X-Git-Url: http://ftp.safe.ca/?a=blobdiff_plain;f=security%2Fsecurity.c;h=c0acfa7177e5d1a01d19375f94bfa1ff819637a3;hb=7e452baf6b96b5aeba097afd91501d33d390cc97;hp=dd0c6baed494d96969432c9616a81990689ade29;hpb=076c54c5bcaed2081c0cba94a6f77c4d470236ad;p=safe%2Fjmp%2Flinux-2.6 diff --git a/security/security.c b/security/security.c index dd0c6ba..c0acfa7 100644 --- a/security/security.c +++ b/security/security.c @@ -20,8 +20,8 @@ /* Boot-time LSM user choice */ static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1]; -/* things that live in dummy.c */ -extern struct security_operations dummy_security_ops; +/* things that live in capability.c */ +extern struct security_operations default_security_ops; extern void security_fixup_ops(struct security_operations *ops); struct security_operations *security_ops; /* Initialized to NULL */ @@ -57,13 +57,8 @@ int __init security_init(void) { printk(KERN_INFO "Security Framework initialized\n"); - if (verify(&dummy_security_ops)) { - printk(KERN_ERR "%s could not verify " - "dummy_security_ops structure.\n", __func__); - return -EIO; - } - - security_ops = &dummy_security_ops; + security_fixup_ops(&default_security_ops); + security_ops = &default_security_ops; do_security_initcalls(); return 0; @@ -83,12 +78,12 @@ __setup("security=", choose_lsm); * * Each LSM must pass this method before registering its own operations * to avoid security registration races. This method may also be used - * to check if your LSM is currently loaded. + * to check if your LSM is currently loaded during kernel initialization. * * Return true if: * -The passed LSM is the one chosen by user at boot time, - * -or user didsn't specify a specific LSM and we're the first to ask - * for registeration permissoin, + * -or user didn't specify a specific LSM and we're the first to ask + * for registration permission, * -or the passed LSM is currently loaded. * Otherwise, return false. */ @@ -106,13 +101,13 @@ int __init security_module_enable(struct security_operations *ops) * register_security - registers a security framework with the kernel * @ops: a pointer to the struct security_options that is to be registered * - * This function is to allow a security module to register itself with the + * This function allows a security module to register itself with the * kernel security subsystem. Some rudimentary checking is done on the @ops * value passed to this function. You'll need to check first if your LSM * is allowed to register its @ops by calling security_module_enable(@ops). * * If there is already a security module registered with the kernel, - * an error will be returned. Otherwise 0 is returned on success. + * an error will be returned. Otherwise %0 is returned on success. */ int register_security(struct security_operations *ops) { @@ -122,7 +117,7 @@ int register_security(struct security_operations *ops) return -EINVAL; } - if (security_ops != &dummy_security_ops) + if (security_ops != &default_security_ops) return -EAGAIN; security_ops = ops; @@ -130,40 +125,16 @@ int register_security(struct security_operations *ops) return 0; } -/** - * mod_reg_security - allows security modules to be "stacked" - * @name: a pointer to a string with the name of the security_options to be registered - * @ops: a pointer to the struct security_options that is to be registered - * - * This function allows security modules to be stacked if the currently loaded - * security module allows this to happen. It passes the @name and @ops to the - * register_security function of the currently loaded security module. - * - * The return value depends on the currently loaded security module, with 0 as - * success. - */ -int mod_reg_security(const char *name, struct security_operations *ops) -{ - if (verify(ops)) { - printk(KERN_INFO "%s could not verify " - "security operations.\n", __func__); - return -EINVAL; - } - - if (ops == security_ops) { - printk(KERN_INFO "%s security operations " - "already registered.