X-Git-Url: http://git.onelab.eu/?a=blobdiff_plain;f=security%2Fsecurity.c;h=b457664412835d8e2a2629098a87769a9d864037;hb=6a77f38946aaee1cd85eeec6cf4229b204c15071;hp=70a9fcfde8e32b86b4067a67ba81c8dc30322d20;hpb=87fc8d1bb10cd459024a742c6a10961fefcef18f;p=linux-2.6.git
diff --git a/security/security.c b/security/security.c
index 70a9fcfde..b45766441 100644
--- a/security/security.c
+++ b/security/security.c
@@ -18,49 +18,46 @@ #include #include -#define SECURITY_SCAFFOLD_VERSION "1.0.0" +#define SECURITY_FRAMEWORK_VERSION "1.0.0" /* things that live in dummy.c */ extern struct security_operations dummy_security_ops; -extern void security_fixup_ops (struct security_operations *ops); +extern void security_fixup_ops(struct security_operations *ops); struct security_operations *security_ops; /* Initialized to NULL */ -static inline int verify (struct security_operations *ops) +static inline int verify(struct security_operations *ops) { /* verify the security_operations structure exists */ - if (!ops) { - printk (KERN_INFO "Passed a NULL security_operations " - "pointer, %s failed.\n", __FUNCTION__); + if (!ops) return -EINVAL; - } - security_fixup_ops (ops); + security_fixup_ops(ops); return 0; } static void __init do_security_initcalls(void) { initcall_t *call; - call = &__security_initcall_start; - while (call < &__security_initcall_end) { - (*call)(); + call = __security_initcall_start; + while (call < __security_initcall_end) { + (*call) (); call++; } } /** - * security_scaffolding_startup - initializes the security scaffolding framework + * security_init - initializes the security framework * * This should be called early in the kernel initialization sequence. */ -int __init security_scaffolding_startup (void) +int __init security_init(void) { - printk (KERN_INFO "Security Scaffold v" SECURITY_SCAFFOLD_VERSION - " initialized\n"); + printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION + " initialized\n"); - if (verify (&dummy_security_ops)) { - printk (KERN_ERR "%s could not verify " - "dummy_security_ops structure.\n", __FUNCTION__); + if (verify(&dummy_security_ops)) { + printk(KERN_ERR "%s could not verify " + "dummy_security_ops structure.\n", __FUNCTION__); return -EIO; } 
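Review bot: The loop in do_security_initcalls() discards whatever each security initcall returns, so a security module that fails to initialise during boot leaves no trace in the log. Assuming initcall_t still returns int (its typedef is outside this hunk), the call could become `int ret = (*call)();` followed by `if (ret) printk(KERN_WARNING "security initcall %p returned %d\n", *call, ret);`. The rewritten line `(*call) ();` also keeps a space before the argument list, which is the spacing the rest of this commit removes. security_init()'s body continues past the end of the hunk.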
@@ -82,19 +79,16 @@ int __init security_scaffolding_startup (void) * If there is already a security module registered with the kernel, * an error will be returned. Otherwise 0 is returned on success. */ -int register_security (struct security_operations *ops) +int register_security(struct security_operations *ops) { - if (verify (ops)) { - printk (KERN_INFO "%s could not verify " - "security_operations structure.\n", __FUNCTION__); + if (verify(ops)) { + printk(KERN_DEBUG "%s could not verify " + "security_operations structure.\n", __FUNCTION__); return -EINVAL; } - if (security_ops != &dummy_security_ops) { - printk (KERN_INFO "There is already a security " - "framework initialized, %s failed.\n", __FUNCTION__); - return -EINVAL; - } + if (security_ops != &dummy_security_ops) + return -EAGAIN; security_ops = ops; @@ -112,12 +106,12 @@ int register_security (struct security_operations *ops) * an error is returned. Otherwise the default security options is set to the * the dummy_security_ops structure, and 0 is returned. */ -int unregister_security (struct security_operations *ops) +int unregister_security(struct security_operations *ops) { if (ops != security_ops) { - printk (KERN_INFO "%s: trying to unregister " - "a security_opts structure that is not " - "registered, failing.\n", __FUNCTION__); + printk(KERN_INFO "%s: trying to unregister " + "a security_opts structure that is not " + "registered, failing.\n", __FUNCTION__); return -EINVAL; } 
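Review bot: The test `security_ops != &dummy_security_ops` and the store `security_ops = ops;` in register_security() are separate steps with no lock taken between the function's opening brace and the assignment, so two modules registering at the same time could both pass the test and the later store would silently replace the earlier module. Unless every caller is already serialised elsewhere (not visible here), the test and the store should sit under one lock that unregister_security() also takes. The kernel-doc above still says only that "an error will be returned"; now that the two failures differ, it should state that `-EINVAL` means the ops failed verify() and `-EAGAIN` means another primary module is already registered. The function body continues past the end of this hunk.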
@@ -138,21 +132,21 @@ int unregister_security (struct security_operations *ops) * The return value depends on the currently loaded security module, with 0 as * success. */ -int mod_reg_security (const char *name, struct security_operations *ops) +int mod_reg_security(const char *name, struct security_operations *ops) { - if (verify (ops)) { - printk (KERN_INFO "%s could not verify " - "security operations.\n", __FUNCTION__); + if (verify(ops)) { + printk(KERN_INFO "%s could not verify " + "security operations.\n", __FUNCTION__); return -EINVAL; } if (ops == security_ops) { - printk (KERN_INFO "%s security operations " - "already registered.\n", __FUNCTION__); + printk(KERN_INFO "%s security operations " + "already registered.\n", __FUNCTION__); return -EINVAL; } - return security_ops->register_security (name, ops); + return security_ops->register_security(name, ops); } /** @@ -168,15 +162,15 @@ int mod_reg_security (const char *name, struct security_operations *ops) * The return value depends on the currently loaded security module, with 0 as * success. */ -int mod_unreg_security (const char *name, struct security_operations *ops) +int mod_unreg_security(const char *name, struct security_operations *ops) { if (ops == security_ops) { - printk (KERN_INFO "%s invalid attempt to unregister " - " primary security ops.\n", __FUNCTION__); + printk(KERN_INFO "%s invalid attempt to unregister " + " primary security ops.\n", __FUNCTION__); return -EINVAL; } - return security_ops->unregister_security (name, ops); + return security_ops->unregister_security(name, ops); } /** 
@@ -189,9 +183,11 @@ int mod_unreg_security (const char *name, struct security_operations *ops) * This allows the security module to implement the capable function call * however it chooses to. */ -int capable (int cap) +int capable(int cap) { - if (security_ops->capable (current, cap)) { + if (vx_check_bit(VXC_CAP_MASK, cap) && !vx_mcaps(1L << cap)) + return 0; + if (security_ops->capable(current, cap)) { /* capability denied */ return 0; } @@ -201,9 +197,24 @@ int capable (int cap) return 1; } +int vx_capable(int cap, int ccap) +{ + if (security_ops->capable(current, cap)) { + /* capability denied */ + return 0; + } + if (!vx_ccaps(ccap)) + return 0; + + /* capability granted */ + current->flags |= PF_SUPERPRIV; + return 1; +} + EXPORT_SYMBOL_GPL(register_security); EXPORT_SYMBOL_GPL(unregister_security); EXPORT_SYMBOL_GPL(mod_reg_security); EXPORT_SYMBOL_GPL(mod_unreg_security); EXPORT_SYMBOL(capable); +EXPORT_SYMBOL(vx_capable); EXPORT_SYMBOL(security_ops);
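Review bot: The added test in capable() evaluates `1L << cap` with no bound on `cap`, a plain int supplied by the caller; a negative value or one at or above the width of long makes the shift undefined, and bit 31 on a 32-bit long shifts into the sign bit. Whether vx_check_bit() already rejects such values cannot be seen from this hunk, so a guard ahead of the new line such as `if (cap < 0 || cap >= BITS_PER_LONG) return 0;` together with an unsigned constant, `1UL << cap`, would make the check fail closed. A short comment on the new line saying that the context capability mask is consulted before the LSM hook would also help, because the kernel-doc above describes only the security-module path. capable()'s body runs on into the next hunk and its kernel-doc starts before this one.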
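Review bot: vx_capable() is exported without the kernel-doc block that the other entry points in this file carry, and it differs from capable() in two ways a caller cannot tell are deliberate: it skips the `vx_check_bit(VXC_CAP_MASK, cap)` / `vx_mcaps()` test this commit adds to capable(), and it runs the context check after the LSM hook instead of before it. If skipping the mask is intended, a kernel-doc block should say so and describe `@cap` and `@ccap`, for example with the summary line `vx_capable - capable() variant that also requires context capability @ccap`. Moving `if (!vx_ccaps(ccap)) return 0;` ahead of the `security_ops->capable(current, cap)` call would match the order used in capable() and avoid invoking the security module's hook, which may have side effects such as auditing, for a request the context refuses anyway.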