diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/Kconfig | 10 | ||||
-rw-r--r-- | security/Makefile | 11 | ||||
-rw-r--r-- | security/capability.c | 1050 | ||||
-rw-r--r-- | security/dummy.c | 1250 | ||||
-rw-r--r-- | security/security.c | 15 |
5 files changed, 996 insertions, 1340 deletions
diff --git a/security/Kconfig b/security/Kconfig index 49b51f964897..77def9f9f5f5 100644 --- a/security/Kconfig +++ b/security/Kconfig | |||
@@ -73,17 +73,9 @@ config SECURITY_NETWORK_XFRM | |||
73 | IPSec. | 73 | IPSec. |
74 | If you are unsure how to answer this question, answer N. | 74 | If you are unsure how to answer this question, answer N. |
75 | 75 | ||
76 | config SECURITY_CAPABILITIES | ||
77 | bool "Default Linux Capabilities" | ||
78 | depends on SECURITY | ||
79 | default y | ||
80 | help | ||
81 | This enables the "default" Linux capabilities functionality. | ||
82 | If you are unsure how to answer this question, answer Y. | ||
83 | |||
84 | config SECURITY_FILE_CAPABILITIES | 76 | config SECURITY_FILE_CAPABILITIES |
85 | bool "File POSIX Capabilities (EXPERIMENTAL)" | 77 | bool "File POSIX Capabilities (EXPERIMENTAL)" |
86 | depends on (SECURITY=n || SECURITY_CAPABILITIES!=n) && EXPERIMENTAL | 78 | depends on SECURITY && EXPERIMENTAL |
87 | default n | 79 | default n |
88 | help | 80 | help |
89 | This enables filesystem capabilities, allowing you to give | 81 | This enables filesystem capabilities, allowing you to give |
diff --git a/security/Makefile b/security/Makefile index 7ef1107a7287..f65426099aa6 100644 --- a/security/Makefile +++ b/security/Makefile | |||
@@ -6,16 +6,13 @@ obj-$(CONFIG_KEYS) += keys/ | |||
6 | subdir-$(CONFIG_SECURITY_SELINUX) += selinux | 6 | subdir-$(CONFIG_SECURITY_SELINUX) += selinux |
7 | subdir-$(CONFIG_SECURITY_SMACK) += smack | 7 | subdir-$(CONFIG_SECURITY_SMACK) += smack |
8 | 8 | ||
9 | # if we don't select a security model, use the default capabilities | 9 | # always enable default capabilities |
10 | ifneq ($(CONFIG_SECURITY),y) | ||
11 | obj-y += commoncap.o | 10 | obj-y += commoncap.o |
12 | endif | ||
13 | 11 | ||
14 | # Object file lists | 12 | # Object file lists |
15 | obj-$(CONFIG_SECURITY) += security.o dummy.o inode.o | 13 | obj-$(CONFIG_SECURITY) += security.o capability.o inode.o |
16 | # Must precede capability.o in order to stack properly. | 14 | # Must precede capability.o in order to stack properly. |
17 | obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o | 15 | obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o |
18 | obj-$(CONFIG_SECURITY_SMACK) += commoncap.o smack/built-in.o | 16 | obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o |
19 | obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o | 17 | obj-$(CONFIG_SECURITY_ROOTPLUG) += root_plug.o |
20 | obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o | ||
21 | obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o | 18 | obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o |
diff --git a/security/capability.c b/security/capability.c index 38ac54e3aed1..6e0671c82018 100644 --- a/security/capability.c +++ b/security/capability.c | |||
@@ -1,6 +1,8 @@ | |||
1 | /* | 1 | /* |
2 | * Capabilities Linux Security Module | 2 | * Capabilities Linux Security Module |
3 | * | 3 | * |
4 | * This is the default security module in case no other module is loaded. | ||
5 | * | ||
4 | * This program is free software; you can redistribute it and/or modify | 6 | * This program is free software; you can redistribute it and/or modify |
5 | * it under the terms of the GNU General Public License as published by | 7 | * it under the terms of the GNU General Public License as published by |
6 | * the Free Software Foundation; either version 2 of the License, or | 8 | * the Free Software Foundation; either version 2 of the License, or |
@@ -8,75 +10,995 @@ | |||
8 | * | 10 | * |
9 | */ | 11 | */ |
10 | 12 | ||
11 | #include <linux/init.h> | ||
12 | #include <linux/kernel.h> | ||
13 | #include <linux/security.h> | 13 | #include <linux/security.h> |
14 | #include <linux/file.h> | ||
15 | #include <linux/mm.h> | ||
16 | #include <linux/mman.h> | ||
17 | #include <linux/pagemap.h> | ||
18 | #include <linux/swap.h> | ||
19 | #include <linux/skbuff.h> | ||
20 | #include <linux/netlink.h> | ||
21 | #include <linux/ptrace.h> | ||
22 | #include <linux/moduleparam.h> | ||
23 | |||
24 | static struct security_operations capability_ops = { | ||
25 | .ptrace = cap_ptrace, | ||
26 | .capget = cap_capget, | ||
27 | .capset_check = cap_capset_check, | ||
28 | .capset_set = cap_capset_set, | ||
29 | .capable = cap_capable, | ||
30 | .settime = cap_settime, | ||
31 | .netlink_send = cap_netlink_send, | ||
32 | .netlink_recv = cap_netlink_recv, | ||
33 | |||
34 | .bprm_apply_creds = cap_bprm_apply_creds, | ||
35 | .bprm_set_security = cap_bprm_set_security, | ||
36 | .bprm_secureexec = cap_bprm_secureexec, | ||
37 | |||
38 | .inode_setxattr = cap_inode_setxattr, | ||
39 | .inode_removexattr = cap_inode_removexattr, | ||
40 | .inode_need_killpriv = cap_inode_need_killpriv, | ||
41 | .inode_killpriv = cap_inode_killpriv, | ||
42 | |||
43 | .task_setscheduler = cap_task_setscheduler, | ||
44 | .task_setioprio = cap_task_setioprio, | ||
45 | .task_setnice = cap_task_setnice, | ||
46 | .task_post_setuid = cap_task_post_setuid, | ||
47 | .task_prctl = cap_task_prctl, | ||
48 | .task_reparent_to_init = cap_task_reparent_to_init, | ||
49 | |||
50 | .syslog = cap_syslog, | ||
51 | |||
52 | .vm_enough_memory = cap_vm_enough_memory, | ||
53 | }; | ||
54 | 14 | ||
55 | /* flag to keep track of how we were registered */ | 15 | static int cap_acct(struct file *file) |
56 | static int secondary; | 16 | { |
17 | return 0; | ||
18 | } | ||
19 | |||
20 | static int cap_sysctl(ctl_table *table, int op) | ||
21 | { | ||
22 | return 0; | ||
23 | } | ||
24 | |||
25 | static int cap_quotactl(int cmds, int type, int id, struct super_block *sb) | ||
26 | { | ||
27 | return 0; | ||
28 | } | ||
29 | |||
30 | static int cap_quota_on(struct dentry *dentry) | ||
31 | { | ||
32 | return 0; | ||
33 | } | ||
34 | |||
35 | static int cap_bprm_alloc_security(struct linux_binprm *bprm) | ||
36 | { | ||
37 | return 0; | ||
38 | } | ||
39 | |||
40 | static void cap_bprm_free_security(struct linux_binprm *bprm) | ||
41 | { | ||
42 | } | ||
43 | |||
44 | static void cap_bprm_post_apply_creds(struct linux_binprm *bprm) | ||
45 | { | ||
46 | } | ||
47 | |||
48 | static int cap_bprm_check_security(struct linux_binprm *bprm) | ||
49 | { | ||
50 | return 0; | ||
51 | } | ||
52 | |||
53 | static int cap_sb_alloc_security(struct super_block *sb) | ||
54 | { | ||
55 | return 0; | ||
56 | } | ||
57 | |||
58 | static void cap_sb_free_security(struct super_block *sb) | ||
59 | { | ||
60 | } | ||
61 | |||
62 | static int cap_sb_copy_data(char *orig, char *copy) | ||
63 | { | ||
64 | return 0; | ||
65 | } | ||
66 | |||
67 | static int cap_sb_kern_mount(struct super_block *sb, void *data) | ||
68 | { | ||
69 | return 0; | ||
70 | } | ||
71 | |||
72 | static int cap_sb_show_options(struct seq_file *m, struct super_block *sb) | ||
73 | { | ||
74 | return 0; | ||
75 | } | ||
76 | |||
77 | static int cap_sb_statfs(struct dentry *dentry) | ||
78 | { | ||
79 | return 0; | ||
80 | } | ||
81 | |||
82 | static int cap_sb_mount(char *dev_name, struct path *path, char *type, | ||
83 | unsigned long flags, void *data) | ||
84 | { | ||
85 | return 0; | ||
86 | } | ||
87 | |||
88 | static int cap_sb_check_sb(struct vfsmount *mnt, struct path *path) | ||
89 | { | ||
90 | return 0; | ||
91 | } | ||
92 | |||
93 | static int cap_sb_umount(struct vfsmount *mnt, int flags) | ||
94 | { | ||
95 | return 0; | ||
96 | } | ||
97 | |||
98 | static void cap_sb_umount_close(struct vfsmount *mnt) | ||
99 | { | ||
100 | } | ||
101 | |||
102 | static void cap_sb_umount_busy(struct vfsmount *mnt) | ||
103 | { | ||
104 | } | ||
105 | |||
106 | static void cap_sb_post_remount(struct vfsmount *mnt, unsigned long flags, | ||
107 | void *data) | ||
108 | { | ||
109 | } | ||
110 | |||
111 | static void cap_sb_post_addmount(struct vfsmount *mnt, struct path *path) | ||
112 | { | ||
113 | } | ||
114 | |||
115 | static int cap_sb_pivotroot(struct path *old_path, struct path *new_path) | ||
116 | { | ||
117 | return 0; | ||
118 | } | ||
119 | |||
120 | static void cap_sb_post_pivotroot(struct path *old_path, struct path *new_path) | ||
121 | { | ||
122 | } | ||
123 | |||
124 | static int cap_sb_set_mnt_opts(struct super_block *sb, | ||
125 | struct security_mnt_opts *opts) | ||
126 | { | ||
127 | if (unlikely(opts->num_mnt_opts)) | ||
128 | return -EOPNOTSUPP; | ||
129 | return 0; | ||
130 | } | ||
131 | |||
132 | static void cap_sb_clone_mnt_opts(const struct super_block *oldsb, | ||
133 | struct super_block *newsb) | ||
134 | { | ||
135 | } | ||
136 | |||
137 | static int cap_sb_parse_opts_str(char *options, struct security_mnt_opts *opts) | ||
138 | { | ||
139 | return 0; | ||
140 | } | ||
141 | |||
142 | static int cap_inode_alloc_security(struct inode *inode) | ||
143 | { | ||
144 | return 0; | ||
145 | } | ||
146 | |||
147 | static void cap_inode_free_security(struct inode *inode) | ||
148 | { | ||
149 | } | ||
150 | |||
151 | static int cap_inode_init_security(struct inode *inode, struct inode *dir, | ||
152 | char **name, void **value, size_t *len) | ||
153 | { | ||
154 | return -EOPNOTSUPP; | ||
155 | } | ||
156 | |||
157 | static int cap_inode_create(struct inode *inode, struct dentry *dentry, | ||
158 | int mask) | ||
159 | { | ||
160 | return 0; | ||
161 | } | ||
162 | |||
163 | static int cap_inode_link(struct dentry *old_dentry, struct inode *inode, | ||
164 | struct dentry *new_dentry) | ||
165 | { | ||
166 | return 0; | ||
167 | } | ||
168 | |||
169 | static int cap_inode_unlink(struct inode *inode, struct dentry *dentry) | ||
170 | { | ||
171 | return 0; | ||
172 | } | ||
173 | |||
174 | static int cap_inode_symlink(struct inode *inode, struct dentry *dentry, | ||
175 | const char *name) | ||
176 | { | ||
177 | return 0; | ||
178 | } | ||
179 | |||
180 | static int cap_inode_mkdir(struct inode *inode, struct dentry *dentry, | ||
181 | int mask) | ||
182 | { | ||
183 | return 0; | ||
184 | } | ||
185 | |||
