author | Karol Lewandowski <k.lewandowsk@samsung.com> | 2016-06-23 15:02:50 +0200 |
---|---|---|
committer | Seung-Woo Kim <sw0312.kim@samsung.com> | 2016-12-14 13:52:20 +0900 |
commit | 6d83e3d703f7464ccd12b78c5b3e9041be24ea8c (patch) | |
tree | 091ce555339a4dac9a7acfc14c618a27d338a478 /security | |
parent | c170bbb6cff411fb98f5624bde8e227fa32fcdc5 (diff) |
kdbus: Remove kdbus Linux Security Module hooks
This commit removes support for the kdbus LSM hooks, as policy decisions
are handled solely by userspace (the libdbuspolicy library). This commit
reverts the following commits:
- 802de9506 ("lsm: smack: smack callbacks for kdbus security hooks")
- f13b7e7bd ("kdbus: use LSM hooks in kdbus code")
- 067afa709 ("lsm: smack: Make ipc/kdbus includes visible so smack callbacks could see them")
- 442f047fd ("lsm: make security_file_receive available for external modules")
- 3b556db4b ("lsm: kdbus security hooks")
Change-Id: Iae90cdb9577a9e706288b28d70bd57574398276e
Signed-off-by: Karol Lewandowski <k.lewandowsk@samsung.com>
Signed-off-by: Seung-Woo Kim <sw0312.kim@samsung.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/capability.c | 24 | ||||
-rw-r--r-- | security/security.c | 24 | ||||
-rw-r--r-- | security/smack/Makefile | 2 | ||||
-rw-r--r-- | security/smack/smack_lsm.c | 61 |
4 files changed, 0 insertions, 111 deletions
diff --git a/security/capability.c b/security/capability.c
index 4b01edd1755d..0d03fcc489a4 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -595,25 +595,6 @@ static int cap_sem_semop(struct sem_array *sma, struct sembuf *sops,
 return 0;
 }
-#ifdef CONFIG_KDBUS
-
-static int cap_kdbus_conn_alloc(struct kdbus_conn *conn)
-{
- return 0;
-}
-
-static void cap_kdbus_conn_free(struct kdbus_conn *conn)
-{
-}
-
-static int cap_kdbus_talk(const struct kdbus_conn *src,
- const struct kdbus_conn *dst)
-{
- return 0;
-}
-
-#endif /* CONFIG_KDBUS */
-
 #ifdef CONFIG_SECURITY_NETWORK
 static int cap_unix_stream_connect(struct sock *sock, struct sock *other,
 struct sock *newsk)
@@ -1111,11 +1092,6 @@ void __init security_fixup_ops(struct security_operations *ops)
 set_to_cap_if_null(ops, inode_notifysecctx);
 set_to_cap_if_null(ops, inode_setsecctx);
 set_to_cap_if_null(ops, inode_getsecctx);
-#ifdef CONFIG_KDBUS
- set_to_cap_if_null(ops, kdbus_conn_alloc);
- set_to_cap_if_null(ops, kdbus_conn_free);
- set_to_cap_if_null(ops, kdbus_talk);
-#endif /* CONFIG_KDBUS */
 #ifdef CONFIG_SECURITY_NETWORK
 set_to_cap_if_null(ops, unix_stream_connect);
 set_to_cap_if_null(ops, unix_may_send);
diff --git a/security/security.c b/security/security.c
index f24430258b34..8e9b1f4b9b45 100644
--- a/security/security.c
+++ b/security/security.c
@@ -812,7 +812,6 @@ int security_file_receive(struct file *file)
 {
 return security_ops->file_receive(file);
 }
-EXPORT_SYMBOL(security_file_receive);
 int security_file_open(struct file *file, const struct cred *cred)
 {
@@ -1153,29 +1152,6 @@ int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
 }
 EXPORT_SYMBOL(security_inode_getsecctx);
-#ifdef CONFIG_KDBUS
-
