aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
Diffstat (limited to 'security')
-rw-r--r--security/Kconfig10
-rw-r--r--security/Makefile11
-rw-r--r--security/capability.c1050
-rw-r--r--security/dummy.c1250
-rw-r--r--security/security.c15
5 files changed, 996 insertions, 1340 deletions
diff --git a/security/Kconfig b/security/Kconfig
index 49b51f964897..77def9f9f5f5 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -73,17 +73,9 @@ config SECURITY_NETWORK_XFRM
73 IPSec. 73 IPSec.
74 If you are unsure how to answer this question, answer N. 74 If you are unsure how to answer this question, answer N.
75 75
76config SECURITY_CAPABILITIES
77 bool "Default Linux Capabilities"
78 depends on SECURITY
79 default y
80 help
81 This enables the "default" Linux capabilities functionality.
82 If you are unsure how to answer this question, answer Y.
83
84config SECURITY_FILE_CAPABILITIES 76config SECURITY_FILE_CAPABILITIES
85 bool "File POSIX Capabilities (EXPERIMENTAL)" 77 bool "File POSIX Capabilities (EXPERIMENTAL)"
86 depends on (SECURITY=n || SECURITY_CAPABILITIES!=n) && EXPERIMENTAL 78 depends on SECURITY && EXPERIMENTAL
87 default n 79 default n
88 help 80 help
89 This enables filesystem capabilities, allowing you to give 81 This enables filesystem capabilities, allowing you to give
diff --git a/security/Makefile b/security/Makefile
index 7ef1107a7287..f65426099aa6 100644
--- a/security/Makefile
+++ b/security/Makefile
@@ -6,16 +6,13 @@ obj-$(CONFIG_KEYS) += keys/
6subdir-$(CONFIG_SECURITY_SELINUX) += selinux 6subdir-$(CONFIG_SECURITY_SELINUX) += selinux
7subdir-$(CONFIG_SECURITY_SMACK) += smack 7subdir-$(CONFIG_SECURITY_SMACK) += smack
8 8
9# if we don't select a security model, use the default capabilities 9# always enable default capabilities
10ifneq ($(CONFIG_SECURITY),y)
11obj-y += commoncap.o 10obj-y += commoncap.o
12endif
13 11
14# Object file lists 12# Object file lists
15obj-$(CONFIG_SECURITY) += security.o dummy.o inode.o 13obj-$(CONFIG_SECURITY) += security.o capability.o inode.o
16# Must precede capability.o in order to stack properly. 14# Must precede capability.o in order to stack properly.
17obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o 15obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
18obj-$(CONFIG_SECURITY_SMACK) += commoncap.o smack/built-in.o 16obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
19obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o 17obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o
20obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o
21obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o 18obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
diff --git a/security/capability.c b/security/capability.c
index 38ac54e3aed1..6e0671c82018 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -1,6 +1,8 @@
1/* 1/*
2 * Capabilities Linux Security Module 2 * Capabilities Linux Security Module
3 * 3 *
4 * This is the default security module in case no other module is loaded.
5 *
4 * This program is free software; you can redistribute it and/or modify 6 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by 7 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation; either version 2 of the License, or 8 * the Free Software Foundation; either version 2 of the License, or
@@ -8,75 +10,995 @@
8 * 10 *
9 */ 11 */
10 12
11#include <linux/init.h>
12#include <linux/kernel.h>
13#include <linux/security.h> 13#include <linux/security.h>
14#include <linux/file.h>
15#include <linux/mm.h>
16#include <linux/mman.h>
17#include <linux/pagemap.h>
18#include <linux/swap.h>
19#include <linux/skbuff.h>
20#include <linux/netlink.h>
21#include <linux/ptrace.h>
22#include <linux/moduleparam.h>
23
24static struct security_operations capability_ops = {
25 .ptrace = cap_ptrace,
26 .capget = cap_capget,
27 .capset_check = cap_capset_check,
28 .capset_set = cap_capset_set,
29 .capable = cap_capable,
30 .settime = cap_settime,
31 .netlink_send = cap_netlink_send,
32 .netlink_recv = cap_netlink_recv,
33
34 .bprm_apply_creds = cap_bprm_apply_creds,
35 .bprm_set_security = cap_bprm_set_security,
36 .bprm_secureexec = cap_bprm_secureexec,
37
38 .inode_setxattr = cap_inode_setxattr,
39 .inode_removexattr = cap_inode_removexattr,
40 .inode_need_killpriv = cap_inode_need_killpriv,
41 .inode_killpriv = cap_inode_killpriv,
42
43 .task_setscheduler = cap_task_setscheduler,
44 .task_setioprio = cap_task_setioprio,
45 .task_setnice = cap_task_setnice,
46 .task_post_setuid = cap_task_post_setuid,
47 .task_prctl = cap_task_prctl,
48 .task_reparent_to_init = cap_task_reparent_to_init,
49
50 .syslog = cap_syslog,
51
52 .vm_enough_memory = cap_vm_enough_memory,
53};
54 14
55/* flag to keep track of how we were registered */ 15static int cap_acct(struct file *file)
56static int secondary; 16{
17 return 0;
18}
19
20static int cap_sysctl(ctl_table *table, int op)
21{
22 return 0;
23}
24
25static int cap_quotactl(int cmds, int type, int id, struct super_block *sb)
26{
27 return 0;
28}
29
30static int cap_quota_on(struct dentry *dentry)
31{
32 return 0;
33}
34
35static int cap_bprm_alloc_security(struct linux_binprm *bprm)
36{
37 return 0;
38}
39
40static void cap_bprm_free_security(struct linux_binprm *bprm)
41{
42}
43
44static void cap_bprm_post_apply_creds(struct linux_binprm *bprm)
45{
46}
47
48static int cap_bprm_check_security(struct linux_binprm *bprm)
49{
50 return 0;
51}
52
53static int cap_sb_alloc_security(struct super_block *sb)
54{
55 return 0;
56}
57
58static void cap_sb_free_security(struct super_block *sb)
59{
60}
61
62static int cap_sb_copy_data(char *orig, char *copy)
63{
64 return 0;
65}
66
67static int cap_sb_kern_mount(struct super_block *sb, void *data)
68{
69 return 0;
70}
71
72static int cap_sb_show_options(struct seq_file *m, struct super_block *sb)
73{
74 return 0;
75}
76
77static int cap_sb_statfs(struct dentry *dentry)
78{
79 return 0;
80}
81
82static int cap_sb_mount(char *dev_name, struct path *path, char *type,
83 unsigned long flags, void *data)
84{
85 return 0;
86}
87
88static int cap_sb_check_sb(struct vfsmount *mnt, struct path *path)
89{
90 return 0;
91}
92
93static int cap_sb_umount(struct vfsmount *mnt, int flags)
94{
95 return 0;
96}
97
98static void cap_sb_umount_close(struct vfsmount *mnt)
99{
100}
101
102static void cap_sb_umount_busy(struct vfsmount *mnt)
103{
104}
105
106static void cap_sb_post_remount(struct vfsmount *mnt, unsigned long flags,
107 void *data)
108{
109}
110
111static void cap_sb_post_addmount(struct vfsmount *mnt, struct path *path)
112{
113}
114
115static int cap_sb_pivotroot(struct path *old_path, struct path *new_path)
116{
117 return 0;
118}
119
120static void cap_sb_post_pivotroot(struct path *old_path, struct path *new_path)
121{
122}
123
124static int cap_sb_set_mnt_opts(struct super_block *sb,
125 struct security_mnt_opts *opts)
126{
127 if (unlikely(opts->num_mnt_opts))
128 return -EOPNOTSUPP;
129 return 0;
130}
131
132static void cap_sb_clone_mnt_opts(const struct super_block *oldsb,
133 struct super_block *newsb)
134{
135}
136
137static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
138{
139 return 0;
140}
141
142static int cap_inode_alloc_security(struct inode *inode)
143{
144 return 0;
145}
146
147static void cap_inode_free_security(struct inode *inode)
148{
149}
150
151static int cap_inode_init_security(struct inode *inode, struct inode *dir,
152 char **name, void **value, size_t *len)
153{
154 return -EOPNOTSUPP;
155}
156
157static int cap_inode_create(struct inode *inode, struct dentry *dentry,
158 int mask)
159{
160 return 0;
161}
162
