Contents of /alx-src/tags/kernel26-2.6.12-alx-r9/security/security.c
Revision 630 -
Wed Mar 4 11:03:09 2009 UTC (15 years, 6 months ago) by niro
File MIME type: text/plain
File size: 6183 byte(s)
Tag kernel26-2.6.12-alx-r9
1 | /* |
2 | * Security plug functions |
3 | * |
4 | * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com> |
5 | * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com> |
6 | * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com> |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify |
9 | * it under the terms of the GNU General Public License as published by |
10 | * the Free Software Foundation; either version 2 of the License, or |
11 | * (at your option) any later version. |
12 | */ |
13 | |
14 | #include <linux/config.h> |
15 | #include <linux/module.h> |
16 | #include <linux/init.h> |
17 | #include <linux/kernel.h> |
18 | #include <linux/sched.h> |
19 | #include <linux/security.h> |
20 | |
#define SECURITY_FRAMEWORK_VERSION	"1.0.0"

/* Provided by dummy.c: the default operations table and its fixup helper. */
extern struct security_operations dummy_security_ops;
extern void security_fixup_ops(struct security_operations *ops);

/*
 * The operations table that every hook in this file dispatches through.
 * It has file-scope storage, so it is NULL until security_init() points it
 * at dummy_security_ops.
 */
struct security_operations *security_ops;
28 | |
/*
 * verify - minimal sanity check on an operations table
 * @ops: the table a caller wants to install
 *
 * Returns -EINVAL when @ops is NULL. Otherwise hands @ops to
 * security_fixup_ops() (defined in dummy.c) and returns 0. No individual
 * hook pointer is inspected here; what the fixup does to the table is not
 * visible in this file.
 */
static inline int verify(struct security_operations *ops)
{
	if (ops) {
		security_fixup_ops(ops);
		return 0;
	}

	/* no security_operations structure was supplied */
	return -EINVAL;
}
37 | |
/*
 * Invoke every function pointer stored between __security_initcall_start
 * and __security_initcall_end, in ascending address order. The value each
 * call returns is discarded.
 */
static void __init do_security_initcalls(void)
{
	initcall_t *fn;

	for (fn = __security_initcall_start; fn < __security_initcall_end; fn++)
		(*fn) ();
}
47 | |
48 | /** |
49 | * security_init - initializes the security framework |
50 | * |
51 | * This should be called early in the kernel initialization sequence. |
52 | */ |
int __init security_init(void)
{
	int err;

	/* Note: this banner is emitted before dummy_security_ops is verified. */
	printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION
	       " initialized\n");

	err = verify(&dummy_security_ops);
	if (err) {
		printk(KERN_ERR "%s could not verify "
		       "dummy_security_ops structure.\n", __FUNCTION__);
		return -EIO;
	}

	/*
	 * register_security() only accepts a module while security_ops still
	 * points at dummy_security_ops, so the dummy table has to be in place
	 * before the security initcalls run.
	 */
	security_ops = &dummy_security_ops;
	do_security_initcalls();

	return 0;
}
69 | |
70 | /** |
71 | * register_security - registers a security framework with the kernel |
72 | * @ops: a pointer to the struct security_operations that is to be registered |
73 | * |
74 | * This function is to allow a security module to register itself with the |
75 | * kernel security subsystem. Some rudimentary checking is done on the @ops |
76 | * value passed to this function. A call to unregister_security() should be |
77 | * done to remove this security_operations structure from the kernel. |
78 | * |
79 | * If there is already a security module registered with the kernel, |
80 | * an error will be returned. Otherwise 0 is returned on success. |
81 | */ |
int register_security(struct security_operations *ops)
{
	int bad = verify(ops);

	if (bad) {
		printk(KERN_DEBUG "%s could not verify "
		       "security_operations structure.\n", __FUNCTION__);
		return -EINVAL;
	}

	/*
	 * Only one primary module at a time: the slot is free only while the
	 * dummy table is still installed.
	 * NOTE(review): the test and the assignment below are not done under
	 * any lock visible in this function - confirm that callers are
	 * serialized.
	 */
	if (security_ops == &dummy_security_ops) {
		security_ops = ops;
		return 0;
	}