186 | static int cap_inode_rmdir(struct inode *inode, struct dentry *dentry) | ||
187 | { | ||
188 | return 0; | ||
189 | } | ||
190 | |||
191 | static int cap_inode_mknod(struct inode *inode, struct dentry *dentry, | ||
192 | int mode, dev_t dev) | ||
193 | { | ||
194 | return 0; | ||
195 | } | ||
196 | |||
197 | static int cap_inode_rename(struct inode *old_inode, struct dentry *old_dentry, | ||
198 | struct inode *new_inode, struct dentry *new_dentry) | ||
199 | { | ||
200 | return 0; | ||
201 | } | ||
202 | |||
203 | static int cap_inode_readlink(struct dentry *dentry) | ||
204 | { | ||
205 | return 0; | ||
206 | } | ||
207 | |||
208 | static int cap_inode_follow_link(struct dentry *dentry, | ||
209 | struct nameidata *nameidata) | ||
210 | { | ||
211 | return 0; | ||
212 | } | ||
213 | |||
214 | static int cap_inode_permission(struct inode *inode, int mask, | ||
215 | struct nameidata *nd) | ||
216 | { | ||
217 | return 0; | ||
218 | } | ||
219 | |||
220 | static int cap_inode_setattr(struct dentry *dentry, struct iattr *iattr) | ||
221 | { | ||
222 | return 0; | ||
223 | } | ||
224 | |||
225 | static int cap_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | ||
226 | { | ||
227 | return 0; | ||
228 | } | ||
229 | |||
230 | static void cap_inode_delete(struct inode *ino) | ||
231 | { | ||
232 | } | ||
233 | |||
234 | static void cap_inode_post_setxattr(struct dentry *dentry, const char *name, | ||
235 | const void *value, size_t size, int flags) | ||
236 | { | ||
237 | } | ||
238 | |||
239 | static int cap_inode_getxattr(struct dentry *dentry, const char *name) | ||
240 | { | ||
241 | return 0; | ||
242 | } | ||
57 | 243 | ||
58 | static int capability_disable; | 244 | static int cap_inode_listxattr(struct dentry *dentry) |
59 | module_param_named(disable, capability_disable, int, 0); | 245 | { |
246 | return 0; | ||
247 | } | ||
248 | |||
249 | static int cap_inode_getsecurity(const struct inode *inode, const char *name, | ||
250 | void **buffer, bool alloc) | ||
251 | { | ||
252 | return -EOPNOTSUPP; | ||
253 | } | ||
254 | |||
255 | static int cap_inode_setsecurity(struct inode *inode, const char *name, | ||
256 | const void *value, size_t size, int flags) | ||
257 | { | ||
258 | return -EOPNOTSUPP; | ||
259 | } | ||
60 | 260 | ||
61 | static int __init capability_init (void) | 261 | static int cap_inode_listsecurity(struct inode *inode, char *buffer, |
262 | size_t buffer_size) | ||
62 | { | 263 | { |
63 | if (capability_disable) { | ||
64 | printk(KERN_INFO "Capabilities disabled at initialization\n"); | ||
65 | return 0; | ||
66 | } | ||
67 | /* register ourselves with the security framework */ | ||
68 | if (register_security (&capability_ops)) { | ||
69 | /* try registering with primary module */ | ||
70 | if (mod_reg_security (KBUILD_MODNAME, &capability_ops)) { | ||
71 | printk (KERN_INFO "Failure registering capabilities " | ||
72 | "with primary security module.\n"); | ||
73 | return -EINVAL; | ||
74 | } | ||
75 | secondary = 1; | ||
76 | } | ||
77 | printk (KERN_INFO "Capability LSM initialized%s\n", | ||
78 | secondary ? " as secondary" : ""); | ||
79 | return 0; | 264 | return 0; |
80 | } | 265 | } |
81 | 266 | ||
82 | security_initcall (capability_init); | 267 | static void cap_inode_getsecid(const struct inode *inode, u32 *secid) |
268 | { | ||
269 | *secid = 0; | ||
270 | } | ||
271 | |||
272 | static int cap_file_permission(struct file *file, int mask) | ||
273 | { | ||
274 | return 0; | ||
275 | } | ||
276 | |||
277 | static int cap_file_alloc_security(struct file *file) | ||
278 | { | ||
279 | return 0; | ||
280 | } | ||
281 | |||
282 | static void cap_file_free_security(struct file *file) | ||
283 | { | ||
284 | } | ||
285 | |||
286 | static int cap_file_ioctl(struct file *file, unsigned int command, | ||
287 | unsigned long arg) | ||
288 | { | ||
289 | return 0; | ||
290 | } | ||
291 | |||
292 | static int cap_file_mmap(struct file *file, unsigned long reqprot, | ||
293 | unsigned long prot, unsigned long flags, | ||
294 | unsigned long addr, unsigned long addr_only) | ||
295 | { | ||
296 | if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO)) | ||
297 | return -EACCES; | ||
298 | return 0; | ||
299 | } | ||
300 | |||
301 | static int cap_file_mprotect(struct vm_area_struct *vma, unsigned long reqprot, | ||
302 | unsigned long prot) | ||
303 | { | ||
304 | return 0; | ||
305 | } | ||
306 | |||
307 | static int cap_file_lock(struct file *file, unsigned int cmd) | ||
308 | { | ||
309 | return 0; | ||
310 | } | ||
311 | |||
312 | static int cap_file_fcntl(struct file *file, unsigned int cmd, | ||
313 | unsigned long arg) | ||
314 | { | ||
315 | return 0; | ||
316 | } | ||
317 | |||
318 | static int cap_file_set_fowner(struct file *file) | ||
319 | { | ||
320 | return 0; | ||
321 | } | ||
322 | |||
323 | static int cap_file_send_sigiotask(struct task_struct *tsk, | ||
324 | struct fown_struct *fown, int sig) | ||
325 | { | ||
326 | return 0; | ||
327 | } | ||
328 | |||
329 | static int cap_file_receive(struct file *file) | ||
330 | { | ||
331 | return 0; | ||
332 | } | ||
333 | |||
334 | static int cap_dentry_open(struct file *file) | ||
335 | { | ||
336 | return 0; | ||
337 | } | ||
338 | |||
339 | static int cap_task_create(unsigned long clone_flags) | ||
340 | { | ||
341 | return 0; | ||
342 | } | ||
343 | |||
344 | static int cap_task_alloc_security(struct task_struct *p) | ||
345 | { | ||
346 | return 0; | ||
347 | } | ||
348 | |||
349 | static void cap_task_free_security(struct task_struct *p) | ||
350 | { | ||
351 | } | ||
352 | |||
353 | static int cap_task_setuid(uid_t id0, uid_t id1, uid_t id2, int flags) | ||
354 | { | ||
355 | return 0; | ||
356 | } | ||
357 | |||
358 | static int cap_task_setgid(gid_t id0, gid_t id1, gid_t id2, int flags) | ||
359 | { | ||
360 | return 0; | ||
361 | } | ||
362 | |||
363 | static int cap_task_setpgid(struct task_struct *p, pid_t pgid) | ||
364 | { | ||
365 | return 0; | ||
366 | } | ||
367 | |||
368 | static int cap_task_getpgid(struct task_struct *p) | ||
369 | { | ||
370 | return 0; | ||
371 | } | ||
372 | |||
373 | static int cap_task_getsid(struct task_struct *p) | ||
374 | { | ||
375 | return 0; | ||
376 | } | ||
377 | |||
378 | static void cap_task_getsecid(struct task_struct *p, u32 *secid) | ||
379 | { | ||
380 | *secid = 0; | ||
381 | } | ||
382 | |||
383 | static int cap_task_setgroups(struct group_info *group_info) | ||
384 | { | ||
385 | return 0; | ||
386 | } | ||
387 | |||
388 | static int cap_task_getioprio(struct task_struct *p) | ||
389 | { | ||
390 | return 0; | ||
391 | } | ||
392 | |||
393 | static int cap_task_setrlimit(unsigned int resource, struct rlimit *new_rlim) | ||
394 | { | ||
395 | return 0; | ||
396 | } | ||
397 | |||
398 | static int cap_task_getscheduler(struct task_struct *p) | ||
399 | { | ||
400 | return 0; | ||
401 | } | ||
402 | |||
403 | static int cap_task_movememory(struct task_struct *p) | ||
404 | { | ||
405 | return 0; | ||
406 | } | ||
407 | |||
408 | static int cap_task_wait(struct task_struct *p) | ||
409 | { | ||
410 | return 0; | ||
411 | } | ||
412 | |||
413 | static int cap_task_kill(struct task_struct *p, struct siginfo *info, | ||
414 | int sig, u32 secid) | ||
415 | { | ||
416 | return 0; | ||
417 | } | ||
418 | |||
419 | static void cap_task_to_inode(struct task_struct *p, struct inode *inode) | ||
420 | { | ||
421 | } | ||
422 | |||
423 | static int cap_ipc_permission(struct kern_ipc_perm *ipcp, short flag) | ||
424 | { | ||
425 | return 0; | ||
426 | } | ||
427 | |||
428 | static void cap_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) | ||
429 | { | ||
430 | *secid = 0; | ||
431 | } | ||
432 | |||
433 | static int cap_msg_msg_alloc_security(struct msg_msg *msg) | ||
434 | { | ||
435 | return 0; | ||
436 | } | ||
437 | |||
438 | static void cap_msg_msg_free_security(struct msg_msg *msg) | ||
439 | { | ||
440 | } | ||
441 | |||
442 | static int cap_msg_queue_alloc_security(struct msg_queue *msq) | ||
443 | { | ||
444 | return 0; | ||
445 | } | ||
446 | |||
447 | static void cap_msg_queue_free_security(struct msg_queue *msq) | ||
448 | { | ||
449 | } | ||
450 | |||
451 | static int cap_msg_queue_associate(struct msg_queue *msq, int msqflg) | ||
452 | { | ||
453 | return 0; | ||
454 | } | ||
455 | |||
456 | static int cap_msg_queue_msgctl(struct msg_queue *msq, int cmd) | ||
457 | { | ||
458 | return 0; | ||
459 | } | ||
460 | |||
461 | static int cap_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg, | ||
462 | int msgflg) | ||
463 | { | ||
464 | return 0; | ||
465 | } | ||
466 | |||
467 | static int cap_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg, | ||
468 | struct task_struct *target, long type, int mode) | ||
469 | { | ||
470 | return 0; | ||
471 | } | ||
472 | |||
473 | static int cap_shm_alloc_security(struct shmid_kernel *shp) | ||
474 | { | ||
475 | return 0; | ||
476 | } | ||
477 | |||
478 | static void cap_shm_free_security(struct shmid_kernel *shp) | ||
479 | { | ||
480 | } | ||
481 | |||
482 | static int cap_shm_associate(struct shmid_kernel *shp, int shmflg) | ||
483 | { | ||
484 | return 0; | ||
485 | } | ||
486 | |||
487 | static int cap_shm_shmctl(struct shmid_kernel *shp, int cmd) | ||
488 | { | ||
489 | return 0; | ||
490 | } | ||
491 | |||
492 | static int cap_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr, | ||
493 | int shmflg) | ||
494 | { | ||
495 | return 0; | ||
496 | } | ||
497 | |||
498 | static int cap_sem_alloc_security(struct sem_array *sma) | ||
499 | { | ||
500 | return 0; | ||
501 | } | ||
502 | |||
503 | static void cap_sem_free_security(struct sem_array *sma) | ||
504 | { | ||
505 | } | ||
506 | |||
507 | static int cap_sem_associate(struct sem_array *sma, int semflg) | ||
508 | { | ||
509 | return 0; | ||
510 | } | ||
511 | |||
512 | static int cap_sem_semctl(struct sem_array *sma, int cmd) | ||
513 | { | ||
514 | return 0; | ||
515 | } | ||
516 | |||
517 | static int cap_sem_semop(struct sem_array *sma, struct sembuf *sops, | ||
518 | unsigned nsops, int alter) | ||
519 | { | ||
520 | return 0; | ||
521 | } | ||
522 | |||
523 | #ifdef CONFIG_SECURITY_NETWORK | ||
524 | static int cap_unix_stream_connect(struct socket *sock, struct socket *other, | ||
525 | struct sock *newsk) | ||