163static int cap_inode_link(struct dentry *old_dentry, struct inode *inode,
164 struct dentry *new_dentry)
165{
166 return 0;
167}
168
169static int cap_inode_unlink(struct inode *inode, struct dentry *dentry)
170{
171 return 0;
172}
173
174static int cap_inode_symlink(struct inode *inode, struct dentry *dentry,
175 const char *name)
176{
177 return 0;
178}
179
180static int cap_inode_mkdir(struct inode *inode, struct dentry *dentry,
181 int mask)
182{
183 return 0;
184}
185
186static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry)
187{
188 return 0;
189}
190
191static int cap_inode_mknod(struct inode *inode, struct dentry *dentry,
192 int mode, dev_t dev)
193{
194 return 0;
195}
196
197static int cap_inode_rename(struct inode *old_inode, struct dentry *old_dentry,
198 struct inode *new_inode, struct dentry *new_dentry)
199{
200 return 0;
201}
202
203static int cap_inode_readlink(struct dentry *dentry)
204{
205 return 0;
206}
207
208static int cap_inode_follow_link(struct dentry *dentry,
209 struct nameidata *nameidata)
210{
211 return 0;
212}
213
214static int cap_inode_permission(struct inode *inode, int mask,
215 struct nameidata *nd)
216{
217 return 0;
218}
219
220static int cap_inode_setattr(struct dentry *dentry, struct iattr *iattr)
221{
222 return 0;
223}
224
225static int cap_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
226{
227 return 0;
228}
229
230static void cap_inode_delete(struct inode *ino)
231{
232}
233
234static void cap_inode_post_setxattr(struct dentry *dentry, const char *name,
235 const void *value, size_t size, int flags)
236{
237}
238
239static int cap_inode_getxattr(struct dentry *dentry, const char *name)
240{
241 return 0;
242}
57 243
58static int capability_disable; 244static int cap_inode_listxattr(struct dentry *dentry)
59module_param_named(disable, capability_disable, int, 0); 245{
246 return 0;
247}
248
249static int cap_inode_getsecurity(const struct inode *inode, const char *name,
250 void **buffer, bool alloc)
251{
252 return -EOPNOTSUPP;
253}
254
255static int cap_inode_setsecurity(struct inode *inode, const char *name,
256 const void *value, size_t size, int flags)
257{
258 return -EOPNOTSUPP;
259}
60 260
61static int __init capability_init (void) 261static int cap_inode_listsecurity(struct inode *inode, char *buffer,
262 size_t buffer_size)
62{ 263{
63 if (capability_disable) {
64 printk(KERN_INFO "Capabilities disabled at initialization\n");
65 return 0;
66 }
67 /* register ourselves with the security framework */
68 if (register_security (&capability_ops)) {
69 /* try registering with primary module */
70 if (mod_reg_security (KBUILD_MODNAME, &capability_ops)) {
71 printk (KERN_INFO "Failure registering capabilities "
72 "with primary security module.\n");
73 return -EINVAL;
74 }
75 secondary = 1;
76 }
77 printk (KERN_INFO "Capability LSM initialized%s\n",
78 secondary ? " as secondary" : "");
79 return 0; 264 return 0;
80} 265}
81 266
82security_initcall (capability_init); 267static void cap_inode_getsecid(const struct inode *inode, u32 *secid)
268{
269 *secid = 0;
270}
271
272static int cap_file_permission(struct file *file, int mask)
273{
274 return 0;
275}
276
277static int cap_file_alloc_security(struct file *file)
278{
279 return 0;
280}
281
282static void cap_file_free_security(struct file *file)
283{
284}
285
286static int cap_file_ioctl(struct file *file, unsigned int command,
287 unsigned long arg)
288{
289 return 0;
290}
291
292static int cap_file_mmap(struct file *file, unsigned long reqprot,
293 unsigned long prot, unsigned long flags,
294 unsigned long addr, unsigned long addr_only)
295{
296 if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
297 return -EACCES;
298 return 0;
299}
300
301static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot,
302 unsigned long prot)
303{
304 return 0;
305}
306
307static int cap_file_lock(struct file *file, unsigned int cmd)
308{
309 return 0;
310}
311
312static int cap_file_fcntl(struct file *file, unsigned int cmd,
313 unsigned long arg)
314{
315 return 0;
316}
317
318static int cap_file_set_fowner(struct file *file)
319{
320 return 0;
321}
322
323static int cap_file_send_sigiotask(struct task_struct *tsk,
324 struct fown_struct *fown, int sig)
325{
326 return 0;
327}
328
329static int cap_file_receive(struct file *file)
330{
331 return 0;
332}
333
334static int cap_dentry_open(struct file *file)
335{
336 return 0;
337}
338
339static int cap_task_create(unsigned long clone_flags)
340{
341 return 0;
342}
343
344static int cap_task_alloc_security(struct task_struct *p)
345{
346 return 0;
347}
348
349static void cap_task_free_security(struct task_struct *p)
350{
351}
352
353static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags)
354{
355 return 0;
356}
357
358static int cap_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags)
359{
360 return 0;
361}
362
363static int cap_task_setpgid(struct task_struct *p, pid_t pgid)
364{
365 return 0;
366}
367
368static int cap_task_getpgid(struct task_struct *p)
369{
370 return 0;
371}
372
373static int cap_task_getsid(struct task_struct *p)
374{
375 return 0;
376}
377
378static void cap_task_getsecid(struct task_struct *p, u32 *secid)
379{
380 *secid = 0;
381}
382
383static int cap_task_setgroups(struct group_info *group_info)
384{
385 return 0;
386}
387
388static int cap_task_getioprio(struct task_struct *p)
389{
390 return 0;
391}
392
393static int cap_task_setrlimit(unsigned int resource, struct rlimit *new_rlim)
394{
395 return 0;
396}
397
398static int cap_task_getscheduler(struct task_struct *p)
399{
400 return 0;
401}
402
403static int cap_task_movememory(struct task_struct *p)
404{
405 return 0;
406}
407
408static int cap_task_wait(struct task_struct *p)
409{
410 return 0;
411}
412
413static int cap_task_kill(struct task_struct *p, struct siginfo *info,
414 int sig, u32 secid)
415{
416 return 0;
417}
418
419static void cap_task_to_inode(struct task_struct *p, struct inode *inode)
420{
421}
422
423static int cap_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
424{
425 return 0;
426}
427
428static void cap_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
429{
430 *secid = 0;
431}
432
433static int cap_msg_msg_alloc_security(struct msg_msg *msg)
434{
435 return 0;
436}
437
438static void cap_msg_msg_free_security(struct msg_msg *msg)
439{
440}
441
442static int cap_msg_queue_alloc_security(struct msg_queue *msq)
443{
444 return 0;
445}
446
447static void cap_msg_queue_free_security(struct msg_queue *msq)
448{
449}
450
451static int cap_msg_queue_associate(struct msg_queue *msq, int msqflg)
452{
453 return 0;
454}
455
456static int cap_msg_queue_msgctl(struct msg_queue *msq, int cmd)
457{
458 return 0;
459}
460
461static int cap_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
462 int msgflg)
463{
464 return 0;
465}
466
467static int cap_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
468 struct task_struct *target, long type, int mode)
469{
470 return 0;
471}
472
473static int cap_shm_alloc_security(struct shmid_kernel *shp)
474{
475 return 0;
476}
477
478static void cap_shm_free_security(struct shmid_kernel *shp)
479{
480}
481
482static int cap_shm_associate(struct shmid_kernel *shp, int shmflg)
483{
484 return 0;
485}
486
487static int cap_shm_shmctl(struct shmid_kernel *shp, int cmd)
488{
489 return 0;
490}
491
492static int cap_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
493 int shmflg)
494{
495 return 0;
496}
497
498static int cap_sem_alloc_security(struct sem_array *sma)
499{
500 return 0;
501}
502
503static void cap_sem_free_security(struct sem_array *sma)
504{
