security: remove register_security hook
The register security hook is no longer required, as the capability module is always registered. LSMs wishing to stack capability as a secondary module should do so explicitly. Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
This commit is contained in:
parent
93cbace7a0
commit
6f0f0fd496
|
@ -1239,11 +1239,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
|
|||
* @pages contains the number of pages.
|
||||
* Return 0 if permission is granted.
|
||||
*
|
||||
* @register_security:
|
||||
* allow module stacking.
|
||||
* @name contains the name of the security module being stacked.
|
||||
* @ops contains a pointer to the struct security_operations of the module to stack.
|
||||
*
|
||||
* @secid_to_secctx:
|
||||
* Convert secid to security context.
|
||||
* @secid contains the security ID.
|
||||
|
@ -1471,10 +1466,6 @@ struct security_operations {
|
|||
int (*netlink_send) (struct sock *sk, struct sk_buff *skb);
|
||||
int (*netlink_recv) (struct sk_buff *skb, int cap);
|
||||
|
||||
/* allow module stacking */
|
||||
int (*register_security) (const char *name,
|
||||
struct security_operations *ops);
|
||||
|
||||
void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
|
||||
|
||||
int (*getprocattr) (struct task_struct *p, char *name, char **value);
|
||||
|
@ -1564,7 +1555,6 @@ struct security_operations {
|
|||
extern int security_init(void);
|
||||
extern int security_module_enable(struct security_operations *ops);
|
||||
extern int register_security(struct security_operations *ops);
|
||||
extern int mod_reg_security(const char *name, struct security_operations *ops);
|
||||
extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
|
||||
struct dentry *parent, void *data,
|
||||
const struct file_operations *fops);
|
||||
|
|
|
@ -721,12 +721,6 @@ static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
|
|||
}
|
||||
|
||||
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
|
||||
static int cap_register_security(const char *name,
|
||||
struct security_operations *ops)
|
||||
{
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
static void cap_d_instantiate(struct dentry *dentry, struct inode *inode)
|
||||
{
|
||||
}
|
||||
|
@ -940,7 +934,6 @@ void security_fixup_ops(struct security_operations *ops)
|
|||
set_to_cap_if_null(ops, sem_semop);
|
||||
set_to_cap_if_null(ops, netlink_send);
|
||||
set_to_cap_if_null(ops, netlink_recv);
|
||||
set_to_cap_if_null(ops, register_security);
|
||||
set_to_cap_if_null(ops, d_instantiate);
|
||||
set_to_cap_if_null(ops, getprocattr);
|
||||
set_to_cap_if_null(ops, setprocattr);
|
||||
|
|
|
@ -28,9 +28,6 @@
|
|||
#include <linux/usb.h>
|
||||
#include <linux/moduleparam.h>
|
||||
|
||||
/* flag to keep track of how we were registered */
|
||||
static int secondary;
|
||||
|
||||
/* default is a generic type of usb to serial converter */
|
||||
static int vendor_id = 0x0557;
|
||||
static int product_id = 0x2008;
|
||||
|
@ -97,14 +94,8 @@ static int __init rootplug_init (void)
|
|||
if (register_security (&rootplug_security_ops)) {
|
||||
printk (KERN_INFO
|
||||
"Failure registering Root Plug module with the kernel\n");
|
||||
/* try registering with primary module */
|
||||
if (mod_reg_security (MY_NAME, &rootplug_security_ops)) {
|
||||
printk (KERN_INFO "Failure registering Root Plug "
|
||||
" module with primary security module.\n");
|
||||
return -EINVAL;
|
||||
}
|
||||
secondary = 1;
|
||||
}
|
||||
printk (KERN_INFO "Root Plug module initialized, "
|
||||
"vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
|
||||
return 0;
|
||||
|
|
|
@ -125,35 +125,6 @@ int register_security(struct security_operations *ops)
|
|||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* mod_reg_security - allows security modules to be "stacked"
|
||||
* @name: a pointer to a string with the name of the security_options to be registered
|
||||
* @ops: a pointer to the struct security_options that is to be registered
|
||||
*
|
||||
* This function allows security modules to be stacked if the currently loaded
|
||||
* security module allows this to happen. It passes the @name and @ops to the
|
||||
* register_security function of the currently loaded security module.
|
||||
*
|
||||
* The return value depends on the currently loaded security module, with 0 as
|
||||
* success.