526 | { | ||
527 | return 0; | ||
528 | } | ||
529 | |||
530 | static int cap_unix_may_send(struct socket *sock, struct socket *other) | ||
531 | { | ||
532 | return 0; | ||
533 | } | ||
534 | |||
535 | static int cap_socket_create(int family, int type, int protocol, int kern) | ||
536 | { | ||
537 | return 0; | ||
538 | } | ||
539 | |||
540 | static int cap_socket_post_create(struct socket *sock, int family, int type, | ||
541 | int protocol, int kern) | ||
542 | { | ||
543 | return 0; | ||
544 | } | ||
545 | |||
546 | static int cap_socket_bind(struct socket *sock, struct sockaddr *address, | ||
547 | int addrlen) | ||
548 | { | ||
549 | return 0; | ||
550 | } | ||
551 | |||
552 | static int cap_socket_connect(struct socket *sock, struct sockaddr *address, | ||
553 | int addrlen) | ||
554 | { | ||
555 | return 0; | ||
556 | } | ||
557 | |||
558 | static int cap_socket_listen(struct socket *sock, int backlog) | ||
559 | { | ||
560 | return 0; | ||
561 | } | ||
562 | |||
563 | static int cap_socket_accept(struct socket *sock, struct socket *newsock) | ||
564 | { | ||
565 | return 0; | ||
566 | } | ||
567 | |||
568 | static void cap_socket_post_accept(struct socket *sock, struct socket *newsock) | ||
569 | { | ||
570 | } | ||
571 | |||
572 | static int cap_socket_sendmsg(struct socket *sock, struct msghdr *msg, int size) | ||
573 | { | ||
574 | return 0; | ||
575 | } | ||
576 | |||
577 | static int cap_socket_recvmsg(struct socket *sock, struct msghdr *msg, | ||
578 | int size, int flags) | ||
579 | { | ||
580 | return 0; | ||
581 | } | ||
582 | |||
583 | static int cap_socket_getsockname(struct socket *sock) | ||
584 | { | ||
585 | return 0; | ||
586 | } | ||
587 | |||
588 | static int cap_socket_getpeername(struct socket *sock) | ||
589 | { | ||
590 | return 0; | ||
591 | } | ||
592 | |||
593 | static int cap_socket_setsockopt(struct socket *sock, int level, int optname) | ||
594 | { | ||
595 | return 0; | ||
596 | } | ||
597 | |||
598 | static int cap_socket_getsockopt(struct socket *sock, int level, int optname) | ||
599 | { | ||
600 | return 0; | ||
601 | } | ||
602 | |||
603 | static int cap_socket_shutdown(struct socket *sock, int how) | ||
604 | { | ||
605 | return 0; | ||
606 | } | ||
607 | |||
608 | static int cap_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) | ||
609 | { | ||
610 | return 0; | ||
611 | } | ||
612 | |||
613 | static int cap_socket_getpeersec_stream(struct socket *sock, | ||
614 | char __user *optval, | ||
615 | int __user *optlen, unsigned len) | ||
616 | { | ||
617 | return -ENOPROTOOPT; | ||
618 | } | ||
619 | |||
620 | static int cap_socket_getpeersec_dgram(struct socket *sock, | ||
621 | struct sk_buff *skb, u32 *secid) | ||
622 | { | ||
623 | return -ENOPROTOOPT; | ||
624 | } | ||
625 | |||
626 | static int cap_sk_alloc_security(struct sock *sk, int family, gfp_t priority) | ||
627 | { | ||
628 | return 0; | ||
629 | } | ||
630 | |||
631 | static void cap_sk_free_security(struct sock *sk) | ||
632 | { | ||
633 | } | ||
634 | |||
635 | static void cap_sk_clone_security(const struct sock *sk, struct sock *newsk) | ||
636 | { | ||
637 | } | ||
638 | |||
639 | static void cap_sk_getsecid(struct sock *sk, u32 *secid) | ||
640 | { | ||
641 | } | ||
642 | |||
643 | static void cap_sock_graft(struct sock *sk, struct socket *parent) | ||
644 | { | ||
645 | } | ||
646 | |||
647 | static int cap_inet_conn_request(struct sock *sk, struct sk_buff *skb, | ||
648 | struct request_sock *req) | ||
649 | { | ||
650 | return 0; | ||
651 | } | ||
652 | |||
653 | static void cap_inet_csk_clone(struct sock *newsk, | ||
654 | const struct request_sock *req) | ||
655 | { | ||
656 | } | ||
657 | |||
658 | static void cap_inet_conn_established(struct sock *sk, struct sk_buff *skb) | ||
659 | { | ||
660 | } | ||
661 | |||
662 | static void cap_req_classify_flow(const struct request_sock *req, | ||
663 | struct flowi *fl) | ||
664 | { | ||
665 | } | ||
666 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
667 | |||
668 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | ||
669 | static int cap_xfrm_policy_alloc_security(struct xfrm_sec_ctx **ctxp, | ||
670 | struct xfrm_user_sec_ctx *sec_ctx) | ||
671 | { | ||
672 | return 0; | ||
673 | } | ||
674 | |||
675 | static int cap_xfrm_policy_clone_security(struct xfrm_sec_ctx *old_ctx, | ||
676 | struct xfrm_sec_ctx **new_ctxp) | ||
677 | { | ||
678 | return 0; | ||
679 | } | ||
680 | |||
681 | static void cap_xfrm_policy_free_security(struct xfrm_sec_ctx *ctx) | ||
682 | { | ||
683 | } | ||
684 | |||
685 | static int cap_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx) | ||
686 | { | ||
687 | return 0; | ||
688 | } | ||
689 | |||
690 | static int cap_xfrm_state_alloc_security(struct xfrm_state *x, | ||
691 | struct xfrm_user_sec_ctx *sec_ctx, | ||
692 | u32 secid) | ||
693 | { | ||
694 | return 0; | ||
695 | } | ||
696 | |||
697 | static void cap_xfrm_state_free_security(struct xfrm_state *x) | ||
698 | { | ||
699 | } | ||
700 | |||
701 | static int cap_xfrm_state_delete_security(struct xfrm_state *x) | ||
702 | { | ||
703 | return 0; | ||
704 | } | ||
705 | |||
706 | static int cap_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 sk_sid, u8 dir) | ||
707 | { | ||
708 | return 0; | ||
709 | } | ||
710 | |||
711 | static int cap_xfrm_state_pol_flow_match(struct xfrm_state *x, | ||
712 | struct xfrm_policy *xp, | ||
713 | struct flowi *fl) | ||
714 | { | ||
715 | return 1; | ||
716 | } | ||
717 | |||
718 | static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall) | ||
719 | { | ||
720 | return 0; | ||
721 | } | ||
722 | |||
723 | #endif /* CONFIG_SECURITY_NETWORK_XFRM */ | ||
724 | static int cap_register_security(const char *name, | ||
725 | struct security_operations *ops) | ||
726 | { | ||
727 | return -EINVAL; | ||
728 | } | ||
729 | |||
730 | static void cap_d_instantiate(struct dentry *dentry, struct inode *inode) | ||
731 | { | ||
732 | } | ||
733 | |||
734 | static int cap_getprocattr(struct task_struct *p, char *name, char **value) | ||
735 | { | ||
736 | return -EINVAL; | ||
737 | } | ||
738 | |||
739 | static int cap_setprocattr(struct task_struct *p, char *name, void *value, | ||
740 | size_t size) | ||
741 | { | ||
742 | return -EINVAL; | ||
743 | } | ||
744 | |||
745 | static int cap_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) | ||
746 | { | ||
747 | return -EOPNOTSUPP; | ||
748 | } | ||
749 | |||
750 | static int cap_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) | ||
751 | { | ||
752 | return -EOPNOTSUPP; | ||
753 | } | ||
754 | |||
755 | static void cap_release_secctx(char *secdata, u32 seclen) | ||
756 | { | ||
757 | } | ||
758 | |||
759 | #ifdef CONFIG_KEYS | ||
760 | static int cap_key_alloc(struct key *key, struct task_struct *ctx, | ||
761 | unsigned long flags) | ||
762 | { | ||
763 | return 0; | ||
764 | } | ||
765 | |||
766 | static void cap_key_free(struct key *key) | ||
767 | { | ||
768 | } | ||
769 | |||
770 | static int cap_key_permission(key_ref_t key_ref, struct task_struct *context, | ||
771 | key_perm_t perm) | ||
772 | { | ||
773 | return 0; | ||
774 | } | ||
775 | |||
776 | static int cap_key_getsecurity(struct key *key, char **_buffer) | ||
777 | { | ||
778 | *_buffer = NULL; | ||
779 | return 0; | ||
780 | } | ||
781 | |||
782 | #endif /* CONFIG_KEYS */ | ||
783 | |||
784 | #ifdef CONFIG_AUDIT | ||
785 | static int cap_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule) | ||
786 | { | ||
787 | return 0; | ||
788 | } | ||
789 | |||
790 | static int cap_audit_rule_known(struct audit_krule *krule) | ||
791 | { | ||
792 | return 0; | ||
793 | } | ||
794 | |||
795 | static int cap_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule, | ||
796 | struct audit_context *actx) | ||
797 | { | ||
798 | return 0; | ||
799 | } | ||
800 | |||
801 | static void cap_audit_rule_free(void *lsmrule) | ||
802 | { | ||
803 | } | ||
804 | #endif /* CONFIG_AUDIT */ | ||
805 | |||
806 | struct security_operations default_security_ops = { | ||
807 | .name = "default", | ||
808 | }; | ||
809 | |||
810 | #define set_to_cap_if_null(ops, function) \ | ||
811 | do { \ | ||
812 | if (!ops->function) { \ | ||
813 | ops->function = cap_##function; \ | ||
814 | pr_debug("Had to override the " #function \ | ||
815 | " security operation with the default.\n");\ | ||
816 | } \ | ||
817 | } while (0) | ||
818 | |||
819 | void security_fixup_ops(struct security_operations *ops) | ||
820 | { | ||
821 | set_to_cap_if_null(ops, ptrace); | ||
822 | set_to_cap_if_null(ops, capget); | ||
823 | set_to_cap_if_null(ops, capset_check); | ||
824 | set_to_cap_if_null(ops, capset_set); | ||
825 | set_to_cap_if_null(ops, acct); | ||
826 | set_to_cap_if_null(ops, capable); | ||
827 | set_to_cap_if_null(ops, quotactl); | ||
828 | set_to_cap_if_null(ops, quota_on); | ||
829 | set_to_cap_if_null(ops, sysctl); | ||
830 | set_to_cap_if_null(ops, syslog); | ||
831 | set_to_cap_if_null(ops, settime); | ||
832 | set_to_cap_if_null(ops, vm_enough_memory); | ||
833 | set_to_cap_if_null(ops, bprm_alloc_security); | ||
834 | set_to_cap_if_null(ops, bprm_free_security); | ||
835 | set_to_cap_if_null(ops, bprm_apply_creds); | ||
836 | set_to_cap_if_null(ops, bprm_post_apply_creds); | ||
837 | set_to_cap_if_null(ops, bprm_set_security); | ||
838 | set_to_cap_if_null(ops, bprm_check_security); | ||
839 | set_to_cap_if_null(ops, bprm_secureexec); | ||
840 | set_to_cap_if_null(ops, sb_alloc_security); | ||
841 | set_to_cap_if_null(ops, sb_free_security); | ||
842 | set_to_cap_if_null(ops, sb_copy_data); | ||
843 | set_to_cap_if_null(ops, sb_kern_mount); | ||
844 | set_to_cap_if_null(ops, sb_show_options); | ||
845 | set_to_cap_if_null(ops, sb_statfs); | ||
846 | set_to_cap_if_null(ops, sb_mount); | ||
847 | set_to_cap_if_null(ops, sb_check_sb); | ||
848 | set_to_cap_if_null(ops, sb_umount); | ||
849 | set_to_cap_if_null(ops, sb_umount_close); | ||
850 | set_to_cap_if_null(ops, sb_umount_busy); | ||
851 | set_to_cap_if_null(ops, sb_post_remount); | ||
852 | set_to_cap_if_null(ops, sb_post_addmount); | ||
853 | set_to_cap_if_null(ops, sb_pivotroot); | ||
854 | set_to_cap_if_null(ops, sb_post_pivotroot); | ||
855 | set_to_cap_if_null(ops, sb_set_mnt_opts); | ||
856 | set_to_cap_if_null(ops, sb_clone_mnt_opts); | ||