505}
506
507static int cap_sem_associate(struct sem_array *sma, int semflg)
508{
509 return 0;
510}
511
512static int cap_sem_semctl(struct sem_array *sma, int cmd)
513{
514 return 0;
515}
516
517static int cap_sem_semop(struct sem_array *sma, struct sembuf *sops,
518 unsigned nsops, int alter)
519{
520 return 0;
521}
522
523#ifdef CONFIG_SECURITY_NETWORK
524static int cap_unix_stream_connect(struct socket *sock, struct socket *other,
525 struct sock *newsk)
526{
527 return 0;
528}
529
530static int cap_unix_may_send(struct socket *sock, struct socket *other)
531{
532 return 0;
533}
534
535static int cap_socket_create(int family, int type, int protocol, int kern)
536{
537 return 0;
538}
539
540static int cap_socket_post_create(struct socket *sock, int family, int type,
541 int protocol, int kern)
542{
543 return 0;
544}
545
546static int cap_socket_bind(struct socket *sock, struct sockaddr *address,
547 int addrlen)
548{
549 return 0;
550}
551
552static int cap_socket_connect(struct socket *sock, struct sockaddr *address,
553 int addrlen)
554{
555 return 0;
556}
557
558static int cap_socket_listen(struct socket *sock, int backlog)
559{
560 return 0;
561}
562
563static int cap_socket_accept(struct socket *sock, struct socket *newsock)
564{
565 return 0;
566}
567
568static void cap_socket_post_accept(struct socket *sock, struct socket *newsock)
569{
570}
571
572static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size)
573{
574 return 0;
575}
576
577static int cap_socket_recvmsg(struct socket *sock, struct msghdr *msg,
578 int size, int flags)
579{
580 return 0;
581}
582
583static int cap_socket_getsockname(struct socket *sock)
584{
585 return 0;
586}
587
588static int cap_socket_getpeername(struct socket *sock)
589{
590 return 0;
591}
592
593static int cap_socket_setsockopt(struct socket *sock, int level, int optname)
594{
595 return 0;
596}
597
598static int cap_socket_getsockopt(struct socket *sock, int level, int optname)
599{
600 return 0;
601}
602
603static int cap_socket_shutdown(struct socket *sock, int how)
604{
605 return 0;
606}
607
608static int cap_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
609{
610 return 0;
611}
612
613static int cap_socket_getpeersec_stream(struct socket *sock,
614 char __user *optval,
615 int __user *optlen, unsigned len)
616{
617 return -ENOPROTOOPT;
618}
619
620static int cap_socket_getpeersec_dgram(struct socket *sock,
621 struct sk_buff *skb, u32 *secid)
622{
623 return -ENOPROTOOPT;
624}
625
626static int cap_sk_alloc_security(struct sock *sk, int family, gfp_t priority)
627{
628 return 0;
629}
630
631static void cap_sk_free_security(struct sock *sk)
632{
633}
634
635static void cap_sk_clone_security(const struct sock *sk, struct sock *newsk)
636{
637}
638
639static void cap_sk_getsecid(struct sock *sk, u32 *secid)
640{
641}
642
643static void cap_sock_graft(struct sock *sk, struct socket *parent)
644{
645}
646
647static int cap_inet_conn_request(struct sock *sk, struct sk_buff *skb,
648 struct request_sock *req)
649{
650 return 0;
651}
652
653static void cap_inet_csk_clone(struct sock *newsk,
654 const struct request_sock *req)
655{
656}
657
658static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb)
659{
660}
661
662static void cap_req_classify_flow(const struct request_sock *req,
663 struct flowi *fl)
664{
665}
666#endif /* CONFIG_SECURITY_NETWORK */
667
668#ifdef CONFIG_SECURITY_NETWORK_XFRM
669static int cap_xfrm_policy_alloc_security(struct xfrm_sec_ctx **ctxp,
670 struct xfrm_user_sec_ctx *sec_ctx)
671{
672 return 0;
673}
674
675static int cap_xfrm_policy_clone_security(struct xfrm_sec_ctx *old_ctx,
676 struct xfrm_sec_ctx **new_ctxp)
677{
678 return 0;
679}
680
681static void cap_xfrm_policy_free_security(struct xfrm_sec_ctx *ctx)
682{
683}
684
685static int cap_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx)
686{
687 return 0;
688}
689
690static int cap_xfrm_state_alloc_security(struct xfrm_state *x,
691 struct xfrm_user_sec_ctx *sec_ctx,
692 u32 secid)
693{
694 return 0;
695}
696
697static void cap_xfrm_state_free_security(struct xfrm_state *x)
698{
699}
700
701static int cap_xfrm_state_delete_security(struct xfrm_state *x)
702{
703 return 0;
704}
705
706static int cap_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 sk_sid, u8 dir)
707{
708 return 0;
709}
710
711static int cap_xfrm_state_pol_flow_match(struct xfrm_state *x,
712 struct xfrm_policy *xp,
713 struct flowi *fl)
714{
715 return 1;
716}
717
718static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
719{
720 return 0;
721}
722
723#endif /* CONFIG_SECURITY_NETWORK_XFRM */
724static int cap_register_security(const char *name,
725 struct security_operations *ops)
726{
727 return -EINVAL;
728}
729
730static void cap_d_instantiate(struct dentry *dentry, struct inode *inode)
731{
732}
733
734static int cap_getprocattr(struct task_struct *p, char *name, char **value)
735{
736 return -EINVAL;
737}
738
739static int cap_setprocattr(struct task_struct *p, char *name, void *value,
740 size_t size)
741{
742 return -EINVAL;
743}
744
745static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
746{
747 return -EOPNOTSUPP;
748}
749
750static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
751{
752 return -EOPNOTSUPP;
753}
754
755static void cap_release_secctx(char *secdata, u32 seclen)
756{
757}
758
759#ifdef CONFIG_KEYS
760static int cap_key_alloc(struct key *key, struct task_struct *ctx,
761 unsigned long flags)
762{
763 return 0;
764}
765
766static void cap_key_free(struct key *key)
767{
768}
769
770static int cap_key_permission(key_ref_t key_ref, struct task_struct *context,
771 key_perm_t perm)
772{
773 return 0;
774}
775
776static int cap_key_getsecurity(struct key *key, char **_buffer)
777{
778 *_buffer = NULL;
779 return 0;
780}
781
782#endif /* CONFIG_KEYS */
783
784#ifdef CONFIG_AUDIT
785static int cap_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule)
786{
787 return 0;
788}
789
790static int cap_audit_rule_known(struct audit_krule *krule)
791{
792 return 0;
793}
794
795static int cap_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
796 struct audit_context *actx)
797{
798 return 0;
799}
800
801static void cap_audit_rule_free(void *lsmrule)
802{
803}
804#endif /* CONFIG_AUDIT */
805
806struct security_operations default_security_ops = {
807 .name = "default",
808};
809
810#define set_to_cap_if_null(ops, function) \
811 do { \
812 if (!ops->function) { \
813 ops->function = cap_##function; \
814 pr_debug("Had to override the " #function \
815 " security operation with the default.\n");\
816 } \
817 } while (0)
818
819void security_fixup_ops(struct security_operations *ops)
820{
821 set_to_cap_if_null(ops, ptrace);
822 set_to_cap_if_null(ops, capget);
823 set_to_cap_if_null(ops, capset_check);
824 set_to_cap_if_null(ops, capset_set);
825 set_to_cap_if_null(ops, acct);
826 set_to_cap_if_null(ops, capable);
827 set_to_cap_if_null(ops, quotactl);
828 set_to_cap_if_null(ops, quota_on);
829 set_to_cap_if_null(ops, sysctl);
830 set_to_cap_if_null(ops, syslog);
831 set_to_cap_if_null(ops, settime);
832 set_to_cap_if_null(ops, vm_enough_memory);
833 set_to_cap_if_null(ops, bprm_alloc_security);
834 set_to_cap_if_null(ops, bprm_free_security);
835 set_to_cap_if_null(ops, bprm_apply_creds);
836 set_to_cap_if_null(ops, bprm_post_apply_creds);
837 set_to_cap_if_null(ops, bprm_set_security);
838 set_to_cap_if_null(ops, bprm_check_security);
839 set_to_cap_if_null(ops, bprm_secureexec);
840 set_to_cap_if_null(ops, sb_alloc_security);
841 set_to_cap_if_null(ops, sb_free_security);
842 set_to_cap_if_null(ops, sb_copy_data);
