diff options
| author | James Morris <jmorris@namei.org> | 2008-07-10 04:02:07 -0400 |
|---|---|---|
| committer | James Morris <jmorris@namei.org> | 2008-07-14 01:04:06 -0400 |
| commit | 6f0f0fd496333777d53daff21a4e3b28c4d03a6d (patch) | |
| tree | 202de67376fce2547b44ae5b016d6424c3c7409c /security | |
| parent | 93cbace7a058bce7f99319ef6ceff4b78cf45051 (diff) | |
security: remove register_security hook
The register security hook is no longer required, as the capability
module is always registered. LSMs wishing to stack capability as
a secondary module should do so explicitly.
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'security')
| -rw-r--r-- | security/capability.c | 7 | ||||
| -rw-r--r-- | security/root_plug.c | 9 | ||||
| -rw-r--r-- | security/security.c | 29 | ||||
| -rw-r--r-- | security/selinux/hooks.c | 32 | ||||
| -rw-r--r-- | security/smack/smack_lsm.c | 23 |
5 files changed, 5 insertions, 95 deletions
diff --git a/security/capability.c b/security/capability.c index 6e0671c82018..5b01c0b02422 100644 --- a/security/capability.c +++ b/security/capability.c | |||
| @@ -721,12 +721,6 @@ static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall) | |||
| 721 | } | 721 | } |
| 722 | 722 | ||
| 723 | #endif /* CONFIG_SECURITY_NETWORK_XFRM */ | 723 | #endif /* CONFIG_SECURITY_NETWORK_XFRM */ |
| 724 | static int cap_register_security(const char *name, | ||
| 725 | struct security_operations *ops) | ||
| 726 | { | ||
| 727 | return -EINVAL; | ||
| 728 | } | ||
| 729 | |||
| 730 | static void cap_d_instantiate(struct dentry *dentry, struct inode *inode) | 724 | static void cap_d_instantiate(struct dentry *dentry, struct inode *inode) |
| 731 | { | 725 | { |
| 732 | } | 726 | } |
| @@ -940,7 +934,6 @@ void security_fixup_ops(struct security_operations *ops) | |||
| 940 | set_to_cap_if_null(ops, sem_semop); | 934 | set_to_cap_if_null(ops, sem_semop); |
| 941 | set_to_cap_if_null(ops, netlink_send); | 935 | set_to_cap_if_null(ops, netlink_send); |
| 942 | set_to_cap_if_null(ops, netlink_recv); | 936 | set_to_cap_if_null(ops, netlink_recv); |
| 943 | set_to_cap_if_null(ops, register_security); | ||
| 944 | set_to_cap_if_null(ops, d_instantiate); | 937 | set_to_cap_if_null(ops, d_instantiate); |
| 945 | set_to_cap_if_null(ops, getprocattr); | 938 | set_to_cap_if_null(ops, getprocattr); |
| 946 | set_to_cap_if_null(ops, setprocattr); | 939 | set_to_cap_if_null(ops, setprocattr); |
diff --git a/security/root_plug.c b/security/root_plug.c index a41cf42a4fa0..be0ebec2580b 100644 --- a/security/root_plug.c +++ b/security/root_plug.c | |||
| @@ -28,9 +28,6 @@ | |||
| 28 | #include <linux/usb.h> | 28 | #include <linux/usb.h> |
| 29 | #include <linux/moduleparam.h> | 29 | #include <linux/moduleparam.h> |
| 30 | 30 | ||
| 31 | /* flag to keep track of how we were registered */ | ||
| 32 | static int secondary; | ||
| 33 | |||
| 34 | /* default is a generic type of usb to serial converter */ | 31 | /* default is a generic type of usb to serial converter */ |
| 35 | static int vendor_id = 0x0557; | 32 | static int vendor_id = 0x0557; |
| 36 | static int product_id = 0x2008; | 33 | static int product_id = 0x2008; |
| @@ -97,13 +94,7 @@ static int __init rootplug_init (void) | |||
| 97 | if (register_security (&rootplug_security_ops)) { | 94 | if (register_security (&rootplug_security_ops)) { |
| 98 | printk (KERN_INFO | 95 | printk (KERN_INFO |
| 99 | "Failure registering Root Plug module with the kernel\n"); | 96 | "Failure registering Root Plug module with the kernel\n"); |
| 100 | /* try registering with primary module */ | ||
| 101 | if (mod_reg_security (MY_NAME, &rootplug_security_ops)) { | ||
| 102 | printk (KERN_INFO "Failure registering Root Plug " | ||
