diff options
author | Ahmed S. Darwish <darwish.07@gmail.com> | 2008-03-06 18:09:10 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-04-19 10:00:51 +1000 |
commit | 076c54c5bcaed2081c0cba94a6f77c4d470236ad (patch) | |
tree | 5e8f05cab20a49922618bb3af697a6b46e610eee /include | |
parent | 04305e4aff8b0533dc05f9f6f1a34d0796bd985f (diff) | |
download | blackbird-op-linux-076c54c5bcaed2081c0cba94a6f77c4d470236ad.tar.gz blackbird-op-linux-076c54c5bcaed2081c0cba94a6f77c4d470236ad.zip |
Security: Introduce security= boot parameter
Add the security= boot parameter. This is done to avoid LSM
registration clashes in case of more than one bult-in module.
User can choose a security module to enable at boot. If no
security= boot parameter is specified, only the first LSM
asking for registration will be loaded. An invalid security
module name will be treated as if no module has been chosen.
LSM modules must check now if they are allowed to register
by calling security_module_enable(ops) first. Modify SELinux
and SMACK to do so.
Do not let SMACK register smackfs if it was not chosen on
boot. Smackfs assumes that smack hooks are registered and
the initial task security setup (swapper->security) is done.
Signed-off-by: Ahmed S. Darwish <darwish.07@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/security.h | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/include/linux/security.h b/include/linux/security.h index 697f228daf19..f4116d6ed64b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -36,6 +36,9 @@ extern unsigned securebits; +/* Maximum number of letters for an LSM name string */ +#define SECURITY_NAME_MAX 10 + struct ctl_table; struct audit_krule; @@ -137,6 +140,12 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) /** * struct security_operations - main security structure * + * Security module identifier. + * + * @name: + * A string that acts as a unique identifeir for the LSM with max number + * of characters = SECURITY_NAME_MAX. + * * Security hooks for program execution operations. * * @bprm_alloc_security: @@ -1270,6 +1279,8 @@ static inline void security_free_mnt_opts(struct security_mnt_opts *opts) * This is the main security structure. */ struct security_operations { + char name[SECURITY_NAME_MAX + 1]; + int (*ptrace) (struct task_struct * parent, struct task_struct * child); int (*capget) (struct task_struct * target, kernel_cap_t * effective, @@ -1537,6 +1548,7 @@ struct security_operations { /* prototypes */ extern int security_init (void); +extern int security_module_enable(struct security_operations *ops); extern int register_security (struct security_operations *ops); extern int mod_reg_security (const char *name, struct security_operations *ops); extern struct dentry *securityfs_create_file(const char *name, mode_t mode, |