843 set_to_cap_if_null(ops, sb_kern_mount);
844 set_to_cap_if_null(ops, sb_show_options);
845 set_to_cap_if_null(ops, sb_statfs);
846 set_to_cap_if_null(ops, sb_mount);
847 set_to_cap_if_null(ops, sb_check_sb);
848 set_to_cap_if_null(ops, sb_umount);
849 set_to_cap_if_null(ops, sb_umount_close);
850 set_to_cap_if_null(ops, sb_umount_busy);
851 set_to_cap_if_null(ops, sb_post_remount);
852 set_to_cap_if_null(ops, sb_post_addmount);
853 set_to_cap_if_null(ops, sb_pivotroot);
854 set_to_cap_if_null(ops, sb_post_pivotroot);
855 set_to_cap_if_null(ops, sb_set_mnt_opts);
856 set_to_cap_if_null(ops, sb_clone_mnt_opts);
857 set_to_cap_if_null(ops, sb_parse_opts_str);
858 set_to_cap_if_null(ops, inode_alloc_security);
859 set_to_cap_if_null(ops, inode_free_security);
860 set_to_cap_if_null(ops, inode_init_security);
861 set_to_cap_if_null(ops, inode_create);
862 set_to_cap_if_null(ops, inode_link);
863 set_to_cap_if_null(ops, inode_unlink);
864 set_to_cap_if_null(ops, inode_symlink);
865 set_to_cap_if_null(ops, inode_mkdir);
866 set_to_cap_if_null(ops, inode_rmdir);
867 set_to_cap_if_null(ops, inode_mknod);
868 set_to_cap_if_null(ops, inode_rename);
869 set_to_cap_if_null(ops, inode_readlink);
870 set_to_cap_if_null(ops, inode_follow_link);
871 set_to_cap_if_null(ops, inode_permission);
872 set_to_cap_if_null(ops, inode_setattr);
873 set_to_cap_if_null(ops, inode_getattr);
874 set_to_cap_if_null(ops, inode_delete);
875 set_to_cap_if_null(ops, inode_setxattr);
876 set_to_cap_if_null(ops, inode_post_setxattr);
877 set_to_cap_if_null(ops, inode_getxattr);
878 set_to_cap_if_null(ops, inode_listxattr);
879 set_to_cap_if_null(ops, inode_removexattr);
880 set_to_cap_if_null(ops, inode_need_killpriv);
881 set_to_cap_if_null(ops, inode_killpriv);
882 set_to_cap_if_null(ops, inode_getsecurity);
883 set_to_cap_if_null(ops, inode_setsecurity);
884 set_to_cap_if_null(ops, inode_listsecurity);
885 set_to_cap_if_null(ops, inode_getsecid);
886 set_to_cap_if_null(ops, file_permission);
887 set_to_cap_if_null(ops, file_alloc_security);
888 set_to_cap_if_null(ops, file_free_security);
889 set_to_cap_if_null(ops, file_ioctl);
890 set_to_cap_if_null(ops, file_mmap);
891 set_to_cap_if_null(ops, file_mprotect);
892 set_to_cap_if_null(ops, file_lock);
893 set_to_cap_if_null(ops, file_fcntl);
894 set_to_cap_if_null(ops, file_set_fowner);
895 set_to_cap_if_null(ops, file_send_sigiotask);
896 set_to_cap_if_null(ops, file_receive);
897 set_to_cap_if_null(ops, dentry_open);
898 set_to_cap_if_null(ops, task_create);
899 set_to_cap_if_null(ops, task_alloc_security);
900 set_to_cap_if_null(ops, task_free_security);
901 set_to_cap_if_null(ops, task_setuid);
902 set_to_cap_if_null(ops, task_post_setuid);
903 set_to_cap_if_null(ops, task_setgid);
904 set_to_cap_if_null(ops, task_setpgid);
905 set_to_cap_if_null(ops, task_getpgid);
906 set_to_cap_if_null(ops, task_getsid);
907 set_to_cap_if_null(ops, task_getsecid);
908 set_to_cap_if_null(ops, task_setgroups);
909 set_to_cap_if_null(ops, task_setnice);
910 set_to_cap_if_null(ops, task_setioprio);
911 set_to_cap_if_null(ops, task_getioprio);
912 set_to_cap_if_null(ops, task_setrlimit);
913 set_to_cap_if_null(ops, task_setscheduler);
914 set_to_cap_if_null(ops, task_getscheduler);
915 set_to_cap_if_null(ops, task_movememory);
916 set_to_cap_if_null(ops, task_wait);
917 set_to_cap_if_null(ops, task_kill);
918 set_to_cap_if_null(ops, task_prctl);
919 set_to_cap_if_null(ops, task_reparent_to_init);
920 set_to_cap_if_null(ops, task_to_inode);
921 set_to_cap_if_null(ops, ipc_permission);
922 set_to_cap_if_null(ops, ipc_getsecid);
923 set_to_cap_if_null(ops, msg_msg_alloc_security);
924 set_to_cap_if_null(ops, msg_msg_free_security);
925 set_to_cap_if_null(ops, msg_queue_alloc_security);
926 set_to_cap_if_null(ops, msg_queue_free_security);
927 set_to_cap_if_null(ops, msg_queue_associate);
928 set_to_cap_if_null(ops, msg_queue_msgctl);
929 set_to_cap_if_null(ops, msg_queue_msgsnd);
930 set_to_cap_if_null(ops, msg_queue_msgrcv);
931 set_to_cap_if_null(ops, shm_alloc_security);
932 set_to_cap_if_null(ops, shm_free_security);
933 set_to_cap_if_null(ops, shm_associate);
934 set_to_cap_if_null(ops, shm_shmctl);
935 set_to_cap_if_null(ops, shm_shmat);
936 set_to_cap_if_null(ops, sem_alloc_security);
937 set_to_cap_if_null(ops, sem_free_security);
938 set_to_cap_if_null(ops, sem_associate);
939 set_to_cap_if_null(ops, sem_semctl);
940 set_to_cap_if_null(ops, sem_semop);
941 set_to_cap_if_null(ops, netlink_send);
942 set_to_cap_if_null(ops, netlink_recv);
943 set_to_cap_if_null(ops, register_security);
944 set_to_cap_if_null(ops, d_instantiate);
945 set_to_cap_if_null(ops, getprocattr);
946 set_to_cap_if_null(ops, setprocattr);
947 set_to_cap_if_null(ops, secid_to_secctx);
948 set_to_cap_if_null(ops, secctx_to_secid);
949 set_to_cap_if_null(ops, release_secctx);
950#ifdef CONFIG_SECURITY_NETWORK
951 set_to_cap_if_null(ops, unix_stream_connect);
952 set_to_cap_if_null(ops, unix_may_send);
953 set_to_cap_if_null(ops, socket_create);
954 set_to_cap_if_null(ops, socket_post_create);
955 set_to_cap_if_null(ops, socket_bind);
956 set_to_cap_if_null(ops, socket_connect);
957 set_to_cap_if_null(ops, socket_listen);
958 set_to_cap_if_null(ops, socket_accept);
959 set_to_cap_if_null(ops, socket_post_accept);
960 set_to_cap_if_null(ops, socket_sendmsg);
961 set_to_cap_if_null(ops, socket_recvmsg);
962 set_to_cap_if_null(ops, socket_getsockname);
963 set_to_cap_if_null(ops, socket_getpeername);
964 set_to_cap_if_null(ops, socket_setsockopt);
965 set_to_cap_if_null(ops, socket_getsockopt);
966 set_to_cap_if_null(ops, socket_shutdown);
967 set_to_cap_if_null(ops, socket_sock_rcv_skb);
968 set_to_cap_if_null(ops, socket_getpeersec_stream);
969 set_to_cap_if_null(ops, socket_getpeersec_dgram);
970 set_to_cap_if_null(ops, sk_alloc_security);
971 set_to_cap_if_null(ops, sk_free_security);
972 set_to_cap_if_null(ops, sk_clone_security);
973 set_to_cap_if_null(ops, sk_getsecid);
974 set_to_cap_if_null(ops, sock_graft);
975 set_to_cap_if_null(ops, inet_conn_request);
976 set_to_cap_if_null(ops, inet_csk_clone);
977 set_to_cap_if_null(ops, inet_conn_established);
978 set_to_cap_if_null(ops, req_classify_flow);
979#endif /* CONFIG_SECURITY_NETWORK */
980#ifdef CONFIG_SECURITY_NETWORK_XFRM
981 set_to_cap_if_null(ops, xfrm_policy_alloc_security);
982 set_to_cap_if_null(ops, xfrm_policy_clone_security);
983 set_to_cap_if_null(ops, xfrm_policy_free_security);
984 set_to_cap_if_null(ops, xfrm_policy_delete_security);
985 set_to_cap_if_null(ops, xfrm_state_alloc_security);
986 set_to_cap_if_null(ops, xfrm_state_free_security);
987 set_to_cap_if_null(ops, xfrm_state_delete_security);
988 set_to_cap_if_null(ops, xfrm_policy_lookup);
989 set_to_cap_if_null(ops, xfrm_state_pol_flow_match);
990 set_to_cap_if_null(ops, xfrm_decode_session);
991#endif /* CONFIG_SECURITY_NETWORK_XFRM */
992#ifdef CONFIG_KEYS
993 set_to_cap_if_null(ops, key_alloc);
994 set_to_cap_if_null(ops, key_free);
995 set_to_cap_if_null(ops, key_permission);
996 set_to_cap_if_null(ops, key_getsecurity);
997#endif /* CONFIG_KEYS */
998#ifdef CONFIG_AUDIT
999 set_to_cap_if_null(ops, audit_rule_init);
1000 set_to_cap_if_null(ops, audit_rule_known);
1001 set_to_cap_if_null(ops, audit_rule_match);
1002 set_to_cap_if_null(ops, audit_rule_free);
1003#endif
1004}
diff --git a/security/dummy.c b/security/dummy.c
deleted file mode 100644
index 793856691641..000000000000
--- a/security/dummy.c
+++ /dev/null
@@ -1,1250 +0,0 @@
1/*
2 * Stub functions for the default security function pointers in case no
3 * security model is loaded.
