security/security.c

   1 /*
   2  * Security plug functions
   3  *
   4  * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
   5  * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
   6  * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
   7  *
   8  *      This program is free software; you can redistribute it and/or modify
   9  *      it under the terms of the GNU General Public License as published by
  10  *      the Free Software Foundation; either version 2 of the License, or
  11  *      (at your option) any later version.
  12  */
  13
  14 #include <linux/capability.h>
  15 #include <linux/config.h>
  16 #include <linux/module.h>
  17 #include <linux/init.h>
  18 #include <linux/kernel.h>
  19 #include <linux/sched.h>
  20 #include <linux/security.h>
  21
  22 #define SECURITY_FRAMEWORK_VERSION      "1.0.0"
  23
  24 /* things that live in dummy.c */
  25 extern struct security_operations dummy_security_ops;
  26 extern void security_fixup_ops(struct security_operations *ops);
  27
  28 struct security_operations *security_ops;       /* Initialized to NULL */
  29
  30 static inline int verify(struct security_operations *ops)
  31 {
  32         /* verify the security_operations structure exists */
  33         if (!ops)
  34                 return -EINVAL;
  35         security_fixup_ops(ops);
  36         return 0;
  37 }
  38
  39 static void __init do_security_initcalls(void)
  40 {
  41         initcall_t *call;
  42         call = __security_initcall_start;
  43         while (call < __security_initcall_end) {
  44                 (*call) ();
  45                 call++;
  46         }
  47 }
  48
  49 /**
  50  * security_init - initializes the security framework
  51  *
  52  * This should be called early in the kernel initialization sequence.
  53  */
  54 int __init security_init(void)
  55 {
  56         printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION
  57                " initialized\n");
  58
  59         if (verify(&dummy_security_ops)) {
  60                 printk(KERN_ERR "%s could not verify "
  61                        "dummy_security_ops structure.\n", __FUNCTION__);
  62                 return -EIO;
  63         }
  64
  65         security_ops = &dummy_security_ops;
  66         do_security_initcalls();
  67
  68         return 0;
  69 }
  70
  71 /**
  72  * register_security - registers a security framework with the kernel
  73  * @ops: a pointer to the struct security_options that is to be registered
  74  *
  75  * This function is to allow a security module to register itself with the
  76  * kernel security subsystem.  Some rudimentary checking is done on the @ops
  77  * value passed to this function.  A call to unregister_security() should be
  78  * done to remove this security_options structure from the kernel.
  79  *
  80  * If there is already a security module registered with the kernel,
  81  * an error will be returned.  Otherwise 0 is returned on success.
  82  */
  83 int register_security(struct security_operations *ops)
  84 {
  85         if (verify(ops)) {
  86                 printk(KERN_DEBUG "%s could not verify "
  87                        "security_operations structure.\n", __FUNCTION__);
  88                 return -EINVAL;
  89         }
  90
  91         if (security_ops != &dummy_security_ops)
  92                 return -EAGAIN;
  93
  94         security_ops = ops;
  95
  96         return 0;
  97 }
  98
  99 /**
 100  * unregister_security - unregisters a security framework with the kernel
 101  * @ops: a pointer to the struct security_options that is to be registered
 102  *
 103  * This function removes a struct security_operations variable that had
 104  * previously been registered with a successful call to register_security().
 105  *
 106  * If @ops does not match the valued previously passed to register_security()
 107  * an error is returned.  Otherwise the default security options is set to the
 108  * the dummy_security_ops structure, and 0 is returned.
 109  */
 110 int unregister_security(struct security_operations *ops)
 111 {
 112         if (ops != security_ops) {
 113                 printk(KERN_INFO "%s: trying to unregister "
 114                        "a security_opts structure that is not "
 115                        "registered, failing.\n", __FUNCTION__);
 116                 return -EINVAL;
 117         }
 118
 119         security_ops = &dummy_security_ops;
 120
 121         return 0;
 122 }
 123
 124 /**
 125  * mod_reg_security - allows security modules to be "stacked"
 126  * @name: a pointer to a string with the name of the security_options to be registered
 127  * @ops: a pointer to the struct security_options that is to be registered
 128  *
 129  * This function allows security modules to be stacked if the currently loaded
 130  * security module allows this to happen.  It passes the @name and @ops to the
 131  * register_security function of the currently loaded security module.
 132  *
 133  * The return value depends on the currently loaded security module, with 0 as
 134  * success.
 135  */
 136 int mod_reg_security(const char *name, struct security_operations *ops)
 137 {
 138         if (verify(ops)) {
 139                 printk(KERN_INFO "%s could not verify "
 140                        "security operations.\n", __FUNCTION__);
 141                 return -EINVAL;
 142         }
 143
 144         if (ops == security_ops) {
 145                 printk(KERN_INFO "%s security operations "
 146                        "already registered.\n", __FUNCTION__);
 147                 return -EINVAL;
 148         }
 149
 150         return security_ops->register_security(name, ops);
 151 }
 152
 153 /**
 154  * mod_unreg_security - allows a security module registered with mod_reg_security() to be unloaded
 155  * @name: a pointer to a string with the name of the security_options to be removed
 156  * @ops: a pointer to the struct security_options that is to be removed
 157  *
 158  * This function allows security modules that have been successfully registered
 159  * with a call to mod_reg_security() to be unloaded from the system.
 160  * This calls the currently loaded security module's unregister_security() call
 161  * with the @name and @ops variables.
 162  *
 163  * The return value depends on the currently loaded security module, with 0 as
 164  * success.
 165  */
 166 int mod_unreg_security(const char *name, struct security_operations *ops)
 167 {
 168         if (ops == security_ops) {
 169                 printk(KERN_INFO "%s invalid attempt to unregister "
 170                        " primary security ops.\n", __FUNCTION__);
 171                 return -EINVAL;
 172         }
 173
 174         return security_ops->unregister_security(name, ops);
 175 }
 176
 177 EXPORT_SYMBOL_GPL(register_security);
 178 EXPORT_SYMBOL_GPL(unregister_security);
 179 EXPORT_SYMBOL_GPL(mod_reg_security);
 180 EXPORT_SYMBOL_GPL(mod_unreg_security);
 181 EXPORT_SYMBOL(security_ops);