security/security.c

   1 /*
   2  * Security plug functions
   3  *
   4  * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
   5  * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
   6  * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
   7  *
   8  *      This program is free software; you can redistribute it and/or modify
   9  *      it under the terms of the GNU General Public License as published by
  10  *      the Free Software Foundation; either version 2 of the License, or
  11  *      (at your option) any later version.
  12  */
  13
  14 #include <linux/capability.h>
  15 #include <linux/module.h>
  16 #include <linux/init.h>
  17 #include <linux/kernel.h>
  18 #include <linux/security.h>
  19
  20 #define SECURITY_FRAMEWORK_VERSION      "1.0.0"
  21
  22 /* things that live in dummy.c */
  23 extern struct security_operations dummy_security_ops;
  24 extern void security_fixup_ops(struct security_operations *ops);
  25
  26 struct security_operations *security_ops;       /* Initialized to NULL */
  27
  28 static inline int verify(struct security_operations *ops)
  29 {
  30         /* verify the security_operations structure exists */
  31         if (!ops)
  32                 return -EINVAL;
  33         security_fixup_ops(ops);
  34         return 0;
  35 }
  36
  37 static void __init do_security_initcalls(void)
  38 {
  39         initcall_t *call;
  40         call = __security_initcall_start;
  41         while (call < __security_initcall_end) {
  42                 (*call) ();
  43                 call++;
  44         }
  45 }
  46
  47 /**
  48  * security_init - initializes the security framework
  49  *
  50  * This should be called early in the kernel initialization sequence.
  51  */
  52 int __init security_init(void)
  53 {
  54         printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION
  55                " initialized\n");
  56
  57         if (verify(&dummy_security_ops)) {
  58                 printk(KERN_ERR "%s could not verify "
  59                        "dummy_security_ops structure.\n", __FUNCTION__);
  60                 return -EIO;
  61         }
  62
  63         security_ops = &dummy_security_ops;
  64         do_security_initcalls();
  65
  66         return 0;
  67 }
  68
  69 /**
  70  * register_security - registers a security framework with the kernel
  71  * @ops: a pointer to the struct security_options that is to be registered
  72  *
  73  * This function is to allow a security module to register itself with the
  74  * kernel security subsystem.  Some rudimentary checking is done on the @ops
  75  * value passed to this function.  A call to unregister_security() should be
  76  * done to remove this security_options structure from the kernel.
  77  *
  78  * If there is already a security module registered with the kernel,
  79  * an error will be returned.  Otherwise 0 is returned on success.
  80  */
  81 int register_security(struct security_operations *ops)
  82 {
  83         if (verify(ops)) {
  84                 printk(KERN_DEBUG "%s could not verify "
  85                        "security_operations structure.\n", __FUNCTION__);
  86                 return -EINVAL;
  87         }
  88
  89         if (security_ops != &dummy_security_ops)
  90                 return -EAGAIN;
  91
  92         security_ops = ops;
  93
  94         return 0;
  95 }
  96
  97 /**
  98  * unregister_security - unregisters a security framework with the kernel
  99  * @ops: a pointer to the struct security_options that is to be registered
 100  *
 101  * This function removes a struct security_operations variable that had
 102  * previously been registered with a successful call to register_security().
 103  *
 104  * If @ops does not match the valued previously passed to register_security()
 105  * an error is returned.  Otherwise the default security options is set to the
 106  * the dummy_security_ops structure, and 0 is returned.
 107  */
 108 int unregister_security(struct security_operations *ops)
 109 {
 110         if (ops != security_ops) {
 111                 printk(KERN_INFO "%s: trying to unregister "
 112                        "a security_opts structure that is not "
 113                        "registered, failing.\n", __FUNCTION__);
 114                 return -EINVAL;
 115         }
 116
 117         security_ops = &dummy_security_ops;
 118
 119         return 0;
 120 }
 121
 122 /**
 123  * mod_reg_security - allows security modules to be "stacked"
 124  * @name: a pointer to a string with the name of the security_options to be registered
 125  * @ops: a pointer to the struct security_options that is to be registered
 126  *
 127  * This function allows security modules to be stacked if the currently loaded
 128  * security module allows this to happen.  It passes the @name and @ops to the
 129  * register_security function of the currently loaded security module.
 130  *
 131  * The return value depends on the currently loaded security module, with 0 as
 132  * success.
 133  */
 134 int mod_reg_security(const char *name, struct security_operations *ops)
 135 {
 136         if (verify(ops)) {
 137                 printk(KERN_INFO "%s could not verify "
 138                        "security operations.\n", __FUNCTION__);
 139                 return -EINVAL;
 140         }
 141
 142         if (ops == security_ops) {
 143                 printk(KERN_INFO "%s security operations "
 144                        "already registered.\n", __FUNCTION__);
 145                 return -EINVAL;
 146         }
 147
 148         return security_ops->register_security(name, ops);
 149 }
 150
 151 /**
 152  * mod_unreg_security - allows a security module registered with mod_reg_security() to be unloaded
 153  * @name: a pointer to a string with the name of the security_options to be removed
 154  * @ops: a pointer to the struct security_options that is to be removed
 155  *
 156  * This function allows security modules that have been successfully registered
 157  * with a call to mod_reg_security() to be unloaded from the system.
 158  * This calls the currently loaded security module's unregister_security() call
 159  * with the @name and @ops variables.
 160  *
 161  * The return value depends on the currently loaded security module, with 0 as
 162  * success.
 163  */
 164 int mod_unreg_security(const char *name, struct security_operations *ops)
 165 {
 166         if (ops == security_ops) {
 167                 printk(KERN_INFO "%s invalid attempt to unregister "
 168                        " primary security ops.\n", __FUNCTION__);
 169                 return -EINVAL;
 170         }
 171
 172         return security_ops->unregister_security(name, ops);
 173 }
 174
 175 EXPORT_SYMBOL_GPL(register_security);
 176 EXPORT_SYMBOL_GPL(unregister_security);
 177 EXPORT_SYMBOL_GPL(mod_reg_security);
 178 EXPORT_SYMBOL_GPL(mod_unreg_security);
 179 EXPORT_SYMBOL(security_ops);