857 | set_to_cap_if_null(ops, sb_parse_opts_str); | ||
858 | set_to_cap_if_null(ops, inode_alloc_security); | ||
859 | set_to_cap_if_null(ops, inode_free_security); | ||
860 | set_to_cap_if_null(ops, inode_init_security); | ||
861 | set_to_cap_if_null(ops, inode_create); | ||
862 | set_to_cap_if_null(ops, inode_link); | ||
863 | set_to_cap_if_null(ops, inode_unlink); | ||
864 | set_to_cap_if_null(ops, inode_symlink); | ||
865 | set_to_cap_if_null(ops, inode_mkdir); | ||
866 | set_to_cap_if_null(ops, inode_rmdir); | ||
867 | set_to_cap_if_null(ops, inode_mknod); | ||
868 | set_to_cap_if_null(ops, inode_rename); | ||
869 | set_to_cap_if_null(ops, inode_readlink); | ||
870 | set_to_cap_if_null(ops, inode_follow_link); | ||
871 | set_to_cap_if_null(ops, inode_permission); | ||
872 | set_to_cap_if_null(ops, inode_setattr); | ||
873 | set_to_cap_if_null(ops, inode_getattr); | ||
874 | set_to_cap_if_null(ops, inode_delete); | ||
875 | set_to_cap_if_null(ops, inode_setxattr); | ||
876 | set_to_cap_if_null(ops, inode_post_setxattr); | ||
877 | set_to_cap_if_null(ops, inode_getxattr); | ||
878 | set_to_cap_if_null(ops, inode_listxattr); | ||
879 | set_to_cap_if_null(ops, inode_removexattr); | ||
880 | set_to_cap_if_null(ops, inode_need_killpriv); | ||
881 | set_to_cap_if_null(ops, inode_killpriv); | ||
882 | set_to_cap_if_null(ops, inode_getsecurity); | ||
883 | set_to_cap_if_null(ops, inode_setsecurity); | ||
884 | set_to_cap_if_null(ops, inode_listsecurity); | ||
885 | set_to_cap_if_null(ops, inode_getsecid); | ||
886 | set_to_cap_if_null(ops, file_permission); | ||
887 | set_to_cap_if_null(ops, file_alloc_security); | ||
888 | set_to_cap_if_null(ops, file_free_security); | ||
889 | set_to_cap_if_null(ops, file_ioctl); | ||
890 | set_to_cap_if_null(ops, file_mmap); | ||
891 | set_to_cap_if_null(ops, file_mprotect); | ||
892 | set_to_cap_if_null(ops, file_lock); | ||
893 | set_to_cap_if_null(ops, file_fcntl); | ||
894 | set_to_cap_if_null(ops, file_set_fowner); | ||
895 | set_to_cap_if_null(ops, file_send_sigiotask); | ||
896 | set_to_cap_if_null(ops, file_receive); | ||
897 | set_to_cap_if_null(ops, dentry_open); | ||
898 | set_to_cap_if_null(ops, task_create); | ||
899 | set_to_cap_if_null(ops, task_alloc_security); | ||
900 | set_to_cap_if_null(ops, task_free_security); | ||
901 | set_to_cap_if_null(ops, task_setuid); | ||
902 | set_to_cap_if_null(ops, task_post_setuid); | ||
903 | set_to_cap_if_null(ops, task_setgid); | ||
904 | set_to_cap_if_null(ops, task_setpgid); | ||
905 | set_to_cap_if_null(ops, task_getpgid); | ||
906 | set_to_cap_if_null(ops, task_getsid); | ||
907 | set_to_cap_if_null(ops, task_getsecid); | ||
908 | set_to_cap_if_null(ops, task_setgroups); | ||
909 | set_to_cap_if_null(ops, task_setnice); | ||
910 | set_to_cap_if_null(ops, task_setioprio); | ||
911 | set_to_cap_if_null(ops, task_getioprio); | ||
912 | set_to_cap_if_null(ops, task_setrlimit); | ||
913 | set_to_cap_if_null(ops, task_setscheduler); | ||
914 | set_to_cap_if_null(ops, task_getscheduler); | ||
915 | set_to_cap_if_null(ops, task_movememory); | ||
916 | set_to_cap_if_null(ops, task_wait); | ||
917 | set_to_cap_if_null(ops, task_kill); | ||
918 | set_to_cap_if_null(ops, task_prctl); | ||
919 | set_to_cap_if_null(ops, task_reparent_to_init); | ||
920 | set_to_cap_if_null(ops, task_to_inode); | ||
921 | set_to_cap_if_null(ops, ipc_permission); | ||
922 | set_to_cap_if_null(ops, ipc_getsecid); | ||
923 | set_to_cap_if_null(ops, msg_msg_alloc_security); | ||
924 | set_to_cap_if_null(ops, msg_msg_free_security); | ||
925 | set_to_cap_if_null(ops, msg_queue_alloc_security); | ||
926 | set_to_cap_if_null(ops, msg_queue_free_security); | ||
927 | set_to_cap_if_null(ops, msg_queue_associate); | ||
928 | set_to_cap_if_null(ops, msg_queue_msgctl); | ||
929 | set_to_cap_if_null(ops, msg_queue_msgsnd); | ||
930 | set_to_cap_if_null(ops, msg_queue_msgrcv); | ||
931 | set_to_cap_if_null(ops, shm_alloc_security); | ||
932 | set_to_cap_if_null(ops, shm_free_security); | ||
933 | set_to_cap_if_null(ops, shm_associate); | ||
934 | set_to_cap_if_null(ops, shm_shmctl); | ||
935 | set_to_cap_if_null(ops, shm_shmat); | ||
936 | set_to_cap_if_null(ops, sem_alloc_security); | ||
937 | set_to_cap_if_null(ops, sem_free_security); | ||
938 | set_to_cap_if_null(ops, sem_associate); | ||
939 | set_to_cap_if_null(ops, sem_semctl); | ||
940 | set_to_cap_if_null(ops, sem_semop); | ||
941 | set_to_cap_if_null(ops, netlink_send); | ||
942 | set_to_cap_if_null(ops, netlink_recv); | ||
943 | set_to_cap_if_null(ops, register_security); | ||
944 | set_to_cap_if_null(ops, d_instantiate); | ||
945 | set_to_cap_if_null(ops, getprocattr); | ||
946 | set_to_cap_if_null(ops, setprocattr); | ||
947 | set_to_cap_if_null(ops, secid_to_secctx); | ||
948 | set_to_cap_if_null(ops, secctx_to_secid); | ||
949 | set_to_cap_if_null(ops, release_secctx); | ||
950 | #ifdef CONFIG_SECURITY_NETWORK | ||
951 | set_to_cap_if_null(ops, unix_stream_connect); | ||
952 | set_to_cap_if_null(ops, unix_may_send); | ||
953 | set_to_cap_if_null(ops, socket_create); | ||
954 | set_to_cap_if_null(ops, socket_post_create); | ||
955 | set_to_cap_if_null(ops, socket_bind); | ||
956 | set_to_cap_if_null(ops, socket_connect); | ||
957 | set_to_cap_if_null(ops, socket_listen); | ||
958 | set_to_cap_if_null(ops, socket_accept); | ||
959 | set_to_cap_if_null(ops, socket_post_accept); | ||
960 | set_to_cap_if_null(ops, socket_sendmsg); | ||
961 | set_to_cap_if_null(ops, socket_recvmsg); | ||
962 | set_to_cap_if_null(ops, socket_getsockname); | ||
963 | set_to_cap_if_null(ops, socket_getpeername); | ||
964 | set_to_cap_if_null(ops, socket_setsockopt); | ||
965 | set_to_cap_if_null(ops, socket_getsockopt); | ||
966 | set_to_cap_if_null(ops, socket_shutdown); | ||
967 | set_to_cap_if_null(ops, socket_sock_rcv_skb); | ||
968 | set_to_cap_if_null(ops, socket_getpeersec_stream); | ||
969 | set_to_cap_if_null(ops, socket_getpeersec_dgram); | ||
970 | set_to_cap_if_null(ops, sk_alloc_security); | ||
971 | set_to_cap_if_null(ops, sk_free_security); | ||
972 | set_to_cap_if_null(ops, sk_clone_security); | ||
973 | set_to_cap_if_null(ops, sk_getsecid); | ||
974 | set_to_cap_if_null(ops, sock_graft); | ||
975 | set_to_cap_if_null(ops, inet_conn_request); | ||
976 | set_to_cap_if_null(ops, inet_csk_clone); | ||
977 | set_to_cap_if_null(ops, inet_conn_established); | ||
978 | set_to_cap_if_null(ops, req_classify_flow); | ||
979 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
980 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | ||
981 | set_to_cap_if_null(ops, xfrm_policy_alloc_security); | ||
982 | set_to_cap_if_null(ops, xfrm_policy_clone_security); | ||
983 | set_to_cap_if_null(ops, xfrm_policy_free_security); | ||
984 | set_to_cap_if_null(ops, xfrm_policy_delete_security); | ||
985 | set_to_cap_if_null(ops, xfrm_state_alloc_security); | ||
986 | set_to_cap_if_null(ops, xfrm_state_free_security); | ||
987 | set_to_cap_if_null(ops, xfrm_state_delete_security); | ||
988 | set_to_cap_if_null(ops, xfrm_policy_lookup); | ||
989 | set_to_cap_if_null(ops, xfrm_state_pol_flow_match); | ||
990 | set_to_cap_if_null(ops, xfrm_decode_session); | ||
991 | #endif /* CONFIG_SECURITY_NETWORK_XFRM */ | ||
992 | #ifdef CONFIG_KEYS | ||
993 | set_to_cap_if_null(ops, key_alloc); | ||
994 | set_to_cap_if_null(ops, key_free); | ||
995 | set_to_cap_if_null(ops, key_permission); | ||
996 | set_to_cap_if_null(ops, key_getsecurity); | ||
997 | #endif /* CONFIG_KEYS */ | ||
998 | #ifdef CONFIG_AUDIT | ||
999 | set_to_cap_if_null(ops, audit_rule_init); | ||
1000 | set_to_cap_if_null(ops, audit_rule_known); | ||
1001 | set_to_cap_if_null(ops, audit_rule_match); | ||
1002 | set_to_cap_if_null(ops, audit_rule_free); | ||
1003 | #endif | ||
1004 | } | ||
diff --git a/security/dummy.c b/security/dummy.c deleted file mode 100644 index 793856691641..000000000000 --- a/security/dummy.c +++ /dev/null | |||
@@ -1,1250 +0,0 @@ | |||
1 | /* | ||
2 | * Stub functions for the default security function pointers in case no | ||
3 | * security model is loaded. | ||
4 | * | ||
5 | * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com> | ||
6 | * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com> | ||
7 | * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com> | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or modify | ||
10 | * it under the terms of the GNU General Public License as published by | ||
11 | * the Free Software Foundation; either version 2 of the License, or | ||
12 | * (at your option) any later version. | ||
13 | */ | ||
14 | |||
15 | #undef DEBUG | ||
16 | |||
17 | #include <linux/capability.h> | ||
18 | #include <linux/kernel.h> | ||
19 | #include <linux/mman.h> | ||
20 | #include <linux/pagemap.h> | ||
21 | #include <linux/swap.h> | ||
22 | #include <linux/security.h> | ||
23 | #include <linux/skbuff.h> | ||
24 | #include <linux/netlink.h> | ||
25 | #include <net/sock.h> | ||
26 | #include <linux/xattr.h> | ||
27 | #include <linux/hugetlb.h> | ||
28 | #include <linux/ptrace.h> | ||
29 | #include <linux/file.h> | ||
30 | #include <linux/prctl.h> | ||
31 | #include <linux/securebits.h> | ||
32 | |||
33 | static int dummy_ptrace (struct task_struct *parent, struct task_struct *child, | ||
34 | unsigned int mode) | ||
35 | { | ||
36 | return 0; | ||
37 | } | ||
38 | |||
39 | static int dummy_capget (struct task_struct *target, kernel_cap_t * effective, | ||
40 | kernel_cap_t * inheritable, kernel_cap_t * permitted) | ||
41 | { | ||
42 | if (target->euid == 0) { | ||
43 | cap_set_full(*permitted); | ||
44 | cap_set_init_eff(*effective); | ||
45 | } else { | ||
46 | cap_clear(*permitted); | ||
47 | cap_clear(*effective); | ||
48 | } | ||
49 | |||
50 | cap_clear(*inheritable); | ||
51 | |||
52 | if (target->fsuid != 0) { | ||
53 | *permitted = cap_drop_fs_set(*permitted); | ||
54 | *effective = cap_drop_fs_set(*effective); | ||
55 | } | ||
56 | return 0; | ||
57 | } | ||
58 | |||
59 | static int dummy_capset_check (struct task_struct *target, | ||
60 | kernel_cap_t * effective, | ||
61 | kernel_cap_t * inheritable, | ||
62 | kernel_cap_t * permitted) | ||
63 | { | ||
64 | return -EPERM; | ||
65 | } | ||
66 | |||
67 | static void dummy_capset_set (struct task_struct *target, | ||