\n", __func__); - return -EINVAL; - } +/* Security operations */ - return security_ops->register_security(name, ops); +int security_ptrace_may_access(struct task_struct *child, unsigned int mode) +{ + return security_ops->ptrace_may_access(child, mode); } -/* Security operations */ - -int security_ptrace(struct task_struct *parent, struct task_struct *child) +int security_ptrace_traceme(struct task_struct *parent) { - return security_ops->ptrace(parent, child); + return security_ops->ptrace_traceme(parent); } int security_capget(struct task_struct *target, @@ -227,14 +198,23 @@ int security_settime(struct timespec *ts, struct timezone *tz) int security_vm_enough_memory(long pages) { + WARN_ON(current->mm == NULL); return security_ops->vm_enough_memory(current->mm, pages); } int security_vm_enough_memory_mm(struct mm_struct *mm, long pages) { + WARN_ON(mm == NULL); return security_ops->vm_enough_memory(mm, pages); } +int security_vm_enough_memory_kern(long pages) +{ + /* If current->mm is a kernel thread then we will pass NULL, + for this specific case that is fine */ + return security_ops->vm_enough_memory(current->mm, pages); +} + int security_bprm_alloc(struct linux_binprm *bprm) { return security_ops->bprm_alloc_security(bprm); @@ -291,20 +271,25 @@ int security_sb_kern_mount(struct super_block *sb, void *data) return security_ops->sb_kern_mount(sb, data); } +int security_sb_show_options(struct seq_file *m, struct super_block *sb) +{ + return security_ops->sb_show_options(m, sb); +} + int security_sb_statfs(struct dentry *dentry) { return security_ops->sb_statfs(dentry); } -int security_sb_mount(char *dev_name, struct nameidata *nd, +int security_sb_mount(char *dev_name, struct path *path, char *type, unsigned long flags, void *data) { - return security_ops->sb_mount(dev_name, nd, type, flags, data); + return security_ops->sb_mount(dev_name, path, type, flags, data); } -int security_sb_check_sb(struct vfsmount *mnt, struct nameidata *nd) +int security_sb_check_sb(struct vfsmount *mnt, struct path *path) { - return security_ops->sb_check_sb(mnt, nd); + return security_ops->sb_check_sb(mnt, path); } int security_sb_umount(struct vfsmount *mnt, int flags) @@ -327,25 +312,19 @@ void security_sb_post_remount(struct vfsmount *mnt, unsigned long flags, void *d security_ops->sb_post_remount(mnt, flags, data); } -void security_sb_post_addmount(struct vfsmount *mnt, struct nameidata *mountpoint_nd) -{ - security_ops->sb_post_addmount(mnt, mountpoint_nd); -} - -int security_sb_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) +void security_sb_post_addmount(struct vfsmount *mnt, struct path *mountpoint) { - return security_ops->sb_pivotroot(old_nd, new_nd); + security_ops->sb_post_addmount(mnt, mountpoint); } -void security_sb_post_pivotroot(struct nameidata *old_nd, struct nameidata *new_nd) +int security_sb_pivotroot(struct path *old_path, struct path *new_path) { - security_ops->sb_post_pivotroot(old_nd, new_nd); + return security_ops->sb_pivotroot(old_path, new_path); } -int security_sb_get_mnt_opts(const struct super_block *sb, - struct security_mnt_opts *opts) +void security_sb_post_pivotroot(struct path *old_path, struct path *new_path) { - return security_ops->sb_get_mnt_opts(sb, opts); + security_ops->sb_post_pivotroot(old_path, new_path); } int security_sb_set_mnt_opts(struct super_block *sb, @@ -463,11 +442,11 @@ int security_inode_follow_link(struct dentry *dentry, struct nameidata *nd) return security_ops->inode_follow_link(dentry, nd); } -int security_inode_permission(struct inode *inode, int mask, struct nameidata *nd) +int security_inode_permission(struct inode *inode, int mask) { if (unlikely(IS_PRIVATE(inode))) return 0; - return security_ops->inode_permission(inode, mask, nd); + return security_ops->inode_permission(inode, mask); } int security_inode_setattr(struct dentry *dentry, struct iattr *attr) @@ -476,6 +455,7 @@ int security_inode_setattr(struct dentry *dentry, struct iattr *attr) return 0; return security_ops->inode_setattr(dentry, attr); } +EXPORT_SYMBOL_GPL(security_inode_setattr); int security_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) { @@ -491,23 +471,23 @@ void security_inode_delete(struct inode *inode) security_ops->inode_delete(inode); } -int security_inode_setxattr(struct dentry *dentry, char *name, - void *value, size_t size, int flags) +int security_inode_setxattr(struct dentry *dentry, const char *name, + const void *value, size_t size, int flags) { if (unlikely(IS_PRIVATE(dentry->d_inode))) return 0; return security_ops->inode_setxattr(dentry, name, value, size, flags); } -void security_inode_post_setxattr(struct dentry *dentry, char *name, - void *value, size_t size, int flags) +void