| 103 | " module with primary security module.\n"); | ||
| 104 | return -EINVAL; | 97 | return -EINVAL; |
| 105 | } | ||
| 106 | secondary = 1; | ||
| 107 | } | 98 | } |
| 108 | printk (KERN_INFO "Root Plug module initialized, " | 99 | printk (KERN_INFO "Root Plug module initialized, " |
| 109 | "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id); | 100 | "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id); |
diff --git a/security/security.c b/security/security.c index 30b0278de394..59f23b5918b3 100644 --- a/security/security.c +++ b/security/security.c | |||
| @@ -125,35 +125,6 @@ int register_security(struct security_operations *ops) | |||
| 125 | return 0; | 125 | return 0; |
| 126 | } | 126 | } |
| 127 | 127 | ||
| 128 | /** | ||
| 129 | * mod_reg_security - allows security modules to be "stacked" | ||
| 130 | * @name: a pointer to a string with the name of the security_options to be registered | ||
| 131 | * @ops: a pointer to the struct security_options that is to be registered | ||
| 132 | * | ||
| 133 | * This function allows security modules to be stacked if the currently loaded | ||
| 134 | * security module allows this to happen. It passes the @name and @ops to the | ||
| 135 | * register_security function of the currently loaded security module. | ||
| 136 | * | ||
| 137 | * The return value depends on the currently loaded security module, with 0 as | ||
| 138 | * success. | ||
| 139 | */ | ||
| 140 | int mod_reg_security(const char *name, struct security_operations *ops) | ||
| 141 | { | ||
| 142 | if (verify(ops)) { | ||
| 143 | printk(KERN_INFO "%s could not verify " | ||
| 144 | "security operations.\n", __func__); | ||
| 145 | return -EINVAL; | ||
| 146 | } | ||
| 147 | |||
| 148 | if (ops == security_ops) { | ||
| 149 | printk(KERN_INFO "%s security operations " | ||
| 150 | "already registered.\n", __func__); | ||
| 151 | return -EINVAL; | ||
| 152 | } | ||
| 153 | |||
| 154 | return security_ops->register_security(name, ops); | ||
| 155 | } | ||
| 156 | |||
| 157 | /* Security operations */ | 128 | /* Security operations */ |
| 158 | 129 | ||
| 159 | int security_ptrace(struct task_struct *parent, struct task_struct *child, | 130 | int security_ptrace(struct task_struct *parent, struct task_struct *child, |
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 745a69e74e38..91200feb3f9c 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
| @@ -126,13 +126,11 @@ __setup("selinux=", selinux_enabled_setup); | |||
| 126 | int selinux_enabled = 1; | 126 | int selinux_enabled = 1; |
| 127 | #endif | 127 | #endif |
| 128 | 128 | ||
| 129 | /* Original (dummy) security module. */ | ||
| 130 | static struct security_operations *original_ops; | ||
| 131 | 129 | ||
| 132 | /* Minimal support for a secondary security module, | 130 | /* |
| 133 | just to allow the use of the dummy or capability modules. | 131 | * Minimal support for a secondary security module, |
| 134 | The owlsm module can alternatively be used as a secondary | 132 | * just to allow the use of the capability module. |
| 135 | module as long as CONFIG_OWLSM_FD is not enabled. */ | 133 | */ |
| 136 | static struct security_operations *secondary_ops; | 134 | static struct security_operations *secondary_ops; |
| 137 | 135 | ||
| 138 | /* Lists of inode and superblock security structures initialized | 136 | /* Lists of inode and superblock security structures initialized |
| @@ -5115,24 +5113,6 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) | |||
| 5115 | *secid = isec->sid; | 5113 | *secid = isec->sid; |
| 5116 | } | 5114 | } |
| 5117 | 5115 | ||
| 5118 | /* module stacking operations */ | ||
| 5119 | static int selinux_register_security(const char *name, struct security_operations *ops) | ||