|
||||
*/
|
||||
int mod_reg_security(const char *name, struct security_operations *ops)
|
||||
{
|
||||
if (verify(ops)) {
|
||||
printk(KERN_INFO "%s could not verify "
|
||||
"security operations.\n", __func__);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
if (ops == security_ops) {
|
||||
printk(KERN_INFO "%s security operations "
|
||||
"already registered.\n", __func__);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
return security_ops->register_security(name, ops);
|
||||
}
|
||||
|
||||
/* Security operations */
|
||||
|
||||
int security_ptrace(struct task_struct *parent, struct task_struct *child,
|
||||
|
|
|
@ -126,13 +126,11 @@ __setup("selinux=", selinux_enabled_setup);
|
|||
int selinux_enabled = 1;
|
||||
#endif
|
||||
|
||||
/* Original (dummy) security module. */
|
||||
static struct security_operations *original_ops;
|
||||
|
||||
/* Minimal support for a secondary security module,
|
||||
just to allow the use of the dummy or capability modules.
|
||||
The owlsm module can alternatively be used as a secondary
|
||||
module as long as CONFIG_OWLSM_FD is not enabled. */
|
||||
/*
|
||||
* Minimal support for a secondary security module,
|
||||
* just to allow the use of the capability module.
|
||||
*/
|
||||
static struct security_operations *secondary_ops;
|
||||
|
||||
/* Lists of inode and superblock security structures initialized
|
||||
|
@ -5115,24 +5113,6 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
|
|||
*secid = isec->sid;
|
||||
}
|
||||
|
||||
/* module stacking operations */
|
||||
static int selinux_register_security(const char *name, struct security_operations *ops)
|
||||
{
|
||||
if (secondary_ops != original_ops) {
|
||||
printk(KERN_ERR "%s: There is already a secondary security "
|
||||
"module registered.\n", __func__);
|
||||
return -EINVAL;
|
||||
}
|
||||
|
||||
secondary_ops = ops;
|
||||
|
||||
printk(KERN_INFO "%s: Registering secondary module %s\n",
|
||||
__func__,
|
||||
name);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
|
||||
{
|
||||
if (inode)
|
||||
|
@ -5517,8 +5497,6 @@ static struct security_operations selinux_ops = {
|
|||
.sem_semctl = selinux_sem_semctl,
|
||||
.sem_semop = selinux_sem_semop,
|
||||
|
||||
.register_security = selinux_register_security,
|
||||
|
||||
.d_instantiate = selinux_d_instantiate,
|
||||
|
||||
.getprocattr = selinux_getprocattr,
|
||||
|
@ -5612,7 +5590,7 @@ static __init int selinux_init(void)
|
|||
0, SLAB_PANIC, NULL);
|
||||
avc_init();
|
||||
|
||||
original_ops = secondary_ops = security_ops;
|
||||
secondary_ops = security_ops;
|
||||
if (!secondary_ops)
|
||||
panic("SELinux: No initial security operations\n");
|
||||
if (register_security(&selinux_ops))
|
||||
|
|
|
@ -1822,27 +1822,6 @@ static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
|
|||
*secid = smack_to_secid(smack);
|
||||
}
|
||||
|
||||
/* module stacking operations */
|
||||
|
||||
/**
|
||||
* smack_register_security - stack capability module
|
||||
* @name: module name
|
||||
* @ops: module operations - ignored
|
||||
*
|
||||
* Allow the capability module to register.
|
||||
*/
|
||||
static int smack_register_security(const char *name,
|
||||
struct security_operations *ops)
|
||||
{
|
||||
if (strcmp(name, "capability") != 0)
|
||||
return -EINVAL;
|
||||
|
||||
printk(KERN_INFO "%s: Registering secondary module %s\n",
|
||||
__func__, name);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
/**
|
||||
* smack_d_instantiate - Make sure the blob is correct on an inode
|
||||
* @opt_dentry: unused
|
||||
|
@ -2673,8 +2652,6 @@ struct security_operations smack_ops = {
|
|||
.netlink_send = cap_netlink_send,
|
||||
.netlink_recv = cap_netlink_recv,
|
||||
|
||||
.register_security = smack_register_security,
|
||||
|
||||
.d_instantiate = smack_d_instantiate,
|
||||
|
||||
.getprocattr = smack_getprocattr,
|
||||
|
|
Loading…
Reference in New Issue