	return -EAGAIN;
}
97 | |
98 | /** |
99 | * unregister_security - unregisters a security framework with the kernel |
100 | * @ops: a pointer to the struct security_operations that is to be unregistered |
101 | * |
102 | * This function removes a struct security_operations variable that had |
103 | * previously been registered with a successful call to register_security(). |
104 | * |
105 | * If @ops does not match the value previously passed to register_security() |
106 | * an error is returned. Otherwise the default security operations are set to |
107 | * the dummy_security_ops structure, and 0 is returned. |
108 | */ |
int unregister_security(struct security_operations *ops)
{
	/* Only the table that is currently installed may be removed. */
	if (ops == security_ops) {
		/* Fall back to the dummy table; the pointer is not set to NULL. */
		security_ops = &dummy_security_ops;
		return 0;
	}

	printk(KERN_INFO "%s: trying to unregister "
	       "a security_opts structure that is not "
	       "registered, failing.\n", __FUNCTION__);
	return -EINVAL;
}
122 | |
123 | /** |
124 | * mod_reg_security - allows security modules to be "stacked" |
125 | * @name: a pointer to a string with the name of the security_operations to be registered |
126 | * @ops: a pointer to the struct security_operations that is to be registered |
127 | * |
128 | * This function allows security modules to be stacked if the currently loaded |
129 | * security module allows this to happen. It passes the @name and @ops to the |
130 | * register_security function of the currently loaded security module. |
131 | * |
132 | * The return value depends on the currently loaded security module, with 0 as |
133 | * success. |
134 | */ |
int mod_reg_security(const char *name, struct security_operations *ops)
{
	int bad = verify(ops);

	if (bad) {
		printk(KERN_INFO "%s could not verify "
		       "security operations.\n", __FUNCTION__);
		return -EINVAL;
	}

	/* The primary table cannot be stacked on top of itself. */
	if (security_ops == ops) {
		printk(KERN_INFO "%s security operations "
		       "already registered.\n", __FUNCTION__);
		return -EINVAL;
	}

	/*
	 * Whether stacking is permitted is decided entirely by the primary
	 * module's own register_security hook; its result is passed back
	 * unchanged.
	 */
	return security_ops->register_security(name, ops);
}
151 | |
152 | /** |
153 | * mod_unreg_security - allows a security module registered with mod_reg_security() to be unloaded |
154 | * @name: a pointer to a string with the name of the security_operations to be removed |
155 | * @ops: a pointer to the struct security_operations that is to be removed |
156 | * |
157 | * This function allows security modules that have been successfully registered |
158 | * with a call to mod_reg_security() to be unloaded from the system. |
159 | * This calls the currently loaded security module's unregister_security() call |
160 | * with the @name and @ops variables. |
161 | * |
162 | * The return value depends on the currently loaded security module, with 0 as |
163 | * success. |
164 | */ |
int mod_unreg_security(const char *name, struct security_operations *ops)
{
	/*
	 * The primary table must be removed with unregister_security(), not
	 * through the stacking interface.
	 */
	if (security_ops == ops) {
		printk(KERN_INFO "%s invalid attempt to unregister "
		       " primary security ops.\n", __FUNCTION__);
		return -EINVAL;
	}

	/*
	 * Unlike mod_reg_security(), @ops is not passed through verify() here,
	 * so a NULL @ops is forwarded as-is to the primary module's hook.
	 */
	return security_ops->unregister_security(name, ops);
}
175 | |
176 | /** |
177 | * capable - calls the currently loaded security module's capable() function with the specified capability |
178 | * @cap: the requested capability level. |
179 | * |
180 | * This function calls the currently loaded security module's capable() |
181 | * function with a pointer to the current task and the specified @cap value. |
182 | * |
183 | * This allows the security module to implement the capable function call |
184 | * however it chooses to. |
185 | */ |
int capable(int cap)
{
	/*
	 * The module hook returns zero to grant and non-zero to deny; this
	 * wrapper turns that into a boolean (1 = granted, 0 = denied), not an
	 * errno value.
	 */
	if (security_ops->capable(current, cap) == 0) {
		/* capability granted: mark the task with PF_SUPERPRIV */
		current->flags |= PF_SUPERPRIV;
		return 1;
	}

	/* capability denied: task flags are left untouched */
	return 0;
}
197 | |
/* Registration entry points: exported to GPL-compatible modules only. */
EXPORT_SYMBOL_GPL(register_security);
EXPORT_SYMBOL_GPL(unregister_security);
EXPORT_SYMBOL_GPL(mod_reg_security);
EXPORT_SYMBOL_GPL(mod_unreg_security);

/*
 * Exported without the GPL restriction.
 * NOTE(review): security_ops is exported as a plain, writable pointer, so
 * code that links against it can read or assign it directly without going
 * through the checks in register_security()/unregister_security().
 */
EXPORT_SYMBOL(security_ops);
EXPORT_SYMBOL(capable);