aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJames Morris2007-10-17 01:31:32 -0500
committerLinus Torvalds2007-10-17 10:43:07 -0500
commit20510f2f4e2dabb0ff6c13901807627ec9452f98 (patch)
treed64b9eeb90d577f7f9688a215c4c6c3c2405188a /security/Kconfig
parent5c3b447457789374cdb7b03afe2540d48c649a36 (diff)
downloadam43-linux-kernel-20510f2f4e2dabb0ff6c13901807627ec9452f98.tar.gz
am43-linux-kernel-20510f2f4e2dabb0ff6c13901807627ec9452f98.tar.xz
am43-linux-kernel-20510f2f4e2dabb0ff6c13901807627ec9452f98.zip
security: Convert LSM into a static interface
Convert LSM into a static interface, as the ability to unload a security module is not required by in-tree users and potentially complicates the overall security architecture. Needlessly exported LSM symbols have been unexported, to help reduce API abuse. Parameters for the capability and root_plug modules are now specified at boot. The SECURITY_FRAMEWORK_VERSION macro has also been removed. In a nutshell, there is no safe way to unload an LSM. The modular interface is thus unecessary and broken infrastructure. It is used only by out-of-tree modules, which are often binary-only, illegal, abusive of the API and dangerous, e.g. silently re-vectoring SELinux. [akpm@linux-foundation.org: cleanups] [akpm@linux-foundation.org: USB Kconfig fix] [randy.dunlap@oracle.com: fix LSM kernel-doc] Signed-off-by: James Morris <jmorris@namei.org> Acked-by: Chris Wright <chrisw@sous-sol.org> Cc: Stephen Smalley <sds@tycho.nsa.gov> Cc: "Serge E. Hallyn" <serue@us.ibm.com> Acked-by: Arjan van de Ven <arjan@infradead.org> Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'security/Kconfig')
-rw-r--r--security/Kconfig6
1 files changed, 3 insertions, 3 deletions
diff --git a/security/Kconfig b/security/Kconfig
index 460e5c9cf49..a94ee94cf49 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -74,15 +74,15 @@ config SECURITY_NETWORK_XFRM
74 If you are unsure how to answer this question, answer N. 74 If you are unsure how to answer this question, answer N.
75 75
76config SECURITY_CAPABILITIES 76config SECURITY_CAPABILITIES
77 tristate "Default Linux Capabilities" 77 bool "Default Linux Capabilities"
78 depends on SECURITY 78 depends on SECURITY
79 help 79 help
80 This enables the "default" Linux capabilities functionality. 80 This enables the "default" Linux capabilities functionality.
81 If you are unsure how to answer this question, answer Y. 81 If you are unsure how to answer this question, answer Y.
82 82
83config SECURITY_ROOTPLUG 83config SECURITY_ROOTPLUG
84 tristate "Root Plug Support" 84 bool "Root Plug Support"
85 depends on USB && SECURITY 85 depends on USB=y && SECURITY
86 help 86 help
87 This is a sample LSM module that should only be used as such. 87 This is a sample LSM module that should only be used as such.
88 It prevents any programs running with egid == 0 if a specific 88 It prevents any programs running with egid == 0 if a specific