authorAndrew Morton <akpm@osdl.org>2004-05-19 02:34:23 -0700
committerLinus Torvalds <torvalds@ppc970.osdl.org>2004-05-19 02:34:23 -0700
commit01db63f2527a35cd8c03b18630d20ad11ba49454 (patch)
tree9c85f0635bf35dbd51b24243919991e6bf77bc7d /security
parentb27685872d1493caefe5c2d321291cca61a5bb25 (diff)
[PATCH] security: add disable param to capabilities module
From: Chris Wright <chrisw@osdl.org> Add a disable param to the capabilities module, similar to the SELinux param for disabling at boot time. This allows vendors to ship a single binary image with capabilities compiled statically, and to disable it if they provide another security model compiled as a module.
Diffstat (limited to 'security')
-rw-r--r--security/capability.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/security/capability.c b/security/capability.c
index a190f8291892e2..532023c652caa6 100644
--- a/security/capability.c
+++ b/security/capability.c
@@ -22,6 +22,7 @@
#include <linux/skbuff.h>
#include <linux/netlink.h>
#include <linux/ptrace.h>
+#include <linux/moduleparam.h>
static struct security_operations capability_ops = {
.ptrace = cap_ptrace,
@@ -52,9 +53,16 @@ static struct security_operations capability_ops = {
/* flag to keep track of how we were registered */
static int secondary;
+static int capability_disable;
+module_param_named(disable, capability_disable, int, 0);
+MODULE_PARM_DESC(disable, "To disable capabilities module set disable = 1");
static int __init capability_init (void)
{
+ if (capability_disable) {
+ printk(KERN_INFO "Capabilities disabled at initialization\n");
+ return 0;
+ }
/* register ourselves with the security framework */
if (register_security (&capability_ops)) {
/* try registering with primary module */
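Review bot: The early return in `capability_init` leaves this module unregistered and reports it only at KERN_INFO. If the replacement security module never loads, the system presumably runs on whatever default hooks the security framework supplies, and nothing in the hunk documents that. I would add a comment above the check, for example `/* disabled at boot: register nothing and leave the framework's default ops for another module */`, and word the log line so the resulting state can be audited from the boot log. The parameter is an `int`, so any non-zero value disables the module; the `MODULE_PARM_DESC` text could say that. The diffstat is limited to security/, so I cannot see whether the parameter is documented elsewhere. The body of `capability_init` continues outside the hunk.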
@@ -72,6 +80,8 @@ static int __init capability_init (void)
static void __exit capability_exit (void)
{
+ if (capability_disable)
+ return;
/* remove ourselves from the security framework */
if (secondary) {
if (mod_unreg_security (MY_NAME, &capability_ops))
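Review bot: The early return in `capability_exit` is only correct while `capability_disable` keeps the value it had at init, and that dependency is undocumented. It holds here because the parameter is declared with permission 0 in the earlier hunk, so it is not writable after load. I would add `/* nothing was registered when disabled at init; perm 0 keeps this flag fixed after load */` above the check. That way a later change to a writable permission does not silently skip the unregister or attempt one that was never set up. The body of `capability_exit` continues past the end of the hunk.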