security: remove register_security hook
The register security hook is no longer required, as the capability
module is always registered. LSMs wishing to stack capability as
a secondary module should do so explicitly.
Signed-off-by: James Morris <jmorris@namei.org>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Acked-by: Greg Kroah-Hartman <gregkh@suse.de>
diff --git a/include/linux/security.h b/include/linux/security.h
index 43c6357..31c8851 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1239,11 +1239,6 @@
* @pages contains the number of pages.
* Return 0 if permission is granted.
*
- * @register_security:
- * allow module stacking.
- * @name contains the name of the security module being stacked.
- * @ops contains a pointer to the struct security_operations of the module to stack.
- *
* @secid_to_secctx:
* Convert secid to security context.
* @secid contains the security ID.
@@ -1471,10 +1466,6 @@
int (*netlink_send) (struct sock *sk, struct sk_buff *skb);
int (*netlink_recv) (struct sk_buff *skb, int cap);
- /* allow module stacking */
- int (*register_security) (const char *name,
- struct security_operations *ops);
-
void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
int (*getprocattr) (struct task_struct *p, char *name, char **value);
@@ -1564,7 +1555,6 @@
extern int security_init(void);
extern int security_module_enable(struct security_operations *ops);
extern int register_security(struct security_operations *ops);
-extern int mod_reg_security(const char *name, struct security_operations *ops);
extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
struct dentry *parent, void *data,
const struct file_operations *fops);
diff --git a/security/capability.c b/security/capability.c
index 6e0671c..5b01c0b 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -721,12 +721,6 @@
}
#endif /* CONFIG_SECURITY_NETWORK_XFRM */
-static int cap_register_security(const char *name,
- struct security_operations *ops)
-{
- return -EINVAL;
-}
-
static void cap_d_instantiate(struct dentry *dentry, struct inode *inode)
{
}
@@ -940,7 +934,6 @@
set_to_cap_if_null(ops, sem_semop);
set_to_cap_if_null(ops, netlink_send);
set_to_cap_if_null(ops, netlink_recv);
- set_to_cap_if_null(ops, register_security);
set_to_cap_if_null(ops, d_instantiate);
set_to_cap_if_null(ops, getprocattr);
set_to_cap_if_null(ops, setprocattr);
diff --git a/security/root_plug.c b/security/root_plug.c
index a41cf42..be0ebec 100644
--- a/security/root_plug.c
+++ b/security/root_plug.c
@@ -28,9 +28,6 @@
#include <linux/usb.h>
#include <linux/moduleparam.h>
-/* flag to keep track of how we were registered */
-static int secondary;
-
/* default is a generic type of usb to serial converter */
static int vendor_id = 0x0557;
static int product_id = 0x2008;
@@ -97,13 +94,7 @@
if (register_security (&rootplug_security_ops)) {
printk (KERN_INFO
"Failure registering Root Plug module with the kernel\n");
- /* try registering with primary module */
- if (mod_reg_security (MY_NAME, &rootplug_security_ops)) {
- printk (KERN_INFO "Failure registering Root Plug "
- " module with primary security module.\n");
return -EINVAL;
- }
- secondary = 1;
}
printk (KERN_INFO "Root Plug module initialized, "
"vendor_id = %4.4x, product id = %4.4x\n", vendor_id, product_id);
diff --git a/security/security.c b/security/security.c
index 30b0278..59f23b5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -125,35 +125,6 @@
return 0;
}
-/**
- * mod_reg_security - allows security modules to be "stacked"
- * @name: a pointer to a string with the name of the security_options to be registered
- * @ops: a pointer to the struct security_options that is to be registered
- *
- * This function allows security modules to be stacked if the currently loaded
- * security module allows this to happen. It passes the @name and @ops to the
- * register_security function of the currently loaded security module.
- *
- * The return value depends on the currently loaded security module, with 0 as
- * success.
- */
-int mod_reg_security(const char *name, struct security_operations *ops)
-{
- if (verify(ops)) {
- printk(KERN_INFO "%s could not verify "
- "security operations.\n", __func__);
- return -EINVAL;
- }
-
- if (ops == security_ops) {
- printk(KERN_INFO "%s security operations "
- "already registered.\n", __func__);
- return -EINVAL;
- }
-
- return security_ops->register_security(name, ops);
-}
-
/* Security operations */
int security_ptrace(struct task_struct *parent, struct task_struct *child,
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 745a69e..91200fe 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -126,13 +126,11 @@
int selinux_enabled = 1;
#endif
-/* Original (dummy) security module. */
-static struct security_operations *original_ops;
-/* Minimal support for a secondary security module,
- just to allow the use of the dummy or capability modules.
- The owlsm module can alternatively be used as a secondary
- module as long as CONFIG_OWLSM_FD is not enabled. */
+/*
+ * Minimal support for a secondary security module,
+ * just to allow the use of the capability module.
+ */
static struct security_operations *secondary_ops;
/* Lists of inode and superblock security structures initialized
@@ -5115,24 +5113,6 @@
*secid = isec->sid;
}
-/* module stacking operations */
-static int selinux_register_security(const char *name, struct security_operations *ops)
-{
- if (secondary_ops != original_ops) {
- printk(KERN_ERR "%s: There is already a secondary security "
- "module registered.\n", __func__);
- return -EINVAL;
- }
-
- secondary_ops = ops;
-
- printk(KERN_INFO "%s: Registering secondary module %s\n",
- __func__,
- name);
-
- return 0;
-}
-
static void selinux_d_instantiate(struct dentry *dentry, struct inode *inode)
{
if (inode)
@@ -5517,8 +5497,6 @@
.sem_semctl = selinux_sem_semctl,
.sem_semop = selinux_sem_semop,
- .register_security = selinux_register_security,
-
.d_instantiate = selinux_d_instantiate,
.getprocattr = selinux_getprocattr,
@@ -5612,7 +5590,7 @@
0, SLAB_PANIC, NULL);
avc_init();
- original_ops = secondary_ops = security_ops;
+ secondary_ops = security_ops;
if (!secondary_ops)
panic("SELinux: No initial security operations\n");
if (register_security(&selinux_ops))
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 3c7150b..ee5a51c 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -1822,27 +1822,6 @@
*secid = smack_to_secid(smack);
}
-/* module stacking operations */
-
-/**
- * smack_register_security - stack capability module
- * @name: module name
- * @ops: module operations - ignored
- *
- * Allow the capability module to register.
- */
-static int smack_register_security(const char *name,
- struct security_operations *ops)
-{
- if (strcmp(name, "capability") != 0)
- return -EINVAL;
-
- printk(KERN_INFO "%s: Registering secondary module %s\n",
- __func__, name);
-
- return 0;
-}
-
/**
* smack_d_instantiate - Make sure the blob is correct on an inode
* @opt_dentry: unused
@@ -2673,8 +2652,6 @@
.netlink_send = cap_netlink_send,
.netlink_recv = cap_netlink_recv,
- .register_security = smack_register_security,
-
.d_instantiate = smack_d_instantiate,
.getprocattr = smack_getprocattr,