    LSM: Switch to lists of hooks · b1d9e6b0
    Committed by Casey Schaufler
    Instead of using a vector of security operations
    with explicit, special case stacking of the capability
    and yama hooks use lists of hooks with capability and
    yama hooks included as appropriate.
    
    The security_operations structure is no longer required.
    Instead, there is a union of the function pointers that
    allows all the hooks lists to use a common mechanism for
    list management while retaining typing. Each module
    supplies an array describing the hooks it provides instead
    of a sparsely populated security_operations structure.
    The description includes the element that gets put on
    the hook list, avoiding the issues surrounding individual
    element allocation.
    
    The method for registering security modules is changed to
    reflect the information available. The method for removing
    a module, currently only used by SELinux, has also changed.
    It should be generic now; however, if there are potential
    race conditions based on ordering of hook removal, that needs
    to be addressed by the calling module.
    
    The security hooks are called from the lists and the first
    failure is returned.
    Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
    Acked-by: John Johansen <john.johansen@canonical.com>
    Acked-by: Kees Cook <keescook@chromium.org>
    Acked-by: Paul Moore <paul@paul-moore.com>
    Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
    Acked-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
tomoyo.c 14.5 KB
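
The mechanism the commit message describes, reduced to a user-space C model as an added example; it is not code from this commit or from the kernel. All names here (`hook_fn`, `hook_entry`, `add_hooks`, `delete_hooks`, `HOOK_INIT`, the two hooks and the modules `a` and `b`) are hypothetical, and a singly linked list stands in for the kernel's list type.

```c
#include <errno.h>
#include <string.h>
union hook_fn {                  /* one member per hook: shared node type, typed calls */
    int (*file_open)(const char *path);
    int (*task_kill)(int pid, int sig);
};
struct hook_entry {              /* list element embedded in the module's own array */
    struct hook_entry *next;
    struct hook_entry **head;    /* the hook list this entry goes on */
    union hook_fn hook;
};
static struct hook_entry *file_open_hooks, *task_kill_hooks;
#define HOOK_INIT(NAME, FN) { .head = &NAME##_hooks, .hook = { .NAME = (FN) } }
/* Append at the tail so registration order is call order; nothing is allocated. */
static void add_hooks(struct hook_entry *h, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        struct hook_entry **pp = h[i].head;
        while (*pp)
            pp = &(*pp)->next;
        h[i].next = NULL;
        *pp = &h[i];
    }
}
/* Unlink a module's entries; ordering races are left to the calling module. */
static void delete_hooks(struct hook_entry *h, size_t n)
{
    for (size_t i = 0; i < n; i++)
        for (struct hook_entry **pp = h[i].head; *pp; pp = &(*pp)->next)
            if (*pp == &h[i]) { *pp = h[i].next; break; }
}
/* Call each hook on the list in order; the first failure is returned. */
static int security_file_open(const char *path)
{
    int rc = 0;
    for (struct hook_entry *e = file_open_hooks; e && !rc; e = e->next)
        rc = e->hook.file_open(path);
    return rc;
}
/* Two constructed modules that both object to the same path (sample policy). */
static int a_open(const char *p) { return strcmp(p, "/etc/shadow") ? 0 : -EPERM; }
static int a_kill(int pid, int sig) { (void)sig; return pid == 1 ? -EPERM : 0; }
static int b_open(const char *p) { return strncmp(p, "/etc/", 5) ? 0 : -EACCES; }
static struct hook_entry mod_a[] = { HOOK_INIT(file_open, a_open), HOOK_INIT(task_kill, a_kill) };
static struct hook_entry mod_b[] = { HOOK_INIT(file_open, b_open) };
int main(void)
{
    add_hooks(mod_a, 2); add_hooks(mod_b, 1); delete_hooks(mod_a, 2);
    return security_file_open("/etc/shadow") == -EACCES ? 0 : 1;
}
```

While both modules are registered, module `a`'s `-EPERM` is what the caller sees for `/etc/shadow` because it sits first on the list; once `a` is removed, module `b`'s `-EACCES` takes over.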