-int security_kdbus_conn_alloc(struct kdbus_conn *conn)
-{
- return security_ops->kdbus_conn_alloc(conn);
-}
-EXPORT_SYMBOL(security_kdbus_conn_alloc);
-
-void security_kdbus_conn_free(struct kdbus_conn *conn)
-{
- security_ops->kdbus_conn_free(conn);
-}
-EXPORT_SYMBOL(security_kdbus_conn_free);
-
-int security_kdbus_talk(const struct kdbus_conn *src,
- const struct kdbus_conn *dst)
-{
- return security_ops->kdbus_talk(src, dst);
-}
-EXPORT_SYMBOL(security_kdbus_talk);
-
-#endif /* CONFIG_KDBUS */
-
 #ifdef CONFIG_SECURITY_NETWORK
 int security_unix_stream_connect(struct sock *sock, struct sock *other, struct sock *newsk)
diff --git a/security/smack/Makefile b/security/smack/Makefile
index bd6927c3459d..ee2ebd504541 100644
--- a/security/smack/Makefile
+++ b/security/smack/Makefile
@@ -6,5 +6,3 @@ obj-$(CONFIG_SECURITY_SMACK) := smack.o
 smack-y := smack_lsm.o smack_access.o smackfs.o
 smack-$(CONFIG_SECURITY_SMACK_NETFILTER) += smack_netfilter.o
-
-ccflags-y += -Iipc
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 64c6ece64133..8f8cdbd46717 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -42,7 +42,6 @@
 #include <linux/shm.h>
 #include <linux/binfmts.h>
 #include <linux/parser.h>
-#include <kdbus/connection.h>
 #include "smack.h"
 #define TRANS_TRUE "TRUE"
@@ -3626,60 +3625,6 @@ static int smack_setprocattr(struct task_struct *p, char *name,
 return size;
 }
-#ifdef CONFIG_KDBUS
-
-/**
- * smack_kdbus_conn_alloc - Set the security blob for a KDBus connection
- * @conn: the connection
- *
- * Returns 0
- */
-static int smack_kdbus_conn_alloc(struct kdbus_conn *conn)
-{
- conn->security = smk_of_current();
-
- return 0;
-}
-
-/**
- * smack_kdbus_conn_free - Clear the security blob for a KDBus connection
- * @conn: the connection
- *
- * Clears the blob pointer
- */
-static void smack_kdbus_conn_free(struct kdbus_conn *conn)
-{
- conn->security = NULL;
-}
-
-/**
- * smack_kdbus_talk - Smack access on KDBus
- * @src: source kdbus connection
- * @dst: destination kdbus connection
- *
- * Return 0 if a subject with the smack of sock could access
- * an object with the smack of other, otherwise an error code
- */
-static int smack_kdbus_talk(const struct kdbus_conn *src,
- const struct kdbus_conn *dst)
-{
- struct smk_audit_info ad;
- struct smack_known *sskp = src->security;
- struct smack_known *dskp = dst->security;
- int rc;
-
- if (smack_privileged(CAP_MAC_OVERRIDE))
- return 0;
-
- smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NONE);
-
- rc = smk_access(sskp, dskp, MAY_WRITE, &ad);
- rc = smk_bu_note("kdbus talk", sskp, dskp, MAY_WRITE, rc);
- return rc;
-}
-
-#endif /* CONFIG_KDBUS */
-
 /**
 * smack_unix_stream_connect - Smack access on UDS
 * @sock: one sock
@@ -4701,12 +4646,6 @@ struct security_operations smack_ops = {
 .getprocattr = smack_getprocattr,
 .setprocattr = smack_setprocattr,
-#ifdef CONFIG_KDBUS
- .kdbus_conn_alloc = smack_kdbus_conn_alloc,
- .kdbus_conn_free = smack_kdbus_conn_free,
- .kdbus_talk = smack_kdbus_talk,
-#endif
-
 .unix_stream_connect = smack_unix_stream_connect,
 .unix_may_send = smack_unix_may_send, |