Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Security plug functions | |
3 | * | |
4 | * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com> | |
5 | * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com> | |
6 | * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com> | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | */ | |
13 | ||
c59ede7b | 14 | #include <linux/capability.h> |
1da177e4 LT |
15 | #include <linux/module.h> |
16 | #include <linux/init.h> | |
17 | #include <linux/kernel.h> | |
1da177e4 LT |
18 | #include <linux/security.h> |
19 | ||
20 | #define SECURITY_FRAMEWORK_VERSION "1.0.0" | |
21 | ||
22 | /* things that live in dummy.c */ | |
23 | extern struct security_operations dummy_security_ops; | |
24 | extern void security_fixup_ops(struct security_operations *ops); | |
25 | ||
26 | struct security_operations *security_ops; /* Initialized to NULL */ | |
27 | ||
28 | static inline int verify(struct security_operations *ops) | |
29 | { | |
30 | /* verify the security_operations structure exists */ | |
31 | if (!ops) | |
32 | return -EINVAL; | |
33 | security_fixup_ops(ops); | |
34 | return 0; | |
35 | } | |
36 | ||
37 | static void __init do_security_initcalls(void) | |
38 | { | |
39 | initcall_t *call; | |
40 | call = __security_initcall_start; | |
41 | while (call < __security_initcall_end) { | |
42 | (*call) (); | |
43 | call++; | |
44 | } | |
45 | } | |
46 | ||
47 | /** | |
48 | * security_init - initializes the security framework | |
49 | * | |
50 | * This should be called early in the kernel initialization sequence. | |
51 | */ | |
52 | int __init security_init(void) | |
53 | { | |
54 | printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION | |
55 | " initialized\n"); | |
56 | ||
57 | if (verify(&dummy_security_ops)) { | |
58 | printk(KERN_ERR "%s could not verify " | |
59 | "dummy_security_ops structure.\n", __FUNCTION__); | |
60 | return -EIO; | |
61 | } | |
62 | ||
63 | security_ops = &dummy_security_ops; | |
64 | do_security_initcalls(); | |
65 | ||
66 | return 0; | |
67 | } | |
68 | ||
69 | /** | |
70 | * register_security - registers a security framework with the kernel | |
71 | * @ops: a pointer to the struct security_options that is to be registered | |
72 | * | |
73 | * This function is to allow a security module to register itself with the | |
74 | * kernel security subsystem. Some rudimentary checking is done on the @ops | |
75 | * value passed to this function. A call to unregister_security() should be | |
76 | * done to remove this security_options structure from the kernel. | |
77 | * | |
78 | * If there is already a security module registered with the kernel, | |
79 | * an error will be returned. Otherwise 0 is returned on success. | |
80 | */ | |
81 | int register_security(struct security_operations *ops) | |
82 | { | |
83 | if (verify(ops)) { | |
84 | printk(KERN_DEBUG "%s could not verify " | |
85 | "security_operations structure.\n", __FUNCTION__); | |
86 | return -EINVAL; | |
87 | } | |
88 | ||
89 | if (security_ops != &dummy_security_ops) | |
90 | return -EAGAIN; | |
91 | ||
92 | security_ops = ops; | |
93 | ||
94 | return 0; | |
95 | } | |
96 | ||
97 | /** | |
98 | * unregister_security - unregisters a security framework with the kernel | |
99 | * @ops: a pointer to the struct security_options that is to be registered | |
100 | * | |
101 | * This function removes a struct security_operations variable that had | |
102 | * previously been registered with a successful call to register_security(). | |
103 | * | |
104 | * If @ops does not match the valued previously passed to register_security() | |
105 | * an error is returned. Otherwise the default security options is set to the | |
106 | * the dummy_security_ops structure, and 0 is returned. | |
107 | */ | |
108 | int unregister_security(struct security_operations *ops) | |
109 | { | |
110 | if (ops != security_ops) { | |
111 | printk(KERN_INFO "%s: trying to unregister " | |
112 | "a security_opts structure that is not " | |
113 | "registered, failing.\n", __FUNCTION__); | |
114 | return -EINVAL; | |
115 | } | |
116 | ||
117 | security_ops = &dummy_security_ops; | |
118 | ||
119 | return 0; | |
120 | } | |
121 | ||
122 | /** | |
123 | * mod_reg_security - allows security modules to be "stacked" | |
124 | * @name: a pointer to a string with the name of the security_options to be registered | |
125 | * @ops: a pointer to the struct security_options that is to be registered | |
126 | * | |
127 | * This function allows security modules to be stacked if the currently loaded | |
128 | * security module allows this to happen. It passes the @name and @ops to the | |
129 | * register_security function of the currently loaded security module. | |
130 | * | |
131 | * The return value depends on the currently loaded security module, with 0 as | |
132 | * success. | |
133 | */ | |
134 | int mod_reg_security(const char *name, struct security_operations *ops) | |
135 | { | |
136 | if (verify(ops)) { | |
137 | printk(KERN_INFO "%s could not verify " | |
138 | "security operations.\n", __FUNCTION__); | |
139 | return -EINVAL; | |
140 | } | |
141 | ||
142 | if (ops == security_ops) { | |
143 | printk(KERN_INFO "%s security operations " | |
144 | "already registered.\n", __FUNCTION__); | |
145 | return -EINVAL; | |
146 | } | |
147 | ||
148 | return security_ops->register_security(name, ops); | |
149 | } | |
150 | ||
151 | /** | |
152 | * mod_unreg_security - allows a security module registered with mod_reg_security() to be unloaded | |
153 | * @name: a pointer to a string with the name of the security_options to be removed | |
154 | * @ops: a pointer to the struct security_options that is to be removed | |
155 | * | |
156 | * This function allows security modules that have been successfully registered | |
157 | * with a call to mod_reg_security() to be unloaded from the system. | |
158 | * This calls the currently loaded security module's unregister_security() call | |
159 | * with the @name and @ops variables. | |
160 | * | |
161 | * The return value depends on the currently loaded security module, with 0 as | |
162 | * success. | |
163 | */ | |
164 | int mod_unreg_security(const char *name, struct security_operations *ops) | |
165 | { | |
166 | if (ops == security_ops) { | |
167 | printk(KERN_INFO "%s invalid attempt to unregister " | |
168 | " primary security ops.\n", __FUNCTION__); | |
169 | return -EINVAL; | |
170 | } | |
171 | ||
172 | return security_ops->unregister_security(name, ops); | |
173 | } | |
174 | ||
1da177e4 LT |
175 | EXPORT_SYMBOL_GPL(register_security); |
176 | EXPORT_SYMBOL_GPL(unregister_security); | |
177 | EXPORT_SYMBOL_GPL(mod_reg_security); | |
178 | EXPORT_SYMBOL_GPL(mod_unreg_security); | |
1da177e4 | 179 | EXPORT_SYMBOL(security_ops); |