68 | kernel_cap_t * effective, | ||
69 | kernel_cap_t * inheritable, | ||
70 | kernel_cap_t * permitted) | ||
71 | { | ||
72 | return; | ||
73 | } | ||
74 | |||
75 | static int dummy_acct (struct file *file) | ||
76 | { | ||
77 | return 0; | ||
78 | } | ||
79 | |||
80 | static int dummy_capable (struct task_struct *tsk, int cap) | ||
81 | { | ||
82 | if (cap_raised (tsk->cap_effective, cap)) | ||
83 | return 0; | ||
84 | return -EPERM; | ||
85 | } | ||
86 | |||
87 | static int dummy_sysctl (ctl_table * table, int op) | ||
88 | { | ||
89 | return 0; | ||
90 | } | ||
91 | |||
92 | static int dummy_quotactl (int cmds, int type, int id, struct super_block *sb) | ||
93 | { | ||
94 | return 0; | ||
95 | } | ||
96 | |||
97 | static int dummy_quota_on (struct dentry *dentry) | ||
98 | { | ||
99 | return 0; | ||
100 | } | ||
101 | |||
102 | static int dummy_syslog (int type) | ||
103 | { | ||
104 | if ((type != 3 && type != 10) && current->euid) | ||
105 | return -EPERM; | ||
106 | return 0; | ||
107 | } | ||
108 | |||
109 | static int dummy_settime(struct timespec *ts, struct timezone *tz) | ||
110 | { | ||
111 | if (!capable(CAP_SYS_TIME)) | ||
112 | return -EPERM; | ||
113 | return 0; | ||
114 | } | ||
115 | |||
116 | static int dummy_vm_enough_memory(struct mm_struct *mm, long pages) | ||
117 | { | ||
118 | int cap_sys_admin = 0; | ||
119 | |||
120 | if (dummy_capable(current, CAP_SYS_ADMIN) == 0) | ||
121 | cap_sys_admin = 1; | ||
122 | return __vm_enough_memory(mm, pages, cap_sys_admin); | ||
123 | } | ||
124 | |||
125 | static int dummy_bprm_alloc_security (struct linux_binprm *bprm) | ||
126 | { | ||
127 | return 0; | ||
128 | } | ||
129 | |||
130 | static void dummy_bprm_free_security (struct linux_binprm *bprm) | ||
131 | { | ||
132 | return; | ||
133 | } | ||
134 | |||
135 | static void dummy_bprm_apply_creds (struct linux_binprm *bprm, int unsafe) | ||
136 | { | ||
137 | if (bprm->e_uid != current->uid || bprm->e_gid != current->gid) { | ||
138 | set_dumpable(current->mm, suid_dumpable); | ||
139 | |||
140 | if ((unsafe & ~LSM_UNSAFE_PTRACE_CAP) && !capable(CAP_SETUID)) { | ||
141 | bprm->e_uid = current->uid; | ||
142 | bprm->e_gid = current->gid; | ||
143 | } | ||
144 | } | ||
145 | |||
146 | current->suid = current->euid = current->fsuid = bprm->e_uid; | ||
147 | current->sgid = current->egid = current->fsgid = bprm->e_gid; | ||
148 | |||
149 | dummy_capget(current, ¤t->cap_effective, ¤t->cap_inheritable, ¤t->cap_permitted); | ||
150 | } | ||
151 | |||
152 | static void dummy_bprm_post_apply_creds (struct linux_binprm *bprm) | ||
153 | { | ||
154 | return; | ||
155 | } | ||
156 | |||
157 | static int dummy_bprm_set_security (struct linux_binprm *bprm) | ||
158 | { | ||
159 | return 0; | ||
160 | } | ||
161 | |||
162 | static int dummy_bprm_check_security (struct linux_binprm *bprm) | ||
163 | { | ||
164 | return 0; | ||
165 | } | ||
166 | |||
167 | static int dummy_bprm_secureexec (struct linux_binprm *bprm) | ||
168 | { | ||
169 | /* The new userland will simply use the value provided | ||
170 | in the AT_SECURE field to decide whether secure mode | ||
171 | is required. Hence, this logic is required to preserve | ||
172 | the legacy decision algorithm used by the old userland. */ | ||
173 | return (current->euid != current->uid || | ||
174 | current->egid != current->gid); | ||
175 | } | ||
176 | |||
177 | static int dummy_sb_alloc_security (struct super_block *sb) | ||
178 | { | ||
179 | return 0; | ||
180 | } | ||
181 | |||
182 | static void dummy_sb_free_security (struct super_block *sb) | ||
183 | { | ||
184 | return; | ||
185 | } | ||
186 | |||
187 | static int dummy_sb_copy_data (char *orig, char *copy) | ||
188 | { | ||
189 | return 0; | ||
190 | } | ||
191 | |||
192 | static int dummy_sb_kern_mount (struct super_block *sb, void *data) | ||
193 | { | ||
194 | return 0; | ||
195 | } | ||
196 | |||
197 | static int dummy_sb_show_options(struct seq_file *m, struct super_block *sb) | ||
198 | { | ||
199 | return 0; | ||
200 | } | ||
201 | |||
202 | static int dummy_sb_statfs (struct dentry *dentry) | ||
203 | { | ||
204 | return 0; | ||
205 | } | ||
206 | |||
207 | static int dummy_sb_mount (char *dev_name, struct path *path, char *type, | ||
208 | unsigned long flags, void *data) | ||
209 | { | ||
210 | return 0; | ||
211 | } | ||
212 | |||
213 | static int dummy_sb_check_sb (struct vfsmount *mnt, struct path *path) | ||
214 | { | ||
215 | return 0; | ||
216 | } | ||
217 | |||
218 | static int dummy_sb_umount (struct vfsmount *mnt, int flags) | ||
219 | { | ||
220 | return 0; | ||
221 | } | ||
222 | |||
223 | static void dummy_sb_umount_close (struct vfsmount *mnt) | ||
224 | { | ||
225 | return; | ||
226 | } | ||
227 | |||
228 | static void dummy_sb_umount_busy (struct vfsmount *mnt) | ||
229 | { | ||
230 | return; | ||
231 | } | ||
232 | |||
233 | static void dummy_sb_post_remount (struct vfsmount *mnt, unsigned long flags, | ||
234 | void *data) | ||
235 | { | ||
236 | return; | ||
237 | } | ||
238 | |||
239 | |||
240 | static void dummy_sb_post_addmount (struct vfsmount *mnt, struct path *path) | ||
241 | { | ||
242 | return; | ||
243 | } | ||
244 | |||
245 | static int dummy_sb_pivotroot (struct path *old_path, struct path *new_path) | ||
246 | { | ||
247 | return 0; | ||
248 | } | ||
249 | |||
250 | static void dummy_sb_post_pivotroot (struct path *old_path, struct path *new_path) | ||
251 | { | ||
252 | return; | ||
253 | } | ||
254 | |||
255 | static int dummy_sb_set_mnt_opts(struct super_block *sb, | ||
256 | struct security_mnt_opts *opts) | ||
257 | { | ||
258 | if (unlikely(opts->num_mnt_opts)) | ||
259 | return -EOPNOTSUPP; | ||
260 | return 0; | ||
261 | } | ||
262 | |||
263 | static void dummy_sb_clone_mnt_opts(const struct super_block *oldsb, | ||
264 | struct super_block *newsb) | ||
265 | { | ||
266 | return; | ||
267 | } | ||
268 | |||
269 | static int dummy_sb_parse_opts_str(char *options, struct security_mnt_opts *opts) | ||
270 | { | ||
271 | return 0; | ||
272 | } | ||
273 | |||
274 | static int dummy_inode_alloc_security (struct inode *inode) | ||
275 | { | ||
276 | return 0; | ||
277 | } | ||
278 | |||
279 | static void dummy_inode_free_security (struct inode *inode) | ||
280 | { | ||
281 | return; | ||
282 | } | ||
283 | |||
284 | static int dummy_inode_init_security (struct inode *inode, struct inode *dir, | ||
285 | char **name, void **value, size_t *len) | ||
286 | { | ||
287 | return -EOPNOTSUPP; | ||
288 | } | ||
289 | |||
290 | static int dummy_inode_create (struct inode *inode, struct dentry *dentry, | ||
291 | int mask) | ||
292 | { | ||
293 | return 0; | ||
294 | } | ||
295 | |||
296 | static int dummy_inode_link (struct dentry *old_dentry, struct inode *inode, | ||
297 | struct dentry *new_dentry) | ||
298 | { | ||
299 | return 0; | ||
300 | } | ||
301 | |||
302 | static int dummy_inode_unlink (struct inode *inode, struct dentry *dentry) | ||
303 | { | ||
304 | return 0; | ||
305 | } | ||
306 | |||
307 | static int dummy_inode_symlink (struct inode *inode, struct dentry *dentry, | ||
308 | const char *name) | ||
309 | { | ||
310 | return 0; | ||
311 | } | ||
312 | |||
313 | static int dummy_inode_mkdir (struct inode *inode, struct dentry *dentry, | ||
314 | int mask) | ||
315 | { | ||
316 | return 0; | ||
317 | } | ||
318 | |||
319 | static int dummy_inode_rmdir (struct inode *inode, struct dentry *dentry) | ||
320 | { | ||
321 | return 0; | ||
322 | } | ||
323 | |||
324 | static int dummy_inode_mknod (struct inode *inode, struct dentry *dentry, | ||
325 | int mode, dev_t dev) | ||
326 | { | ||
327 | return 0; | ||
328 | } | ||
329 | |||
330 | static int dummy_inode_rename (struct inode *old_inode, | ||
331 | struct dentry *old_dentry, | ||
332 | struct inode *new_inode, | ||
333 | struct dentry *new_dentry) | ||
334 | { | ||
335 | return 0; | ||
336 | } | ||
337 | |||
338 | static int dummy_inode_readlink (struct dentry *dentry) | ||
339 | { | ||
340 | return 0; | ||
341 | } | ||
342 | |||
343 | static int dummy_inode_follow_link (struct dentry *dentry, | ||
344 | struct nameidata *nameidata) | ||
345 | { | ||
346 | return 0; | ||
347 | } | ||
348 | |||
349 | static int dummy_inode_permission (struct inode *inode, int mask, struct nameidata *nd) | ||
350 | { | ||
351 | return 0; | ||
352 | } | ||
353 | |||
354 | static int dummy_inode_setattr (struct dentry *dentry, struct iattr *iattr) | ||
355 | { | ||
356 | return 0; | ||
357 | } | ||
358 | |||
359 | static int dummy_inode_getattr (struct vfsmount *mnt, struct dentry *dentry) | ||
360 | { | ||
361 | return 0; | ||
362 | } | ||
363 | |||
364 | static void dummy_inode_delete (struct inode *ino) | ||
365 | { | ||
366 | return; | ||
367 | } | ||
368 | |||
369 | static int dummy_inode_setxattr (struct dentry *dentry, const char *name, | ||
370 | const void *value, size_t size, int flags) | ||
371 | { | ||
372 | if (!strncmp(name, XATTR_SECURITY_PREFIX, | ||
373 | sizeof(XATTR_SECURITY_PREFIX) - 1) && | ||
374 | !capable(CAP_SYS_ADMIN)) | ||
375 | return -EPERM; | ||
376 | return 0; | ||
377 | } | ||
378 | |||
379 | static void dummy_inode_post_setxattr (struct dentry *dentry, const char *name, | ||
380 | const void *value, size_t size, | ||
381 | int flags) | ||
382 | { | ||
383 | } | ||
384 | |||
385 | static int dummy_inode_getxattr (struct dentry *dentry, const char *name) | ||
386 | { | ||
387 | return 0; | ||
388 | } | ||
389 | |||
390 | static int dummy_inode_listxattr (struct dentry *dentry) | ||
391 | { | ||
392 | return 0; | ||
393 | } | ||
394 | |||
395 | static int dummy_inode_removexattr (struct dentry *dentry, const char *name) | ||
396 | { | ||
397 | if (!strncmp(name, XATTR_SECURITY_PREFIX, | ||
398 | sizeof(XATTR_SECURITY_PREFIX) - 1) && | ||
399 | !capable(CAP_SYS_ADMIN)) | ||
400 | return -EPERM; | ||
401 | return 0; | ||
402 | } | ||
403 | |||
404 | static int dummy_inode_need_killpriv(struct dentry *dentry) | ||
405 | { | ||
406 | return 0; | ||
407 | } | ||
408 | |||
409 | static int dummy_inode_killpriv(struct dentry *dentry) | ||
410 | { | ||
411 | return 0; | ||
412 | } | ||
413 | |||
414 | static int dummy_inode_getsecurity(const struct inode *inode, const char *name, void **buffer, bool alloc) | ||
415 | { | ||