security_inode_post_setxattr(struct dentry *dentry, const char *name, + const void *value, size_t size, int flags) { if (unlikely(IS_PRIVATE(dentry->d_inode))) return; security_ops->inode_post_setxattr(dentry, name, value, size, flags); } -int security_inode_getxattr(struct dentry *dentry, char *name) +int security_inode_getxattr(struct dentry *dentry, const char *name) { if (unlikely(IS_PRIVATE(dentry->d_inode))) return 0; @@ -521,7 +501,7 @@ int security_inode_listxattr(struct dentry *dentry) return security_ops->inode_listxattr(dentry); } -int security_inode_removexattr(struct dentry *dentry, char *name) +int security_inode_removexattr(struct dentry *dentry, const char *name) { if (unlikely(IS_PRIVATE(dentry->d_inode))) return 0; @@ -733,9 +713,9 @@ int security_task_wait(struct task_struct *p) } int security_task_prctl(int option, unsigned long arg2, unsigned long arg3, - unsigned long arg4, unsigned long arg5) + unsigned long arg4, unsigned long arg5, long *rc_p) { - return security_ops->task_prctl(option, arg2, arg3, arg4, arg5); + return security_ops->task_prctl(option, arg2, arg3, arg4, arg5, rc_p); } void security_task_reparent_to_init(struct task_struct *p) @@ -886,7 +866,7 @@ int security_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) } EXPORT_SYMBOL(security_secid_to_secctx); -int security_secctx_to_secid(char *secdata, u32 seclen, u32 *secid) +int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) { return security_ops->secctx_to_secid(secdata, seclen, secid); } @@ -894,7 +874,7 @@ EXPORT_SYMBOL(security_secctx_to_secid); void security_release_secctx(char *secdata, u32 seclen) { - return security_ops->release_secctx(secdata, seclen); + security_ops->release_secctx(secdata, seclen); } EXPORT_SYMBOL(security_release_secctx); @@ -1011,12 +991,12 @@ int security_sk_alloc(struct sock *sk, int family, gfp_t priority) void security_sk_free(struct sock *sk) { - return security_ops->sk_free_security(sk); + security_ops->sk_free_security(sk); } void security_sk_clone(const struct sock *sk, struct sock *newsk) { - return security_ops->sk_clone_security(sk, newsk); + security_ops->sk_clone_security(sk, newsk); } void security_sk_classify_flow(struct sock *sk, struct flowi *fl) @@ -1060,26 +1040,27 @@ void security_inet_conn_established(struct sock *sk, #ifdef CONFIG_SECURITY_NETWORK_XFRM -int security_xfrm_policy_alloc(struct xfrm_policy *xp, struct xfrm_user_sec_ctx *sec_ctx) +int security_xfrm_policy_alloc(struct xfrm_sec_ctx **ctxp, struct xfrm_user_sec_ctx *sec_ctx) { - return security_ops->xfrm_policy_alloc_security(xp, sec_ctx); + return security_ops->xfrm_policy_alloc_security(ctxp, sec_ctx); } EXPORT_SYMBOL(security_xfrm_policy_alloc); -int security_xfrm_policy_clone(struct xfrm_policy *old, struct xfrm_policy *new) +int security_xfrm_policy_clone(struct xfrm_sec_ctx *old_ctx, + struct xfrm_sec_ctx **new_ctxp) { - return security_ops->xfrm_policy_clone_security(old, new); + return security_ops->xfrm_policy_clone_security(old_ctx, new_ctxp); } -void security_xfrm_policy_free(struct xfrm_policy *xp) +void security_xfrm_policy_free(struct xfrm_sec_ctx *ctx) { - security_ops->xfrm_policy_free_security(xp); + security_ops->xfrm_policy_free_security(ctx); } EXPORT_SYMBOL(security_xfrm_policy_free); -int security_xfrm_policy_delete(struct xfrm_policy *xp) +int security_xfrm_policy_delete(struct xfrm_sec_ctx *ctx) { - return security_ops->xfrm_policy_delete_security(xp); + return security_ops->xfrm_policy_delete_security(ctx); } int security_xfrm_state_alloc(struct xfrm_state *x, struct xfrm_user_sec_ctx *sec_ctx) @@ -1111,9 +1092,9 @@ void security_xfrm_state_free(struct xfrm_state *x) security_ops->xfrm_state_free_security(x); } -int security_xfrm_policy_lookup(struct xfrm_policy *xp, u32 fl_secid, u8 dir) +int security_xfrm_policy_lookup(struct xfrm_sec_ctx *ctx, u32 fl_secid, u8 dir) { - return security_ops->xfrm_policy_lookup(xp, fl_secid, dir); + return security_ops->xfrm_policy_lookup(ctx, fl_secid, dir); } int security_xfrm_state_pol_flow_match(struct xfrm_state *x, @@ -1155,6 +1136,11 @@ int security_key_permission(key_ref_t key_ref, return security_ops->key_permission(key_ref, context, perm); } +int security_key_getsecurity(struct key *key, char **_buffer) +{ + return security_ops->key_getsecurity(key, _buffer); +} + #endif /* CONFIG_KEYS */ #ifdef CONFIG_AUDIT