security/security.c

   1 /*
   2  * Security plug functions
   3  *
   4  * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
   5  * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
   6  * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
   7  *
   8  *      This program is free software; you can redistribute it and/or modify
   9  *      it under the terms of the GNU General Public License as published by
  10  *      the Free Software Foundation; either version 2 of the License, or
  11  *      (at your option) any later version.
  12  */
  13
  14 #include <linux/config.h>
  15 #include <linux/module.h>
  16 #include <linux/init.h>
  17 #include <linux/kernel.h>
  18 #include <linux/sched.h>
  19 #include <linux/security.h>
  20
  21 #define SECURITY_SCAFFOLD_VERSION       "1.0.0"
  22
  23 /* things that live in dummy.c */
  24 extern struct security_operations dummy_security_ops;
  25 extern void security_fixup_ops (struct security_operations *ops);
  26
  27 struct security_operations *security_ops;       /* Initialized to NULL */
  28
  29 static inline int verify (struct security_operations *ops)
  30 {
  31         /* verify the security_operations structure exists */
  32         if (!ops) {
  33                 printk (KERN_INFO "Passed a NULL security_operations "
  34                         "pointer, %s failed.\n", __FUNCTION__);
  35                 return -EINVAL;
  36         }
  37         security_fixup_ops (ops);
  38         return 0;
  39 }
  40
  41 static void __init do_security_initcalls(void)
  42 {
  43         initcall_t *call;
  44         call = &__security_initcall_start;
  45         while (call < &__security_initcall_end) {
  46                 (*call)();
  47                 call++;
  48         }
  49 }
  50
  51 /**
  52  * security_scaffolding_startup - initialzes the security scaffolding framework
  53  *
  54  * This should be called early in the kernel initialization sequence.
  55  */
  56 int __init security_scaffolding_startup (void)
  57 {
  58         printk (KERN_INFO "Security Scaffold v" SECURITY_SCAFFOLD_VERSION
  59                 " initialized\n");
  60
  61         if (verify (&dummy_security_ops)) {
  62                 printk (KERN_ERR "%s could not verify "
  63                         "dummy_security_ops structure.\n", __FUNCTION__);
  64                 return -EIO;
  65         }
  66
  67         security_ops = &dummy_security_ops;
  68         do_security_initcalls();
  69
  70         return 0;
  71 }
  72
  73 /**
  74  * register_security - registers a security framework with the kernel
  75  * @ops: a pointer to the struct security_options that is to be registered
  76  *
  77  * This function is to allow a security module to register itself with the
  78  * kernel security subsystem.  Some rudimentary checking is done on the @ops
  79  * value passed to this function.  A call to unregister_security() should be
  80  * done to remove this security_options structure from the kernel.
  81  *
  82  * If the @ops structure does not contain function pointers for all hooks in
  83  * the structure, or there is already a security module registered with the
  84  * kernel, an error will be returned.  Otherwise 0 is returned on success.
  85  */
  86 int register_security (struct security_operations *ops)
  87 {
  88         if (verify (ops)) {
  89                 printk (KERN_INFO "%s could not verify "
  90                         "security_operations structure.\n", __FUNCTION__);
  91                 return -EINVAL;
  92         }
  93
  94         if (security_ops != &dummy_security_ops) {
  95                 printk (KERN_INFO "There is already a security "
  96                         "framework initialized, %s failed.\n", __FUNCTION__);
  97                 return -EINVAL;
  98         }
  99
 100         security_ops = ops;
 101
 102         return 0;
 103 }
 104
 105 /**
 106  * unregister_security - unregisters a security framework with the kernel
 107  * @ops: a pointer to the struct security_options that is to be registered
 108  *
 109  * This function removes a struct security_operations variable that had
 110  * previously been registered with a successful call to register_security().
 111  *
 112  * If @ops does not match the valued previously passed to register_security()
 113  * an error is returned.  Otherwise the default security options is set to the
 114  * the dummy_security_ops structure, and 0 is returned.
 115  */
 116 int unregister_security (struct security_operations *ops)
 117 {
 118         if (ops != security_ops) {
 119                 printk (KERN_INFO "%s: trying to unregister "
 120                         "a security_opts structure that is not "
 121                         "registered, failing.\n", __FUNCTION__);
 122                 return -EINVAL;
 123         }
 124
 125         security_ops = &dummy_security_ops;
 126
 127         return 0;
 128 }
 129
 130 /**
 131  * mod_reg_security - allows security modules to be "stacked"
 132  * @name: a pointer to a string with the name of the security_options to be registered
 133  * @ops: a pointer to the struct security_options that is to be registered
 134  *
 135  * This function allows security modules to be stacked if the currently loaded
 136  * security module allows this to happen.  It passes the @name and @ops to the
 137  * register_security function of the currently loaded security module.
 138  *
 139  * The return value depends on the currently loaded security module, with 0 as
 140  * success.
 141  */
 142 int mod_reg_security (const char *name, struct security_operations *ops)
 143 {
 144         if (verify (ops)) {
 145                 printk (KERN_INFO "%s could not verify "
 146                         "security operations.\n", __FUNCTION__);
 147                 return -EINVAL;
 148         }
 149
 150         if (ops == security_ops) {
 151                 printk (KERN_INFO "%s security operations "
 152                         "already registered.\n", __FUNCTION__);
 153                 return -EINVAL;
 154         }
 155
 156         return security_ops->register_security (name, ops);
 157 }
 158
 159 /**
 160  * mod_unreg_security - allows a security module registered with mod_reg_security() to be unloaded
 161  * @name: a pointer to a string with the name of the security_options to be removed
 162  * @ops: a pointer to the struct security_options that is to be removed
 163  *
 164  * This function allows security modules that have been successfully registered
 165  * with a call to mod_reg_security() to be unloaded from the system.
 166  * This calls the currently loaded security module's unregister_security() call
 167  * with the @name and @ops variables.
 168  *
 169  * The return value depends on the currently loaded security module, with 0 as
 170  * success.
 171  */
 172 int mod_unreg_security (const char *name, struct security_operations *ops)
 173 {
 174         if (ops == security_ops) {
 175                 printk (KERN_INFO "%s invalid attempt to unregister "
 176                         " primary security ops.\n", __FUNCTION__);
 177                 return -EINVAL;
 178         }
 179
 180         return security_ops->unregister_security (name, ops);
 181 }
 182
 183 /**
 184  * capable - calls the currently loaded security module's capable() function with the specified capability
 185  * @cap: the requested capability level.
 186  *
 187  * This function calls the currently loaded security module's cabable()
 188  * function with a pointer to the current task and the specified @cap value.
 189  *
 190  * This allows the security module to implement the capable function call
 191  * however it chooses to.
 192  */
 193 int capable (int cap)
 194 {
 195         if (security_ops->capable (current, cap)) {
 196                 /* capability denied */
 197                 return 0;
 198         }
 199
 200         /* capability granted */
 201         current->flags |= PF_SUPERPRIV;
 202         return 1;
 203 }
 204
 205 EXPORT_SYMBOL_GPL(register_security);
 206 EXPORT_SYMBOL_GPL(unregister_security);
 207 EXPORT_SYMBOL_GPL(mod_reg_security);
 208 EXPORT_SYMBOL_GPL(mod_unreg_security);
 209 EXPORT_SYMBOL(capable);
 210 EXPORT_SYMBOL(security_ops);