| 5120 | { | ||
| 5121 | if (secondary_ops != original_ops) { | ||
| 5122 | printk(KERN_ERR "%s: There is already a secondary security " | ||
| 5123 | "module registered.\n", __func__); | ||
| 5124 | return -EINVAL; | ||
| 5125 | } | ||
| 5126 | |||
| 5127 | secondary_ops = ops; | ||
| 5128 | |||
| 5129 | printk(KERN_INFO "%s: Registering secondary module %s\n", | ||
| 5130 | __func__, | ||
| 5131 | name); | ||
| 5132 | |||
| 5133 | return 0; | ||
| 5134 | } | ||
| 5135 | |||
| 5136 | static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) | 5116 | static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) |
| 5137 | { | 5117 | { |
| 5138 | if (inode) | 5118 | if (inode) |
| @@ -5517,8 +5497,6 @@ static struct security_operations selinux_ops = { | |||
| 5517 | .sem_semctl = selinux_sem_semctl, | 5497 | .sem_semctl = selinux_sem_semctl, |
| 5518 | .sem_semop = selinux_sem_semop, | 5498 | .sem_semop = selinux_sem_semop, |
| 5519 | 5499 | ||
| 5520 | .register_security = selinux_register_security, | ||
| 5521 | |||
| 5522 | .d_instantiate = selinux_d_instantiate, | 5500 | .d_instantiate = selinux_d_instantiate, |
| 5523 | 5501 | ||
| 5524 | .getprocattr = selinux_getprocattr, | 5502 | .getprocattr = selinux_getprocattr, |
| @@ -5612,7 +5590,7 @@ static __init int selinux_init(void) | |||
| 5612 | 0, SLAB_PANIC, NULL); | 5590 | 0, SLAB_PANIC, NULL); |
| 5613 | avc_init(); | 5591 | avc_init(); |
| 5614 | 5592 | ||
| 5615 | original_ops = secondary_ops = security_ops; | 5593 | secondary_ops = security_ops; |
| 5616 | if (!secondary_ops) | 5594 | if (!secondary_ops) |
| 5617 | panic("SELinux: No initial security operations\n"); | 5595 | panic("SELinux: No initial security operations\n"); |
| 5618 | if (register_security(&selinux_ops)) | 5596 | if (register_security(&selinux_ops)) |
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 3c7150b3493d..ee5a51cbc5eb 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c | |||
| @@ -1822,27 +1822,6 @@ static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) | |||
| 1822 | *secid = smack_to_secid(smack); | 1822 | *secid = smack_to_secid(smack); |
| 1823 | } | 1823 | } |
| 1824 | 1824 | ||
| 1825 | /* module stacking operations */ | ||
| 1826 | |||
| 1827 | /** | ||
| 1828 | * smack_register_security - stack capability module | ||
| 1829 | * @name: module name | ||
| 1830 | * @ops: module operations - ignored | ||
| 1831 | * | ||
| 1832 | * Allow the capability module to register. | ||
| 1833 | */ | ||
| 1834 | static int smack_register_security(const char *name, | ||
| 1835 | struct security_operations *ops) | ||
| 1836 | { | ||
| 1837 | if (strcmp(name, "capability") != 0) | ||
| 1838 | return -EINVAL; | ||
| 1839 | |||
| 1840 | printk(KERN_INFO "%s: Registering secondary module %s\n", | ||
| 1841 | __func__, name); | ||
| 1842 | |||
| 1843 | return 0; | ||
| 1844 | } | ||
| 1845 | |||
| 1846 | /** | 1825 | /** |
| 1847 | * smack_d_instantiate - Make sure the blob is correct on an inode | 1826 | * smack_d_instantiate - Make sure the blob is correct on an inode |
| 1848 | * @opt_dentry: unused | 1827 | * @opt_dentry: unused |
| @@ -2673,8 +2652,6 @@ struct security_operations smack_ops = { | |||
| 2673 | .netlink_send = cap_netlink_send, | 2652 | .netlink_send = cap_netlink_send, |
| 2674 | .netlink_recv = cap_netlink_recv, | 2653 | .netlink_recv = cap_netlink_recv, |
| 2675 | 2654 | ||
| 2676 | .register_security = smack_register_security, | ||
| 2677 | |||
| 2678 | .d_instantiate = smack_d_instantiate, | 2655 | .d_instantiate = smack_d_instantiate, |
| 2679 | 2656 | ||
| 2680 | .getprocattr = smack_getprocattr, | 2657 | .getprocattr = smack_getprocattr, |