Commit 6f0f0fd4 authored by James Morris's avatar James Morris

security: remove register_security hook

The register security hook is no longer required, as the capability
module is always registered.  LSMs wishing to stack capability as
a secondary module should do so explicitly.
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Acked-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 93cbace7
...@@ -1239,11 +1239,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) ...@@ -1239,11 +1239,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
* @pages contains the number of pages. * @pages contains the number of pages.
* Return 0 if permission is granted. * Return 0 if permission is granted.
* *
* @register_security:
* allow module stacking.
* @name contains the name of the security module being stacked.
* @ops contains a pointer to the struct security_operations of the module to stack.
*
* @secid_to_secctx: * @secid_to_secctx:
* Convert secid to security context. * Convert secid to security context.
* @secid contains the security ID. * @secid contains the security ID.
...@@ -1471,10 +1466,6 @@ struct security_operations { ...@@ -1471,10 +1466,6 @@ struct security_operations {
int (*netlink_send) (struct sock *sk, struct sk_buff *skb); int (*netlink_send) (struct sock *sk, struct sk_buff *skb);
int (*netlink_recv) (struct sk_buff *skb, int cap); int (*netlink_recv) (struct sk_buff *skb, int cap);
/* allow module stacking */
int (*register_security) (const char *name,
struct security_operations *ops);
void (*d_instantiate) (struct dentry *dentry, struct inode *inode); void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
int (*getprocattr) (struct task_struct *p, char *name, char **value); int (*getprocattr) (struct task_struct *p, char *name, char **value);
...@@ -1564,7 +1555,6 @@ struct security_operations { ...@@ -1564,7 +1555,6 @@ struct security_operations {
extern int security_init(void); extern int security_init(void);
extern int security_module_enable(struct security_operations *ops); extern int security_module_enable(struct security_operations *ops);
extern int register_security(struct security_operations *ops); extern int register_security(struct security_operations *ops);
extern int mod_reg_security(const char *name, struct security_operations *ops);
extern struct dentry *securityfs_create_file(const char *name, mode_t mode, extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
struct dentry *parent, void *data, struct dentry *parent, void *data,
const struct file_operations *fops); const struct file_operations *fops);
......
...@@ -721,12 +721,6 @@ static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall) ...@@ -721,12 +721,6 @@ static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
} }
#endif /* CONFIG_SECURITY_NETWORK_XFRM */ #endif /* CONFIG_SECURITY_NETWORK_XFRM */
static int cap_register_security(const char *name,
struct security_operations *ops)
{
return -EINVAL;
}
static void cap_d_instantiate(struct dentry *dentry, struct inode *inode) static void cap_d_instantiate(struct dentry *dentry, struct inode *inode)
{ {
} }
...@@ -940,7 +934,6 @@ void security_fixup_ops(struct security_operations *ops) ...@@ -940,7 +934,6 @@ void security_fixup_ops(struct security_operations *ops)
set_to_cap_if_null(ops, sem_semop); set_to_cap_if_null(ops, sem_semop);
set_to_cap_if_null(ops, netlink_send); set_to_cap_if_null(ops, netlink_send);
set_to_cap_if_null(ops, netlink_recv); set_to_cap_if_null(ops, netlink_recv);
set_to_cap_if_null(ops, register_security);
set_to_cap_if_null(ops, d_instantiate); set_to_cap_if_null(ops, d_instantiate);
set_to_cap_if_null(ops, getprocattr); set_to_cap_if_null(ops, getprocattr);
set_to_cap_if_null(ops, setprocattr); set_to_cap_if_null(ops, setprocattr);
......
...@@ -28,9 +28,6 @@ ...@@ -28,9 +28,6 @@
#include <linux/usb.h> #include <linux/usb.h>
#include <linux/moduleparam.h> #include <linux/moduleparam.h>
/* flag to keep track of how we were registered */
static int secondary;
/* default is a generic type of usb to serial converter */ /* default is a generic type of usb to serial converter */
static int vendor_id = 0x0557; static int vendor_id = 0x0557;
static int product_id = 0x2008; static int product_id = 0x2008;
...@@ -97,13 +94,7 @@ static int __init rootplug_init (void) ...@@ -97,13 +94,7 @@ static int __init rootplug_init (void)
if (register_security (&rootplug_security_ops)) { if (register_security (&rootplug_security_ops)) {
printk (KERN_INFO printk (KERN_INFO
"Failure registering Root Plug module with the kernel\n"); "Failure registering Root Plug module with the kernel\n");
/* try registering with primary module */
if (mod_reg_security (MY_NAME, &rootplug_security_ops)) {
printk (KERN_INFO "Failure registering Root Plug "
" module with primary security module.\n");
return -EINVAL; return -EINVAL;
}
secondary = 1;
} }
printk (KERN_INFO "Root Plug module initialized, " printk (KERN_INFO "Root Plug module initialized, "
"vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id); "vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
......
