, char *buf)
163	{
164	struct seclvl_obj *obj = container_of(kobj, struct seclvl_obj, kobj);
165	struct seclvl_attribute *attribute =
166	container_of(attr, struct seclvl_attribute, attr);
167	return attribute->show ? attribute->show(obj, buf) : -EIO;
168	}
169
170	/**
171	* Callback function pointers for show and store
172	*/
173	static struct sysfs_ops seclvlfs_sysfs_ops = {
174	.show = seclvl_attr_show,
175	.store = seclvl_attr_store,
176	};
177
178	static struct kobj_type seclvl_ktype = {
179	.sysfs_ops = &seclvlfs_sysfs_ops
180	};
181
182	decl_subsys(seclvl, &seclvl_ktype, NULL);
183
184	/**
185	* The actual security level. Ranges between -1 and 2 inclusive.	122	* The actual security level. Ranges between -1 and 2 inclusive.
186	*/	123	*/
187	static int seclvl;	124	static int seclvl;
@@ -213,97 +150,44 @@ static int seclvl_sanity(int reqlvl)
213	}	150	}
214		151
215	/**	152	/**
216	* Called whenever the user reads the sysfs handle to this kernel
217	* object
218	*/
219	static ssize_t seclvl_read_file(struct seclvl_obj obj, char buff)
220	{
221	return snprintf(buff, PAGE_SIZE, "%d\n", seclvl);
222	}
223
224	/**
225	* security level advancement rules:	153	* security level advancement rules:
226	* Valid levels are -1 through 2, inclusive.	154	* Valid levels are -1 through 2, inclusive.
227	* From -1, stuck. [ in case compiled into kernel ]	155	* From -1, stuck. [ in case compiled into kernel ]
228	* From 0 or above, can only increment.	156	* From 0 or above, can only increment.
229	*/	157	*/
230	static int do_seclvl_advance(int newlvl)	158	static void do_seclvl_advance(void *data, u64 val)
231	{	159	{
232	if (newlvl <= seclvl) {	160	int ret;
233	seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl "	161	int newlvl = (int)val;
234	"[%d]\n", newlvl);	162
235	return -EINVAL;	163	ret = seclvl_sanity(newlvl);
236	}	164	if (ret)
		165	return;
		166
237	if (newlvl > 2) {	167	if (newlvl > 2) {
238	seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl "	168	seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl "
239	"[%d]\n", newlvl);	169	"[%d]\n", newlvl);
240	return -EINVAL;	170	return;
241	}	171	}
242	if (seclvl == -1) {	172	if (seclvl == -1) {
243	seclvl_printk(1, KERN_WARNING, "Not allowed to advance to "	173	seclvl_printk(1, KERN_WARNING, "Not allowed to advance to "
244	"seclvl [%d]\n", seclvl);	174	"seclvl [%d]\n", seclvl);
245	return -EPERM;	175	return;
246	}	176	}
247	seclvl = newlvl;	177	seclvl = newlvl; /* would it be more "correct" to set data? /
248	return 0;	178	return;
249	}	179	}
250		180
251	/**	181	static u64 seclvl_int_get(void *data)
252	* Called whenever the user writes to the sysfs handle to this kernel
253	* object (seclvl/seclvl). It expects a single-digit number.
254	*/
255	static ssize_t
256	seclvl_write_file(struct seclvl_obj obj, const char buff, size_t count)
257	{	182	{
258	unsigned long val;	183	return (int )data;
259	if (count > 2 \|\| (count == 2 && buff[1] != '\n')) {
260	seclvl_printk(1, KERN_WARNING, "Invalid value passed to "
261	"seclvl: [%s]\n", buff);
262	return -EINVAL;
263	}
264	val = buff[0] - 48;
265	if (seclvl_sanity(val)) {
266	seclvl_printk(1, KERN_WARNING, "Illegal secure level "
267	"requested: [%d]\n", (int)val);
268	return -EPERM;
269	}
270	if (do_seclvl_advance(val)) {
271	seclvl_printk(0, KERN_ERR, "Failure advancing security level "
272	"to %lu\n", val);
273	}
274	return count;
275	}	184	}
276		185
277	/* Generate sysfs_attr_seclvl */	186	DEFINE_SIMPLE_ATTRIBUTE(seclvl_file_ops, seclvl_int_get, do_seclvl_advance, "%lld\n");
278	static struct seclvl_attribute sysfs_attr_seclvl =
279	__ATTR(seclvl, (S_IFREG \| S_IRUGO \| S_IWUSR), seclvl_read_file,
280	seclvl_write_file);
281		187
282	static unsigned char hashedPassword[SHA1_DIGEST_SIZE];	188	static unsigned char hashedPassword[SHA1_DIGEST_SIZE];
283		189
284	/**	190	/**
285	* Called whenever the user reads the sysfs passwd handle.
