diff options
Diffstat (limited to 'security/security.c')
-rw-r--r-- | security/security.c | 73 |
1 files changed, 72 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c index 54affd0ce6ad..2e250c7028eb 100644 --- a/security/security.c +++ b/security/security.c | |||
@@ -17,6 +17,8 @@ | |||
17 | #include <linux/kernel.h> | 17 | #include <linux/kernel.h> |
18 | #include <linux/security.h> | 18 | #include <linux/security.h> |
19 | 19 | ||
20 | /* Boot-time LSM user choice */ | ||
21 | static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; | ||
20 | 22 | ||
21 | /* things that live in dummy.c */ | 23 | /* things that live in dummy.c */ |
22 | extern struct security_operations dummy_security_ops; | 24 | extern struct security_operations dummy_security_ops; |
@@ -67,13 +69,47 @@ int __init security_init(void) | |||
67 | return 0; | 69 | return 0; |
68 | } | 70 | } |
69 | 71 | ||
72 | /* Save user chosen LSM */ | ||
73 | static int __init choose_lsm(char *str) | ||
74 | { | ||
75 | strncpy(chosen_lsm, str, SECURITY_NAME_MAX); | ||
76 | return 1; | ||
77 | } | ||
78 | __setup("security=", choose_lsm); | ||
79 | |||
80 | /** | ||
81 | * security_module_enable - Load given security module on boot ? | ||
82 | * @ops: a pointer to the struct security_operations that is to be checked. | ||
83 | * | ||
84 | * Each LSM must pass this method before registering its own operations | ||
85 | * to avoid security registration races. This method may also be used | ||
86 | * to check if your LSM is currently loaded during kernel initialization. | ||
87 | * | ||
88 | * Return true if: | ||
89 | * -The passed LSM is the one chosen by user at boot time, | ||
90 | * -or user didsn't specify a specific LSM and we're the first to ask | ||
91 | * for registeration permissoin, | ||
92 | * -or the passed LSM is currently loaded. | ||
93 | * Otherwise, return false. | ||
94 | */ | ||
95 | int __init security_module_enable(struct security_operations *ops) | ||
96 | { | ||
97 | if (!*chosen_lsm) | ||
98 | strncpy(chosen_lsm, ops->name, SECURITY_NAME_MAX); | ||
99 | else if (strncmp(ops->name, chosen_lsm, SECURITY_NAME_MAX)) | ||
100 | return 0; | ||
101 | |||
102 | return 1; | ||
103 | } | ||
104 | |||
70 | /** | 105 | /** |
71 | * register_security - registers a security framework with the kernel | 106 | * register_security - registers a security framework with the kernel |
72 | * @ops: a pointer to the struct security_options that is to be registered | 107 | * @ops: a pointer to the struct security_options that is to be registered |
73 | * | 108 | * |
74 | * This function is to allow a security module to register itself with the | 109 | * This function is to allow a security module to register itself with the |
75 | * kernel security subsystem. Some rudimentary checking is done on the @ops | 110 | * kernel security subsystem. Some rudimentary checking is done on the @ops |
76 | * value passed to this function. | 111 | * value passed to this function. You'll need to check first if your LSM |
112 | * is allowed to register its @ops by calling security_module_enable(@ops). | ||
77 | * | 113 | * |
78 | * If there is already a security module registered with the kernel, | 114 | * If there is already a security module registered with the kernel, |
79 | * an error will be returned. Otherwise 0 is returned on success. | 115 | * an error will be returned. Otherwise 0 is returned on success. |
@@ -523,6 +559,11 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer | |||
523 | return security_ops->inode_listsecurity(inode, buffer, buffer_size); | 559 | return security_ops->inode_listsecurity(inode, buffer, buffer_size); |
524 | } | 560 | } |
525 | 561 | ||
562 | void security_inode_getsecid(const struct inode *inode, u32 *secid) | ||
563 | { | ||
564 | security_ops->inode_getsecid(inode, secid); | ||
565 | } | ||
566 | |||
526 | int security_file_permission(struct file *file, int mask) | 567 | int security_file_permission(struct file *file, int mask) |
527 | { | 568 | { |
528 | return security_ops->file_permission(file, mask); | 569 | return security_ops->file_permission(file, mask); |
@@ -712,6 +753,11 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag) | |||
712 | return security_ops->ipc_permission(ipcp, flag); | 753 | return security_ops->ipc_permission(ipcp, flag); |
713 | } | 754 | } |
714 | 755 | ||
756 | void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) | ||
757 | { | ||
758 | security_ops->ipc_getsecid(ipcp, secid); | ||
759 | } | ||
760 | |||
715 | int security_msg_msg_alloc(struct msg_msg *msg) | 761 | int security_msg_msg_alloc(struct msg_msg *msg) |
716 | { | 762 | { |
717 | return security_ops->msg_msg_alloc_security(msg); | 763 | return security_ops->msg_msg_alloc_security(msg); |
@@ -1111,3 +1157,28 @@ int security_key_permission(key_ref_t key_ref, | |||
1111 | } | 1157 | } |
1112 | 1158 | ||
1113 | #endif /* CONFIG_KEYS */ | 1159 | #endif /* CONFIG_KEYS */ |
1160 | |||
1161 | #ifdef CONFIG_AUDIT | ||
1162 | |||
1163 | int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) | ||
1164 | { | ||
1165 | return security_ops->audit_rule_init(field, op, rulestr, lsmrule); | ||
1166 | } | ||
1167 | |||
1168 | int security_audit_rule_known(struct audit_krule *krule) | ||
1169 | { | ||
1170 | return security_ops->audit_rule_known(krule); | ||
1171 | } | ||
1172 | |||
1173 | void security_audit_rule_free(void *lsmrule) | ||
1174 | { | ||
1175 | security_ops->audit_rule_free(lsmrule); | ||
1176 | } | ||
1177 | |||
1178 | int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, | ||
1179 | struct audit_context *actx) | ||
1180 | { | ||
1181 | return security_ops->audit_rule_match(secid, field, op, lsmrule, actx); | ||
1182 | } | ||
1183 | |||
1184 | #endif /* CONFIG_AUDIT */ | ||