Commit | Line | Data |
---|---|---|
1da177e4 LT |
1 | /* |
2 | * Security plug functions | |
3 | * | |
4 | * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com> | |
5 | * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com> | |
6 | * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com> | |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify | |
9 | * it under the terms of the GNU General Public License as published by | |
10 | * the Free Software Foundation; either version 2 of the License, or | |
11 | * (at your option) any later version. | |
12 | */ | |
13 | ||
c59ede7b | 14 | #include <linux/capability.h> |
1da177e4 LT |
15 | #include <linux/config.h> |
16 | #include <linux/module.h> | |
17 | #include <linux/init.h> | |
18 | #include <linux/kernel.h> | |
19 | #include <linux/sched.h> | |
20 | #include <linux/security.h> | |
21 | ||
22 | #define SECURITY_FRAMEWORK_VERSION "1.0.0" | |
23 | ||
24 | /* things that live in dummy.c */ | |
25 | extern struct security_operations dummy_security_ops; | |
26 | extern void security_fixup_ops(struct security_operations *ops); | |
27 | ||
28 | struct security_operations *security_ops; /* Initialized to NULL */ | |
29 | ||
30 | static inline int verify(struct security_operations *ops) | |
31 | { | |
32 | /* verify the security_operations structure exists */ | |
33 | if (!ops) | |
34 | return -EINVAL; | |
35 | security_fixup_ops(ops); | |
36 | return 0; | |
37 | } | |
38 | ||
39 | static void __init do_security_initcalls(void) | |
40 | { | |
41 | initcall_t *call; | |
42 | call = __security_initcall_start; | |
43 | while (call < __security_initcall_end) { | |
44 | (*call) (); | |
45 | call++; | |
46 | } | |
47 | } | |
48 | ||
49 | /** | |
50 | * security_init - initializes the security framework | |
51 | * | |
52 | * This should be called early in the kernel initialization sequence. | |
53 | */ | |
54 | int __init security_init(void) | |
55 | { | |
56 | printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION | |
57 | " initialized\n"); | |
58 | ||
59 | if (verify(&dummy_security_ops)) { | |
60 | printk(KERN_ERR "%s could not verify " | |
61 | "dummy_security_ops structure.\n", __FUNCTION__); | |
62 | return -EIO; | |
63 | } | |
64 | ||
65 | security_ops = &dummy_security_ops; | |
66 | do_security_initcalls(); | |
67 | ||
68 | return 0; | |
69 | } | |
70 | ||
71 | /** | |
72 | * register_security - registers a security framework with the kernel | |
73 | * @ops: a pointer to the struct security_options that is to be registered | |
74 | * | |
75 | * This function is to allow a security module to register itself with the | |
76 | * kernel security subsystem. Some rudimentary checking is done on the @ops | |
77 | * value passed to this function. A call to unregister_security() should be | |
78 | * done to remove this security_options structure from the kernel. | |
79 | * | |
80 | * If there is already a security module registered with the kernel, | |
81 | * an error will be returned. Otherwise 0 is returned on success. | |
82 | */ | |
83 | int register_security(struct security_operations *ops) | |
84 | { | |
85 | if (verify(ops)) { | |
86 | printk(KERN_DEBUG "%s could not verify " | |
87 | "security_operations structure.\n", __FUNCTION__); | |
88 | return -EINVAL; | |
89 | } | |
90 | ||
91 | if (security_ops != &dummy_security_ops) | |
92 | return -EAGAIN; | |
93 | ||
94 | security_ops = ops; | |
95 | ||
96 | return 0; | |
97 | } | |
98 | ||
99 | /** | |
100 | * unregister_security - unregisters a security framework with the kernel | |
101 | * @ops: a pointer to the struct security_options that is to be registered | |
102 | * | |
103 | * This function removes a struct security_operations variable that had | |
104 | * previously been registered with a successful call to register_security(). | |
105 | * | |
106 | * If @ops does not match the valued previously passed to register_security() | |
107 | * an error is returned. Otherwise the default security options is set to the | |
108 | * the dummy_security_ops structure, and 0 is returned. | |
109 | */ | |
110 | int unregister_security(struct security_operations *ops) | |
111 | { | |
112 | if (ops != security_ops) { | |
113 | printk(KERN_INFO "%s: trying to unregister " | |
114 | "a security_opts structure that is not " | |
115 | "registered, failing.\n", __FUNCTION__); | |
116 | return -EINVAL; | |
117 | } | |
118 | ||
119 | security_ops = &dummy_security_ops; | |
120 | ||
121 | return 0; | |
122 | } | |
123 | ||
124 | /** | |
125 | * mod_reg_security - allows security modules to be "stacked" | |
126 | * @name: a pointer to a string with the name of the security_options to be registered | |
127 | * @ops: a pointer to the struct security_options that is to be registered | |
128 | * | |
129 | * This function allows security modules to be stacked if the currently loaded | |
130 | * security module allows this to happen. It passes the @name and @ops to the | |
131 | * register_security function of the currently loaded security module. | |
132 | * | |
133 | * The return value depends on the currently loaded security module, with 0 as | |
134 | * success. | |
135 | */ | |
136 | int mod_reg_security(const char *name, struct security_operations *ops) | |
137 | { | |
138 | if (verify(ops)) { | |
139 | printk(KERN_INFO "%s could not verify " | |
140 | "security operations.\n", __FUNCTION__); | |
141 | return -EINVAL; | |
142 | } | |
143 | ||
144 | if (ops == security_ops) { | |
145 | printk(KERN_INFO "%s security operations " | |
146 | "already registered.\n", __FUNCTION__); | |
147 | return -EINVAL; | |
148 | } | |
149 | ||
150 | return security_ops->register_security(name, ops); | |
151 | } | |
152 | ||
153 | /** | |
154 | * mod_unreg_security - allows a security module registered with mod_reg_security() to be unloaded | |
155 | * @name: a pointer to a string with the name of the security_options to be removed | |
156 | * @ops: a pointer to the struct security_options that is to be removed | |
157 | * | |
158 | * This function allows security modules that have been successfully registered | |
159 | * with a call to mod_reg_security() to be unloaded from the system. | |
160 | * This calls the currently loaded security module's unregister_security() call | |
161 | * with the @name and @ops variables. | |
162 | * | |
163 | * The return value depends on the currently loaded security module, with 0 as | |
164 | * success. | |
165 | */ | |
166 | int mod_unreg_security(const char *name, struct security_operations *ops) | |
167 | { | |
168 | if (ops == security_ops) { | |
169 | printk(KERN_INFO "%s invalid attempt to unregister " | |
170 | " primary security ops.\n", __FUNCTION__); | |
171 | return -EINVAL; | |
172 | } | |
173 | ||
174 | return security_ops->unregister_security(name, ops); | |
175 | } | |
176 | ||
1da177e4 LT |
177 | EXPORT_SYMBOL_GPL(register_security); |
178 | EXPORT_SYMBOL_GPL(unregister_security); | |
179 | EXPORT_SYMBOL_GPL(mod_reg_security); | |
180 | EXPORT_SYMBOL_GPL(mod_unreg_security); | |
1da177e4 | 181 | EXPORT_SYMBOL(security_ops); |