...@@ -125,35 +125,6 @@ int register_security(struct security_operations *ops) ...@@ -125,35 +125,6 @@ int register_security(struct security_operations *ops)
return 0; return 0;
} }
/**
* mod_reg_security - allows security modules to be "stacked"
* @name: a pointer to a string with the name of the security_options to be registered
* @ops: a pointer to the struct security_options that is to be registered
*
* This function allows security modules to be stacked if the currently loaded
* security module allows this to happen. It passes the @name and @ops to the
* register_security function of the currently loaded security module.
*
* The return value depends on the currently loaded security module, with 0 as
* success.
*/
int mod_reg_security(const char *name, struct security_operations *ops)
{
if (verify(ops)) {
printk(KERN_INFO "%s could not verify "
"security operations.\n", __func__);
return -EINVAL;
}
if (ops == security_ops) {
printk(KERN_INFO "%s security operations "
"already registered.\n", __func__);
return -EINVAL;
}
return security_ops->register_security(name, ops);
}
/* Security operations */ /* Security operations */
int security_ptrace(struct task_struct *parent, struct task_struct *child, int security_ptrace(struct task_struct *parent, struct task_struct *child,
......
...@@ -126,13 +126,11 @@ __setup("selinux=", selinux_enabled_setup); ...@@ -126,13 +126,11 @@ __setup("selinux=", selinux_enabled_setup);
int selinux_enabled = 1; int selinux_enabled = 1;
#endif #endif
/* Original (dummy) security module. */
static struct security_operations *original_ops;
/* Minimal support for a secondary security module, /*
just to allow the use of the dummy or capability modules. * Minimal support for a secondary security module,
The owlsm module can alternatively be used as a secondary * just to allow the use of the capability module.
module as long as CONFIG_OWLSM_FD is not enabled. */ */
static struct security_operations *secondary_ops; static struct security_operations *secondary_ops;
/* Lists of inode and superblock security structures initialized /* Lists of inode and superblock security structures initialized
...@@ -5115,24 +5113,6 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid) ...@@ -5115,24 +5113,6 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
*secid = isec->sid; *secid = isec->sid;
} }
/* module stacking operations */
static int selinux_register_security(const char *name, struct security_operations *ops)
{
if (secondary_ops != original_ops) {
printk(KERN_ERR "%s: There is already a secondary security "
"module registered.\n", __func__);
return -EINVAL;
}
secondary_ops = ops;
printk(KERN_INFO "%s: Registering secondary module %s\n",
__func__,
name);
return 0;
}
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode) static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
{ {
if (inode) if (inode)
...@@ -5517,8 +5497,6 @@ static struct security_operations selinux_ops = { ...@@ -5517,8 +5497,6 @@ static struct security_operations selinux_ops = {
.sem_semctl = selinux_sem_semctl, .sem_semctl = selinux_sem_semctl,
.sem_semop = selinux_sem_semop, .sem_semop = selinux_sem_semop,
.register_security = selinux_register_security,
.d_instantiate = selinux_d_instantiate, .d_instantiate = selinux_d_instantiate,
.getprocattr = selinux_getprocattr, .getprocattr = selinux_getprocattr,
...@@ -5612,7 +5590,7 @@ static __init int selinux_init(void) ...@@ -5612,7 +5590,7 @@ static __init int selinux_init(void)
0, SLAB_PANIC, NULL); 0, SLAB_PANIC, NULL);
avc_init(); avc_init();
original_ops = secondary_ops = security_ops; secondary_ops = security_ops;
if (!secondary_ops) if (!secondary_ops)
panic("SELinux: No initial security operations\n"); panic("SELinux: No initial security operations\n");
if (register_security(&selinux_ops)) if (register_security(&selinux_ops))
......
...@@ -1822,27 +1822,6 @@ static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid) ...@@ -1822,27 +1822,6 @@ static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
*secid = smack_to_secid(smack); *secid = smack_to_secid(smack);
} }
/* module stacking operations */
/**
* smack_register_security - stack capability module
* @name: module name
* @ops: module operations - ignored
*
* Allow the capability module to register.
*/
static int smack_register_security(const char *name,
struct security_operations *ops)
{
if (strcmp(name, "capability") != 0)
return -EINVAL;
printk(KERN_INFO "%s: Registering secondary module %s\n",
__func__, name);
return 0;
}
/** /**
* smack_d_instantiate - Make sure the blob is correct on an inode * smack_d_instantiate - Make sure the blob is correct on an inode
* @opt_dentry: unused * @opt_dentry: unused
...@@ -2673,8 +2652,6 @@ struct security_operations smack_ops = { ...@@ -2673,8 +2652,6 @@ struct security_operations smack_ops = {
.netlink_send = cap_netlink_send, .netlink_send = cap_netlink_send,
.netlink_recv = cap_netlink_recv, .netlink_recv = cap_netlink_recv,
.register_security = smack_register_security,
.d_instantiate = smack_d_instantiate, .d_instantiate = smack_d_instantiate,
.getprocattr = smack_getprocattr, .getprocattr = smack_getprocattr,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment