security/seclvl.c

   1 /**
   2  * BSD Secure Levels LSM
   3  *
   4  * Maintainers:
   5  *      Michael A. Halcrow <mike@halcrow.us>
   6  *      Serge Hallyn <hallyn@cs.wm.edu>
   7  *
   8  * Copyright (c) 2001 WireX Communications, Inc <chris@wirex.com>
   9  * Copyright (c) 2001 Greg Kroah-Hartman <greg@kroah.com>
  10  * Copyright (c) 2002 International Business Machines <robb@austin.ibm.com>
  11  *
  12  *      This program is free software; you can redistribute it and/or modify
  13  *      it under the terms of the GNU General Public License as published by
  14  *      the Free Software Foundation; either version 2 of the License, or
  15  *      (at your option) any later version.
  16  */
  17
  18 #include <linux/config.h>
  19 #include <linux/module.h>
  20 #include <linux/moduleparam.h>
  21 #include <linux/kernel.h>
  22 #include <linux/init.h>
  23 #include <linux/security.h>
  24 #include <linux/netlink.h>
  25 #include <linux/fs.h>
  26 #include <linux/namei.h>
  27 #include <linux/mount.h>
  28 #include <linux/capability.h>
  29 #include <linux/time.h>
  30 #include <linux/proc_fs.h>
  31 #include <linux/kobject.h>
  32 #include <linux/crypto.h>
  33 #include <asm/scatterlist.h>
  34 #include <linux/gfp.h>
  35 #include <linux/sysfs.h>
  36
  37 #define SHA1_DIGEST_SIZE 20
  38
  39 /**
  40  * Module parameter that defines the initial secure level.
  41  *
  42  * When built as a module, it defaults to seclvl 1, which is the
  43  * behavior of BSD secure levels.  Note that this default behavior
  44  * wrecks havoc on a machine when the seclvl module is compiled into
  45  * the kernel.  In that case, we default to seclvl 0.
  46  */
  47 #ifdef CONFIG_SECURITY_SECLVL_MODULE
  48 static int initlvl = 1;
  49 #else
  50 static int initlvl;
  51 #endif
  52 module_param(initlvl, int, 0);
  53 MODULE_PARM_DESC(initlvl, "Initial secure level (defaults to 1)");
  54
  55 /* Module parameter that defines the verbosity level */
  56 static int verbosity;
  57 module_param(verbosity, int, 0);
  58 MODULE_PARM_DESC(verbosity, "Initial verbosity level (0 or 1; defaults to "
  59                  "0, which is Quiet)");
  60
  61 /**
  62  * Optional password which can be passed in to bring seclvl to 0
  63  * (i.e., for halt/reboot).  Defaults to NULL (the passwd attribute
  64  * file will not be registered in sysfs).
  65  *
  66  * This gets converted to its SHA1 hash when stored.  It's probably
  67  * not a good idea to use this parameter when loading seclvl from a
  68  * script; use sha1_passwd instead.
  69  */
  70
  71 #define MAX_PASSWD_SIZE 32
  72 static char passwd[MAX_PASSWD_SIZE];
  73 module_param_string(passwd, passwd, sizeof(passwd), 0);
  74 MODULE_PARM_DESC(passwd,
  75                  "Plaintext of password that sets seclvl=0 when written to "
  76                  "(sysfs mount point)/seclvl/passwd\n");
  77
  78 /**
  79  * SHA1 hashed version of the optional password which can be passed in
  80  * to bring seclvl to 0 (i.e., for halt/reboot).  Must be in
  81  * hexadecimal format (40 characters).  Defaults to NULL (the passwd
  82  * attribute file will not be registered in sysfs).
  83  *
  84  * Use the sha1sum utility to generate the SHA1 hash of a password:
  85  *
  86  * echo -n "secret" | sha1sum
  87  */
  88 #define MAX_SHA1_PASSWD 41
  89 static char sha1_passwd[MAX_SHA1_PASSWD];
  90 module_param_string(sha1_passwd, sha1_passwd, sizeof(sha1_passwd), 0);
  91 MODULE_PARM_DESC(sha1_passwd,
  92                  "SHA1 hash (40 hexadecimal characters) of password that "
  93                  "sets seclvl=0 when plaintext password is written to "
  94                  "(sysfs mount point)/seclvl/passwd\n");
  95
  96 static int hideHash = 1;
  97 module_param(hideHash, int, 0);
  98 MODULE_PARM_DESC(hideHash, "When set to 0, reading seclvl/passwd from sysfs "
  99                  "will return the SHA1-hashed value of the password that "
 100                  "lowers the secure level to 0.\n");
 101
 102 #define MY_NAME "seclvl"
 103
 104 /**
 105  * This time-limits log writes to one per second.
 106  */
 107 #define seclvl_printk(verb, type, fmt, arg...)                  \
 108         do {                                                    \
 109                 if (verbosity >= verb) {                        \
 110                         static unsigned long _prior;            \
 111                         unsigned long _now = jiffies;           \
 112                         if ((_now - _prior) > HZ) {             \
 113                                 printk(type "%s: %s: " fmt,     \
 114                                         MY_NAME, __FUNCTION__ , \
 115                                         ## arg);                \
 116                                 _prior = _now;                  \
 117                         }                                       \
 118                 }                                               \
 119         } while (0)
 120
 121 /**
 122  * The actual security level.  Ranges between -1 and 2 inclusive.
 123  */
 124 static int seclvl;
 125
 126 /**
 127  * flag to keep track of how we were registered
 128  */
 129 static int secondary;
 130
 131 /**
 132  * Verifies that the requested secure level is valid, given the current
 133  * secure level.
 134  */
 135 static int seclvl_sanity(int reqlvl)
 136 {
 137         if ((reqlvl < -1) || (reqlvl > 2)) {
 138                 seclvl_printk(1, KERN_WARNING, "Attempt to set seclvl out of "
 139                               "range: [%d]\n", reqlvl);
 140                 return -EINVAL;
 141         }
 142         if ((seclvl == 0) && (reqlvl == -1))
 143                 return 0;
 144         if (reqlvl < seclvl) {
 145                 seclvl_printk(1, KERN_WARNING, "Attempt to lower seclvl to "
 146                               "[%d]\n", reqlvl);
 147                 return -EPERM;
 148         }
 149         return 0;
 150 }
 151
 152 /**
 153  * security level advancement rules:
 154  *   Valid levels are -1 through 2, inclusive.
 155  *   From -1, stuck.  [ in case compiled into kernel ]
 156  *   From 0 or above, can only increment.
 157  */
 158 static void do_seclvl_advance(void *data, u64 val)
 159 {
 160         int ret;
 161         int newlvl = (int)val;
 162
 163         ret = seclvl_sanity(newlvl);
 164         if (ret)
 165                 return;
 166
 167         if (newlvl > 2) {
 168                 seclvl_printk(1, KERN_WARNING, "Cannot advance to seclvl "
 169                               "[%d]\n", newlvl);
 170                 return;
 171         }
 172         if (seclvl == -1) {
 173                 seclvl_printk(1, KERN_WARNING, "Not allowed to advance to "
 174                               "seclvl [%d]\n", seclvl);
 175                 return;
 176         }
 177         seclvl = newlvl;  /* would it be more "correct" to set *data? */
 178         return;
 179 }
 180
 181 static u64 seclvl_int_get(void *data)
 182 {
 183         return *(int *)data;
 184 }
 185
 186 DEFINE_SIMPLE_ATTRIBUTE(seclvl_file_ops, seclvl_int_get, do_seclvl_advance, "%lld\n");
 187
 188 static unsigned char hashedPassword[SHA1_DIGEST_SIZE];
 189
 190 /**
 191  * Converts a block of plaintext of into its SHA1 hashed value.
 192  *
 193  * It would be nice if crypto had a wrapper to do this for us linear
 194  * people...
 195  */
 196 static int
 197 plaintext_to_sha1(unsigned char *hash, const char *plaintext, int len)
 198 {
 199         char *pgVirtAddr;
 200         struct crypto_tfm *tfm;
 201         struct scatterlist sg[1];
 202         if (len > PAGE_SIZE) {
 203                 seclvl_printk(0, KERN_ERR, "Plaintext password too large (%d "
 204                               "characters).  Largest possible is %lu "
 205                               "bytes.\n", len, PAGE_SIZE);
 206                 return -ENOMEM;
 207         }
 208         tfm = crypto_alloc_tfm("sha1", CRYPTO_TFM_REQ_MAY_SLEEP);
 209         if (tfm == NULL) {
 210                 seclvl_printk(0, KERN_ERR,
 211                               "Failed to load transform for SHA1\n");
 212                 return -ENOSYS;
 213         }
 214         // Just get a new page; don't play around with page boundaries
 215         // and scatterlists.
 216         pgVirtAddr = (char *)__get_free_page(GFP_KERNEL);
 217         sg[0].page = virt_to_page(pgVirtAddr);
 218         sg[0].offset = 0;
 219         sg[0].length = len;
 220         strncpy(pgVirtAddr, plaintext, len);
 221         crypto_digest_init(tfm);
 222         crypto_digest_update(tfm, sg, 1);
 223         crypto_digest_final(tfm, hash);
 224         crypto_free_tfm(tfm);
 225         free_page((unsigned long)pgVirtAddr);
 226         return 0;
 227 }
 228
 229 /**
 230  * Called whenever the user writes to the sysfs passwd handle to this kernel
 231  * object.  It hashes the password and compares the hashed results.
 232  */
 233 static ssize_t
 234 passwd_write_file(struct file * file, const char __user * buf,
 235                                 size_t count, loff_t *ppos)
 236 {
 237         int i;
 238         unsigned char tmp[SHA1_DIGEST_SIZE];
 239         char *page;
 240         int rc;
 241         int len;
 242
 243         if (!*passwd && !*sha1_passwd) {
 244                 seclvl_printk(0, KERN_ERR, "Attempt to password-unlock the "
 245                               "seclvl module, but neither a plain text "
 246                               "password nor a SHA1 hashed password was "
 247                               "passed in as a module parameter!  This is a "
 248                               "bug, since it should not be possible to be in "
 249                               "this part of the module; please tell a "
 250                               "maintainer about this event.\n");
 251                 return -EINVAL;
 252         }
 253
 254         if (count < 0 || count >= PAGE_SIZE)
 255                 return -ENOMEM;
 256         if (*ppos != 0) {
 257                 return -EINVAL;
 258         }
 259         page = (char *)get_zeroed_page(GFP_KERNEL);
 260         if (!page)
 261                 return -ENOMEM;
 262         len = -EFAULT;
 263         if (copy_from_user(page, buf, count))
 264                 goto out;
 265
 266         len = strlen(page);
 267         /* ``echo "secret" > seclvl/passwd'' includes a newline */
 268         if (page[len - 1] == '\n') {
 269                 len--;
 270         }
 271         /* Hash the password, then compare the hashed values */
 272         if ((rc = plaintext_to_sha1(tmp, page, len))) {
 273                 seclvl_printk(0, KERN_ERR, "Error hashing password: rc = "
 274                               "[%d]\n", rc);
 275                 return rc;
 276         }
 277         for (i = 0; i < SHA1_DIGEST_SIZE; i++) {
 278                 if (hashedPassword[i] != tmp[i]) {
 279                         return -EPERM;
 280                 }
 281         }
 282         seclvl_printk(0, KERN_INFO,
 283                       "Password accepted; seclvl reduced to 0.\n");
 284         seclvl = 0;
 285         len = count;
 286
 287 out:
 288         free_page((unsigned long)page);
 289         return len;
 290 }
 291
 292 static struct file_operations passwd_file_ops = {
 293         .write = passwd_write_file,
 294 };
 295
 296 /**
 297  * Explicitely disallow ptrace'ing the init process.
 298  */
 299 static int seclvl_ptrace(struct task_struct *parent, struct task_struct *child)
 300 {
 301         if (seclvl >= 0) {
 302                 if (child->pid == 1) {
 303                         seclvl_printk(1, KERN_WARNING, "Attempt to ptrace "
 304                                       "the init process dissallowed in "
 305                                       "secure level %d\n", seclvl);
 306                         return -EPERM;
 307                 }
 308         }
 309         return 0;
 310 }
 311
 312 /**
 313  * Capability checks for seclvl.  The majority of the policy
 314  * enforcement for seclvl takes place here.
 315  */
 316 static int seclvl_capable(struct task_struct *tsk, int cap)
 317 {
 318         /* init can do anything it wants */
 319         if (tsk->pid == 1)
 320                 return 0;
 321
 322         switch (seclvl) {
 323         case 2:
 324                 /* fall through */
 325         case 1:
 326                 if (cap == CAP_LINUX_IMMUTABLE) {
 327                         seclvl_printk(1, KERN_WARNING, "Attempt to modify "
 328                                       "the IMMUTABLE and/or APPEND extended "
 329                                       "attribute on a file with the IMMUTABLE "
 330                                       "and/or APPEND extended attribute set "
 331                                       "denied in seclvl [%d]\n", seclvl);
 332                         return -EPERM;
 333                 } else if (cap == CAP_SYS_RAWIO) {      // Somewhat broad...
 334                         seclvl_printk(1, KERN_WARNING, "Attempt to perform "
 335                                       "raw I/O while in secure level [%d] "
 336                                       "denied\n", seclvl);
 337                         return -EPERM;
 338                 } else if (cap == CAP_NET_ADMIN) {
 339                         seclvl_printk(1, KERN_WARNING, "Attempt to perform "
 340                                       "network administrative task while "
 341                                       "in secure level [%d] denied\n", seclvl);
 342                         return -EPERM;
 343                 } else if (cap == CAP_SETUID) {
 344                         seclvl_printk(1, KERN_WARNING, "Attempt to setuid "
 345                                       "while in secure level [%d] denied\n",
 346                                       seclvl);
 347                         return -EPERM;
 348                 } else if (cap == CAP_SETGID) {
 349                         seclvl_printk(1, KERN_WARNING, "Attempt to setgid "
 350                                       "while in secure level [%d] denied\n",
 351                                       seclvl);
 352                 } else if (cap == CAP_SYS_MODULE) {
 353                         seclvl_printk(1, KERN_WARNING, "Attempt to perform "
 354                                       "a module operation while in secure "
 355                                       "level [%d] denied\n", seclvl);
 356                         return -EPERM;
 357                 }
 358                 break;
 359         default:
 360                 break;
 361         }
 362         /* from dummy.c */
 363         if (cap_is_fs_cap(cap) ? tsk->fsuid == 0 : tsk->euid == 0)
 364                 return 0;       /* capability granted */
 365         seclvl_printk(1, KERN_WARNING, "Capability denied\n");
 366         return -EPERM;          /* capability denied */
 367 }
 368
 369 /**
 370  * Disallow reversing the clock in seclvl > 1
 371  */
 372 static int seclvl_settime(struct timespec *tv, struct timezone *tz)
 373 {
 374         struct timespec now;
 375         if (seclvl > 1) {
 376                 now = current_kernel_time();
 377                 if (tv->tv_sec < now.tv_sec ||
 378                     (tv->tv_sec == now.tv_sec && tv->tv_nsec < now.tv_nsec)) {
 379                         seclvl_printk(1, KERN_WARNING, "Attempt to decrement "
 380                                       "time in secure level %d denied: "
 381                                       "current->pid = [%d], "
 382                                       "current->group_leader->pid = [%d]\n",
 383                                       seclvl, current->pid,
 384                                       current->group_leader->pid);
 385                         return -EPERM;
 386                 }               /* if attempt to decrement time */
 387         }                       /* if seclvl > 1 */
 388         return 0;
 389 }
 390
 391 /* claim the blockdev to exclude mounters, release on file close */
 392 static int seclvl_bd_claim(struct inode *inode)
 393 {
 394         int holder;
 395         struct block_device *bdev = NULL;
 396         dev_t dev = inode->i_rdev;
 397         bdev = open_by_devnum(dev, FMODE_WRITE);
 398         if (bdev) {
 399                 if (bd_claim(bdev, &holder)) {
 400                         blkdev_put(bdev);
 401                         return -EPERM;
 402                 }
 403                 /* claimed, mark it to release on close */
 404                 inode->i_security = current;
 405         }
 406         return 0;
 407 }
 408
 409 /* release the blockdev if you claimed it */
 410 static void seclvl_bd_release(struct inode *inode)
 411 {
 412         if (inode && S_ISBLK(inode->i_mode) && inode->i_security == current) {
 413                 struct block_device *bdev = inode->i_bdev;
 414                 if (bdev) {
 415                         bd_release(bdev);
 416                         blkdev_put(bdev);
 417                         inode->i_security = NULL;
 418                 }
 419         }
 420 }
 421
 422 /**
 423  * Security for writes to block devices is regulated by this seclvl
 424  * function.  Deny all writes to block devices in seclvl 2.  In
 425  * seclvl 1, we only deny writes to *mounted* block devices.
 426  */
 427 static int
 428 seclvl_inode_permission(struct inode *inode, int mask, struct nameidata *nd)
 429 {
 430         if (current->pid != 1 && S_ISBLK(inode->i_mode) && (mask & MAY_WRITE)) {
 431                 switch (seclvl) {
 432                 case 2:
 433                         seclvl_printk(1, KERN_WARNING, "Write to block device "
 434                                       "denied in secure level [%d]\n", seclvl);
 435                         return -EPERM;
 436                 case 1:
 437                         if (seclvl_bd_claim(inode)) {
 438                                 seclvl_printk(1, KERN_WARNING,
 439                                               "Write to mounted block device "
 440                                               "denied in secure level [%d]\n",
 441                                               seclvl);
 442                                 return -EPERM;
 443                         }
 444                 }
 445         }
 446         return 0;
 447 }
 448
 449 /**
 450  * The SUID and SGID bits cannot be set in seclvl >= 1
 451  */
 452 static int seclvl_inode_setattr(struct dentry *dentry, struct iattr *iattr)
 453 {
 454         if (seclvl > 0) {
 455                 if (iattr->ia_valid & ATTR_MODE)
 456                         if (iattr->ia_mode & S_ISUID ||
 457                             iattr->ia_mode & S_ISGID) {
 458                                 seclvl_printk(1, KERN_WARNING, "Attempt to "
 459                                               "modify SUID or SGID bit "
 460                                               "denied in seclvl [%d]\n",
 461                                               seclvl);
 462                                 return -EPERM;
 463                         }
 464         }
 465         return 0;
 466 }
 467
 468 /* release busied block devices */
 469 static void seclvl_file_free_security(struct file *filp)
 470 {
 471         struct dentry *dentry = filp->f_dentry;
 472         struct inode *inode = NULL;
 473
 474         if (dentry) {
 475                 inode = dentry->d_inode;
 476                 seclvl_bd_release(inode);
 477         }
 478 }
 479
 480 /**
 481  * Cannot unmount in secure level 2
 482  */
 483 static int seclvl_umount(struct vfsmount *mnt, int flags)
 484 {
 485         if (current->pid == 1) {
 486                 return 0;
 487         }
 488         if (seclvl == 2) {
 489                 seclvl_printk(1, KERN_WARNING, "Attempt to unmount in secure "
 490                               "level %d\n", seclvl);
 491                 return -EPERM;
 492         }
 493         return 0;
 494 }
 495
 496 static struct security_operations seclvl_ops = {
 497         .ptrace = seclvl_ptrace,
 498         .capable = seclvl_capable,
 499         .inode_permission = seclvl_inode_permission,
 500         .inode_setattr = seclvl_inode_setattr,
 501         .file_free_security = seclvl_file_free_security,
 502         .settime = seclvl_settime,
 503         .sb_umount = seclvl_umount,
 504 };
 505
 506 /**
 507  * Process the password-related module parameters
 508  */
 509 static int processPassword(void)
 510 {
 511         int rc = 0;
 512         hashedPassword[0] = '\0';
 513         if (*passwd) {
 514                 if (*sha1_passwd) {
 515                         seclvl_printk(0, KERN_ERR, "Error: Both "
 516                                       "passwd and sha1_passwd "
 517                                       "were set, but they are mutually "
 518                                       "exclusive.\n");
 519                         return -EINVAL;
 520                 }
 521                 if ((rc = plaintext_to_sha1(hashedPassword, passwd,
 522                                             strlen(passwd)))) {
 523                         seclvl_printk(0, KERN_ERR, "Error: SHA1 support not "
 524                                       "in kernel\n");
 525                         return rc;
 526                 }
 527                 /* All static data goes to the BSS, which zero's the
 528                  * plaintext password out for us. */
 529         } else if (*sha1_passwd) {      // Base 16
 530                 int i;
 531                 i = strlen(sha1_passwd);
 532                 if (i != (SHA1_DIGEST_SIZE * 2)) {
 533                         seclvl_printk(0, KERN_ERR, "Received [%d] bytes; "
 534                                       "expected [%d] for the hexadecimal "
 535                                       "representation of the SHA1 hash of "
 536                                       "the password.\n",
 537                                       i, (SHA1_DIGEST_SIZE * 2));
 538                         return -EINVAL;
 539                 }
 540                 while ((i -= 2) + 2) {
 541                         unsigned char tmp;
 542                         tmp = sha1_passwd[i + 2];
 543                         sha1_passwd[i + 2] = '\0';
 544                         hashedPassword[i / 2] = (unsigned char)
 545                             simple_strtol(&sha1_passwd[i], NULL, 16);
 546                         sha1_passwd[i + 2] = tmp;
 547                 }
 548         }
 549         return 0;
 550 }
 551
 552 /**
 553  * securityfs registrations
 554  */
 555 struct dentry *dir_ino, *seclvl_ino, *passwd_ino;
 556
 557 static int seclvlfs_register(void)
 558 {
 559         dir_ino = securityfs_create_dir("seclvl", NULL);
 560         if (!dir_ino)
 561                 return -EFAULT;
 562
 563         seclvl_ino = securityfs_create_file("seclvl", S_IRUGO | S_IWUSR,
 564                                 dir_ino, &seclvl, &seclvl_file_ops);
 565         if (!seclvl_ino)
 566                 goto out_deldir;
 567         if (*passwd || *sha1_passwd) {
 568                 passwd_ino = securityfs_create_file("passwd", S_IRUGO | S_IWUSR,
 569                                 dir_ino, NULL, &passwd_file_ops);
 570                 if (!passwd_ino)
 571                         goto out_delf;
 572         }
 573         return 0;
 574
 575 out_deldir:
 576         securityfs_remove(dir_ino);
 577 out_delf:
 578         securityfs_remove(seclvl_ino);
 579
 580         return -EFAULT;
 581 }
 582
 583 /**
 584  * Initialize the seclvl module.
 585  */
 586 static int __init seclvl_init(void)
 587 {
 588         int rc = 0;
 589         if (verbosity < 0 || verbosity > 1) {
 590                 printk(KERN_ERR "Error: bad verbosity [%d]; only 0 or 1 "
 591                        "are valid values\n", verbosity);
 592                 rc = -EINVAL;
 593                 goto exit;
 594         }
 595         if (initlvl < -1 || initlvl > 2) {
 596                 seclvl_printk(0, KERN_ERR, "Error: bad initial securelevel "
 597                               "[%d].\n", initlvl);
 598                 rc = -EINVAL;
 599                 goto exit;
 600         }
 601         seclvl = initlvl;
 602         if ((rc = processPassword())) {
 603                 seclvl_printk(0, KERN_ERR, "Error processing the password "
 604                               "module parameter(s): rc = [%d]\n", rc);
 605                 goto exit;
 606         }
 607         /* register ourselves with the security framework */
 608         if (register_security(&seclvl_ops)) {
 609                 seclvl_printk(0, KERN_ERR,
 610                               "seclvl: Failure registering with the "
 611                               "kernel.\n");
 612                 /* try registering with primary module */
 613                 rc = mod_reg_security(MY_NAME, &seclvl_ops);
 614                 if (rc) {
 615                         seclvl_printk(0, KERN_ERR, "seclvl: Failure "
 616                                       "registering with primary security "
 617                                       "module.\n");
 618                         goto exit;
 619                 }               /* if primary module registered */
 620                 secondary = 1;
 621         }                       /* if we registered ourselves with the security framework */
 622         if ((rc = seclvlfs_register())) {
 623                 seclvl_printk(0, KERN_ERR, "Error registering with sysfs\n");
 624                 goto exit;
 625         }
 626         seclvl_printk(0, KERN_INFO, "seclvl: Successfully initialized.\n");
 627  exit:
 628         if (rc) {
 629                 printk(KERN_ERR "seclvl: Error during initialization: rc = "
 630                        "[%d]\n", rc);
 631         }
 632         return rc;
 633 }
 634
 635 /**
 636  * Remove the seclvl module.
 637  */
 638 static void __exit seclvl_exit(void)
 639 {
 640         securityfs_remove(seclvl_ino);
 641         if (*passwd || *sha1_passwd) {
 642                 securityfs_remove(passwd_ino);
 643         }
 644         securityfs_remove(dir_ino);
 645         if (secondary == 1) {
 646                 mod_unreg_security(MY_NAME, &seclvl_ops);
 647         } else if (unregister_security(&seclvl_ops)) {
 648                 seclvl_printk(0, KERN_INFO,
 649                               "seclvl: Failure unregistering with the "
 650                               "kernel\n");
 651         }
 652 }
 653
 654 module_init(seclvl_init);
 655 module_exit(seclvl_exit);
 656
 657 MODULE_AUTHOR("Michael A. Halcrow <mike@halcrow.us>");
 658 MODULE_DESCRIPTION("LSM implementation of the BSD Secure Levels");
 659 MODULE_LICENSE("GPL");