4 *
5 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
6 * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
7 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 */
14
15#undef DEBUG
16
17#include <linux/capability.h>
18#include <linux/kernel.h>
19#include <linux/mman.h>
20#include <linux/pagemap.h>
21#include <linux/swap.h>
22#include <linux/security.h>
23#include <linux/skbuff.h>
24#include <linux/netlink.h>
25#include <net/sock.h>
26#include <linux/xattr.h>
27#include <linux/hugetlb.h>
28#include <linux/ptrace.h>
29#include <linux/file.h>
30#include <linux/prctl.h>
31#include <linux/securebits.h>
32
33static int dummy_ptrace (struct task_struct *parent, struct task_struct *child,
34 unsigned int mode)
35{
36 return 0;
37}
38
39static int dummy_capget (struct task_struct *target, kernel_cap_t * effective,
40 kernel_cap_t * inheritable, kernel_cap_t * permitted)
41{
42 if (target->euid == 0) {
43 cap_set_full(*permitted);
44 cap_set_init_eff(*effective);
45 } else {
46 cap_clear(*permitted);
47 cap_clear(*effective);
48 }
49
50 cap_clear(*inheritable);
51
52 if (target->fsuid != 0) {
53 *permitted = cap_drop_fs_set(*permitted);
54 *effective = cap_drop_fs_set(*effective);
55 }
56 return 0;
57}
58
59static int dummy_capset_check (struct task_struct *target,
60 kernel_cap_t * effective,
61 kernel_cap_t * inheritable,
62 kernel_cap_t * permitted)
63{
64 return -EPERM;
65}
66
67static void dummy_capset_set (struct task_struct *target,
68 kernel_cap_t * effective,
69 kernel_cap_t * inheritable,
70 kernel_cap_t * permitted)
71{
72 return;
73}
74
75static int dummy_acct (struct file *file)
76{
77 return 0;
78}
79
80static int dummy_capable (struct task_struct *tsk, int cap)
81{
82 if (cap_raised (tsk->cap_effective, cap))
83 return 0;
84 return -EPERM;
85}
86
87static int dummy_sysctl (ctl_table * table, int op)
88{
89 return 0;
90}
91
92static int dummy_quotactl (int cmds, int type, int id, struct super_block *sb)
93{
94 return 0;
95}
96
97static int dummy_quota_on (struct dentry *dentry)
98{
99 return 0;
100}
101
102static int dummy_syslog (int type)
103{
104 if ((type != 3 && type != 10) && current->euid)
105 return -EPERM;
106 return 0;
107}
108
109static int dummy_settime(struct timespec *ts, struct timezone *tz)
110{
111 if (!capable(CAP_SYS_TIME))
112 return -EPERM;
113 return 0;
114}
115
116static int dummy_vm_enough_memory(struct mm_struct *mm, long pages)
117{
118 int cap_sys_admin = 0;
119
120 if (dummy_capable(current, CAP_SYS_ADMIN) == 0)
121 cap_sys_admin = 1;
122 return __vm_enough_memory(mm, pages, cap_sys_admin);
123}
124
125static int dummy_bprm_alloc_security (struct linux_binprm *bprm)
126{
127 return 0;
128}
129
130static void dummy_bprm_free_security (struct linux_binprm *bprm)
131{
132 return;
133}
134
135static void dummy_bprm_apply_creds (struct linux_binprm *bprm, int unsafe)
136{
137 if (bprm->e_uid != current->uid || bprm->e_gid != current->gid) {
138 set_dumpable(current->mm, suid_dumpable);
139
140 if ((unsafe & ~LSM_UNSAFE_PTRACE_CAP) && !capable(CAP_SETUID)) {
141 bprm->e_uid = current->uid;
142 bprm->e_gid = current->gid;
143 }
144 }
145
146 current->suid = current->euid = current->fsuid = bprm->e_uid;
147 current->sgid = current->egid = current->fsgid = bprm->e_gid;
148
149 dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
150}
151
152static void dummy_bprm_post_apply_creds (struct linux_binprm *bprm)
153{
154 return;
155}
156
157static int dummy_bprm_set_security (struct linux_binprm *bprm)
158{
159 return 0;
160}
161
162static int dummy_bprm_check_security (struct linux_binprm *bprm)
163{
164 return 0;
165}
166
167static int dummy_bprm_secureexec (struct linux_binprm *bprm)
168{
169 /* The new userland will simply use the value provided
170 in the AT_SECURE field to decide whether secure mode
171 is required. Hence, this logic is required to preserve
172 the legacy decision algorithm used by the old userland. */
173 return (current->euid != current->uid ||
174 current->egid != current->gid);
175}
176
177static int dummy_sb_alloc_security (struct super_block *sb)
178{
179 return 0;
180}
181
182static void dummy_sb_free_security (struct super_block *sb)
183{
184 return;
185}
186
187static int dummy_sb_copy_data (char *orig, char *copy)
188{
189 return 0;
190}
191
192static int dummy_sb_kern_mount (struct super_block *sb, void *data)
193{
194 return 0;
195}
196
197static int dummy_sb_show_options(struct seq_file *m, struct super_block *sb)
198{
199 return 0;
200}
201
202static int dummy_sb_statfs (struct dentry *dentry)
203{
204 return 0;
205}
206
207static int dummy_sb_mount (char *dev_name, struct path *path, char *type,
208 unsigned long flags, void *data)
209{
210 return 0;
211}
212
213static int dummy_sb_check_sb (struct vfsmount *mnt, struct path *path)
214{
215 return 0;
216}
217
218static int dummy_sb_umount (struct vfsmount *mnt, int flags)
219{
220 return 0;
221}
222
223static void dummy_sb_umount_close (struct vfsmount *mnt)
224{
225 return;
226}
227
228static void dummy_sb_umount_busy (struct vfsmount *mnt)
229{
230 return;
231}
232
233static void dummy_sb_post_remount (struct vfsmount *mnt, unsigned long flags,
234 void *data)
235{
236 return;
237}
238
239
240static void dummy_sb_post_addmount (struct vfsmount *mnt, struct path *path)
241{
242 return;
243}
244
245static int dummy_sb_pivotroot (struct path *old_path, struct path *new_path)
246{
247 return 0;
248}
249
250static void dummy_sb_post_pivotroot (struct path *old_path, struct path *new_path)
251{
252 return;
253}
254
255static int dummy_sb_set_mnt_opts(struct super_block *sb,
256 struct security_mnt_opts *opts)
257{
258 if (unlikely(opts->num_mnt_opts))
259 return -EOPNOTSUPP;
260 return 0;
261}
262
263static void dummy_sb_clone_mnt_opts(const struct super_block *oldsb,
264 struct super_block *newsb)
265{
266 return;
267}
268
269static int dummy_sb_parse_opts_str(char *options, struct security_mnt_opts *opts)
270{
271 return 0;
272}
273
274static int dummy_inode_alloc_security (struct inode *inode)
275{
276 return 0;
277}
278
279static void dummy_inode_free_security (struct inode *inode)
280{
281 return;
282}
283
284static int dummy_inode_init_security (struct inode *inode, struct inode *dir,
285 char **name, void **value, size_t *len)
286{
287 return -EOPNOTSUPP;
288}
289
290static int dummy_inode_create (struct inode *inode, struct dentry *dentry,
291 int mask)
292{
293 return 0;
294}
295
296static int dummy_inode_link (struct dentry *old_dentry, struct inode *inode,
297 struct dentry *new_dentry)
298{
299 return 0;
300}
301
302static int dummy_inode_unlink (struct inode *inode, struct dentry *dentry)
303{
304 return 0;
305}
306
307static int dummy_inode_symlink (struct inode *inode, struct dentry *dentry,
308 const char *name)
309{
310 return 0;
311}
312
313static int dummy_inode_mkdir (struct inode *inode, struct dentry *dentry,
314 int mask)
315{
316 return 0;
317}
318
319static int dummy_inode_rmdir (struct inode *inode, struct dentry *dentry)
320{
321 return 0;
322}
323
324static int dummy_inode_mknod (struct inode *inode, struct dentry *dentry,
325 int mode, dev_t dev)
326{
327 return 0;
328}
329
330static int dummy_inode_rename (struct inode *old_inode,
331 struct dentry *old_dentry,
332 struct inode *new_inode,
333 struct dentry *new_dentry)
334{
335 return 0;
336}
337
338static int dummy_inode_readlink (struct dentry *dentry)
339{
340 return 0;
341}
342
343static int dummy_inode_follow_link (struct dentry *dentry,
344 struct nameidata *nameidata)
345{
346 return 0;
347}
348
349static int dummy_inode_permission (struct inode *inode, int mask, struct nameidata *nd)
350{
351 return 0;
352}
353
354static int dummy_inode_setattr (struct dentry *dentry, struct iattr *iattr)
355{
356 return 0;
357}
358
359static int dummy_inode_getattr (struct vfsmount *mnt, struct dentry *dentry)
360{
361 return 0;
362}
363
364static void dummy_inode_delete (struct inode *ino)
365{
366 return;
367}
368
369static int dummy_inode_setxattr (struct dentry *dentry, const char *name,
370 const void *value, size_t size, int flags)
371{
372 if (!strncmp(name, XATTR_SECURITY_PREFIX,
373 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
374 !capable(CAP_SYS_ADMIN))
375 return -EPERM;
376 return 0;
377}
378
379static void dummy_inode_post_setxattr (struct dentry *dentry, const char *name,
