Commit 01db63f2 authored by Andrew Morton's avatar Andrew Morton Committed by Linus Torvalds

[PATCH] security: add disable param to capabilities module

From: Chris Wright <chrisw@osdl.org>

Add disable param to capabilities module.  Similar to the SELinux param for
disabling at boot time.  This allows vendors to ship a single binary image with
capabilities compiled statically, and disable it if they provide another
security model compiled as a module.
parent b2768587
...@@ -22,6 +22,7 @@ ...@@ -22,6 +22,7 @@
#include <linux/skbuff.h> #include <linux/skbuff.h>
#include <linux/netlink.h> #include <linux/netlink.h>
#include <linux/ptrace.h> #include <linux/ptrace.h>
#include <linux/moduleparam.h>
static struct security_operations capability_ops = { static struct security_operations capability_ops = {
.ptrace = cap_ptrace, .ptrace = cap_ptrace,
...@@ -52,9 +53,16 @@ static struct security_operations capability_ops = { ...@@ -52,9 +53,16 @@ static struct security_operations capability_ops = {
/* flag to keep track of how we were registered */ /* flag to keep track of how we were registered */
static int secondary; static int secondary;
static int capability_disable;
module_param_named(disable, capability_disable, int, 0);
MODULE_PARM_DESC(disable, "To disable capabilities module set disable = 1");
static int __init capability_init (void) static int __init capability_init (void)
{ {
if (capability_disable) {
printk(KERN_INFO "Capabilities disabled at initialization\n");
return 0;
}
/* register ourselves with the security framework */ /* register ourselves with the security framework */
if (register_security (&capability_ops)) { if (register_security (&capability_ops)) {
/* try registering with primary module */ /* try registering with primary module */
...@@ -72,6 +80,8 @@ static int __init capability_init (void) ...@@ -72,6 +80,8 @@ static int __init capability_init (void)
static void __exit capability_exit (void) static void __exit capability_exit (void)
{ {
if (capability_disable)
return;
/* remove ourselves from the security framework */ /* remove ourselves from the security framework */
if (secondary) { if (secondary) {
if (mod_unreg_security (MY_NAME, &capability_ops)) if (mod_unreg_security (MY_NAME, &capability_ops))
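Review bot: The new early return in `capability_init` returns 0 before `register_security` is called, so with `disable` set this module installs none of its hooks and the only trace is a single `KERN_INFO` line. Whatever enforces privilege checks from then on depends on code outside this diff (presumably the framework default until another module registers), and that deserves a comment at the `capability_disable` declaration so nobody sets the parameter without shipping the replacement model. The matching early return in `capability_exit` is only correct while the flag cannot change after init, which the permission `0` in `module_param_named` currently guarantees. I would record that next to the declaration, e.g. `/* load/boot-time only (perm 0): capability_exit() assumes this still matches what capability_init() did */`. The description could also say that any non-zero value disables, since the test is `if (capability_disable)`; both function bodies continue outside the hunks shown.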
......