416 | return -EOPNOTSUPP; | ||
417 | } | ||
418 | |||
419 | static int dummy_inode_setsecurity(struct inode *inode, const char *name, const void *value, size_t size, int flags) | ||
420 | { | ||
421 | return -EOPNOTSUPP; | ||
422 | } | ||
423 | |||
424 | static int dummy_inode_listsecurity(struct inode *inode, char *buffer, size_t buffer_size) | ||
425 | { | ||
426 | return 0; | ||
427 | } | ||
428 | |||
429 | static void dummy_inode_getsecid(const struct inode *inode, u32 *secid) | ||
430 | { | ||
431 | *secid = 0; | ||
432 | } | ||
433 | |||
434 | static int dummy_file_permission (struct file *file, int mask) | ||
435 | { | ||
436 | return 0; | ||
437 | } | ||
438 | |||
439 | static int dummy_file_alloc_security (struct file *file) | ||
440 | { | ||
441 | return 0; | ||
442 | } | ||
443 | |||
444 | static void dummy_file_free_security (struct file *file) | ||
445 | { | ||
446 | return; | ||
447 | } | ||
448 | |||
449 | static int dummy_file_ioctl (struct file *file, unsigned int command, | ||
450 | unsigned long arg) | ||
451 | { | ||
452 | return 0; | ||
453 | } | ||
454 | |||
455 | static int dummy_file_mmap (struct file *file, unsigned long reqprot, | ||
456 | unsigned long prot, | ||
457 | unsigned long flags, | ||
458 | unsigned long addr, | ||
459 | unsigned long addr_only) | ||
460 | { | ||
461 | if ((addr < mmap_min_addr) && !capable(CAP_SYS_RAWIO)) | ||
462 | return -EACCES; | ||
463 | return 0; | ||
464 | } | ||
465 | |||
466 | static int dummy_file_mprotect (struct vm_area_struct *vma, | ||
467 | unsigned long reqprot, | ||
468 | unsigned long prot) | ||
469 | { | ||
470 | return 0; | ||
471 | } | ||
472 | |||
473 | static int dummy_file_lock (struct file *file, unsigned int cmd) | ||
474 | { | ||
475 | return 0; | ||
476 | } | ||
477 | |||
478 | static int dummy_file_fcntl (struct file *file, unsigned int cmd, | ||
479 | unsigned long arg) | ||
480 | { | ||
481 | return 0; | ||
482 | } | ||
483 | |||
484 | static int dummy_file_set_fowner (struct file *file) | ||
485 | { | ||
486 | return 0; | ||
487 | } | ||
488 | |||
489 | static int dummy_file_send_sigiotask (struct task_struct *tsk, | ||
490 | struct fown_struct *fown, int sig) | ||
491 | { | ||
492 | return 0; | ||
493 | } | ||
494 | |||
495 | static int dummy_file_receive (struct file *file) | ||
496 | { | ||
497 | return 0; | ||
498 | } | ||
499 | |||
500 | static int dummy_dentry_open (struct file *file) | ||
501 | { | ||
502 | return 0; | ||
503 | } | ||
504 | |||
505 | static int dummy_task_create (unsigned long clone_flags) | ||
506 | { | ||
507 | return 0; | ||
508 | } | ||
509 | |||
510 | static int dummy_task_alloc_security (struct task_struct *p) | ||
511 | { | ||
512 | return 0; | ||
513 | } | ||
514 | |||
515 | static void dummy_task_free_security (struct task_struct *p) | ||
516 | { | ||
517 | return; | ||
518 | } | ||
519 | |||
520 | static int dummy_task_setuid (uid_t id0, uid_t id1, uid_t id2, int flags) | ||
521 | { | ||
522 | return 0; | ||
523 | } | ||
524 | |||
525 | static int dummy_task_post_setuid (uid_t id0, uid_t id1, uid_t id2, int flags) | ||
526 | { | ||
527 | dummy_capget(current, ¤t->cap_effective, ¤t->cap_inheritable, ¤t->cap_permitted); | ||
528 | return 0; | ||
529 | } | ||
530 | |||
531 | static int dummy_task_setgid (gid_t id0, gid_t id1, gid_t id2, int flags) | ||
532 | { | ||
533 | return 0; | ||
534 | } | ||
535 | |||
536 | static int dummy_task_setpgid (struct task_struct *p, pid_t pgid) | ||
537 | { | ||
538 | return 0; | ||
539 | } | ||
540 | |||
541 | static int dummy_task_getpgid (struct task_struct *p) | ||
542 | { | ||
543 | return 0; | ||
544 | } | ||
545 | |||
546 | static int dummy_task_getsid (struct task_struct *p) | ||
547 | { | ||
548 | return 0; | ||
549 | } | ||
550 | |||
551 | static void dummy_task_getsecid (struct task_struct *p, u32 *secid) | ||
552 | { | ||
553 | *secid = 0; | ||
554 | } | ||
555 | |||
556 | static int dummy_task_setgroups (struct group_info *group_info) | ||
557 | { | ||
558 | return 0; | ||
559 | } | ||
560 | |||
561 | static int dummy_task_setnice (struct task_struct *p, int nice) | ||
562 | { | ||
563 | return 0; | ||
564 | } | ||
565 | |||
566 | static int dummy_task_setioprio (struct task_struct *p, int ioprio) | ||
567 | { | ||
568 | return 0; | ||
569 | } | ||
570 | |||
571 | static int dummy_task_getioprio (struct task_struct *p) | ||
572 | { | ||
573 | return 0; | ||
574 | } | ||
575 | |||
576 | static int dummy_task_setrlimit (unsigned int resource, struct rlimit *new_rlim) | ||
577 | { | ||
578 | return 0; | ||
579 | } | ||
580 | |||
581 | static int dummy_task_setscheduler (struct task_struct *p, int policy, | ||
582 | struct sched_param *lp) | ||
583 | { | ||
584 | return 0; | ||
585 | } | ||
586 | |||
587 | static int dummy_task_getscheduler (struct task_struct *p) | ||
588 | { | ||
589 | return 0; | ||
590 | } | ||
591 | |||
592 | static int dummy_task_movememory (struct task_struct *p) | ||
593 | { | ||
594 | return 0; | ||
595 | } | ||
596 | |||
597 | static int dummy_task_wait (struct task_struct *p) | ||
598 | { | ||
599 | return 0; | ||
600 | } | ||
601 | |||
602 | static int dummy_task_kill (struct task_struct *p, struct siginfo *info, | ||
603 | int sig, u32 secid) | ||
604 | { | ||
605 | return 0; | ||
606 | } | ||
607 | |||
608 | static int dummy_task_prctl (int option, unsigned long arg2, unsigned long arg3, | ||
609 | unsigned long arg4, unsigned long arg5, long *rc_p) | ||
610 | { | ||
611 | switch (option) { | ||
612 | case PR_CAPBSET_READ: | ||
613 | *rc_p = (cap_valid(arg2) ? 1 : -EINVAL); | ||
614 | break; | ||
615 | case PR_GET_KEEPCAPS: | ||
616 | *rc_p = issecure(SECURE_KEEP_CAPS); | ||
617 | break; | ||
618 | case PR_SET_KEEPCAPS: | ||
619 | if (arg2 > 1) | ||
620 | *rc_p = -EINVAL; | ||
621 | else if (arg2) | ||
622 | current->securebits |= issecure_mask(SECURE_KEEP_CAPS); | ||
623 | else | ||
624 | current->securebits &= | ||
625 | ~issecure_mask(SECURE_KEEP_CAPS); | ||
626 | break; | ||
627 | default: | ||
628 | return 0; | ||
629 | } | ||
630 | |||
631 | return 1; | ||
632 | } | ||
633 | |||
634 | static void dummy_task_reparent_to_init (struct task_struct *p) | ||
635 | { | ||
636 | p->euid = p->fsuid = 0; | ||
637 | return; | ||
638 | } | ||
639 | |||
640 | static void dummy_task_to_inode(struct task_struct *p, struct inode *inode) | ||
641 | { } | ||
642 | |||
643 | static int dummy_ipc_permission (struct kern_ipc_perm *ipcp, short flag) | ||
644 | { | ||
645 | return 0; | ||
646 | } | ||
647 | |||
648 | static void dummy_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) | ||
649 | { | ||
650 | *secid = 0; | ||
651 | } | ||
652 | |||
653 | static int dummy_msg_msg_alloc_security (struct msg_msg *msg) | ||
654 | { | ||
655 | return 0; | ||
656 | } | ||
657 | |||
658 | static void dummy_msg_msg_free_security (struct msg_msg *msg) | ||
659 | { | ||
660 | return; | ||
661 | } | ||
662 | |||
663 | static int dummy_msg_queue_alloc_security (struct msg_queue *msq) | ||
664 | { | ||
665 | return 0; | ||
666 | } | ||
667 | |||
668 | static void dummy_msg_queue_free_security (struct msg_queue *msq) | ||
669 | { | ||
670 | return; | ||
671 | } | ||
672 | |||
673 | static int dummy_msg_queue_associate (struct msg_queue *msq, | ||
674 | int msqflg) | ||
675 | { | ||
676 | return 0; | ||
677 | } | ||
678 | |||
679 | static int dummy_msg_queue_msgctl (struct msg_queue *msq, int cmd) | ||
680 | { | ||
681 | return 0; | ||
682 | } | ||
683 | |||
684 | static int dummy_msg_queue_msgsnd (struct msg_queue *msq, struct msg_msg *msg, | ||
685 | int msgflg) | ||
686 | { | ||
687 | return 0; | ||
688 | } | ||
689 | |||
690 | static int dummy_msg_queue_msgrcv (struct msg_queue *msq, struct msg_msg *msg, | ||
691 | struct task_struct *target, long type, | ||
692 | int mode) | ||
693 | { | ||
694 | return 0; | ||
695 | } | ||
696 | |||
697 | static int dummy_shm_alloc_security (struct shmid_kernel *shp) | ||
698 | { | ||
699 | return 0; | ||
700 | } | ||
701 | |||
702 | static void dummy_shm_free_security (struct shmid_kernel *shp) | ||
703 | { | ||
704 | return; | ||
705 | } | ||
706 | |||
707 | static int dummy_shm_associate (struct shmid_kernel *shp, int shmflg) | ||
708 | { | ||
709 | return 0; | ||
710 | } | ||
711 | |||
712 | static int dummy_shm_shmctl (struct shmid_kernel *shp, int cmd) | ||
713 | { | ||
714 | return 0; | ||
715 | } | ||
716 | |||
717 | static int dummy_shm_shmat (struct shmid_kernel *shp, char __user *shmaddr, | ||
718 | int shmflg) | ||
719 | { | ||
720 | return 0; | ||
721 | } | ||
722 | |||
723 | static int dummy_sem_alloc_security (struct sem_array *sma) | ||
724 | { | ||
725 | return 0; | ||
726 | } | ||
727 | |||
728 | static void dummy_sem_free_security (struct sem_array *sma) | ||
729 | { | ||
730 | return; | ||
731 | } | ||
732 | |||
733 | static int dummy_sem_associate (struct sem_array *sma, int semflg) | ||
734 | { | ||
735 | return 0; | ||
736 | } | ||
737 | |||
738 | static int dummy_sem_semctl (struct sem_array *sma, int cmd) | ||
739 | { | ||
740 | return 0; | ||
741 | } | ||
742 | |||
743 | static int dummy_sem_semop (struct sem_array *sma, | ||
744 | struct sembuf *sops, unsigned nsops, int alter) | ||
745 | { | ||
746 | return 0; | ||
747 | } | ||
748 | |||
749 | static int dummy_netlink_send (struct sock *sk, struct sk_buff *skb) | ||
750 | { | ||
751 | NETLINK_CB(skb).eff_cap = current->cap_effective; | ||
752 | return 0; | ||
753 | } | ||
754 | |||
755 | static int dummy_netlink_recv (struct sk_buff *skb, int cap) | ||
756 | { | ||
757 | if (!cap_raised (NETLINK_CB (skb).eff_cap, cap)) | ||
758 | return -EPERM; | ||
759 | return 0; | ||
760 | } | ||
761 | |||
762 | #ifdef CONFIG_SECURITY_NETWORK | ||
763 | static int dummy_unix_stream_connect (struct socket *sock, | ||
764 | struct socket *other, | ||
765 | struct sock *newsk) | ||
766 | { | ||
767 | return 0; | ||
768 | } | ||
769 | |||
770 | static int dummy_unix_may_send (struct socket *sock, | ||
771 | struct socket *other) | ||
772 | { | ||
773 | return 0; | ||
774 | } | ||
775 | |||
776 | static int dummy_socket_create (int family, int type, | ||
777 | int protocol, int kern) | ||
778 | { | ||
779 | return 0; | ||
780 | } | ||
781 | |||
782 | static int dummy_socket_post_create (struct socket *sock, int family, int type, | ||
