authorJames Morris <jmorris@namei.org>2008-07-10 04:02:07 -0400
committerJames Morris <jmorris@namei.org>2008-07-14 01:04:06 -0400
commit6f0f0fd496333777d53daff21a4e3b28c4d03a6d (patch)
tree202de67376fce2547b44ae5b016d6424c3c7409c /security
parent93cbace7a058bce7f99319ef6ceff4b78cf45051 (diff)
security: remove register_security hook
The register security hook is no longer required, as the capability module is always registered. LSMs wishing to stack capability as a secondary module should do so explicitly. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'security')
-rw-r--r--security/capability.c7
-rw-r--r--security/root_plug.c9
-rw-r--r--security/security.c29
-rw-r--r--security/selinux/hooks.c32
-rw-r--r--security/smack/smack_lsm.c23
5 files changed, 5 insertions, 95 deletions
diff --git a/security/capability.c b/security/capability.c
index 6e0671c82018..5b01c0b02422 100644
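--- a/security/capability.c
+++ b/security/capability.c
@@ -721,12 +721,6 @@ static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
 }
 
 #endif /* CONFIG_SECURITY_NETWORK_XFRM */
-static int cap_register_security(const char *name,
- struct security_operations *ops)
-{
- return -EINVAL;
-}
-
 static void cap_d_instantiate(struct dentry *dentry, struct inode *inode)
 {
 }
@@ -940,7 +934,6 @@ void security_fixup_ops(struct security_operations *ops)
  set_to_cap_if_null(ops, sem_semop);
  set_to_cap_if_null(ops, netlink_send);
  set_to_cap_if_null(ops, netlink_recv);
- set_to_cap_if_null(ops, register_security);
  set_to_cap_if_null(ops, d_instantiate);
  set_to_cap_if_null(ops, getprocattr);
  set_to_cap_if_null(ops, setprocattr);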
diff --git a/security/root_plug.c b/security/root_plug.c
index a41cf42a4fa0..be0ebec2580b 100644
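--- a/security/root_plug.c
+++ b/security/root_plug.c
@@ -28,9 +28,6 @@
 #include <linux/usb.h>
 #include <linux/moduleparam.h>
 
-/* flag to keep track of how we were registered */
-static int secondary;
-
 /* default is a generic type of usb to serial converter */
 static int vendor_id = 0x0557;
 static int product_id = 0x2008;
@@ -97,13 +94,7 @@ static int __init rootplug_init (void)
  if (register_security (&rootplug_security_ops)) {
  printk (KERN_INFO
  "Failure registering Root Plug module with the kernel\n");
- /* try registering with primary module */
- if (mod_reg_security (MY_NAME, &rootplug_security_ops)) {
- printk (KERN_INFO "Failure registering Root Plug "
- " module with primary security module.\n");
  return -EINVAL;
- }
- secondary = 1;
  }
  printk (KERN_INFO "Root Plug module initialized, "
  "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);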
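Review bot: In rootplug_init the registration failure is logged at `KERN_INFO` and the value returned by `register_security` is discarded in favour of a fixed `-EINVAL`. With the `mod_reg_security` fallback removed, this branch is the only failure path, and taking it means the Root Plug check is not in force at all, so the message should be hard to miss: `printk (KERN_ERR "Failure registering Root Plug module with the kernel\n");`. Keeping the return code in a local and returning it would also tell an operator why registration was refused, presumably because another LSM already holds the primary slot. rootplug_init begins and ends outside the hunk.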
diff --git a/security/security.c b/security/security.c
index 30b0278de394..59f23b5918b3 100644
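--- a/security/security.c
+++ b/security/security.c
@@ -125,35 +125,6 @@ int register_security(struct security_operations *ops)
  return 0;
 }
 
-/**
- * mod_reg_security - allows security modules to be "stacked"
- * @name: a pointer to a string with the name of the security_options to be registered
- * @ops: a pointer to the struct security_options that is to be registered
- *
- * This function allows security modules to be stacked if the currently loaded
- * security module allows this to happen. It passes the @name and @ops to the
- * register_security function of the currently loaded security module.
- *
- * The return value depends on the currently loaded security module, with 0 as
- * success.
- */
-int mod_reg_security(const char *name, struct security_operations *ops)
-{
- if (verify(ops)) {
- printk(KERN_INFO "%s could not verify "
- "security operations.\n", __func__);
- return -EINVAL;
- }
-
- if (ops == security_ops) {
- printk(KERN_INFO "%s security operations "
- "already registered.\n", __func__);
- return -EINVAL;
- }
-
- return security_ops->register_security(name, ops);
-}
-
 /* Security operations */
 
 int security_ptrace(struct task_struct *parent, struct task_struct *child,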
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 745a69e74e38..91200feb3f9c 100644
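--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -126,13 +126,11 @@ __setup("selinux=", selinux_enabled_setup);
 int selinux_enabled = 1;
 #endif
 
-/* Original (dummy) security module. */
-static struct security_operations *original_ops;
 
-/* Minimal support for a secondary security module,
- just to allow the use of the dummy or capability modules.
- The owlsm module can alternatively be used as a secondary
- module as long as CONFIG_OWLSM_FD is not enabled. */
+/*
+ * Minimal support for a secondary security module,
+ * just to allow the use of the capability module.
+ */
 static struct security_operations *secondary_ops;
 
 /* Lists of inode and superblock security structures initialized
@@ -5115,24 +5113,6 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
  *secid = isec->sid;
 }
 
-/* module stacking operations */
-static int selinux_register_security(const char *name, struct security_operations *ops)
-{
- if (secondary_ops != original_ops) {
- printk(KERN_ERR "%s: There is already a secondary security "
- "module registered.\n", __func__);
- return -EINVAL;
- }
-
- secondary_ops = ops;
-
- printk(KERN_INFO "%s: Registering secondary module %s\n",
- __func__,
- name);
-
- return 0;
-}
-
 static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
 {
  if (inode)
@@ -5517,8 +5497,6 @@ static struct security_operations selinux_ops = {
  .sem_semctl = selinux_sem_semctl,
  .sem_semop = selinux_sem_semop,
 
- .register_security = selinux_register_security,
-
  .d_instantiate = selinux_d_instantiate,
 
  .getprocattr = selinux_getprocattr,
@@ -5612,7 +5590,7 @@ static __init int selinux_init(void)
  0, SLAB_PANIC, NULL);
  avc_init();
 
- original_ops = secondary_ops = security_ops;
+ secondary_ops = security_ops;
  if (!secondary_ops)
  panic("SELinux: No initial security operations\n");
  if (register_security(&selinux_ops))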
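Review bot: The rewritten comment above `secondary_ops` still does not say where the pointer gets its value or that it can no longer change, which is the property this commit establishes by deleting selinux_register_security. In the selinux_init hunk it is assigned from `security_ops` with only a NULL check, so the claim that it is the capability module rests on the commit message's statement that capability is always registered. I would extend the comment to something like `Set once in selinux_init() from the security_ops in place before SELinux registers; expected to be the capability ops and not replaced afterwards.` Other writers of `secondary_ops` outside these hunks, if any, are not visible here, and selinux_init continues past the last line shown.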
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 3c7150b3493d..ee5a51cbc5eb 100644
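--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1822,27 +1822,6 @@ static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
  *secid = smack_to_secid(smack);
 }
 
-/* module stacking operations */
-
-/**
- * smack_register_security - stack capability module
- * @name: module name
- * @ops: module operations - ignored
- *
- * Allow the capability module to register.
- */
-static int smack_register_security(const char *name,
- struct security_operations *ops)
-{
- if (strcmp(name, "capability") != 0)
- return -EINVAL;
-
- printk(KERN_INFO "%s: Registering secondary module %s\n",
- __func__, name);
-
- return 0;
-}
-
 /**
  * smack_d_instantiate - Make sure the blob is correct on an inode
  * @opt_dentry: unused
@@ -2673,8 +2652,6 @@ struct security_operations smack_ops = {
  .netlink_send = cap_netlink_send,
  .netlink_recv = cap_netlink_recv,
 
- .register_security = smack_register_security,
-
  .d_instantiate = smack_d_instantiate,
 
  .getprocattr = smack_getprocattr,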