380 const void *value, size_t size,
381 int flags)
382{
383}
384
385static int dummy_inode_getxattr (struct dentry *dentry, const char *name)
386{
387 return 0;
388}
389
390static int dummy_inode_listxattr (struct dentry *dentry)
391{
392 return 0;
393}
394
395static int dummy_inode_removexattr (struct dentry *dentry, const char *name)
396{
397 if (!strncmp(name, XATTR_SECURITY_PREFIX,
398 sizeof(XATTR_SECURITY_PREFIX) - 1) &&
399 !capable(CAP_SYS_ADMIN))
400 return -EPERM;
401 return 0;
402}
403
404static int dummy_inode_need_killpriv(struct dentry *dentry)
405{
406 return 0;
407}
408
409static int dummy_inode_killpriv(struct dentry *dentry)
410{
411 return 0;
412}
413
414static int dummy_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc)
415{
416 return -EOPNOTSUPP;
417}
418
419static int dummy_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags)
420{
421 return -EOPNOTSUPP;
422}
423
424static int dummy_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size)
425{
426 return 0;
427}
428
429static void dummy_inode_getsecid(const struct inode *inode, u32 *secid)
430{
431 *secid = 0;
432}
433
434static int dummy_file_permission (struct file *file, int mask)
435{
436 return 0;
437}
438
439static int dummy_file_alloc_security (struct file *file)
440{
441 return 0;
442}
443
444static void dummy_file_free_security (struct file *file)
445{
446 return;
447}
448
449static int dummy_file_ioctl (struct file *file, unsigned int command,
450 unsigned long arg)
451{
452 return 0;
453}
454
455static int dummy_file_mmap (struct file *file, unsigned long reqprot,
456 unsigned long prot,
457 unsigned long flags,
458 unsigned long addr,
459 unsigned long addr_only)
460{
461 if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO))
462 return -EACCES;
463 return 0;
464}
465
466static int dummy_file_mprotect (struct vm_area_struct *vma,
467 unsigned long reqprot,
468 unsigned long prot)
469{
470 return 0;
471}
472
473static int dummy_file_lock (struct file *file, unsigned int cmd)
474{
475 return 0;
476}
477
478static int dummy_file_fcntl (struct file *file, unsigned int cmd,
479 unsigned long arg)
480{
481 return 0;
482}
483
484static int dummy_file_set_fowner (struct file *file)
485{
486 return 0;
487}
488
489static int dummy_file_send_sigiotask (struct task_struct *tsk,
490 struct fown_struct *fown, int sig)
491{
492 return 0;
493}
494
495static int dummy_file_receive (struct file *file)
496{
497 return 0;
498}
499
500static int dummy_dentry_open (struct file *file)
501{
502 return 0;
503}
504
505static int dummy_task_create (unsigned long clone_flags)
506{
507 return 0;
508}
509
510static int dummy_task_alloc_security (struct task_struct *p)
511{
512 return 0;
513}
514
515static void dummy_task_free_security (struct task_struct *p)
516{
517 return;
518}
519
520static int dummy_task_setuid (uid_t id0, uid_t id1, uid_t id2, int flags)
521{
522 return 0;
523}
524
525static int dummy_task_post_setuid (uid_t id0, uid_t id1, uid_t id2, int flags)
526{
527 dummy_capget(current, &current->cap_effective, &current->cap_inheritable, &current->cap_permitted);
528 return 0;
529}
530
531static int dummy_task_setgid (gid_t id0, gid_t id1, gid_t id2, int flags)
532{
533 return 0;
534}
535
536static int dummy_task_setpgid (struct task_struct *p, pid_t pgid)
537{
538 return 0;
539}
540
541static int dummy_task_getpgid (struct task_struct *p)
542{
543 return 0;
544}
545
546static int dummy_task_getsid (struct task_struct *p)
547{
548 return 0;
549}
550
551static void dummy_task_getsecid (struct task_struct *p, u32 *secid)
552{
553 *secid = 0;
554}
555
556static int dummy_task_setgroups (struct group_info *group_info)
557{
558 return 0;
559}
560
561static int dummy_task_setnice (struct task_struct *p, int nice)
562{
563 return 0;
564}
565
566static int dummy_task_setioprio (struct task_struct *p, int ioprio)
567{
568 return 0;
569}
570
571static int dummy_task_getioprio (struct task_struct *p)
572{
573 return 0;
574}
575
576static int dummy_task_setrlimit (unsigned int resource, struct rlimit *new_rlim)
577{
578 return 0;
579}
580
581static int dummy_task_setscheduler (struct task_struct *p, int policy,
582 struct sched_param *lp)
583{
584 return 0;
585}
586
587static int dummy_task_getscheduler (struct task_struct *p)
588{
589 return 0;
590}
591
592static int dummy_task_movememory (struct task_struct *p)
593{
594 return 0;
595}
596
597static int dummy_task_wait (struct task_struct *p)
598{
599 return 0;
600}
601
602static int dummy_task_kill (struct task_struct *p, struct siginfo *info,
603 int sig, u32 secid)
604{
605 return 0;
606}
607
608static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3,
609 unsigned long arg4, unsigned long arg5, long *rc_p)
610{
611 switch (option) {
612 case PR_CAPBSET_READ:
613 *rc_p = (cap_valid(arg2) ? 1 : -EINVAL);
614 break;
615 case PR_GET_KEEPCAPS:
616 *rc_p = issecure(SECURE_KEEP_CAPS);
617 break;
618 case PR_SET_KEEPCAPS:
619 if (arg2 > 1)
620 *rc_p = -EINVAL;
621 else if (arg2)
622 current->securebits |= issecure_mask(SECURE_KEEP_CAPS);
623 else
624 current->securebits &=
625 ~issecure_mask(SECURE_KEEP_CAPS);
626 break;
627 default:
628 return 0;
629 }
630
631 return 1;
632}
633
634static void dummy_task_reparent_to_init (struct task_struct *p)
635{
636 p->euid = p->fsuid = 0;
637 return;
638}
639
640static void dummy_task_to_inode(struct task_struct *p, struct inode *inode)
641{ }
642
643static int dummy_ipc_permission (struct kern_ipc_perm *ipcp, short flag)
644{
645 return 0;
646}
647
648static void dummy_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
649{
650 *secid = 0;
651}
652
653static int dummy_msg_msg_alloc_security (struct msg_msg *msg)
654{
655 return 0;
656}
657
658static void dummy_msg_msg_free_security (struct msg_msg *msg)
659{
660 return;
661}
662
663static int dummy_msg_queue_alloc_security (struct msg_queue *msq)
664{
665 return 0;
666}
667
668static void dummy_msg_queue_free_security (struct msg_queue *msq)
669{
670 return;
671}
672
673static int dummy_msg_queue_associate (struct msg_queue *msq,
674 int msqflg)
675{
676 return 0;
677}
678
679static int dummy_msg_queue_msgctl (struct msg_queue *msq, int cmd)
680{
681 return 0;
682}
683
684static int dummy_msg_queue_msgsnd (struct msg_queue *msq, struct msg_msg *msg,
685 int msgflg)
686{
687 return 0;
688}
689
690static int dummy_msg_queue_msgrcv (struct msg_queue *msq, struct msg_msg *msg,
691 struct task_struct *target, long type,
692 int mode)
693{
694 return 0;
695}
696
697static int dummy_shm_alloc_security (struct shmid_kernel *shp)
698{
699 return 0;
700}
701
702static void dummy_shm_free_security (struct shmid_kernel *shp)
703{
704 return;
705}
706
707static int dummy_shm_associate (struct shmid_kernel *shp, int shmflg)
708{
709 return 0;
710}
711
712static int dummy_shm_shmctl (struct shmid_kernel *shp, int cmd)
713{
714 return 0;
715}
716
717static int dummy_shm_shmat (struct shmid_kernel *shp, char __user *shmaddr,
718 int shmflg)
719{
720 return 0;
721}
722
723static int dummy_sem_alloc_security (struct sem_array *sma)
724{
725 return 0;
726}
727
728static void dummy_sem_free_security (struct sem_array *sma)
729{
730 return;
731}
732
733static int dummy_sem_associate (struct sem_array *sma, int semflg)
734{
735 return 0;
736}
737
738static int dummy_sem_semctl (struct sem_array *sma, int cmd)
739{
740 return 0;
741}
742
743static int dummy_sem_semop (struct sem_array *sma,
744 struct sembuf *sops, unsigned nsops, int alter)
745{
746 return 0;
747}
748
749static int dummy_netlink_send (struct sock *sk, struct sk_buff *skb)
750{
751 NETLINK_CB(skb).eff_cap = current->cap_effective;
752 return 0;
753}
754
755static int dummy_netlink_recv (struct sk_buff *skb, int cap)
756{
757 if (!cap_raised (NETLINK_CB (skb).eff_cap, cap))
758 return -EPERM;
759 return 0;
760}
761
762#ifdef CONFIG_SECURITY_NETWORK
763static int dummy_unix_stream_connect (struct socket *sock,
764 struct socket *other,
765 struct sock *newsk)
766{
767 return 0;
768}
769
770static int dummy_unix_may_send (struct socket *sock,
771 struct socket *other)
772{
773 return 0;
774}
775
776static int dummy_socket_create (int family, int type,
777 int protocol, int kern)
778{
779 return 0;
780}
781
782static int dummy_socket_post_create (struct socket *sock, int family, int type,
783 int protocol, int kern)
784{
785 return 0;
786}
787