783 | int protocol, int kern) | ||
784 | { | ||
785 | return 0; | ||
786 | } | ||
787 | |||
788 | static int dummy_socket_bind (struct socket *sock, struct sockaddr *address, | ||
789 | int addrlen) | ||
790 | { | ||
791 | return 0; | ||
792 | } | ||
793 | |||
794 | static int dummy_socket_connect (struct socket *sock, struct sockaddr *address, | ||
795 | int addrlen) | ||
796 | { | ||
797 | return 0; | ||
798 | } | ||
799 | |||
800 | static int dummy_socket_listen (struct socket *sock, int backlog) | ||
801 | { | ||
802 | return 0; | ||
803 | } | ||
804 | |||
805 | static int dummy_socket_accept (struct socket *sock, struct socket *newsock) | ||
806 | { | ||
807 | return 0; | ||
808 | } | ||
809 | |||
810 | static void dummy_socket_post_accept (struct socket *sock, | ||
811 | struct socket *newsock) | ||
812 | { | ||
813 | return; | ||
814 | } | ||
815 | |||
816 | static int dummy_socket_sendmsg (struct socket *sock, struct msghdr *msg, | ||
817 | int size) | ||
818 | { | ||
819 | return 0; | ||
820 | } | ||
821 | |||
822 | static int dummy_socket_recvmsg (struct socket *sock, struct msghdr *msg, | ||
823 | int size, int flags) | ||
824 | { | ||
825 | return 0; | ||
826 | } | ||
827 | |||
828 | static int dummy_socket_getsockname (struct socket *sock) | ||
829 | { | ||
830 | return 0; | ||
831 | } | ||
832 | |||
833 | static int dummy_socket_getpeername (struct socket *sock) | ||
834 | { | ||
835 | return 0; | ||
836 | } | ||
837 | |||
838 | static int dummy_socket_setsockopt (struct socket *sock, int level, int optname) | ||
839 | { | ||
840 | return 0; | ||
841 | } | ||
842 | |||
843 | static int dummy_socket_getsockopt (struct socket *sock, int level, int optname) | ||
844 | { | ||
845 | return 0; | ||
846 | } | ||
847 | |||
848 | static int dummy_socket_shutdown (struct socket *sock, int how) | ||
849 | { | ||
850 | return 0; | ||
851 | } | ||
852 | |||
853 | static int dummy_socket_sock_rcv_skb (struct sock *sk, struct sk_buff *skb) | ||
854 | { | ||
855 | return 0; | ||
856 | } | ||
857 | |||
858 | static int dummy_socket_getpeersec_stream(struct socket *sock, char __user *optval, | ||
859 | int __user *optlen, unsigned len) | ||
860 | { | ||
861 | return -ENOPROTOOPT; | ||
862 | } | ||
863 | |||
864 | static int dummy_socket_getpeersec_dgram(struct socket *sock, struct sk_buff *skb, u32 *secid) | ||
865 | { | ||
866 | return -ENOPROTOOPT; | ||
867 | } | ||
868 | |||
869 | static inline int dummy_sk_alloc_security (struct sock *sk, int family, gfp_t priority) | ||
870 | { | ||
871 | return 0; | ||
872 | } | ||
873 | |||
874 | static inline void dummy_sk_free_security (struct sock *sk) | ||
875 | { | ||
876 | } | ||
877 | |||
878 | static inline void dummy_sk_clone_security (const struct sock *sk, struct sock *newsk) | ||
879 | { | ||
880 | } | ||
881 | |||
882 | static inline void dummy_sk_getsecid(struct sock *sk, u32 *secid) | ||
883 | { | ||
884 | } | ||
885 | |||
886 | static inline void dummy_sock_graft(struct sock* sk, struct socket *parent) | ||
887 | { | ||
888 | } | ||
889 | |||
890 | static inline int dummy_inet_conn_request(struct sock *sk, | ||
891 | struct sk_buff *skb, struct request_sock *req) | ||
892 | { | ||
893 | return 0; | ||
894 | } | ||
895 | |||
896 | static inline void dummy_inet_csk_clone(struct sock *newsk, | ||
897 | const struct request_sock *req) | ||
898 | { | ||
899 | } | ||
900 | |||
901 | static inline void dummy_inet_conn_established(struct sock *sk, | ||
902 | struct sk_buff *skb) | ||
903 | { | ||
904 | } | ||
905 | |||
906 | static inline void dummy_req_classify_flow(const struct request_sock *req, | ||
907 | struct flowi *fl) | ||
908 | { | ||
909 | } | ||
910 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
911 | |||
912 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | ||
913 | static int dummy_xfrm_policy_alloc_security(struct xfrm_sec_ctx **ctxp, | ||
914 | struct xfrm_user_sec_ctx *sec_ctx) | ||
915 | { | ||
916 | return 0; | ||
917 | } | ||
918 | |||
919 | static inline int dummy_xfrm_policy_clone_security(struct xfrm_sec_ctx *old_ctx, | ||
920 | struct xfrm_sec_ctx **new_ctxp) | ||
921 | { | ||
922 | return 0; | ||
923 | } | ||
924 | |||
925 | static void dummy_xfrm_policy_free_security(struct xfrm_sec_ctx *ctx) | ||
926 | { | ||
927 | } | ||
928 | |||
929 | static int dummy_xfrm_policy_delete_security(struct xfrm_sec_ctx *ctx) | ||
930 | { | ||
931 | return 0; | ||
932 | } | ||
933 | |||
934 | static int dummy_xfrm_state_alloc_security(struct xfrm_state *x, | ||
935 | struct xfrm_user_sec_ctx *sec_ctx, u32 secid) | ||
936 | { | ||
937 | return 0; | ||
938 | } | ||
939 | |||
940 | static void dummy_xfrm_state_free_security(struct xfrm_state *x) | ||
941 | { | ||
942 | } | ||
943 | |||
944 | static int dummy_xfrm_state_delete_security(struct xfrm_state *x) | ||
945 | { | ||
946 | return 0; | ||
947 | } | ||
948 | |||
949 | static int dummy_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, | ||
950 | u32 sk_sid, u8 dir) | ||
951 | { | ||
952 | return 0; | ||
953 | } | ||
954 | |||
955 | static int dummy_xfrm_state_pol_flow_match(struct xfrm_state *x, | ||
956 | struct xfrm_policy *xp, struct flowi *fl) | ||
957 | { | ||
958 | return 1; | ||
959 | } | ||
960 | |||
961 | static int dummy_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall) | ||
962 | { | ||
963 | return 0; | ||
964 | } | ||
965 | |||
966 | #endif /* CONFIG_SECURITY_NETWORK_XFRM */ | ||
967 | static int dummy_register_security (const char *name, struct security_operations *ops) | ||
968 | { | ||
969 | return -EINVAL; | ||
970 | } | ||
971 | |||
972 | static void dummy_d_instantiate (struct dentry *dentry, struct inode *inode) | ||
973 | { | ||
974 | return; | ||
975 | } | ||
976 | |||
977 | static int dummy_getprocattr(struct task_struct *p, char *name, char **value) | ||
978 | { | ||
979 | return -EINVAL; | ||
980 | } | ||
981 | |||
982 | static int dummy_setprocattr(struct task_struct *p, char *name, void *value, size_t size) | ||
983 | { | ||
984 | return -EINVAL; | ||
985 | } | ||
986 | |||
987 | static int dummy_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) | ||
988 | { | ||
989 | return -EOPNOTSUPP; | ||
990 | } | ||
991 | |||
992 | static int dummy_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) | ||
993 | { | ||
994 | return -EOPNOTSUPP; | ||
995 | } | ||
996 | |||
997 | static void dummy_release_secctx(char *secdata, u32 seclen) | ||
998 | { | ||
999 | } | ||
1000 | |||
1001 | #ifdef CONFIG_KEYS | ||
1002 | static inline int dummy_key_alloc(struct key *key, struct task_struct *ctx, | ||
1003 | unsigned long flags) | ||
1004 | { | ||
1005 | return 0; | ||
1006 | } | ||
1007 | |||
1008 | static inline void dummy_key_free(struct key *key) | ||
1009 | { | ||
1010 | } | ||
1011 | |||
1012 | static inline int dummy_key_permission(key_ref_t key_ref, | ||
1013 | struct task_struct *context, | ||
1014 | key_perm_t perm) | ||
1015 | { | ||
1016 | return 0; | ||
1017 | } | ||
1018 | |||
1019 | static int dummy_key_getsecurity(struct key *key, char **_buffer) | ||
1020 | { | ||
1021 | *_buffer = NULL; | ||
1022 | return 0; | ||
1023 | } | ||
1024 | |||
1025 | #endif /* CONFIG_KEYS */ | ||
1026 | |||
1027 | #ifdef CONFIG_AUDIT | ||
1028 | static inline int dummy_audit_rule_init(u32 field, u32 op, char *rulestr, | ||
1029 | void **lsmrule) | ||
1030 | { | ||
1031 | return 0; | ||
1032 | } | ||
1033 | |||
1034 | static inline int dummy_audit_rule_known(struct audit_krule *krule) | ||
1035 | { | ||
1036 | return 0; | ||
1037 | } | ||
1038 | |||
1039 | static inline int dummy_audit_rule_match(u32 secid, u32 field, u32 op, | ||
1040 | void *lsmrule, | ||
1041 | struct audit_context *actx) | ||
1042 | { | ||
1043 | return 0; | ||
1044 | } | ||
1045 | |||
1046 | static inline void dummy_audit_rule_free(void *lsmrule) | ||
1047 | { } | ||
1048 | |||
1049 | #endif /* CONFIG_AUDIT */ | ||
1050 | |||
1051 | struct security_operations dummy_security_ops = { | ||
1052 | .name = "dummy", | ||
1053 | }; | ||
1054 | |||
1055 | #define set_to_dummy_if_null(ops, function) \ | ||
1056 | do { \ | ||
1057 | if (!ops->function) { \ | ||
1058 | ops->function = dummy_##function; \ | ||
1059 | pr_debug("Had to override the " #function \ | ||
1060 | " security operation with the dummy one.\n");\ | ||
1061 | } \ | ||
1062 | } while (0) | ||
1063 | |||
1064 | void security_fixup_ops (struct security_operations *ops) | ||
1065 | { | ||
1066 | set_to_dummy_if_null(ops, ptrace); | ||
1067 | set_to_dummy_if_null(ops, capget); | ||
1068 | set_to_dummy_if_null(ops, capset_check); | ||
1069 | set_to_dummy_if_null(ops, capset_set); | ||
1070 | set_to_dummy_if_null(ops, acct); | ||
1071 | set_to_dummy_if_null(ops, capable); | ||
1072 | set_to_dummy_if_null(ops, quotactl); | ||
1073 | set_to_dummy_if_null(ops, quota_on); | ||
1074 | set_to_dummy_if_null(ops, sysctl); | ||
1075 | set_to_dummy_if_null(ops, syslog); | ||
1076 | set_to_dummy_if_null(ops, settime); | ||
1077 | set_to_dummy_if_null(ops, vm_enough_memory); | ||
1078 | set_to_dummy_if_null(ops, bprm_alloc_security); | ||
1079 | set_to_dummy_if_null(ops, bprm_free_security); | ||
1080 | set_to_dummy_if_null(ops, bprm_apply_creds); | ||
1081 | set_to_dummy_if_null(ops, bprm_post_apply_creds); | ||
1082 | set_to_dummy_if_null(ops, bprm_set_security); | ||
1083 | set_to_dummy_if_null(ops, bprm_check_security); | ||
1084 | set_to_dummy_if_null(ops, bprm_secureexec); | ||
1085 | set_to_dummy_if_null(ops, sb_alloc_security); | ||
1086 | set_to_dummy_if_null(ops, sb_free_security); | ||
1087 | set_to_dummy_if_null(ops, sb_copy_data); | ||
1088 | set_to_dummy_if_null(ops, sb_kern_mount); | ||
1089 | set_to_dummy_if_null(ops, sb_show_options); | ||
1090 | set_to_dummy_if_null(ops, sb_statfs); | ||
1091 | set_to_dummy_if_null(ops, sb_mount); | ||
1092 | set_to_dummy_if_null(ops, sb_check_sb); | ||
1093 | set_to_dummy_if_null(ops, sb_umount); | ||
1094 | set_to_dummy_if_null(ops, sb_umount_close); | ||
1095 | set_to_dummy_if_null(ops, sb_umount_busy); | ||
1096 | set_to_dummy_if_null(ops, sb_post_remount); | ||
1097 | set_to_dummy_if_null(ops, sb_post_addmount); | ||
1098 | set_to_dummy_if_null(ops, sb_pivotroot); | ||
1099 | set_to_dummy_if_null(ops, sb_post_pivotroot); | ||
