1/*
2 * Security plug functions
3 *
4 * Copyright (C) 2001 WireX Communications, Inc <chris@wirex.com>
5 * Copyright (C) 2001-2002 Greg Kroah-Hartman <greg@kroah.com>
6 * Copyright (C) 2001 Networks Associates Technology, Inc <ssmalley@nai.com>
7 *
8 *	This program is free software; you can redistribute it and/or modify
9 *	it under the terms of the GNU General Public License as published by
10 *	the Free Software Foundation; either version 2 of the License, or
11 *	(at your option) any later version.
12 */
13
14#include <linux/capability.h>
15#include <linux/module.h>
16#include <linux/init.h>
17#include <linux/kernel.h>
18#include <linux/security.h>
19
20#define SECURITY_FRAMEWORK_VERSION	"1.0.0"
21
22/* things that live in dummy.c */
23extern struct security_operations dummy_security_ops;
24extern void security_fixup_ops(struct security_operations *ops);
25
26struct security_operations *security_ops;	/* Initialized to NULL */
27
28static inline int verify(struct security_operations *ops)
29{
30	/* verify the security_operations structure exists */
31	if (!ops)
32		return -EINVAL;
33	security_fixup_ops(ops);
34	return 0;
35}
36
37static void __init do_security_initcalls(void)
38{
39	initcall_t *call;
40	call = __security_initcall_start;
41	while (call < __security_initcall_end) {
42		(*call) ();
43		call++;
44	}
45}
46
47/**
48 * security_init - initializes the security framework
49 *
50 * This should be called early in the kernel initialization sequence.
51 */
52int __init security_init(void)
53{
54	printk(KERN_INFO "Security Framework v" SECURITY_FRAMEWORK_VERSION
55	       " initialized\n");
56
57	if (verify(&dummy_security_ops)) {
58		printk(KERN_ERR "%s could not verify "
59		       "dummy_security_ops structure.\n", __FUNCTION__);
60		return -EIO;
61	}
62
63	security_ops = &dummy_security_ops;
64	do_security_initcalls();
65
66	return 0;
67}
68
69/**
70 * register_security - registers a security framework with the kernel
71 * @ops: a pointer to the struct security_options that is to be registered
72 *
73 * This function is to allow a security module to register itself with the
74 * kernel security subsystem.  Some rudimentary checking is done on the @ops
75 * value passed to this function.  A call to unregister_security() should be
76 * done to remove this security_options structure from the kernel.
77 *
78 * If there is already a security module registered with the kernel,
79 * an error will be returned.  Otherwise 0 is returned on success.
80 */
81int register_security(struct security_operations *ops)
82{
83	if (verify(ops)) {
84		printk(KERN_DEBUG "%s could not verify "
85		       "security_operations structure.\n", __FUNCTION__);
86		return -EINVAL;
87	}
88
89	if (security_ops != &dummy_security_ops)
90		return -EAGAIN;
91
92	security_ops = ops;
93
94	return 0;
95}
96
97/**
98 * unregister_security - unregisters a security framework with the kernel
99 * @ops: a pointer to the struct security_options that is to be registered
100 *
101 * This function removes a struct security_operations variable that had
102 * previously been registered with a successful call to register_security().
103 *
104 * If @ops does not match the valued previously passed to register_security()
105 * an error is returned.  Otherwise the default security options is set to the
106 * the dummy_security_ops structure, and 0 is returned.
107 */
108int unregister_security(struct security_operations *ops)
109{
110	if (ops != security_ops) {
111		printk(KERN_INFO "%s: trying to unregister "
112		       "a security_opts structure that is not "
113		       "registered, failing.\n", __FUNCTION__);
114		return -EINVAL;
115	}
116
117	security_ops = &dummy_security_ops;
118
119	return 0;
120}
121
122/**
123 * mod_reg_security - allows security modules to be "stacked"
124 * @name: a pointer to a string with the name of the security_options to be registered
125 * @ops: a pointer to the struct security_options that is to be registered
126 *
127 * This function allows security modules to be stacked if the currently loaded
128 * security module allows this to happen.  It passes the @name and @ops to the
129 * register_security function of the currently loaded security module.
130 *
131 * The return value depends on the currently loaded security module, with 0 as
132 * success.
133 */
134int mod_reg_security(const char *name, struct security_operations *ops)
135{
136	if (verify(ops)) {
137		printk(KERN_INFO "%s could not verify "
138		       "security operations.\n", __FUNCTION__);
139		return -EINVAL;
140	}
141
142	if (ops == security_ops) {
143		printk(KERN_INFO "%s security operations "
144		       "already registered.\n", __FUNCTION__);
145		return -EINVAL;
146	}
147
148	return security_ops->register_security(name, ops);
149}
150
151/**
152 * mod_unreg_security - allows a security module registered with mod_reg_security() to be unloaded
153 * @name: a pointer to a string with the name of the security_options to be removed
154 * @ops: a pointer to the struct security_options that is to be removed
155 *
156 * This function allows security modules that have been successfully registered
157 * with a call to mod_reg_security() to be unloaded from the system.
158 * This calls the currently loaded security module's unregister_security() call
159 * with the @name and @ops variables.
160 *
161 * The return value depends on the currently loaded security module, with 0 as
162 * success.
163 */
164int mod_unreg_security(const char *name, struct security_operations *ops)
165{
166	if (ops == security_ops) {
167		printk(KERN_INFO "%s invalid attempt to unregister "
168		       " primary security ops.\n", __FUNCTION__);
169		return -EINVAL;
170	}
171
172	return security_ops->unregister_security(name, ops);
173}
174
175EXPORT_SYMBOL_GPL(register_security);
176EXPORT_SYMBOL_GPL(unregister_security);
177EXPORT_SYMBOL_GPL(mod_reg_security);
178EXPORT_SYMBOL_GPL(mod_unreg_security);
179EXPORT_SYMBOL(security_ops);
180