788static int dummy_socket_bind (struct socket *sock, struct sockaddr *address,
789 int addrlen)
790{
791 return 0;
792}
793
794static int dummy_socket_connect (struct socket *sock, struct sockaddr *address,
795 int addrlen)
796{
797 return 0;
798}
799
800static int dummy_socket_listen (struct socket *sock, int backlog)
801{
802 return 0;
803}
804
805static int dummy_socket_accept (struct socket *sock, struct socket *newsock)
806{
807 return 0;
808}
809
810static void dummy_socket_post_accept (struct socket *sock,
811 struct socket *newsock)
812{
813 return;
814}
815
816static int dummy_socket_sendmsg (struct socket *sock, struct msghdr *msg,
817 int size)
818{
819 return 0;
820}
821
822static int dummy_socket_recvmsg (struct socket *sock, struct msghdr *msg,
823 int size, int flags)
824{
825 return 0;
826}
827
828static int dummy_socket_getsockname (struct socket *sock)
829{
830 return 0;
831}
832
833static int dummy_socket_getpeername (struct socket *sock)
834{
835 return 0;
836}
837
838static int dummy_socket_setsockopt (struct socket *sock, int level, int optname)
839{
840 return 0;
841}
842
843static int dummy_socket_getsockopt (struct socket *sock, int level, int optname)
844{
845 return 0;
846}
847
848static int dummy_socket_shutdown (struct socket *sock, int how)
849{
850 return 0;
851}
852
853static int dummy_socket_sock_rcv_skb (struct sock *sk, struct sk_buff *skb)
854{
855 return 0;
856}
857
858static int dummy_socket_getpeersec_stream(struct socket *sock, char __user *optval,
859 int __user *optlen, unsigned len)
860{
861 return -ENOPROTOOPT;
862}
863
864static int dummy_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid)
865{
866 return -ENOPROTOOPT;
867}
868
869static inline int dummy_sk_alloc_security (struct sock *sk, int family, gfp_t priority)
870{
871 return 0;
872}
873
874static inline void dummy_sk_free_security (struct sock *sk)
875{
876}
877
878static inline void dummy_sk_clone_security (const struct sock *sk, struct sock *newsk)
879{
880}
881
882static inline void dummy_sk_getsecid(struct sock *sk, u32 *secid)
883{
884}
885
886static inline void dummy_sock_graft(struct sock* sk, struct socket *parent)
887{
888}
889
890static inline int dummy_inet_conn_request(struct sock *sk,
891 struct sk_buff *skb, struct request_sock *req)
892{
893 return 0;
894}
895
896static inline void dummy_inet_csk_clone(struct sock *newsk,
897 const struct request_sock *req)
898{
899}
900
901static inline void dummy_inet_conn_established(struct sock *sk,
902 struct sk_buff *skb)
903{
904}
905
906static inline void dummy_req_classify_flow(const struct request_sock *req,
907 struct flowi *fl)
908{
909}
910#endif /* CONFIG_SECURITY_NETWORK */
911
912#ifdef CONFIG_SECURITY_NETWORK_XFRM
913static int dummy_xfrm_policy_alloc_security(struct xfrm_sec_ctx **ctxp,
914 struct xfrm_user_sec_ctx *sec_ctx)
915{
916 return 0;
917}
918
919static inline int dummy_xfrm_policy_clone_security(struct xfrm_sec_ctx *old_ctx,
920 struct xfrm_sec_ctx **new_ctxp)
921{
922 return 0;
923}
924
925static void dummy_xfrm_policy_free_security(struct xfrm_sec_ctx *ctx)
926{
927}
928
929static int dummy_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx)
930{
931 return 0;
932}
933
934static int dummy_xfrm_state_alloc_security(struct xfrm_state *x,
935 struct xfrm_user_sec_ctx *sec_ctx, u32 secid)
936{
937 return 0;
938}
939
940static void dummy_xfrm_state_free_security(struct xfrm_state *x)
941{
942}
943
944static int dummy_xfrm_state_delete_security(struct xfrm_state *x)
945{
946 return 0;
947}
948
949static int dummy_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx,
950 u32 sk_sid, u8 dir)
951{
952 return 0;
953}
954
955static int dummy_xfrm_state_pol_flow_match(struct xfrm_state *x,
956 struct xfrm_policy *xp, struct flowi *fl)
957{
958 return 1;
959}
960
961static int dummy_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
962{
963 return 0;
964}
965
966#endif /* CONFIG_SECURITY_NETWORK_XFRM */
967static int dummy_register_security (const char *name, struct security_operations *ops)
968{
969 return -EINVAL;
970}
971
972static void dummy_d_instantiate (struct dentry *dentry, struct inode *inode)
973{
974 return;
975}
976
977static int dummy_getprocattr(struct task_struct *p, char *name, char **value)
978{
979 return -EINVAL;
980}
981
982static int dummy_setprocattr(struct task_struct *p, char *name, void *value, size_t size)
983{
984 return -EINVAL;
985}
986
987static int dummy_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
988{
989 return -EOPNOTSUPP;
990}
991
992static int dummy_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
993{
994 return -EOPNOTSUPP;
995}
996
997static void dummy_release_secctx(char *secdata, u32 seclen)
998{
999}
1000
1001#ifdef CONFIG_KEYS
1002static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx,
1003 unsigned long flags)
1004{
1005 return 0;
1006}
1007
1008static inline void dummy_key_free(struct key *key)
1009{
1010}
1011
1012static inline int dummy_key_permission(key_ref_t key_ref,
1013 struct task_struct *context,
1014 key_perm_t perm)
1015{
1016 return 0;
1017}
1018
1019static int dummy_key_getsecurity(struct key *key, char **_buffer)
1020{
1021 *_buffer = NULL;
1022 return 0;
1023}
1024
1025#endif /* CONFIG_KEYS */
1026
1027#ifdef CONFIG_AUDIT
1028static inline int dummy_audit_rule_init(u32 field, u32 op, char *rulestr,
1029 void **lsmrule)
1030{
1031 return 0;
1032}
1033
1034static inline int dummy_audit_rule_known(struct audit_krule *krule)
1035{
1036 return 0;
1037}
1038
1039static inline int dummy_audit_rule_match(u32 secid, u32 field, u32 op,
1040 void *lsmrule,
1041 struct audit_context *actx)
1042{
1043 return 0;
1044}
1045
1046static inline void dummy_audit_rule_free(void *lsmrule)
1047{ }
1048
1049#endif /* CONFIG_AUDIT */
1050
1051struct security_operations dummy_security_ops = {
1052 .name = "dummy",
1053};
1054
1055#define set_to_dummy_if_null(ops, function) \
1056 do { \
1057 if (!ops->function) { \
1058 ops->function = dummy_##function; \
1059 pr_debug("Had to override the " #function \
1060 " security operation with the dummy one.\n");\
1061 } \
1062 } while (0)
1063
1064void security_fixup_ops (struct security_operations *ops)
1065{
1066 set_to_dummy_if_null(ops, ptrace);
1067 set_to_dummy_if_null(ops, capget);
1068 set_to_dummy_if_null(ops, capset_check);
1069 set_to_dummy_if_null(ops, capset_set);
1070 set_to_dummy_if_null(ops, acct);
1071 set_to_dummy_if_null(ops, capable);
1072 set_to_dummy_if_null(ops, quotactl);
1073 set_to_dummy_if_null(ops, quota_on);
1074 set_to_dummy_if_null(ops, sysctl);
1075 set_to_dummy_if_null(ops, syslog);
1076 set_to_dummy_if_null(ops, settime);
1077 set_to_dummy_if_null(ops, vm_enough_memory);
1078 set_to_dummy_if_null(ops, bprm_alloc_security);
1079 set_to_dummy_if_null(ops, bprm_free_security);
1080 set_to_dummy_if_null(ops, bprm_apply_creds);
1081 set_to_dummy_if_null(ops, bprm_post_apply_creds);
1082 set_to_dummy_if_null(ops, bprm_set_security);
1083 set_to_dummy_if_null(ops, bprm_check_security);
1084 set_to_dummy_if_null(ops, bprm_secureexec);
1085 set_to_dummy_if_null(ops, sb_alloc_security);
1086 set_to_dummy_if_null(ops, sb_free_security);
1087 set_to_dummy_if_null(ops, sb_copy_data);
1088 set_to_dummy_if_null(ops, sb_kern_mount);
1089 set_to_dummy_if_null(ops, sb_show_options);
1090 set_to_dummy_if_null(ops, sb_statfs);
1091 set_to_dummy_if_null(ops, sb_mount);
1092 set_to_dummy_if_null(ops, sb_check_sb);
1093 set_to_dummy_if_null(ops, sb_umount);
1094 set_to_dummy_if_null(ops, sb_umount_close);
1095 set_to_dummy_if_null(ops, sb_umount_busy);
1096 set_to_dummy_if_null(ops, sb_post_remount);
1097 set_to_dummy_if_null(ops, sb_post_addmount);
1098 set_to_dummy_if_null(ops, sb_pivotroot);
1099 set_to_dummy_if_null(ops, sb_post_pivotroot);
1100 set_to_dummy_if_null(ops, sb_set_mnt_opts);
1101 set_to_dummy_if_null(ops, sb_clone_mnt_opts);
1102 set_to_dummy_if_null(ops, sb_parse_opts_str);
1103 set_to_dummy_if_null(ops, inode_alloc_security);
1104 set_to_dummy_if_null(ops, inode_free_security);
1105 set_to_dummy_if_null(ops, inode_init_security);
1106 set_to_dummy_if_null(ops, inode_create);
1107 set_to_dummy_if_null(ops, inode_link);
1108 set_to_dummy_if_null(ops, inode_unlink);
1109 set_to_dummy_if_null(ops, inode_symlink);
1110 set_to_dummy_if_null(ops, inode_mkdir);
1111 set_to_dummy_if_null(ops, inode_rmdir);
