aboutsummaryrefslogtreecommitdiffstats
path: root/security/security.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/security.c')
-rw-r--r--security/security.c73
1 files changed, 72 insertions, 1 deletions
diff --git a/security/security.c b/security/security.c
index 54affd0ce6ad..2e250c7028eb 100644
--- a/security/security.c
+++ b/security/security.c
@@ -17,6 +17,8 @@
17#include <linux/kernel.h> 17#include <linux/kernel.h>
18#include <linux/security.h> 18#include <linux/security.h>
19 19
20/* Boot-time LSM user choice */
21static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
20 22
21/* things that live in dummy.c */ 23/* things that live in dummy.c */
22extern struct security_operations dummy_security_ops; 24extern struct security_operations dummy_security_ops;
@@ -67,13 +69,47 @@ int __init security_init(void)
67 return 0; 69 return 0;
68} 70}
69 71
72/* Save user chosen LSM */
73static int __init choose_lsm(char *str)
74{
75 strncpy(chosen_lsm, str, SECURITY_NAME_MAX);
76 return 1;
77}
78__setup("security=", choose_lsm);
79
80/**
81 * security_module_enable - Load given security module on boot ?
82 * @ops: a pointer to the struct security_operations that is to be checked.
83 *
84 * Each LSM must pass this method before registering its own operations
85 * to avoid security registration races. This method may also be used
86 * to check if your LSM is currently loaded during kernel initialization.
87 *
88 * Return true if:
89 * -The passed LSM is the one chosen by user at boot time,
90 * -or user didsn't specify a specific LSM and we're the first to ask
91 * for registeration permissoin,
92 * -or the passed LSM is currently loaded.
93 * Otherwise, return false.
94 */
95int __init security_module_enable(struct security_operations *ops)
96{
97 if (!*chosen_lsm)
98 strncpy(chosen_lsm, ops->name, SECURITY_NAME_MAX);
99 else if (strncmp(ops->name, chosen_lsm, SECURITY_NAME_MAX))
100 return 0;
101
102 return 1;
103}
104
70/** 105/**
71 * register_security - registers a security framework with the kernel 106 * register_security - registers a security framework with the kernel
72 * @ops: a pointer to the struct security_options that is to be registered 107 * @ops: a pointer to the struct security_options that is to be registered
73 * 108 *
74 * This function is to allow a security module to register itself with the 109 * This function is to allow a security module to register itself with the
75 * kernel security subsystem. Some rudimentary checking is done on the @ops 110 * kernel security subsystem. Some rudimentary checking is done on the @ops
76 * value passed to this function. 111 * value passed to this function. You'll need to check first if your LSM
112 * is allowed to register its @ops by calling security_module_enable(@ops).
77 * 113 *
78 * If there is already a security module registered with the kernel, 114 * If there is already a security module registered with the kernel,
79 * an error will be returned. Otherwise 0 is returned on success. 115 * an error will be returned. Otherwise 0 is returned on success.
@@ -523,6 +559,11 @@ int security_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer
523 return security_ops->inode_listsecurity(inode, buffer, buffer_size); 559 return security_ops->inode_listsecurity(inode, buffer, buffer_size);
524} 560}
525 561
562void security_inode_getsecid(const struct inode *inode, u32 *secid)
563{
564 security_ops->inode_getsecid(inode, secid);
565}
566
526int security_file_permission(struct file *file, int mask) 567int security_file_permission(struct file *file, int mask)
527{ 568{
528 return security_ops->file_permission(file, mask); 569 return security_ops->file_permission(file, mask);
@@ -712,6 +753,11 @@ int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
712 return security_ops->ipc_permission(ipcp, flag); 753 return security_ops->ipc_permission(ipcp, flag);
713} 754}
714 755
756void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
757{
758 security_ops->ipc_getsecid(ipcp, secid);
759}
760
715int security_msg_msg_alloc(struct msg_msg *msg) 761int security_msg_msg_alloc(struct msg_msg *msg)
716{ 762{
717 return security_ops->msg_msg_alloc_security(msg); 763 return security_ops->msg_msg_alloc_security(msg);
@@ -1111,3 +1157,28 @@ int security_key_permission(key_ref_t key_ref,
1111} 1157}
1112 1158
1113#endif /* CONFIG_KEYS */ 1159#endif /* CONFIG_KEYS */
1160
1161#ifdef CONFIG_AUDIT
1162
1163int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
1164{
1165 return security_ops->audit_rule_init(field, op, rulestr, lsmrule);
1166}
1167
1168int security_audit_rule_known(struct audit_krule *krule)
1169{
1170 return security_ops->audit_rule_known(krule);
1171}
1172
1173void security_audit_rule_free(void *lsmrule)
1174{
1175 security_ops->audit_rule_free(lsmrule);
1176}
1177
1178int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
1179 struct audit_context *actx)
1180{
1181 return security_ops->audit_rule_match(secid, field, op, lsmrule, actx);
1182}
1183
1184#endif /* CONFIG_AUDIT */