1100 | set_to_dummy_if_null(ops, sb_set_mnt_opts); | ||
1101 | set_to_dummy_if_null(ops, sb_clone_mnt_opts); | ||
1102 | set_to_dummy_if_null(ops, sb_parse_opts_str); | ||
1103 | set_to_dummy_if_null(ops, inode_alloc_security); | ||
1104 | set_to_dummy_if_null(ops, inode_free_security); | ||
1105 | set_to_dummy_if_null(ops, inode_init_security); | ||
1106 | set_to_dummy_if_null(ops, inode_create); | ||
1107 | set_to_dummy_if_null(ops, inode_link); | ||
1108 | set_to_dummy_if_null(ops, inode_unlink); | ||
1109 | set_to_dummy_if_null(ops, inode_symlink); | ||
1110 | set_to_dummy_if_null(ops, inode_mkdir); | ||
1111 | set_to_dummy_if_null(ops, inode_rmdir); | ||
1112 | set_to_dummy_if_null(ops, inode_mknod); | ||
1113 | set_to_dummy_if_null(ops, inode_rename); | ||
1114 | set_to_dummy_if_null(ops, inode_readlink); | ||
1115 | set_to_dummy_if_null(ops, inode_follow_link); | ||
1116 | set_to_dummy_if_null(ops, inode_permission); | ||
1117 | set_to_dummy_if_null(ops, inode_setattr); | ||
1118 | set_to_dummy_if_null(ops, inode_getattr); | ||
1119 | set_to_dummy_if_null(ops, inode_delete); | ||
1120 | set_to_dummy_if_null(ops, inode_setxattr); | ||
1121 | set_to_dummy_if_null(ops, inode_post_setxattr); | ||
1122 | set_to_dummy_if_null(ops, inode_getxattr); | ||
1123 | set_to_dummy_if_null(ops, inode_listxattr); | ||
1124 | set_to_dummy_if_null(ops, inode_removexattr); | ||
1125 | set_to_dummy_if_null(ops, inode_need_killpriv); | ||
1126 | set_to_dummy_if_null(ops, inode_killpriv); | ||
1127 | set_to_dummy_if_null(ops, inode_getsecurity); | ||
1128 | set_to_dummy_if_null(ops, inode_setsecurity); | ||
1129 | set_to_dummy_if_null(ops, inode_listsecurity); | ||
1130 | set_to_dummy_if_null(ops, inode_getsecid); | ||
1131 | set_to_dummy_if_null(ops, file_permission); | ||
1132 | set_to_dummy_if_null(ops, file_alloc_security); | ||
1133 | set_to_dummy_if_null(ops, file_free_security); | ||
1134 | set_to_dummy_if_null(ops, file_ioctl); | ||
1135 | set_to_dummy_if_null(ops, file_mmap); | ||
1136 | set_to_dummy_if_null(ops, file_mprotect); | ||
1137 | set_to_dummy_if_null(ops, file_lock); | ||
1138 | set_to_dummy_if_null(ops, file_fcntl); | ||
1139 | set_to_dummy_if_null(ops, file_set_fowner); | ||
1140 | set_to_dummy_if_null(ops, file_send_sigiotask); | ||
1141 | set_to_dummy_if_null(ops, file_receive); | ||
1142 | set_to_dummy_if_null(ops, dentry_open); | ||
1143 | set_to_dummy_if_null(ops, task_create); | ||
1144 | set_to_dummy_if_null(ops, task_alloc_security); | ||
1145 | set_to_dummy_if_null(ops, task_free_security); | ||
1146 | set_to_dummy_if_null(ops, task_setuid); | ||
1147 | set_to_dummy_if_null(ops, task_post_setuid); | ||
1148 | set_to_dummy_if_null(ops, task_setgid); | ||
1149 | set_to_dummy_if_null(ops, task_setpgid); | ||
1150 | set_to_dummy_if_null(ops, task_getpgid); | ||
1151 | set_to_dummy_if_null(ops, task_getsid); | ||
1152 | set_to_dummy_if_null(ops, task_getsecid); | ||
1153 | set_to_dummy_if_null(ops, task_setgroups); | ||
1154 | set_to_dummy_if_null(ops, task_setnice); | ||
1155 | set_to_dummy_if_null(ops, task_setioprio); | ||
1156 | set_to_dummy_if_null(ops, task_getioprio); | ||
1157 | set_to_dummy_if_null(ops, task_setrlimit); | ||
1158 | set_to_dummy_if_null(ops, task_setscheduler); | ||
1159 | set_to_dummy_if_null(ops, task_getscheduler); | ||
1160 | set_to_dummy_if_null(ops, task_movememory); | ||
1161 | set_to_dummy_if_null(ops, task_wait); | ||
1162 | set_to_dummy_if_null(ops, task_kill); | ||
1163 | set_to_dummy_if_null(ops, task_prctl); | ||
1164 | set_to_dummy_if_null(ops, task_reparent_to_init); | ||
1165 | set_to_dummy_if_null(ops, task_to_inode); | ||
1166 | set_to_dummy_if_null(ops, ipc_permission); | ||
1167 | set_to_dummy_if_null(ops, ipc_getsecid); | ||
1168 | set_to_dummy_if_null(ops, msg_msg_alloc_security); | ||
1169 | set_to_dummy_if_null(ops, msg_msg_free_security); | ||
1170 | set_to_dummy_if_null(ops, msg_queue_alloc_security); | ||
1171 | set_to_dummy_if_null(ops, msg_queue_free_security); | ||
1172 | set_to_dummy_if_null(ops, msg_queue_associate); | ||
1173 | set_to_dummy_if_null(ops, msg_queue_msgctl); | ||
1174 | set_to_dummy_if_null(ops, msg_queue_msgsnd); | ||
1175 | set_to_dummy_if_null(ops, msg_queue_msgrcv); | ||
1176 | set_to_dummy_if_null(ops, shm_alloc_security); | ||
1177 | set_to_dummy_if_null(ops, shm_free_security); | ||
1178 | set_to_dummy_if_null(ops, shm_associate); | ||
1179 | set_to_dummy_if_null(ops, shm_shmctl); | ||
1180 | set_to_dummy_if_null(ops, shm_shmat); | ||
1181 | set_to_dummy_if_null(ops, sem_alloc_security); | ||
1182 | set_to_dummy_if_null(ops, sem_free_security); | ||
1183 | set_to_dummy_if_null(ops, sem_associate); | ||
1184 | set_to_dummy_if_null(ops, sem_semctl); | ||
1185 | set_to_dummy_if_null(ops, sem_semop); | ||
1186 | set_to_dummy_if_null(ops, netlink_send); | ||
1187 | set_to_dummy_if_null(ops, netlink_recv); | ||
1188 | set_to_dummy_if_null(ops, register_security); | ||
1189 | set_to_dummy_if_null(ops, d_instantiate); | ||
1190 | set_to_dummy_if_null(ops, getprocattr); | ||
1191 | set_to_dummy_if_null(ops, setprocattr); | ||
1192 | set_to_dummy_if_null(ops, secid_to_secctx); | ||
1193 | set_to_dummy_if_null(ops, secctx_to_secid); | ||
1194 | set_to_dummy_if_null(ops, release_secctx); | ||
1195 | #ifdef CONFIG_SECURITY_NETWORK | ||
1196 | set_to_dummy_if_null(ops, unix_stream_connect); | ||
1197 | set_to_dummy_if_null(ops, unix_may_send); | ||
1198 | set_to_dummy_if_null(ops, socket_create); | ||
1199 | set_to_dummy_if_null(ops, socket_post_create); | ||
1200 | set_to_dummy_if_null(ops, socket_bind); | ||
1201 | set_to_dummy_if_null(ops, socket_connect); | ||
1202 | set_to_dummy_if_null(ops, socket_listen); | ||
1203 | set_to_dummy_if_null(ops, socket_accept); | ||
1204 | set_to_dummy_if_null(ops, socket_post_accept); | ||
1205 | set_to_dummy_if_null(ops, socket_sendmsg); | ||
1206 | set_to_dummy_if_null(ops, socket_recvmsg); | ||
1207 | set_to_dummy_if_null(ops, socket_getsockname); | ||
1208 | set_to_dummy_if_null(ops, socket_getpeername); | ||
1209 | set_to_dummy_if_null(ops, socket_setsockopt); | ||
1210 | set_to_dummy_if_null(ops, socket_getsockopt); | ||
1211 | set_to_dummy_if_null(ops, socket_shutdown); | ||
1212 | set_to_dummy_if_null(ops, socket_sock_rcv_skb); | ||
1213 | set_to_dummy_if_null(ops, socket_getpeersec_stream); | ||
1214 | set_to_dummy_if_null(ops, socket_getpeersec_dgram); | ||
1215 | set_to_dummy_if_null(ops, sk_alloc_security); | ||
1216 | set_to_dummy_if_null(ops, sk_free_security); | ||
1217 | set_to_dummy_if_null(ops, sk_clone_security); | ||
1218 | set_to_dummy_if_null(ops, sk_getsecid); | ||
1219 | set_to_dummy_if_null(ops, sock_graft); | ||
1220 | set_to_dummy_if_null(ops, inet_conn_request); | ||
1221 | set_to_dummy_if_null(ops, inet_csk_clone); | ||
1222 | set_to_dummy_if_null(ops, inet_conn_established); | ||
1223 | set_to_dummy_if_null(ops, req_classify_flow); | ||
1224 | #endif /* CONFIG_SECURITY_NETWORK */ | ||
1225 | #ifdef CONFIG_SECURITY_NETWORK_XFRM | ||
1226 | set_to_dummy_if_null(ops, xfrm_policy_alloc_security); | ||
1227 | set_to_dummy_if_null(ops, xfrm_policy_clone_security); | ||
1228 | set_to_dummy_if_null(ops, xfrm_policy_free_security); | ||
1229 | set_to_dummy_if_null(ops, xfrm_policy_delete_security); | ||
1230 | set_to_dummy_if_null(ops, xfrm_state_alloc_security); | ||
1231 | set_to_dummy_if_null(ops, xfrm_state_free_security); | ||
1232 | set_to_dummy_if_null(ops, xfrm_state_delete_security); | ||
1233 | set_to_dummy_if_null(ops, xfrm_policy_lookup); | ||
1234 | set_to_dummy_if_null(ops, xfrm_state_pol_flow_match); | ||
1235 | set_to_dummy_if_null(ops, xfrm_decode_session); | ||
1236 | #endif /* CONFIG_SECURITY_NETWORK_XFRM */ | ||
1237 | #ifdef CONFIG_KEYS | ||
1238 | set_to_dummy_if_null(ops, key_alloc); | ||
1239 | set_to_dummy_if_null(ops, key_free); | ||
1240 | set_to_dummy_if_null(ops, key_permission); | ||
1241 | set_to_dummy_if_null(ops, key_getsecurity); | ||
1242 | #endif /* CONFIG_KEYS */ | ||
1243 | #ifdef CONFIG_AUDIT | ||
1244 | set_to_dummy_if_null(ops, audit_rule_init); | ||
1245 | set_to_dummy_if_null(ops, audit_rule_known); | ||
1246 | set_to_dummy_if_null(ops, audit_rule_match); | ||
1247 | set_to_dummy_if_null(ops, audit_rule_free); | ||
1248 | #endif | ||
1249 | } | ||
1250 | |||
diff --git a/security/security.c b/security/security.c index 28b2860c1129..30b0278de394 100644 --- a/security/security.c +++ b/security/security.c | |||
@@ -20,8 +20,8 @@ | |||
20 | /* Boot-time LSM user choice */ | 20 | /* Boot-time LSM user choice */ |
21 | static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; | 21 | static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; |
22 | 22 | ||
23 | /* things that live in dummy.c */ | 23 | /* things that live in capability.c */ |
24 | extern struct security_operations dummy_security_ops; | 24 | extern struct security_operations default_security_ops; |
25 | extern void security_fixup_ops(struct security_operations *ops); | 25 | extern void security_fixup_ops(struct security_operations *ops); |
26 | 26 | ||
27 | struct security_operations *security_ops; /* Initialized to NULL */ | 27 | struct security_operations *security_ops; /* Initialized to NULL */ |
@@ -57,13 +57,8 @@ int __init security_init(void) | |||
57 | { | 57 | { |
58 | printk(KERN_INFO "Security Framework initialized\n"); | 58 | printk(KERN_INFO "Security Framework initialized\n"); |
59 | 59 | ||
60 | if (verify(&dummy_security_ops)) { | 60 | security_fixup_ops(&default_security_ops); |
61 | printk(KERN_ERR "%s could not verify " | 61 | security_ops = &default_security_ops; |
62 | "dummy_security_ops structure.\n", __func__); | ||
63 | return -EIO; | ||
64 | } | ||
65 | |||
66 | security_ops = &dummy_security_ops; | ||
67 | do_security_initcalls(); | 62 | do_security_initcalls(); |
68 | 63 | ||
69 | return 0; | 64 | return 0; |
@@ -122,7 +117,7 @@ int register_security(struct security_operations *ops) | |||
122 | return -EINVAL; | 117 | return -EINVAL; |
123 | } | 118 | } |
124 | 119 | ||
125 | if (security_ops != &dummy_security_ops) | 120 | if (security_ops != &default_security_ops) |
126 | return -EAGAIN; | 121 | return -EAGAIN; |
127 | 122 | ||
128 | security_ops = ops; | 123 | security_ops = ops; |