1112 set_to_dummy_if_null(ops, inode_mknod);
1113 set_to_dummy_if_null(ops, inode_rename);
1114 set_to_dummy_if_null(ops, inode_readlink);
1115 set_to_dummy_if_null(ops, inode_follow_link);
1116 set_to_dummy_if_null(ops, inode_permission);
1117 set_to_dummy_if_null(ops, inode_setattr);
1118 set_to_dummy_if_null(ops, inode_getattr);
1119 set_to_dummy_if_null(ops, inode_delete);
1120 set_to_dummy_if_null(ops, inode_setxattr);
1121 set_to_dummy_if_null(ops, inode_post_setxattr);
1122 set_to_dummy_if_null(ops, inode_getxattr);
1123 set_to_dummy_if_null(ops, inode_listxattr);
1124 set_to_dummy_if_null(ops, inode_removexattr);
1125 set_to_dummy_if_null(ops, inode_need_killpriv);
1126 set_to_dummy_if_null(ops, inode_killpriv);
1127 set_to_dummy_if_null(ops, inode_getsecurity);
1128 set_to_dummy_if_null(ops, inode_setsecurity);
1129 set_to_dummy_if_null(ops, inode_listsecurity);
1130 set_to_dummy_if_null(ops, inode_getsecid);
1131 set_to_dummy_if_null(ops, file_permission);
1132 set_to_dummy_if_null(ops, file_alloc_security);
1133 set_to_dummy_if_null(ops, file_free_security);
1134 set_to_dummy_if_null(ops, file_ioctl);
1135 set_to_dummy_if_null(ops, file_mmap);
1136 set_to_dummy_if_null(ops, file_mprotect);
1137 set_to_dummy_if_null(ops, file_lock);
1138 set_to_dummy_if_null(ops, file_fcntl);
1139 set_to_dummy_if_null(ops, file_set_fowner);
1140 set_to_dummy_if_null(ops, file_send_sigiotask);
1141 set_to_dummy_if_null(ops, file_receive);
1142 set_to_dummy_if_null(ops, dentry_open);
1143 set_to_dummy_if_null(ops, task_create);
1144 set_to_dummy_if_null(ops, task_alloc_security);
1145 set_to_dummy_if_null(ops, task_free_security);
1146 set_to_dummy_if_null(ops, task_setuid);
1147 set_to_dummy_if_null(ops, task_post_setuid);
1148 set_to_dummy_if_null(ops, task_setgid);
1149 set_to_dummy_if_null(ops, task_setpgid);
1150 set_to_dummy_if_null(ops, task_getpgid);
1151 set_to_dummy_if_null(ops, task_getsid);
1152 set_to_dummy_if_null(ops, task_getsecid);
1153 set_to_dummy_if_null(ops, task_setgroups);
1154 set_to_dummy_if_null(ops, task_setnice);
1155 set_to_dummy_if_null(ops, task_setioprio);
1156 set_to_dummy_if_null(ops, task_getioprio);
1157 set_to_dummy_if_null(ops, task_setrlimit);
1158 set_to_dummy_if_null(ops, task_setscheduler);
1159 set_to_dummy_if_null(ops, task_getscheduler);
1160 set_to_dummy_if_null(ops, task_movememory);
1161 set_to_dummy_if_null(ops, task_wait);
1162 set_to_dummy_if_null(ops, task_kill);
1163 set_to_dummy_if_null(ops, task_prctl);
1164 set_to_dummy_if_null(ops, task_reparent_to_init);
1165 set_to_dummy_if_null(ops, task_to_inode);
1166 set_to_dummy_if_null(ops, ipc_permission);
1167 set_to_dummy_if_null(ops, ipc_getsecid);
1168 set_to_dummy_if_null(ops, msg_msg_alloc_security);
1169 set_to_dummy_if_null(ops, msg_msg_free_security);
1170 set_to_dummy_if_null(ops, msg_queue_alloc_security);
1171 set_to_dummy_if_null(ops, msg_queue_free_security);
1172 set_to_dummy_if_null(ops, msg_queue_associate);
1173 set_to_dummy_if_null(ops, msg_queue_msgctl);
1174 set_to_dummy_if_null(ops, msg_queue_msgsnd);
1175 set_to_dummy_if_null(ops, msg_queue_msgrcv);
1176 set_to_dummy_if_null(ops, shm_alloc_security);
1177 set_to_dummy_if_null(ops, shm_free_security);
1178 set_to_dummy_if_null(ops, shm_associate);
1179 set_to_dummy_if_null(ops, shm_shmctl);
1180 set_to_dummy_if_null(ops, shm_shmat);
1181 set_to_dummy_if_null(ops, sem_alloc_security);
1182 set_to_dummy_if_null(ops, sem_free_security);
1183 set_to_dummy_if_null(ops, sem_associate);
1184 set_to_dummy_if_null(ops, sem_semctl);
1185 set_to_dummy_if_null(ops, sem_semop);
1186 set_to_dummy_if_null(ops, netlink_send);
1187 set_to_dummy_if_null(ops, netlink_recv);
1188 set_to_dummy_if_null(ops, register_security);
1189 set_to_dummy_if_null(ops, d_instantiate);
1190 set_to_dummy_if_null(ops, getprocattr);
1191 set_to_dummy_if_null(ops, setprocattr);
1192 set_to_dummy_if_null(ops, secid_to_secctx);
1193 set_to_dummy_if_null(ops, secctx_to_secid);
1194 set_to_dummy_if_null(ops, release_secctx);
1195#ifdef CONFIG_SECURITY_NETWORK
1196 set_to_dummy_if_null(ops, unix_stream_connect);
1197 set_to_dummy_if_null(ops, unix_may_send);
1198 set_to_dummy_if_null(ops, socket_create);
1199 set_to_dummy_if_null(ops, socket_post_create);
1200 set_to_dummy_if_null(ops, socket_bind);
1201 set_to_dummy_if_null(ops, socket_connect);
1202 set_to_dummy_if_null(ops, socket_listen);
1203 set_to_dummy_if_null(ops, socket_accept);
1204 set_to_dummy_if_null(ops, socket_post_accept);
1205 set_to_dummy_if_null(ops, socket_sendmsg);
1206 set_to_dummy_if_null(ops, socket_recvmsg);
1207 set_to_dummy_if_null(ops, socket_getsockname);
1208 set_to_dummy_if_null(ops, socket_getpeername);
1209 set_to_dummy_if_null(ops, socket_setsockopt);
1210 set_to_dummy_if_null(ops, socket_getsockopt);
1211 set_to_dummy_if_null(ops, socket_shutdown);
1212 set_to_dummy_if_null(ops, socket_sock_rcv_skb);
1213 set_to_dummy_if_null(ops, socket_getpeersec_stream);
1214 set_to_dummy_if_null(ops, socket_getpeersec_dgram);
1215 set_to_dummy_if_null(ops, sk_alloc_security);
1216 set_to_dummy_if_null(ops, sk_free_security);
1217 set_to_dummy_if_null(ops, sk_clone_security);
1218 set_to_dummy_if_null(ops, sk_getsecid);
1219 set_to_dummy_if_null(ops, sock_graft);
1220 set_to_dummy_if_null(ops, inet_conn_request);
1221 set_to_dummy_if_null(ops, inet_csk_clone);
1222 set_to_dummy_if_null(ops, inet_conn_established);
1223 set_to_dummy_if_null(ops, req_classify_flow);
1224 #endif /* CONFIG_SECURITY_NETWORK */
1225#ifdef CONFIG_SECURITY_NETWORK_XFRM
1226 set_to_dummy_if_null(ops, xfrm_policy_alloc_security);
1227 set_to_dummy_if_null(ops, xfrm_policy_clone_security);
1228 set_to_dummy_if_null(ops, xfrm_policy_free_security);
1229 set_to_dummy_if_null(ops, xfrm_policy_delete_security);
1230 set_to_dummy_if_null(ops, xfrm_state_alloc_security);
1231 set_to_dummy_if_null(ops, xfrm_state_free_security);
1232 set_to_dummy_if_null(ops, xfrm_state_delete_security);
1233 set_to_dummy_if_null(ops, xfrm_policy_lookup);
1234 set_to_dummy_if_null(ops, xfrm_state_pol_flow_match);
1235 set_to_dummy_if_null(ops, xfrm_decode_session);
1236#endif /* CONFIG_SECURITY_NETWORK_XFRM */
1237#ifdef CONFIG_KEYS
1238 set_to_dummy_if_null(ops, key_alloc);
1239 set_to_dummy_if_null(ops, key_free);
1240 set_to_dummy_if_null(ops, key_permission);
1241 set_to_dummy_if_null(ops, key_getsecurity);
1242#endif /* CONFIG_KEYS */
1243#ifdef CONFIG_AUDIT
1244 set_to_dummy_if_null(ops, audit_rule_init);
1245 set_to_dummy_if_null(ops, audit_rule_known);
1246 set_to_dummy_if_null(ops, audit_rule_match);
1247 set_to_dummy_if_null(ops, audit_rule_free);
1248#endif
1249}
1250
diff --git a/security/security.c b/security/security.c
index 28b2860c1129..30b0278de394 100644
--- a/security/security.c
+++ b/security/security.c
@@ -20,8 +20,8 @@
20/* Boot-time LSM user choice */ 20/* Boot-time LSM user choice */
21static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; 21static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
22 22
23/* things that live in dummy.c */ 23/* things that live in capability.c */
24extern struct security_operations dummy_security_ops; 24extern struct security_operations default_security_ops;
25extern void security_fixup_ops(struct security_operations *ops); 25extern void security_fixup_ops(struct security_operations *ops);
26 26
27struct security_operations *security_ops; /* Initialized to NULL */ 27struct security_operations *security_ops; /* Initialized to NULL */
@@ -57,13 +57,8 @@ int __init security_init(void)
57{ 57{
58 printk(KERN_INFO "Security Framework initialized\n"); 58 printk(KERN_INFO "Security Framework initialized\n");
59 59
60 if (verify(&dummy_security_ops)) { 60 security_fixup_ops(&default_security_ops);
61 printk(KERN_ERR "%s could not verify " 61 security_ops = &default_security_ops;
62 "dummy_security_ops structure.\n", __func__);
63 return -EIO;
64 }
65
66 security_ops = &dummy_security_ops;
67 do_security_initcalls(); 62 do_security_initcalls();
68 63
69 return 0; 64 return 0;
@@ -122,7 +117,7 @@ int register_security(struct security_operations *ops)
122 return -EINVAL; 117 return -EINVAL;
123 } 118 }
124 119
125 if (security_ops != &dummy_security_ops) 120 if (security_ops != &default_security_ops)
126 return -EAGAIN; 121 return -EAGAIN;
127 122
128 security_ops = ops; 123 security_ops = ops;