Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 6f0f0fd4 authored by James Morris's avatar James Morris
Browse files

security: remove register_security hook



The register security hook is no longer required, as the capability
module is always registered.  LSMs wishing to stack capability as
a secondary module should do so explicitly.

Signed-off-by: default avatarJames Morris <jmorris@namei.org>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Acked-by: default avatarGreg Kroah-Hartman <gregkh@suse.de>
parent 93cbace7
Loading
Loading
Loading
Loading
+0 −10
Original line number Diff line number Diff line
@@ -1239,11 +1239,6 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts)
 *	@pages contains the number of pages.
 *	Return 0 if permission is granted.
 *
 * @register_security:
 *	allow module stacking.
 *	@name contains the name of the security module being stacked.
 *	@ops contains a pointer to the struct security_operations of the module to stack.
 *
 * @secid_to_secctx:
 *	Convert secid to security context.
 *	@secid contains the security ID.
@@ -1471,10 +1466,6 @@ struct security_operations {
	int (*netlink_send) (struct sock *sk, struct sk_buff *skb);
	int (*netlink_recv) (struct sk_buff *skb, int cap);

	/* allow module stacking */
	int (*register_security) (const char *name,
				  struct security_operations *ops);

	void (*d_instantiate) (struct dentry *dentry, struct inode *inode);

	int (*getprocattr) (struct task_struct *p, char *name, char **value);
@@ -1564,7 +1555,6 @@ struct security_operations {
extern int security_init(void);
extern int security_module_enable(struct security_operations *ops);
extern int register_security(struct security_operations *ops);
extern int mod_reg_security(const char *name, struct security_operations *ops);
extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
					     struct dentry *parent, void *data,
					     const struct file_operations *fops);
+0 −7
Original line number Diff line number Diff line
@@ -721,12 +721,6 @@ static int cap_xfrm_decode_session(struct sk_buff *skb, u32 *fl, int ckall)
}

#endif /* CONFIG_SECURITY_NETWORK_XFRM */
static int cap_register_security(const char *name,
				 struct security_operations *ops)
{
	return -EINVAL;
}

static void cap_d_instantiate(struct dentry *dentry, struct inode *inode)
{
}
@@ -940,7 +934,6 @@ void security_fixup_ops(struct security_operations *ops)
	set_to_cap_if_null(ops, sem_semop);
	set_to_cap_if_null(ops, netlink_send);
	set_to_cap_if_null(ops, netlink_recv);
	set_to_cap_if_null(ops, register_security);
	set_to_cap_if_null(ops, d_instantiate);
	set_to_cap_if_null(ops, getprocattr);
	set_to_cap_if_null(ops, setprocattr);
+0 −9
Original line number Diff line number Diff line
@@ -28,9 +28,6 @@
#include <linux/usb.h>
#include <linux/moduleparam.h>

/* flag to keep track of how we were registered */
static int secondary;

/* default is a generic type of usb to serial converter */
static int vendor_id = 0x0557;
static int product_id = 0x2008;
@@ -97,14 +94,8 @@ static int __init rootplug_init (void)
	if (register_security (&rootplug_security_ops)) {
		printk (KERN_INFO 
			"Failure registering Root Plug module with the kernel\n");
		/* try registering with primary module */
		if (mod_reg_security (MY_NAME, &rootplug_security_ops)) {
			printk (KERN_INFO "Failure registering Root Plug "
				" module with primary security module.\n");
			return -EINVAL;
	}
		secondary = 1;
	}
	printk (KERN_INFO "Root Plug module initialized, "
		"vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
	return 0;
+0 −29
Original line number Diff line number Diff line
@@ -125,35 +125,6 @@ int register_security(struct security_operations *ops)
	return 0;
}

/**
 * mod_reg_security - allows security modules to be "stacked"
 * @name: a pointer to a string with the name of the security_options to be registered
 * @ops: a pointer to the struct security_options that is to be registered
 *
 * This function allows security modules to be stacked if the currently loaded
 * security module allows this to happen.  It passes the @name and @ops to the
 * register_security function of the currently loaded security module.
 *
 * The return value depends on the currently loaded security module, with 0 as
 * success.
 */
int mod_reg_security(const char *name, struct security_operations *ops)
{
	if (verify(ops)) {
		printk(KERN_INFO "%s could not verify "
		       "security operations.\n", __func__);
		return -EINVAL;
	}

	if (ops == security_ops) {
		printk(KERN_INFO "%s security operations "
		       "already registered.\n", __func__);
		return -EINVAL;
	}

	return security_ops->register_security(name, ops);
}

/* Security operations */

int security_ptrace(struct task_struct *parent, struct task_struct *child,
+5 −27
Original line number Diff line number Diff line
@@ -126,13 +126,11 @@ __setup("selinux=", selinux_enabled_setup);
int selinux_enabled = 1;
#endif

/* Original (dummy) security module. */
static struct security_operations *original_ops;

/* Minimal support for a secondary security module,
   just to allow the use of the dummy or capability modules.
   The owlsm module can alternatively be used as a secondary
   module as long as CONFIG_OWLSM_FD is not enabled. */
/*
 * Minimal support for a secondary security module,
 * just to allow the use of the capability module.
 */
static struct security_operations *secondary_ops;

/* Lists of inode and superblock security structures initialized
@@ -5115,24 +5113,6 @@ static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
	*secid = isec->sid;
}

/* module stacking operations */
static int selinux_register_security(const char *name, struct security_operations *ops)
{
	if (secondary_ops != original_ops) {
		printk(KERN_ERR "%s:  There is already a secondary security "
		       "module registered.\n", __func__);
		return -EINVAL;
	}

	secondary_ops = ops;

	printk(KERN_INFO "%s:  Registering secondary module %s\n",
	       __func__,
	       name);

	return 0;
}

static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
{
	if (inode)
@@ -5517,8 +5497,6 @@ static struct security_operations selinux_ops = {
	.sem_semctl =			selinux_sem_semctl,
	.sem_semop =			selinux_sem_semop,

	.register_security =		selinux_register_security,

	.d_instantiate =		selinux_d_instantiate,

	.getprocattr =			selinux_getprocattr,
@@ -5612,7 +5590,7 @@ static __init int selinux_init(void)
					    0, SLAB_PANIC, NULL);
	avc_init();

	original_ops = secondary_ops = security_ops;
	secondary_ops = security_ops;
	if (!secondary_ops)
		panic("SELinux: No initial security operations\n");
	if (register_security(&selinux_ops))
Loading