Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Security plug functions | |
3 | * | |
4 | * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com> | |
5 | * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com> | |
6 | * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com> | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | */ | |
13 | ||
c59ede7b | 14 | #include <linux/capability.h> |
1da177e4 LT |
15 | #include <linux/module.h> |
16 | #include <linux/init.h> | |
17 | #include <linux/kernel.h> | |
18 | #include <linux/sched.h> | |
19 | #include <linux/security.h> | |
20 | ||
21 | #define SECURITY_FRAMEWORK_VERSION "1.0.0" | |
22 | ||
23 | /* things that live in dummy.c */ | |
24 | extern struct security_operations dummy_security_ops; | |
25 | extern void security_fixup_ops(struct security_operations *ops); | |
26 | ||
27 | struct security_operations *security_ops; /* Initialized to NULL */ | |
28 | ||
29 | static inline int verify(struct security_operations *ops) | |
30 | { | |
31 | /* verify the security_operations structure exists */ | |
32 | if (!ops) | |
33 | return -EINVAL; | |
34 | security_fixup_ops(ops); | |
35 | return 0; | |
36 | } | |
37 | ||
38 | static void __init do_security_initcalls(void) | |
39 | { | |
40 | initcall_t *call; | |
41 | call = __security_initcall_start; | |
42 | while (call < __security_initcall_end) { | |
43 | (*call) (); | |
44 | call++; | |
45 | } | |
46 | } | |
47 | ||
48 | /** | |
49 | * security_init - initializes the security framework | |
50 | * | |
51 | * This should be called early in the kernel initialization sequence. | |
52 | */ | |
53 | int __init security_init(void) | |
54 | { | |
55 | printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION | |
56 | " initialized\n"); | |
57 | ||
58 | if (verify(&dummy_security_ops)) { | |
59 | printk(KERN_ERR "%s could not verify " | |
60 | "dummy_security_ops structure.\n", __FUNCTION__); | |
61 | return -EIO; | |
62 | } | |
63 | ||
64 | security_ops = &dummy_security_ops; | |
65 | do_security_initcalls(); | |
66 | ||
67 | return 0; | |
68 | } | |
69 | ||
70 | /** | |
71 | * register_security - registers a security framework with the kernel | |
72 | * @ops: a pointer to the struct security_options that is to be registered | |
73 | * | |
74 | * This function is to allow a security module to register itself with the | |
75 | * kernel security subsystem. Some rudimentary checking is done on the @ops | |
76 | * value passed to this function. A call to unregister_security() should be | |
77 | * done to remove this security_options structure from the kernel. | |
78 | * | |
79 | * If there is already a security module registered with the kernel, | |
80 | * an error will be returned. Otherwise 0 is returned on success. | |
81 | */ | |
82 | int register_security(struct security_operations *ops) | |
83 | { | |
84 | if (verify(ops)) { | |
85 | printk(KERN_DEBUG "%s could not verify " | |
86 | "security_operations structure.\n", __FUNCTION__); | |
87 | return -EINVAL; | |
88 | } | |
89 | ||
90 | if (security_ops != &dummy_security_ops) | |
91 | return -EAGAIN; | |
92 | ||
93 | security_ops = ops; | |
94 | ||
95 | return 0; | |
96 | } | |
97 | ||
98 | /** | |
99 | * unregister_security - unregisters a security framework with the kernel | |
100 | * @ops: a pointer to the struct security_options that is to be registered | |
101 | * | |
102 | * This function removes a struct security_operations variable that had | |
103 | * previously been registered with a successful call to register_security(). | |
104 | * | |
105 | * If @ops does not match the valued previously passed to register_security() | |
106 | * an error is returned. Otherwise the default security options is set to the | |
107 | * the dummy_security_ops structure, and 0 is returned. | |
108 | */ | |
109 | int unregister_security(struct security_operations *ops) | |
110 | { | |
111 | if (ops != security_ops) { | |
112 | printk(KERN_INFO "%s: trying to unregister " | |
113 | "a security_opts structure that is not " | |
114 | "registered, failing.\n", __FUNCTION__); | |
115 | return -EINVAL; | |
116 | } | |
117 | ||
118 | security_ops = &dummy_security_ops; | |
119 | ||
120 | return 0; | |
121 | } | |
122 | ||
123 | /** | |
124 | * mod_reg_security - allows security modules to be "stacked" | |
125 | * @name: a pointer to a string with the name of the security_options to be registered | |
126 | * @ops: a pointer to the struct security_options that is to be registered | |
127 | * | |
128 | * This function allows security modules to be stacked if the currently loaded | |
129 | * security module allows this to happen. It passes the @name and @ops to the | |
130 | * register_security function of the currently loaded security module. | |
131 | * | |
132 | * The return value depends on the currently loaded security module, with 0 as | |
133 | * success. | |
134 | */ | |
135 | int mod_reg_security(const char *name, struct security_operations *ops) | |
136 | { | |
137 | if (verify(ops)) { | |
138 | printk(KERN_INFO "%s could not verify " | |
139 | "security operations.\n", __FUNCTION__); | |
140 | return -EINVAL; | |
141 | } | |
142 | ||
143 | if (ops == security_ops) { | |
144 | printk(KERN_INFO "%s security operations " | |
145 | "already registered.\n", __FUNCTION__); | |
146 | return -EINVAL; | |
147 | } | |
148 | ||
149 | return security_ops->register_security(name, ops); | |
150 | } | |
151 | ||
152 | /** | |
153 | * mod_unreg_security - allows a security module registered with mod_reg_security() to be unloaded | |
154 | * @name: a pointer to a string with the name of the security_options to be removed | |
155 | * @ops: a pointer to the struct security_options that is to be removed | |
156 | * | |
157 | * This function allows security modules that have been successfully registered | |
158 | * with a call to mod_reg_security() to be unloaded from the system. | |
159 | * This calls the currently loaded security module's unregister_security() call | |
160 | * with the @name and @ops variables. | |
161 | * | |
162 | * The return value depends on the currently loaded security module, with 0 as | |
163 | * success. | |
164 | */ | |
165 | int mod_unreg_security(const char *name, struct security_operations *ops) | |
166 | { | |
167 | if (ops == security_ops) { | |
168 | printk(KERN_INFO "%s invalid attempt to unregister " | |
169 | " primary security ops.\n", __FUNCTION__); | |
170 | return -EINVAL; | |
171 | } | |
172 | ||
173 | return security_ops->unregister_security(name, ops); | |
174 | } | |
175 | ||
1da177e4 LT |
176 | EXPORT_SYMBOL_GPL(register_security); |
177 | EXPORT_SYMBOL_GPL(unregister_security); | |
178 | EXPORT_SYMBOL_GPL(mod_reg_security); | |
179 | EXPORT_SYMBOL_GPL(mod_unreg_security); | |
1da177e4 | 180 | EXPORT_SYMBOL(security_ops); |