286	*/
287	static ssize_t seclvl_read_passwd(struct seclvl_obj obj, char buff)
288	{
289	/* So just how good is your password? :-) */
290	char tmp[3];
291	int i = 0;
292	buff[0] = '\0';
293	if (hideHash) {
294	/* Security through obscurity */
295	return 0;
296	}
297	while (i < SHA1_DIGEST_SIZE) {
298	snprintf(tmp, 3, "%02x", hashedPassword[i]);
299	strncat(buff, tmp, 2);
300	i++;
301	}
302	strcat(buff, "\n");
303	return ((SHA1_DIGEST_SIZE * 2) + 1);
304	}
305
306	/**
307	* Converts a block of plaintext of into its SHA1 hashed value.	191	* Converts a block of plaintext of into its SHA1 hashed value.
308	*	192	*
309	* It would be nice if crypto had a wrapper to do this for us linear	193	* It would be nice if crypto had a wrapper to do this for us linear
@@ -347,12 +231,15 @@ plaintext_to_sha1(unsigned char hash, const char plaintext, int len)
347	* object. It hashes the password and compares the hashed results.	231	* object. It hashes the password and compares the hashed results.
348	*/	232	*/
349	static ssize_t	233	static ssize_t
350	seclvl_write_passwd(struct seclvl_obj obj, const char buff, size_t count)	234	passwd_write_file(struct file * file, const char __user * buf,
		235	size_t count, loff_t *ppos)
351	{	236	{
352	int i;	237	int i;
353	unsigned char tmp[SHA1_DIGEST_SIZE];	238	unsigned char tmp[SHA1_DIGEST_SIZE];
		239	char *page;
354	int rc;	240	int rc;
355	int len;	241	int len;
		242
356	if (!passwd && !sha1_passwd) {	243	if (!passwd && !sha1_passwd) {
357	seclvl_printk(0, KERN_ERR, "Attempt to password-unlock the "	244	seclvl_printk(0, KERN_ERR, "Attempt to password-unlock the "
358	"seclvl module, but neither a plain text "	245	"seclvl module, but neither a plain text "
@@ -363,13 +250,26 @@ seclvl_write_passwd(struct seclvl_obj obj, const char buff, size_t count)
363	"maintainer about this event.\n");	250	"maintainer about this event.\n");
364	return -EINVAL;	251	return -EINVAL;
365	}	252	}
366	len = strlen(buff);	253
		254	if (count < 0 \|\| count >= PAGE_SIZE)
		255	return -ENOMEM;
		256	if (*ppos != 0) {
		257	return -EINVAL;
		258	}
		259	page = (char *)get_zeroed_page(GFP_KERNEL);
		260	if (!page)
		261	return -ENOMEM;
		262	len = -EFAULT;
		263	if (copy_from_user(page, buf, count))
		264	goto out;
		265
		266	len = strlen(page);
367	/* ``echo "secret" > seclvl/passwd'' includes a newline */	267	/* ``echo "secret" > seclvl/passwd'' includes a newline */
368	if (buff[len - 1] == '\n') {	268	if (page[len - 1] == '\n') {
369	len--;	269	len--;
370	}	270	}
371	/* Hash the password, then compare the hashed values */	271	/* Hash the password, then compare the hashed values */
372	if ((rc = plaintext_to_sha1(tmp, buff, len))) {	272	if ((rc = plaintext_to_sha1(tmp, page, len))) {
373	seclvl_printk(0, KERN_ERR, "Error hashing password: rc = "	273	seclvl_printk(0, KERN_ERR, "Error hashing password: rc = "
374	"[%d]\n", rc);	274	"[%d]\n", rc);
375	return rc;	275	return rc;
@@ -382,13 +282,16 @@ seclvl_write_passwd(struct seclvl_obj obj, const char buff, size_t count)
382	seclvl_printk(0, KERN_INFO,	282	seclvl_printk(0, KERN_INFO,
383	"Password accepted; seclvl reduced to 0.\n");	283	"Password accepted; seclvl reduced to 0.\n");
384	seclvl = 0;	284	seclvl = 0;
385	return count;	285	len = count;
		286
		287	out:
		288	free_page((unsigned long)page);
		289	return len;
386	}	290	}
387		291
388	/* Generate sysfs_attr_passwd */	292	static struct file_operations passwd_file_ops = {
389	static struct seclvl_attribute sysfs_attr_passwd =	293	.write = passwd_write_file,
390	__ATTR(passwd, (S_IFREG \| S_IRUGO \| S_IWUSR), seclvl_read_passwd,	294	};
391	seclvl_write_passwd);
392		295
393	/**	296	/**
394	* Explicitely disallow ptrace'ing the init process.	297	* Explicitely disallow ptrace'ing the init process.
@@ -647,22 +550,34 @@ static int processPassword(void)
647	}	550	}
648		551
649	/**	552	/**
650	* Sysfs registrations	553	* securityfs registrations
651	*/	554	*/
652	static int doSysfsRegistrations(void)	555	struct dentry dir_ino, seclvl_ino, *passwd_ino;
		556
		557	static int seclvlfs_register(void)
653	{	558	{
654	int rc = 0;	559	dir_ino = securityfs_create_dir("seclvl", NULL);
655	if ((rc = subsystem_register(&seclvl_subsys))) {	560	if (!dir_ino)
656	seclvl_printk(0, KERN_WARNING,	561	return -EFAULT;
657	"Error [%d] registering seclvl subsystem\n", rc);	562
658	return rc;	563	seclvl_ino = securityfs_create_file("seclvl", S_IRUGO \| S_IWUSR,
659	}	564	dir_ino, &seclvl, &seclvl_file_ops);
660	sysfs_create_file(&seclvl_subsys.kset.kobj, &sysfs_attr_seclvl.attr);	565	if (!seclvl_ino)
		566	goto out_deldir;
661	if (passwd \|\| sha1_passwd) {	567	if (passwd \|\| sha1_passwd) {
662	sysfs_create_file(&seclvl_subsys.kset.kobj,	568	passwd_ino = securityfs_create_file("passwd", S_IRUGO \| S_IWUSR,
663	&sysfs_attr_passwd.attr);	569	dir_ino, NULL, &passwd_file_ops);
		570	if (!passwd_ino)
		571	goto out_delf;
664	}	572	}
665	return 0;	573	return 0;
		574
		575	out_deldir:
		576	securityfs_remove(dir_ino);
		577	out_delf:
		578	securityfs_remove(seclvl_ino);
		579
		580	return -EFAULT;
666	}	581	}
667		582
668	/**	583	/**
@@ -677,8 +592,6 @@ static int __init seclvl_init(void)
677	rc = -EINVAL;	592	rc = -EINVAL;
678	goto exit;	593	goto exit;
679	}	594	}
680	sysfs_attr_seclvl.attr.owner = THIS_MODULE;
681	sysfs_attr_passwd.attr.owner = THIS_MODULE;
682	if (initlvl < -1 \|\| initlvl > 2) {	595	if (initlvl < -1 \|\| initlvl > 2) {
683	seclvl_printk(0, KERN_ERR, "Error: bad initial securelevel "	596	seclvl_printk(0, KERN_ERR, "Error: bad initial securelevel "
684	"[%d].\n", initlvl);	597	"[%d].\n", initlvl);
@@ -706,7 +619,7 @@ static int __init seclvl_init(void)
706	} /* if primary module registered */	619	} /* if primary module registered */
707	secondary = 1;	620	secondary = 1;
708	} /* if we registered ourselves with the security framework */	621	} /* if we registered ourselves with the security framework */
709	if ((rc = doSysfsRegistrations())) {	622	if ((rc = seclvlfs_register())) {
710	seclvl_printk(0, KERN_ERR, "Error registering with sysfs\n");	623	seclvl_printk(0, KERN_ERR, "Error registering with sysfs\n");
711	goto exit;	624	goto exit;
712	}	625	}
@@ -724,12 +637,11 @@ static int __init seclvl_init(void)
724	*/	637	*/
725	static void __exit seclvl_exit(void)	638	static void __exit seclvl_exit(void)
726	{	639	{
727	sysfs_remove_file(&seclvl_subsys.kset.kobj, &sysfs_attr_seclvl.attr);	640	securityfs_remove(seclvl_ino);
728	if (passwd \|\| sha1_passwd) {	641	if (passwd \|\| sha1_passwd) {
729	sysfs_remove_file(&seclvl_subsys.kset.kobj,	642	securityfs_remove(passwd_ino);
730	&sysfs_attr_passwd.attr);
731	}	643	}
732	subsystem_unregister(&seclvl_subsys);	644	securityfs_remove(dir_ino);
733	if (secondary == 1) {	645	if (secondary == 1) {
734	mod_unreg_security(MY_NAME, &seclvl_ops);	646	mod_unreg_security(MY_NAME, &seclvl_ops);
735	} else if (unregister_security(&seclvl_ops)) {	647	} else if (unregister_security(&seclvl_ops)) {